[36470] in Kerberos


Re: Creating enterprise principals with kadmin

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Sep 15 10:39:26 2014

Message-ID: <5416FA0B.8080004@mit.edu>
Date: Mon, 15 Sep 2014 10:39:07 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Rick van Rein <rick@openfortress.nl>,
        "<kerberos@mit.edu>" <Kerberos@mit.edu>
In-Reply-To: <38B36826-5C1B-477C-825F-39DE83478D77@openfortress.nl>
Content-Type: text/plain; charset="windows-1252"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On 09/13/2014 12:52 PM, Rick van Rein wrote:
> But this leaves me a bit worried about the KRB5-NT-ENTERPRISE nametype — does it apply to what I am doing?  Does my approach create a correct enterprise principal name, or am I so lucky to run into leniency by Kerberos?

As I understand the enterprise principal name type based on RFC 6806
section 5, it is intended to convey an email-style alias which should be
looked up in some kind of name service to figure out the actual
principal name and realm for a user.  Active Directory contains such a
service; the MIT krb5 KDC does not, unless you use a third-party KDB
module which provides one.  (Our LDAP KDB module supports aliases within
a realm, but not aliases which point to other realms.)

Creating an actual principal entry for an enterprise name doesn't seem
like a good idea.  A client which makes an AS request for an enterprise
name should wind up with a ticket for an actual, normal principal name,
not a ticket for the alias.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
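The resolution step Greg describes, as an added illustration that is not part of this thread and not MIT krb5 code: an NT-ENTERPRISE name carries an email-style alias as its single component, with the realm field merely the client's local realm, and the KDC-side name service maps that alias to the actual principal name and realm. The alias directory, the principal strings and the `Principal`/`resolve` names below are constructed for the example; the name-type numbers are the ones RFC 4120 and RFC 6806 assign.

```python
# Added illustration of RFC 6806 section 5 enterprise-name resolution.
# Not code from MIT krb5 or from this mailing-list thread; the alias
# directory and principal names are constructed sample data.

from dataclasses import dataclass

KRB5_NT_PRINCIPAL = 1    # ordinary principal name (RFC 4120)
KRB5_NT_ENTERPRISE = 10  # enterprise name type (RFC 6806)


@dataclass(frozen=True)
class Principal:
    """Minimal model of a Kerberos PrincipalName plus realm (hypothetical)."""
    name_type: int
    components: tuple
    realm: str

    def __str__(self):
        return "/".join(self.components) + "@" + self.realm


# Constructed alias directory standing in for the name service a KDC would
# consult: enterprise alias -> (canonical principal name, canonical realm).
# The canonical realm need not be the realm the request was sent to.
ALIAS_DIRECTORY = {
    "rick@openfortress.nl": ("rick", "OPENFORTRESS.NL"),
    "greg@mit.edu": ("ghudson", "ATHENA.MIT.EDU"),
}


def parse_enterprise_name(text, local_realm):
    """Build the principal a client puts in an AS request for an enterprise
    name: one component holding the whole alias (including its '@'), with the
    client's local realm as the realm. The realm says nothing about where the
    user's entry actually lives."""
    if "@" not in text:
        raise ValueError("an enterprise name must contain '@'")
    return Principal(KRB5_NT_ENTERPRISE, (text,), local_realm)


def resolve(principal):
    """Map an enterprise name to the canonical NT-PRINCIPAL entry it aliases.
    Returns None when the alias is unknown, so the caller can reject the
    request rather than mint a ticket for the alias itself. A non-enterprise
    name is returned unchanged."""
    if principal.name_type != KRB5_NT_ENTERPRISE:
        return principal
    alias = principal.components[0]
    entry = ALIAS_DIRECTORY.get(alias)  # exact match; aliases are opaque here
    if entry is None:
        return None
    name, realm = entry
    return Principal(KRB5_NT_PRINCIPAL, (name,), realm)


if __name__ == "__main__":
    request = parse_enterprise_name("rick@openfortress.nl", "ATHENA.MIT.EDU")
    print(request, "->", resolve(request))
```

The point the example makes explicit is the one in the reply: the ticket that comes back names the resolved principal (`rick@OPENFORTRESS.NL`), never the alias, and a realm without such a directory has nothing to resolve against.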

