[36990] in Kerberos
PKINIT name mapping?
daemon@ATHENA.MIT.EDU (Nordgren, Bryce L -FS)
Mon May 18 16:03:08 2015
From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Mon, 18 May 2015 20:02:31 +0000
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E7DA9A2@001FSN2MPN1-046.001f.mgd2.msft.net>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi all,
I'm looking to set up a KDC to issue TGTs from my organization's smart cards. Establishing a trust is a non-starter. My target environment is outside the firewall, all corporate infrastructure is inaccessible and will stay that way. However, CA bundles are public information. Looking at my PIV certificate, I see my SAN is:
Other Name:
Principal Name=12001000550281@fedidcard.gov
I won't type that big long number every time I try to login. My peers will revolt. As it turns out, when I put the smart card in my corporate machine, klist shows that the client in the resulting tickets is: bnordgren@USDA.NET<mailto:bnordgren@USDA.NET>. There is really nothing in the certificate which would perform this mapping. I can, however, automatically generate a mapping file to push out to my KDC by querying AD. (For instance, I'm pretty sure a 1:1 mapping between userPrincipalName and sAMAccountName would do the trick.)
How would I compel the MIT Kerberos server to perform that same mapping? I want to be able to ask for a ticket for "bnordgren@MY.OTHER.REALM", provide a certificate with a MS UPN of 12001000550281@fedidcard.gov<mailto:12001000550281@fedidcard.gov> and have it work. I also want it to KRB_ERROR if a valid certificate with any other MS UPN tries to get a ticket for bnordgren@MY.OTHER.REALM<mailto:bnordgren@MY.OTHER.REALM>.
Has this already been done, and if not, would it be possible to do the mapping by writing a plugin?
Bryce
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
