[37040] in Kerberos


Re: A client name with an '@'

daemon@ATHENA.MIT.EDU (Todd Grayson)
Mon Jun 1 20:03:37 2015

MIME-Version: 1.0
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E7DFD63@001FSN2MPN1-046.001f.mgd2.msft.net>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Mon, 1 Jun 2015 18:03:01 -0600
Message-ID: <CALNT6MXgt0r7HbeJ5=1-TEa5hBNDExs6+pkPbX-hs5_DhzV2Hw@mail.gmail.com>
To: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Bryce

It's either 12001000550281@FEDIDCARD.GOV or
it's 12001000550281@fedidcard.gov

As far as your shell escaping with a \, in a command line you will not
escape the @; if you are scripting it, you might.

To the left of the @ is the principal name, traditionally lowercase.  To
the right is the REALM, traditionally uppercase.  AD userPrincipalName
entries should be able to handle the uppercase value being presented at
authentication for the user.

The userPrincipalName is the Kerberos principal name, within AD.  You do
not have to nest the lowercase instance into the uppercase realm (in other
words, don't use 12001000550281\@fedidcard.gov@FEDIDCARD.GOV ).  You should
be able to get it to work presenting consistent case and based on the
example I give above.



On Mon, Jun 1, 2015 at 5:02 PM, Nordgren, Bryce L -FS <bnordgren@fs.fed.us>
wrote:

> > $ kinit '12001000550281\@fedidcard.gov@FEDIDCARD.GOV'
>
> Thanks! Making progress!
>
> It now prints a single backslash when describing the principal, both in
> errors emitted from kinit and the "listprincs" command in kadmin.local.
> However, I'm back to "client name mismatch" out of kinit, presumably
> because the MS User Principal Name in the certificate lacks the backslash.
>
> Bryce
>
>
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Customer Operations Engineering
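
Added example, not part of the original message and not MIT krb5 code: a simplified Python model of the escaping convention discussed in this thread, where a backslash makes the following '@' part of the name and the first unescaped '@' starts the realm. The function names and the exact rules coded here are assumptions of this sketch; it shows why the escaped form is displayed with a single backslash while the name it denotes contains none.

```python
# Simplified model of Kerberos principal-name text parsing (added example).
# Assumptions: '\' escapes the next character, the first unescaped '@' starts
# the realm, and an unescaped '/' before the realm separates name components.
SPECIAL = "@/\\"

def parse_principal(text):
    """Return (components, realm); realm is None if no unescaped '@' occurs."""
    components, realm = [""], None
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 == len(text):
                raise ValueError("trailing backslash")
            i += 1
            ch = text[i]                      # escaped char is taken literally
        elif ch == "@":
            if realm is not None:
                raise ValueError("second unescaped '@'")
            realm = ""
            i += 1
            continue
        elif ch == "/" and realm is None:
            components.append("")
            i += 1
            continue
        if realm is None:
            components[-1] += ch
        else:
            realm += ch
        i += 1
    return components, realm

def unparse_principal(components, realm):
    """Display form: re-escape special characters, as a listing tool would."""
    esc = lambda s: "".join("\\" + c if c in SPECIAL else c for c in s)
    name = "/".join(esc(c) for c in components)
    return name if realm is None else name + "@" + esc(realm)

if __name__ == "__main__":
    # Strings taken from the thread; single quotes in a shell pass '\' through.
    for s in (r"12001000550281\@fedidcard.gov@FEDIDCARD.GOV",
              "12001000550281@FEDIDCARD.GOV",
              "12001000550281@fedidcard.gov@FEDIDCARD.GOV"):
        try:
            comps, realm = parse_principal(s)
            print(s, "->", comps, realm, "| shown as", unparse_principal(comps, realm))
        except ValueError as err:
            print(s, "-> rejected:", err)
```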