[37054] in Kerberos

Re: A client name with an '@'

daemon@ATHENA.MIT.EDU (Luke Howard)
Wed Jun 3 07:54:17 2015

Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Luke Howard <lukeh@padl.com>
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E7E1194@001FSN2MPN1-046.001f.mgd2.msft.net>
Date: Wed, 3 Jun 2015 13:53:30 +0200
Message-Id: <05E14023-C0E1-46B9-87C3-DE138E3B1249@padl.com>
To: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Ah, I didn’t read the context. MIT has supported client name canonicalisation in AS-REQs for a while so it might be worth a try.

Also: re earlier message, enterprise principal names (UPNs) imply canonicalisation, so you shouldn’t need to set the canon flag if you’re using this name type.

— Luke

> On 2 Jun 2015, at 11:37 pm, Nordgren, Bryce L -FS <bnordgren@fs.fed.us> wrote:
> 
>> You could try the -C and -E options to kinit:
>> 
>> 	-C canonicalize
>> 	-E client is enterprise principal name
>> 
>> — Luke
> 
> I could, but I'm not certain the MIT Kerberos KDC (to which kinit is connecting) knows how to canonicalize. Boy if I could get user principal mapping going, that would be sweet.
> 
> For the moment, I seem to be PKINITing successfully.
> 
> Bryce

--
www.lukehoward.com
soundcloud.com/lukehoward


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

