[37062] in Kerberos


RE: A client name with an '@'

daemon@ATHENA.MIT.EDU (Nordgren, Bryce L -FS)
Wed Jun 3 13:08:23 2015

From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
To: Nico Williams <nico@cryptonector.com>,
        Ken Hornstein <kenh@cmf.nrl.navy.mil>
Date: Wed, 3 Jun 2015 17:07:43 +0000
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E7E14BE@001FSN2MPN1-046.001f.mgd2.msft.net>
In-Reply-To: <20150603165102.GB18760@localhost>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>


> Or hack on the KDCs to implement AD-style case-insensitive/preserving
> realm matching.  I'm starting to think that we ought to do this in Heimdal and
> MIT Kerberos, at least as an option.

This plus canonicalizing is how our corporate system might work. I don't think there's a FEDIDCARD.GOV realm (or fedidcard.gov either) outside the scope of my PKINIT test. I think our corporate AD sees users from that domain and knows (somehow) how to map them into the USDA.NET realm. Klist has never shown me a FEDIDCARD.GOV ticket on my Windows box, and I can't locate a FEDIDCARD.GOV KDC inside or outside the firewall.

Maybe canonicalizing isn't the right word for this... "appropriating user identities from unrelated virtual realms" may be more descriptive.

I had nothing to do with it. :) 

Bryce

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
