MIT kinit with AD userPrincipalName with SMTP domain and not proper
daemon@ATHENA.MIT.EDU (Michael B Allen)
Fri Nov 20 19:49:36 2009
Date: Fri, 20 Nov 2009 19:48:25 -0500
Message-ID: <78c6bd860911201648p6b1982c6rd47f9239406aa7a8@mail.gmail.com>
From: Michael B Allen <ioplex@gmail.com>
To: kerberos <kerberos@mit.edu>
Hi,
Is it possible to acquire credentials using kinit from AD using the
userPrincipalName on an AD account if the DNS domain does not match
the AD realm?
Meaning, if I have a realm EXAMPLE.LOCAL and an SMTP domain EXAMPLE.COM,
and the userPrincipalName attributes on accounts in AD use the SMTP domain,
like alice@EXAMPLE.COM, can initial credentials be acquired?
If I try kinit I get:
$ kinit -f alice@EXAMPLE.COM
kinit(v5): Cannot resolve network address for KDC in realm
EXAMPLE.COM while getting initial credentials
If I then add the following to my krb5.conf:
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.local
    }
and try kinit again I get:
$ kinit -f alice@EXAMPLE.COM
kinit(v5): KRB5 error code 68 while getting initial credentials
and a capture shows the AS-REQ realm and service realm are both EXAMPLE.COM.
Error code 68 is KDC_ERR_WRONG_REALM.
Adding .example.com = EXAMPLE.COM to [domain_realm] doesn't appear to
have any effect.
Of course using the implied principal name <sAMAccountName>@<dnsRoot> works:
$ kinit -f alice@EXAMPLE.LOCAL
Password for alice@EXAMPLE.LOCAL: ...
Windows must be able to do this. How does a Windows client know that
the SMTP domain should be substituted with a proper realm and which
one?
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
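The following is an added example, not code from the original post or from MIT krb5. It models in Python the two client-side lookups the post exercises: how kinit picks the realm and KDC for a principal such as alice@EXAMPLE.COM from the krb5.conf fragments quoted above, and what the [domain_realm] section is actually consulted for. It assumes MIT krb5's documented semantics, namely that the realm placed in the AS-REQ is simply the part of the principal after the last "@", that [realms] supplies KDC addresses when DNS SRV lookup is unavailable, and that [domain_realm] maps host names (for service principals) to realms, which is why an entry there does not alter a user principal's realm. The krb5.conf text and error-code table are constructed for the example.

```python
"""
Added example (not from the original post or MIT krb5): a small, offline model
of the client-side realm and KDC resolution that kinit performs for
`kinit alice@EXAMPLE.COM`, using the krb5.conf fragments from the post.
"""
import re
from typing import Dict, List, Optional

# Constructed krb5.conf mirroring the post: a [realms] entry for EXAMPLE.COM
# pointing at dc1.example.local plus a [domain_realm] mapping for .example.com.
KRB5_CONF = """
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.local
    }
    EXAMPLE.LOCAL = {
        kdc = dc1.example.local
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

# KRB-ERROR codes referenced in the post (RFC 4120, section 7.5.9).
KRB_ERROR_CODES: Dict[int, str] = {68: "KDC_ERR_WRONG_REALM"}


def parse_krb5_conf(text: str) -> Dict[str, Dict]:
    """Minimal parser for the [realms] and [domain_realm] sections only."""
    conf: Dict[str, Dict] = {"realms": {}, "domain_realm": {}}
    section: Optional[str] = None
    realm: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section, realm = m.group(1), None
            continue
        if section == "realms":
            m = re.match(r"(\S+)\s*=\s*\{$", line)
            if m:
                realm = m.group(1)
                conf["realms"][realm] = {"kdc": []}
            elif line == "}":
                realm = None
            elif realm and "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                if key == "kdc":
                    conf["realms"][realm]["kdc"].append(value)
        elif section == "domain_realm" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf["domain_realm"][key.lower()] = value
    return conf


def realm_of_principal(principal: str) -> str:
    """Realm kinit puts in the AS-REQ: the text after the last '@'.
    [domain_realm] is not consulted for this, so alice@EXAMPLE.COM asks
    realm EXAMPLE.COM, exactly as the capture in the post shows."""
    return principal.rsplit("@", 1)[1]


def kdcs_for_realm(conf: Dict[str, Dict], realm: str) -> Optional[List[str]]:
    """Configured KDCs for a realm, or None when nothing is configured (with no
    DNS SRV record this is the 'Cannot resolve network address for KDC' case)."""
    entry = conf["realms"].get(realm)
    return entry["kdc"] if entry and entry["kdc"] else None


def realm_of_host(conf: Dict[str, Dict], hostname: str) -> Optional[str]:
    """[domain_realm] lookup as used for service principals: exact host name
    first, then each parent domain written with a leading dot."""
    host = hostname.lower()
    if host in conf["domain_realm"]:
        return conf["domain_realm"][host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in conf["domain_realm"]:
            return conf["domain_realm"][candidate]
    return None


def describe_krb_error(code: int) -> str:
    """Human-readable name for a KRB-ERROR code, e.g. 68 -> KDC_ERR_WRONG_REALM."""
    return KRB_ERROR_CODES.get(code, f"unknown KRB-ERROR code {code}")


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    print("AS-REQ realm:", realm_of_principal("alice@EXAMPLE.COM"))
    print("KDCs:", kdcs_for_realm(conf, "EXAMPLE.COM"))
    print("host mail.example.com ->", realm_of_host(conf, "mail.example.com"))
    print("error 68 ->", describe_krb_error(68))
```

Running it shows the sequence from the post: with no [realms] entry the KDC list is empty, with the entry the client reaches dc1.example.local but still sends realm EXAMPLE.COM in the AS-REQ, and the [domain_realm] line only affects host-to-realm mapping such as mail.example.com, not the realm of a user principal.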