[31712] in Kerberos
Re: MIT kinit with AD userPrincipalName with SMTP domain and not
daemon@ATHENA.MIT.EDU (Michael B Allen)
Fri Nov 20 21:35:12 2009
MIME-Version: 1.0
In-Reply-To: <78c6bd860911201648p6b1982c6rd47f9239406aa7a8@mail.gmail.com>
Date: Fri, 20 Nov 2009 21:34:33 -0500
Message-ID: <78c6bd860911201834n7909b6b3sf99249e481f1be3e@mail.gmail.com>
From: Michael B Allen <ioplex@gmail.com>
To: kerberos <kerberos@mit.edu>
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Well, it's all coming back to me now. It seems this has been discussed before:
http://mailman.mit.edu/pipermail/kerberos/2007-October/012373.html
The userPrincipalName is only used if the principal type is 10
(KRB5_NT_ENTERPRISE_PRINCIPAL or perhaps GSS_C_NT_ENTERPRISE_PRINCIPAL
if GSSAPI supported such a thing). AD will also canonicalize the
supplied name in the AS-REP to the sAMAccountName@dnsRoot.
As for the domain, I'm still a little fuzzy there as well. I would
have to take some captures to see if the Windows client tries to
look up the domain name supplied or if it simply ignores the @domain
and sends the AS-REQ to the default authority.
Mike
On Fri, Nov 20, 2009 at 7:48 PM, Michael B Allen <ioplex@gmail.com> wrote:
> Hi,
>
> Is it possible to acquire credentials using kinit from AD using the
> userPrincipalName on an AD account if the DNS domain does not match
> the AD realm?
>
> Meaning if I have a realm EXAMPLE.LOCAL and an SMTP domain EXAMPLE.COM
> and userPrincipalName attributes on accounts in AD use the SMTP domain
> like alice@EXAMPLE.COM can initial credentials be acquired?
>
> If I try kinit I get:
>
> $ kinit -f alice@EXAMPLE.COM
> kinit(v5): Cannot resolve network address for KDC in realm
> EXAMPLE.COM while getting initial credentials
>
> If I then add the following to my krb5.conf:
>
> [realms]
> EXAMPLE.COM = {
>     kdc = dc1.example.local
> }
>
> and try kinit again I get:
>
> $ kinit -f alice@EXAMPLE.COM
> kinit(v5): KRB5 error code 68 while getting initial credentials
>
> and a capture shows the AS-REQ realm and service realm are EXAMPLE.COM.
> Error code 68 is KDC_ERR_WRONG_REALM.
>
> Adding .example.com = EXAMPLE.COM to [domain_realm] doesn't appear to
> have any effect.
>
> Of course using the implied principal name <sAMAccountName>@<dnsRoot> works:
>
> $ kinit -f alice@EXAMPLE.LOCAL
> Password for alice@EXAMPLE.LOCAL: ...
>
> Windows must be able to do this. How does a Windows client know that
> the SMTP domain should be substituted with a proper realm and which
> one?
>
> Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
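The exchange Mike describes hinges on two things: how the client splits what was typed into the AS-REQ cname and realm, and whether the KDC treats the cname as a plain principal (name-type 1) or as an enterprise alias (name-type 10) that it resolves and canonicalizes to sAMAccountName@dnsRoot. The following is an added illustration written for this page, not code from MIT krb5 or from Active Directory. It models both paths with a constructed in-memory directory; the name-type values and KRB-ERROR codes are the real RFC 4120 constants, while the default realm, the directory contents and the lookup rules are assumptions made for the example (real AD matching and canonicalization rules are more involved). It shows why `alice@EXAMPLE.COM` as a normal principal yields error 68 against a KDC that only serves EXAMPLE.LOCAL, and why the same string sent as an enterprise name against the default realm can succeed.

```python
"""Model of client-side principal parsing and KDC-side alias resolution.

Constructed illustration for the mailing-list thread above; not MIT krb5
or Active Directory code.
"""
from dataclasses import dataclass

# RFC 4120 PrincipalName name-type values (real constants).
KRB5_NT_PRINCIPAL = 1              # "alice" in realm EXAMPLE.COM
KRB5_NT_ENTERPRISE_PRINCIPAL = 10  # whole "alice@EXAMPLE.COM" is one component

# RFC 4120 KRB-ERROR codes (real constants).
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_WRONG_REALM = 68

# Assumed default_realm from the client's krb5.conf.
DEFAULT_REALM = "EXAMPLE.LOCAL"

# Constructed AD-style directory, keyed by dnsRoot (realm) served by the KDC:
#   realm -> { sAMAccountName -> userPrincipalName }
DIRECTORY = {
    "EXAMPLE.LOCAL": {"alice": "alice@EXAMPLE.COM"},
}


@dataclass(frozen=True)
class ASReqName:
    """What the client will put in the AS-REQ: cname and req-body realm."""
    name_type: int
    name_string: tuple  # PrincipalName components
    realm: str


def client_name(text, enterprise=False, default_realm=DEFAULT_REALM):
    """Turn the text given to kinit into the cname/realm pair the client sends.

    Backslash-escaped '@' (MIT syntax) is not modelled here.
    """
    if enterprise:
        # NT-ENTERPRISE: the string is an opaque alias. The client does not
        # interpret the part after '@' as a realm, so the request goes to
        # the default realm and the KDC resolves the alias.
        return ASReqName(KRB5_NT_ENTERPRISE_PRINCIPAL, (text,), default_realm)
    # NT-PRINCIPAL: everything after the last '@' is taken as the realm.
    name, sep, realm = text.rpartition("@")
    if not sep:
        return ASReqName(KRB5_NT_PRINCIPAL, tuple(text.split("/")), default_realm)
    return ASReqName(KRB5_NT_PRINCIPAL, tuple(name.split("/")), realm)


def kdc_as_rep(req, directory=DIRECTORY):
    """Simplified KDC: return ('ok', canonical_principal) or ('error', code)."""
    accounts = directory.get(req.realm)
    if accounts is None:
        # The KDC was asked for a realm it does not serve (what Mike saw
        # after pointing EXAMPLE.COM at dc1.example.local).
        return ("error", KDC_ERR_WRONG_REALM)
    if req.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL:
        alias = req.name_string[0].lower()
        for sam, upn in accounts.items():
            if upn.lower() == alias:
                # Canonicalized reply: sAMAccountName@dnsRoot.
                return ("ok", f"{sam}@{req.realm}")
        return ("error", KDC_ERR_C_PRINCIPAL_UNKNOWN)
    if len(req.name_string) == 1 and req.name_string[0].lower() in accounts:
        return ("ok", f"{req.name_string[0].lower()}@{req.realm}")
    return ("error", KDC_ERR_C_PRINCIPAL_UNKNOWN)


def try_kinit(text, enterprise=False):
    """Client parse followed by KDC answer, as one step for the examples below."""
    return kdc_as_rep(client_name(text, enterprise))


if __name__ == "__main__":
    for text, ent in [("alice@EXAMPLE.COM", False),
                      ("alice@EXAMPLE.COM", True),
                      ("alice@EXAMPLE.LOCAL", False)]:
        flag = " -E" if ent else ""
        print(f"kinit{flag} {text}: {try_kinit(text, ent)}")
```

Running the block prints the three cases from the thread: the plain UPN produces `('error', 68)`, the UPN as an enterprise name produces `('ok', 'alice@EXAMPLE.LOCAL')`, and the implied sAMAccountName@dnsRoot form works directly. On the real client side, MIT kinit's `-E` option is what requests enterprise-name treatment, which is the configuration-free counterpart of the `[realms]`/`[domain_realm]` edits tried in the original message.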
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos