[31714] in Kerberos
Re: MIT kinit with AD userPrincipalName with SMTP domain and not
daemon@ATHENA.MIT.EDU (Michael B Allen)
Sat Nov 21 11:17:17 2009
MIME-Version: 1.0
In-Reply-To: <B8F262DF-7D50-4904-A928-4C0DDB51036B@padl.com>
Date: Sat, 21 Nov 2009 11:16:34 -0500
Message-ID: <78c6bd860911210816j531b0caay70b40fdcb1d66a06@mail.gmail.com>
From: Michael B Allen <ioplex@gmail.com>
To: Luke Howard <lukeh@padl.com>
Cc: kerberos <kerberos@mit.edu>
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Sat, Nov 21, 2009 at 5:44 AM, Luke Howard <lukeh@padl.com> wrote:
>> Meaning if I have a realm EXAMPLE.LOCAL and an SMTP domain EXAMPLE.COM
>> and userPrincipalName attributes on accounts in AD use the SMTP domain
>> like alice@EXAMPLE.COM can initial credentials be acquired?
>>
>> If I try kinit I get:
>>
>> $ kinit -f alice@EXAMPLE.COM
>> kinit(v5): Cannot resolve network address for KDC in realm
>> EXAMPLE.COM while getting initial credentials
>
> kinit -E -f alice@example.com@EXAMPLE.LOCAL
>
> NB: if this doesn't work in 1.7, try trunk, I think it may have been broken
> in 1.7.
Hi Luke,
I understand now. Unfortunately, in practice, I need much more than
kinit. I'm integrated with an old version of Heidmal so it seems I'll
need to work on moving to a newer Heimdal and possibly work on
krb5/principal.c:build_principal et al if the latest Heimdal doesn't
already have it. I also want to do this with Java but given the
spotted history of Java's builtin Kerberos implementation I don't
expect that to be tackled easily. I kinda wish I just had a really
solid ASN.1 compiler and crypto lib for the various languages. Ho-hum.
Thanks,
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
