using UPN to auth

Markus Moeller huaraz at moeller.plus.com
Wed Mar 12 15:09:33 EDT 2008


Yes, you need to modify mod_auth_kerb. One thing to be aware of is that 
determining the realm is more difficult, because the e-mail address itself 
contains an '@' and the realm suffix also starts with '@' (so the last '@', 
not the first, separates the name from the realm).

Markus

Source inserted below:

 #include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <krb5.h>
#define REALM "WIN2003R2.HOME"
#define      KDC_OPT_CANONICALIZE 0x00010000
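/*
 * Kerberos name type NT-ENTERPRISE (RFC 6806 section 5): the whole
 * "user@domain" string is a single principal component that the KDC
 * resolves itself -- for Active Directory, by userPrincipalName.  MIT's
 * krb5.h names this KRB5_NT_ENTERPRISE_PRINCIPAL; the numeric value is kept
 * here because the original relied on the literal 10 for both MIT and
 * Heimdal builds.
 */
enum { NT_ENTERPRISE_NAME_TYPE = 10 };

/*
 * Copy src into dst, prefixing every byte that krb5_parse_name treats
 * specially ('@', '/' and '\\') with a backslash, so the copied text is
 * parsed as one component.  dst must have room for 2 * strlen(src) bytes;
 * no terminator is written.  Returns the position after the last byte
 * written.
 */
static char *copy_escaped(char *dst, const char *src)
{
    for (; *src != '\0'; src++) {
        if (*src == '@' || *src == '/' || *src == '\\')
            *dst++ = '\\';
        *dst++ = *src;
    }
    return dst;
}

/*
 * Build the string handed to krb5_parse_name: "<principal>@<realm>".
 *
 * A principal containing '@' is treated as a UPN / e-mail style name and
 * is escaped so that the whole UPN survives parsing as a single component
 * (the original escaped only the first '@', so a UPN containing '/' or
 * '\\' would have been split or mis-parsed).  A principal without '@' is
 * copied verbatim, since "svc/host" style names must keep their
 * separators.
 *
 * The original allocated strlen(principal) + strlen(realm) + 1 for the
 * non-UPN case but wrote the '@' as well -- a one-byte heap overflow on
 * every sAMAccountName login; the size here accounts for every byte.
 *
 * Returns a malloc'd string the caller frees, or NULL if malloc fails.
 */
static char *build_parse_name(const char *principal, const char *realm)
{
    size_t plen = strlen(principal);
    size_t rlen = strlen(realm);
    int is_upn = strchr(principal, '@') != NULL;
    /* worst case: every UPN byte escaped, then '@', the realm and the NUL */
    size_t cap = (is_upn ? 2 * plen : plen) + 1 + rlen + 1;
    char *buf = malloc(cap);
    char *p;

    if (buf == NULL)
        return NULL;
    if (is_upn) {
        p = copy_escaped(buf, principal);
    } else {
        memcpy(buf, principal, plen);
        p = buf + plen;
    }
    *p++ = '@';
    memcpy(p, realm, rlen + 1);     /* copies the terminating NUL too */
    return buf;
}

/*
 * Tag a parsed principal as NT-ENTERPRISE.  The library structures differ:
 * Heimdal keeps the name type inside the embedded PrincipalName, MIT at
 * the top level.  Poking the struct directly mirrors the original; a
 * public setter (krb5_principal_set_type on Heimdal, the krb5_princ_type
 * lvalue macro on MIT) is the cleaner route where the installed library
 * offers one.
 */
static void set_enterprise_type(krb5_principal princ)
{
#ifdef HEIMDAL
    princ->name.name_type = NT_ENTERPRISE_NAME_TYPE;
#else
    princ->type = NT_ENTERPRISE_NAME_TYPE;
#endif
}

/*
 * Parse "<principal>@<realm>" into a krb5_principal, marking it as an
 * enterprise name when `principal` looks like a UPN.  Any failure is
 * reported under program_name and terminates the process with status 1,
 * exactly as the original inline code did.  The returned principal is
 * owned by the caller (krb5_free_principal).
 */
static krb5_principal parse_principal(krb5_context ctx, const char *program_name,
                                      const char *principal, const char *realm)
{
    krb5_principal princ;
    krb5_error_code code;
    char *name = build_parse_name(principal, realm);

    if (name == NULL) {
        fprintf(stderr, "%s: out of memory while building principal name\n",
                program_name);
        exit(1);
    }
    code = krb5_parse_name(ctx, name, &princ);
    if (code) {
        com_err(program_name, code, "when parsing name %s", name);
        free(name);
        exit(1);
    }
    free(name);
    if (strchr(principal, '@') != NULL)
        set_enterprise_type(princ);
    return princ;
}

/*
 * Report a failed krb5_get_init_creds_password call and exit with status
 * 999 (the original's value).  KRB5KRB_AP_ERR_BAD_INTEGRITY is what a KDC
 * that does not require pre-authentication returns for a wrong password;
 * with pre-authentication enabled (the usual AD setting) a wrong password
 * generally surfaces as a different KDC error and is printed via com_err.
 * Never returns.
 */
static void fail_init_creds(krb5_context ctx, const char *program_name,
                            krb5_error_code code, krb5_creds *creds)
{
    if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
        fprintf(stderr, "%s: Password incorrect while getting initial "
                "credentials\n", program_name);
    else
        com_err(program_name, code, "while getting initial credentials");
    krb5_free_cred_contents(ctx, creds);   /* also releases the session key */
    exit(999);
}

/*
 * Write the freshly obtained TGT into the default credential cache, which
 * is re-initialised for `princ` first (discarding whatever it held), then
 * exit: 999 on any cache error, 0 on success.  Never returns.
 */
static void store_creds_and_exit(krb5_context ctx, const char *program_name,
                                 krb5_ccache cc, krb5_principal princ,
                                 krb5_creds *creds)
{
    krb5_error_code code = krb5_cc_initialize(ctx, cc, princ);

    if (code) {
        com_err(program_name, code, "when initializing cache");
        krb5_free_cred_contents(ctx, creds);
        exit(999);
    }
    code = krb5_cc_store_cred(ctx, cc, creds);
    if (code) {
        com_err(program_name, code, "while storing credentials");
        krb5_free_cred_contents(ctx, creds);
        exit(999);
    }
    krb5_free_cred_contents(ctx, creds);
    exit(0);
}

/*
 * mkinit: a minimal kinit that can authenticate an Active Directory user
 * by userPrincipalName instead of sAMAccountName.
 *
 *   usage: mkinit <principal> [realm ...]
 *
 * If <principal> contains '@' it is sent as an NT-ENTERPRISE name (type 10)
 * and the KDC, not the client, maps it to the account.  With no realm
 * argument the compiled-in REALM is used; with one or more realms each is
 * tried in turn until one recognises the principal.  The password is read
 * through the library's POSIX prompter on every attempt, so a multi-realm
 * run may prompt more than once.  On success the default credential cache
 * is replaced with the new TGT.
 *
 * Exit statuses (unchanged from the original): -1 no principal given,
 * -2 / -3 library or ccache initialisation failed, 1 name parse failed,
 * 999 credential or cache error, 0 success.
 *
 * Reviewer notes: KDC_OPT_CANONICALIZE is defined but never applied; RFC
 * 6806 expects the canonicalize option to accompany enterprise names, and
 * this tool relies on the AD KDC accepting the request without it.  No
 * ticket options are passed to krb5_get_init_creds_password, so lifetime
 * and flags come from the library configuration.
 */
int main(int argc, char *argv[], char **envp)
{
    const char *program_name;
    const char *principal_name;
    krb5_context kcontext;
    krb5_ccache kccache;
    krb5_error_code code = 0;
    krb5_creds my_creds;
    krb5_get_init_creds_opt options;
    int i;

    (void)envp;                 /* accepted for interface compatibility only */

    program_name = argv[0];
    if (argc <= 1) {
        fprintf(stderr, "usage: %s principal [realm ...]\n", program_name);
        exit(-1);
    }
    principal_name = argv[1];

    code = krb5_init_context(&kcontext);
    if (code) {
        com_err(program_name, code, "while initializing Kerberos 5 library");
        exit(-2);
    }
    code = krb5_cc_default(kcontext, &kccache);
    if (code) {
        com_err(program_name, code, "while getting default ccache");
        exit(-3);
    }

    krb5_get_init_creds_opt_init(&options);
    memset(&my_creds, 0, sizeof(my_creds));

    if (argc <= 2) {
        /* No realm on the command line: use the compiled-in default. */
        krb5_principal princ =
            parse_principal(kcontext, program_name, principal_name, REALM);

        code = krb5_get_init_creds_password(kcontext, &my_creds, princ,
                                            0, krb5_prompter_posix, 0,
                                            0, 0, &options);
        if (code)
            fail_init_creds(kcontext, program_name, code, &my_creds);
        store_creds_and_exit(kcontext, program_name, kccache, princ,
                             &my_creds);
    }

    /*
     * Realms given: try each until one knows the principal.  argv[argc] is
     * NULL, so the loop must stop at argc - 1; the original iterated one
     * slot past the last realm and handed that NULL to strlen().
     */
    for (i = 2; i < argc; i++) {
        krb5_principal princ =
            parse_principal(kcontext, program_name, principal_name, argv[i]);

        code = krb5_get_init_creds_password(kcontext, &my_creds, princ,
                                            0, krb5_prompter_posix, 0,
                                            0, 0, &options);
        if (code == 0)
            store_creds_and_exit(kcontext, program_name, kccache, princ,
                                 &my_creds);
        krb5_free_principal(kcontext, princ);
        /*
         * Only "this realm does not know the principal" moves on to the
         * next realm; any other failure (including a rejected password) is
         * final, so one password is never replayed against further KDCs.
         */
        if (code != KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN &&
            code != KRB5_REALM_UNKNOWN)
            fail_init_creds(kcontext, program_name, code, &my_creds);
    }

    /* Every realm rejected the principal: report the last error seen. */
    fail_init_creds(kcontext, program_name, code, &my_creds);
    return -999;    /* not reached; mirrors the original's fallthrough status */
}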



"Terry" <td3201 at gmail.com> wrote in message 
news:mailman.33.1205339252.3372.kerberos at mit.edu...
>I am not sure if this matters but the end result is to use
> mod_auth_kerb to authenticate users.  You are saying I need to
> recompile it to use type 10 (enterprise name type)?  I might be able
> to figure that out.  :)
>
>
>
> On Tue, Mar 11, 2008 at 7:32 PM, Markus Moeller <huaraz at moeller.plus.com> 
> wrote:
>> You need a modified kinit which sets the principal type  to 10 
>> (enterprise
>>  name type). Windows will then use the UPN instead of the samaccountname 
>> to
>>  authenticate. (See attached sample mkinit.c)
>>
>>  Markus.
>>
>>  BTW If your client supports client canonicalisation you can authenticate 
>> as
>>  jdoe at domain.com and still receive a ticket issued to the samaccountname.
>>
>>  "Terry" <td3201 at gmail.com> wrote in message
>>  news:8ee061010803111146g3d5b36b2rd5e22be1d3961073 at mail.gmail.com...
>>
>>
>> > Hello,
>>  >
>>  > I am very new to this.  I have a FQDN in AD set to domain.foo.  The
>>  > UPN of a user is jdoe at domain.com.  (note the difference between foo
>>  > and com).
>>  >
>>  > How can I authenticate with jdoe at domain.com?  I am able to auth
>>  > correctly with the sAMAccountName.
>>  >
>>  > Thanks!
>>  > ________________________________________________
>>  > Kerberos mailing list           Kerberos at mit.edu
>>  > https://mailman.mit.edu/mailman/listinfo/kerberos
>>  >
>>
>> ________________________________________________
>>  Kerberos mailing list           Kerberos at mit.edu
>>  https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> 



