using UPN to auth
Markus Moeller
huaraz at moeller.plus.com
Wed Mar 12 15:09:33 EDT 2008
Yes, you need to modify mod_auth_kerb. One thing you need to be aware of is
that determining the realm is more difficult, because the email address
contains an @ and the REALM is also introduced by an @.
Markus
Source inserted below:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <krb5.h>
#define REALM "WIN2003R2.HOME"
#define KDC_OPT_CANONICALIZE 0x00010000
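/*
 * Name type 10 is the Kerberos "enterprise principal" (Windows UPN) type.
 * It is poked directly into the parsed principal because the libraries
 * this sample targets expose no public setter for the field.
 */
enum { ENTERPRISE_NAME_TYPE = 10 };

/*
 * Build "<principal>@<realm>" as a fresh heap string.
 *
 * When principal_name already contains an '@' (a UPN / e-mail style name)
 * that '@' is escaped with a backslash, so krb5_parse_name() keeps it inside
 * the name component and only the trailing "@<realm>" is read as the realm.
 *
 * Returns NULL if allocation fails; the caller frees the result.
 */
static char *build_principal_string(const char *principal_name,
                                    const char *realm_name)
{
    const char *at = strchr(principal_name, '@');
    size_t plen = strlen(principal_name);
    size_t rlen = strlen(realm_name);
    /* +1 escaping backslash (UPN case only), +1 realm '@', +1 NUL */
    size_t need = plen + (at ? 1 : 0) + 1 + rlen + 1;
    char *out = malloc(need);
    int written;

    if (!out)
        return NULL;
    if (at) {
        int head = (int)(at - principal_name);
        written = snprintf(out, need, "%.*s\\%s@%s", head, principal_name,
                           at, realm_name);
    } else {
        written = snprintf(out, need, "%s@%s", principal_name, realm_name);
    }
    if (written < 0 || (size_t)written >= need) {
        free(out);
        return NULL;
    }
    return out;
}

/*
 * Parse principal_name in realm_name into *out.
 *
 * For a UPN-style name (one containing '@') the principal's name type is set
 * to the enterprise type so the KDC resolves it as a UPN rather than as a
 * sAMAccountName.  Errors are reported under program_name and a non-zero
 * value is returned; *out is not modified on failure.
 */
static int parse_principal(krb5_context kcontext, const char *program_name,
                           const char *principal_name, const char *realm_name,
                           krb5_principal *out)
{
    krb5_error_code code;
    char *name = build_principal_string(principal_name, realm_name);

    if (!name) {
        fprintf(stderr, "%s: out of memory while building principal name\n",
                program_name);
        return -1;
    }
    code = krb5_parse_name(kcontext, name, out);
    if (code) {
        com_err(program_name, code, "when parsing name %s", name);
        free(name);
        return -1;
    }
    free(name);
    if (strchr(principal_name, '@')) {
#ifdef HEIMDAL
        (*out)->name.name_type = ENTERPRISE_NAME_TYPE;
#else
        (*out)->type = ENTERPRISE_NAME_TYPE;
#endif
    }
    return 0;
}

/* Report a failed krb5_get_init_creds_password() the way kinit does. */
static void report_init_creds_error(const char *program_name,
                                    krb5_error_code code)
{
    if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
        fprintf(stderr,
                "%s: Password incorrect while getting initial credentials\n",
                program_name);
    else
        com_err(program_name, code, "while getting initial credentials");
}

/*
 * Initialise kccache for kprincipal and store *creds in it.
 *
 * On failure the error is reported and the process exits with status 999
 * (the historical behaviour of this tool).  On success it returns and the
 * caller still owns *creds.
 */
static void store_creds_or_exit(krb5_context kcontext,
                                const char *program_name,
                                krb5_ccache kccache, krb5_principal kprincipal,
                                krb5_creds *creds)
{
    krb5_error_code code = krb5_cc_initialize(kcontext, kccache, kprincipal);

    if (code) {
        com_err(program_name, code, "when initializing cache");
        krb5_free_cred_contents(kcontext, creds);
        exit(999);
    }
    code = krb5_cc_store_cred(kcontext, kccache, creds);
    if (code) {
        com_err(program_name, code, "while storing credentials");
        krb5_free_cred_contents(kcontext, creds);
        exit(999);
    }
}

/*
 * mkinit: obtain a TGT for argv[1] and store it in the default ccache.
 *
 *   argv[1]      principal, either "user" or a UPN such as "user@domain.com"
 *   argv[2..]    optional realms to try in order; when none is given the
 *                compiled-in REALM is used
 *
 * A UPN-style name is sent with the enterprise name type so the KDC matches
 * it against the UPN rather than the sAMAccountName.  Exit status: 0 on
 * success, -1 usage, -2/-3 library or ccache setup failure, 1 name parsing
 * failure, 999 credential acquisition or storage failure.
 */
int main(int argc, char *argv[], char **envp)
{
    const char *program_name;
    const char *principal_name;
    krb5_context kcontext;
    krb5_principal kprincipal = NULL;
    krb5_ccache kccache;
    krb5_error_code code = 0;
    krb5_creds my_creds;
    krb5_get_init_creds_opt options;
    int i;

    (void)envp;
    program_name = argv[0];
    if (argc <= 1) {
        fprintf(stderr, "usage: %s principal [realm ...]\n", program_name);
        exit(-1);
    }
    principal_name = argv[1];

    code = krb5_init_context(&kcontext);
    if (code) {
        com_err(program_name, code, "while initializing Kerberos 5 library");
        exit(-2);
    }
    if ((code = krb5_cc_default(kcontext, &kccache))) {
        com_err(program_name, code, "while getting default ccache");
        exit(-3);
    }
    krb5_get_init_creds_opt_init(&options);
    memset(&my_creds, 0, sizeof(my_creds));

    if (argc <= 2) {
        /* No realm on the command line: use the compiled-in default. */
        if (parse_principal(kcontext, program_name, principal_name, REALM,
                            &kprincipal) != 0)
            exit(1);
        code = krb5_get_init_creds_password(kcontext, &my_creds, kprincipal,
                                            0, krb5_prompter_posix, 0,
                                            0, 0, &options);
        if (code) {
            report_init_creds_error(program_name, code);
            krb5_free_cred_contents(kcontext, &my_creds);
            exit(999);
        }
        store_creds_or_exit(kcontext, program_name, kccache, kprincipal,
                            &my_creds);
        krb5_free_cred_contents(kcontext, &my_creds);
        krb5_free_principal(kcontext, kprincipal);
        exit(0);
    }

    /*
     * Realms were given on the command line: try each in turn and stop at
     * the first one that knows the principal.  The loop runs over argv[2]
     * .. argv[argc-1] only; the original "<= argc-2" bound read argv[argc],
     * which is NULL.
     */
    for (i = 2; i < argc; i++) {
        const char *realm_name = argv[i];

        if (parse_principal(kcontext, program_name, principal_name,
                            realm_name, &kprincipal) != 0)
            exit(1);
        code = krb5_get_init_creds_password(kcontext, &my_creds, kprincipal,
                                            0, krb5_prompter_posix, 0,
                                            0, 0, &options);
        if (code == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN ||
            code == KRB5_REALM_UNKNOWN) {
            /* Principal unknown in this realm: release and try the next. */
            krb5_free_cred_contents(kcontext, &my_creds);
            krb5_free_principal(kcontext, kprincipal);
            kprincipal = NULL;
            continue;
        }
        if (code) {
            report_init_creds_error(program_name, code);
            krb5_free_cred_contents(kcontext, &my_creds);
            exit(999);
        }
        store_creds_or_exit(kcontext, program_name, kccache, kprincipal,
                            &my_creds);
        krb5_free_cred_contents(kcontext, &my_creds);
        krb5_free_principal(kcontext, kprincipal);
        exit(0);
    }

    /* Every realm rejected the principal; report the last error seen. */
    report_init_creds_error(program_name, code);
    krb5_free_cred_contents(kcontext, &my_creds);
    exit(999);
}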
"Terry" <td3201 at gmail.com> wrote in message
news:mailman.33.1205339252.3372.kerberos at mit.edu...
>I am not sure if this matters but the end result is to use
> mod_auth_kerb to authenticate users. You are saying I need to
> recompile it to use type 10 (enterprise name type)? I might be able
> to figure that out. :)
>
>
>
> On Tue, Mar 11, 2008 at 7:32 PM, Markus Moeller <huaraz at moeller.plus.com>
> wrote:
>> You need a modified kinit which sets the principal type to 10
>> (enterprise
>> name type). Windows will then use the UPN instead of the samaccountname
>> to
>> authenticate. (See attached sample mkinit.c)
>>
>> Markus.
>>
>> BTW If your client supports client canonicalisation you can authenticate
>> as
>> jdoe at domain.com but get a ticket for the samaccountname.
>>
>> "Terry" <td3201 at gmail.com> wrote in message
>> news:8ee061010803111146g3d5b36b2rd5e22be1d3961073 at mail.gmail.com...
>>
>>
>> > Hello,
>> >
>> > I am very new to this. I have a FQDN in AD set to domain.foo. The
>> > UPN of a user is jdoe at domain.com. (note the difference between foo
>> > and com).
>> >
>> > How can I authenticate with jdoe at domain.com? I am able to auth
>> > correctly with the sAMAccountName.
>> >
>> > Thanks!
>> > ________________________________________________
>> > Kerberos mailing list Kerberos at mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>> >
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>