using UPN to auth

Terry td3201 at gmail.com
Wed Mar 12 15:54:21 EDT 2008


Man, this is a mess.  Not sure I want to dig this deep into the problem.

On Wed, Mar 12, 2008 at 2:09 PM, Markus Moeller <huaraz at moeller.plus.com> wrote:
> Yes, you need to modify mod_auth_kerb. One thing you need to be aware of is
>  that determining the realm becomes harder: the email-style UPN already
>  contains an '@', and the realm suffix that gets appended also starts with '@'.
>
>  Markus
>
>  Source inserted below:
>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <krb5.h>
#define REALM "WIN2003R2.HOME"
#define KDC_OPT_CANONICALIZE 0x00010000
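/*
 * Principal name type that marks a principal as an "enterprise name"
 * (NT-ENTERPRISE, value 10; see RFC 6806).  Active Directory then looks
 * the client up by UPN instead of sAMAccountName.
 */
enum { ENTERPRISE_NAME_TYPE = 10 };

/*
 * Build the string "<principal>@<realm>" for krb5_parse_name().
 *
 * Every '@' inside principal_name is backslash-escaped, so a UPN such as
 * "jdoe@domain.com" becomes "jdoe\@domain.com@REALM": the whole UPN stays
 * one name component and only the appended "@<realm>" is read as the
 * realm.  A name without '@' is simply suffixed with "@<realm>".
 *
 * Returns a malloc()ed string the caller must free, or NULL on allocation
 * failure.  Backslashes already present in principal_name are passed
 * through unescaped, as in the original code.
 */
static char *
principal_string(const char *principal_name, const char *realm_name)
{
    const char *src;
    char *out;
    char *dst;
    size_t len = 0;

    /*
     * Size the buffer exactly: one byte per input character, one extra
     * for each escaped '@', then the '@' separator, the realm and the NUL.
     * (The original under-allocated by one byte on the non-UPN path.)
     */
    for (src = principal_name; *src != '\0'; src++)
        len += (*src == '@') ? 2 : 1;
    len += 1 + strlen(realm_name) + 1;

    out = malloc(len);
    if (out == NULL)
        return NULL;

    dst = out;
    for (src = principal_name; *src != '\0'; src++) {
        if (*src == '@')
            *dst++ = '\\';
        *dst++ = *src;
    }
    *dst++ = '@';
    strcpy(dst, realm_name);    /* fits: sized above */
    return out;
}

/*
 * Parse principal_name (in realm_name) into *out.  If principal_name
 * looks like a UPN / e-mail address (contains '@'), the parsed principal
 * is marked as an enterprise name so the KDC resolves it by UPN.
 *
 * Returns 0 on success (caller owns *out; release with
 * krb5_free_principal), otherwise a non-zero error code after a
 * diagnostic has been printed.
 */
static krb5_error_code
build_principal(krb5_context ctx, const char *program_name,
                const char *principal_name, const char *realm_name,
                krb5_principal *out)
{
    int is_upn = (strchr(principal_name, '@') != NULL);
    char *name = principal_string(principal_name, realm_name);
    krb5_error_code code;

    if (name == NULL) {
        com_err(program_name, ENOMEM, "while building principal name");
        return ENOMEM;
    }
    code = krb5_parse_name(ctx, name, out);
    if (code)
        com_err(program_name, code, "when parsing name %s", name);
    free(name);
    if (code)
        return code;

    if (is_upn) {
        /*
         * Poke the library-private field, as the original did.  Newer
         * libraries may offer a public way to do this (e.g. a parse flag
         * or a set-type call) -- prefer that where available.
         */
#ifdef HEIMDAL
        (*out)->name.name_type = ENTERPRISE_NAME_TYPE;
#else
        (*out)->type = ENTERPRISE_NAME_TYPE;
#endif
    }
    return 0;
}

/*
 * Print the diagnostic for a failed krb5_get_init_creds_password() call.
 * A bad-integrity error from the KDC is reported as a wrong password.
 */
static void
report_init_creds_error(const char *program_name, krb5_error_code code)
{
    if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
        fprintf(stderr,
                "%s: Password incorrect while getting initial credentials\n",
                program_name);
    else
        com_err(program_name, code, "while getting initial credentials");
}

/*
 * Initialise cc and store creds in it.
 *
 * The cache's default principal is taken from the credentials the KDC
 * actually issued (creds->client) rather than from the name we asked
 * for: for an enterprise-name request the KDC may answer with the
 * canonical sAMAccountName@REALM, and a cache whose default principal
 * differs from the client in its TGT can confuse consumers that compare
 * the two.  When the KDC does not canonicalise, creds->client is the
 * requested name and behaviour is unchanged.
 *
 * Prints a diagnostic and returns the error on failure; creds is not
 * freed here.
 */
static krb5_error_code
store_creds(krb5_context ctx, const char *program_name, krb5_ccache cc,
            krb5_creds *creds)
{
    krb5_error_code code;

    code = krb5_cc_initialize(ctx, cc, creds->client);
    if (code) {
        com_err(program_name, code, "when initializing cache");
        return code;
    }
    code = krb5_cc_store_cred(ctx, cc, creds);
    if (code)
        com_err(program_name, code, "while storing credentials");
    return code;
}

/*
 * mkinit: obtain a TGT and store it in the default credential cache.
 *
 *   mkinit PRINCIPAL [REALM ...]
 *
 * PRINCIPAL may be a plain name ("jdoe") or a UPN / e-mail style name
 * ("jdoe@domain.com"); the latter is sent to the KDC as an enterprise
 * name so Active Directory authenticates by UPN rather than
 * sAMAccountName.  With no REALM arguments the compiled-in REALM is
 * used; otherwise the realms are tried in order and the first one that
 * knows the principal wins.  The password is prompted for interactively
 * (once per realm tried).
 *
 * Exit status: 0 success; -1 usage; -2/-3 Kerberos library or cache
 * setup failure; 1 unparsable principal or out of memory; 999 KDC or
 * cache failure.  The negative values are kept from the original.
 */
int main(int argc, char *argv[], char **envp)
{
    const char *program_name;
    const char *principal_name;
    krb5_context kcontext;
    krb5_ccache kccache;
    krb5_principal kprincipal = NULL;
    krb5_creds my_creds;
    krb5_get_init_creds_opt options;
    krb5_error_code code;

    (void)envp;     /* unused */

    program_name = argv[0];
    if (argc <= 1) {
        fprintf(stderr, "usage: %s PRINCIPAL [REALM ...]\n", program_name);
        exit(-1);
    }
    principal_name = argv[1];

    code = krb5_init_context(&kcontext);
    if (code) {
        com_err(program_name, code, "while initializing Kerberos 5 library");
        exit(-2);
    }
    code = krb5_cc_default(kcontext, &kccache);
    if (code) {
        com_err(program_name, code, "while getting default ccache");
        exit(-3);
    }

    krb5_get_init_creds_opt_init(&options);
    memset(&my_creds, 0, sizeof my_creds);

    if (argc <= 2) {
        /* No realm on the command line: use the compiled-in one. */
        if (build_principal(kcontext, program_name, principal_name, REALM,
                            &kprincipal) != 0)
            exit(1);
        code = krb5_get_init_creds_password(kcontext, &my_creds, kprincipal,
                                            0, krb5_prompter_posix, 0, 0, 0,
                                            &options);
    } else {
        /*
         * Realms given: try each in turn.  "Unknown principal/realm"
         * moves on to the next realm; any other failure (including a
         * wrong password) stops immediately, as before.  The loop stops
         * at argc - 1: argv[argc] is NULL, and the original's
         * "i <= argc - 2" walked onto it when every realm failed.
         */
        int i;

        for (i = 2; i < argc; i++) {
            if (build_principal(kcontext, program_name, principal_name,
                                argv[i], &kprincipal) != 0)
                exit(1);
            code = krb5_get_init_creds_password(kcontext, &my_creds,
                                                kprincipal, 0,
                                                krb5_prompter_posix, 0, 0, 0,
                                                &options);
            if (code == 0)
                break;
            krb5_free_principal(kcontext, kprincipal);
            kprincipal = NULL;
            if (code != KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN &&
                code != KRB5_REALM_UNKNOWN)
                break;
        }
    }

    if (code) {
        report_init_creds_error(program_name, code);
        krb5_free_cred_contents(kcontext, &my_creds);
        exit(999);
    }

    /* TGT obtained: put it in the cache. */
    if (store_creds(kcontext, program_name, kccache, &my_creds) != 0) {
        krb5_free_cred_contents(kcontext, &my_creds);
        exit(999);
    }

    krb5_free_cred_contents(kcontext, &my_creds);
    krb5_free_principal(kcontext, kprincipal);
    krb5_cc_close(kcontext, kccache);
    krb5_free_context(kcontext);
    return 0;
}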
>
>
>
>  "Terry" <td3201 at gmail.com> wrote in message
>  news:mailman.33.1205339252.3372.kerberos at mit.edu...
>
> >I am not sure if this matters but the end result is to use
>  > mod_auth_kerb to authenticate users.  You are saying I need to
>  > recompile it to use type 10 (enterprise name type)?  I might be able
>  > to figure that out.  :)
>  >
>  >
>  >
>
> > On Tue, Mar 11, 2008 at 7:32 PM, Markus Moeller <huaraz at moeller.plus.com>
>  > wrote:
>
>
> >> You need a modified kinit which sets the principal type  to 10
>  >> (enterprise
>  >>  name type). Windows will then use the UPN instead of the samaccountname
>  >> to
>  >>  authenticate. (See attached sample mkinit.c)
>  >>
>  >>  Markus.
>  >>
>  >>  BTW, if your client supports client canonicalisation you can authenticate
>  >> as
>  >>  jdoe at domain.com but get a ticket issued for the sAMAccountName.
>  >>
>  >>  "Terry" <td3201 at gmail.com> wrote in message
>  >>  news:8ee061010803111146g3d5b36b2rd5e22be1d3961073 at mail.gmail.com...
>  >>
>  >>
>  >> > Hello,
>  >>  >
>  >>  > I am very new to this.  I have a FQDN in AD set to domain.foo.  The
>  >>  > UPN of a user is jdoe at domain.com.  (note the difference between foo
>  >>  > and com).
>  >>  >
>  >>  > How can I authenticate with jdoe at domain.com?  I am able to auth
>  >>  > correctly with the sAMAccountName.
>  >>  >
>  >>  > Thanks!
>  >>  >
>  >>
>  >>
>  >>
>
>


