Authenticating using lower case domain/realm

Tim Alsop Tim.Alsop at CyberSafe.com
Mon Mar 9 08:07:29 EDT 2009 

San,

You need an implementation of Kerberos, which has support for UPN authentication (using nt-enterprise principal names) and the canonical flag, as well as client side realm referrals. I guess the implementation of Kerberos on Ubuntu does not have these extensions coded.

I represent a vendor who develops and sells a commercial implementation of Kerberos, and our product works as you expect - see below:

talsop at perky:~> kinit talsop
Password for talsop at DEV.LOCAL:
talsop at perky:~> klist
          Cache Type: Kerberos V5 Credentials Cache
          Cache File: /krb5/tmp/cc/krb5cc_1000
       Cache Version: 0502
   Default Principal: talsop at DEV.LOCAL

Valid From                    Expires                       Service Principal
----------------------------  ----------------------------  -----------------
Mon 09 Mar 2009 12:06:03 GMT  Mon 09 Mar 2009 20:06:23 GMT  krbtgt/DEV.LOCAL at DEV.LOCAL
talsop at perky:~> kinit talsop at dev.local
Password for talsop\@dev.local at DEV.LOCAL:
talsop at perky:~> klist
          Cache Type: Kerberos V5 Credentials Cache
          Cache File: /krb5/tmp/cc/krb5cc_1000
       Cache Version: 0502
   Default Principal: talsop at DEV.LOCAL

Valid From                    Expires                       Service Principal
----------------------------  ----------------------------  -----------------
Mon 09 Mar 2009 12:06:16 GMT  Mon 09 Mar 2009 20:06:35 GMT  krbtgt/DEV.LOCAL at DEV.LOCAL
talsop at perky:~>

Thanks,
Tim

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of San tos
Sent: 09 March 2009 11:49
To: kerberos at mit.edu
Subject: Authenticating using lower case domain/realm

Hello to all.

I have successfully configured ubuntu machines to authenticate to a active
directory running windows 2k (pam_krb5/LDAP/Kerberos). The realm is
DOMAIN.COM, however in order to be user friendly and maintain the same login
address in everything, i need to authenticate using user at domain.com instead
of user at DOMAIN.COM.

It seems windows 2k, accepts either way, but maybe kerberos don't like the
response it receives:

kinit(v5): KDC reply did not match expectations while getting initial
credentials



I'm using ubuntu 8.10 and:

krb5-config 1.19 Configuration files for Kerberos Version 5
krb5-user 1.6.dfsg.4~beta1-3 Basic programs to authenticate using MIT Ker
libkrb53 1.6.dfsg.4~beta1-3 MIT Kerberos runtime libraries

The krb5.conf:

[libdefaults]
        default_realm = DOMAIN.COM
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
#       dns_lookup_realm = true
#       dns_lookup_kdc = false

[realms]
        DOMAIN.COM = {
                kdc = dc.domain.com
                admin_server = dc.domain.com
                default_domain = DOMAIN.COM
        }


[domain_realm]
        domain.com = DOMAIN.COM
        .domain.com  = DOMAIN.COM



I have googled, read the mans, tried a lot of other configurations, etc, for
days now, but can't figure it out. I will appreciate any input you got on
this.


Thanks in advance for you replies.

Santos
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list