Authenticating using lower case domain/realm

Luke Howard lukeh at
Mon Mar 9 17:51:54 EDT 2009

On 10/03/2009, at 3:17 AM, Santos wrote:

>> On Mon, Mar 9, 2009 at 1:35 PM, Luke Howard <lukeh at> wrote:
>>> MIT Kerberos 1.7 adds the -C (canonicalize) and -E (enterprise
>>> principal name) options to kinit, which may help.
> Actualy my main priority is to use pam_krb5.
> If i compile MIT kerberos 1.7 on ubuntu 8.10. Will pam_krb5 be able  
> to use
> those flags? Does the krb5.conf file have any settings to enable those
> settings as default?

It doesn't but you should be able to easily modify pam_krb5 to call  
krb5_get_init_creds_opt_set_canonicalize(), and to call  
krb5_parse_name_flags(KRB5_PRINCIPAL_PARSE_ENTERPRISE) rather than  
krb5_parse_name(). Of course, this should be made configurable.

-- Luke

More information about the Kerberos mailing list