Authenticating using lower case domain/realm

Santos sansancasd at gmail.com
Tue Mar 10 06:30:02 EDT 2009


Oh, just compiled 1.7 alpha and indeed kinit worked great with nt-enterprise
(just used the -E flag). I was trying to find the krb5.conf setting that
enabled the enterprise name for all krb apps.

But even if I do find it, you say it's useless because pam_krb5 won't use
it? Ahh what a disappointment..



On Mon, Mar 9, 2009 at 9:51 PM, Luke Howard <lukeh at padl.com> wrote:

> On 10/03/2009, at 3:17 AM, Santos wrote:
>
>> On Mon, Mar 9, 2009 at 1:35 PM, Luke Howard <lukeh at padl.com> wrote:
>>
>>> MIT Kerberos 1.7 adds the -C (canonicalize) and -E (enterprise
>>> principal name) options to kinit, which may help.
>>
>> Actually my main priority is to use pam_krb5.
>>
>> If I compile MIT Kerberos 1.7 on Ubuntu 8.10, will pam_krb5 be able to use
>> those flags? Does the krb5.conf file have any settings to enable those
>> settings as default?
>
> It doesn't, but you should be able to easily modify pam_krb5 to call
> krb5_get_init_creds_opt_set_canonicalize(), and to call
> krb5_parse_name_flags(KRB5_PRINCIPAL_PARSE_ENTERPRISE) rather than
> krb5_parse_name(). Of course, this should be made configurable.
>
> -- Luke
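Added example, not part of the original thread and not code from MIT Kerberos or pam_krb5: a self-contained C model of how the same login string splits under ordinary parsing and under enterprise parsing, which is why the lower-case domain ends up as the requested realm in the first case and stays inside the name in the second. It does not call libkrb5; the struct, the function model_parse and the sample names are hypothetical, and '/' components and backslash escapes are assumed absent.

```c
#include <stdio.h>
#include <string.h>

/* Name-type numbers: NT-PRINCIPAL (RFC 4120), NT-ENTERPRISE (RFC 6806). */
enum { NT_PRINCIPAL = 1, NT_ENTERPRISE = 10 };

/* Hypothetical simplified principal; not libkrb5's krb5_principal. */
struct princ {
    int  type;
    char name[128];
    char realm[128];
};

/* Model of the realm split. Ordinary parsing cuts at the first '@'.
 * Enterprise parsing keeps the first '@' inside the name, so only a second
 * '@' starts the realm. Without a realm part, default_realm is used.
 * Assumption: no '/' components and no backslash escapes in the input. */
int model_parse(const char *in, int enterprise, const char *default_realm,
                struct princ *out)
{
    const char *at = strchr(in, '@');
    if (enterprise && at != NULL)
        at = strchr(at + 1, '@');
    size_t nlen = at ? (size_t)(at - in) : strlen(in);
    const char *realm = at ? at + 1 : default_realm;
    if (nlen == 0 || nlen >= sizeof out->name)
        return -1;
    if (realm[0] == '\0' || strlen(realm) >= sizeof out->realm)
        return -1;
    memcpy(out->name, in, nlen);
    out->name[nlen] = '\0';
    strcpy(out->realm, realm);
    out->type = enterprise ? NT_ENTERPRISE : NT_PRINCIPAL;
    return 0;
}

int main(void)
{
    /* Constructed sample: a user typing a lower-case login name. */
    const char *login = "alice@example.com", *defrealm = "EXAMPLE.COM";
    struct princ p;
    for (int ent = 0; ent <= 1; ent++) {
        if (model_parse(login, ent, defrealm, &p) == 0)
            printf("enterprise=%d type=%d name=%s realm=%s\n",
                   ent, p.type, p.name, p.realm);
    }
    return 0;
}
```

In the enterprise case the request goes to the default realm with the whole login string as a single name, and with canonicalization requested the KDC can return the canonical principal and realm.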


