MIT kinit with AD userPrincipalName with SMTP domain and not proper realm?

Michael B Allen ioplex at gmail.com
Fri Nov 20 19:48:25 EST 2009


Hi,

Is it possible to acquire credentials using kinit from AD using the
userPrincipalName on an AD account if the DNS domain does not match
the AD realm?

Meaning if I have a realm EXAMPLE.LOCAL and an SMTP domain EXAMPLE.COM,
and the userPrincipalName attributes on accounts in AD use the SMTP domain,
like alice@EXAMPLE.COM, can initial credentials be acquired?

If I try kinit I get:

  $ kinit -f alice@EXAMPLE.COM
  kinit(v5): Cannot resolve network address for KDC in realm EXAMPLE.COM while getting initial credentials

If I then add the following to my krb5.conf:

  [realms]
    EXAMPLE.COM = {
      kdc = dc1.example.local
    }

and try kinit again I get:

  $ kinit -f alice@EXAMPLE.COM
  kinit(v5): KRB5 error code 68 while getting initial credentials

and a capture shows that both the AS-REQ realm and the service realm are
EXAMPLE.COM. Error code 68 is KDC_ERR_WRONG_REALM.

Adding .example.com = EXAMPLE.COM to [domain_realm] doesn't appear to
have any effect.

Of course using the implied principal name <sAMAccountName>@<dnsRoot> works:

  $ kinit -f alice@EXAMPLE.LOCAL
  Password for alice@EXAMPLE.LOCAL: ...

Windows must be able to do this. How does a Windows client know that
the SMTP domain should be substituted with a proper realm and which
one?

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/