MIT kinit with AD userPrincipalName with SMTP domain and not proper realm?

Michael B Allen ioplex@gmail.com
Fri Nov 20 21:34:33 EST 2009


Well it's all coming back to me now. It seems this has been discussed before:

  http://mailman.mit.edu/pipermail/kerberos/2007-October/012373.html

The userPrincipalName is only used if the principal type is 10
(KRB5_NT_ENTERPRISE_PRINCIPAL or perhaps GSS_C_NT_ENTERPRISE_PRINCIPAL
if GSSAPI supported such a thing). AD will also canonicalize the
supplied name in the AS-REP to the sAMAccountName@dnsRoot.

As for the domain, I'm still a little fuzzy there as well. I would
have to take some captures to see if the Windows client tries to
look up the domain name supplied or if it simply ignores the @domain
and sends the AS-REQ to the default authority.

Mike

On Fri, Nov 20, 2009 at 7:48 PM, Michael B Allen <ioplex@gmail.com> wrote:
> Hi,
>
> Is it possible to acquire credentials using kinit from AD using the
> userPrincipalName on an AD account if the DNS domain does not match
> the AD realm?
>
> Meaning if I have a realm EXAMPLE.LOCAL and an SMTP domain EXAMPLE.COM
> and userPrincipalName attributes on accounts in AD use the SMTP domain
> like alice@EXAMPLE.COM, can initial credentials be acquired?
>
> If I try kinit I get:
>
>  $ kinit -f alice@EXAMPLE.COM
>  kinit(v5): Cannot resolve network address for KDC in realm EXAMPLE.COM while getting initial credentials
>
> If I then add the following to my krb5.conf:
>
>  [realms]
>    EXAMPLE.COM = {
>      kdc = dc1.example.local
>    }
>
> and try kinit again I get:
>
>  $ kinit -f alice@EXAMPLE.COM
>  kinit(v5): KRB5 error code 68 while getting initial credentials
>
> and a capture shows the AS-REQ realm and service realm is EXAMPLE.COM.
> Error code 68 is KDC_ERR_WRONG_REALM.
>
> Adding .example.com = EXAMPLE.COM to [domain_realm] doesn't appear to
> have any effect.
>
> Of course using the implied principal name <sAMAccountName>@<dnsRoot> works:
>
>  $ kinit -f alice@EXAMPLE.LOCAL
>  Password for alice@EXAMPLE.LOCAL: ...
>
> Windows must be able to do this. How does a Windows client know that
> the SMTP domain should be substituted with a proper realm and which
> one?
>
> Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
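The thread turns on the name type carried in the AS-REQ: typed as an ordinary principal, `alice@EXAMPLE.COM` makes the client treat `EXAMPLE.COM` as the realm (hence the "cannot resolve KDC" and then KDC_ERR_WRONG_REALM errors quoted above), whereas as an enterprise principal (name-type 10, RFC 6806) the whole string is a single name-string component sent to the client's default realm, which the KDC is then asked to canonicalize. The following Python is an added illustration, not code from the thread or from MIT Kerberos: it encodes the RFC 4120 `PrincipalName` structure by hand for both name types so the difference is visible on the wire. `build_as_req_cname` is a hypothetical model of the client-side parsing step, and the realm and user names are the constructed values from the mail. In MIT krb5 1.7 and later the equivalent on the command line is `kinit -E` (with `-C` to request canonicalization), with the default realm pointed at the AD domain's KDC in `krb5.conf`.

```python
"""Kerberos PrincipalName encoding: NT-PRINCIPAL vs NT-ENTERPRISE.

Added example (not from the mailing-list thread).  Builds the DER
PrincipalName from RFC 4120 section 5.2.2 and shows how the string
"alice@EXAMPLE.COM" is carried in an AS-REQ under each name type.
Standard library only; no KDC is contacted.
"""

# Name types from RFC 4120 section 6.2 and RFC 6806 (enterprise names).
KRB5_NT_PRINCIPAL = 1
KRB5_NT_ENTERPRISE_PRINCIPAL = 10


# --- minimal DER helpers (tag, length, value) --------------------------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int32(value: int) -> bytes:
    # INTEGER (tag 0x02), minimal two's-complement body.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return _der_tlv(0x02, body)


def _der_general_string(s: str) -> bytes:
    # KerberosString is a GeneralString (tag 0x1b); names here are ASCII.
    return _der_tlv(0x1B, s.encode("ascii"))


def _der_read(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


# --- PrincipalName ----------------------------------------------------------
def encode_principal_name(name_type: int, components: list) -> bytes:
    """PrincipalName ::= SEQUENCE {
           name-type   [0] Int32,
           name-string [1] SEQUENCE OF KerberosString }"""
    name_string = _der_tlv(0x30, b"".join(_der_general_string(c) for c in components))
    inner = _der_tlv(0xA0, _der_int32(name_type)) + _der_tlv(0xA1, name_string)
    return _der_tlv(0x30, inner)


def decode_principal_name(der: bytes):
    """Return (name_type, [components]) from a DER PrincipalName."""
    tag, seq, _ = _der_read(der, 0)
    tag0, nt_wrapped, pos = _der_read(seq, 0)
    tag1, ns_wrapped, _ = _der_read(seq, pos)
    if (tag, tag0, tag1) != (0x30, 0xA0, 0xA1):
        raise ValueError("not a PrincipalName")
    _, nt_body, _ = _der_read(nt_wrapped, 0)
    _, ns_seq, _ = _der_read(ns_wrapped, 0)
    components, pos = [], 0
    while pos < len(ns_seq):
        _, s, pos = _der_read(ns_seq, pos)
        components.append(s.decode("ascii"))
    return int.from_bytes(nt_body, "big", signed=True), components


def build_as_req_cname(typed: str, default_realm: str, enterprise: bool = False):
    """Hypothetical model of what a client does with the string given to kinit.

    Returns (realm the AS-REQ goes to, name_type, components, DER cname).
    """
    if enterprise:
        # RFC 6806: the whole string is ONE component; the request goes to the
        # client's default realm, whose KDC canonicalizes the name (AD answers
        # with sAMAccountName@dnsRoot).
        realm, components = default_realm, [typed]
        name_type = KRB5_NT_ENTERPRISE_PRINCIPAL
    else:
        # Ordinary parsing: text after the last '@' is taken as the realm, so
        # the request is routed to (a non-existent) realm EXAMPLE.COM.
        local, sep, realm = typed.rpartition("@")
        if not sep:
            local, realm = typed, default_realm
        components, name_type = local.split("/"), KRB5_NT_PRINCIPAL
    return realm, name_type, components, encode_principal_name(name_type, components)


if __name__ == "__main__":
    for ent in (False, True):
        realm, nt, comps, der = build_as_req_cname("alice@EXAMPLE.COM", "EXAMPLE.LOCAL", ent)
        print(f"enterprise={ent}: AS-REQ realm={realm} name-type={nt} name-string={comps}")
        print("  DER:", der.hex())
```

Running it prints the non-enterprise case with realm `EXAMPLE.COM` and name-string `['alice']`, and the enterprise case with realm `EXAMPLE.LOCAL`, name-type 10 and the single component `alice@EXAMPLE.COM`; the DER differs only in the integer under `[0]` and in the `@` being inside the GeneralString rather than stripped off as a realm.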