Creating enterprise principals with kadmin

Greg Hudson ghudson at mit.edu
Mon Sep 15 10:39:07 EDT 2014


On 09/13/2014 12:52 PM, Rick van Rein wrote:
> But this leaves me a bit worried about the KRB5-NT-ENTERPRISE nametype — does it apply to what I am doing?  Does my approach create a correct enterprise principal name, or am I so lucky to run into leniency by Kerberos?

As I understand the enterprise principal name type based on RFC 6806
section 5, it is intended to convey an email-style alias which should be
looked up in some kind of name service to figure out the actual
principal name and realm for a user.  Active Directory contains such a
service; the MIT krb5 KDC does not, unless you use a third-party KDB
module which provides one.  (Our LDAP KDB module supports aliases within
a realm, but not aliases which point to other realms.)

Creating an actual principal entry for an enterprise name doesn't seem
like a good idea.  A client which makes an AS request for an enterprise
name should wind up with a ticket for an actual, normal principal name,
not a ticket for the alias.
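To make the distinction in this reply concrete, here is an added Python example; it is my own illustration, not MIT krb5 code and not something posted in this thread. It parses principal strings under two rules: the normal rule (components split on unescaped `/`, realm after the first unescaped `@`) and the enterprise rule MIT uses for `kinit -E`, where `/` is literal, the first unescaped `@` is part of the single component and only a second `@` introduces the realm. The name-type values are those of RFC 4120 section 6.2 and RFC 6806 section 5. The alias table and the principal names in it are constructed for the example; it stands in for the name service RFC 6806 expects the KDC to consult, which Active Directory has and a stock MIT KDC does not. The point it shows: `addprinc 'rick\@example.com'` creates a normal (NT-PRINCIPAL) entry whose one component happens to contain `@`; an AS request carrying an NT-ENTERPRISE name is a different object that has to be resolved to a real principal, and the ticket is for that resolved name.

```python
"""Toy model of Kerberos principal-name parsing and enterprise-name resolution.

Added example, not MIT krb5 code.  Name types follow RFC 4120 / RFC 6806;
the enterprise parsing rule is modelled on MIT's kinit -E behaviour.
"""
from __future__ import annotations

from dataclasses import dataclass

KRB5_NT_PRINCIPAL = 1    # ordinary principal name (RFC 4120 section 6.2)
KRB5_NT_ENTERPRISE = 10  # alias resolved by a name service (RFC 6806 section 5)


def _escape(s: str, special: str) -> str:
    """Backslash-escape every character of `special` occurring in s."""
    return "".join("\\" + c if c in special else c for c in s)


@dataclass(frozen=True)
class Principal:
    name_type: int
    components: tuple[str, ...]
    realm: str

    def unparse(self) -> str:
        """Render the name as a client would type it."""
        if self.name_type == KRB5_NT_ENTERPRISE:
            head, sep, tail = self.components[0].partition("@")
            # Only the first '@' of an enterprise name may stay bare.
            body = _escape(head, "\\@") + sep + _escape(tail, "\\@")
        else:
            body = "/".join(_escape(c, "\\/@") for c in self.components)
        return body + "@" + _escape(self.realm, "\\@")


def parse_principal(text: str, enterprise: bool = False,
                    default_realm: str = "") -> Principal:
    """Parse a principal string; `enterprise` selects the NT-ENTERPRISE rule."""
    components: list[str] = []
    buf: list[str] = []
    in_realm = False
    at_seen = False
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):      # escape: take next char literally
            i += 1
            buf.append(text[i])
        elif in_realm:
            buf.append(c)
        elif c == "/" and not enterprise:         # component separator (normal only)
            components.append("".join(buf))
            buf = []
        elif c == "@" and enterprise and not at_seen:
            at_seen = True                        # first '@' belongs to the alias
            buf.append(c)
        elif c == "@":                            # realm separator
            components.append("".join(buf))
            buf = []
            in_realm = True
        else:
            buf.append(c)
        i += 1
    if in_realm:
        realm = "".join(buf)
    else:
        components.append("".join(buf))
        realm = default_realm
    if any(comp == "" for comp in components):
        raise ValueError(f"empty component in {text!r}")
    if not realm:
        raise ValueError(f"no realm in {text!r} and no default realm")
    name_type = KRB5_NT_ENTERPRISE if enterprise else KRB5_NT_PRINCIPAL
    return Principal(name_type, tuple(components), realm)


# Constructed alias table: the "name service" that maps an e-mail-style alias
# to the real principal, possibly in another realm.  Hypothetical data.
ALIASES: dict[str, Principal] = {
    "rick@example.com": Principal(KRB5_NT_PRINCIPAL, ("rick",), "EXAMPLE.COM"),
    "rick@example.net": Principal(KRB5_NT_PRINCIPAL, ("rick",), "OTHER.EXAMPLE"),
}


def resolve_enterprise(p: Principal, aliases: dict[str, Principal] = ALIASES) -> Principal:
    """Return the real principal an enterprise name aliases.

    The ticket is issued for the returned normal name, never for the alias.
    An unknown alias is the KDC_ERR_C_PRINCIPAL_UNKNOWN case.
    """
    if p.name_type != KRB5_NT_ENTERPRISE:
        return p
    target = aliases.get(p.components[0])
    if target is None:
        raise LookupError(f"no principal is aliased by {p.components[0]!r}")
    return target


if __name__ == "__main__":
    literal = parse_principal(r"rick\@example.com@EXAMPLE.COM")   # what addprinc makes
    alias = parse_principal("rick@example.com@EXAMPLE.COM", enterprise=True)
    print("kadmin entry :", literal)
    print("AS-REQ name  :", alias)
    print("same object? :", literal == alias)
    print("ticket for   :", resolve_enterprise(alias).unparse())
```

The `literal` and `alias` values differ in name type even though their single component is byte-for-byte the same string, which is why a KDC that simply looks the enterprise name up as a database key, as the MIT KDC does without an alias-aware KDB module, will not find the entry kadmin created, and why finding it would be the wrong outcome anyway.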

