kinit: Mapping a local username to a Kerberos principal?

Greg Hudson ghudson at mit.edu
Fri Jul 17 12:14:16 EDT 2015


On 07/16/2015 05:46 PM, Lars Kellogg-Stedman wrote:
> Is it possible to configure my local Kerberos environment such that when I
> type 'kinit' with no additional parameters, it will use something other than
> '<my_local_username>@<default_kerberos_domain>'?

No, we don't have a configurable mapping from local name to Kerberos
principals.  If we did, every tool which gets initial tickets (not just
kinit) would need to be modified to use it.

At least some versions of pam_krb5 have some mapping options.  See the
alt_auth_map and search_k5login options here:

  http://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html

> My username on my local workstation differs from my organizational Kerberos
> principal name.  I'm currently using an explicit 'kinit
> myprincipal at CORP.COM', but this doesn't integrate well with system tools
> that might otherwise enable me to automatically acquire a token on login and
> take care of renewing it for me.
> 
> The documentation for both 'auth_local_names' and 'k5identity' seemed
> promising, but neither appears to do what I want.

Right.  aname-to-lname goes in the other direction, and k5identity is
about picking which of several Kerberos principals to use.

