A client name with an '@'

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Mon Jun 1 18:04:46 EDT 2015


Hi,

I'm trying to set up the MIT Kerberos server (1.12.2 / Fedora 21) to PKINIT from my organization's smart cards.

They have a MS user principal name of the form: 12001000550281@fedidcard.gov

I tried creating a realm "FEDIDCARD.GOV" with a user principal 12001000550281. This resulted in a client name mismatch when trying to kinit to 12001000550281@FEDIDCARD.GOV.

I then tried creating a "12001000550281@fedidcard.gov" principal in my realm. Unfortunately, I cannot kinit using the principal "12001000550281@fedidcard.gov@FEDIDCARD.GOV". kinit gives a "Malformed representation of principal when parsing name..." error.

Is there a solution to this? Some special syntax that tells the command line tools to ignore '@' signs in a client principal name? Or am I thinking wrong: Does kinit parse the user principal name into client and realm? Should I rename my realm to lowercase fedidcard.gov?

Thanks,
Bryce
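
The parsing behaviour behind the error in this post, as an added example that is not part of the original message and is not MIT's code: a simplified Python model of the krb5 principal string syntax, in which a backslash quotes the next character and a second unquoted '@' is rejected. The `enterprise` flag models the enterprise-name parsing mode that `kinit -E` requests; `parse_principal`, `MalformedPrincipal` and the default realm `EXAMPLE.TEST` are hypothetical names chosen for the illustration.

```python
class MalformedPrincipal(ValueError):
    """Stands in for kinit's 'Malformed representation of principal' error."""


def parse_principal(name, default_realm="EXAMPLE.TEST", enterprise=False):
    """Split an unparsed principal string into (components, realm).

    Simplified model (assumption, not libkrb5 code): a backslash quotes the
    next character, '/' separates components, and one unquoted '@' starts the
    realm. With enterprise=True the first unquoted '@' is kept in the name.
    The \\n, \\t, \\b and \\0 escapes and '/' in enterprise names are not modelled.
    """
    components, buf = [], []
    in_realm, keep_at = False, enterprise
    chars = iter(name)
    for ch in chars:
        if ch == "\\":
            quoted = next(chars, None)
            if quoted is None:
                raise MalformedPrincipal("trailing backslash")
            buf.append(quoted)
        elif ch == "@" and keep_at:
            keep_at = False          # enterprise name: '@' is part of the name
            buf.append(ch)
        elif ch in "@/" and in_realm:
            raise MalformedPrincipal(f"unquoted {ch!r} after the realm separator")
        elif ch == "@":
            components.append("".join(buf))
            buf, in_realm = [], True
        elif ch == "/":
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if in_realm:
        return components, "".join(buf)
    return components + ["".join(buf)], default_realm


# Constructed inputs built from the names in the post.
UPN = "12001000550281@fedidcard.gov"
DOUBLE_AT = UPN + "@FEDIDCARD.GOV"                   # the form kinit rejected
QUOTED = UPN.replace("@", "\\@") + "@FEDIDCARD.GOV"  # '@' quoted with a backslash
```

In this model `parse_principal(DOUBLE_AT)` raises `MalformedPrincipal`, while the quoted form and the enterprise form both yield a single component containing the '@'.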

