A client name with an '@'

Todd Grayson tgrayson at cloudera.com
Mon Jun 1 20:03:01 EDT 2015


Bryce

It's either 12001000550281@FEDIDCARD.GOV or
it's 12001000550281@fedidcard.gov

As far as your shell escaping with a \: in a command line you will not
escape the @; if you are scripting it, you might.

To the left of the @ is the principal name, traditionally lowercase.  To
the right is the REALM, traditionally uppercase.  AD userPrincipalName
entries should be able to handle the uppercase value being presented at
authentication for the user.

The userPrincipalName is the Kerberos principal name, within AD.  You do
not have to nest the lowercase instance into the uppercase realm (in other
words, don't use 12001000550281\@fedidcard.gov@FEDIDCARD.GOV ).  You should
be able to get it to work presenting consistent case and based on the
example I give above.



On Mon, Jun 1, 2015 at 5:02 PM, Nordgren, Bryce L -FS <bnordgren at fs.fed.us>
wrote:

> > $ kinit '12001000550281\@fedidcard.gov@FEDIDCARD.GOV'
>
> Thanks! Making progress!
>
> It now prints a single backslash when describing the principal, both in
> errors emitted from kinit and the "listprincs" command in kadmin.local.
> However, I'm back to "client name mismatch" out of kinit, presumably
> because the MS User Principal Name in the certificate lacks the backslash.
>
> Bryce



-- 
Todd Grayson
Customer Operations Engineering
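
The two principal spellings discussed in this thread parse differently, which the following added example illustrates (it is not code from the thread or from MIT krb5). It is a simplified model of the quoting convention used when principal names are parsed and printed: a backslash quotes the next character, an unquoted '/' separates components and an unquoted '@' starts the realm. The function names are hypothetical, and the special escapes \n, \t, \b and \0 are not handled.

```python
def parse_principal(name):
    """Split a principal string into (components, realm)."""
    components, buf, in_realm = [], [], False
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\":                       # backslash quotes the next character
            if i + 1 == len(name):
                raise ValueError("trailing backslash")
            buf.append(name[i + 1])
            i += 2
            continue
        if ch == "@":                        # unquoted '@' starts the realm
            if in_realm:
                raise ValueError("second unquoted '@'")
            components.append("".join(buf))
            buf, in_realm = [], True
        elif ch == "/" and not in_realm:     # unquoted '/' ends a component
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if in_realm:
        return components, "".join(buf)
    components.append("".join(buf))
    return components, None                  # no realm given in the string


def unparse_principal(components, realm):
    """Render a principal for display, quoting '\\', '/' and '@'."""
    def quote(s):
        return "".join("\\" + c if c in "\\/@" else c for c in s)
    return "/".join(quote(c) for c in components) + "@" + quote(realm)


# Constructed samples built from the principal strings in the thread.
ESCAPED = r"12001000550281\@fedidcard.gov@FEDIDCARD.GOV"
PLAIN = "12001000550281@FEDIDCARD.GOV"

if __name__ == "__main__":
    for s in (ESCAPED, PLAIN):
        comps, realm = parse_principal(s)
        print(f"{s!r}: components={comps} realm={realm}")
```

In the escaped form the single name component itself contains an '@', and printing it back adds the backslash again, which matches the single backslash seen in the kinit and listprincs output quoted above.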

