A client name with an '@'
Luke Howard
lukeh at padl.com
Wed Jun 3 07:53:30 EDT 2015
Ah, I didn’t read the context. MIT has supported client name canonicalisation in AS-REQs for a while so it might be worth a try.
Also: re earlier message, enterprise principal names (UPNs) imply canonicalisation, so you shouldn’t need to set the canon flag if you’re using this name type.
— Luke
> On 2 Jun 2015, at 11:37 pm, Nordgren, Bryce L -FS <bnordgren at fs.fed.us> wrote:
>
>> You could try the -C and -E options to kinit:
>>
>> -C canonicalize
>> -E client is enterprise principal name
>>
>> — Luke
>
> I could, but I'm not certain the MIT Kerberos KDC (to which kinit is connecting) knows how to canonicalize. Boy if I could get user principal mapping going, that would be sweet.
>
> For the moment, I seem to be PKINITing successfully.
>
> Bryce
--
www.lukehoward.com
soundcloud.com/lukehoward
More information about the Kerberos mailing list