A client name with an '@'
Nordgren, Bryce L -FS
bnordgren at fs.fed.us
Wed Jun 3 13:07:43 EDT 2015
> Or hack on the KDCs to implement AD-style case-insensitive/preserving
> realm matching. I'm starting to think that we ought to do this in Heimdal and
> MIT Kerberos, at least as an option.
This plus canonicalizing is how our corporate system might work. I don't think there's a FEDIDCARD.GOV realm (or fedidcard.gov either) outside the scope of my PKINIT test. I think our corporate AD sees users from that domain and knows (somehow) how to map them into the USDA.NET realm. Klist has never shown me a FEDIDCARD.GOV ticket on my Windows box, and I can't locate a FEDIDCARD.GOV KDC inside or outside the firewall.
Maybe canonicalizing isn't the right word for this... "appropriating user identities from unrelated virtual realms" may be more descriptive.
I had nothing to do with it. :)
Bryce