A client name with an '@'

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Wed Jun 3 13:07:43 EDT 2015


> Or hack on the KDCs to implement AD-style case-insensitive/preserving
> realm matching.  I'm starting to think that we ought to do this in Heimdal and
> MIT Kerberos, at least as an option.

This plus canonicalizing is how our corporate system might work. I don't think there's a FEDIDCARD.GOV realm (or fedidcard.gov either) outside the scope of my PKINIT test. I think our corporate AD sees users from that domain and knows (somehow) how to map them into the USDA.NET realm. Klist has never shown me a FEDIDCARD.GOV ticket on my Windows box, and I can't locate a FEDIDCARD.GOV KDC inside or outside the firewall.

Maybe canonicalizing isn't the right word for this... "appropriating user identities from unrelated virtual realms" may be more descriptive.

I had nothing to do with it. :) 

Bryce
