A client name with an '@'

Simo Sorce simo at redhat.com
Wed Jun 3 16:06:47 EDT 2015


On Wed, 2015-06-03 at 17:07 +0000, Nordgren, Bryce L -FS wrote:
> > Or hack on the KDCs to implement AD-style case-insensitive/preserving
> > realm matching.  I'm starting to think that we ought to do this in Heimdal and
> > MIT Kerberos, at least as an option.
> 
> This plus canonicalizing is how our corporate system might work. I
> don't think there's a FEDIDCARD.GOV realm (or fedidcard.gov either)
> outside the scope of my PKINIT test. I think our corporate AD sees
> users from that domain and knows (somehow) how to map them into the
> USDA.NET realm. Klist has never shown me a FEDIDCARD.GOV ticket on my
> windows box, and I can't locate a FEDIDCARD.GOV KDC inside or outside
> the firewall.
> 
> Maybe canonicalizing isn't the right word for this..."appropriating
> user identities from unrelated virtual realms" may be more
> descriptive.
> 
> I had nothing to do with it. :) 

In AD there is a mapping function to know which user a certificate
belongs to. AD does not care at all about the name you have in there
outside the mapping. Once mapped what matters is the UPN on the user
account, IIRC.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
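The explicit mapping Simo describes is the altSecurityIdentities attribute on the AD user object. As an added example (not part of the original thread, and not Red Hat or Microsoft code), the PowerShell below computes the X509IssuerSerialNumber mapping string for a certificate and binds it to an account, then reads back the UPN that the KDC will actually put in the ticket. The user name bnordgren, the realm usda.net, and the certificate path C:\certs\piv.cer are assumptions for illustration only; the host is assumed to be domain-joined with the ActiveDirectory module installed.

```powershell
# Added example, not from the original mailing-list thread.
# Assumes: ActiveDirectory RSAT module, a domain-joined host, a hypothetical
# user 'bnordgren' whose UPN is in usda.net, and a hypothetical PIV
# certificate exported to C:\certs\piv.cer whose Subject/SAN names live in
# an entirely different namespace (e.g. fedidcard.gov).

Import-Module ActiveDirectory

function Get-X509IssuerSerialMapping {
    # Builds the "X509:<I>issuer<SR>serial" mapping string that AD matches
    # against a presented client certificate. This is one of the strong
    # mapping forms (issuer DN reversed, serial number bytes reversed).
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Issuer DN components in reverse order, comma-separated without spaces.
    # Assumption: no RDN value contains an escaped comma.
    $issuerParts = $Certificate.Issuer -split ',\s*'
    [array]::Reverse($issuerParts)
    $issuerReversed = $issuerParts -join ','

    # GetSerialNumber() already returns the serial in little-endian byte
    # order, which is exactly the reversed-byte form the <SR> tag expects.
    $serialReversed = ($Certificate.GetSerialNumber() |
        ForEach-Object { $_.ToString('X2') }) -join ''

    return "X509:<I>$issuerReversed<SR>$serialReversed"
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\piv.cer'
$mapping = Get-X509IssuerSerialMapping -Certificate $cert

# Bind the certificate to the account. Nothing about the names inside the
# certificate is consulted once this mapping exists; the match is on
# issuer + serial.
Set-ADUser -Identity 'bnordgren' -Add @{ altSecurityIdentities = $mapping }

# What the KDC issues the TGT for is the account's UPN, not the cert name.
Get-ADUser -Identity 'bnordgren' -Properties userPrincipalName, altSecurityIdentities |
    Select-Object samAccountName, userPrincipalName, altSecurityIdentities
```

Two practical checks before relying on this: the issuing CA must still chain to a root the domain controllers trust and be present in the NTAuth store, or the KDC rejects the certificate before any mapping is attempted; and a mapping that only uses subject name or UPN (the weak forms) can be satisfied by any certificate carrying that name from a trusted CA, which is why the issuer+serial form above is preferred and why the serial must be re-registered when the card is reissued.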
