PKINIT name mapping?

Ken Hornstein kenh at
Mon May 18 18:19:21 EDT 2015

>I won't type that big long number every time I try to login. My
>peers will revolt. As it turns out, when I put the smart card in my
>corporate machine, klist shows that the client in the resulting tickets
>is: bnordgren at USDA.NET. There is really
>nothing in the certificate which would perform this mapping. I can,
>however, automatically generate a mapping file to push out to my KDC
>by querying AD. (For instance, I'm pretty sure a 1:1 mapping between
>userPrincipalName and sAMAccountName would do the trick.)
>Has this already been done, and if not, would it be possible to do the
>mapping by writing a plugin?

We've done that here, but to answer your question ... no, you can't do
it with a plugin.  Well, technically, you CAN ... the answer is "write
a whole new PKINIT plugin, or modify the existing one".  We did the

The way this is implemented is that you'd set a string for each principal
using the set_string interface; this would be a "cert match" rule
that would match the certificate presented (you can look at the man page
for krb5.conf, specifically the pkinit_cert_match rule for the syntax).
So you could map a specific principal to only work with a specific SAN,
just as an example.

In talks with MIT, they agreed those changes would be useful and it was
on my plate to submit those for review ... and that never happened.  But
it's still on the list of things for me to do.  These changes would also
include a few other things you might be interested in (the ability to
query against an OCSP server, and the ability to set the HW_AUTH flag
in the ticket if your client certificate had a particular policy OID
in it).  So, it's possible ... just not with the current code.
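
A simplified model of the per-principal "cert match" idea described in the reply above, added here as an illustration; it is not code from the original post, from the author's unsubmitted changes, or from MIT krb5. It assumes the rule grammar documented for pkinit_cert_match in krb5.conf, uses Python regular expressions as a stand-in for the KDC's matching, and the rule table, principal names and certificate fields are constructed.

```python
import re

# Added illustration: the rule table and all names below are hypothetical.
# Component tags from the pkinit_cert_match syntax in krb5.conf(5).
_COMPONENT = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>")

def parse_rule(rule):
    """Split '[&&|||]<TAG>value<TAG>value...' into (operator, [(tag, value)])."""
    op = "&&"  # krb5.conf documents && as the default relation
    if rule.startswith(("&&", "||")):
        op, rule = rule[:2], rule[2:]
    parts = _COMPONENT.split(rule)
    # parts = [text before first tag, tag1, value1, tag2, value2, ...]
    if parts[0].strip() or len(parts) < 3:
        raise ValueError("rule must start with a <TAG> component")
    return op, list(zip(parts[1::2], parts[2::2]))

def component_matches(tag, value, cert):
    if tag in ("EKU", "KU"):
        # List components: every listed usage must be present in the cert.
        wanted = {v.strip() for v in value.split(",")}
        return wanted <= set(cert[tag.lower()])
    if tag == "SAN":
        return any(re.search(value, san) for san in cert["san"])
    return re.search(value, cert[tag.lower()]) is not None

def cert_matches(rule, cert):
    op, components = parse_rule(rule)
    results = [component_matches(t, v, cert) for t, v in components]
    return all(results) if op == "&&" else any(results)

def principals_for_cert(rules_by_principal, cert):
    """Principals whose stored rule accepts this certificate."""
    return sorted(p for p, r in rules_by_principal.items() if cert_matches(r, cert))

# Constructed sample data (not from the original post).
SAMPLE_CERT = {
    "subject": "CN=Example User,OU=People,O=Example",
    "issuer": "CN=Example Issuing CA,O=Example",
    "san": ["1234567890123456@example.test"],
    "eku": ["clientAuth", "msScLogin"],
    "ku": ["digitalSignature"],
}
RULES = {
    "user1@EXAMPLE.TEST": r"<SAN>^1234567890123456@example\.test$",
    "user2@EXAMPLE.TEST": r"&&<SAN>^9999@example\.test$<EKU>msScLogin",
    "user3@EXAMPLE.TEST": r"||<SAN>^9999@example\.test$<ISSUER>Issuing CA",
}
```

With this data the certificate is accepted for user1 (anchored SAN match) and also for user3, whose `||` rule falls through to an issuer-only match; a rule set meant to bind one card to one principal should be checked for that kind of overlap.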

