Canonicalize on Mac

Tim Alsop Tim.Alsop at cybersafe.com
Wed Mar 23 15:07:43 EDT 2016


Hi

I am using Active Directory as a KDC and using a Mac with OSX 10.8, 10.9, 10.10 and 10.11.

When I configure Kerberos on a Mac OSX system, log in to the Mac and then run klist, I see a principal name which is lower case, but in AD the principal name is mixed case.
I can run kinit --canonicalize <user id> and this returns the correct case principal, but when I log on to the Mac this is not happening. I assume that an API call is being made during Mac logon and not kinit being run. Is this a correct assumption?

I also checked in krb5.conf but there doesn’t appear to be a documented way to force the canonical flag on an AS-REQ when Mac login uses Kerberos.

Thanks
Tim
Tim Alsop
Director

More information about the Kerberos mailing list