Canonicalize on Mac

Rick van Rein rick at openfortress.nl
Thu Mar 24 05:23:51 EDT 2016


Hi Tim,

> When I configure Kerberos on a Mac OSX system, and login to the Mac
> and then run klist I see a principal name which is lower case but in
> AD the principal name is mixed case.

I heard before that AD accepts case changes (hearsay).  Not sure if that
only reflected on the realm, or also the principal name.  Your Mac may
be set up with the differently-cased name.

> I can run kinit --canonicalize <user id> and this returns the correct
> case principal, but when I logon to the Mac this is not happening.

With --canonicalize, you tell the KDC to take more control, and your
client will accept name overrides.  Under Heimdal and any
standards-compliant software, a different case makes out a different
principal name and/or a different realm.

Have you tried using kinit without --canonicalize against AD, while
playing around with the case?

Have you checked the ticket names in Keychain Access, menu item Ticket
Viewer?  It may have been set up with your logon name or such, in
different case, and accepted as such by AD.

> I assume that an API call is being made during Mac logon and not kinit
> being run. Is this a correct assumption ?
>
I have no idea what you are asking here.  FWIW, I suspect the Mac
invokes Heimdal kinit with the desktop logon password.  Check for
pam_krb5 in your /etc/pam.d/

> I also checked in krb5.conf but there doesn’t appear to be a
> documented way to force the canonical flag on an AS-REQ when Mac login
> uses Kerberos.

Try the suggestions above first; they're a better way to get it going.
Rather than "making it work" you'll be asking the proper question.  I
hope -- I don't use AD.

> Disclaimer: This email message and any attachments transmitted with it
> may contain legally privileged and confidential information

So, why do you post it to a public list?  You're welcome to remove this
in future emails.  It's legally powerless anyway.

-Rick
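
A small check for the mismatch Tim describes, added here as an example and not part of the original thread: it parses principal names the way a standards-compliant client would (case-sensitive, with backslash escapes), pulls the cached principal out of klist output, and reports whether it differs from the AD principal by case only, and whether the difference sits in the name or the realm. The klist text and principal names are constructed for the example.

```python
import re


def parse_principal(text):
    """Split 'name[/instance]@REALM' into (components, realm); '\\' escapes the next char."""
    parts, cur, i, in_realm = [], [], 0, False
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # escaped '/', '@' or '\\' is literal
            cur.append(text[i + 1])
            i += 2
            continue
        if not in_realm and ch in "/@":
            parts.append("".join(cur))
            cur, in_realm = [], ch == "@"
        else:
            cur.append(ch)
        i += 1
    if not in_realm:
        raise ValueError(f"principal lacks a realm: {text!r}")
    return tuple(parts), "".join(cur)


def principal_from_klist(output):
    """Pull the cache's principal from Heimdal ('Principal:') or MIT ('Default principal:') klist output."""
    m = re.search(r"^\s*(?:Default )?[Pp]rincipal:\s*(\S+)", output, re.M)
    if not m:
        raise ValueError("no principal line in klist output")
    return m.group(1)


def case_mismatch(cached, expected):
    """Strict comparison (what standards-compliant Kerberos sees) plus where
    a case-only difference lies: in the name components, the realm, or both."""
    (a_comps, a_realm), (b_comps, b_realm) = parse_principal(cached), parse_principal(expected)
    same_ci = ([c.lower() for c in a_comps] == [c.lower() for c in b_comps]
               and a_realm.lower() == b_realm.lower())
    return {
        "equal": (a_comps, a_realm) == (b_comps, b_realm),
        "same_ignoring_case": same_ci,
        "name_case_diff": same_ci and a_comps != b_comps,
        "realm_case_diff": same_ci and a_realm != b_realm,
    }


# Constructed sample (names invented): a Mac's cache after desktop logon
# versus the mixed-case principal held in AD.
SAMPLE_KLIST = "Credentials cache: FILE:/tmp/krb5cc_501\n        Principal: tim.smith@AD.EXAMPLE.COM\n"
AD_PRINCIPAL = "Tim.Smith@AD.EXAMPLE.COM"
```

Feed it the real `klist` output and the principal as AD shows it; a "name_case_diff" of True with "realm_case_diff" False is the situation described above, and "equal" False is what any strict client will see.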
