Canonicalize on Mac

Tim Alsop Tim.Alsop at cybersafe.com
Thu Mar 24 05:46:20 EDT 2016


Rick,

>Have you tried using kinit without --canonicalize against AD, while
>playing around with the case?
Yes, kinit NAME results in a NAME@REALM principal in the cache, and kinit name results in name@REALM. This is what I am trying to avoid, since I want a consistent principal name using the case of the principal defined in AD.

>Have you checked the ticket names in Keychain Access, menu item Ticket
>Viewer?  It may have been setup with your logon name or such, in
>different case, and accepted as such by AD.
This is the same as using klist from Terminal, which I have been using, so I haven’t bothered with Ticket Viewer, as it has no advantage over klist for checking the case of the principal.

>I have no idea what you are asking here.  FWIW, I suspect the Mac
>invokes Heimdal kinit with the desktop logon password.   Check for
>pam_krb5 in your /etc/pam.d/
Yes, pam_krb5 is being used, but I don’t know how to configure pam_krb5 so that it sends the canonical flag in the AS-REQ so that AD will issue a TGT with the correct case. I don’t think that pam_krb5.so is calling the kinit binary. I assume it is using the Heimdal API to authenticate and is not aware of the canonical option/flag, and hence it is not configurable.

>Try the suggestions above first, they're a better way to get it going.
>Rather than "making it work" you'll be asking the proper question.  I
>hope -- I don't use AD.
I know I can create the user on the Mac with the same case as in AD and this will solve the issue, but often the AD admin who creates the user in AD doesn’t use the same case.




Tim Alsop
Director
Telephone: +44 1256 330596

CyberSafe: https://CyberSafe.com

Web: https://CyberSafe.com/SAP

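The thread turns on the fact that Kerberos principal names are case-sensitive: a cache holding name@REALM is a different principal string from NAME@REALM, so keytab entries, ACLs or application mappings written against the AD spelling will not match a ticket obtained under the other case. The following check is an added example, not code from the thread or from any of the tools it mentions; it parses klist output (the sample below is constructed, in the Heimdal layout the macOS klist uses, and the regex also accepts MIT's "Default principal:" line), extracts the client principal, and classifies it against the spelling expected from AD as an exact match, a case-only mismatch (canonicalization not applied), or a genuine mismatch.

```python
"""Added example (not from the thread): check whether the client principal in a
Kerberos credential cache matches the canonical spelling expected from AD.

Kerberos principal names are case-sensitive, so NAME@REALM and name@REALM are
distinct principal strings. A cache holding the wrong case will not match
keytab entries or ACLs written against the AD spelling, even though AD accepted
the AS-REQ. The klist text below is a constructed sample, not captured output.
"""

import re
from typing import Dict, Optional, Tuple

# Constructed sample of Heimdal `klist` output as seen on macOS (hypothetical values).
SAMPLE_KLIST = """\
Credentials cache: API:501:1
        Principal: name@EXAMPLE.COM

  Issued                Expires               Principal
Mar 24 09:00:00 2016  Mar 24 19:00:00 2016  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Matches Heimdal's "Principal: x@R" and MIT's "Default principal: x@R" lines.
PRINCIPAL_RE = re.compile(r"^\s*(?:Default )?[Pp]rincipal:\s*(\S+)\s*$", re.MULTILINE)


def cache_principal(klist_output: str) -> Optional[str]:
    """Return the client principal recorded in klist output, or None if absent."""
    m = PRINCIPAL_RE.search(klist_output)
    return m.group(1) if m else None


def split_principal(principal: str) -> Tuple[str, str]:
    """Split 'name@REALM' into (name, realm); the realm is the part after the last '@'."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError(f"no realm in principal: {principal!r}")
    return name, realm


def check_case(klist_output: str, expected: str) -> Dict[str, Optional[str]]:
    """Compare the cached principal with the AD spelling, case-sensitively.

    status is one of:
      "ok"            exact match
      "case-mismatch" same name and realm ignoring case; the KDC resolved the
                      login, but the cached principal string differs from AD's
      "mismatch"      a different principal altogether
      "no-cache"      no client principal found in the klist output
    """
    actual = cache_principal(klist_output)
    if actual is None:
        return {"status": "no-cache", "actual": None, "expected": expected}
    a_name, a_realm = split_principal(actual)
    e_name, e_realm = split_principal(expected)
    if actual == expected:
        status = "ok"
    elif a_name.lower() == e_name.lower() and a_realm.upper() == e_realm.upper():
        status = "case-mismatch"
    else:
        status = "mismatch"
    return {"status": status, "actual": actual, "expected": expected}


if __name__ == "__main__":
    import subprocess
    import sys

    # Usage: python check_case.py Name@EXAMPLE.COM
    # Falls back to the constructed sample when klist is not installed.
    try:
        out = subprocess.run(["klist"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        out = SAMPLE_KLIST
    expected = sys.argv[1] if len(sys.argv) > 1 else "Name@EXAMPLE.COM"
    print(check_case(out, expected))
```

Run it after a desktop login (or after kinit with and without --canonicalize) and pass the principal exactly as AD spells it; a "case-mismatch" result is the symptom described in the thread, where the KDC accepted the login but the cached principal keeps the case that was typed rather than AD's canonical form.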



More information about the Kerberos mailing list