Using enterprise principal name in GSS-API

Isaac Boukris iboukris at gmail.com
Fri Sep 23 03:52:24 EDT 2016


Hi again,

On Wed, Sep 21, 2016 at 12:07 AM, Isaac Boukris <iboukris at gmail.com> wrote:
> Hi all,
>
> Is there a way to support name canonicalization (like kinit -E) when
> acquiring creds via gss_acquire_cred_with_password() and
> gss_acquire_cred_impersonate_name() ?
>
> The use case is to use userPrincipalName for client name against AD.


I've found RFC 4768 already laments the lack of enterprise names in
GSS-API (and raises some concerns, mainly ACL related).
RFC 6860 on the other hand says nothing about GSS-API.

Technically, if I change krb5_gss_import_name() to pass
KRB5_PRINCIPAL_PARSE_ENTERPRISE flag when parsing the name, then both
aforementioned functions work fine with UPN (even when the UPN suffix
differs from realm name).

Maybe we need a new gss name type oid like GSS_NT_ENTERPRISE_NAME,
though I guess it's more complicated than it sounds :)

Thanks and regards.
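An added illustration of the parsing rule referred to above (it is not part of this thread and not MIT krb5 source): a small C model of what krb5_parse_name_flags() does to a client name with and without KRB5_PRINCIPAL_PARSE_ENTERPRISE, written without libkrb5 so it runs stand-alone. In default mode the first unescaped '@' starts the realm, so a UPN like jdoe@corp.example.com is sent to a realm named corp.example.com; in enterprise mode that '@' is kept as part of a single NT-ENTERPRISE component and the client's default realm is used, which is why a UPN whose suffix differs from the realm name still reaches the right KDC. The user, UPN suffix and realm names are constructed for the example.

```c
/*
 * Model of how a client principal string is parsed before an AS-REQ,
 * with and without the enterprise flag.  Added example, not MIT krb5 code:
 * it re-implements the rule krb5_parse_name_flags() applies under
 * KRB5_PRINCIPAL_PARSE_ENTERPRISE (RFC 6806 section 5) so it runs without
 * libkrb5.  All names below are constructed for the example.
 */
#include <stdio.h>
#include <string.h>

#define KRB5_NT_PRINCIPAL             1   /* name types from RFC 4120 / RFC 6806 */
#define KRB5_NT_ENTERPRISE_PRINCIPAL 10

#define MAXCOMP 8
#define MAXLEN  256

struct principal {
    int  type;                    /* KRB5_NT_* name type carried in the AS-REQ */
    int  ncomp;                   /* number of name components */
    char comp[MAXCOMP][MAXLEN];   /* components (an enterprise name has exactly one) */
    char realm[MAXLEN];           /* realm the request is sent to */
};

/* Append buffered text as the next component; -1 on overflow. */
static int push_comp(struct principal *p, const char *buf)
{
    if (p->ncomp >= MAXCOMP)
        return -1;
    strcpy(p->comp[p->ncomp++], buf);
    return 0;
}

/*
 * Parse "name[@realm]".  Default mode: '/' separates components and the
 * first unescaped '@' starts the realm.  Enterprise mode: '/' is literal and
 * the first '@' belongs to the name (the UPN suffix); only a second unescaped
 * '@' starts the realm.  With no explicit realm the default realm is used.
 */
static int parse_name(const char *s, int enterprise, const char *default_realm,
                      struct principal *p)
{
    char buf[MAXLEN];
    size_t n = 0;
    int seen_at = 0, in_realm = 0;

    memset(p, 0, sizeof *p);
    p->type = enterprise ? KRB5_NT_ENTERPRISE_PRINCIPAL : KRB5_NT_PRINCIPAL;

    for (const char *c = s; *c; c++) {
        char ch = *c;
        if (ch == '\\' && c[1] != '\0') {
            ch = *++c;                      /* escaped character is literal */
        } else if (!in_realm && ch == '@') {
            if (enterprise && !seen_at) {
                seen_at = 1;                /* part of the UPN, keep it */
            } else {
                buf[n] = '\0';
                if (push_comp(p, buf) < 0)
                    return -1;
                n = 0;
                in_realm = 1;
                continue;
            }
        } else if (!in_realm && !enterprise && ch == '/') {
            buf[n] = '\0';
            if (push_comp(p, buf) < 0)
                return -1;
            n = 0;
            continue;
        }
        if (n + 1 >= sizeof buf)
            return -1;
        buf[n++] = ch;
    }
    buf[n] = '\0';
    if (in_realm) {
        strcpy(p->realm, buf);
    } else {
        if (push_comp(p, buf) < 0)
            return -1;
        strcpy(p->realm, default_realm);
    }
    return 0;
}

/* 1 if parsing s (default realm AD.EXAMPLE.COM) yields the expected shape, else 0. */
int parses_as(const char *s, int enterprise, int exp_type, int exp_ncomp,
              const char *exp_comp0, const char *exp_realm)
{
    struct principal p;
    if (parse_name(s, enterprise, "AD.EXAMPLE.COM", &p) != 0)
        return 0;
    return p.type == exp_type && p.ncomp == exp_ncomp &&
           strcmp(p.comp[0], exp_comp0) == 0 && strcmp(p.realm, exp_realm) == 0;
}

static void show(const char *s, int enterprise)
{
    struct principal p;
    if (parse_name(s, enterprise, "AD.EXAMPLE.COM", &p) != 0) {
        printf("%s: parse error\n", s);
        return;
    }
    printf("%-40s %s -> type %2d, name \"%s\", realm %s\n", s,
           enterprise ? "enterprise" : "default   ", p.type, p.comp[0], p.realm);
}

int main(void)
{
    /* Constructed UPN whose suffix is not the Kerberos realm name. */
    show("jdoe@corp.example.com", 0);
    show("jdoe@corp.example.com", 1);
    show("jdoe@corp.example.com@AD.EXAMPLE.COM", 1);
    return 0;
}
```

With real libkrb5 the equivalent call is krb5_parse_name_flags(ctx, name, KRB5_PRINCIPAL_PARSE_ENTERPRISE, &princ); the AS-REQ then has to carry the canonicalize KDC option so the KDC can answer with the client's true principal name, and that returned name, not the UPN string, is what an ACL should be compared against.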