Using enterprise principal name in GSS-API
Isaac Boukris
iboukris at gmail.com
Fri Sep 23 03:52:24 EDT 2016

Hi again,

On Wed, Sep 21, 2016 at 12:07 AM, Isaac Boukris <iboukris at gmail.com> wrote:
> Hi all,
>
> Is there a way to support name canonicalization (like kinit -E) when
> acquiring creds via gss_acquire_cred_with_password() and
> gss_acquire_cred_impersonate_name() ?
>
> The use case is to use userPrincipalName for client name against AD.

I've found RFC 4768 already laments the lack of enterprise names in
GSS-API (and raises some concerns, mainly ACL related).
RFC 6860 on the other hand says nothing about GSS-API.

Technically, if I change krb5_gss_import_name() to pass
KRB5_PRINCIPAL_PARSE_ENTERPRISE flag when parsing the name, then both
aforementioned functions work fine with UPN (even when the UPN suffix
differs from realm name).

Maybe we need a new gss name type oid like GSS_NT_ENTERPRISE_NAME,
though I guess it's more complicated than it sounds :)

Thanks and regards.
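To make the difference the message is pointing at concrete (what KRB5_PRINCIPAL_PARSE_ENTERPRISE changes about how a UPN string is split into name components and realm), here is an added example that is not part of the original post and is not libkrb5 code. It is a small Python model of the parsing rules behind krb5_parse_name_flags() and krb5_unparse_name(): without the enterprise flag the text after the first unescaped '@' becomes the realm, whereas with it the first '@' stays inside a single name component, '/' is no longer a separator, the name type becomes KRB5_NT_ENTERPRISE_PRINCIPAL, and the realm defaults to the local default realm unless a second '@' supplies one. The constants match krb5.h, but the default_realm parameter and the sample UPN "user@corp.example.com" are constructed assumptions for illustration.

```python
# Added example: a simplified model of MIT krb5 principal-name parsing with
# and without KRB5_PRINCIPAL_PARSE_ENTERPRISE.  This is NOT libkrb5; it only
# mirrors the observable rules so the effect of the flag is visible.
from dataclasses import dataclass
from typing import List, Optional

# Name types (values as in RFC 4120 / krb5.h)
KRB5_NT_PRINCIPAL = 1
KRB5_NT_ENTERPRISE_PRINCIPAL = 10

# Parse flags (values as in krb5.h)
KRB5_PRINCIPAL_PARSE_NOREALM = 0x1
KRB5_PRINCIPAL_PARSE_REQUIRE_REALM = 0x2
KRB5_PRINCIPAL_PARSE_ENTERPRISE = 0x4


@dataclass
class Principal:
    components: List[str]
    realm: str
    name_type: int


def parse_name_flags(name: str, flags: int = 0,
                     default_realm: str = "EXAMPLE.COM") -> Principal:
    """Model of krb5_parse_name_flags(); default_realm is a constructed stand-in
    for the value libkrb5 would read from krb5.conf."""
    enterprise = bool(flags & KRB5_PRINCIPAL_PARSE_ENTERPRISE)
    components: List[str] = []
    current: List[str] = []
    realm: Optional[str] = None
    first_at = True          # enterprise names keep their first '@' as data
    i = 0
    while i < len(name):
        c = name[i]
        if realm is not None:
            # Realm text: a backslash still escapes the next character.
            if c == "\\" and i + 1 < len(name):
                i += 1
                c = name[i]
            realm += c
        elif c == "\\" and i + 1 < len(name):
            i += 1
            current.append(name[i])      # escaped character is literal
        elif c == "/" and not enterprise:
            components.append("".join(current))   # component separator
            current = []
        elif c == "@" and (not enterprise or not first_at):
            realm = ""                   # realm separator
        elif c == "@":
            first_at = False             # enterprise: first '@' is part of the name
            current.append(c)
        else:
            current.append(c)
        i += 1
    components.append("".join(current))

    if realm is None:
        if flags & KRB5_PRINCIPAL_PARSE_REQUIRE_REALM:
            raise ValueError("realm required but not present")
        realm = "" if flags & KRB5_PRINCIPAL_PARSE_NOREALM else default_realm
    elif flags & KRB5_PRINCIPAL_PARSE_NOREALM:
        raise ValueError("realm present but not allowed")

    nt = KRB5_NT_ENTERPRISE_PRINCIPAL if enterprise else KRB5_NT_PRINCIPAL
    return Principal(components, realm, nt)


def unparse_name(p: Principal) -> str:
    """Model of krb5_unparse_name(): '/', '@' and '\\' inside a component are
    escaped, so an enterprise name round-trips unambiguously."""
    def esc(s: str, special: str) -> str:
        return "".join(("\\" + ch) if ch in special else ch for ch in s)
    comps = "/".join(esc(c, "/@\\") for c in p.components)
    return comps + "@" + esc(p.realm, "@\\")


if __name__ == "__main__":
    upn = "user@corp.example.com"       # constructed sample UPN
    plain = parse_name_flags(upn)
    ent = parse_name_flags(upn, KRB5_PRINCIPAL_PARSE_ENTERPRISE)
    print("plain     :", plain, "->", unparse_name(plain))
    print("enterprise:", ent, "->", unparse_name(ent))
```

Running it shows why the plain parse is unusable for a UPN whose suffix is not the realm: "corp.example.com" is taken literally as the realm, while the enterprise parse keeps the whole UPN as one component and leaves realm resolution to the KDC's canonicalization, which is exactly what the "kinit -E" behaviour the thread asks for relies on.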