SSO Application needs username from GSSName (or GSSAPI) Spike_White at
Tue Aug 5 15:34:52 EDT 2014


The problem with what you're suggesting is that it's a static conversion. Admittedly, it's the static conversion that's usually (but not always) desired.

If you use krb5_aname_to_localname() instead, by default it does the same conversion. But additionally, the site administrator is able to write his or her own auth_to_local rules, if this default conversion is not what's desired.

Here's an example, from
              ATHENA.MIT.EDU = {
                  auth_to_local = {

Date: Tue, 5 Aug 2014 04:55:33 -0700 (PDT)
From: amit
Subject: Re: SSO Application needs username from GSSName (or GSSAPI)
To: krbdev at
Content-Type: text/plain; charset=us-ascii

Thank you Simo & Nico,

Simo, Nico is right about my application.

Please have a look at the following link which talks about realm names in Kerberos.
It says that you can have anything as a realm name, but when it comes to following the conventions, the realm name should be a domain name in capital letters.

So, assuming that customers will always follow the conventions of Kerberos and will keep the realm name as the domain name in capital letters.

Again, the following link talks about what restrictions domain names have.

So, it looks like a domain name can never have an '@' sign in it (which in turn says that the realm name will never have the '@' sign in it).

Cropping the GSSName string with its last index of '@' will give me the username.

Please let me know if I am mistaken somewhere.
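
An added example, not code from the thread or from libkrb5: a self-contained C sketch that contrasts the last-'@' cropping proposed above with a simplified model of the DEFAULT auth_to_local behaviour that krb5_aname_to_localname() applies when no site rules are configured (only single-component principals in the default realm are mapped). The function names, realms and principals are constructed for illustration, and the input is assumed to always carry a realm.

```c
#include <stdio.h>
#include <string.h>

/* Static conversion proposed in the thread: keep what precedes the last '@'.
 * Returns 0 on success, -1 if no realm is present or the buffer is too small. */
int crop_at_last_at(const char *princ, char *out, size_t outsz)
{
    const char *at = strrchr(princ, '@');
    if (at == NULL || at == princ || (size_t)(at - princ) >= outsz)
        return -1;
    size_t n = (size_t)(at - princ);
    memcpy(out, princ, n);
    out[n] = '\0';
    return 0;
}

/* Simplified model (not libkrb5 code) of the DEFAULT auth_to_local rule:
 * succeed only for a single-component principal in the default realm. */
int default_rule_localname(const char *princ, const char *default_realm,
                           char *out, size_t outsz)
{
    const char *at = strrchr(princ, '@');
    if (at == NULL || strcmp(at + 1, default_realm) != 0)
        return -1;                      /* foreign realm: no mapping */
    if (crop_at_last_at(princ, out, outsz) != 0)
        return -1;
    for (const char *p = out; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') {
            p++;                        /* skip an escaped character */
        } else if (*p == '/') {
            return -1;                  /* e.g. alice/admin: no mapping */
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed principals; EXAMPLE.COM is the assumed default realm. */
    const char *samples[] = { "alice@EXAMPLE.COM", "alice@OTHER.EXAMPLE",
                              "alice/admin@EXAMPLE.COM" };
    char a[64], b[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ra = crop_at_last_at(samples[i], a, sizeof a);
        int rb = default_rule_localname(samples[i], "EXAMPLE.COM", b, sizeof b);
        printf("%-26s crop=%-12s default-rule=%s\n", samples[i],
               ra == 0 ? a : "(fail)", rb == 0 ? b : "(no mapping)");
    }
    return 0;
}
```

The cropping maps a principal from any realm to the same local name, while the default-rule model refuses the foreign-realm and multi-component principals; site-specific auth_to_local rules are not modelled here.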
