using keytab with preauth and ldap alias canonicalization

Greg Hudson ghudson at
Mon Oct 4 01:34:23 EDT 2021

On 10/4/21 12:28 AM, Chris Hecker wrote:> Wait, so to be clear, at the
time when I create the keytab I don't know
> if the princ is canonical or not.  So I need to use that new API on each
> princ after the user enters it, and use that to create the keytab?
> Is there a way to do this with the API before 1.17 or do I need to
> update everything?  Is this only on the client, or does the KDC need to
> be 1.17 as well?

If you have the username and password, you could obtain credentials with
krb5_get_init_creds_password() (with the canonicalize flag set in the
gic options) and look at the client principal.  It would be a bit less
efficient than what ktutil addent -f does in 1.17 and it won't handle
all of the same edge cases such as non-default salts, but I think it
should work for your purposes.

If you do upgrade, the KDC doesn't need to be 1.17 or even be running
MIT krb5.  The API just makes an unauthenticated AS-REQ and looks at the
method data in the PREAUTH_REQUIRED error.

More information about the krbdev mailing list