> Or hack on the KDCs to implement AD-style case-insensitive/preserving
> realm matching. I'm starting to think that we ought to do this in Heimdal and
> MIT Kerberos, at least as an option.

This plus canonicalizing is how our corporate system might work. I don't think there's a FEDIDCARD.GOV realm (or fedidcard.gov either) outside the scope of my PKINIT test. I think our corporate AD sees users from that domain and knows (somehow) how to map them into the USDA.NET realm. Klist has never shown me a FEDIDCARD.GOV ticket on my Windows box, and I can't locate a FEDIDCARD.GOV KDC inside or outside the firewall.

Maybe canonicalizing isn't the right word for this... "appropriating user identities from unrelated virtual realms" may be more descriptive.

I had nothing to do with it. :)

Bryce

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos