Hi,

Is it possible to acquire credentials using kinit from AD using the userPrincipalName on an AD account if the DNS domain does not match the AD realm?

Meaning, if I have a realm EXAMPLE.LOCAL and an SMTP domain EXAMPLE.COM, and userPrincipalName attributes on accounts in AD use the SMTP domain like [email protected], can initial credentials be acquired?

If I try kinit I get:

  $ kinit -f [email protected]
  kinit(v5): Cannot resolve network address for KDC in realm EXAMPLE.COM while getting initial credentials

If I then add the following to my krb5.conf:

  [realms]
  EXAMPLE.COM = {
      kdc = dc1.example.local
  }

and try kinit again I get:

  $ kinit -f [email protected]
  kinit(v5): KRB5 error code 68 while getting initial credentials

and a capture shows the AS-REQ realm and service realm is EXAMPLE.COM. Error code 68 is KDC_ERR_WRONG_REALM.

Adding .example.com = EXAMPLE.COM to [domain_realm] doesn't appear to have any effect.

Of course, using the implied principal name <sAMAccountName>@<dnsRoot> works:

  $ kinit -f [email protected]
  Password for [email protected]: ...

Windows must be able to do this. How does a Windows client know that the SMTP domain should be substituted with a proper realm, and which one?

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
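To make the client-side behaviour in the post concrete, here is an added Python model (constructed for this thread; not code from the post and not MIT krb5's own parser) that reads the krb5.conf subset involved and shows how the realm and KDC for an AS-REQ are chosen: a realm written into the principal is used literally, so the request still carries EXAMPLE.COM to dc1.example.local, and the [domain_realm] entry is parsed but never consulted for the client principal. The config text and principal names are constructed sample values.

```python
import re

# Constructed krb5.conf modelled on the post: both realm names point at the
# same AD domain controller, and [domain_realm] maps the SMTP DNS domain.
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.LOCAL
[realms]
    EXAMPLE.LOCAL = {
        kdc = dc1.example.local
    }
    EXAMPLE.COM = {
        kdc = dc1.example.local
    }
[domain_realm]
    .example.com = EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here: [section], key = value,
    and NAME = { key = value ... } blocks (one level deep)."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line == '}':
            block = None
            continue
        head = re.match(r'\[(\w+)\]$', line)
        if head:
            section, block = conf.setdefault(head.group(1), {}), None
            continue
        key, _, value = (p.strip() for p in line.partition('='))
        if value == '{':
            block = section.setdefault(key, {})
        elif block is not None:
            block.setdefault(key, []).append(value)   # e.g. several kdc = lines
        else:
            section[key] = value
    return conf

def as_req_target(conf, principal):
    """Realm and KDC list the client uses for an AS-REQ. A realm written in the
    principal is taken literally; only a bare name gets default_realm, and
    [domain_realm] (a hostname -> realm map for service principals) is unused."""
    _, sep, realm = principal.rpartition('@')
    if not sep:
        realm = conf['libdefaults']['default_realm']
    return realm, conf.get('realms', {}).get(realm, {}).get('kdc', [])
```

With the [realms] stanza present, mike@EXAMPLE.COM resolves to dc1.example.local but with realm EXAMPLE.COM in the AS-REQ, which is the combination the DC answered with KDC_ERR_WRONG_REALM; without the stanza the KDC list is empty, matching the "Cannot resolve network address for KDC" failure.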
