Well, it's all coming back to me now. It seems this has been discussed before:

http://mailman.mit.edu/pipermail/kerberos/2007-October/012373.html

The userPrincipalName is only used if the principal type is 10 (KRB5_NT_ENTERPRISE_PRINCIPAL, or perhaps GSS_C_NT_ENTERPRISE_PRINCIPAL if GSSAPI supported such a thing). AD will also canonicalize the supplied name in the AS-REP to the samaccountn...@dnsroot.

As for the domain, I'm still a little fuzzy there as well. I would have to take some captures to see if the Windows client tries to look up the domain name supplied or if it simply ignores the @domain and sends the AS-REQ to the default authority.

Mike

On Fri, Nov 20, 2009 at 7:48 PM, Michael B Allen <[email protected]> wrote:
> Hi,
>
> Is it possible to acquire credentials using kinit from AD using the
> userPrincipalName on an AD account if the DNS domain does not match
> the AD realm?
>
> Meaning if I have a realm EXAMPLE.LOCAL and an SMTP domain EXAMPLE.COM
> and userPrincipalName attributes on accounts in AD use the SMTP domain
> like [email protected], can initial credentials be acquired?
>
> If I try kinit I get:
>
> $ kinit -f [email protected]
> kinit(v5): Cannot resolve network address for KDC in realm
> EXAMPLE.COM while getting initial credentials
>
> If I then add the following to my krb5.conf:
>
> [realms]
> EXAMPLE.COM = {
>     dc1.example.local
> }
>
> and try kinit again I get:
>
> $ kinit -f [email protected]
> kinit(v5): KRB5 error code 68 while getting initial credentials
>
> and a capture shows the AS-REQ realm and service realm is EXAMPLE.COM.
> Error code 68 is KDC_ERR_WRONG_REALM.
>
> Adding .example.com = EXAMPLE.COM to [domain_realm] doesn't appear to
> have any effect.
>
> Of course using the implied principal name <sAMAccountName>@<dnsRoot> works:
>
> $ kinit -f [email protected]
> Password for [email protected]: ...
>
> Windows must be able to do this. How does a Windows client know that
> the SMTP domain should be substituted with a proper realm and which
> one?
>
> Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
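As an added illustration (not part of the original thread), this is how an MIT krb5 client asks for what the reply describes: the AS-REQ goes to the real AD realm as the default realm, and the SMTP-style UPN is sent as an enterprise name (type 10) with `kinit -E` rather than being treated as a realm. It assumes MIT krb5 1.7 or later; `dc1.example.local` is the host from the thread, and `someuser@example.com` is a constructed placeholder UPN.

```ini
# Added example krb5.conf, not from the thread. EXAMPLE.COM is never
# configured as a realm; the AS-REQ is always addressed to EXAMPLE.LOCAL.
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    # Ask the KDC to rewrite the client name to sAMAccountName@DNSROOT in
    # the AS-REP (the canonicalization the reply mentions).
    canonicalize = true

[realms]
    EXAMPLE.LOCAL = {
        kdc = dc1.example.local
    }

# [domain_realm] maps *service host names* to realms. It has no effect on
# the client principal in an AS-REQ, which is why the .example.com mapping
# tried in the thread changed nothing.
[domain_realm]
    .example.local = EXAMPLE.LOCAL

# Then request initial credentials with the UPN carried as an enterprise
# principal (KRB5_NT_ENTERPRISE_PRINCIPAL, name type 10). "someuser" is a
# constructed placeholder.
#   $ kinit -E someuser@example.com
```

Without `-E`, kinit parses everything after the `@` as the realm name, which is exactly the path that produced the "Cannot resolve network address for KDC" and KDC_ERR_WRONG_REALM results quoted above.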
