Hi all,
I'm looking to set up a KDC to issue TGTs from my organization's smart cards.
Establishing a trust is a non-starter. My target environment is outside the
firewall, all corporate infrastructure is inaccessible and will stay that way.
However, CA bundles are public information. Looking at my PIV certificate, I
see my SAN is:
Other Name:
Principal [email protected]
I won't type that big long number every time I try to login. My peers will
revolt. As it turns out, when I put the smart card in my corporate machine,
klist shows that the client in the resulting tickets is:
[email protected]<mailto:[email protected]>. There is really nothing in the
certificate which would perform this mapping. I can, however, automatically
generate a mapping file to push out to my KDC by querying AD. (For instance,
I'm pretty sure a 1:1 mapping between userPrincipalName and sAMAccountName
would do the trick.)
How would I compel the MIT Kerberos server to perform that same mapping? I want
to be able to ask for a ticket for "[email protected]", provide a
certificate with a MS UPN of
[email protected]<mailto:[email protected]> and have it
work. I also want it to KRB_ERROR if a valid certificate with any other MS UPN
tries to get a ticket for
[email protected]<mailto:[email protected]>.
Has this already been done, and if not, would it be possible to do the mapping
by writing a plugin?
Bryce
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
