Hi Tim,

> When I configure Kerberos on a Mac OSX system, and login to the Mac
> and then run klist I see a principal name which is lower case but in
> AD the principal name is mixed case.

I heard before that AD accepts case changes (hearsay). Not sure if that only reflected on the realm, or also the principal name. Your Mac may be set up with the differently-cased name.

> I can run kinit --canonicalize <user id> and this returns the correct
> case principal, but when I logon to the Mac this is not happening.

With --canonicalize, you tell the KDC to take more control, and your client will accept name overrides. Under Heimdal and any standards-compliant software, a different case makes for a different principal name and/or a different realm.

Have you tried using kinit without --canonicalize against AD, while playing around with the case?

Have you checked the ticket names in Keychain Access, menu item Ticket Viewer? It may have been set up with your logon name or such, in different case, and accepted as such by AD.

> I assume that an API call is being made during Mac logon and not kinit
> being run. Is this a correct assumption?

I have no idea what you are asking here. FWIW, I suspect the Mac invokes Heimdal kinit with the desktop logon password. Check for pam_krb5 in your /etc/pam.d/

> I also checked in krb5.conf but there doesn't appear to be a
> documented way to force the canonical flag on an AS-REQ when Mac login
> uses Kerberos.

Try the suggestions above first, they're a better way to get it going. Rather than "making it work" you'll be asking the proper question. I hope -- I don't use AD.

> Disclaimer: This email message and any attachments transmitted with it
> may contain legally privileged and confidential information

So, why do you post it to a public list? You're welcome to remove this in future emails. It's legally powerless anyway.

-Rick

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
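The check Rick suggests, comparing the principal name the ticket cache actually holds with the name AD has for the account, as an added example that is not part of the thread above. It parses a constructed fragment of Heimdal `klist` output (the "Principal:" line that macOS prints), splits the name into components and realm while honouring backslash escapes, and then compares it to the expected name two ways: strictly, as RFC 4120 / Heimdal do (case matters in every component and in the realm), and case-insensitively, which is the assumption made here about how AD resolves the same account. The sample output and the user name are constructed; the case-insensitive rule is a simplification of AD behaviour, not a statement of its exact matching logic.

```python
"""Compare the principal held in a Kerberos ticket cache against an expected
principal under strict (RFC 4120 / Heimdal) and case-insensitive (AD-style,
assumed) matching.  Added example; the klist output below is constructed."""
import re
from dataclasses import dataclass

# Constructed fragment of what Heimdal `klist` prints on macOS.  The lower-case
# "jsmith" is the symptom from the thread: AD holds the account as "JSmith".
SAMPLE_KLIST = """\
Credentials cache: API:constructed-cache-id
        Principal: jsmith@EXAMPLE.COM

  Issued                Expires               Principal
Jan  1 09:00:00 2024  Jan  1 19:00:00 2024  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""


@dataclass(frozen=True)
class Principal:
    components: tuple   # e.g. ("jsmith",) or ("host", "web01.example.com")
    realm: str


def parse_principal(text: str) -> Principal:
    """Split 'comp1/comp2@REALM' into parts.  A backslash escapes the next
    character, so 'host/web\\/01@R' yields the component 'web/01'."""
    components, current, realm, in_realm, i = [], [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # escaped character: literal
            (realm if in_realm else current).append(text[i + 1])
            i += 2
            continue
        if not in_realm and ch == "/":             # component separator
            components.append("".join(current))
            current = []
        elif not in_realm and ch == "@":           # start of realm
            components.append("".join(current))
            current = []
            in_realm = True
        else:
            (realm if in_realm else current).append(ch)
        i += 1
    if not in_realm:
        raise ValueError(f"principal has no realm: {text!r}")
    return Principal(tuple(components), "".join(realm))


def principal_from_klist(output: str) -> str:
    """Return the raw 'Principal:' value from Heimdal klist output."""
    match = re.search(r"^\s*Principal:\s*(\S+)\s*$", output, re.MULTILINE)
    if not match:
        raise ValueError("no 'Principal:' line found in klist output")
    return match.group(1)


def strict_equal(a: Principal, b: Principal) -> bool:
    """RFC 4120 / Heimdal view: every byte of every component and the realm
    must match exactly; 'jsmith' and 'JSmith' are different principals."""
    return a == b


def ad_equal(a: Principal, b: Principal) -> bool:
    """Assumed AD-style view: the account is resolved without regard to case
    in the components or the realm (a simplification used for this example)."""
    fold = lambda p: (tuple(c.casefold() for c in p.components), p.realm.casefold())
    return fold(a) == fold(b)


def check_cache(klist_output: str, expected: str) -> dict:
    """Report whether the cached principal matches the expected one under
    both rules, so a mismatch that AD tolerates but Heimdal does not is visible."""
    cached_raw = principal_from_klist(klist_output)
    cached, wanted = parse_principal(cached_raw), parse_principal(expected)
    return {
        "cached": cached_raw,
        "expected": expected,
        "strict_match": strict_equal(cached, wanted),
        "ad_match": ad_equal(cached, wanted),
    }


if __name__ == "__main__":
    for line in (check_cache(SAMPLE_KLIST, "JSmith@EXAMPLE.COM"),):
        print(line)
```

On the sample, the name in the cache and the name AD holds agree only under the case-insensitive rule, which is exactly the situation the thread describes: AD issues a ticket for the name as typed at logon, while anything that compares principals the Heimdal way treats it as a different identity.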