Re: Using enterprise principal name in GSS-API

2016-10-08 Thread Isaac Boukris
Hi Alan, On Thu, Oct 6, 2016 at 9:29 PM, Alan Braggins wrote: > I do have a patch that adds gss_nt_krb5_name_enterprise as a > recognised OID (szOID_NT_PRINCIPAL_NAME 1.3.6.1.4.1.311.20.2.3), > and replaces a call to krb5_parse_name with krb5_parse_name_flags > with

Re: Using enterprise principal name in GSS-API

2016-10-07 Thread Alan Braggins
Apparently I also have a broken mail that truncated most of that message. I'll see if I can recover it. From: Alan Braggins Sent: 06 October 2016 19:45 To: Greg Hudson; Isaac Boukris; kerberos Subject: Re: Using enterprise principal name in GSS-API On 23

Re: Using enterprise principal name in GSS-API

2016-10-07 Thread Alan Braggins
On 23/09/16 15:50, Greg Hudson wrote: > On 09/23/2016 03:52 AM, Isaac Boukris wrote: >> Maybe we need a new gss name type oid like GSS_NT_ENTERPRISE_NAME, >> though I guess it's more complicated than it sounds :) > > I think that might be reasonable for this use case. I've seen requests > to be

Re: Using enterprise principal name in GSS-API

2016-10-06 Thread Alan Braggins
On 23/09/16 15:50, Greg Hudson wrote: > On 09/23/2016 03:52 AM, Isaac Boukris wrote: >> Maybe we need a new gss name type oid like GSS_NT_ENTERPRISE_NAME, >> though I guess it's more complicated than it sounds :) > > I think that might be reasonable for this use case. I've seen requests > to be

Re: Using enterprise principal name in GSS-API

2016-10-03 Thread Isaac Boukris
On Mon, Sep 26, 2016 at 7:09 PM, Greg Hudson wrote: > On 09/25/2016 04:32 PM, Isaac Boukris wrote: >> In such a case (no canonicalization), if the user is found, the KDC >> returns AS reply with the exact name and name-type (enterprise) as >> requested. > > Interesting. That's

Re: Using enterprise principal name in GSS-API

2016-09-27 Thread Isaac Boukris
On Mon, Sep 26, 2016 at 7:09 PM, Greg Hudson wrote: > On 09/25/2016 04:32 PM, Isaac Boukris wrote: >> The more I look at the code and on wire traffic, I think >> enterprise-name and canonicalization are different things (although >> related). >> Here is what my tests against AD

Re: Using enterprise principal name in GSS-API

2016-09-26 Thread Greg Hudson
On 09/25/2016 04:32 PM, Isaac Boukris wrote: > The more I look at the code and on wire traffic, I think > enterprise-name and canonicalization are different things (although > related). > Here is what my tests against AD (w2k3) seem to show so far. > > First, the 'kinit' man page says -E implies

Re: Using enterprise principal name in GSS-API

2016-09-25 Thread Isaac Boukris
Hi Greg, On Fri, Sep 23, 2016 at 5:50 PM, Greg Hudson wrote: > On 09/23/2016 03:52 AM, Isaac Boukris wrote: >> Maybe we need a new gss name type oid like GSS_NT_ENTERPRISE_NAME, >> though I guess it's more complicated than it sounds :) > > I think that might be reasonable for

Re: Using enterprise principal name in GSS-API

2016-09-23 Thread Greg Hudson
On 09/23/2016 03:52 AM, Isaac Boukris wrote: > Maybe we need a new gss name type oid like GSS_NT_ENTERPRISE_NAME, > though I guess it's more complicated than it sounds :) I think that might be reasonable for this use case. I've seen requests to be able to import enterprise principal names

Re: Using enterprise principal name in GSS-API

2016-09-23 Thread Isaac Boukris
Hi again, On Wed, Sep 21, 2016 at 12:07 AM, Isaac Boukris wrote: > Hi all, > > Is there a way to support name canonicalization (like kinit -E) when > acquiring creds via gss_acquire_cred_with_password() and > gss_acquire_cred_impersonate_name() ? > > The use case is to use

Using enterprise principal name in GSS-API

2016-09-20 Thread Isaac Boukris
Hi all, Is there a way to support name canonicalization (like kinit -E) when acquiring creds via gss_acquire_cred_with_password() and gss_acquire_cred_impersonate_name() ? The use case is to use userPrincipalName for client name against AD. Thanks!