[SSSD-users] Re: Lowercase principals on login

Fri, 26 Oct 2018 09:42:01 -0700 

On Fri, Oct 26, 2018 at 12:15:44PM -0400, Tom wrote:
> Thanks Sumit.  And canonicalize = yes in [libdefaults] will make that happen 
> on login I think.  

SSSD controls this option on its own, so if you want to be on the safe
side you can set 'krb5_canonicalize = True' in sssd.conf.

But only the plain 'krb5' auth provider would use the default of
'False'. The 'ad' and 'ipa' providers have
'krb5_use_enterprise_principal = True' be default which will switch on
canonicalization as well.

bye,
Sumit

> 
> Sent from my iPhone
> 
> > On Oct 26, 2018, at 11:40 AM, Sumit Bose <sb...@redhat.com> wrote:
> > 
> >> On Fri, Oct 26, 2018 at 11:03:05AM -0400, Tom wrote:
> >> Is there a way to ensure the principal generated has the lowercase user 
> >> not an uppercase user showing up in kinit?
> > 
> > The principal is part of the ticket generated by the KDC. So you have to
> > make sure the canonical principal on the KDC is in lower case and use
> > canonicalization on the client side ('-C' with kinit).
> > 
> > HTH
> > 
> > bye,
> > Sumit
> > 
> >> 
> >> Cheers,
> >> Tom
> >> 
> >> Sent from my iPhone
> >> _______________________________________________
> >> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> >> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> >> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> List Archives: 
> >> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> > _______________________________________________
> > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: 
> > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

Reply via email to