On 09/13/2014 12:52 PM, Rick van Rein wrote:
> But this leaves me a bit worried about the KRB5-NT-ENTERPRISE nametype — does
> it apply to what I am doing? Does my approach create a correct enterprise
> principal name, or am I so lucky to run into leniency by Kerberos?
As I understand the enterprise principal name type based on RFC 6806 section 5, it is intended to convey an email-style alias which should be looked up in some kind of name service to figure out the actual principal name and realm for a user. Active Directory contains such a service; the MIT krb5 KDC does not, unless you use a third-party KDB module which provides one. (Our LDAP KDB module supports aliases within a realm, but not aliases which point to other realms.)

Creating an actual principal entry for an enterprise name doesn't seem like a good idea. A client which makes an AS request for an enterprise name should wind up with a ticket for an actual, normal principal name, not a ticket for the alias.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
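As an added illustration, not part of this thread or of MIT krb5, here is a constructed Python model of the resolution step the reply describes: the KDC treats an NT-ENTERPRISE name as an alias, looks it up in a directory, and answers with the real principal (or a referral to the realm that owns it) rather than issuing a ticket for the alias itself. The alias directory, realm names and the `resolve_as_request` helper are assumptions made for the example.

```python
# Constructed model of KDC handling for KRB5-NT-ENTERPRISE names (example code).
# An enterprise name carries one component holding an e-mail-style alias; in
# Kerberos string form the '@' inside it is escaped, e.g. 'rick\@example.org@EXAMPLE.ORG'.

NT_PRINCIPAL = 1    # name type values from RFC 4120
NT_ENTERPRISE = 10

LOCAL_REALM = "EXAMPLE.ORG"   # assumed realm of this toy KDC

# Constructed alias directory (what AD or a KDB module would supply):
# alias -> (canonical principal, realm that holds the real entry)
ALIAS_DIRECTORY = {
    "rick@example.org": ("rvr", "EXAMPLE.ORG"),
    "alice@partner.example": ("alice", "PARTNER.EXAMPLE"),
}


def parse_principal(text):
    """Split a string-form name into (components, realm), honouring backslash
    escapes so that an escaped '\\@' stays inside the component."""
    comps, cur, i = [], "", 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escaped character
            cur += text[i + 1]
            i += 2
            continue
        if ch == "/":                            # component separator
            comps.append(cur)
            cur = ""
        elif ch == "@":                          # realm separator
            comps.append(cur)
            return comps, text[i + 1:]
        else:
            cur += ch
        i += 1
    comps.append(cur)
    return comps, ""


def resolve_as_request(name, name_type):
    """Decide what the KDC hands back for an AS request: ('ticket', principal,
    realm), ('referral', realm) for an alias owned elsewhere, or
    ('unknown', None) when the alias is not in the directory. The alias
    itself is never treated as a principal entry."""
    comps, realm = parse_principal(name)
    if name_type != NT_ENTERPRISE:               # ordinary name: use as-is
        return ("ticket", "/".join(comps), realm or LOCAL_REALM)
    entry = ALIAS_DIRECTORY.get(comps[0].lower())  # whole alias is one component
    if entry is None:
        return ("unknown", None)
    principal, home_realm = entry
    if home_realm != LOCAL_REALM:
        return ("referral", home_realm)
    return ("ticket", principal, home_realm)
```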