Hi all,
I'm looking to set up a KDC to issue TGTs from my organization's smart cards.
Establishing a trust is a non-starter. My target environment is outside the
firewall, all corporate infrastructure is inaccessible and will stay that way.
However, CA bundles are public information. Looking at my PIV certificate, I
see my SAN is:
Other Name:
Principal Name=12001000550...@fedidcard.gov
I won't type that big long number every time I try to login. My peers will
revolt. As it turns out, when I put the smart card in my corporate machine,
klist shows that the client in the resulting tickets is:
bnordg...@usda.net<mailto:bnordg...@usda.net>. There is really nothing in the
certificate which would perform this mapping. I can, however, automatically
generate a mapping file to push out to my KDC by querying AD. (For instance,
I'm pretty sure a 1:1 mapping between userPrincipalName and sAMAccountName
would do the trick.)
How would I compel the MIT Kerberos server to perform that same mapping? I want
to be able to ask for a ticket for "bnordgren@MY.OTHER.REALM", provide a
certificate with a MS UPN of
12001000550...@fedidcard.gov<mailto:12001000550...@fedidcard.gov> and have it
work. I also want it to KRB_ERROR if a valid certificate with any other MS UPN
tries to get a ticket for
bnordgren@MY.OTHER.REALM<mailto:bnordgren@MY.OTHER.REALM>.
Has this already been done, and if not, would it be possible to do the mapping
by writing a plugin?
Bryce
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
