Hi again,

On Wed, Sep 21, 2016 at 12:07 AM, Isaac Boukris <ibouk...@gmail.com> wrote:
> Hi all,
>
> Is there a way to support name canonicalization (like kinit -E) when
> acquiring creds via gss_acquire_cred_with_password() and
> gss_acquire_cred_impersonate_name() ?
>
> The use case is to use userPrincipalName for client name against AD.

I've found RFC 4768 already laments the lack of enterprise names in GSS-API (and raises some concerns, mainly ACL related). RFC 6860 on the other hand says nothing about GSS-API.

Technically, if I change krb5_gss_import_name() to pass KRB5_PRINCIPAL_PARSE_ENTERPRISE flag when parsing the name, then both aforementioned functions work fine with UPN (even when the UPN suffix differs from realm name).

Maybe we need a new gss name type oid like GSS_NT_ENTERPRISE_NAME, though I guess it's more complicated than it sounds :)

Thanks and regards.
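
What the enterprise parse flag changes for a UPN, as an added example that is not part of the original post and is not MIT krb5 code. It is a simplified model: `parse_princ` and `unparse_princ` are hypothetical helpers, and the UPN and default realm are constructed sample values. The same string yields a different name, realm and name type, which is why ACLs keyed on the string form are affected.

```c
#include <stdio.h>
#include <string.h>

#define NT_PRINCIPAL   1   /* ordinary principal name type */
#define NT_ENTERPRISE 10   /* enterprise (UPN-style) name type */
struct princ { int type; char name[128]; char realm[64]; };

/* Simplified model of principal parsing (hypothetical helper, not libkrb5;
 * backslash escapes and '/' components are ignored). Returns 0 or -1. */
int parse_princ(const char *in, int enterprise, const char *def_realm,
                struct princ *out)
{
    const char *at = strchr(in, '@');
    /* Enterprise mode: the first '@' belongs to the name itself, so only
     * a second '@' can introduce the realm. */
    if (enterprise && at != NULL)
        at = strchr(at + 1, '@');
    size_t nlen = at ? (size_t)(at - in) : strlen(in);
    const char *realm = at ? at + 1 : def_realm;
    if (nlen == 0 || nlen >= sizeof(out->name) ||
        realm[0] == '\0' || strlen(realm) >= sizeof(out->realm))
        return -1;
    memcpy(out->name, in, nlen);
    out->name[nlen] = '\0';
    strcpy(out->realm, realm);
    out->type = enterprise ? NT_ENTERPRISE : NT_PRINCIPAL;
    return 0;
}

/* String form: an '@' inside the name is escaped so the realm separator
 * stays unambiguous. Returns 0, or -1 if buf is too small. */
int unparse_princ(const struct princ *p, char *buf, size_t len)
{
    size_t o = 0;
    for (const char *s = p->name; *s; s++) {
        if (o + 2 >= len) return -1;
        if (*s == '@') buf[o++] = '\\';
        buf[o++] = *s;
    }
    int n = snprintf(buf + o, len - o, "@%s", p->realm);
    return (n < 0 || (size_t)n >= len - o) ? -1 : 0;
}

int main(void)
{
    struct princ p; char s[256];
    for (int ent = 0; ent <= 1; ent++)   /* constructed sample UPN below */
        if (parse_princ("alice@corp.example", ent, "AD.EXAMPLE.COM", &p) == 0 &&
            unparse_princ(&p, s, sizeof(s)) == 0)
            printf("enterprise=%d type=%d -> %s\n", ent, p.type, s);
}
```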