On Wed, 2015-06-03 at 17:07 +, Nordgren, Bryce L -FS wrote:
> > Or hack on the KDCs to implement AD-style case-insensitive/preserving
> > realm matching. I'm starting to think that we ought to do this in Heimdal
> > and
> > MIT Kerberos, at least as an option.
>
> This plus canonicalizing is
Ken Hornstein writes:
> Also, the venerable Russ Allbery created a lowercase realm for
> Stanford, and repeatedly has said that if he had to do it all over again
> he wouldn't have done a lowercase realm; too much software assumes an
> uppercase realm. Maybe that has changed in the intervening y
> Or hack on the KDCs to implement AD-style case-insensitive/preserving
> realm matching. I'm starting to think that we ought to do this in Heimdal and
> MIT Kerberos, at least as an option.
This plus canonicalizing is how our corporate system might work. I don't think
there's a FEDIDCARD.GOV r
On Wed, Jun 03, 2015 at 11:21:04AM -0400, Ken Hornstein wrote:
> >Or you might retain the uppercase realm and try to cross-sign between
> >the uppercase and lowercase realms. Your (somewhat silly) clients logon
> >to the lowercase realm and gain access to the (less error-prone) uppercase
> >realm.
On Wed, Jun 03, 2015 at 04:29:19PM +, Nordgren, Bryce L -FS wrote:
> Kind of moot. These smart cards are issued from GSA credentialing
> centers for USDA and certificate production is outside my sphere of
> influence. The really odd part is that the lowercase realm is encoded
> into the certifi
> Also, the venerable Russ Allbery created a lowercase realm for Stanford, and
> repeatedly has said that if he had to do it all over again he wouldn't have
> done a lowercase realm; too much software assumes an uppercase realm.
> Maybe that has changed in the intervening years.
Kind of moot. Th
>> Boy if I could get user principal mapping going, that would be sweet.
>
>Or you might retain the uppercase realm and try to cross-sign between
>the uppercase and lowercase realms. Your (somewhat silly) clients logon
>to the lowercase realm and gain access to the (less error-prone) uppercase
>rea
Ah, I didn’t read the context. MIT has supported client name canonicalisation
in AS-REQs for a while so it might be worth a try.
Also: re earlier message, enterprise principal names (UPNs) imply
canonicalisation, so you shouldn’t need to set the canon flag if you’re using
this name type.
— Luk
Hi,
Nordgren, Bryce L -FS wrote:
>
> I could, but I'm not certain the MIT Kerberos KDC (to which kinit is
> connecting) knows how to canonicalize.
It does not. It will, however, handle usernames with an embedded @ like any
other, as you've already found.
> Boy if I could get user principal mappi
> You could try the -C and -E options to kinit:
>
> -C canonicalize
> -E client is enterprise principal name
>
> — Luke
I could, but I'm not certain the MIT Kerberos KDC (to which kinit is
connecting) knows how to canonicalize. Boy if I could get user principal
mapping going, that
You could try the -C and -E options to kinit:
-C canonicalize
-E client is enterprise principal name
— Luke
> On 2 Jun 2015, at 1:02 am, Nordgren, Bryce L -FS wrote:
>
>> $ kinit '12001000550281\@fedidcard@fedidcard.gov'
>
> Thanks! Making progress!
>
> It now prints a si
>>Or am I thinking wrong: Does kinit parse the user principal name into client
>>and realm?
>>Should I rename my realm to lowercase fedidcard.gov?
> It's either 12001000550...@fedidcard.gov or it's 12001000550...@fedidcard.gov
That it is. Deleting the realm and recreating a lowercase realm fixed
Bryce
It's either 12001000550...@fedidcard.gov or
it's 12001000550...@fedidcard.gov.
As for your shell escaping with a \: on a command line you will not
escape the @; if you are scripting it, you might.
To the left of the @ is the principal name, traditionally lowercase. To
the right is the R
> $ kinit '12001000550281\@fedidcard@fedidcard.gov'
Thanks! Making progress!
It now prints a single backslash when describing the principal, both in errors
emitted from kinit and the "listprincs" command in kadmin.local. However, I'm
back to "client name mismatch" out of kinit, presumably b
On Mon, Jun 01, 2015 at 10:04:46PM +, Nordgren, Bryce L -FS wrote:
> I then tried creating a "12001000550...@fedidcard.gov" principal in my
> realm. Unfortunately, I cannot kinit using the principal
> "12001000550...@fedidcard.gov@FEDIDCARD.GOV". kinit gives a "Malformed
> representation of pri
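As an added example (my own code, not code from the thread or from MIT krb5), the following models the string form of a Kerberos principal the way the thread runs into it: an unescaped second @ gives "Malformed representation of principal", a backslash-escaped @ (`\@`) becomes part of the name, which is why kinit and kadmin's listprincs print a single backslash when showing it back, and the enterprise name type (kinit -E) lets the first @ be part of the name without escaping. It also covers the realm-case point from the top of the thread: a lowercase realm and its uppercase form are different realms unless the KDC matches realms AD-style. The function names are mine, and the enterprise rule (first unescaped @ is data, a later one starts the realm) is an assumption about kinit -E, not taken from the MIT source.

```python
r"""
Added example, not from the thread or from MIT krb5: parser, unparser and
realm comparison for the string form of a Kerberos principal.

Rules modelled (a simplification of MIT krb5_parse_name):
  * '\' escapes the next character, so '\@' is a literal '@' in a component
  * an unescaped '/' separates name components
  * the first unescaped '@' starts the realm
  * a second unescaped '@' is "Malformed representation of principal"
  * with enterprise=True (kinit -E) the name is one component that may hold
    one unescaped '@'; only a later unescaped '@' starts the realm.  This
    enterprise rule is an assumption, not taken from the MIT source.
"""


class MalformedPrincipal(ValueError):
    """Raised where kinit prints 'Malformed representation of principal'."""


def parse_principal(text, enterprise=False):
    """Return (components, realm); realm is None when the string has none."""
    components, buf = [], []
    in_realm = False
    literal_ats_left = 1 if enterprise else 0   # enterprise: first '@' is data
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\":
            if i + 1 >= len(text):
                raise MalformedPrincipal("trailing backslash")
            buf.append(text[i + 1])        # escaped char is never a separator
            i += 2
            continue
        if c == "/" and not in_realm and not enterprise:
            components.append("".join(buf))   # component boundary
            buf = []
        elif c == "@":
            if in_realm:
                raise MalformedPrincipal("Malformed representation of principal")
            if literal_ats_left:
                literal_ats_left -= 1
                buf.append(c)              # part of the enterprise name
            else:
                components.append("".join(buf))
                buf = []
                in_realm = True
        else:
            buf.append(c)
        i += 1
    if in_realm:
        return components, "".join(buf)
    components.append("".join(buf))
    return components, None


def unparse_principal(components, realm):
    """Inverse of parse_principal: re-escape separators inside components.

    This is why a principal whose name contains '@' is shown back with one
    backslash before the '@'."""
    def esc(s, specials):
        return "".join("\\" + ch if ch in specials else ch for ch in s)
    text = "/".join(esc(c, "\\/@") for c in components)
    return text if realm is None else text + "@" + esc(realm, "\\@")


def is_malformed(text, enterprise=False):
    """True when the string is rejected like the thread's first attempt."""
    try:
        parse_principal(text, enterprise=enterprise)
        return False
    except MalformedPrincipal:
        return True


def realm_matches(a, b, ad_style=False):
    """Kerberos compares realms byte for byte, so 'fedidcard.gov' and
    'FEDIDCARD.GOV' are different realms.  ad_style=True models the
    case-insensitive, case-preserving matching the thread proposes as a
    KDC option."""
    return a.lower() == b.lower() if ad_style else a == b


if __name__ == "__main__":
    # Constructed inputs: the thread's failing attempt, the escaped form
    # that worked, and the same unescaped string under kinit -E semantics.
    for s, ent in [("12001000550281@fedidcard.gov@FEDIDCARD.GOV", False),
                   (r"12001000550281\@fedidcard@fedidcard.gov", False),
                   ("12001000550281@fedidcard.gov@FEDIDCARD.GOV", True)]:
        try:
            comps, realm = parse_principal(s, enterprise=ent)
            print(f"{s!r:48} enterprise={ent}: {comps} realm={realm}")
        except MalformedPrincipal as e:
            print(f"{s!r:48} enterprise={ent}: {e}")
```

Note that the backslash is consumed by the Kerberos name parser, not the shell; the thread's `kinit '12001000550281\@fedidcard@fedidcard.gov'` works because the single quotes hand the backslash through to kinit untouched, whereas inside a double-quoted string in a script you would have to write `\\@`.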