
Re: Certificate format for PKINIT to Windows?




Geoffrey Elgey <geoffree@vintela.com> writes:

> I specified the client principal explicitly above, as my
> /etc/krb5.conf did not have SC.VAS as the default realm. If I modify
> the default realm to SC.VAS, and perform a kinit while logged in as
> 'geoffree', then I do not need to specify the client principal
> explicitly.
>
> However, if I perform a kinit while logged in as a different user, then
> I do need to specify the client principal explicitly. Otherwise, a
> client name mismatch occurs. But shouldn't the client principal name
> be derived from information in the certificate?
>
> Windows adds a subjectAltName to the certificate, of the form
> OtherName:PrincipalName=geoffree@sc.vas, which represents the UPN of
> the user.
>
> Although using the UPN may not always work for Windows authentication,
> is there a configuration option or similar that will map the UPN to
> the client principal name?

The code should pick up the name from the certificate if it's there. But
since it required me to reorganize the code in kinit and add support for
client principal in libkrb5, I ignored that for me. Something like
it is also needed for the PAM support.

Love
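As an added illustration (not code from this thread, and not Heimdal's own PKINIT code), the following stdlib-only Python builds the subjectAltName otherName that the message describes (PrincipalName=geoffree@sc.vas under the Microsoft UPN OID), parses it back, and derives a Kerberos client principal from it so that a client name mismatch can be reported. The upper-casing of the UPN domain into the realm and the sample names (including the extra dNSName) are assumptions of this example.

```python
# Content octets of OID 1.3.6.1.4.1.311.20.2.3 (Microsoft szOID_NT_PRINCIPAL_NAME)
UPN_OID = bytes.fromhex("2b060104018237140203")

def _tlv(tag, body):
    # DER tag-length-value; short-form length is enough for a UPN
    assert len(body) < 128, "short-form length only"
    return bytes([tag, len(body)]) + body

def encode_upn_san(upn, dns_name="dc01.sc.vas"):
    # GeneralNames ::= SEQUENCE OF GeneralName; otherName is [0] IMPLICIT,
    # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }.
    # A dNSName ([2] IMPLICIT IA5String, constructed sample) is added first
    # so that the parser has to skip a non-otherName entry.
    other = _tlv(0xA0, _tlv(0x06, UPN_OID) + _tlv(0xA0, _tlv(0x0C, upn.encode())))
    return _tlv(0x30, _tlv(0x82, dns_name.encode()) + other)

def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128, "long-form length not supported"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def extract_upn(san_der):
    # Walk the GeneralNames and return the UPN of the first matching otherName
    tag, names, _ = _read_tlv(san_der, 0)
    assert tag == 0x30, "subjectAltName must be a SEQUENCE"
    pos = 0
    while pos < len(names):
        tag, body, pos = _read_tlv(names, pos)
        if tag != 0xA0:  # dNSName, rfc822Name, ... are not otherName
            continue
        oid_tag, oid, p = _read_tlv(body, 0)
        if oid_tag != 0x06 or oid != UPN_OID:
            continue  # some other otherName type
        _, wrapper, _ = _read_tlv(body, p)  # strip the [0] EXPLICIT wrapper
        vtag, text, _ = _read_tlv(wrapper, 0)
        assert vtag == 0x0C, "UPN value must be a UTF8String"
        return text.decode()
    return None

def principal_from_san(san_der):
    # Assumed mapping for this example: keep the user part and upper-case the
    # domain as the realm; returns None when the certificate carries no UPN
    upn = extract_upn(san_der)
    if upn is None:
        return None
    user, _, domain = upn.rpartition("@")
    return f"{user}@{domain.upper()}"
```

Comparing the value returned by principal_from_san with the principal a user asked kinit for is the check that would turn the mismatch described above into a clear error naming both principals.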
