Add enterprise & canonicalize support (Active Directory)
Brought to you by:
kouril
Menu
▾
▴
#31 Add enterprise & canonicalize support (Active Directory)
Applies primarily to Active Directory authentication (possibly others?)
When KrbMethodK5Passwd=On and SSO doesn't work, the user get's prompted for authentication. Logging in with a bare username (i.e. user), if KRB is configured to do so, the default_realm is used to authentication the user as user@REALM. With a bare username, authentication works. When logging in with user@REALM, authentication also works. However, if the user attempts to logon with user@realm (lowercase), authentication will fail with the error:
krb5_get_init_creds_password() failed: KDC reply did not match expectations
Enterprise (NT-ENTERPRISE) authentication takes user@realm and converts it to user\@realm@REALM.
Canonical authentication will allow lowercase authentication.
KrbCanonicalize and KrbEnterprise configuration options added.
The kinit command supports these two options with '-E' and '-C' command options. For kerberos installations that require this (i.e. Active Directory), these options can be enabled so that various forms of username work for authentication (i.e. user, user@REALM, user@realm)
Patch to add KrbCanonicalize and KrbEnterprise configuration