AW: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap? - Kerberos
AW: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
But it doesn't work.
If they type in their userPrincipalName, I get an entry in my error log: (Specified realm `persona.de' not allowed by configuration)
My /etc/krb.conf
[libdefaults]
    default_realm = KONZERN.INTERN
    clockskew = 300
[realms]
    KONZERN.INTERN = {
        kdc = w2kroot.konzern.intern
        default_domain = konzern.intern
        admin_server = w2kroot
    }
[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
[domain_realm]
    .konzern.intern = KONZERN.INTERN
[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        try_first_pass = true
    }
-----Original Message-----
From: Michael B Allen [mailto:mba2000@ioplex.com]
Sent: Monday, 9 October 2006 18:16
To: Djihangiroff, Matthias (KC-DD)
Subject: Re: AW: AW: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
Then it should work. Kerberos requires the userPrincipalName and not their "windowsusername" (aka sAMAccountName). Or am I missing something?
Mike
PS: I recommend steering this thread back onto the kerberos mailing list.
On Mon, 9 Oct 2006 09:14:51 +0200
"Djihangiroff, Matthias (KC-DD)" wrote:
> The users only use their userPrincipalName (Matthias.Djihangiroff@persona.de), not their sAMAccountName (Matthias.Djihangirof).
>
>
> -----Original Message-----
> From: Michael B Allen [mailto:mba2000@ioplex.com]
> Sent: Friday, 6 October 2006 18:04
> To: Djihangiroff, Matthias (KC-DD)
> Subject: Re: AW: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
>
> So what you're saying is that users do not know their userPrincipalName and that they only know their sAMAccountName? For example, consider the following domain:
>
> dnsRoot example.com
> REALM EXAMPLE.COM
> nETBIOSName EXAMPLE
>
> and the following example user account:
>
> userPrincipalName alice@EXAMPLE.COM
> sAMAccountName abaker
>
> For Kerberos to work with the above example one would need to use the UPN alice@EXAMPLE.COM. But people are using abaker@EXAMPLE.COM or abaker@EXAMPLE?
>
> You could split the name and do an LDAP search on sAMAccountName=abaker for the userPrincipalName and then pass that to krb5_get_init_creds_password.
>
> Mike
>
> On Fri, 6 Oct 2006 07:27:06 +0200
> "Djihangiroff, Matthias (KC-DD)" wrote:
>
> >
> > I just want to point out that you can use krb5_get_init_creds_password to do Basic so there's no reason to use LDAP at all <- The problem is that the login name for a Kerberos realm is realusername@KERBEROS.REALM. The users aren't aware of their real Windows username (it is limited to 21? characters, so my name is matthias.djihangirof@KONZERN.INTERN).
> >
> > Our users are logging in with their email address:
> > firstname.lastname@windowsdomain (e.g.
> > matthias.djihangiroff@persona.de; look at the double ff in my
> > last name, it's different from my Kerberos name)
> >
> > If I try to type my email in the basic auth, mod_auth_kerb tries to
> > get a ticket for matthias.djihangiroff@persona.de. But the realm
> > persona.de doesn't exist (it's konzern.intern) :-)
> >
> >
> > -----Original Message-----
> > From: Michael B Allen [mailto:mba2000@ioplex.com]
> > Sent: Thursday, 5 October 2006 17:09
> > To: Djihangiroff, Matthias (KC-DD)
> > Cc: kerberos@mit.edu
> > Subject: Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
> >
> > On Thu, 5 Oct 2006 08:03:51 +0200
> > "Djihangiroff, Matthias (KC-DD)" wrote:
> >
> > > Hello,
> > >
> > > Anyone out there who's running an Apache with mod_auth_kerb and
> > > mod_auth_ldap?
> > > I'm running an Apache with mod_auth_kerb perfectly.
> > >
> > > But we have users who aren't in our Windows AD, so they can't
> > > load the websites protected through mod_auth_kerb.
> > > Is it possible to fall back to mod_auth_ldap, so they can manually
> > > type in their login? (The Apache then checks the user against the LDAP).
> >
> > I don't know the answer to this (my understanding is that trying to stack mod_auth_* modules together is not practical) but I just want to point out that you can use krb5_get_init_creds_password to do Basic so there's no reason to use LDAP at all. In fact using LDAP as a make-shift authentication service is crude and insecure. Whether or not mod_auth_kerb can do it I have no idea.
> >
> > Mike
> >
> > --
> > Michael B Allen
> > PHP Active Directory SSO
> > http://www.ioplex.com/
> > ###########################################
> >
> > This message has been scanned by F-Secure Anti-Virus for Microsoft Exchange.
> > For more information, connect to http://www.f-secure.com/
> >
>
>
> --
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
-
Re: AW: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
On Tue, 10 Oct 2006 08:40:55 +0200
"Djihangiroff, Matthias (KC-DD)" wrote:
> But it doesn't work.
> If they type in their userPrincipalName, I get an entry in my error log. (Specified realm `persona.de' not allowed by configuration)
> > > get a ticket for matthias.djihangiroff@persona.de. But the realm
> > > persona.de doesn't exist (it's konzern.intern) :-)
Ahh, I see. I can think of several possible solutions:
1) Hack mod_auth_kerb to "rewrite" the email address to their correct userPrincipalName
2) Instruct users to use their correct konzern.intern domain
3) Rebuild your entire domain to use persona.de instead of konzern.intern
4) Set up a KDC for persona.de with a trust to konzern.intern
Note I know more about Negotiate auth than I do Kerberos in general so
hopefully someone will chime in if I'm wrong.
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
-
Re: AW: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
I think the problem is that MIT and Heimdal don't allow an @ in the
userPrincipalName. If you capture the traffic from an XP machine to AD when
you log in with matthias.djihangiroff@persona.de you will see an AS request
for matthias.djihangiroff@persona.de@KONZERN.INTERN
Regards
Markus
"Michael B Allen" wrote in message
news:20061010122914.1aaf9fc1.mba2000@ioplex.com...
-
Re: AW: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
I tried to use kinit user\\@mailaddress.com@DOMAIN.COM (\\ escapes @) with
MIT against AD where the userPrincipalName is set to the email address but
failed, whereas I can log in on XP using the email address. I found that MS
uses a principal type 10 (= enterprise name). Is this anywhere defined in a
standard or is this an MS extension?
Thanks
Markus
"Markus Moeller" wrote in message
news:egjsck$i0$1@sea.gmane.org...
-
Re: AW: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
On Friday, October 13, 2006 07:45:17 PM +0100 Markus Moeller wrote:
> I tried to use kinit user\\@mailaddress.com@DOMAIN.COM (\\ escapes @)
> with MIT against AD where the userprincipalname is set to the email
> address but failed, whereas I can login on XP using the email address. I
> found that MS uses a principal type 10 (= enterprise name). Is this
> anywhere defined in a standard or is this an MS extension?
The value is assigned in RFC4120 section 7.5.8, but without details as to
the expected name form. What you're seeing is the most common usage for
this name type. Note that Kerberos principal name types are advisory; they
generally do not need to match.
You only said "I tried... but failed." How did you fail? Were you unable
to type the backslash, or perhaps the at-sign? Or did kinit print some
error message you're not sharing with us?
-- Jeffrey T. Hutzelman (N3NHS)
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
-
Re: AW: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
Thanks for clarifying. I got the following reply
kinit(v5): Client not found in Kerberos database while getting initial credentials
The only real difference I could see in the AS REQ is that XP uses type 10
and kinit uses type 1.
Regards
Markus
"Jeffrey Hutzelman" wrote in message
news:AE1D56BEA05AA8A328BF3929@sirius.fac.cs.cmu.edu...
-
Re: AW: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
If I change the MIT code (set the type to 10 in parse.c) I can get a ticket
with my email address as principal name.
Regards
Markus
"Markus Moeller" wrote in message
news:egop10$50c$1@sea.gmane.org...
-
Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
Matthias,
could you try and set principal.type = 10 just before the following line in
mod_auth_kerb and try to log in with matthias.djihangiroff\\@persona.de
    ret = krb5_get_init_creds_password(context, &creds, principal,
                                       (char *)password, NULL,
                                       NULL, 0, NULL, NULL);
If this works you probably only need to check if the name includes an @, add
the two \\ for escaping, call krb5_parse_name(context, new_name, principal)
and then set principal.type=10 before krb5_get_init_creds_password is called.
I would be curious if that works.
Regards
Markus
"Djihangiroff, Matthias (KC-DD)" wrote in message
news:A4987E8FC1C6CD44805DDE5676EE262E0109DAE5@w2kmail.konzern.intern...
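Added example, not code from the thread or from mod_auth_kerb: Markus's two points above (that Windows sends an AS-REQ for matthias.djihangiroff@persona.de@KONZERN.INTERN with name type 10, and that mod_auth_kerb could escape the @, call krb5_parse_name and set the type before krb5_get_init_creds_password) come down to one piece of name handling. The C below implements that handling stand-alone, without libkrb5: build_principal() turns a login typed into Basic auth into the escaped principal string plus the RFC 4120 name type to set, and split_principal() parses such a string back, honouring the backslash escapes the same way. The function names, the sample logins and the rule "a trailing @-suffix is an explicit realm only when it matches the configured default realm" are assumptions of this example, not anything the thread specifies; slash-separated components are not handled.

```c
/* Constructed example (not from the thread or mod_auth_kerb): turning a
 * typed login into a Kerberos principal string and name type, and back. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NT_PRINCIPAL            1   /* RFC 4120 section 7.5.8: NT-PRINCIPAL  */
#define NT_ENTERPRISE_PRINCIPAL 10  /* RFC 4120 section 7.5.8: NT-ENTERPRISE */

/* Case-insensitive equality; realm names are compared this way here by
 * assumption, so "konzern.intern" and "KONZERN.INTERN" match. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Build the string to hand to krb5_parse_name.  Every '@' and '\' in the
 * name part is backslash-escaped so the only unescaped '@' is the realm
 * separator.  Returns the name type to set on the parsed principal
 * (NT_PRINCIPAL or NT_ENTERPRISE_PRINCIPAL), or -1 if the login is empty
 * or the output buffer is too small. */
int build_principal(const char *login, const char *default_realm,
                    char *out, size_t outlen)
{
    const char *at = strrchr(login, '@');
    size_t namelen, n = 0, i;
    int type = NT_PRINCIPAL;

    /* A trailing "@REALM" naming our realm is an explicit realm, not part of
     * the name.  "user@persona.de" keeps its '@' in the name part instead. */
    if (at != NULL && ieq(at + 1, default_realm))
        namelen = (size_t)(at - login);
    else
        namelen = strlen(login);
    if (namelen == 0)
        return -1;                              /* no name part at all */

    for (i = 0; i < namelen; i++) {
        if (login[i] == '@' || login[i] == '\\') {
            if (login[i] == '@')
                type = NT_ENTERPRISE_PRINCIPAL; /* e-mail style UPN */
            if (n + 1 >= outlen)
                return -1;
            out[n++] = '\\';
        }
        if (n + 1 >= outlen)
            return -1;
        out[n++] = login[i];
    }
    if (n + 1 + strlen(default_realm) + 1 > outlen)
        return -1;
    out[n++] = '@';
    memcpy(out + n, default_realm, strlen(default_realm) + 1);
    return type;
}

/* Reverse parse: undo the escaping and split at the single unescaped '@'.
 * Returns 0 on success, -1 on a missing or empty realm, an empty name, a
 * second unescaped '@', a dangling backslash, or a buffer that is too small. */
int split_principal(const char *princ, char *name, size_t nlen,
                    char *realm, size_t rlen)
{
    size_t n = 0;
    const char *p;

    for (p = princ; *p; p++) {
        if (*p == '\\') {
            if (p[1] == '\0')
                return -1;                      /* dangling escape */
            p++;                                /* copy the escaped char */
        } else if (*p == '@') {
            break;                              /* realm separator */
        }
        if (n + 1 >= nlen)
            return -1;
        name[n++] = *p;
    }
    name[n] = '\0';
    if (*p != '@' || n == 0 || p[1] == '\0' || strchr(p + 1, '@') != NULL)
        return -1;
    if (strlen(p + 1) + 1 > rlen)
        return -1;
    strcpy(realm, p + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample logins mirroring the thread. */
    const char *logins[] = { "matthias.djihangiroff@persona.de", "abaker",
                             "abaker@KONZERN.INTERN", "@KONZERN.INTERN" };
    char princ[256], name[128], realm[128];
    size_t i;

    for (i = 0; i < sizeof logins / sizeof logins[0]; i++) {
        int type = build_principal(logins[i], "KONZERN.INTERN", princ, sizeof princ);
        if (type < 0 || split_principal(princ, name, sizeof name, realm, sizeof realm) != 0) {
            printf("%-34s -> rejected\n", logins[i]);
            continue;
        }
        printf("%-34s -> %s (name type %d; name \"%s\", realm %s)\n",
               logins[i], princ, type, name, realm);
    }
    return 0;
}
```

With libkrb5 you would pass build_principal()'s output to krb5_parse_name() and set the returned type on the principal before krb5_get_init_creds_password(), which is the change Markus proposes; newer MIT krb5 also offers krb5_parse_name_flags() with KRB5_PRINCIPAL_PARSE_ENTERPRISE, which does the escaping and typing itself. The defensive part worth keeping whichever way you go is the strictness of split_principal(): an empty name part or a second unescaped '@' is rejected rather than guessed at, so a login that reaches the KDC always maps to exactly one name and one realm.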