On Fri, May 31, 2013 at 03:53:19PM +0200, Jakub Hrozek wrote:
On Wed, May 29, 2013 at 06:36:26PM +0200, Sumit Bose wrote:
> after some discussion with Greg Hudson I realized that AD does not
> canonicalize enterprise principals by default, as an MIT KDC does, but
> explicitly needs the canonicalize flag to be set. With this fix the ugly
> user\@SOME.REALM@OTHER.REALM principals in the credential cache should
> go away.
Authentication works fine and the principal seems to be nicer now:
$ su - DOM2\\tuser
Ticket cache: DIR::/run/user/854001109/krb5cc/tktWtm2rL
Default principal: tuser@DOM2.BAR

Valid starting       Expires              Service principal
05/31/2013 15:51:15  06/01/2013 01:51:15  krbtgt/DOM2.BAR@DOM2.BAR
        renew until 06/07/2013 15:51:15
Pushed to master.