On Wed, May 29, 2013 at 06:36:26PM +0200, Sumit Bose wrote:
Hi,
after some discussion with Greg Hudson I realized that AD does not
canonicalize enterprise principals by default, as an MIT KDC does, but
explicitly needs the canonicalize flag to be set. With this fix the ugly
user\@SOME.REALM@OTHER.REALM principals in the credential cache should
go away.
bye,
Sumit
Authentication works fine and the principal seems to be nicer now:
$ su - DOM2\\tuser
Password:
-bash-4.2$ klist
Ticket cache: DIR::/run/user/854001109/krb5cc/tktWtm2rL
Default principal: tuser@DOM2.BAR

Valid starting       Expires              Service principal
05/31/2013 15:51:15  06/01/2013 01:51:15  krbtgt/DOM2.BAR@DOM2.BAR
        renew until 06/07/2013 15:51:15
-> Ack