Is there a way to ensure the principal generated has the lowercase user not an uppercase user showing up in kinit?
Cheers, Tom
Sent from my iPhone
On Fri, Oct 26, 2018 at 11:03:05AM -0400, Tom wrote:
Is there a way to ensure the principal generated has the lowercase user not an uppercase user showing up in kinit?
The principal is part of the ticket generated by the KDC. So you have to make sure the canonical principal on the KDC is in lower case and use canonicalization on the client side ('-C' with kinit).
HTH
bye, Sumit
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Thanks Sumit. And canonicalize = yes in [libdefaults] will make that happen on login I think.
On Fri, Oct 26, 2018 at 12:15:44PM -0400, Tom wrote:
Thanks Sumit. And canonicalize = yes in [libdefaults] will make that happen on login I think.
SSSD controls this option on its own, so if you want to be on the safe side you can set 'krb5_canonicalize = True' in sssd.conf.
But only the plain 'krb5' auth provider would use the default of 'False'. The 'ad' and 'ipa' providers have 'krb5_use_enterprise_principal = True' by default which will switch on canonicalization as well.
bye, Sumit
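The provider defaults described in the reply above can be checked per domain with a short audit script. This is an added example, not code from the thread or from the SSSD project; the sample sssd.conf and its domain names are constructed, and the default logic encodes only what the reply states.

```python
import configparser

# Constructed sample sssd.conf; domain names are placeholders, not from the thread.
SAMPLE_SSSD_CONF = """
[sssd]
domains = corp.example, lab.example, legacy.example

[domain/corp.example]
id_provider = ad

[domain/lab.example]
id_provider = ldap
auth_provider = krb5

[domain/legacy.example]
id_provider = ldap
auth_provider = krb5
krb5_canonicalize = True
"""

# Assumption taken from the reply above: these providers default
# krb5_use_enterprise_principal to True, which also enables canonicalization.
ENTERPRISE_DEFAULT_TRUE = {"ad", "ipa"}


def _as_bool(value):
    return value.strip().lower() == "true"


def canonicalization_report(conf_text):
    """Return {domain: (enabled, reason)} for every [domain/...] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    report = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        opts = parser[section]
        # auth_provider falls back to id_provider when it is not set.
        provider = opts.get("auth_provider", opts.get("id_provider", "")).lower()
        canon = _as_bool(opts.get("krb5_canonicalize", "false"))
        enterprise = _as_bool(opts.get("krb5_use_enterprise_principal",
                                       str(provider in ENTERPRISE_DEFAULT_TRUE)))
        if canon:
            result = (True, "krb5_canonicalize set")
        elif enterprise:
            result = (True, "krb5_use_enterprise_principal in effect")
        else:
            result = (False, "provider default, canonicalization off")
        report[section[len("domain/"):]] = result
    return report
```

Domains reported as off are the ones where setting 'krb5_canonicalize = True' explicitly changes behaviour.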
Doesn’t look like this will work for us. AD side is not right.
On Fri, Oct 26, 2018 at 03:32:59PM -0400, Tom wrote:
Doesn’t look like this will work for us. AD side is not right.
Yes, first account would be 'Administrator'. That's why I said 'make sure the canonical principal on the KDC is in lower case' which might be hard with AD.
What's the reason you need the name in lower-case?
bye, Sumit
Hey Sumit,
HDFS and our Hadoop suite are running into issues when users are uppercased. So we’re looking into a few possible ways around this.
My ask here is just one of the avenues we’re exploring.
I’m going to try a few of the suggestions from this thread to see if they work. Using the first option unfortunately didn’t.
Our workstations and accounts were recently updated and I suspect some need drove the AD team to shuffle things around in order to get things to work. Unfortunately that causes some minor collateral damage on our end.
SSSD has been accommodating with regards to such variances and hence the question here.
Cheers, Tom
That is an excellent question. I'm guessing you mean connecting to an AD back-end.
We've had beaucoup problems historically with that; AD itself is not case sensitive, but the Kerberos client on Linux very much is.
Our (Windows-based) erstwhile AD admins love them some camel-case user principal names. And we're Linux engineers, so AD is not in our span of control. We're merely consumers of it.
We'd used other AD integration tools where you have an explicit option to "map samAccountName or UPN to lower case". Then -- regardless of the case that your AD admin used for user name, it gets mapped in Linux to lower case.
I'm looking at our SSSD deployments. They seem to do this auto-magically. Whatever case I use to log in, it gets accepted and it consistently maps the login name to lower case.
That's good for us, but I'd guess some companies wouldn't like this -- now the Linux account name doesn't match the Kerberos principal name.
Spike
sssd-users@lists.fedorahosted.org