San,

You need an implementation of Kerberos which has support for UPN authentication (using nt-enterprise principal names) and the canonical flag, as well as client-side realm referrals. I guess the implementation of Kerberos on Ubuntu does not have these extensions coded.

I represent a vendor who develops and sells a commercial implementation of Kerberos, and our product works as you expect - see below:

    tal...@perky:~> kinit talsop
    Password for tal...@dev.local:
    tal...@perky:~> klist
    Cache Type:        Kerberos V5 Credentials Cache
    Cache File:        /krb5/tmp/cc/krb5cc_1000
    Cache Version:     0502
    Default Principal: tal...@dev.local

    Valid From                    Expires                       Service Principal
    ----------------------------  ----------------------------  -----------------
    Mon 09 Mar 2009 12:06:03 GMT  Mon 09 Mar 2009 20:06:23 GMT  krbtgt/dev.lo...@dev.local
    tal...@perky:~> kinit tal...@dev.local
    Password for tals...@dev.local@DEV.LOCAL:
    tal...@perky:~> klist
    Cache Type:        Kerberos V5 Credentials Cache
    Cache File:        /krb5/tmp/cc/krb5cc_1000
    Cache Version:     0502
    Default Principal: tal...@dev.local

    Valid From                    Expires                       Service Principal
    ----------------------------  ----------------------------  -----------------
    Mon 09 Mar 2009 12:06:16 GMT  Mon 09 Mar 2009 20:06:35 GMT  krbtgt/dev.lo...@dev.local
    tal...@perky:~>

Thanks,
Tim

-----Original Message-----
From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of San tos
Sent: 09 March 2009 11:49
To: kerberos@mit.edu
Subject: Authenticating using lower case domain/realm

Hello to all.

I have successfully configured Ubuntu machines to authenticate to an Active Directory running Windows 2k (pam_krb5/LDAP/Kerberos). The realm is DOMAIN.COM; however, in order to be user friendly and maintain the same login address in everything, I need to authenticate using u...@domain.com instead of u...@domain.com.

It seems Windows 2k accepts either way, but maybe Kerberos doesn't like the response it receives:

    kinit(v5): KDC reply did not match expectations while getting initial credentials

I'm using Ubuntu 8.10 and:

    krb5-config  1.19                Configuration files for Kerberos Version 5
    krb5-user    1.6.dfsg.4~beta1-3  Basic programs to authenticate using MIT Ker
    libkrb53     1.6.dfsg.4~beta1-3  MIT Kerberos runtime libraries

The krb5.conf:

    [libdefaults]
        default_realm = DOMAIN.COM
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
    #   dns_lookup_realm = true
    #   dns_lookup_kdc = false

    [realms]
        DOMAIN.COM = {
            kdc = dc.domain.com
            admin_server = dc.domain.com
            default_domain = DOMAIN.COM
        }

    [domain_realm]
        domain.com = DOMAIN.COM
        .domain.com = DOMAIN.COM

I have googled, read the mans, tried a lot of other configurations, etc., for days now, but can't figure it out. I will appreciate any input you got on this.

Thanks in advance for your replies.

Santos

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
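
Added example (not part of the original messages, and not MIT krb5 or vendor code): a simplified Python model of the client-side name check behind the error quoted in the thread, showing why a lower-case realm is rejected without the canonical flag and accepted with it or with an nt-enterprise name. The toy KDC, the user name user@domain.com and all function names are constructed assumptions.

```python
# Added illustration: a simplified model, not MIT krb5 code. All names are hypothetical.
from dataclasses import dataclass

NT_PRINCIPAL = 1     # RFC 4120 name type: user name components plus realm
NT_ENTERPRISE = 10   # RFC 6806 name type: the whole user@domain string is one component


@dataclass(frozen=True)
class Principal:
    name_type: int
    components: tuple
    realm: str


class KdcReplyModified(Exception):
    """Stands in for kinit's 'KDC reply did not match expectations'."""


def parse_name(text, default_realm, enterprise=False):
    if enterprise:
        # The UPN is not split; the request goes to the configured default realm.
        return Principal(NT_ENTERPRISE, (text,), default_realm)
    user, _, realm = text.partition("@")
    return Principal(NT_PRINCIPAL, (user,), realm or default_realm)


def toy_kdc(req):
    """Constructed KDC (assumption): finds the account whatever the case of
    the realm, and always answers with the canonical name and realm."""
    user = req.components[0].partition("@")[0]
    return Principal(NT_PRINCIPAL, (user,), "DOMAIN.COM")


def verify_reply(requested, replied, canonicalize):
    """Client-side check of the client name returned in the AS-REP."""
    if canonicalize:
        return replied   # canonicalization was requested, so a changed name is accepted
    if (requested.components, requested.realm) != (replied.components, replied.realm):
        raise KdcReplyModified("KDC reply did not match expectations")
    return replied


def kinit(text, enterprise=False, canonicalize=False, default_realm="DOMAIN.COM"):
    req = parse_name(text, default_realm, enterprise)
    return verify_reply(req, toy_kdc(req), canonicalize)
```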