
When using kinit to acquire a Kerberos ticket I have configured it to use a default realm, e.g. GERT.LAN by editing /etc/krb5.conf:

[libdefaults]
        default_realm = GERT.LAN

That's great since I don't have to supply that all the time on the command line.

⟫ kinit
gert@GERT.LAN's Password:

However, my local username gert does not match the remote username gertvdijk. Now I have to supply the full principal name as an argument still. If this is just kinit I could create a bash alias, but more Kerberos tools appear to try my local username. For example Kredentials does not allow me to use a principal other than the default one.

So, basically, what I want is to create a mapping between the local user gert and the remote principal gertvdijk@GERT.LAN.

Ironically, when using a more complicated setup with PAM I am able to achieve this. In krb5.conf:

[appdefaults]
        pam = {
                mappings = gert gertvdijk@GERT.LAN
        }

But I don't want to use the Kerberos PAM module anymore since I've locked myself out so many times by thinking the Kerberos server isn't reachable and I'm trying to enter the local password...

So, long story short, is there a way to configure a default principal or a mapping from local usernames?

gertvdijk

3 Answers


The default principal can be set in ~/.k5identity

$ cat .k5identity
user@EXAMPLE.COM

Then kinit will use it as a default identity.

Misc

I believe currently there is no solution for that. From the kinit man page:

kinit obtains and caches an initial ticket-granting ticket for principal.
If principal is absent, kinit chooses an appropriate principal name based
on existing credential cache contents or the local username of the user
invoking kinit. Some options modify the choice of principal name.

meaning you have to use an option at least once, the first time; later the user from the existing (but possibly expired) ticket will be used.

But at least you can have a workaround for it, like:

alias kinit='/usr/bin/kinit $KRB_USER'

which falls back to the original in case KRB_USER is not defined.

redseven
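As an added example (not code from the question or any of the answers): a POSIX shell function that combines the ~/.k5identity approach from the first answer with the $KRB_USER alias from the second, and otherwise falls back to the local username qualified with default_realm from krb5.conf, the way kinit does. The function name, the file-path parameters and the sample files are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the question or the answers): pick the principal
# to hand to kinit. Order of precedence:
#   1. first principal listed in a .k5identity file (first answer),
#   2. $KRB_USER, the variable the alias in the second answer relies on,
#   3. local username qualified with default_realm from krb5.conf.
# File paths and the local username are parameters (an assumption made here
# so the function can be exercised against constructed files).
resolve_kinit_principal() {
    k5identity="$1"   # path to a .k5identity file, may not exist
    krb5conf="$2"     # path to a krb5.conf
    localuser="$3"    # local username, e.g. "$(id -un)"

    if [ -r "$k5identity" ]; then
        # first line that is neither blank nor a comment; the principal is
        # the first field, any selection options after it are ignored
        p=$(awk '!/^[ \t]*(#|$)/ { print $1; exit }' "$k5identity")
        if [ -n "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    fi

    if [ -n "${KRB_USER:-}" ]; then
        printf '%s\n' "$KRB_USER"
        return 0
    fi

    # default_realm is only honoured inside the [libdefaults] section
    realm=$(awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && $1 ~ /^default_realm/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$krb5conf")
    if [ -z "$realm" ]; then
        echo "resolve_kinit_principal: no default_realm in $krb5conf" >&2
        return 1
    fi
    printf '%s@%s\n' "$localuser" "$realm"
}

# Constructed sample files mirroring the question's setup, for a stand-alone run.
demo=$(mktemp -d)
printf '[libdefaults]\n        default_realm = GERT.LAN\n' > "$demo/krb5.conf"
printf '# mapping for the local user gert\ngertvdijk@GERT.LAN\n' > "$demo/k5identity"
resolve_kinit_principal "$demo/k5identity" "$demo/krb5.conf" gert   # gertvdijk@GERT.LAN
resolve_kinit_principal "$demo/missing"    "$demo/krb5.conf" gert   # gert@GERT.LAN
rm -rf "$demo"
```

Wrapping kinit as `kinit "$(resolve_kinit_principal ~/.k5identity /etc/krb5.conf "$(id -un)")"` gives the alias from the second answer a .k5identity-aware default.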

Use a default realm and use a user mapping in your /etc/krb5.conf like this:

[libdefaults]
    default_realm = GERT.LAN

[realms]
    GERT.LAN = {
        auth_to_local_names = {
            gert = gert.vandijk
        }
    }

Now kinit/kpasswd will apply this mapping when invoked as the local user, mapping it to a domain username.

gertvdijk