Hey folks! I need to allow smartcard authentication with a third-party certificate generated with a UPN that has a suffix that is not my domain name. From the AD literature, it's possible. I followed these guidelines to make an additional UPN available for login: https://technet.microsoft.com/en-us/library/cc772007.aspx

But I'm missing something. Kerberos does part of the job, but then fails to find the user.

Kerberos: found MS UPN SAN: marcelo.rabelo-andrade@notmydomain
Kerberos: Found matching MS UPN SAN in certificate
Kerberos: PKINIT pre-authentication succeeded -- marcelo.rabelo-andrade@notmydomain@MY.DOMAIN using CN=MARCELO ROCHA RABELO DE ANDRADE,OU=Emissor of my certificate,C=BR

Up to this point, everything seems fine (note the login at notmydomain followed by the @MY.DOMAIN). But then it derails:

Kerberos: TGS-REQ marcelo.rabelo-andrade@MY.DOMAIN from ipv4:10.35.64.59:50639 for host/serpro1560071v1.receita.intranet@MY.DOMAIN [canonicalize, renewable, forwardable]
[2015/08/31 18:46:49.021827, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client no longer in database: marcelo.rabelo-andrade@MY.DOMAIN

If I run kinit -E marcelo.rabelo-andrade@notmydomain, it works flawlessly. Any hints on the subject so I can pull it off? Am I missing something?
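The two names that appear in the log above (the UPN from the certificate's SAN, and the realm-local principal in the TGS-REQ) are different strings, and a directory lookup on one does not find an account keyed on the other. The script below is an added illustration, not part of the original post and not Samba's or Windows' KDC code: it builds a DER subjectAltName carrying a Microsoft UPN otherName (type-id 1.3.6.1.4.1.311.20.2.3), extracts the UPN again with a minimal DER walker, splits it into user and suffix, and looks it up by exact userPrincipalName match in a constructed in-memory directory. The SAN bytes, the rfc822Name, the directory entries and the sAMAccountName values are all made up for the example; the exact-match lookup is a simplified stand-in for the directory's UPN mapping, not a claim about the KDC's internals.

```python
"""Pull the Microsoft UPN out of a subjectAltName and map it to an account.
Added illustration only (not Samba or Windows KDC code); the DER sample and
the directory entries are constructed for this example."""

# otherName type-id Microsoft uses for the UPN SAN (szOID_NT_PRINCIPAL_NAME)
MS_UPN_OID = "1.3.6.1.4.1.311.20.2.3"

# --- minimal DER encode/decode, enough for a SubjectAltName value ------------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    """Encode one tag-length-value element."""
    return bytes([tag]) + _der_len(len(content)) + content

def der_oid(dotted):
    """Encode a dotted OID as an OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def der_items(buf):
    """Yield (tag, content) for each TLV inside a constructed value."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                       # long-form length
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

# --- SubjectAltName with an MS UPN otherName ---------------------------------

def ms_upn_general_name(upn):
    """GeneralName otherName [0] { type-id OID, value [0] EXPLICIT UTF8String }."""
    other_name = der_oid(MS_UPN_OID) + der(0xA0, der(0x0C, upn.encode("utf-8")))
    return der(0xA0, other_name)

def upn_from_san(san_der):
    """Return the UPN carried in a DER SubjectAltName value, or None."""
    for tag, general_names in der_items(san_der):
        if tag != 0x30:                    # SubjectAltName ::= SEQUENCE OF GeneralName
            continue
        for gn_tag, gn in der_items(general_names):
            if gn_tag != 0xA0:             # only otherName [0] can carry a UPN
                continue
            fields = list(der_items(gn))
            if len(fields) != 2 or fields[0][0] != 0x06 or fields[1][0] != 0xA0:
                continue
            if decode_oid(fields[0][1]) != MS_UPN_OID:
                continue                   # some other otherName type
            for v_tag, value in der_items(fields[1][1]):
                if v_tag == 0x0C:          # UTF8String
                    return value.decode("utf-8")
    return None

# Constructed sample SAN: an rfc822Name [1] plus the UPN seen in the log.
SAMPLE_SAN = der(0x30,
                 der(0x81, b"marcelo@mail.invalid")
                 + ms_upn_general_name("marcelo.rabelo-andrade@notmydomain"))

# --- mapping the UPN to an account -------------------------------------------

def split_upn(upn):
    """'user@suffix' -> ('user', 'suffix'); the suffix need not be the realm."""
    user, _, suffix = upn.rpartition("@")
    return user, suffix

# Constructed directory entries, not real accounts.
DIRECTORY = [
    {"sAMAccountName": "mrabelo",
     "userPrincipalName": "marcelo.rabelo-andrade@notmydomain"},
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@my.domain"},
]

def find_by_upn(directory, upn):
    """Case-insensitive exact match on userPrincipalName: the whole string,
    suffix included, must be on the account for a non-realm UPN to map."""
    for entry in directory:
        if entry["userPrincipalName"].lower() == upn.lower():
            return entry
    return None

if __name__ == "__main__":
    upn = upn_from_san(SAMPLE_SAN)
    print("UPN SAN:", upn, "->", split_upn(upn))
    print("maps to:", find_by_upn(DIRECTORY, upn))
    # The realm-local form from the TGS-REQ line is a different string.
    print("realm-local form:", find_by_upn(DIRECTORY, split_upn(upn)[0] + "@MY.DOMAIN"))
```

Run it as-is to see the SAN UPN resolve while the realm-local form does not; point `upn_from_san` at the DER value of a real certificate's subjectAltName extension (the bytes inside the extension's OCTET STRING) to check what UPN your smartcard certificate actually carries before comparing it against the account's userPrincipalName.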