When using kinit to acquire a Kerberos ticket I have configured it to use a default realm, e.g. GERT.LAN, by editing /etc/krb5.conf:

    [libdefaults]
        default_realm = GERT.LAN

That's great since I don't have to supply that all the time on the command line.

    ⟫ kinit
    [email protected]'s Password:
However, my local username gert does not match the remote username gertvdijk. Now I still have to supply the full principal name as an argument. If this were just kinit I could create a bash alias, but more Kerberos tools appear to try my local username. For example, Kredentials does not allow me to use anything other than the default principal.

So, basically, what I want is to create a mapping between the local user gert and the remote principal [email protected].
Ironically, when using a more complicated setup with PAM I am able to achieve this. In krb5.conf:

    [appdefaults]
        pam = {
            mappings = gert [email protected]
        }
But I don't want to use the Kerberos PAM module anymore since I've locked out myself so many times by thinking the Kerberos server isn't reachable and I'm trying to enter the local password...
So, long story short, is there a way to configure a default principal or a mapping from local usernames?
The default principal can be set in ~/.k5identity. Then kinit will use it as a default identity.
Use a default realm and use a user mapping in your /etc/krb5.conf like this:

Now kinit/kpasswd will map this when invoking it as the local user and map that to a domain username.

I believe currently there is no solution for that. From the kinit man page:

meaning you have to use an option at least once, the first time; later the user from the existing (but possibly expired) ticket will be used.

But at least you can have a workaround for it, like:

which falls back to the original in case the KRB_USER is not defined.
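As an added illustration (not the code from either answer above), here is one way to write the workaround described in the last answer, combined with the ~/.k5identity idea from the first answer: a shell wrapper that chooses the principal for kinit from the KRB_USER variable, falls back to the first principal listed in a k5identity-style file, and otherwise leaves kinit's own default untouched. The file name, the principal gertvdijk@GERT.LAN (taken from the question's username and realm) and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example: choose the principal passed to kinit.
# Order: $KRB_USER if set and non-empty, else the first principal in a
# k5identity-style file (default ~/.k5identity), else nothing, which keeps
# kinit's own default (local user name in default_realm).

# Print the first principal from a k5identity-style file. Each line is a
# principal optionally followed by field=value selectors; '#' starts a
# comment. Prints nothing if the file is absent or has no entries.
first_k5identity_principal() {
    f=${1:-"$HOME/.k5identity"}
    [ -r "$f" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;      # skip blank and comment lines
        esac
        set -- $line                  # word-split; first word is the principal
        printf '%s' "$1"
        return 0
    done < "$f"
}

# Resolve the principal to use: KRB_USER wins, then the identity file.
# Optional argument: path of the identity file (assumed for testing).
krb_principal() {
    if [ -n "${KRB_USER:-}" ]; then
        printf '%s' "$KRB_USER"
    else
        first_k5identity_principal "${1:-}"
    fi
}

# Wrapper with the same name as the real tool; 'command kinit' bypasses the
# function so the genuine kinit is invoked. Extra options are passed through.
kinit() {
    p=$(krb_principal)
    if [ -n "$p" ]; then
        command kinit "$@" "$p"
    else
        command kinit "$@"            # fall back to kinit's own default
    fi
}
```

Source this file from your shell start-up script and set KRB_USER (for example to gertvdijk@GERT.LAN) to override the local user name; when the variable is unset and no identity file exists, kinit behaves exactly as before.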