help-shishi

Alternative UPN Kerberos Client Support


From: Gabriel SERPRO
Subject: Alternative UPN Kerberos Client Support
Date: Mon, 22 Apr 2013 12:36:15 -0300

Hello everybody!

Is there any way to configure a GNU Shishi client to get tickets based on an alternative UPN?

In my case, I have 10 MS AD-DS child domains and a root domain with an alternate UPN configured (which can be used for all child domains during the user creation action), that matches the UPN values written in the user's (we have 55k users) smartcard/token.

If I try to get a ticket using the realm/DNS domain name, like AD1.ENTERPRISE.COM. or AD2.ENTERPRISE.COM, it functions properly, but in my case, the alternate UPN is CORPORATE.COM and, of course, a realm called CORPORATE.COM doesn't really exist.

I've made the following tests:

kinit address@hidden --> Ok, it works, klist shows the ticket!
kinit address@hidden --> OK, it works, klist shows the ticket!
kinit address@hidden --> Error: Realm not local to KDC while getting initial credentials.

Relevant portion of krb5.conf used for this example:

http://dpaste.com/hold/1069113/

Thank you in advance!

Gabriel Abdalla Cavalcante

PS: Additional info that can be useful:
http://technet.microsoft.com/en-us/library/cc772007.aspx
