Issue with Kerberos Principal swapping between upper and lowercase
Disclaimer: I am not super knowledgeable about Kerberos but am trying to learn more. This is what I discovered while looking into this issue.
We are currently using NoMad in our environment while being bound to Active Directory (hopefully going to unbind down the road). This issue with the alias swapping between lower and uppercase is causing issues with Kerberos renewal. For example, when signing into the machine, the principal is set to alias@TEST.DOMAIN.COM. I'm guessing this is how Apple is reading and displaying the information provided by Active Directory. I have another test machine that is not bound to AD and is using NoLo w/ NoMad, and it doesn't have any issues. However, with NoMad managing Kerberos, the principal is always all capital letters (ex: ALIAS@TEST.DOMAIN.COM).
While the principal is set to lowercase, eventually the ticket somehow expires or renews w/ NoMad and the principal changes to ALIAS@TEST.DOMAIN.COM. This is shown when you run 'klist': it will show all uppercase. Applications like Microsoft Outlook, which look for a specific Kerberos principal for maintaining a TGT, are no longer able to establish a connection with email@example.com and prompt the user to enter credentials when NoMad is supposed to handle that for you.
Having the ability to control whether NoMad sets the "alias" to upper or lowercase on renewals will allow admins to configure based on how Apple is reading in the information and adjust accordingly. From testing, it seems like NoMad defaults to setting the principal as ALIAS@TEST.DOMAIN.COM when renewing Kerberos tickets.
In order for us to work around this issue we have to run a dscl command to delete the lowercase value and replace it with the uppercase value in /Local/Default for AuthenticationAuthority. Once this command is run, a reboot or logout and back in will persist with the principal always being capital letters (ALIAS@TEST.DOMAIN.COM). This is not very ideal because a user can potentially have their Kerberos messed up on first login. Also, if the machine needs to be rebound, all scripts would need to include the logic below to pull the user's alias and set it all caps again. (Haven't made the script yet.)
sudo dscl localhost -append /Local/Default/Users/alias AuthenticationAuthority ';Kerberosv5;;ALIAS@TEST.DOMAIN.COM;TEST.DOMAIN.COM;'
sudo dscl localhost -delete /Local/Default/Users/alias AuthenticationAuthority ';Kerberosv5;;alias@TEST.DOMAIN.COM;TEST.DOMAIN.COM;'
Ultimately, I'm banking on seeing if NoMad can be updated to include this functionality (have the "alias" in alias@TEST.DOMAIN.COM be set to all uppercase or lowercase). This could already be a thing and I could be missing a configuration in NoMad, so any help is appreciated.
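The post mentions a script that would pull the user's alias and rewrite the Kerberosv5 AuthenticationAuthority value in a chosen case (the user part of a Kerberos principal is case-sensitive, which is why a mismatch matters). The following is an added example, not code from the original post or from the NoMad project. It assumes the value has exactly the shape shown in the post (`;Kerberosv5;;user@REALM;REALM;`); the `apply_principal_case` wrapper is illustrative only, assumes it runs as root on a bound Mac, and assumes `dscl -read` prints the AuthenticationAuthority values space-separated on one line.

```shell
#!/bin/sh
# Added example (not from the original post). Rewrites the user part of a
# Kerberosv5 AuthenticationAuthority value to upper or lower case so the
# stored principal matches what the Kerberos client expects.

# principal_from_authority VALUE -> prints 'user@REALM' from a
# ';Kerberosv5;;user@REALM;REALM;' value (assumed format from the post).
principal_from_authority() {
  printf '%s\n' "$1" | awk -F';' '$2 == "Kerberosv5" { print $4 }'
}

# recase_principal VALUE upper|lower -> prints the rewritten value.
# Only the user part is recased; the realm is left untouched.
recase_principal() {
  value=$1
  mode=$2
  principal=$(principal_from_authority "$value")
  [ -n "$principal" ] || return 1
  user=${principal%%@*}
  realm=${principal#*@}
  case $mode in
    upper) user=$(printf '%s' "$user" | tr '[:lower:]' '[:upper:]') ;;
    lower) user=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]') ;;
    *) return 2 ;;
  esac
  printf ';Kerberosv5;;%s@%s;%s;\n' "$user" "$realm" "$realm"
}

# Illustrative wrapper, not executed here. Assumptions: run as root on the
# bound Mac; dscl prints the AuthenticationAuthority values space-separated.
# Mirrors the two dscl commands in the post: append the recased value, then
# delete the old one, for every Kerberosv5 entry the local user record has.
apply_principal_case() {
  username=$1
  mode=$2
  dscl localhost -read "/Local/Default/Users/$username" AuthenticationAuthority \
    | tr ' ' '\n' | grep '^;Kerberosv5;' | while read -r old; do
      new=$(recase_principal "$old" "$mode") || continue
      [ "$new" != "$old" ] || continue
      dscl localhost -append "/Local/Default/Users/$username" AuthenticationAuthority "$new"
      dscl localhost -delete "/Local/Default/Users/$username" AuthenticationAuthority "$old"
    done
}
```

Usage would be `apply_principal_case alias upper` (or `lower`) after checking `klist` to see which case the machine is actually issuing tickets for; running `recase_principal` on its own prints the value that would be appended, which is a safe way to preview the change before touching the user record.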