It's not uncommon when generating keytab files for users to include hostnames in the service principal name, for example:
```
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 bob/hashi-J67927WY11@CORP.EXAMPLE.NET
```
Some users want the CLI to strip these instances if they're found while parsing the keytab during login to avoid authentication issues when searching LDAP for the user. To do this, I added a new CLI login parameter remove_instance_name, which will remove any instance names from the keytab file. It then sends the modified keytab file to Vault to be used for the login request.
Using this new parameter, a login might look like this:
To enable server-side trimming, I added a new config to the kerberos config, with the same name, remove_instance_name:
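The trimming this PR describes, shown on a single keytab entry as an added example (not code from the PR or from the plugin). It assumes the MIT keytab file format 0x0502 entry layout; `StripInstance`, `counted` and `str` are names made up for the example, and the sample entry with its dummy key bytes is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// counted splits off the uint16-length-prefixed string at the start of b (prefix kept).
func counted(b []byte) (f, rest []byte, err error) {
	if len(b) < 2 || len(b) < 2+(int(b[0])<<8|int(b[1])) {
		return nil, nil, errors.New("keytab: truncated counted string")
	}
	n := 2 + (int(b[0])<<8 | int(b[1]))
	return b[:n], b[n:], nil
}

// StripInstance rewrites one 0x0502 keytab entry body (size prefix excluded)
// so that the principal keeps only its first name component.
func StripInstance(e []byte) ([]byte, error) {
	if len(e) < 2 {
		return nil, errors.New("keytab: truncated entry")
	}
	ncomp := int(e[0])<<8 | int(e[1]) // big-endian component count
	realm, rest, err := counted(e[2:])
	var first, c []byte
	for i := 0; i < ncomp && err == nil; i++ {
		if c, rest, err = counted(rest); i == 0 {
			first = c
		}
	}
	if err != nil || ncomp == 0 {
		return nil, errors.New("keytab: bad principal")
	}
	// One component, same realm; name type, timestamp, kvno and key stay byte-identical.
	return append(append(append([]byte{0, 1}, realm...), first...), rest...), nil
}

func str(s string) []byte { // counted-string encoder for the constructed sample
	return append([]byte{byte(len(s) >> 8), byte(len(s))}, s...)
}

func main() {
	// Constructed entry for bob/hashi-J67927WY11@CORP.EXAMPLE.NET with a dummy tail.
	tail := []byte{0, 0, 0, 1, 0, 0, 0, 0, 2, 0, 17, 0, 2, 0xAA, 0xBB}
	e := append([]byte{0, 2}, str("CORP.EXAMPLE.NET")...)
	e = append(append(append(e, str("bob")...), str("hashi-J67927WY11")...), tail...)
	out, err := StripInstance(e)
	fmt.Printf("%d -> %d bytes, err=%v\n", len(e), len(out), err)
}
```

Entries that differ only by instance end up with the same principal name after this rewrite, and a service principal such as HTTP/host would be reduced to HTTP, so the rewrite is only meaningful for user principals.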