
Capitalization question


Kanevsk...@emc.com

Oct 29, 2009, 6:35:44 PM10/29/09
to Kerb...@mit.edu, kan...@emc.com
Can I use capitalization in names used in a Kerberos domain?
I am bumping into an issue when capital letters are used in the domain but not in the hostname only.
Details below.
Needless to say, all sorts of other authentication also fail.


[root@nf-ArkTEST-sto ~]# hostname
nf-ArkTEST-sto.ArkTEST.name.company.com

From listprincs:
host/nf-ArkTEST-sto.ArkT...@ARKTEST.NAME.COMPANY.COM

nfs/nf-ArkTEST-sto.ArkT...@ARKTEST.NAME.COMPANY.COM


[root@nf-ArkTEST-sto ~]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 3 host/nf-ArkTEST-sto.ArkT...@ARKTEST.NAME.COMPANY.COM
2 3 host/nf-ArkTEST-sto.ArkT...@ARKTEST.NAME.COMPANY.COM
3 3 host/nf-ArkTEST-sto.ArkT...@ARKTEST.NAME.COMPANY.COM
4 3 host/nf-ArkTEST-sto.ArkT...@ARKTEST.NAME.COMPANY.COM
5 3 nfs/nf-ArkTEST-sto.ArkT...@ARKTEST.NAME.COMPANY.COM
ktutil:

[root@nf-ArkTEST-sto ~]# kinit -k /etc/krb5.keytab
kinit(v5): Client not found in Kerberos database while getting initial credentials


--
Thanks,
Arkady Kanevsky


Ken Raeburn

Oct 29, 2009, 7:34:28 PM10/29/09
to Kanevsk...@emc.com, kan...@emc.com, kerb...@mit.edu
On Oct 29, 2009, at 18:35, <Kanevsk...@emc.com> wrote:
> Can I use capitalization in names used in a Kerberos domain?
> I am bumping into an issue when capital letters are used in the domain
> but not in the hostname only.
> Details below.
> Needless to say, all sorts of other authentication also fail.

The DNS is case-insensitive for comparing names (though sometimes case-
preserving for returning data). But Kerberos needs to have a
canonical way of constructing host-based principal names from host
names, and it is specified that the lower-case form of the host name
is used. So, you can create the principals, but unless you make a
bunch of code changes -- and force anyone else who wants to
authenticate to your hosts to do so too -- they're not likely to get
used.

(Some of the alias handling in 1.7 might make it easier to implement,
but I still wouldn't recommend it.)

> [root@nf-ArkTEST-sto ~]# kinit -k /etc/krb5.keytab
> kinit(v5): Client not found in Kerberos database while getting
> initial credentials

That's a different problem. "-k" specifies that a keytab is to be
used instead of asking for a password. It doesn't take a parameter;
you use "-t type:keytabname" if you need to specify a keytab (e.g.,
"-t FILE:/etc/krb5.keytab"). So "/etc/krb5.keytab" is taken as the
client principal name, and that almost certainly isn't in your
database....

Ken
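The two points in the reply above (host-based principal names are built from the lower-case host name, so mixed-case principals in the keytab will not be looked up; and "-k" takes no argument, so the keytab path must go via "-t") as an added worked example. This is not code from the thread or from MIT Kerberos; it uses no Kerberos library. The ktutil listing is reconstructed from the hostname and realm shown in the first post (the page's own listing is truncated), with one extra lower-case entry added for contrast, and the "usable"/"unreachable" classification is this script's own terminology.

```python
"""Audit a keytab listing against the canonical host-based principal form.

Added example, not part of the original thread. It assumes the hostname and
realm from the first post and a reconstructed ktutil "l" listing; it does not
talk to a KDC or read a real keytab.
"""
import re
from typing import Dict, List, Tuple


def canonical_host_principal(service: str, hostname: str, realm: str) -> str:
    """Build the name a client will look up for a host-based service.

    RFC 4120 section 6.2.1 specifies the fully-qualified host name in lower
    case. The realm is left alone: realm names are case-sensitive and are
    conventionally upper case.
    """
    return f"{service}/{hostname.lower()}@{realm}"


# Reconstructed from the thread's hostname/realm, plus a lower-case entry
# (slot 3) that does not appear on the page, added here for contrast.
KTUTIL_LISTING = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 host/nf-ArkTEST-sto.ArkTEST.name.company.com@ARKTEST.NAME.COMPANY.COM
   2    3 nfs/nf-ArkTEST-sto.ArkTEST.name.company.com@ARKTEST.NAME.COMPANY.COM
   3    3 host/nf-arktest-sto.arktest.name.company.com@ARKTEST.NAME.COMPANY.COM
"""

# One ktutil entry line: slot number, KVNO, principal. Header and rule lines
# contain no leading integer pair and are skipped.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_ktutil_listing(text: str) -> List[Tuple[int, int, str]]:
    """Return (slot, kvno, principal) for each entry line in a ktutil listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return entries


def split_principal(principal: str) -> Tuple[str, str, str]:
    """Split 'service/host@REALM' into its parts; reject anything else."""
    name, _, realm = principal.rpartition("@")
    service, _, host = name.partition("/")
    if not (service and host and realm):
        raise ValueError(f"not a host-based principal: {principal!r}")
    return service, host, realm


def audit_keytab(listing: str) -> Dict[str, List[str]]:
    """Classify each keytab principal by whether a client that builds the
    canonical lower-case name would ever ask for it."""
    report: Dict[str, List[str]] = {"usable": [], "unreachable": []}
    for _slot, _kvno, principal in parse_ktutil_listing(listing):
        service, host, realm = split_principal(principal)
        if principal == canonical_host_principal(service, host, realm):
            report["usable"].append(principal)
        else:
            report["unreachable"].append(principal)
    return report


def kinit_keytab_argv(principal: str, keytab: str = "/etc/krb5.keytab") -> List[str]:
    """Correct kinit invocation for a keytab.

    "-k" takes no argument; the keytab is named with "-t FILE:path". Putting
    the path directly after "-k" makes kinit treat it as the client principal,
    which is what produced "Client not found in Kerberos database" above.
    """
    return ["kinit", "-k", "-t", f"FILE:{keytab}", principal]


if __name__ == "__main__":
    result = audit_keytab(KTUTIL_LISTING)
    for kind, names in result.items():
        for name in names:
            print(f"{kind:12} {name}")
    print(" ".join(kinit_keytab_argv(result["usable"][0])))
```

Run it to see that only the slot-3 entry (all lower-case host name) matches what a client would request; the mixed-case entries from the thread are flagged as unreachable, which is why the other authentication attempts fail as well. The realm is compared case-sensitively and is not lowercased.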
