Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
ksu fails with uppercase hostname
11 views
Skip to first unread message
Anubha Gupta
Apr 6, 2012, 8:10:37 AM4/6/12
to krb...@mit.edu, kerb...@mit.edu
Hi All,
I have a kerberos client with hostname in uppercase and the hostname
resolution happens locally (/etc/hosts has uppercase entry for the
hostname).
When I run ksu for root, it fails with an error saying the service
principal is not found in the database. Everything else seems to be working
fine- kinit, kadmin etc, its just that ksu doesn't work.
I have added the host entry in the database with uppercase hostname- host/
CEC.IN....@MYREALM.COM instead of host/cec.in....@MYREALM.COM and
kinit for host/CEC.IN....@MYREALM.COM works fine.
While digging into the issue further, I noticed that, AS_REQ is sent for
host/cec.in....@MYREALM.COM(lower case) instead of host/
CEC.IN....@MYREALM.COM, which causes the failure since the host
principal is added with uppercase in the database and the AS_REQ is sent
for lowercase, which obviously can't be found.
when I looked into the code, I found that the host service principal is
converted into lowercase in the src/lib/krb5/os/sn2princ.c file before
sending AS_REQ.
if (type == KRB5_NT_SRV_HST)
for (cp = remote_host; *cp; cp++)
if (isupper((unsigned char) (*cp)))
*cp = tolower((unsigned char) (*cp));
When I commented out the tolower function(basically all the lines mentioned
above), ksu started working. I'm assuming this is causing the failure.
Since some of our clients have uppercase hostname, I want ksu to work in
this scenario and I'm kind of stuck at this point. I have been breaking my
head over this from a long time.
I have a few questions:
1. Why are the principals converted into lowercase here? Since, ksu works
if I remove this part of the code, what would be the consequences if I
comment this out.
2. Does ksu work with uppercase hostname?
3. Can a service principal be created with uppercase. I understand that the
realm has to be uppercase but are there any standard rules for service
names as well?
4. If my assumptions mentioned above are wrong, what can I do to make ksu
work with uppercase hostname?
Any suggestions/comments are highly appreciated.
Thanks,
Anubha
I have a kerberos client with hostname in uppercase and the hostname
resolution happens locally (/etc/hosts has uppercase entry for the
hostname).
When I run ksu for root, it fails with an error saying the service
principal is not found in the database. Everything else seems to be working
fine- kinit, kadmin etc, its just that ksu doesn't work.
I have added the host entry in the database with uppercase hostname- host/
CEC.IN....@MYREALM.COM instead of host/cec.in....@MYREALM.COM and
kinit for host/CEC.IN....@MYREALM.COM works fine.
While digging into the issue further, I noticed that, AS_REQ is sent for
host/cec.in....@MYREALM.COM(lower case) instead of host/
CEC.IN....@MYREALM.COM, which causes the failure since the host
principal is added with uppercase in the database and the AS_REQ is sent
for lowercase, which obviously can't be found.
when I looked into the code, I found that the host service principal is
converted into lowercase in the src/lib/krb5/os/sn2princ.c file before
sending AS_REQ.
if (type == KRB5_NT_SRV_HST)
for (cp = remote_host; *cp; cp++)
if (isupper((unsigned char) (*cp)))
*cp = tolower((unsigned char) (*cp));
When I commented out the tolower function(basically all the lines mentioned
above), ksu started working. I'm assuming this is causing the failure.
Since some of our clients have uppercase hostname, I want ksu to work in
this scenario and I'm kind of stuck at this point. I have been breaking my
head over this from a long time.
I have a few questions:
1. Why are the principals converted into lowercase here? Since, ksu works
if I remove this part of the code, what would be the consequences if I
comment this out.
2. Does ksu work with uppercase hostname?
3. Can a service principal be created with uppercase. I understand that the
realm has to be uppercase but are there any standard rules for service
names as well?
4. If my assumptions mentioned above are wrong, what can I do to make ksu
work with uppercase hostname?
Any suggestions/comments are highly appreciated.
Thanks,
Anubha
Greg Hudson
Apr 6, 2012, 10:04:54 AM4/6/12
to Anubha Gupta, kerb...@mit.edu
I've taken krbdev off the cc line, since I'd rather not have the same
conversation on two lists.
On 04/06/2012 08:10 AM, Anubha Gupta wrote:
> 1. Why are the principals converted into lowercase here?
Because hostnames are case-insensitive and principals are
case-sensitive, the krb5 library forces a choice of case when converting
a hostname to a principal.
> Since, ksu works
> if I remove this part of the code, what would be the consequences if I
> comment this out.
krb5_sname_to_principal is used not only for ksu, but also when
determining the principal of a target service (e.g. for ssh).
> 2. Does ksu work with uppercase hostname?
ksu works fine regardless of what case gethostname() returns, but
expects the service principal to contain the lowercase form of the hostname.
> 3. Can a service principal be created with uppercase. I understand that the
> realm has to be uppercase but are there any standard rules for service
> names as well?
There are. RFC 4120 section 6.2.1, which governs the names of service
principals, states that "Where the name of the host is not case
sensitive (for example, with Internet domain names) the name of the host
MUST be lowercase."
conversation on two lists.
On 04/06/2012 08:10 AM, Anubha Gupta wrote:
> 1. Why are the principals converted into lowercase here?
case-sensitive, the krb5 library forces a choice of case when converting
a hostname to a principal.
> Since, ksu works
> if I remove this part of the code, what would be the consequences if I
> comment this out.
determining the principal of a target service (e.g. for ssh).
> 2. Does ksu work with uppercase hostname?
expects the service principal to contain the lowercase form of the hostname.
> 3. Can a service principal be created with uppercase. I understand that the
> realm has to be uppercase but are there any standard rules for service
> names as well?
principals, states that "Where the name of the host is not case
sensitive (for example, with Internet domain names) the name of the host
MUST be lowercase."
0 new messages