[31635] in Kerberos


Re: Capitalization question

daemon@ATHENA.MIT.EDU (Ken Raeburn)
Thu Oct 29 19:34:59 2009

From: Ken Raeburn <raeburn@mit.edu>
To: <Kanevsky_Arkady@emc.com>
In-Reply-To: <B49F8C859EF1D9428D1AEE1A5C20E6320136069F@CORPUSMX90B.corp.emc.com>
Message-Id: <1EC828A3-2BE1-4DEC-8B3B-0882F3D13322@mit.edu>
Mime-Version: 1.0 (Apple Message framework v936)
Date: Thu, 29 Oct 2009 19:34:28 -0400
Cc: kaneva@emc.com, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Oct 29, 2009, at 18:35, <Kanevsky_Arkady@emc.com> wrote:
> Can I use capitalization in names used in a Kerberos domain?
> I am bumping into an issue when capital letters are used in domain  
> but not in the hostname only.
> Details below.
> Needless to say all sorts of other authentication also fails.

The DNS is case-insensitive for comparing names (though sometimes  
case-preserving for returning data).  But Kerberos needs to have a  
canonical way of constructing host-based principal names from host  
names, and it is specified that the lower-case form of the host name  
is used.  So, you can create the principals, but unless you make a  
bunch of code changes -- and force anyone else who wants to  
authenticate to your hosts to do so too -- they're not likely to get  
used.

(Some of the alias handling in 1.7 might make it easier to implement,  
but I still wouldn't recommend it.)

> [root@nf-ArkTEST-sto ~]# kinit -k /etc/krb5.keytab
> kinit(v5): Client not found in Kerberos database while getting  
> initial credentials

That's a different problem.  "-k" specifies that a keytab is to be  
used instead of asking for a password.  It doesn't take a parameter;  
you use "-t type:keytabname" if you need to specify a keytab (e.g.,  
"-t FILE:/etc/krb5.keytab").  So "/etc/krb5.keytab" is taken as the  
client principal name, and that almost certainly isn't in your  
database....

Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
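
A check for the situation discussed in the message above, added here as an example and not part of the original post or of MIT Kerberos: it scans `klist -k` style output for host-based principals whose host component is not in the lower-case form. The sample listing, the example.com domain, the EXAMPLE.COM realm and the "second component contains a dot" heuristic are assumptions.

```python
"""Flag keytab principals whose host component is not lower-case."""

# Constructed sample in the layout printed by `klist -k`; the example.com
# domain and EXAMPLE.COM realm are placeholders, not values from the post.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/nf-arktest-sto.example.com@EXAMPLE.COM
   3 host/nf-ArkTEST-sto.Example.COM@EXAMPLE.COM
   2 nfs/NF-ARKTEST-STO.example.com@EXAMPLE.COM
   5 backup-admin@EXAMPLE.COM
"""


def parse_klist(text):
    """Yield (kvno, principal) for each entry line of `klist -k` output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].isdigit():
            yield int(fields[0]), fields[1]


def canonical_host_principal(principal):
    """Lower-case the host part of service/host@REALM.

    Returns None for principals that do not look host-based. Assumption:
    "host-based" means two components with a dot in the second one.
    The service name and the realm are left untouched.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep:  # no realm given
        name, realm = principal, ""
    parts = name.split("/")
    if len(parts) != 2 or "." not in parts[1]:
        return None
    canonical = parts[0] + "/" + parts[1].lower()
    return canonical + "@" + realm if sep else canonical


def audit(text):
    """Return (kvno, found, expected) for entries with a mixed-case host part."""
    findings = []
    for kvno, principal in parse_klist(text):
        expected = canonical_host_principal(principal)
        if expected is not None and expected != principal:
            findings.append((kvno, principal, expected))
    return findings


if __name__ == "__main__":
    for kvno, found, expected in audit(SAMPLE_KLIST):
        print(f"kvno {kvno}: {found} -> expected {expected}")
```
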
