[ https://issues.apache.org/jira/browse/HADOOP-7988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13194945#comment-13194945 ]
Matt Foley commented on HADOOP-7988: ------------------------------------ This is a complex topic. I'll try to summarize what I've found, but I'll also give the full reference hyperlinks. The [Kerberos RFC | http://www.ietf.org/rfc/rfc4120.txt ] says this: {quote} 6.2.1. Name of Server Principals ... The first component of the two- or multi-component name will identify the service, and the latter components will identify the host. Where the name of the host is not case sensitive (for example, with Internet domain names) the name of the host MUST be lowercase. {quote} The Oracle Java Docs say this: [Kerberos Requirements | http://docs.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/KerberosReq.html#realmnamereqs ] {quote} By convention, all Kerberos realm names are uppercase and all DNS hostname and domain names are lowercase. On the Windows 2000 platform, domains are also Kerberos realms; however, the realm name is always the uppercase version of the domain name. Hostnames are case insensitive and by convention they are all lowercase. They must resolve to the same hostname on the client and server by their respective naming services. However, in the Kerberos database hostnames are case sensitive. In all host-based Kerberos service principals in the KDC, hostnames are case-sensitive. The hostnames used in the Kerberos service principal names must exactly match the hostnames returned by the naming service. For example, if the naming service returns a fully qualified lowercased DNS hostname, such as "raven.sun.com", then the administrator must use the same fully qualified lowercased DNS hostname when creating host-based principal names in the KDC: "host/raven.sun.com". {quote} Finally, in an older IETF Draft related to [Distributing Kerberos KDC and Realm Information with DNS | http://tools.ietf.org/html/draft-ietf-krb-wg-krb-dns-locate-03 ] the following commentary is provided: {quote} DNS vs. Kerberos - Case Sensitivity of Realm Names In Kerberos, realm names are case sensitive. While it is strongly encouraged that all realm names be all upper case this recommendation has not been adopted by all sites. Some sites use all lower case names and other use mixed case. DNS on the other hand is case insen- sitive for queries but is case preserving for responses to TXT queries. Since "MYREALM", "myrealm", and "MyRealm" are all different it is necessary that only one of the possible combinations of upper and lower case characters be used. This restriction may be lifted in the future as the DNS naming scheme is expanded to support non-ASCII names. {quote} These are the only authoritative references I could find. However, there is a considerable body of archived email list correspondence that strongly implies the Java Kerberos packages work best if host names are forced to lower case in the Kerberos principle names. The key issue seems to be the statement in the second reference, {{"The hostnames used in the Kerberos service principal names must exactly match the hostnames returned by the naming service,"}} plus the observation in the third reference, {{ "it is necessary that only one of the possible combinations of upper and lower case characters be used [the same way in Kerberos and DNS]." }} So, if DNS servers and Kerberos servers disagree on hostname case usage and/or sensitivity, authentication won't work. For example, see this detailed complaint from 2010, [mixed case hostname issue |http://old.nabble.com/mixed-case-hostname-issue-td28097602.html], where the response from a Kerberos contributor was simply {{"Hostnames are always case folded (to lower case) in principal names."}} There are also threads that imply the Java Kerberos packages may have or had bugs around this issue that are resolved by forcing hostnames to lower case. For example, see http://www.nexentastor.org/projects/site/wiki/CIFS : {quote} There is a known bug in the kerberos package which breaks ticketing in Nexenta if your domain name (in the case of active directory users) is mixed case or all upper case. Because kerberos requires all lower case this causes ticket errors that can be hard to trace down. {quote} and http://linux-nfs.org/pipermail/nfsv4/2005-July/002278.html : {quote} Browsing the code showed that handling keytab file has been done in different ways in Server and Client. While the server code mandates hostnames/principals to be of lowercase, client code doesn't impose any restriction... The current theory on the client was that we would use any usable key we found to do the mount. It can be argued that with authenticated delegation callback, the client becomes a server and therefore the server principal name restriction should apply. If everyone agrees with that, I will make the changes to restrict the principal name to be used on the client. {quote} To find other references, search the Web for "kerberos mixed case" and "kerberos requires lowercase". It seems to me that given the above, it makes sense that both HBase and Hadoop would choose to fold hostnames to lower case, in the Kerberos principals only. > Upper case in hostname part of the principals doesn't work with kerberos. > ------------------------------------------------------------------------- > > Key: HADOOP-7988 > URL: https://issues.apache.org/jira/browse/HADOOP-7988 > Project: Hadoop Common > Issue Type: Bug > Affects Versions: 0.24.0, 0.23.1, 1.0.0 > Reporter: Jitendra Nath Pandey > Assignee: Jitendra Nath Pandey > Attachments: HADOOP-7988.branch-1.patch > > > Kerberos doesn't like upper case in the hostname part of the principals. > This issue has been seen in 23 as well as 1.0. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira