[
https://issues.apache.org/jira/browse/HADOOP-7988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13194945#comment-13194945
]
Matt Foley commented on HADOOP-7988:
------------------------------------
This is a complex topic. I'll try to summarize what I've found, but I'll also
give the full reference hyperlinks.
The [Kerberos RFC | http://www.ietf.org/rfc/rfc4120.txt ] says this: {quote}
6.2.1. Name of Server Principals
... The first component of the
two- or multi-component name will identify the service, and the
latter components will identify the host. Where the name of the host
is not case sensitive (for example, with Internet domain names) the
name of the host MUST be lowercase.
{quote}
The Oracle Java Docs say this: [Kerberos Requirements |
http://docs.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/KerberosReq.html#realmnamereqs
] {quote}
By convention, all Kerberos realm names are uppercase and all DNS hostname and
domain names are lowercase. On the Windows 2000 platform, domains are also
Kerberos realms; however, the realm name is always the uppercase version of the
domain name.
Hostnames are case insensitive and by convention they are all lowercase. They
must resolve to the same hostname on the client and server by their respective
naming services.
However, in the Kerberos database hostnames are case sensitive. In all
host-based Kerberos service principals in the KDC, hostnames are
case-sensitive. The hostnames used in the Kerberos service principal names must
exactly match the hostnames returned by the naming service. For example, if the
naming service returns a fully qualified lowercased DNS hostname, such as
"raven.sun.com", then the administrator must use the same fully qualified
lowercased DNS hostname when creating host-based principal names in the KDC:
"host/raven.sun.com".
{quote}
Finally, in an older IETF Draft related to [Distributing Kerberos KDC and Realm
Information with DNS |
http://tools.ietf.org/html/draft-ietf-krb-wg-krb-dns-locate-03 ] the following
commentary is provided: {quote}
DNS vs. Kerberos - Case Sensitivity of Realm Names
In Kerberos, realm names are case sensitive. While it is strongly
encouraged that all realm names be all upper case this recommendation
has not been adopted by all sites. Some sites use all lower case
names and other use mixed case. DNS on the other hand is case insen-
sitive for queries but is case preserving for responses to TXT
queries. Since "MYREALM", "myrealm", and "MyRealm" are all different
it is necessary that only one of the possible combinations of upper
and lower case characters be used. This restriction may be lifted in
the future as the DNS naming scheme is expanded to support non-ASCII
names.
{quote}
These are the only authoritative references I could find. However, there is a
considerable body of archived email list correspondence that strongly implies
the Java Kerberos packages work best if host names are forced to lower case in
the Kerberos principle names.
The key issue seems to be the statement in the second reference, {{"The
hostnames used in the Kerberos service principal names must exactly match the
hostnames returned by the naming service,"}} plus the observation in the third
reference, {{ "it is necessary that only one of the possible combinations of
upper and lower case characters be used [the same way in Kerberos and DNS]." }}
So, if DNS servers and Kerberos servers disagree on hostname case usage and/or
sensitivity, authentication won't work. For example, see this detailed
complaint from 2010, [mixed case hostname issue
|http://old.nabble.com/mixed-case-hostname-issue-td28097602.html], where the
response from a Kerberos contributor was simply {{"Hostnames are always case
folded (to lower case) in principal names."}}
There are also threads that imply the Java Kerberos packages may have or had
bugs around this issue that are resolved by forcing hostnames to lower case.
For example, see
http://www.nexentastor.org/projects/site/wiki/CIFS : {quote}
There is a known bug in the kerberos package which breaks ticketing in Nexenta
if your domain name (in the case of active directory users) is mixed case or
all upper case. Because kerberos requires all lower case this causes ticket
errors that can be hard to trace down.
{quote}
and http://linux-nfs.org/pipermail/nfsv4/2005-July/002278.html : {quote}
Browsing the code showed that handling keytab file has been done in
different ways in Server and Client. While the server code mandates
hostnames/principals to be of lowercase, client code doesn't impose any
restriction...
The current theory on the client was that we would use any usable
key we found to do the mount. It can be argued that with
authenticated delegation callback, the client becomes a server
and therefore the server principal name restriction should apply.
If everyone agrees with that, I will make the changes to restrict
the principal name to be used on the client.
{quote}
To find other references, search the Web for "kerberos mixed case" and
"kerberos requires lowercase".
It seems to me that given the above, it makes sense that both HBase and Hadoop
would choose to fold hostnames to lower case, in the Kerberos principals only.
> Upper case in hostname part of the principals doesn't work with kerberos.
> -------------------------------------------------------------------------
>
> Key: HADOOP-7988
> URL: https://issues.apache.org/jira/browse/HADOOP-7988
> Project: Hadoop Common
> Issue Type: Bug
> Affects Versions: 0.24.0, 0.23.1, 1.0.0
> Reporter: Jitendra Nath Pandey
> Assignee: Jitendra Nath Pandey
> Attachments: HADOOP-7988.branch-1.patch
>
>
> Kerberos doesn't like upper case in the hostname part of the principals.
> This issue has been seen in 23 as well as 1.0.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
