Hi All,

I have a Kerberos client with its hostname in uppercase, and the hostname resolution happens locally (/etc/hosts has an uppercase entry for the hostname). When I run ksu for root, it fails with an error saying the service principal is not found in the database. Everything else seems to be working fine (kinit, kadmin, etc.); it's just that ksu doesn't work.

I have added the host entry in the database with the uppercase hostname, host/ [email protected] instead of host/[email protected], and kinit for host/[email protected] works fine. While digging into the issue further, I noticed that the AS_REQ is sent for host/[email protected] (lowercase) instead of host/ [email protected], which causes the failure, since the host principal is added with uppercase in the database and the AS_REQ is sent for lowercase, which obviously can't be found.

When I looked into the code, I found that the host service principal is converted into lowercase in the src/lib/krb5/os/sn2princ.c file before sending the AS_REQ:

    if (type == KRB5_NT_SRV_HST)
        for (cp = remote_host; *cp; cp++)
            if (isupper((unsigned char) (*cp)))
                *cp = tolower((unsigned char) (*cp));

When I commented out the tolower function (basically all the lines mentioned above), ksu started working. I'm assuming this is causing the failure. Since some of our clients have uppercase hostnames, I want ksu to work in this scenario, and I'm kind of stuck at this point. I have been breaking my head over this for a long time.

I have a few questions:

1. Why are the principals converted into lowercase here? Since ksu works if I remove this part of the code, what would be the consequences if I comment this out?
2. Does ksu work with an uppercase hostname?
3. Can a service principal be created with uppercase? I understand that the realm has to be uppercase, but are there any standard rules for service names as well?
4. If my assumptions mentioned above are wrong, what can I do to make ksu work with an uppercase hostname?

Any suggestions/comments are highly appreciated.

Thanks,
Anubha

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
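
The mismatch described in the message above, as an added example that is not part of the original post and is not MIT krb5 code: a host-based name is folded to lowercase before the request is built, and a case-sensitive database lookup then misses an entry stored in uppercase. The function names, the enum, and the CLIENT01.EXAMPLE.COM host and realm are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for this example only; not the MIT krb5 API. */
enum name_type { NT_UNKNOWN, NT_SRV_HST };

/* Build "service/host@REALM" into out. For host-based service names the
 * host part is folded to lowercase, mirroring the loop quoted in the post.
 * Returns 0 on success, -1 if a buffer is too small. */
int build_principal(const char *service, const char *host, const char *realm,
                    enum name_type type, char *out, size_t outlen)
{
    char h[256];
    size_t i, n = strlen(host);

    if (n >= sizeof(h))
        return -1;
    for (i = 0; i <= n; i++) {          /* <= n also copies the NUL */
        unsigned char c = (unsigned char)host[i];
        h[i] = (type == NT_SRV_HST && isupper(c)) ? (char)tolower(c) : (char)c;
    }
    int w = snprintf(out, outlen, "%s/%s@%s", service, h, realm);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

/* Principal names are compared byte for byte, so case matters. */
int db_has(const char *const *db, size_t n, const char *princ)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(db[i], princ) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample data: hostname and realm are placeholders. */
    const char *db[] = { "host/CLIENT01.EXAMPLE.COM@EXAMPLE.COM" };
    char req[512];

    if (build_principal("host", "CLIENT01.EXAMPLE.COM", "EXAMPLE.COM",
                        NT_SRV_HST, req, sizeof(req)) != 0)
        return 1;
    printf("%s -> %s\n", req, db_has(db, 1, req) ? "found" : "not found");
    return 0;
}
```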
