When requesting a TGT with the canonicalization flag set, the realm component of the principal is not converted to uppercase, leading to the following error observed on the console:
[root@master ~]# KRB5_TRACE=/dev/stderr kinit -C talias@ipa.test
[80650] 1471852872.307764: Getting initial credentials for talias@ipa.test
[80650] 1471852872.310180: Sending request (228 bytes) to ipa.test
[80650] 1471852872.311370: Resolving hostname master.ipa.test.
[80650] 1471852872.317520: Sending initial UDP request to dgram 2620:52:0:224e:21a:4aff:fe23:13a6:88
[80650] 1471852872.319931: Received answer (262 bytes) from dgram 2620:52:0:224e:21a:4aff:fe23:13a6:88
[80650] 1471852872.320243: Response was from master KDC
[80650] 1471852872.320270: Received error from KDC: -1765328324/Generic error (see e-text)
kinit: Generic error (see e-text) while getting initial credentials
The KDC log contains an attempt to use the supplied realm name instead of the canonical uppercase form during AS_REQ processing, which obviously fails:
Aug 22 09:59:41 master.ipa.test krb5kdc[41525](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 2620:52:0:224e:21a:4aff:fe23:13a6: GET_LOCAL_TGT: talias@ipa.test for krbtgt/ipa.test@ipa.test, No such entry in the database
Aug 22 10:00:02 master.ipa.test krb5kdc[41528](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 2620:52:0:224e:21a:4aff:fe23:13a6: GET_LOCAL_TGT: talias@ipa.test for krbtgt/ipa.test@ipa.test, No such entry in the database
Aug 22 10:00:06 master.ipa.test krb5kdc[41525](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 2620:52:0:224e:21a:4aff:fe23:13a6: GET_LOCAL_TGT: talias@ipa.test for krbtgt/ipa.test@ipa.test, No such entry in the database
Aug 22 10:01:12 master.ipa.test krb5kdc[41528](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 2620:52:0:224e:21a:4aff:fe23:13a6: GET_LOCAL_TGT: talias@ipa.test for krbtgt/ipa.test@ipa.test, No such entry in the database
Aug 22 10:05:20 master.ipa.test
Steps to reproduce:
1.) create a user with an alias
2.) kinit with user's canonical principal and change password when prompted
3.) run 'kinit -C' using the alias and either lowercased or randomly-cased realm name
Expected result:
A password prompt is shown and upon entering a correct password the user gets a TGT containing his canonical principal name.
Actual result:
The following error is displayed:
kinit: Generic error (see e-text) while getting initial credentials
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1184628 (Red Hat Enterprise Linux 7)
Realm is not subject to canonicalization in MIT Kerberos, so this is expected.
Closed as invalid as per simo's comment above. Realm name is always case sensitive.
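Since the KDC will not fix the realm's case for you (as the closing comment says, only the name component is canonicalized by `kinit -C`), the practical check belongs on the client. The following is an added example, not FreeIPA or MIT Kerberos code, of a small wrapper that rewrites a user-typed realm to its configured case before invoking `kinit -C`, so the request reaches the KDC as `talias@IPA.TEST` rather than `talias@ipa.test` as in the reproduction steps above. The set of known realms and the `\@` escape handling are assumptions of the example (a real wrapper would read the realms from `/etc/krb5.conf`); the name component is deliberately left untouched so that alias-to-canonical mapping still happens on the KDC side.

```python
"""Fix the realm case of a user-supplied principal before running kinit -C.

Added example, not FreeIPA or MIT Kerberos code. MIT Kerberos treats realm
names as case-sensitive, and the -C flag only canonicalizes the name
component (alias -> canonical principal), never the realm. Doing the realm
fix-up client-side avoids the KDC looking up krbtgt/ipa.test@ipa.test.

Assumptions: the caller supplies the site's realm names (e.g. read from
/etc/krb5.conf [realms]); they are matched case-insensitively.
"""
import subprocess
import sys
from typing import Iterable, List, Optional, Tuple


def split_principal(principal: str) -> Tuple[str, Optional[str]]:
    """Split 'name@REALM' at the last unescaped '@'.

    MIT Kerberos allows a backslash-escaped '\\@' inside the name component,
    so a plain rsplit('@') would cut 'ad\\@user@IPA.TEST' in the wrong place.
    Returns (name, None) when no realm is present.
    """
    cut = None
    i = 0
    while i < len(principal):
        ch = principal[i]
        if ch == "\\":
            i += 2  # skip the escaped character entirely
            continue
        if ch == "@":
            cut = i
        i += 1
    if cut is None:
        return principal, None
    return principal[:cut], principal[cut + 1:]


def fix_realm_case(principal: str, known_realms: Iterable[str]) -> str:
    """Return the principal with its realm rewritten to the configured case.

    Only the realm is rewritten; the name component is left as typed because
    the KDC canonicalizes it (alias -> canonical) when -C is used. A realm
    that matches none of the known realms is returned unchanged rather than
    guessed at, since an upper-cased wrong realm fails just the same.
    """
    name, realm = split_principal(principal)
    if realm is None:
        return principal
    for known in known_realms:
        if realm.casefold() == known.casefold():
            return f"{name}@{known}"
    return principal


def build_kinit_argv(principal: str, known_realms: Iterable[str],
                     kinit: str = "kinit") -> List[str]:
    """Build the argv for `kinit -C <principal>` with the realm case fixed."""
    return [kinit, "-C", fix_realm_case(principal, known_realms)]


if __name__ == "__main__":
    # Hypothetical site realm; a real wrapper would read it from krb5.conf.
    realms = ["IPA.TEST"]
    argv = build_kinit_argv(sys.argv[1] if len(sys.argv) > 1 else "talias@ipa.test", realms)
    print("running:", " ".join(argv))
    sys.exit(subprocess.call(argv))
```

Run as `python3 kinit_wrap.py talias@ipa.test`; the wrapper hands `talias@IPA.TEST` to `kinit -C`, and the resulting TGT still carries the canonical principal for the alias because name canonicalization is left to the KDC.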
Metadata Update from @mbabinsk:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.4.2