#6239 Principal canonicalization does not work with arbitrarily-cased realm component
Closed: Invalid. Opened 7 years ago by mbabinsk.

When requesting a TGT with the canonicalization flag set, the realm component of the principal is not converted to uppercase, leading to the following error observed on the console:

[root@master ~]# KRB5_TRACE=/dev/stderr kinit -C talias@ipa.test
[80650] 1471852872.307764: Getting initial credentials for talias@ipa.test
[80650] 1471852872.310180: Sending request (228 bytes) to ipa.test
[80650] 1471852872.311370: Resolving hostname master.ipa.test.
[80650] 1471852872.317520: Sending initial UDP request to dgram 2620:52:0:224e:21a:4aff:fe23:13a6:88
[80650] 1471852872.319931: Received answer (262 bytes) from dgram 2620:52:0:224e:21a:4aff:fe23:13a6:88
[80650] 1471852872.320243: Response was from master KDC
[80650] 1471852872.320270: Received error from KDC: -1765328324/Generic error (see e-text)
kinit: Generic error (see e-text) while getting initial credentials

The KDC log contains an attempt to use the supplied realm name instead of the canonical uppercase form during AS_REQ processing, which obviously fails:

Aug 22 09:59:41 master.ipa.test krb5kdc[41525](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 2620:52:0:224e:21a:4aff:fe23:13a6: GET_LOCAL_TGT: talias@ipa.test for krbtgt/ipa.test@ipa.test, No such entry in the database
Aug 22 10:00:02 master.ipa.test krb5kdc[41528](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 2620:52:0:224e:21a:4aff:fe23:13a6: GET_LOCAL_TGT: talias@ipa.test for krbtgt/ipa.test@ipa.test, No such entry in the database
Aug 22 10:00:06 master.ipa.test krb5kdc[41525](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 2620:52:0:224e:21a:4aff:fe23:13a6: GET_LOCAL_TGT: talias@ipa.test for krbtgt/ipa.test@ipa.test, No such entry in the database
Aug 22 10:01:12 master.ipa.test krb5kdc[41528](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 2620:52:0:224e:21a:4aff:fe23:13a6: GET_LOCAL_TGT: talias@ipa.test for krbtgt/ipa.test@ipa.test, No such entry in the database
Aug 22 10:05:20 master.ipa.test

Steps to reproduce:

1.) create a user with an alias

2.) kinit with user's canonical principal and change password when prompted

3.) run 'kinit -C' using the alias and either a lowercased or a randomly-cased realm name

Expected result:

A password prompt is shown and, upon entering the correct password, the user gets a TGT containing his canonical principal name

Actual result:

The following error is displayed:

kinit: Generic error (see e-text) while getting initial credentials

Realm is not subject to canonicalization in MIT Kerberos, so this is expected.

Closed as invalid as per simo's comment above. Realm name is always case sensitive.
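A small log-triage helper, added here as an example and not code from FreeIPA or MIT Kerberos: it parses the krb5kdc GET_LOCAL_TGT failures quoted above and distinguishes the realm-case mismatch behind this ticket from a request for a realm the KDC genuinely does not serve. The sample log is constructed from the ticket's line format; the second and third lines are assumed.

```python
"""Triage krb5kdc AS_REQ failures: GET_LOCAL_TGT looks up krbtgt/R@R for the realm R
the client supplied, and realm names are compared case-sensitively (kinit -C folds
the principal name, never the realm). Added example, not FreeIPA/MIT krb5 code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: line 1 is the failure from the ticket, line 2 an assumed successful
# ISSUE line in the same format, line 3 an assumed request for a realm this KDC lacks.
SAMPLE_KDC_LOG = """\
Aug 22 09:59:41 master.ipa.test krb5kdc[41525](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 2620:52:0:224e:21a:4aff:fe23:13a6: GET_LOCAL_TGT: talias@ipa.test for krbtgt/ipa.test@ipa.test, No such entry in the database
Aug 22 10:00:02 master.ipa.test krb5kdc[41528](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 2620:52:0:224e:21a:4aff:fe23:13a6: ISSUE: authtime 1471852802, etypes {rep=18 tkt=18 ses=18}, talias@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST
Aug 22 10:05:20 master.ipa.test krb5kdc[41525](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 2620:52:0:224e:21a:4aff:fe23:13a6: GET_LOCAL_TGT: bob@OTHER.EXAMPLE for krbtgt/OTHER.EXAMPLE@OTHER.EXAMPLE, No such entry in the database
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ krb5kdc\[\d+\]\(info\): AS_REQ .*?: "
    r"GET_LOCAL_TGT: (?P<client>\S+) for (?P<server>[^,]+), No such entry in the database$"
)


def split_realm(principal: str) -> Tuple[str, str]:
    """Split 'name@REALM' at the last unescaped '@' (krb5 quoting: '\\@' is literal)."""
    i = principal.rfind("@")
    while i >= 0:
        backslashes = len(principal[:i]) - len(principal[:i].rstrip("\\"))
        if backslashes % 2 == 0:  # an odd run of backslashes escapes the '@'
            return principal[:i], principal[i + 1:]
        i = principal.rfind("@", 0, i)
    return principal, ""


@dataclass
class Finding:
    timestamp: str
    client: str
    requested_realm: str
    verdict: str


def classify(line: str, local_realm: str) -> Optional[Finding]:
    """Return a Finding for a GET_LOCAL_TGT failure line, None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    _, realm = split_realm(m.group("server"))  # realm R of the krbtgt/R@R lookup
    if realm == local_realm:
        verdict = "local TGT principal missing from the KDC database"
    elif realm.upper() == local_realm.upper():
        verdict = "realm case mismatch: realm is case sensitive and is not canonicalized"
    else:
        verdict = "request for a realm this KDC does not serve"
    return Finding(m.group("ts"), m.group("client"), realm, verdict)


def triage(log: str, local_realm: str) -> List[Finding]:
    """Run classify() over every line of a krb5kdc log and keep the findings."""
    return [f for f in (classify(ln, local_realm) for ln in log.splitlines()) if f]
```

Run it as `triage(SAMPLE_KDC_LOG, "IPA.TEST")` to see the ticket's failure flagged as a case mismatch while the successful ISSUE line produces no finding.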

Metadata Update from @mbabinsk (7 years ago):
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.4.2
