@ character in username

Booker C. Bense bbense at stanford.edu
Tue May 15 13:21:12 EDT 2007

On May 15, 2007, at 7:56 AM, Arati Desai wrote:

> Hi All,
> My user name contains '@' character as I need to host multiple  
> domains on a single box.
> I have created a user's principal as username\@domain@REALM. First
> '@' character is escaped with a '\' while creating principal and
> generating a ticket.
> But I am getting 'Invalid user' error when I try to login with this  
> user while the kerb5 authentication succeeds for normal users. (I  
> am using heimdal at the service's end for authentication, while the  
> KDC is from MIT.)
> Is '@' character supported in user name? If so, is there any  
> special precaution to be taken while using such user names?

In theory, yes it's supported if properly quoted. In practice, it's a
nightmare. My first Kerberos job was making stuff like this work for
Kerberos 4 MIT code at EPRI. We found lots of bugs in the principal
handling code.

Kerberos code has changed a lot since 1993, but I suspect there are  
still bugs lurking in dealing with these kinds of things. If there is  
anything you can do to avoid using these kinds of principals I would  
highly recommend doing so.

_ Booker C. Bense 
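
An added example, not part of the original message and not MIT or Heimdal code: a simplified Python model of the backslash quoting that lets `username\@domain@REALM` parse as one name component plus a realm, and of the reverse step that has to re-quote the `@`. The function names are hypothetical, and the escape set (`\n`, `\t`, `\b`, `\0`, any other escaped character taken literally) is an assumption modelled on krb5_parse_name-style parsers.

```python
# Added example: simplified model of krb5-style principal quoting.
# parse_principal/unparse_principal are hypothetical names, not library APIs.
_ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}
_QUOTED = {v: "\\" + k for k, v in _ESCAPES.items()}


def _tokens(text):
    """Yield (char, was_escaped) pairs, resolving backslash escapes."""
    i = 0
    while i < len(text):
        if text[i] == "\\":
            if i + 1 == len(text):
                raise ValueError("trailing backslash")
            yield _ESCAPES.get(text[i + 1], text[i + 1]), True
            i += 2
        else:
            yield text[i], False
            i += 1


def parse_principal(name):
    """Return (components, realm); realm is None without an unquoted '@'."""
    components, current, in_realm = [], [], False
    for ch, escaped in _tokens(name):
        if not escaped and ch == "@":
            if in_realm:
                raise ValueError("second unquoted '@'")
            components.append("".join(current))
            current, in_realm = [], True
        elif not escaped and ch == "/" and not in_realm:
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
    if in_realm:
        return components, "".join(current)
    components.append("".join(current))
    return components, None


def unparse_principal(components, realm):
    """Rebuild the quoted string form so that it parses back unchanged."""
    def quote(part, specials):
        return "".join(_QUOTED.get(c, "\\" + c if c in specials else c) for c in part)
    name = "/".join(quote(c, "\\/@") for c in components)
    return name if realm is None else name + "@" + quote(realm, "\\@")


# Constructed sample: the principal form described in the question.
SAMPLE = r"username\@domain@REALM"
```

Code that splits the string on `@` without honouring the backslash, or that prints the parsed component back out without re-quoting it, ends up with a different principal than the one that was created.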

