ksu fails with uppercase hostname

Anubha Gupta anuafs84 at gmail.com
Fri Apr 6 08:10:37 EDT 2012 

Hi All,

I have a kerberos client with hostname in uppercase and the hostname
resolution happens locally (/etc/hosts has uppercase entry for the
hostname).
When I run ksu for root, it fails with an error saying the service
principal is not found in the database. Everything else seems to be working
fine- kinit, kadmin etc, its just that ksu doesn't work.

I have added the host entry in the database with uppercase hostname-  host/
CEC.IN.IBM.COM at MYREALM.COM instead of host/cec.in.ibm.com at MYREALM.COM and
kinit for host/CEC.IN.IBM.COM at MYREALM.COM works fine.

While digging into the issue further, I noticed that, AS_REQ is sent for
host/cec.in.ibm.com at MYREALM.COM(lower case) instead of host/
CEC.IN.IBM.COM at MYREALM.COM, which causes the failure since the host
principal is added with uppercase in the database and the AS_REQ is sent
for lowercase, which obviously can't be found.

when I looked into the code, I found that the host service principal is
converted into lowercase in the src/lib/krb5/os/sn2princ.c file before
sending AS_REQ.

 if (type == KRB5_NT_SRV_HST)
            for (cp = remote_host; *cp; cp++)
                if (isupper((unsigned char) (*cp)))
                    *cp = tolower((unsigned char) (*cp));

When I commented out the tolower function(basically all the lines mentioned
above), ksu started working. I'm assuming this is causing the failure.
Since some of our clients have uppercase hostname, I want ksu to work in
this scenario and I'm kind of stuck at this point. I have been breaking my
head over this from a long time.

I have a few questions:

1. Why are the principals converted into lowercase here? Since, ksu works
if I remove this part of the code, what would be the consequences if I
comment this out.
2. Does ksu work with uppercase hostname?
3. Can a service principal be created with uppercase. I understand that the
realm has to be uppercase but are there any standard rules for service
names as well?
4. If my assumptions mentioned above are wrong, what can I do to make ksu
work with uppercase hostname?

Any suggestions/comments are highly appreciated.

Thanks,
Anubha

More information about the Kerberos mailing list