[krbdev.mit.edu #5838] libkrb5 (libads/kerberos.c:ads_kinit_password) fails with 16 bit UTF8 characters in usernames and/or passwords
Dan Searle via RT
rt-comment at krbdev.mit.edu
Wed Nov 7 10:38:25 EST 2007
Hi,

I came across this problem when trying to use the Samba "net" command,
or pam_krb5 to authenticate users against an active directory; they
fail if the username and/or password uses UTF8 characters encoded with
more than one byte, for instance...

If I have a user with username DÅNNY, (the special "Å" character
encodes as two bytes using UTF8), and try the samba "net ads user"
command under Linux, I get the following...

cnv4:/home/dan# net ads user -U DÅNNY
DÅNNY's password:
[2007/11/02 11:30:46, 0] libads/kerberos.c:ads_kinit_password(208)
kerberos_kinit_password DÅNNY at ADTEST.LOCAL failed: Client not found in
Kerberos database
[2007/11/02 11:30:46, 0] utils/net_ads.c:ads_startup(289)
ads_connect: Client not found in Kerberos database

The user DÅNNY does exist on the active directory, and I can get NTLM
authentication to work with these usernames using the ntlm_auth helper
that's part of the winbind suite.

Further to this, if I try to authenticate a user with no special
characters in the username, but with them in its password, I get the
following...

cnv4:/home/dan# net ads user -U o\'gradey
o'gradey's password:
[2007/11/02 11:40:21, 0] libads/kerberos.c:ads_kinit_password(208)
kerberos_kinit_password o'gradey at ADTEST.LOCAL failed:
Preauthentication failed
[2007/11/02 11:40:21, 0] utils/net_ads.c:ads_startup(289)
ads_connect: Preauthentication failed

The password in question here also contains a "Å" character.

Looks like the libkrb5 doesn't support the UTF8 characters that encode
with more than one byte.

Regards, Dan...
--
Dan Searle
Adelix Ltd
dan.searle at adelix.com web: www.adelix.com
tel: 0845 230 9590 / fax: 0845 230 9591 / support: 0845 230 9592
snail: The Old Post Office, Bristol Rd, Hambrook, Bristol BS16 1RY. UK.
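
A diagnostic for the failure mode the report suspects, added here as an example and not part of the original message or of Samba or libkrb5: it lists the bytes one typed credential produces under UTF-8 and ISO-8859-1, in composed (NFC) and decomposed (NFD) form, because a byte-wise principal lookup or key derivation treats each form as a different value. The function names, the choice of encodings and the sample strings are assumptions; the report does not establish which form the client actually sent.

```python
import unicodedata

# Encodings a client or library might apply to the same typed string (assumed set).
ENCODINGS = ("utf-8", "iso-8859-1")
NORMAL_FORMS = ("NFC", "NFD")  # composed vs. decomposed Unicode

def non_ascii_chars(text):
    """(index, char, Unicode name, UTF-8 length) for each non-ASCII character."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"), len(ch.encode("utf-8")))
            for i, ch in enumerate(text) if ord(ch) > 0x7F]

def byte_forms(text):
    """Map 'FORM/encoding' to the hex bytes it yields, or None if unencodable."""
    forms = {}
    for form in NORMAL_FORMS:
        normalized = unicodedata.normalize(form, text)
        for enc in ENCODINGS:
            try:
                forms[f"{form}/{enc}"] = normalized.encode(enc).hex()
            except UnicodeEncodeError:
                forms[f"{form}/{enc}"] = None
    return forms

def distinct_byte_forms(text):
    """Set of different byte strings one visible string can turn into."""
    return {h for h in byte_forms(text).values() if h is not None}

def report(label, text):
    """Human-readable summary for one credential string."""
    lines = [f"{label}: {len(distinct_byte_forms(text))} distinct byte form(s)"]
    for idx, ch, name, n in non_ascii_chars(text):
        lines.append(f"  index {idx}: U+{ord(ch):04X} {name}, {n} bytes in UTF-8")
    for key, hexed in byte_forms(text).items():
        lines.append(f"  {key:<15} {hexed or 'not representable'}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed samples modelled on the report; the real password is not on the page.
    print(report("username", "D\u00c5NNY"))
    print(report("ascii-only username", "o'gradey"))
```

An ASCII-only string yields a single byte form, so a mismatch of this kind can only appear once a non-ASCII character is present in the username or password.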