case sensitive realms and Windows Active Directory
Paul W. Nelson
nelson at thursby.com
Fri Feb 20 11:33:19 EST 2004
Since there was a discussion about case sensitive user names, I thought I
would post this regarding case sensitive realms.
1) I am using MIT 1.3.1 and have a realm "MYREALM.ORG" that is an Active
Directory domain.
2) I don't have "MYREALM.ORG" in my edu.mit.Kerberos file, and I allow DNS
fallback.
3) I kinit with the realm in lowercase: nelson at myrealm.org and receive the
error "KDC reply did not match expectations"
The KRB_AS_REP returns the realm in uppercase, and the
krb5_principal_compare(context, as_reply->client, request->client) in
verify_as_reply fails.
The question is whether it would be a security flaw to accept the uppercase
domain returned in KRB_AS_REP? Aren't the other methods (decrypt_as_reply)
of validating that the KRB_AS_REP hasn't been tampered with adequate?
--
Paul W. Nelson
Thursby Software Systems, Inc.
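The failing check described above, as an added example that is not part of the original post and not MIT krb5 code: a small model of the client-side principal comparison that verify_as_reply performs on the AS-REP, with an assumed switch that folds only the realm's case. The Principal type, parse_principal, the realm_case_insensitive flag and the sample names are constructed here for illustration.

```python
"""Added example (not from the krbdev post or MIT krb5): models the
client-side cname/crealm comparison that fails in the case described.
The Principal type, the parsing helper and the realm_case_insensitive
option are assumptions made for this illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    realm: str
    components: tuple  # name components, e.g. ("nelson",) or ("host", "fqdn")


def parse_principal(text):
    """Split 'name[/instance]@REALM' into a Principal.
    Backslash-escaped separators are not handled in this toy parser."""
    name, _, realm = text.rpartition("@")
    return Principal(realm=realm, components=tuple(name.split("/")))


def principal_compare(a, b, realm_case_insensitive=False):
    """Mirror of the strict krb5_principal_compare behaviour: every name
    component and the realm must match byte for byte. With the assumed
    realm_case_insensitive=True the realm alone is upper-cased on both
    sides before comparison; name components are still compared exactly."""
    if a.components != b.components:
        return False
    if realm_case_insensitive:
        return a.realm.upper() == b.realm.upper()
    return a.realm == b.realm


def verify_as_reply_client(request_client, reply_client,
                           realm_case_insensitive=False):
    """The client-principal portion of an AS-REP check. Raises ValueError
    with the MIT error text the post quotes when the reply's client
    principal does not match the one that was requested."""
    if not principal_compare(request_client, reply_client,
                             realm_case_insensitive):
        raise ValueError("KDC reply did not match expectations")
    return True


def reported_case():
    """Constructed reproduction of the post's scenario: kinit asked for a
    lower-case realm, the AD KDC answered with the realm in upper case.
    Returns (strict_result, relaxed_result)."""
    requested = parse_principal("nelson@myrealm.org")
    returned = parse_principal("nelson@MYREALM.ORG")
    strict = principal_compare(requested, returned)
    relaxed = principal_compare(requested, returned,
                                realm_case_insensitive=True)
    return strict, relaxed


def relaxed_still_rejects():
    """Shows the scope of the relaxation: folding realm case does not make
    a different name component, or a different realm, compare equal."""
    requested = parse_principal("nelson@MYREALM.ORG")
    other_name = parse_principal("Nelson@MYREALM.ORG")
    other_realm = parse_principal("nelson@OTHERREALM.ORG")
    return (principal_compare(requested, other_name, True),
            principal_compare(requested, other_realm, True))


if __name__ == "__main__":
    print("strict, relaxed:", reported_case())          # (False, True)
    print("relaxed rejects:", relaxed_still_rejects())  # (False, False)
```

The point the model makes concrete is that the failure is purely in the realm-case comparison: the name component "nelson" matches, and a realm-only case fold is enough to let this reply through while still rejecting a changed name or a different realm.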