case sensitive realms and Windows Active Directory

Paul W. Nelson nelson at
Fri Feb 20 11:33:19 EST 2004

Since there was a discussion about case sensitive user names, I thought I
would post this regarding case sensitive realms.

1) Using MIT 1.3.1 and have a realm "MYREALM.ORG" that is an Active
Directory domain.

2) I don't have "MYREALM.ORG" in my file, and I allow dns

3) I kinit with the realm in lowercase:  nelson at and receive the
error "KDC reply did not match expectations"

The KRB_AS_REP returns the realm in uppercase, and the
krb5_principal_compare(context, as_reply->client, request->client) in
verify_as_reply fails.

The question is whether it would be a security flaw to accept the uppercase
domain returned in KRB_AS_REP?  Aren't the other methods (decrypt_as_reply)
of validating that the KRB_AS_REP hasn't been tampered with adequate?

Paul W. Nelson
Thursby Software Systems, Inc.

More information about the krbdev mailing list