Case sensitivity in Kerberos principal names.

Ian Schorr ian.schorr at gmail.com
Thu Aug 16 21:58:21 GMT 2007


Hi list,

Just responding to a very old thread (from last year!) but I wanted to get a
reply on the record for posterity...  If I recently ran into this old
thread, others probably will as well!

This was an interoperability discussion about case sensitivity and format of
principal names with EMC Celerra.  Just wanted to mention that we (Celerra
folks) did agree with Andrew - it was much simpler to change our format, and
starting with Celerra code releases 5.4.26 and 5.5.24, we began using the
preferred "lower@UPPER" format that Chris mentioned.

...For anyone that may have been interested =)

-Ian Schorr

> > Here's an interesting buglet I ran into recently...
> >
> > (Andrew Bartlett, it's been suggested that I solicit your opinion here...)
> >
> > I've got a commercial NAS device, acting as a CIFS server.  It's a member
> > of an AD domain that only accepts Kerberos Auth.  Windows clients are able
> > to authenticate and gain access to the CIFS shares without problems.
> >
> > Other clients--MacOS's SMB file system, the Linux CIFS VFS, and smbclient--
> > all fail with an error along the lines of:
> >
> >    spnego_gen_negTokenTarg failed: KDC reply did not match expectations
> >
> > The problem seems to be the case of the principal.  The Celerra goes
> > against the grain by sending principal names in the form NAME@realm (that
> > is, UPPER@lower).  The Windows KDC will "canonicalize" the name, changing it
> > to name@REALM (that is, lower@UPPER).
>
> A well known behaviour.
>
> > As described above, the Windows clients appear not to care about the case
> > of the fields of the principal, but the MacOS and Linux clients do.
>
> Yep.  It isn't perhaps the best idea (there are some vague security
> reasons not to), but it does make things work a lot more often.
>
> > I have highly-respected contacts within the company that makes the NAS
> > device.  They assure me that the problem is that the clients are being
> > too picky, and that case should not matter.  I am also fairly certain,
> > however, that this authentication would work if the CIFS server were
> > providing its principal name in the preferred lower@UPPER format (so
> > that it would be the same as the format the Windows KDC returns).
>
> Yes, the client is being picky, but the server is being painful.
>
> > I'm looking for comments regarding this.  I'd like to know, in particular,
> > whether or not folks think changes need to be made in the above-mentioned
> > clients.
>
> In Samba4, I don't rely on the principal name from the negtokeninit.
> This better matches Windows behaviour.  However, I still supply the
> principal name, because I think that a product in the marketplace should
> not make itself any less compatible than possible.
>
> I'll assert that it would be far, far easier for one commercial NAS
> device to check AD for the correct case than for all the Linux and Apple
> MAC clients in the world to change behaviour.
>
> Andrew Bartlett
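The mismatch the quoted thread describes, as an added illustration (not Samba, Celerra or any KDC's code): the hostname and realm below are constructed, the server advertises the UPPER@lower form, the KDC replies with the canonical lower@UPPER form, and a strict client comparison fails until the server emits the canonical form itself.

```python
# Added illustration of the Kerberos principal-name case mismatch from the thread.
# Not Samba, Celerra or KDC code; host and realm names are constructed examples.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    components: tuple  # e.g. ("cifs", "nas01.corp.example.com")
    realm: str


def parse_principal(text: str) -> Principal:
    """Split 'comp1/comp2@REALM' into components and realm (no escaping handled)."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a principal name: {text!r}")
    return Principal(tuple(name.split("/")), realm)


def canonical_form(text: str) -> str:
    """Emit the preferred lower@UPPER form: service/host components in lower
    case, realm in upper case, which is what the Windows KDC returns."""
    p = parse_principal(text)
    return "/".join(c.lower() for c in p.components) + "@" + p.realm.upper()


def strict_client_check(requested: str, kdc_reply: str) -> bool:
    """Model of the picky client (MacOS, Linux CIFS VFS, smbclient): the sname in
    the KDC reply must equal the requested principal exactly, otherwise
    'KDC reply did not match expectations'."""
    return parse_principal(requested) == parse_principal(kdc_reply)


def lenient_client_check(requested: str, kdc_reply: str) -> bool:
    """Model of the Windows client: compare after canonicalizing both names."""
    return canonical_form(requested) == canonical_form(kdc_reply)


# Constructed values: what the NAS advertised in negTokenInit, and the KDC reply.
NAS_ADVERTISED = "CIFS/NAS01.CORP.EXAMPLE.COM@corp.example.com"
KDC_REPLY = "cifs/nas01.corp.example.com@CORP.EXAMPLE.COM"

if __name__ == "__main__":
    print("strict check, old format: ", strict_client_check(NAS_ADVERTISED, KDC_REPLY))
    print("lenient check, old format:", lenient_client_check(NAS_ADVERTISED, KDC_REPLY))
    fixed = canonical_form(NAS_ADVERTISED)  # what the fixed NAS firmware would send
    print("strict check, fixed format:", strict_client_check(fixed, KDC_REPLY))
```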