#3280 Unclear in sssd_krb5_locator_plugin how to deal with lowercase/uppercase domains
Closed: Invalid. Opened 7 years ago by mpiechotka.

This may be a documentation issue or a domain issue. In /var/lib/sss/pubconf/ the domain is in upper-case form but the lookup tries the lower-case one. There seems to be no option to resolve this (I used the lower-case form consistently).


Please try to set 'krb5_realm = your.realm.in.lower.case' in the [domain/...] section of sssd.conf. This should create the kdcinfo file with the realm you specified with the krb5_realm option.

Please note that technically the suffix of the kdcinfo file is not the DNS domain but the Kerberos realm. And there is the convention that Kerberos realms are all upper-case. To make configuration easier the Kerberos realm is typically the DNS domain in upper-case, which is why it is easy to mix up the two.

As I said, using the upper-case form for the realm is just a convention, so it is valid to use lower-case names here as well. But according to the RFC Kerberos realms are case-sensitive, and applications which implicitly assume that the realm is upper-case might run into trouble. So I would recommend in general to keep using the upper-case convention, but if the lower-case form works in your environment you can of course keep it this way.

Btw, AD treats Kerberos names case-insensitively (in contrast to the RFC) but internally uses an upper-case realm as well, which is used e.g. to construct principals. If e.g. you call 'kinit user@ad.domain' on a Linux client, AD will return a ticket but kinit will fail and tell you that the response does not match the expectations. This is because in the response from AD the principal will be 'user@AD.DOMAIN', and kinit only accepts a different principal in the response if canonicalization is requested. So you either have to use the -C option with kinit or set the 'canonicalize' option in /etc/krb5.conf if you want to use 'user@ad.domain' with kinit.

HTH

bye,
Sumit

cc: => sbose
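The mismatch described in the reply above is easy to check for by hand: the locator plugin looks for a file named kdcinfo.&lt;realm&gt; using the realm it is asked for, so a realm that differs from the file suffix only in case is enough to miss it. The following diagnostic is an added example, not SSSD's own code; it builds a constructed pubconf directory (standing in for /var/lib/sss/pubconf) with an upper-case kdcinfo file and reports whether a given realm matches it exactly, only up to case, or not at all. The helper names and the 10.0.0.10 KDC address are invented for the example.

```shell
#!/bin/sh
# Added diagnostic (not part of SSSD): report whether a kdcinfo file exists
# for the realm a client would hand to sssd_krb5_locator_plugin.

# Constructed stand-in for /var/lib/sss/pubconf. SSSD writes kdcinfo.<realm>,
# and with the default configuration the realm suffix is upper-case.
make_pubconf() {
    dir=$(mktemp -d)
    printf '10.0.0.10\n' > "$dir/kdcinfo.EXAMPLE.COM"   # constructed sample
    printf '%s\n' "$dir"
}

# check_kdcinfo_realm DIR REALM
# Prints one of:
#   exact                 kdcinfo.REALM exists under that exact name
#   case-mismatch:NAME    a kdcinfo file exists whose suffix equals REALM
#                         ignoring case (the situation in this ticket)
#   missing               no kdcinfo file for this realm at all
check_kdcinfo_realm() {
    dir=$1
    realm=$2
    if [ -f "$dir/kdcinfo.$realm" ]; then
        echo exact
        return 0
    fi
    want=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    for f in "$dir"/kdcinfo.*; do
        [ -e "$f" ] || continue              # no match: the glob stayed literal
        name=${f##*/kdcinfo.}                # suffix after "kdcinfo."
        have=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
        if [ "$have" = "$want" ]; then
            echo "case-mismatch:$name"
            return 0
        fi
    done
    echo missing
    return 0
}

# Stand-alone usage: exercise the three outcomes against the constructed dir.
if [ -z "$KDCINFO_CHECK_NO_MAIN" ]; then
    d=$(make_pubconf)
    for r in EXAMPLE.COM example.com other.org; do
        printf '%-12s -> %s\n' "$r" "$(check_kdcinfo_realm "$d" "$r")"
    done
    rm -rf "$d"
fi
```

Run against the real directory as `check_kdcinfo_realm /var/lib/sss/pubconf example.com`. A `case-mismatch` result is the case from the reply: either ask for the realm in the upper-case form SSSD wrote, or set `krb5_realm = example.com` in the `[domain/...]` section of sssd.conf so the kdcinfo file is created with the lower-case suffix; the kinit side of the same problem is handled with `kinit -C` or `canonicalize` in /etc/krb5.conf, as the reply says.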

Thanks. Many configuration guides for the AD integration already do the conversion and use the lower-case-only version, so it might be better to include it in the documentation guide as a note.

Thank you for the hint. Can you give me some links to some of the guides you are thinking of? It would be good to understand the reasoning for breaking a long-existing convention. I'm not saying it is wrong, but it might help to adopt the configuration if the reasons are clear.

I'll close the ticket because I think SSSD is working as expected here. Please feel free to add links to the configuration guides you mentioned in comment #3.

resolution: => invalid
status: new => closed

Metadata Update from @mpiechotka:
- Issue set to the milestone: NEEDS_TRIAGE

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4313

If you want to receive further updates on the issue, please navigate to the github issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.

