Date: Wed, 7 Nov 2007 11:21:23 +0000
From: Dan Searle
Organization: Adelix Ltd.
Message-ID: <1616475236.20071107112123@adelix.com>
To: krb5-bugs@mit.edu
Subject: libkrb5 (libads/kerberos.c:ads_kinit_password) fails with 16 bit UTF8 characters in usernames and/or passwords

Hi,

I came across this problem when trying to use the Samba "net" command, or pam_krb5, to authenticate users against an active directory. They fail if the username and/or password uses UTF8 characters encoded with more than one byte, for instance...

If I have a user with username DÅNNY (the special "Å" character encodes as two bytes using UTF8), and try the samba "net ads user" command under Linux, I get the following...

cnv4:/home/dan# net ads user -U DÅNNY
DÅNNY's password:
[2007/11/02 11:30:46, 0] libads/kerberos.c:ads_kinit_password(208)
  kerberos_kinit_password DÅNNY@ADTEST.LOCAL failed: Client not found in Kerberos database
[2007/11/02 11:30:46, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Client not found in Kerberos database

The user DÅNNY does exist on the active directory, and I can get NTLM authentication to work with these usernames using the ntlm_auth helper that's part of the winbind suite.

Further to this, if I try to authenticate a user with no special characters in the username, but with them in its password, I get the following...

cnv4:/home/dan# net ads user -U o\'gradey
o'gradey's password:
[2007/11/02 11:40:21, 0] libads/kerberos.c:ads_kinit_password(208)
  kerberos_kinit_password o'gradey@ADTEST.LOCAL failed: Preauthentication failed
[2007/11/02 11:40:21, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Preauthentication failed

The password in question here also contains a "Å" character.

Looks like the libkrb5 doesn't support the UTF8 characters that encode with more than one byte.

Regards, Dan...

--
Dan Searle
Adelix Ltd
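
A diagnostic for the failure reported above, added here as an example; it is not code from the report, Samba, or MIT krb5. It assumes the account uses the RC4-HMAC enctype, whose key is derived from the UTF-16LE form of the password (RFC 4757), and compares widening each UTF-8 byte to 16 bits against decoding the UTF-8 properly. All function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, hypothetical names. Byte widening: one UTF-16LE unit per byte. */
size_t widen_bytes(const unsigned char *in, size_t len, unsigned char *out)
{
    for (size_t i = 0; i < len; i++) { out[2 * i] = in[i]; out[2 * i + 1] = 0; }
    return 2 * len;
}

static const uint32_t min_cp[5] = { 0, 0, 0x80, 0x800, 0x10000 }; /* overlong guard */
/* Strict UTF-8 -> UTF-16LE. Returns bytes written, 0 if malformed; out holds 2 * len. */
size_t utf8_to_utf16le(const unsigned char *in, size_t len, unsigned char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < len; ) {
        uint32_t cp; size_t n;
        if (in[i] < 0x80)                { cp = in[i];        n = 1; }
        else if ((in[i] & 0xE0) == 0xC0) { cp = in[i] & 0x1F; n = 2; }
        else if ((in[i] & 0xF0) == 0xE0) { cp = in[i] & 0x0F; n = 3; }
        else if ((in[i] & 0xF8) == 0xF0) { cp = in[i] & 0x07; n = 4; }
        else return 0;                                  /* invalid lead byte */
        if (n > len - i) return 0;                      /* truncated sequence */
        for (size_t k = 1; k < n; k++) {
            if ((in[i + k] & 0xC0) != 0x80) return 0;   /* bad continuation */
            cp = (cp << 6) | (in[i + k] & 0x3F);
        }
        if (cp < min_cp[n] || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        i += n;
        if (cp >= 0x10000) {                            /* needs a surrogate pair */
            uint32_t v = cp - 0x10000, hi = 0xD800 | (v >> 10), lo = 0xDC00 | (v & 0x3FF);
            out[o++] = hi & 0xFF; out[o++] = hi >> 8;
            out[o++] = lo & 0xFF; out[o++] = lo >> 8;
        } else {
            out[o++] = cp & 0xFF; out[o++] = cp >> 8;
        }
    }
    return o;
}

/* 1 if the two conversions feed different bytes to key derivation, -1 if too long. */
int s2k_input_differs(const unsigned char *pw, size_t len)
{
    unsigned char a[512], b[512];
    if (len > 256) return -1;
    size_t nb = utf8_to_utf16le(pw, len, b);
    return nb != widen_bytes(pw, len, a) || memcmp(a, b, nb) != 0;
}
```

For an ASCII-only string such as "o'gradey" both conversions agree, so only strings containing multi-byte characters are affected, which matches the pattern in the report.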