 

Subject: libkrb5 (libads/kerberos.c:ads_kinit_password) fails for usernames with UTF8 characters
When trying to use the Samba "net" command, or pam_krb5 to authenticate
users against an active directory, it fails if the username or password
uses special UTF8 characters, for instance...

If I have a user with username DÅNNY, and try the samba "net ads user"
command under Linux, I get the following...

cnv4:/home/dan# net ads user -U DÅNNY
DÅNNY's password:
[2007/11/02 11:30:46, 0] libads/kerberos.c:ads_kinit_password(208)
kerberos_kinit_password DÅNNY@ADTEST.LOCAL failed: Client not found in
Kerberos database
[2007/11/02 11:30:46, 0] utils/net_ads.c:ads_startup(289)
ads_connect: Client not found in Kerberos database

The user DÅNNY does exist on the active directory, and I can get NTLM
authentication to work with these usernames using the ntlm_auth helper
that's part of the winbind suite.

Further to this, if I try to authenticate a user with no special
characters in the username, but with them in its password, I get the
following...

cnv4:/home/dan# net ads user -U o\'gradey
o'gradey's password:
[2007/11/02 11:40:21, 0] libads/kerberos.c:ads_kinit_password(208)
kerberos_kinit_password o'gradey@ADTEST.LOCAL failed:
Preauthentication failed
[2007/11/02 11:40:21, 0] utils/net_ads.c:ads_startup(289)
ads_connect: Preauthentication failed

The password in question here contains a "Å" character.

Looks like the libkrb5 doesn't support the UTF8 characters.
Date: Wed, 7 Nov 2007 11:21:23 +0000
From: Dan Searle <dan@adelix.com>
To: krb5-bugs@mit.edu
Subject: libkrb5 (libads/kerberos.c:ads_kinit_password) fails with 16 bit UTF8 characters in usernames and/or passwords
Hi,

I came across this problem when trying to use the Samba "net" command,
or pam_krb5 to authenticate users against an active directory, they
fail if the username and/or password uses UTF8 characters encoded with
more than one byte, for instance...

If I have a user with username DÅNNY, (the special "Å" character
encodes as two bytes using UTF8), and try the samba "net ads user"
command under Linux, I get the following...

cnv4:/home/dan# net ads user -U DÅNNY
DÅNNY's password:
[2007/11/02 11:30:46, 0] libads/kerberos.c:ads_kinit_password(208)
kerberos_kinit_password DÅNNY@ADTEST.LOCAL failed: Client not found in
Kerberos database
[2007/11/02 11:30:46, 0] utils/net_ads.c:ads_startup(289)
ads_connect: Client not found in Kerberos database

The user DÅNNY does exist on the active directory, and I can get NTLM
authentication to work with these usernames using the ntlm_auth helper
that's part of the winbind suite.

Further to this, if I try to authenticate a user with no special
characters in the username, but with them in its password, I get the
following...

cnv4:/home/dan# net ads user -U o\'gradey
o'gradey's password:
[2007/11/02 11:40:21, 0] libads/kerberos.c:ads_kinit_password(208)
kerberos_kinit_password o'gradey@ADTEST.LOCAL failed:
Preauthentication failed
[2007/11/02 11:40:21, 0] utils/net_ads.c:ads_startup(289)
ads_connect: Preauthentication failed

The password in question here also contains a "Å" character.

Looks like the libkrb5 doesn't support the UTF8 characters that encode
with more than one byte.

Regards, Dan...

--

Dan Searle
Adelix Ltd
dan.searle@adelix.com web: www.adelix.com
tel: 0845 230 9590 / fax: 0845 230 9591 / support: 0845 230 9592
snail: The Old Post Office, Bristol Rd, Hambrook, Bristol BS16 1RY. UK.

Adelix Ltd is a registered company in England & Wales No. 4232156
VAT registration number 779 4232 91
Adelix Ltd is BS EN ISO 9001:2000 Certified (No. GB 12763)

From: Ken Raeburn <raeburn@MIT.EDU>
Subject: Re: [krbdev.mit.edu #5838] libkrb5 (libads/kerberos.c:ads_kinit_password) fails with 16 bit UTF8 characters in usernames and/or passwords
Date: Thu, 8 Nov 2007 21:59:50 -0500
To: rt@krbdev.mit.edu
RT-Send-Cc:
On Nov 7, 2007, at 10:38, Dan Searle via RT wrote:
> I came across this problem when trying to use the Samba "net" command,
> or pam_krb5 to authenticate users against an active directory, they
> fail if the username and/or password uses UTF8 characters encoded with
> more than one byte, for instance...

That's correct, we currently don't support non-ASCII characters well,
and in particular, non-ASCII passwords for accounts using RC4
encryption just don't work when talking to Microsoft implementations,
or anything compatible with their handling of non-ASCII passwords.

It's one of the things we'd like to fix up, if those funding the
Kerberos Consortium rate it an important enough problem of course...

Ken
Date: Fri, 09 Nov 2007 10:06:31 +0000
From: Dan Searle <dan@adelix.com>
To: rt-comment@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5836] Re: [krbdev.mit.edu #5838] libkrb5 (libads/kerberos.c:ads_kinit_password) fails with 16 bit UTF8 characters in usernames and/or passwords
RT-Send-Cc:
Hi,

Would it be possible for an external body to fund or aid development of
support for non-ASCII characters in the libkrb5 library?

Regards, Dan...

Ken Raeburn via RT wrote:
> On Nov 7, 2007, at 10:38, Dan Searle via RT wrote:
>
>> I came across this problem when trying to use the Samba "net" command,
>> or pam_krb5 to authenticate users against an active directory, they
>> fail if the username and/or password uses UTF8 characters encoded with
>> more than one byte, for instance...
>>
>
> That's correct, we currently don't support non-ASCII characters well,
> and in particular, non-ASCII passwords for accounts using RC4
> encryption just don't work when talking to Microsoft implementations,
> or anything compatible with their handling of non-ASCII passwords.
>
> It's one of the things we'd like to fix up, if those funding the
> Kerberos Consortium rate it an important enough problem of course...
>
> Ken