From: Anand Patil <anand@cloudera.com>
Date: Fri, 06 Jan 2017 20:57:33 +0000
Subject: kinit from keytab fails when principal contains a backslash
To: krb5-bugs@mit.edu
Reproduction:

1. Create principal with backslash using kadmin.local:

kadmin.local:  addprinc anand\\slash@DOMAIN
WARNING: no policy specified for anandslash@DOMAIN; defaulting to no policy
Enter password for principal "anand\\slash@DOMAIN": 
Re-enter password for principal "anand\\slash@DOMAIN": 
Principal "anand\\slash@DOMAIN" created.

2. Create a keytab for that principal using ktutil:

# ktutil
ktutil:  addent -password -p anand\\slash@DOMAIN -k 1 -e des3-cbc-sha1
Password for anand\\slash@DOMAIN: 
ktutil:  wkt /tmp/slash.keytab
[root@anand-cm-1 ~]# klist -kte /tmp/slash.keytab
Keytab name: FILE:/tmp/slash.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/06/17 12:53:30 anand\\slash@DOMAIN (des3-cbc-sha1) 

3. Try to use that keytab with kinit:

# kinit -k -t /tmp/slash.keytab -p anand\\slash@DOMAIN
kinit: Keytab contains no suitable keys for anandslash@DOMAIN while getting initial credentials

Thanks!
Anand

In step three, the shell eats one of the backslash characters before
kinit sees it, so kinit parses the principal name
"anand\slash@DOMAIN". "\s" is parsed as just "s" (since it is not one
of the special sequences "\n", "\t", "\b", or "\0" which map to
newline, tab, bell, and nul), so the result of parsing is the same as
just "anandslash@DOMAIN".

If you put single quotes around the principal name in the shell line
like this:

kinit -k -t /tmp/slash.keytab -p 'anand\\slash@DOMAIN'

then it should work, or does in my tests just now.

(Incidentally, the -p flag requests proxiable tickets, which is not
common usage. You don't need to specify any particular option just to
give a principal name on the command line.)
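The two parsing stages described above (the shell's quote removal, then krb5's own backslash handling) can be modelled side by side. This is an added example, not MIT krb5 code: shlex stands in for the POSIX shell, the escape table is only the four sequences named in the reply plus "any other escaped character stands for itself", and the display-quoting table is a simplified assumption about how a parsed component is printed back.

```python
import shlex

# Escape sequences krb5 recognises in a principal name, per the reply above;
# any other backslashed character stands for itself (e.g. "\s" -> "s").
KRB5_ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}

# Characters backslash-quoted when a parsed component is displayed
# (assumption: simplified model of the form klist prints).
KRB5_QUOTE_ME = {"\\": "\\\\", "/": "\\/", "@": "\\@",
                 "\n": "\\n", "\t": "\\t", "\b": "\\b", "\0": "\\0"}


def krb5_unquote(text):
    """Model of krb5's backslash handling when parsing a principal string."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(KRB5_ESCAPES.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def krb5_quote_component(component):
    """Inverse of krb5_unquote for one name component (display form)."""
    return "".join(KRB5_QUOTE_ME.get(c, c) for c in component)


def principal_seen_by_kinit(cmdline):
    """Shell quote removal (POSIX rules via shlex) followed by krb5 parsing.
    Constructed convention: the principal is the last word on the line."""
    argv = shlex.split(cmdline)
    return krb5_unquote(argv[-1])


# ktutil read anand\\slash@DOMAIN with krb5 rules, not the shell, so the
# keytab entry's name holds exactly one literal backslash.
KEYTAB_PRINCIPAL = krb5_unquote(r"anand\\slash@DOMAIN")

# Constructed command lines: step 3 of the report, and the single-quoted fix.
UNQUOTED_CMD = r"kinit -k -t /tmp/slash.keytab -p anand\\slash@DOMAIN"
QUOTED_CMD = r"kinit -k -t /tmp/slash.keytab -p 'anand\\slash@DOMAIN'"


def keytab_has_key(cmdline):
    """True when the principal kinit ends up with matches the keytab entry."""
    return principal_seen_by_kinit(cmdline) == KEYTAB_PRINCIPAL


if __name__ == "__main__":
    for cmd in (UNQUOTED_CMD, QUOTED_CMD):
        print(f"{cmd!r} -> {principal_seen_by_kinit(cmd)!r}"
              f" match={keytab_has_key(cmd)}")
```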
From: Anand Patil <anand@cloudera.com>
Date: Fri, 06 Jan 2017 22:35:11 +0000
Subject: Re: [krbdev.mit.edu #8535] kinit from keytab fails when principal contains a backslash
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Thanks, Greg, sorry for the mis-report!

On Fri, Jan 6, 2017 at 4:27 PM Greg Hudson via RT <rt-comment@krbdev.mit.edu> wrote:
> In step three, the shell eats one of the backslash characters before
> kinit sees it, so kinit parses the principal name
> "anand\slash@DOMAIN".  "\s" is parsed as just "s" (since it is not one
> of the special sequences "\n", "\t", "\b", or "\0" which map to
> newline, tab, bell, and nul), so the result of parsing is the same as
> just "anandslash@DOMAIN".
>
> If you put single quotes around the principal name in the shell line
> like this:
>
>   kinit -k -t /tmp/slash.keytab -p 'anand\\slash@DOMAIN'
>
> then it should work, or does in my tests just now.
>
> (Incidentally, the -p flag requests proxiable tickets, which is not
> common usage.  You don't need to specify any particular option just to
> give a principal name on the command line.)