Details
-
Bug
-
Status: Done (View Workflow)
-
Low
-
Resolution: Complete
-
11.2-U5
Description
Assuming a configuration where FreeNfiAS is configured to use AD, using an imported keytab file, where the NetBIOS style SPN is used. (see attached image)
The NetBIOS style hostname usually includes a '$' sign at the end.
I.E nd-bsd-1$@REALM
observed behaviour:
Upon (re)start of the AD Directory Service on FreeNAS, cachetool passes the SPN 'nd-bsd-1REALM' string to kinit, which inevitably fails. (Mind the missing '$@' signs)
This produces the following log messages:
Sep 6 03:30:21 nd-bsd-1 /cachetool.py: [common.pipesubr:65] Popen()ing: /usr/bin/kinit --renewable -k -t /etc/kerberos/nd-bsd-1 ND-BSD-1LAN.DOMAIN.AT Sep 6 03:30:25 nd-bsd-1 /cachetool.py: [common.pipesubr:65] Popen()ing: /usr/bin/kinit --renewable -k -t /etc/kerberos/nd-bsd-1 ND-BSD-1LAN.DOMAIN.AT Sep 6 10:34:16 nd-bsd-1 uwsgi: [common.pipesubr:65] Popen()ing: /usr/bin/kinit --renewable -k -t /etc/kerberos/nd-bsd-1 ND-BSD-1LAN.DOMAIN.AT
Whereas the kerberos_start script properly calls
Sep 6 10:34:47 nd-bsd-1 ActiveDirectory: kerberos_start: /usr/bin/kinit --renewable -t /etc/kerberos/nd-bsd-1 -k ND-BSD-1$@LAN.DOMAIN.AT
This is most likely, due to improper escaping of the SPN string passed on to kinit, causing '$' to be interpreted as a special character.
expected behaviour:
The string passed on to kinit by cachetool.py (?) is being properly escaped.
Attachments
Attachments
JEditor
Issue Links
- duplicates
-
-
- Engineering Closed
-
