Details
- Type: Bug
- Status: Done
- Priority: Low
- Resolution: Complete
- Affects Version/s: 11.2-U5
- Fix Version/s: 11.2-U7, TrueNAS 11.2-U7
- Component/s: Middleware
Description
Assuming a configuration where FreeNAS is configured to use AD, using an imported keytab file, where the NetBIOS style SPN is used (see attached image).
The NetBIOS style hostname usually includes a '$' sign at the end,
i.e. nd-bsd-1$@REALM
observed behaviour:
Upon (re)start of the AD Directory Service on FreeNAS, cachetool passes the SPN 'nd-bsd-1REALM' string to kinit, which inevitably fails. (Mind the missing '$@' signs)
This produces the following log messages:
Sep 6 03:30:21 nd-bsd-1 /cachetool.py: [common.pipesubr:65] Popen()ing: /usr/bin/kinit --renewable -k -t /etc/kerberos/nd-bsd-1 ND-BSD-1LAN.DOMAIN.AT
Sep 6 03:30:25 nd-bsd-1 /cachetool.py: [common.pipesubr:65] Popen()ing: /usr/bin/kinit --renewable -k -t /etc/kerberos/nd-bsd-1 ND-BSD-1LAN.DOMAIN.AT
Sep 6 10:34:16 nd-bsd-1 uwsgi: [common.pipesubr:65] Popen()ing: /usr/bin/kinit --renewable -k -t /etc/kerberos/nd-bsd-1 ND-BSD-1LAN.DOMAIN.AT
Whereas the kerberos_start script properly calls
Sep 6 10:34:47 nd-bsd-1 ActiveDirectory: kerberos_start: /usr/bin/kinit --renewable -t /etc/kerberos/nd-bsd-1 -k ND-BSD-1$@LAN.DOMAIN.AT
This is most likely due to improper escaping of the SPN string passed on to kinit, causing '$' to be interpreted as a special character.
expected behaviour:
The string passed on to kinit by cachetool.py (?) is being properly escaped.
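Added example, not part of the original report or the FreeNAS code base: it reproduces the dropped '$@' from the log lines above and shows two ways to pass the principal intact. It assumes the command reaches /bin/sh as a single string (the report does not show how common.pipesubr builds it); a small Python stand-in replaces kinit, and the keytab path and principal are constructed from the log lines.

```python
import shlex
import subprocess
import sys

# Constructed values modelled on the log lines in the report.
KEYTAB = "/etc/kerberos/nd-bsd-1"
PRINCIPAL = "ND-BSD-1$@LAN.DOMAIN.AT"

# Stand-in for /usr/bin/kinit so this runs offline: it echoes its last
# argument (the principal) exactly as the child process received it.
STAND_IN = [sys.executable, "-c", "import sys; print(sys.argv[-1])"]
KINIT_ARGS = ["--renewable", "-k", "-t", KEYTAB]


def _run(cmd, shell):
    done = subprocess.run(cmd, shell=shell, capture_output=True,
                          text=True, check=True)
    return done.stdout.strip()


def principal_via_unquoted_shell_string(principal):
    """Assumed failure mode: words joined into one string, run by /bin/sh.

    The shell expands "$@" (its positional parameters, none here) to nothing.
    """
    cmd = " ".join(shlex.quote(a) for a in STAND_IN + KINIT_ARGS)
    return _run(cmd + " " + principal, shell=True)


def principal_via_quoted_shell_string(principal):
    """Same shell path, but the principal is escaped with shlex.quote()."""
    cmd = " ".join(shlex.quote(a) for a in STAND_IN + KINIT_ARGS + [principal])
    return _run(cmd, shell=True)


def principal_via_argv_list(principal):
    """No shell involved: each argument reaches the child unmodified."""
    return _run(STAND_IN + KINIT_ARGS + [principal], shell=False)


if __name__ == "__main__":
    for fn in (principal_via_unquoted_shell_string,
               principal_via_quoted_shell_string,
               principal_via_argv_list):
        print(f"{fn.__name__}: {fn(PRINCIPAL)}")
```

Passing an argument list without a shell is the more robust of the two fixes, since it removes shell parsing from the path entirely rather than depending on every caller to quote correctly.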
Issue Links
- duplicates: NAS-103413 Kerberos keytab named "nfs/..." not added to krb5.keytab
- Engineering Closed