[squid-dev] Support lower case http/ spn format for realmd/adcli join support.

Mike Surcouf mikes at surcouf.co.uk
Tue Jun 26 18:53:37 UTC 2018


Correction

> supports lowercases all SPNs

should read 

lowercases all SPNs (you don’t have an option)

so it always produces http/hostname@REALM.COM

This is a conscious decision by the adcli team

https://bugs.freedesktop.org/show_bug.cgi?id=84749


-----Original Message-----
From: squid-dev [mailto:squid-dev-bounces at lists.squid-cache.org] On Behalf Of Mike Surcouf
Sent: 26 June 2018 19:37
To: 'squid-dev at lists.squid-cache.org'
Subject: [squid-dev] Support lower case http/ spn format for realmd/adcli join support.

This can be seen here but also applies to other helpers that use Kerberos.

https://github.com/squid-cache/squid/blob/5b74111aff8948e869959113241adada0cd488c2/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc#L490

adcli (which realmd uses for AD joins) supports lowercases all SPNs when adding them to a keytab.
Whether HTTP/ or http/ SPNs are valid is up for debate and really depends on the convention of the tool in question, but I see no harm in supporting lowercase http/ in addition to HTTP/ SPNs.
As far as I can see, even supplying your own SPN does not allow http/ (lowercase).

This would provide compatibility with adcli and realmd join which are common tools for AD management on CentOS/RHEL.

Thanks

Mike
