[squid-dev] Support lower case http/ spn format for realmd/adcli join support.

Amos Jeffries squid3 at treenet.co.nz
Wed Jun 27 18:11:42 UTC 2018


On 27/06/18 06:53, Mike Surcouf wrote:
> Correction
> 
>> supports lowercases all SPNs
> 
> should read 
> 
> lowercases all SPNs (you don’t have an option)
> 
> so it always produces http/hostname at REALM.COM
> 
> This is a conscious decision by the adcli team
> 
> https://bugs.freedesktop.org/show_bug.cgi?id=84749
> 

I don't see any explicit decision by them to use only lower-case. Just
statements that AD accepts case-insensitive inputs so they don't care to
do anything special.


Case insensitivity is a Microsoft custom extension. It cannot be relied
on in non-MS software:
"
Service Principal Names (SPNs) are not case sensitive when used by
Microsoft Windows-based computers. However, an SPN can be used by any
type of computer system. Many of these computer systems, especially
UNIX-based systems, are case-sensitive and require the proper case to
function properly. Care should be taken to use the proper case
particularly when an SPN can be used by a non-Windows-based computer.

Refer this: http://technet.microsoft.com/en-us/library/cc731241(WS.10).aspx
"


Squid also does not parse these details itself. The library being used
by the helper is responsible for all processing of the local machine's
keytab. Squid only parses a token of opaque bytes from HTTP message
headers and passes it as an opaque string to the auth helpers. Our
Kerberos helpers use several libraries, and the one which you are using
apparently has case sensitivity for the SPN.



On the technical side:

Kerberos documents just defer to the protocols where the elements of SPN
are sourced. So some segments in the SPN are case sensitive and others
are not, depending on what type of use the SPN is put to.
 e.g. DNS defines hostname as insensitive, so that part is. Some auth
systems define realm as insensitive, others as case-sensitive - so that
part *might be* (or not. ouch!).


FWIW, following that deferral style - the HTTP protocol defines its
protocol name as case-sensitive and has a significant difference between
"HTTP" (transport / messaging syntax) and "http" (URL scheme/syntax,
possibly used over non-HTTP transports).

So technically / in theory:
 * if the SPN is for access to HTTP transport (as Squid SPN are)
   - then the "HTTP/" portion should be upper case only.

 * if the SPN is for use of http:// resource URLs (eg, as opposed to
   ftp:// URLs fetched with HTTP)
   - it can be any case.


Squid does not go to that second URL-specific level of detail with
authentication and SPNs. Also, since one is required upper case, and the
other doesn't matter, going upper case would be the best choice for us if
we did normalize rather than handle as opaque strings anyway.


HTH
Amos
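As an added illustration (not code from this thread, from Squid, or from adcli), a small Python check that splits two SPNs into service/host/realm and compares each segment under the case rules laid out in the message above: service name case-sensitive, hostname case-insensitive, realm undefined. The SPNs and the realm are constructed sample values, not taken from the thread.

```python
import re

# Constructed sample SPNs (not from the thread): the lower-case form that
# realmd/adcli produces beside the upper-case form a case-sensitive
# Kerberos library would expect to find in the keytab.
ADCLI_SPN = "http/proxy.example.com@EXAMPLE.COM"
KEYTAB_SPN = "HTTP/proxy.example.com@EXAMPLE.COM"

SPN_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)(?:@(?P<realm>[^@]+))?$")


def parse_spn(spn):
    """Split 'service/host[@REALM]' into (service, host, realm); realm may be None."""
    m = SPN_RE.match(spn)
    if not m:
        raise ValueError(f"not a service/host[@REALM] SPN: {spn!r}")
    return m.group("service"), m.group("host"), m.group("realm")


def compare_spns(a, b):
    """Compare two SPNs segment by segment and return a verdict per segment.

    service: case-sensitive (HTTP defines its protocol name that way)
    host:    case-insensitive (DNS hostnames)
    realm:   case-sensitivity is implementation-defined, so a case-only
             difference is reported as 'uncertain' rather than a match.
    """
    sa, ha, ra = parse_spn(a)
    sb, hb, rb = parse_spn(b)
    verdict = {}
    if sa == sb:
        verdict["service"] = "match"
    elif sa.casefold() == sb.casefold():
        verdict["service"] = "case mismatch"  # the http/ vs HTTP/ case
    else:
        verdict["service"] = "mismatch"
    verdict["host"] = "match" if ha.casefold() == hb.casefold() else "mismatch"
    if ra == rb:
        verdict["realm"] = "match"
    elif (ra or "").casefold() == (rb or "").casefold():
        verdict["realm"] = "uncertain"  # depends on the KDC and client library
    else:
        verdict["realm"] = "mismatch"
    return verdict


def spn_would_match(a, b):
    """True only when every segment is a definite match under the rules above."""
    return all(v == "match" for v in compare_spns(a, b).values())


if __name__ == "__main__":
    print(compare_spns(ADCLI_SPN, KEYTAB_SPN))
```

Running it on the two sample SPNs reports the service segment as a case mismatch while host and realm match, which is the symptom described in the thread.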

