support service principal with slash #105
Merged
Hi,
we're using gokrb in vault-plugin-auth-kerberos to authenticate users, and noticed that we were getting unexpected "Matching key not found in keytab" errors when service principals contained slashes/multiple components, e.g. "HTTP/full-hostname.keytab@EXAMPLE.COM".
There is more detail in wintoncode/vault-plugin-auth-kerberos#1
It turns out that this is because the `sa` is represented differently: in the keytab it's a list of components (`["HTTP", "full-hostname.keytab@EXAMPLE.COM"]`), in `ValidateAPREQ` it's a single string `"HTTP/full-hostname.keytab@EXAMPLE.COM"`. `DecryptEncPart` in https://github.com/jcmturner/gokrb5/blob/master/messages/Ticket.go#L191 currently simply converts the single string into a list containing that single string: `["HTTP/full-hostname.keytab@EXAMPLE.COM"]`. Therefore when `GetEncryptionKey` is called, the lengths of both lists don't match and it can't find the key in the keytab. The reason that the version in the keytab is split up is the keytab format and parsing here: https://github.com/jcmturner/gokrb5/blob/master/keytab/keytab.go#L246
The proposed solution is to simply split up the string into its components.
All the work for this was done by @kristian-lesko in https://github.com/wintoncode/vault-plugin-auth-kerberos/pull/2/files, thanks a lot Kristian!
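Added example (not code from the PR or from gokrb5) showing the mismatch described above: a constructed, simplified keytab entry holds the principal as a component list, the pre-fix conversion wraps the whole `sa` string in a one-element list so the component-wise comparison fails, and splitting on `/` makes the lookup succeed. `keytabEntry`, `lookupKey`, `principalBefore` and `principalAfter` are stand-ins written for this illustration, not gokrb5 identifiers.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// keytabEntry is a constructed stand-in (not gokrb5's type): the principal is a component list.
type keytabEntry struct {
	Components []string
	Key        []byte
}
// sampleKeytab is constructed sample data using the principal from the PR description.
var sampleKeytab = []keytabEntry{{
	Components: []string{"HTTP", "full-hostname.keytab@EXAMPLE.COM"},
	Key:        []byte("constructed-key-material"),
}}
// componentsMatch mirrors the lookup comparison: equal length and equal entries.
func componentsMatch(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}
// lookupKey returns the key whose principal components match exactly.
func lookupKey(kt []keytabEntry, components []string) ([]byte, error) {
	for _, e := range kt {
		if componentsMatch(e.Components, components) {
			return e.Key, nil
		}
	}
	return nil, errors.New("Matching key not found in keytab")
}
// principalBefore reproduces the pre-fix conversion: the whole string is one component.
func principalBefore(sa string) []string { return []string{sa} }
// principalAfter applies the proposed fix: split the string into its "/" components.
func principalAfter(sa string) []string { return strings.Split(sa, "/") }

func main() {
	sa := "HTTP/full-hostname.keytab@EXAMPLE.COM"
	_, before := lookupKey(sampleKeytab, principalBefore(sa))
	_, after := lookupKey(sampleKeytab, principalAfter(sa))
	fmt.Println("before fix:", before, "| after fix:", after)
}
```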