The kerberos RFC does not declare any restriction on
characters used in kerberos names, though
implementations MAY be more restrictive.
If the kerberos controller supports use non-conventional
user names and the kerberos admin chooses to use them
this can confuse some of the parsing.
The obvious solution is for the enterprise admins to "not do that"
as a lot of things break, bits of hadoop included.
Harden the hadoop code slightly so at least we fail more gracefully,
so people can then get in touch with their sysadmin and tell them
to stop it.
Note: given the kerberos admin is implicitly a superuser, being
able to create malformed principal names.
doesn't give them any privileges, just offers a different way
to stop the cluster working.