[OpenAFS] Re: is there any good reason to use capitalized names for new realms?
Jeffrey Hutzelman
jhutz@cmu.edu
Wed, 25 Jan 2006 19:02:33 -0500
On Wednesday, January 25, 2006 01:15:35 PM -0800 Russ Allbery
<rra@stanford.edu> wrote:
> Adam Megacz <megacz@cs.berkeley.edu> writes:
>> Russ Allbery <rra@stanford.edu> writes:
>
>>> Yes, there's a lot of software out there that assumes all realm names
>>> are in uppercase. It's possible to use lowercase realms (stanford.edu
>>> is a lowercase realm), but learn from our mistake and don't do it.
>>> It's not worth it.
>
>> I'd actually be really interested in knowing more about what broke. Are
>> there any non-ancient libkrb's that include this assumption, or is it
>> just some poorly written applications?
>
> It's not that anything necessarily *broke* (although I think some versions
> of desktop Kerberos had difficulty, although that may have been with our
> K4 vs. K5 realm mismatch). As I said, we're using it, and it does work.
> It's that it's not the default, so you have to do a bunch more
> configuration work. For instance, I think your AFS cell will need special
> configuration to tell it what realm it's associated with, automatic
> derivations of realm names from system names will fail and you'll need to
> configure special mappings, etc.

Please take a look at RFC4120, section 6.1, which sums up the issue:

   Although realm names are encoded as GeneralStrings and technically a
   realm can select any name it chooses, interoperability across realm
   boundaries requires agreement on how realm names are to be assigned,
   and what information they imply.

   To enforce these conventions, each realm MUST conform to the
   conventions itself, and it MUST require that any realms with which
   inter-realm keys are shared also conform to the conventions and
   require the same from its neighbors.

   [...]

   Domain style realm names MUST look like domain names: they consist of
   components separated by periods (.) and they contain neither colons
   (:) nor slashes (/). Though domain names themselves are case
   insensitive, in order for realms to match, the case must match as
   well. When establishing a new realm name based on an internet domain
   name it is recommended by convention that the characters be converted
   to uppercase.

In other words, this is one of those cases where things work a lot better
if everyone does it the same way, and in this case, the well-established
approach is to use upper-case realm names.

No one is going to force you to follow those conventions, though some
people may refuse to talk to you if you don't, and others may simply be
unable to talk to you because they know realm names are always uppercase
and simply will not believe yours is lowercase no matter how much you tell
them. However, you asked for advice, and Russ operates what as far as I
know is the largest and longest-lived example of a realm that has deviated
from convention in this way. I'd listen to him if I were you.

-- Jeff
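
Added example (not part of the message above, and not code from any Kerberos or OpenAFS release): a small Python check of a realm name against the domain-style rules quoted from RFC 4120 section 6.1, plus the case-sensitive mismatch Russ describes when a realm is derived automatically from a system name. The derivation rule (uppercase the domain part of the hostname), the letters-digits-hyphen label pattern, the function names and the hostname host1.stanford.edu are assumptions made for illustration.

```python
import re

# Assumption: "looks like a domain name" is modelled as letters/digits/hyphen
# labels with no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def check_realm(realm):
    """Return a list of findings for a domain-style realm name (empty = OK)."""
    if ":" in realm or "/" in realm:
        # Quoted rule: domain-style names contain neither colons nor slashes.
        return ["not domain style: contains ':' or '/'"]
    findings = []
    if any(not _LABEL.match(label) for label in realm.split(".")):
        findings.append("does not look like a domain name")
    if realm != realm.upper():
        # Realm comparison is case-sensitive, and the convention is uppercase.
        findings.append("not uppercase: peers assuming uppercase will not match")
    return findings


def derived_realm(hostname):
    """Assumed default derivation: uppercase the domain part of the hostname."""
    _host, _, domain = hostname.partition(".")
    return domain.upper() if domain else None


def needs_explicit_mapping(hostname, actual_realm):
    """True when the derived realm differs, byte for byte, from the real one."""
    return derived_realm(hostname) != actual_realm


if __name__ == "__main__":
    # Constructed sample input; only the realm name stanford.edu is from the thread.
    for realm in ("STANFORD.EDU", "stanford.edu", "c=US/o=Example"):
        print(realm, "->", check_realm(realm) or "OK")
    for realm in ("STANFORD.EDU", "stanford.edu"):
        print("host1.stanford.edu with realm", realm, "needs mapping:",
              needs_explicit_mapping("host1.stanford.edu", realm))
```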