[AFS3-std] Re: Revised PTS authentication name mapping draft, call for review

Harald Barth haba@kth.se
Fri, 27 Aug 2010 10:14:53 +0200 (CEST)


> Old rxkad fileservers convert krb5 names to a krb4 "name" and
> "instance" according to a semi-obscure set of hardcoded rules in
> rxkad, join them with '.' (unless the instance is null), then append
> '@' and the downcased realm (unless it is a "local" realm). The
> resulting string is passed to PR_NameToID, and what _that_ does is
> not currently specified.

I can say that I _am_ confused about how the name I have in a krb v5
keytab, host/computer.example.com@EXAMPLE.COM, gets converted to
rcmd.computer for use in pts. But web/computer.example.com@EXAMPLE.COM
gets converted to web.computer.example.com. There is this section
about conversion of names in krb5.conf but I do not know which
programs actually use it and if it is used for this conversion at all
(as stuff is hardcoded somewhere, too).

> Note that I'm not proposing changing rxkad's existing interface,
> which returns a separate name, instance, and cell. I'm only
> proposing changing the form of the binary authname blob that would
> be returned when the _new_ interface is used.

Whatever we do, I'd like to see that the solution does _not_ result in
something that is like the current mess where only a few people in the
world know what is converted where and how. All the others follow the
"we have always done it like this and then it works and don't ask
questions" line.

Harald.
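As an added illustration of the conversion steps described in the quoted text (krb5 name to krb4 name/instance, join with '.', append the downcased realm unless local), here is a Python model that reproduces the two mappings observed in this message; it is not code from rxkad or from anyone in this thread, and the host-to-rcmd rule, the hostname shortening, the LOCAL_REALMS set and all function names are assumptions constructed for the example, not the real rxkad rules.

```python
import re

# Constructed for this example: realms treated as "local" (no '@realm' suffix appended).
LOCAL_REALMS = {"EXAMPLE.COM"}
# Constructed, modelled only on the two observations in the message:
# 'host/<fqdn>' becomes 'rcmd.<short hostname>'; every other service keeps its instance as-is.
SPECIAL_SERVICES = {"host": "rcmd"}

def parse_krb5_principal(principal):
    """Split 'name/instance@REALM' (instance optional) into (name, instance, realm)."""
    m = re.fullmatch(r"([^/@]+)(?:/([^@]+))?@([^@]+)", principal)
    if not m:
        raise ValueError("malformed principal: %r" % principal)
    name, instance, realm = m.groups()
    return name, instance or "", realm

def krb5_to_krb4(name, instance):
    """Model of the hardcoded krb5->krb4 step: host/fqdn -> rcmd.short, others unchanged."""
    if name in SPECIAL_SERVICES:
        return SPECIAL_SERVICES[name], instance.split(".")[0]
    return name, instance

def krb4_to_pts_name(name, instance, realm, local_realms=LOCAL_REALMS):
    """Join name and instance with '.' unless the instance is null,
    then append '@' plus the downcased realm unless the realm is local."""
    s = name if not instance else name + "." + instance
    if realm.upper() not in local_realms:
        s += "@" + realm.lower()
    return s

def pts_name(principal, local_realms=LOCAL_REALMS):
    """Full pipeline: krb5 principal string -> string handed to PR_NameToID."""
    name, instance, realm = parse_krb5_principal(principal)
    n4, i4 = krb5_to_krb4(name, instance)
    return krb4_to_pts_name(n4, i4, realm, local_realms)

if __name__ == "__main__":
    for p in ("host/computer.example.com@EXAMPLE.COM",
              "web/computer.example.com@EXAMPLE.COM",
              "haba/admin@OTHER.ORG"):
        print(p, "->", pts_name(p))
```

The SPECIAL_SERVICES table is exactly the kind of hardcoded knowledge the message complains about: whether a given principal ends up as rcmd.computer or web.computer.example.com depends on an entry nobody can read out of a specification, which is what a documented mapping would fix.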