[AFS3-std] Re: Revised PTS authentication name mapping draft, call for review
Derrick Brashear
shadow@gmail.com
Fri, 27 Aug 2010 09:06:32 -0400
On Fri, Aug 27, 2010 at 4:14 AM, Harald Barth <haba@kth.se> wrote:
>
>> Old rxkad fileservers convert krb5 names to a krb4 "name" and
>> "instance" according to a semi-obscure set of hardcoded rules in
>> rxkad, join them with '.' (unless the instance is null), then append
>> '@' and the downcased realm (unless it is a "local" realm). The
>> resulting string is passed to PR_NameToID, and what _that_ does is
>> not currently specified.
>
> I can say that I _am_ confused about how the name I have in a krb v5
> keytab, host/computer.example.com@EXAMPLE.COM, gets converted to
> rcmd.computer for use in pts. But web/computer.example.com@EXAMPLE.COM
> gets converted to web.computer.example.com. There is this section
> about conversion of names in krb5.conf but I do not know which
> programs actually use it and if it is used for this conversion at all
> (as stuff is hardcoded somewhere, too).
This is somewhat out of scope as it is legacy rather than something
being standardized here. However,
rxkad includes a hardcoded table in src/rxkad/ticket5.c which claims:
/*
 * Principal conversion Taken from src/lib/krb5/krb/conv_princ from MIT Kerberos.
 * If you find a need to change the services here, please consider opening a
 * bug with MIT by sending mail to krb5-bugs@mit.edu.
 */
Most converted names have a short hostname in krb4 and are converted
from a full hostname. Exceptions:
kadmin, zephyr keep their existing instance; host/full becomes rcmd/short.
Other converted principals:
discuss, rvdsrv, sample, olc, pop, sis, rfs, imap, ftp, ecat, daemon,
gnats, moira, prms, mandarin, register, changepw, sms, afpserver,
gdss, news, abs, nfs, tftp, http, khttp, pgpsigner, irc,
mandarin-agent, write, palladium, imap, smtp, lmtp, acap, argus,
mupdate.
>> Note that I'm not proposing changing rxkad's existing interface,
>> which returns a separate name, instance, and cell. I'm only
>> proposing changing the form of the binary authname blob that would
>> be returned when the _new_ interface is used.
>
> Whatever we do, I'd like to see that the solution does _not_ result in
> something that is like the current mess where only a few people in the
> world know what is converted where and how.
Given that source is shipped and the rules match the conversion MIT krb5
does, that *should not* be the case.
--
Derrick
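The mapping Harald asks about and Derrick summarises, written out as a small model so the behaviour can be checked against the two examples in the thread. This is an added example, not rxkad's code (that lives in src/rxkad/ticket5.c in OpenAFS) and not MIT's conv_princ table: the service list is copied from Derrick's message, the function names (krb5_to_krb4, krb4_to_pts_name, pts_name) are invented for the example, and the handling of a "local" realm and of principals with more than two components are assumptions.

```python
# Added example: a model of the krb5 -> krb4 -> PTS name mapping as the thread
# describes it. This is NOT rxkad's own code; the service list below is the one
# quoted in Derrick's message, and MIT's actual table may differ.

# Services whose krb4 instance is the short hostname, converted from the full
# krb5 hostname instance (list copied from the thread).
SHORT_HOST_SERVICES = {
    "discuss", "rvdsrv", "sample", "olc", "pop", "sis", "rfs", "imap", "ftp",
    "ecat", "daemon", "gnats", "moira", "prms", "mandarin", "register",
    "changepw", "sms", "afpserver", "gdss", "news", "abs", "nfs", "tftp",
    "http", "khttp", "pgpsigner", "irc", "mandarin-agent", "write",
    "palladium", "smtp", "lmtp", "acap", "argus", "mupdate",
}
# Services whose instance is kept exactly as it appears in the krb5 name.
KEEP_INSTANCE_SERVICES = {"kadmin", "zephyr"}
# host/full.host.name becomes rcmd/short
RENAMED_SERVICES = {"host": "rcmd"}


def krb5_to_krb4(principal):
    """Return (name, instance, realm) for a krb5 principal string.

    Assumption (not stated in the thread): anything after a second '/'
    is folded into the instance rather than rejected.
    """
    if "@" not in principal:
        raise ValueError("principal has no realm: %r" % principal)
    local, realm = principal.rsplit("@", 1)
    comps = local.split("/")
    name, instance = comps[0], "/".join(comps[1:])
    if name in RENAMED_SERVICES:
        name = RENAMED_SERVICES[name]
        instance = instance.split(".")[0]
    elif name in SHORT_HOST_SERVICES:
        instance = instance.split(".")[0]
    # KEEP_INSTANCE_SERVICES and every unlisted service pass through unchanged,
    # which is why web/computer.example.com stays web.computer.example.com.
    return name, instance, realm


def krb4_to_pts_name(name, instance, realm, local_realms):
    """Join name and instance with '.', then append '@' plus the downcased
    realm unless the realm is one of the cell's local realms. Local realms
    are matched case-insensitively here (assumption)."""
    pts = name if not instance else name + "." + instance
    if realm.lower() not in {r.lower() for r in local_realms}:
        pts += "@" + realm.lower()
    return pts


def pts_name(principal, local_realms):
    """Whole pipeline: krb5 principal -> krb4 triple -> string given to PR_NameToID."""
    name, instance, realm = krb5_to_krb4(principal)
    return krb4_to_pts_name(name, instance, realm, local_realms)


if __name__ == "__main__":
    # Constructed inputs; the first two are the ones Harald quotes.
    for p in ("host/computer.example.com@EXAMPLE.COM",
              "web/computer.example.com@EXAMPLE.COM",
              "ftp/ftp.example.com@EXAMPLE.COM",
              "alice@OTHER.ORG"):
        print(p, "->", pts_name(p, ["EXAMPLE.COM"]))
```

Running it reproduces both of Harald's observations (rcmd.computer and web.computer.example.com), and makes the practical point visible: which PTS entry a Kerberos principal lands on depends entirely on whether its service name is in this fixed table, so an administrator granting rights to a service principal needs to check the mapped form rather than assume the full hostname is kept.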