[OpenAFS-devel] Minimum autoconf version
Derrick J Brashear
shadow@dementia.org
Tue, 5 Jul 2005 10:22:26 -0400 (EDT)
>> Hrrm? hasn't the 'user/admin' kerberos ticket to 'user.admin' AFS id
>> always been standard?
Everywhere I've gone.
>
> user.admin@REALM
> user/admin@REALM
>
> Two identities in Kerberos should not be treated as the same identity in
> AFS.
If you have a user in krb5 named "user.admin" I think we do something to
avoid it being simply "user.admin" for afs, so user/admin can be mapped
safely.
In fact, from rxkad/ticket5.c:
    /*
     * If the first part of the name_string contains a dot, punt since
     * then we can't see the difference between the kerberos 5
     * principals foo.root and foo/root later in the fileserver.
     */
    if (strchr(decr_part.cname.name_string.val[0], '.') != NULL)
        goto bad_ticket;
so, yes, user/admin becomes user.admin, and user.admin gets to pound salt.
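
Added example, not part of the original message and not OpenAFS code: a self-contained sketch of the mapping described above, showing why the dot check keeps user/admin and user.admin from collapsing into one AFS name. The function name krb5_to_afs_name and the limit of two name components are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not OpenAFS code: flatten a krb5 principal's name
 * components into a dotted AFS-style name ("user" + "admin" -> "user.admin").
 * Returns 0 on success, -1 if the principal must be rejected. */
int krb5_to_afs_name(const char *const *comp, size_t ncomp,
                     char *out, size_t outlen)
{
    int n;

    /* Assumption for this sketch: only name or name/instance is accepted. */
    if (ncomp < 1 || ncomp > 2 || comp[0][0] == '\0')
        return -1;

    /* The check quoted above: a dot in the first component would make
     * "user.admin" indistinguishable from "user/admin" after flattening. */
    if (strchr(comp[0], '.') != NULL)
        return -1;

    if (ncomp == 2)
        n = snprintf(out, outlen, "%s.%s", comp[0], comp[1]);
    else
        n = snprintf(out, outlen, "%s", comp[0]);

    /* Refuse to return a silently truncated identity. */
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample principals (realm omitted). */
    const char *slash[] = { "user", "admin" };   /* user/admin */
    const char *dotted[] = { "user.admin" };     /* user.admin */
    const char *plain[] = { "user" };            /* user */
    char buf[64];

    if (krb5_to_afs_name(slash, 2, buf, sizeof buf) == 0)
        printf("user/admin -> %s\n", buf);
    if (krb5_to_afs_name(dotted, 1, buf, sizeof buf) != 0)
        printf("user.admin -> rejected\n");
    if (krb5_to_afs_name(plain, 1, buf, sizeof buf) == 0)
        printf("user       -> %s\n", buf);
    return 0;
}
```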