[OpenAFS-devel] Minimum autoconf version
Tim Spriggs
tims@lpl.arizona.edu
Tue, 5 Jul 2005 07:33:57 -0700 (MST)
On Tue, 5 Jul 2005, Derrick J Brashear wrote:
> >> Hrrm? hasn't the 'user/admin' kerberos ticket to 'user.admin' AFS id
> >> always been standard?
>
> Everywhere I've gone.
>
> >
> > user.admin@REALM
> > user/admin@REALM
> >
> > Two identities in Kerberos should not be treated as the same identity in
> > AFS.
>
> If you have a user in krb5 named "user.admin" I think we do something to
> avoid it being simply "user.admin" for afs, so user/admin can be mapped
> safely.
>
> In fact, from rxkad/ticket5.c:
> /*
>  * If the first part of the name_string contains a dot, punt since
>  * then we can't see the difference between the kerberos 5
>  * principals foo.root and foo/root later in the fileserver.
>  */
> if (strchr(decr_part.cname.name_string.val[0], '.') != NULL)
>     goto bad_ticket;
>
> so, yes, user/admin becomes user.admin, and user.admin gets to pound salt.
>
So essentially it is not valid to have usernames with dots in them?
While we are mapping / to ., maybe we could map . to something else to
extend the ugliness? Or make things really confusing and map . to / and /
to .?
What was the motivation for this mapping in the first place?
Lunar and Planetary Lab
(520) 626 - 4991 -- SS 416
1629 E. University Blvd.
University of Arizona
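
Added example, not part of the original message and not OpenAFS code: a sketch of the aliasing the quoted rxkad/ticket5.c check prevents, where joining principal components with '.' makes user/admin and user.admin indistinguishable unless a dotted first component is rejected. The names `map_principal` and `principals_collide`, the `strict` flag and the 64-byte buffers are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not OpenAFS code): map Kerberos 5 name components to
 * a dotted AFS-style name, "user/admin" -> "user.admin". With strict set it
 * applies the rule quoted from rxkad/ticket5.c and rejects a first component
 * containing a dot. Returns 0 on success, -1 on rejection or overflow. */
int map_principal(const char *const comp[], int ncomp, int strict,
                  char *out, size_t outlen)
{
    size_t used = 0;
    int i;
    if (ncomp < 1 || outlen == 0)
        return -1;
    if (strict && strchr(comp[0], '.') != NULL)
        return -1;                  /* "foo.root" would alias "foo/root" */
    out[0] = '\0';
    for (i = 0; i < ncomp; i++) {
        size_t len = strlen(comp[i]);
        if (used + len + (i > 0) >= outlen)
            return -1;              /* never truncate an identity */
        if (i > 0)
            out[used++] = '.';      /* the '/' separator becomes '.' */
        memcpy(out + used, comp[i], len);
        used += len;
        out[used] = '\0';
    }
    return 0;
}

/* Returns 1 when both principals are accepted and map to the same name. */
int principals_collide(const char *const a[], int na,
                       const char *const b[], int nb, int strict)
{
    char ma[64], mb[64];
    if (map_principal(a, na, strict, ma, sizeof ma) != 0 ||
        map_principal(b, nb, strict, mb, sizeof mb) != 0)
        return 0;                   /* a rejected principal cannot collide */
    return strcmp(ma, mb) == 0;
}

int main(void)
{
    /* Constructed sample principals, taken from the names in the thread. */
    const char *const slash[] = { "user", "admin" };   /* user/admin */
    const char *const dot[] = { "user.admin" };        /* user.admin */
    printf("collide without check: %d, with check: %d\n",
           principals_collide(slash, 2, dot, 1, 0),
           principals_collide(slash, 2, dot, 1, 1));
    return 0;
}
```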