[OpenAFS-devel] Krb5-only and KeyFile?
Ken Hornstein
kenh@cmf.nrl.navy.mil
Mon, 06 Jun 2005 13:38:02 -0400
>Right now, this mapping is fixed and is fairly simple:
>
> - for single-component names (V4 or V5), we use the one component
> - for two-component V4 names, we use the two components separated by dots.
> - for two-component V5 names, we use the two components separated by dots,
>   except that host/foo is converted to rcmd.foo, and for some 40 services
>   the second component is truncated at the first dot (*)
> - names with more than two components are rejected
> - if the realm is not one of the server's local realms, we add @realm,
>   with the realm coerced to lower case.
You forgot one:
- If the first component has a dot in it, the rxkad module will reject
  the name. This will hose you hard if you have names with a dot in
  them and you switch from a V4-converted ticket to a rxkad-2b ticket.
  (Yes, I learned this the hard way).
--Ken
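
The mapping rules listed in this thread, including the dot check, written out as an added Python example; it is not part of the original message and is not OpenAFS code. The function names, the `v5` flag, exact-match realm comparison and the one-entry `TRUNCATING_SERVICES` set are assumptions (the thread mentions "some 40 services" without listing them).

```python
# Added illustration of the name-mapping rules from this thread; not OpenAFS code.
# TRUNCATING_SERVICES is a constructed stand-in: the thread says "some 40
# services" are truncated but does not list them.
TRUNCATING_SERVICES = frozenset({"imap"})


class RejectedName(ValueError):
    """Raised when a principal cannot be mapped under the listed rules."""


def map_principal(components, realm, local_realms, v5=True,
                  truncating=TRUNCATING_SERVICES):
    """Map a Kerberos principal (list of name components) to an AFS name."""
    if not 1 <= len(components) <= 2:
        raise RejectedName("only one or two components are accepted")
    first = components[0]
    # Dot rule from the reply. Assumption: checked for V5 names only, where
    # '/' separates components and a '.' can sit inside the first one.
    # Under the listed rules, V5 "a.b" and V5 "a/b" would otherwise both
    # come out as "a.b".
    if v5 and "." in first:
        raise RejectedName("dot in first component")
    if len(components) == 1:
        name = first
    else:
        second = components[1]
        if v5:
            if first in truncating:
                second = second.split(".", 1)[0]  # cut at the first dot
            if first == "host":
                first = "rcmd"                    # host/foo -> rcmd.foo
        name = first + "." + second
    # Assumption: local realms are compared by exact string match.
    if realm not in local_realms:
        name += "@" + realm.lower()
    return name


def is_rejected(components, realm, local_realms, **kwargs):
    """True when map_principal refuses the name."""
    try:
        map_principal(components, realm, local_realms, **kwargs)
    except RejectedName:
        return True
    return False
```
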