[OpenAFS-devel] Kerberos v5 Principal Names containing dots in the first component

Russ Allbery rra@stanford.edu
Thu, 02 Aug 2007 11:44:25 -0700


"Douglas E. Engert" <deengert@anl.gov> writes:

> I agree with Ken that there may only be a handful of special
> cases. There may also be an approach 4.

> 4. Map compound K5 principal names to name1/name2 rather
>    than name1.name2 in the PTS. i.e. use K5 separator and rules
>    rather than K4.

> This would require a site to go through their PTS and look at current
> entries. But it would be much more in line with K5. The mapping of
> "host" to "rcmd" and other K4 mapping should also be looked at. If AFS
> is dropping K4, then it should drop its conventions in the PTS too.

This makes migrating an existing site a huge pain and means that you can't
use both K4 and K5 at the same time easily without adding another PTS
entry for all PTS entries of this kind and then trying to find what ACLs
they're on.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
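
Added example, not part of the original message and not OpenAFS code: a Python sketch of the two naming schemes discussed above, showing which K5 principals collide on one PTS name under the K4-style "." join and which entries would be renamed under approach 4. The function names and sample principals are constructed for illustration. It assumes no escaped "/" or "@" in principal names, a simplified "host" to "rcmd" conversion, and that approach 4 drops that conversion.

```python
from collections import defaultdict

# K4-era service-name conversion mentioned in the thread ("host" -> "rcmd").
K4_NAME_MAP = {"host": "rcmd"}

def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm); escapes not handled."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm

def pts_name_k4_style(principal):
    """K4 convention: apply the host->rcmd conversion, join components with '.'."""
    comps, _ = split_principal(principal)
    comps[0] = K4_NAME_MAP.get(comps[0], comps[0])
    return ".".join(comps)

def pts_name_approach4(principal):
    """Approach 4: keep the K5 '/' separator (assumed: no K4 renaming)."""
    comps, _ = split_principal(principal)
    return "/".join(comps)

def collisions(principals, mapper):
    """Return {pts_name: [principals]} for names claimed by more than one principal."""
    seen = defaultdict(list)
    for p in principals:
        seen[mapper(p)].append(p)
    return {name: ps for name, ps in seen.items() if len(ps) > 1}

def needs_migration(principals):
    """Principals whose PTS name changes when moving from K4 style to approach 4."""
    return [p for p in principals
            if pts_name_k4_style(p) != pts_name_approach4(p)]

# Constructed sample principals (not taken from the thread).
SAMPLE = [
    "jdoe@EXAMPLE.ORG",
    "jdoe.admin@EXAMPLE.ORG",   # dot inside the first component
    "jdoe/admin@EXAMPLE.ORG",   # two-component K5 name
    "host/web1@EXAMPLE.ORG",
]

if __name__ == "__main__":
    print("K4-style collisions:  ", collisions(SAMPLE, pts_name_k4_style))
    print("Approach 4 collisions:", collisions(SAMPLE, pts_name_approach4))
    print("Renamed by approach 4:", needs_migration(SAMPLE))
```

Every principal returned by needs_migration corresponds to a PTS entry that would have to be renamed or duplicated, and whose ACL uses would have to be located, which is the migration cost raised in the reply.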