[OpenAFS-devel] Kerberos v5 Principal Names containing dots in the first component

Douglas E. Engert deengert@anl.gov
Thu, 02 Aug 2007 14:36:29 -0500


Russ Allbery wrote:
> "Douglas E. Engert" <deengert@anl.gov> writes:
> 
>> I agree with Ken that there may only be a handful of special
>> cases. There may also be an approach 4.
> 
>> 4. Map compound K5 principal names to name1/name2 rather
>>    than name1.name2 in the PTS, i.e. use the K5 separator and rules
>>    rather than K4.
> 
>> This would require a site to go through their PTS and look at current
>> entries. But it would be much more in line with K5. The mapping of
>> "host" to "rcmd" and other K4 mappings should also be looked at. If AFS
>> is dropping K4, then it should drop its conventions in the PTS too.
> 
> This makes migrating an existing site a huge pain and means that you can't
> use both K4 and K5 at the same time easily without adding another PTS
> entry for all PTS entries of this kind and then trying to find what ACLs
> they're on.

Depends.  We have 3 entries that need to be renamed. You may have many more,
and may still be using K4 a lot, but it's all in the PTS, and "pts listentries"
should list all of them. I could see a script to rename the entries that need
to be changed one morning when the separator was changed from "." to "/".

I may have oversimplified, but the point is to quit using the old K4
separator of a "." as a "." is valid in a component of a K5 principal.


-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
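The following is an added illustration, not code from the OpenAFS project or from anyone in this thread. It models the two PTS naming conventions under discussion, the K4-style "name1.name2" form with the "host" to "rcmd" rename, and approach 4's K5-style "name1/name2" form, and shows the collision that a dot inside the first K5 component causes. The function names, the one-entry K4 service map, and the sample principals are all constructed for the example; it does not talk to a real PTS.

```python
"""Contrast K4-style and K5-style mapping of Kerberos principals to AFS PTS
entry names (added example; assumptions: the K4 rename table holds only the
host->rcmd entry the thread mentions, and backslash escapes do not occur)."""

# Kerberos 4 convention: name.instance, with the "host" service renamed to "rcmd".
K4_SERVICE_MAP = {"host": "rcmd"}


def parse_k5(principal):
    """Split 'comp1/comp2/...@REALM' into (components, realm).

    Only the first '@' separates the realm.  Assumption: no backslash-escaped
    '/' or '@' characters appear in the names handled here.
    """
    name, _, realm = principal.partition("@")
    return name.split("/"), realm


def to_pts_k4(principal):
    """Old-style mapping: join K5 components with the K4 '.' separator and
    apply the host->rcmd rename to the first component."""
    comps, _ = parse_k5(principal)
    first = K4_SERVICE_MAP.get(comps[0], comps[0])
    return ".".join([first] + comps[1:])


def to_pts_k5(principal):
    """Approach 4 from the message: keep the K5 '/' separator and apply no K4
    renames, so the PTS name is the principal minus its realm."""
    comps, _ = parse_k5(principal)
    return "/".join(comps)


def collisions(principals, mapper):
    """Return {pts_name: [principal, ...]} for every PTS name that more than
    one distinct principal maps to, i.e. where the mapping loses information."""
    seen = {}
    for p in principals:
        seen.setdefault(mapper(p), []).append(p)
    return {name: ps for name, ps in seen.items() if len(ps) > 1}


def rename_plan(principals):
    """List (old_pts_name, new_pts_name) pairs for entries whose K4-style name
    differs from the K5-style name: the 'script to rename the entries' the
    message envisages.  Single-component principals need no rename."""
    plan = []
    for p in principals:
        old, new = to_pts_k4(p), to_pts_k5(p)
        if old != new:
            plan.append((old, new))
    return plan


# Constructed sample principals (not taken from the page).
SAMPLE = [
    "joe.smith@EXAMPLE.ORG",            # a dot inside the first component
    "joe/smith@EXAMPLE.ORG",            # two components
    "host/fs1.example.org@EXAMPLE.ORG",  # K5 host service principal
    "rcmd.fs1.example.org@EXAMPLE.ORG",  # single component that merely contains "rcmd."
]

if __name__ == "__main__":
    print("K4-style collisions:", collisions(SAMPLE, to_pts_k4))
    print("K5-style collisions:", collisions(SAMPLE, to_pts_k5))
    print("Entries to rename:", rename_plan(SAMPLE))
```

Run as a script it reports that under the K4-style rule both "joe.smith@EXAMPLE.ORG" and "joe/smith@EXAMPLE.ORG" land on the PTS entry "joe.smith" (and the two fs1 principals on "rcmd.fs1.example.org"), while the "/"-separated rule keeps all four distinct; the rename plan is the list an administrator would feed to pts rename on the morning the separator changes.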