[OpenAFS-devel] Kerberos v5 Principal Names containing dots in the first component
Douglas E. Engert
deengert@anl.gov
Thu, 02 Aug 2007 14:36:29 -0500
Russ Allbery wrote:
> "Douglas E. Engert" <deengert@anl.gov> writes:
>
>> I agree with Ken that there may only be a handful of special
>> cases. There may also be an approach 4.
>
>> 4. Map compound K5 principal names, to name1/name2 rather
>> than name1.name2 in the PTS. i.e. use K5 separator and rules
>> rather than K4.
>
>> This would require a site to go through their PTS and look at current
>> entries. But it would be much more in line with K5. The mapping of
>> "host" to "rcmd" and other K4 mapping should also be looked at. If AFS
>> is dropping K4, then it should drop its conventions in the PTS too.
>
> This makes migrating an existing site a huge pain and means that you can't
> use both K4 and K5 at the same time easily without adding another PTS
> entry for all PTS entries of this kind and then trying to find what ACLs
> they're on.
Depends. We have 3 entries that need to be renamed. You may have many more,
and may still be using K4 a lot, but it's all in the PTS, and "pts listentries"
should list all of them. I could see a script to rename the entries that need
to be changed one morning when the separator was changed from "." to "/".
I may have oversimplified, but the point is to quit using the old K4
separator of a "." as a "." is valid in a component of a K5 principal.
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
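
Added example, not part of the original message and not OpenAFS code: a sketch of the rename planning discussed in the thread, showing that joining components with "." lets two distinct K5 principals claim one PTS name while joining with "/" does not. The principals, the listing and its column layout are constructed for illustration, escaped separators in principal names are not handled, and the "/" names assume the separator change proposed above.

```python
import shlex

# Constructed sample data: principals a site might have, and a listing in the
# assumed "header row, then name-first columns" layout of `pts listentries`.
PRINCIPALS = ["alice@EXAMPLE.ORG", "alice/admin@EXAMPLE.ORG",
              "alice.admin@EXAMPLE.ORG", "bob/cron@EXAMPLE.ORG",
              "carol.smith@EXAMPLE.ORG"]
LISTING = """Name          ID  Owner Creator
alice       1001   -204    -204
alice.admin 1002   -204    -204
bob.cron    1003   -204    -204
carol.smith 1004   -204    -204
"""

def components(principal):
    """Split on the K5 separator only; a "." stays inside its component."""
    return principal.rsplit("@", 1)[0].split("/")

def pts_name(principal, sep):
    """PTS name when the principal's components are joined with sep."""
    return sep.join(components(principal))

def collisions(principals, sep):
    """Map each PTS name claimed by more than one principal to its claimants."""
    seen = {}
    for p in principals:
        seen.setdefault(pts_name(p, sep), []).append(p)
    return {name: ps for name, ps in seen.items() if len(ps) > 1}

def parse_listentries(text):
    """Entry names: first column of every non-empty row after the header."""
    return [l.split()[0] for l in text.splitlines()[1:] if l.strip()]

def rename_plan(entries, principals):
    """Return (commands, needs_review) for moving compound names from "." to "/"."""
    ambiguous = collisions(principals, ".")
    wanted = {pts_name(p, "."): pts_name(p, "/")
              for p in principals if len(components(p)) > 1}
    plan, review = [], []
    for entry in entries:
        if entry in ambiguous:
            review.append(entry)      # two principals share this name today
        elif entry in wanted:
            plan.append("pts rename -oldname %s -newname %s"
                        % (shlex.quote(entry), shlex.quote(wanted[entry])))
    return plan, review

if __name__ == "__main__":
    print(collisions(PRINCIPALS, "."), collisions(PRINCIPALS, "/"))
    print(rename_plan(parse_listentries(LISTING), PRINCIPALS))
```

Entries returned in the review list are the ones whose ACL memberships need a manual check before any rename, since the existing PTS entry cannot say which of the two principals it was created for.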