[OpenAFS-devel] Kerberos v5 Principal Names containing dots in the first component

Jeffrey Hutzelman jhutz@cmu.edu
Mon, 06 Aug 2007 14:11:34 -0400


On Thursday, August 02, 2007 11:44:25 AM -0700 Russ Allbery 
<rra@stanford.edu> wrote:

> "Douglas E. Engert" <deengert@anl.gov> writes:
>
>> I agree with Ken that there may only be a handful of special
>> cases. There may also be an approach 4.
>
>> 4. Map compound K5 principal names to name1/name2 rather
>>    than name1.name2 in the PTS, i.e. use K5 separator and rules
>>    rather than K4.
>
>> This would require a site to go through their PTS and look at current
>> entries. But it would be much more in line with K5. The mapping of
>> "host" to "rcmd" and other K4 mapping should also be looked at. If AFS
>> is dropping K4, then it should drop its conventions in the PTS too.
>
> This makes migrating an existing site a huge pain and means that you can't
> use both K4 and K5 at the same time easily without adding another PTS
> entry for all PTS entries of this kind and then trying to find what ACLs
> they're on.

... which is one of the reasons why the current plan does not involve ever 
doing any such thing.  Instead, the planned approach is to treat PTS entry 
names as the independent strings they are, unrelated to any particular 
authentication mechanism.  The goal is for the ptserver to provide both 
directory- and rule-based mappings from mechanism-specific authentication 
names to PTS entries, with some default rules based on name mapping that 
will "just work" for most sites.

-- Jeff
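The following is an added example, not OpenAFS code and not anything posted in this thread. It sketches the two-layer mapping Jeff describes (an explicit directory consulted first, then ordered rules) and puts the K4-style default rule (components joined with ".", "host" renamed to "rcmd", a lowercased "@realm" suffix for foreign realms) next to the approach-4 rule that keeps the K5 "/" separator. The realm name EXAMPLE.ORG, the sample principals, the directory table and the exact shape of both rules are assumptions made for the example. The collision check is the audit a site would want to run over its own principals before choosing a rule set: under the K4 rule, "john/doe" and "john.doe" (the case in this thread's subject line) land on the same PTS name.

```python
"""Kerberos v5 principal -> PTS name mapping: directory first, then ordered rules.

Added example, not OpenAFS code.  LOCAL_REALMS, the sample principals, the
directory entries and the precise form of both rules are assumptions.
"""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

LOCAL_REALMS = {"EXAMPLE.ORG"}  # assumption: realms that count as "this cell"

Components = Tuple[str, ...]
Rule = Callable[[Components, str], Optional[str]]


def parse_principal(text: str) -> Tuple[Components, str]:
    """Split 'c1/c2@REALM' into (components, realm), honouring backslash escapes.

    A backslash escapes the next character, so 'a\\/b@R' is one component 'a/b'.
    Once the '@' has been seen, '/' and '@' are literal realm characters.
    """
    comps: List[str] = []
    cur: List[str] = []
    realm: Optional[str] = None
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if realm is None and ch == "/":
            comps.append("".join(cur))
            cur = []
        elif realm is None and ch == "@":
            comps.append("".join(cur))
            cur = []
            realm = ""  # marks that the realm part has started
        else:
            cur.append(ch)
        i += 1
    if realm is None:
        raise ValueError("principal has no realm: %r" % text)
    realm = "".join(cur)
    if not realm or not comps or any(c == "" for c in comps):
        raise ValueError("empty realm or component in %r" % text)
    return tuple(comps), realm


def k4_rule(comps: Components, realm: str) -> Optional[str]:
    """K4-style default (assumed): 'host' -> 'rcmd', join with '.', '@realm' if foreign."""
    first = "rcmd" if comps[0] == "host" else comps[0]
    name = ".".join((first,) + comps[1:])
    if realm not in LOCAL_REALMS:
        name += "@" + realm.lower()
    return name


def k5_rule(comps: Components, realm: str) -> Optional[str]:
    """Approach-4 style (assumed): keep the K5 '/' separator, no K4 renaming."""
    name = "/".join(comps)
    if realm not in LOCAL_REALMS:
        name += "@" + realm.lower()
    return name


def map_principal(text: str, directory: Dict[str, str], rules: Iterable[Rule]) -> str:
    """Exact directory hit wins; otherwise the first rule that returns a name."""
    if text in directory:
        return directory[text]
    comps, realm = parse_principal(text)
    for rule in rules:
        name = rule(comps, realm)
        if name is not None:
            return name
    raise LookupError("no mapping for %r" % text)


def find_collisions(principals: Iterable[str], directory: Dict[str, str],
                    rules: List[Rule]) -> Dict[str, List[str]]:
    """PTS names that more than one distinct principal maps to, with those principals."""
    seen: Dict[str, List[str]] = {}
    for p in principals:
        seen.setdefault(map_principal(p, directory, rules), []).append(p)
    return {name: ps for name, ps in seen.items() if len(ps) > 1}


# Constructed sample data for the example.
SAMPLE_PRINCIPALS = [
    "john/doe@EXAMPLE.ORG",
    "john.doe@EXAMPLE.ORG",             # dot in the first component
    "host/fs1.example.org@EXAMPLE.ORG",
    "svc/backup@EXAMPLE.ORG",           # handled by the directory, not a rule
    "alice@OTHER.EDU",                  # foreign realm
]
SAMPLE_DIRECTORY = {"svc/backup@EXAMPLE.ORG": "backup"}

if __name__ == "__main__":
    for label, rules in (("K4-style rule", [k4_rule]), ("K5-style rule", [k5_rule])):
        print(label)
        for p in SAMPLE_PRINCIPALS:
            print("  %-36s -> %s" % (p, map_principal(p, SAMPLE_DIRECTORY, rules)))
        print("  collisions:", find_collisions(SAMPLE_PRINCIPALS, SAMPLE_DIRECTORY, rules))
```

Running it shows the trade-off from the thread directly: the K4-style rule reports a collision on "john.doe" and yields "rcmd.fs1.example.org" for the host principal, while the K5-style rule keeps every sample principal distinct but would require renaming existing "name1.name2" and "rcmd.*" PTS entries (and the ACLs that carry them), which is exactly the migration cost Russ objects to. Either way the directory entry for "svc/backup" is honoured before any rule runs.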