[OpenAFS-devel] Kerberos v5 Principal Names containing dots in the first component

Douglas E. Engert deengert@anl.gov
Mon, 06 Aug 2007 14:12:20 -0500


Jeffrey Hutzelman wrote:
> 
> 
> On Thursday, August 02, 2007 11:44:25 AM -0700 Russ Allbery 
> <rra@stanford.edu> wrote:
> 
>> "Douglas E. Engert" <deengert@anl.gov> writes:
>>
>>> I agree with Ken that there may only be a handful of special
>>> cases. There may also be an approach 4.
>>
>>> 4. Map compound K5 principal names to name1/name2 rather
>>>    than name1.name2 in the PTS, i.e. use K5 separator and rules
>>>    rather than K4.
>>
>>> This would require a site to go through their PTS and look at current
>>> entries. But it would be much more in line with K5. The mapping of
>>> "host" to "rcmd" and other K4 mapping should also be looked at. If AFS
>>> is dropping K4, then it should drop its conventions in the PTS too.
>>
>> This makes migrating an existing site a huge pain and means that you can't
>> use both K4 and K5 at the same time easily without adding another PTS
>> entry for all PTS entries of this kind and then trying to find what ACLs
>> they're on.
> 
> ... which is one of the reasons why the current plan 

What plan?  Is there a plan? All I have seen is this thread on what to
do about K5 principal names with periods, and how this conflicts with what
the pts does with multiple part principals and how it uses a K4 style "."
as a separator.


> does not involve 
> ever doing any such thing.  Instead, the planned approach is to treat 
> PTS entry names as the independent strings they are, unrelated to any 
> particular authentication mechanism.  The goal is for the ptserver to
> provide both directory- and rule-based mappings from mechanism-specific 
> authentication names to PTS entries, with some default rules based on 
> name mapping that will "just work" for most sites.
> 
> -- Jeff

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
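
The ambiguity discussed in this thread, as an added example (not part of the original message and not OpenAFS code): a simplified model of the K4-style "." join next to the name1/name2 form from approach 4, run over constructed principals to report which ones would land on the same PTS name. The function names, the EXAMPLE.ORG realm and the single-realm assumption are hypothetical.

```python
from collections import defaultdict

# Assumption: simplified model of the K4-style convention named in the thread
# (components joined with ".", K5 "host" mapped to K4 "rcmd").
K4_FIRST_COMPONENT = {"host": "rcmd"}


def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm). No escape handling."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm


def pts_name_k4_style(principal):
    """K4-style PTS name: '.' joins components, so 'a.b' and 'a/b' look alike."""
    comps, _ = split_principal(principal)
    comps[0] = K4_FIRST_COMPONENT.get(comps[0], comps[0])
    return ".".join(comps)


def pts_name_k5_style(principal):
    """Approach 4 from the thread: keep the K5 '/' separator, no K4 renaming."""
    comps, _ = split_principal(principal)
    return "/".join(comps)


def find_collisions(principals, mapper):
    """Return {pts_name: [principals]} for names claimed by more than one principal."""
    by_name = defaultdict(list)
    for p in principals:
        by_name[mapper(p)].append(p)
    return {name: ps for name, ps in by_name.items() if len(ps) > 1}


# Constructed sample principals, all in one local realm (assumption).
SAMPLE = [
    "jane.admin@EXAMPLE.ORG",   # one component that contains a dot
    "jane/admin@EXAMPLE.ORG",   # two components: jane + admin instance
    "bob@EXAMPLE.ORG",
    "host/web1@EXAMPLE.ORG",
]

if __name__ == "__main__":
    for label, mapper in (("K4-style", pts_name_k4_style),
                          ("K5-style", pts_name_k5_style)):
        print(label, find_collisions(SAMPLE, mapper))
```

Run against a dump of a site's real principal list, the K4-style report shows which entries would need review before dotted first components are accepted.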