[OpenAFS] Re: is there any good reason to use capitalized names for new realms?

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 25 Jan 2006 19:02:33 -0500


On Wednesday, January 25, 2006 01:15:35 PM -0800 Russ Allbery 
<rra@stanford.edu> wrote:

> Adam Megacz <megacz@cs.berkeley.edu> writes:
>> Russ Allbery <rra@stanford.edu> writes:
>
>>> Yes, there's a lot of software out there that assumes all realm names
>>> are in uppercase.  It's possible to use lowercase realms (stanford.edu
>>> is a lowercase realm), but learn from our mistake and don't do it.
>>> It's not worth it.
>
>> I'd actually be really interested in knowing more about what broke.  Are
>> there any non-ancient libkrb's that include this assumption, or is it
>> just some poorly written applications?
>
> It's not that anything necessarily *broke* (although I think some versions
> of desktop Kerberos had difficulty, although that may have been with our
> K4 vs. K5 realm mismatch).  As I said, we're using it, and it does work.
> It's that it's not the default, so you have to do a bunch more
> configuration work.  For instance, I think your AFS cell will need special
> configuration to tell it what realm it's associated with, automatic
> derivations of realm names from system names will fail and you'll need to
> configure special mappings, etc.


Please take a look at RFC4120, section 6.1, which sums up the issue:

   Although realm names are encoded as GeneralStrings and technically a
   realm can select any name it chooses, interoperability across realm
   boundaries requires agreement on how realm names are to be assigned,
   and what information they imply.

   To enforce these conventions, each realm MUST conform to the
   conventions itself, and it MUST require that any realms with which
   inter-realm keys are shared also conform to the conventions and
   require the same from its neighbors.

   [...]

   Domain style realm names MUST look like domain names: they consist of
   components separated by periods (.) and they contain neither colons
   (:) nor slashes (/).  Though domain names themselves are case
   insensitive, in order for realms to match, the case must match as
   well.  When establishing a new realm name based on an internet domain
   name it is recommended by convention that the characters be converted
   to uppercase.


In other words, this is one of those cases where things work a lot better 
if everyone does it the same way, and in this case, the well-established 
approach is to use upper-case realm names.

No one is going to force you to follow those conventions, though some 
people may refuse to talk to you if you don't, and others may simply be 
unable to talk to you because they know realm names are always uppercase 
and simply will not believe yours is lowercase no matter how much you tell 
them.  However, you asked for advice, and Russ operates what as far as I 
know is the largest and longest-lived example of a realm that has deviated 
from convention in this way.  I'd listen to him if I were you.

-- Jeff
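
Added example, not part of the original message or of any Kerberos implementation: a short Python check of the RFC 4120 section 6.1 rules quoted above, showing why a lowercase realm never matches the realm software derives automatically from a host name. The derivation rule (drop the host label, uppercase the rest), the function names and the example.edu hosts are assumptions constructed for illustration.

```python
# Added illustration; names and sample hosts are constructed, not from the thread.

def is_domain_style(realm: str) -> bool:
    """RFC 4120 6.1: components separated by periods, no ':' and no '/'."""
    if ":" in realm or "/" in realm:
        return False
    # Every period-separated component must be non-empty.
    return all(realm.split("."))

def follows_uppercase_convention(realm: str) -> bool:
    """Domain-style realm written entirely in uppercase, as recommended."""
    return is_domain_style(realm) and realm == realm.upper()

def realms_match(a: str, b: str) -> bool:
    """Realm comparison is exact: DNS case-insensitivity does not carry over."""
    return a == b

def derived_realm(fqdn: str) -> str:
    """Assumed automatic derivation: drop the host label, uppercase the domain."""
    _host, _, domain = fqdn.rstrip(".").partition(".")
    return domain.upper()

def hosts_needing_mapping(realm: str, fqdns: list[str]) -> list[str]:
    """Hosts whose derived realm differs from the real one, so each needs
    an explicit host-to-realm mapping in client configuration."""
    return [h for h in fqdns if not realms_match(derived_realm(h), realm)]

if __name__ == "__main__":
    hosts = ["afsdb1.example.edu", "login.example.edu"]  # constructed sample
    for realm in ("EXAMPLE.EDU", "example.edu"):
        print(realm,
              "conventional" if follows_uppercase_convention(realm) else "non-conventional",
              "needs mappings for:", hosts_needing_mapping(realm, hosts))
```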