@ in principal names
Peter Mogensen
apm at mutex.dk
Thu Jan 13 14:13:26 EST 2011
On 2011-01-13 20:01, Booker Bense wrote:
> In theory, yes you can have principals with \@ in the principal name with proper quoting.
Yes... I found the requirement to quote @ somewhere, and I managed to
create principals without kadmin complaining.
But when trying to authenticate IMAP, Dovecot complained about illegal
"\" in username. So I guessed I were missing something.
> In practice, you will find lot's of hidden bugs in various kerberos implementations.
Currently trying with MIT Kerberos 1.8.1
> If you control all the kerberos libraries of all the clients it can be made to work. ( I did this
> at EPRI around 1993 or so with kerberos 4 ), but realistically it's not feasible.
>
> Even if you don't find library bugs, it's a user interface nightmare.
So, are there any recommended solution for such a scenario?
Hosting many virtual realms? (more than practically editable in krb5.conf)
Replaing @ (with, say %) so principals are localpart%domain at realm ?
Any other way?
/Peter
More information about the Kerberos
mailing list