@ in principal names

Peter Mogensen apm at mutex.dk
Thu Jan 13 14:13:26 EST 2011

On 2011-01-13 20:01, Booker Bense wrote:
> In theory, yes you can have principals with \@ in the principal name with proper quoting.

Yes... I found the requirement to quote @ somewhere, and I managed to 
create principals without kadmin complaining.
But when trying to authenticate IMAP, Dovecot complained about illegal 
"\" in username. So I guessed I was missing something.

> In practice, you will find lots of hidden bugs in various kerberos implementations.

Currently trying with MIT Kerberos 1.8.1

> If you control all the kerberos libraries of all the clients it can be made to work. ( I did this
> at EPRI around 1993 or so with kerberos 4 ), but realistically it's not feasible.
> Even if you don't find library bugs, it's a user interface nightmare.

So, are there any recommended solutions for such a scenario?

Hosting many virtual realms? (more than practically editable in krb5.conf)

Replacing @ (with, say, %) so principals are localpart%domain at realm?

Any other way?
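As an added illustration (not code from this thread or from MIT Kerberos), the following Python models the principal-name quoting the thread refers to: `/` separates name components, the first unquoted `@` starts the realm, and a backslash quotes the next character, so a literal `@` inside a component is written `\@`. The escape table used here is the one commonly documented for MIT-style names (`\n`, `\t`, `\b`, `\0`, `\\`, `\/`, `\@`) and is an assumption of this example; the point it shows is that the backslash exists only in the *quoted* string form, and that a consumer which receives the unquoted component (as an IMAP username, say) should never see it.

```python
# Added example, not from the original mailing-list thread or from any
# Kerberos library. Models MIT-style quoting of principal names so that a
# literal '@' inside a component survives parsing and round-trips cleanly.

# Backslash escape table (assumed, per the usual MIT krb5 documentation).
ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0",
           "\\": "\\", "/": "/", "@": "@"}
# Reverse map used when re-quoting a component for the string form.
REVERSE = {v: k for k, v in ESCAPES.items()}


def parse_principal(text):
    """Split a quoted principal string into (components, realm).

    '/' separates components, the first unquoted '@' introduces the realm
    (None if absent), and '\\x' yields the quoted character x. Raises
    ValueError on a dangling backslash or a second unquoted '@'.
    """
    components, current = [], []
    in_realm = False
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch == "\\":
            if i + 1 >= n:
                raise ValueError("dangling backslash at end of principal")
            nxt = text[i + 1]
            # Unknown escapes are kept as the literal next character.
            current.append(ESCAPES.get(nxt, nxt))
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(current))
            current = []
        elif not in_realm and ch == "@":
            components.append("".join(current))
            current = []
            in_realm = True
        elif in_realm and ch == "@":
            raise ValueError("unquoted '@' inside realm")
        else:
            current.append(ch)
        i += 1
    if in_realm:
        return components, "".join(current)
    components.append("".join(current))
    return components, None


def quote(part):
    """Re-quote one component or realm for the string form."""
    return "".join("\\" + REVERSE[c] if c in REVERSE else c for c in part)


def unparse_principal(components, realm=None):
    """Inverse of parse_principal: quoted components joined by '/',
    followed by '@' and the realm when one is present."""
    text = "/".join(quote(c) for c in components)
    if realm is not None:
        text += "@" + quote(realm)
    return text


def username_for_application(text):
    """What an application should be handed: the unquoted first component.
    A backslash here would mean the quoted form leaked through unparsed."""
    components, _realm = parse_principal(text)
    return components[0]


if __name__ == "__main__":
    # Constructed sample principal with a literal '@' in the name part.
    sample = r"localpart\@example.com@EXAMPLE.ORG"
    comps, realm = parse_principal(sample)
    print(comps, realm)                      # ['localpart@example.com'] EXAMPLE.ORG
    print(unparse_principal(comps, realm))   # localpart\@example.com@EXAMPLE.ORG
    print(username_for_application(sample))  # localpart@example.com
```

The round trip through `parse_principal` and `unparse_principal` is where the thread's observation bites: each hop between libraries and applications must either pass the parsed components or re-quote them, and any layer that forwards the raw quoted string as a username is the one that ends up rejecting the backslash.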


