Principal naming

Nico Williams nico at cryptonector.com
Fri Jan 18 12:44:31 EST 2013


On Fri, Jan 18, 2013 at 11:25 AM, Jeff Blaine <jblaine at kickflop.net> wrote:
> Can anyone explain away the reasoning behind the decision
> to make user principals need the form:
>
>      specific_part/contextual_part
>
>      e.g. jennifer/admin
>
> and service principals the OPPOSITE - of the form
>
>      contextual_part/specific_part
>
>      e.g. host/daffodil.mit.edu
>
> What happened? Who knows the history and reason for this?

I wasn't there, so I don't know, but it's something to live with.
Well, there's actually no need for /admin principals -- you could just
not have them and modify the kadmin client to stop baking that in (or
use it with the -c ccache option).

There's really no point to the /admin thing: since the server requires
INITIAL tickets there's no risk of use of stolen TGTs for accessing
kadmin, and if you were to have different pre-authentication
requirements for kadmin than for initial TGTs the protocol does allow
that.

So, yeah, I think it'd be a good idea to start making changes to
kadmin to stop insisting on /admin principals.

Nico
--
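The point Nico makes above (the kadmin server insists on INITIAL tickets, so a ticket derived from a stolen TGT through the TGS exchange cannot be used against it) as an added illustration that is not part of the thread: a small Python decoder for RFC 4120 TicketFlags with that check applied. Flag names and bit positions are those of RFC 4120 section 5.3; the two sample tickets are constructed (the AS-issued one being what MIT `kinit -S kadmin/admin` would obtain).

```python
# Added example (not from the thread): decode RFC 4120 TicketFlags and apply
# the INITIAL-ticket requirement that a kadmin-style server relies on.
# Bit positions follow RFC 4120 section 5.3: bit 0 is the most significant
# bit of the first octet of the KerberosFlags BIT STRING.
TICKET_FLAG_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8,
    "initial": 9, "pre-authent": 10, "hw-authent": 11,
    "transited-policy-checked": 12, "ok-as-delegate": 13,
}


def decode_ticket_flags(octets: bytes) -> set:
    """Return the names of the flags set in a KerberosFlags bit-string body.

    `octets` is the BIT STRING content with the ASN.1 tag, length and
    unused-bits byte already stripped; KerberosFlags carries >= 32 bits.
    """
    if len(octets) < 4:
        raise ValueError("KerberosFlags must carry at least 32 bits")
    names = set()
    for name, bit in TICKET_FLAG_BITS.items():
        byte, offset = divmod(bit, 8)
        if octets[byte] & (0x80 >> offset):
            names.add(name)
    return names


def encode_ticket_flags(names) -> bytes:
    """Inverse of decode_ticket_flags: build the 4-octet bit-string body."""
    out = bytearray(4)
    for name in names:
        byte, offset = divmod(TICKET_FLAG_BITS[name], 8)
        out[byte] |= 0x80 >> offset
    return bytes(out)


def kadmin_accepts(ticket_flag_octets: bytes) -> bool:
    """Accept only tickets obtained directly from the AS exchange.

    INITIAL is set only on AS-issued tickets; a service ticket the TGS mints
    from a (possibly stolen) TGT never carries it, so it is refused here.
    """
    flags = decode_ticket_flags(ticket_flag_octets)
    return "initial" in flags and "invalid" not in flags


# Constructed samples: a kadmin/admin ticket from the AS exchange, and one for
# the same service requested through the TGS with an existing TGT.
AS_TICKET = encode_ticket_flags({"initial", "pre-authent", "renewable"})
TGS_TICKET = encode_ticket_flags({"pre-authent", "renewable", "forwardable"})
```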