Principal naming
Marcus Watts
mdw at umich.edu
Fri Jan 18 14:23:48 EST 2013
Jeff Blaine <jblaine at kickflop.net> writes:
> Can anyone explain away the reasoning behind the decision
> to make user principals need the form:
>
> specific_part/contextual_part
>
> e.g. jennifer/admin
>
> and service principals the OPPOSITE - of the form
>
> contextual_part/specific_part
>
> e.g. host/daffodil.mit.edu
>
> What happened? Who knows the history and reason for this?
In Kerberos 4, the first part was the "name", and the
second part was the "instance".
So jennifer = name
admin = instance
host = name
daffodil.mit.edu = instance
Obviously, "daffodil" is the name, not "host".
For whatever reason, in Kerberos 5, they got rid of calling them
"name" and "instance", and it's just an array
of name components (1, 2, or you can have more: 3, 4...).
So the first part is not "context" or "specific_part",
it's just the "first part".
host/<fqdn> - is wired into program logic.
<user>/admin - is not wired in. That's strictly a human convention.
If it really bothers you, why not switch to
admin/<user> - and revise your acl logic to match?
-Marcus Watts
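An added example, not code from the thread or from krb5 itself, to make the reply's point concrete: a small parser that splits a Kerberos 5 principal string into its ordered component list and realm (following the krb5 text escaping rules), plus two checks showing that "host/<fqdn>" is a positional convention wired into program logic while "<user>/admin" is only a human convention whose position an ACL check can be told to inspect. Rejecting an unescaped "/" or "@" inside the realm is this parser's own simplification.

```python
# Added example, not code from the thread: parse a Kerberos 5 principal
# into ordered components and realm (krb5 escaping: "\/" and "\@" are
# literal, "\\" is a backslash, \n \t \b \0 are control characters).
ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}


def parse_principal(text):
    """Return (components, realm); realm is None when no '@' is present.
    Components carry no 'name'/'instance' label, matching krb5."""
    components, buf, realm, i = [], [], None, 0   # realm stays None until '@'
    while i < len(text):
        ch = text[i]
        if ch == "\\":                       # escape protects the next char
            if i + 1 == len(text):
                raise ValueError("trailing backslash")
            nxt = text[i + 1]
            (buf if realm is None else realm).append(ESCAPES.get(nxt, nxt))
            i += 2
            continue
        if realm is not None:                # inside the realm part
            if ch in "/@":                   # simplification: reject separators here
                raise ValueError("unescaped separator in realm")
            realm.append(ch)
        elif ch == "/":                      # component separator
            components.append("".join(buf)); buf = []
        elif ch == "@":                      # start of realm
            components.append("".join(buf)); buf = []
            realm = []
        else:
            buf.append(ch)
        i += 1
    if realm is None:
        components.append("".join(buf))
        return components, None
    return components, "".join(realm)


def is_host_service(components):
    """The convention krb5 wires into program logic: 'host' first,
    the instance (the FQDN) second."""
    return len(components) == 2 and components[0] == "host"


def has_admin_instance(components, admin_first=False):
    """'<user>/admin' is a human convention only; admin_first=True makes
    the same ACL check accept the reversed 'admin/<user>' form instead."""
    if len(components) != 2:
        return False
    return components[0] == "admin" if admin_first else components[1] == "admin"
```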