Principal names, mappings and RFCs

[Tom_Krauss]

Hi,

we plan to use NFSv3 and Kerberos authentication.

Applications which use NFS will be provided with a keytab. 
In order to have individual keytabs for each instance of an application on
lots of servers we plan to use principal type 3 names - NT-SRV-HST - for the
clients:

myapp/host1.dom at REALM
myapp/host2.dom at REALM
...

We have an appliance providing the NFS server facility. 
The appliance cuts off everything from a client`s principal name that
follows the first instance.

So given the example above I do not need to take care about principal
mapping on the server since "myapp" equals "myapp".

On one hand side this seems pretty convenient but from a security point of
view I have some doubt and that is why I look for guidelines.

I read the relevant chapters in RFC 1510 (7.2) and 4120 (6.2) and they do
not seem to forbid the "blackbox mapping" as described above. So - does our
vendor comply to the RFCs?

Are there any kinds of rules or is that completely relative because
principal mapping always depends on a customer`s requirements?

Thanks for your insight.



--
View this message in context: http://kerberos.996246.n3.nabble.com/Principal-names-mappings-and-RFCs-tp38893.html
Sent from the Kerberos - General mailing list archive at Nabble.com.