A client name with an '@'
Ken Hornstein
kenh at cmf.nrl.navy.mil
Wed Jun 3 11:21:04 EDT 2015
>> Boy if I could get user principal mapping going, that would be sweet.
>
>Or you might retain the uppercase realm and try to cross-sign between
>the uppercase and lowercase realms. Your (somewhat silly) clients logon
>to the lowercase realm and gain access to the (less errorprone) uppercase
>realm.
I think if you had two realms that differed only by case, that would be
a recipe for a disaster (what happened when you tried to look up realm
information in DNS, which is case-insensitive for lookup?).
Also, the venerably Russ Allberry created a lowercase realm for Stanford,
and repeatedly has said that if he had to do it all over again he wouldn't
have done a lowercase realm; too much software assumes an uppercase realm.
Maybe that has changed in the intervening years.
--Ken
More information about the Kerberos
mailing list