Using enterprise principal name in GSS-API

Alan Braggins abraggin at brocade.com
Thu Oct 6 14:47:01 EDT 2016


Apparently I also have a broken mail that truncated most of that message.
I'll see if I can recover it.
________________________________________
From: Alan Braggins
Sent: 06 October 2016 19:45
To: Greg Hudson; Isaac Boukris; kerberos
Subject: Re: Using enterprise principal name in GSS-API

On 23/09/16 15:50, Greg Hudson wrote:
> On 09/23/2016 03:52 AM, Isaac Boukris wrote:
>> Maybe we need a new gss name type oid like GSS_NT_ENTERPRISE_NAME,
>> though I guess it's more complicated than it sounds :)
>
> I think that might be reasonable for this use case.  I've seen requests
> to be able to import enterprise principal names before, although (IIRC)
> sometimes for use cases where it might not have made as much sense.
>
> The concerns I can immediately think of are:
>
> * Is there any prior art we should try to be compatible with?  I don't
> see any in Heimdal, and MS doesn't directly implement GSS-API, so I
> don't think there is.
>
> * If someone uses one of these GSS names in a different scenario (e.g.
> for an acceptor credential), will it fail gracefully?  I believe that's
> generally the case.
>
> * Does canonicalization at cred acquisition time pose any issues for the
> GSS-API model, because the name you get creds for won't be the same as
> the name you asked for?  gss_acquire_cred_with_password() is an
> extension, not a standardized part of the API, so I think it shouldn't
> be a problem.

I have actually got a patch that adds gss_nt_krb5_name_enterprise as a
recognised OID (
