OID gss_nt_krb5_name value?

Will Fiveash william.fiveash at sun.com
Wed May 29 15:00:01 EDT 2002


On Wed, May 29, 2002 at 12:15:29PM -0400, Ken Raeburn wrote:
> GSS_KRB5_NT_USER_NAME from RFC 1964 is the same as GSS_C_NT_USER_NAME
> from RFC 2744; it's a generic user name, not a principal name.  But
> the string you were looking at is for one of the Kerberos-related name
> types.
> 
> Unfortunately, the naming is a little screwed up.
> GSS_KRB5_NT_PRINCIPAL_NAME is {... gssapi(2) krb5(2) krb5_name(1)} and
> uses the C variable gss_nt_krb5_name.  There's also a
> gss_nt_krb5_principal variable, oid {... gssapi(2) krb5(2)
> krb5_principal(2)}, but that doesn't seem to be in the RFC.  Possibly
> for internal use, or for the revised krb5 mechanism that never really
> got off the ground, but I have to run and don't have time to look more
> closely just this moment.  At first glance, it does appear to be a
> binary format name, using the krb5_principal data type.

Thanks for the explanation.  I also see in RFC 2744 where it
discusses the ASN.1 BER encoding scheme for the gss_OID which explains
the octal values assigned to gss_nt_krb5_name.  

One other question, does anyone know if there are any interop problems
caused by different values for gss_nt_krb5_name being used by
different Kerberos implementations?  Is this value ever sent over the
network?  I'm trying to figure out what to do regarding a bug caused
by our redefining gss_nt_krb5_name from:

"\052\206\110\206\367\022\001\002\001\001"

to the MIT value:

"\052\206\110\206\367\022\001\002\002\001".

I'm concerned that if I change gss_nt_krb5_name back to
"\052\206\110\206\367\022\001\002\001\001" I may be creating interop
problems.

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
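
Added example, not part of the original message or of any Kerberos implementation's source: a small C decoder for the BER content octets a gss_OID holds, applied to the two octal strings quoted above so they can be compared in dotted form against the arcs named in the RFCs. The names `oid_to_dotted`, `OLD_VALUE` and `MIT_VALUE` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* The two gss_nt_krb5_name values quoted in the message, as C literals. */
static const char OLD_VALUE[] = "\052\206\110\206\367\022\001\002\001\001";
static const char MIT_VALUE[] = "\052\206\110\206\367\022\001\002\002\001";

/* Decode BER OBJECT IDENTIFIER content octets into dotted-decimal text.
 * Returns 0 on success, -1 on malformed input or if out is too small. */
int oid_to_dotted(const unsigned char *der, size_t len, char *out, size_t outsz)
{
    size_t i = 0, used = 0;
    int first = 1;

    if (len == 0 || outsz == 0)
        return -1;
    out[0] = '\0';
    while (i < len) {
        unsigned long arc = 0;
        unsigned char b;
        int n;

        if (der[i] == 0x80)                 /* non-minimal arc encoding */
            return -1;
        do {                                /* base-128, high bit means "more" */
            if (i == len || arc > (0xFFFFFFFFUL >> 7))
                return -1;                  /* truncated or overflowing arc */
            b = der[i++];
            arc = (arc << 7) | (b & 0x7F);
        } while (b & 0x80);
        if (first) {                        /* first octet group packs 40*X + Y */
            unsigned long x = arc < 80 ? arc / 40 : 2;
            n = snprintf(out + used, outsz - used, "%lu.%lu", x, arc - 40 * x);
            first = 0;
        } else {
            n = snprintf(out + used, outsz - used, ".%lu", arc);
        }
        if (n < 0 || (size_t)n >= outsz - used)
            return -1;
        used += (size_t)n;
    }
    return 0;
}

int main(void)
{
    char buf[64];
    if (oid_to_dotted((const unsigned char *)OLD_VALUE, sizeof OLD_VALUE - 1, buf, sizeof buf) == 0)
        printf("old value: %s\n", buf);
    if (oid_to_dotted((const unsigned char *)MIT_VALUE, sizeof MIT_VALUE - 1, buf, sizeof buf) == 0)
        printf("MIT value: %s\n", buf);
    return 0;
}
```

The two strings differ only in the second-to-last arc: the old value ends in `.1.1` and the MIT value in `.2.1`.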


