OID gss_nt_krb5_name value?

Tom Yu tlyu at MIT.EDU
Wed May 29 15:48:01 EDT 2002


>>>>> "WF" == Will Fiveash <william.fiveash at sun.com> writes:

WF> On Wed, May 29, 2002 at 12:15:29PM -0400, Ken Raeburn wrote:

>> GSS_KRB5_NT_USER_NAME from RFC 1964 is the same as
>> GSS_C_NT_USER_NAME from RFC 2744; it's a generic user name, not a
>> principal name.  But the string you were looking at is for one of
>> the Kerberos-related name types.

[...]

WF> One other question, does anyone know if there are any interop
WF> problems caused by different values for gss_nt_krb5_name being
WF> used by different Kerberos implementations?  Is this value ever
WF> sent over the network?  I'm trying to figure out what to do
WF> regarding a bug caused by our redefining gss_nt_krb5_name from:

I don't believe that the lowercase versions of the symbols should be
considered to be part of the exported API.  RFC 2744 makes it clear
that the OID convenience symbols should be uppercase.  There might be
cases where the nametype is sent over the network... not certain,
though.

WF> "\052\206\110\206\367\022\001\002\001\001"

This is the _generic_ "user name" OID.

WF> to the MIT value:

WF> "\052\206\110\206\367\022\001\002\002\001".

This is the krb5 principal name OID.

WF> I'm concerned that if I change gss_nt_krb5_name back to
WF> "\052\206\110\206\367\022\001\002\001\001" I may be creating
WF> interop problems.

You might be... people had been using these undocumented(?) symbols
for quite some time.  Prior to v2 of C-bindings, I believe there was
no "portable" way to specify a nametype OID, other than to explicitly
code up the DER encoding for it... RFC 1509 did not specify constants
for implementations to define for common name type OIDs.

---Tom
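
Added example, not part of the original message: the two octet strings quoted above are the DER content octets of an OBJECT IDENTIFIER, and decoding them to dotted form shows they differ in a single arc. The names `THREAD_OID_USER_NAME`, `THREAD_OID_KRB5_NAME`, `oid_to_dotted` and `oid_equal` are hypothetical and belong to no GSS-API implementation.

```c
#include <stdio.h>
#include <string.h>

/* Octets quoted in the thread, 10 bytes each (names are hypothetical). */
static const unsigned char THREAD_OID_USER_NAME[] = "\052\206\110\206\367\022\001\002\001\001";
static const unsigned char THREAD_OID_KRB5_NAME[] = "\052\206\110\206\367\022\001\002\002\001";
#define THREAD_OID_LEN 10

/* Decode DER OID content octets (no tag or length byte) to dotted decimal.
 * Returns 0 on success, -1 on empty or truncated input, arc overflow,
 * or an output buffer that is too small. */
int oid_to_dotted(const unsigned char *der, size_t len, char *out, size_t outsz)
{
    size_t i = 0, used = 0;

    if (len == 0)
        return -1;
    while (i < len) {
        unsigned long arc = 0;
        unsigned char b;
        int n;
        do {                        /* base-128 digits, high bit means "more" */
            if (i >= len || (arc >> (sizeof(arc) * 8 - 7)) != 0)
                return -1;
            b = der[i++];
            arc = (arc << 7) | (b & 0x7f);
        } while (b & 0x80);
        if (used == 0) {            /* first subidentifier packs two arcs: 40*X + Y */
            unsigned long x = arc < 80 ? arc / 40 : 2;
            n = snprintf(out, outsz, "%lu.%lu", x, arc - x * 40);
        } else {
            n = snprintf(out + used, outsz - used, ".%lu", arc);
        }
        if (n < 0 || (size_t)n >= outsz - used)
            return -1;
        used += (size_t)n;
    }
    return 0;
}

/* Name-type OIDs match only if length and every octet match. */
int oid_equal(const unsigned char *a, size_t al, const unsigned char *b, size_t bl)
{
    return al == bl && memcmp(a, b, al) == 0;
}

int main(void)
{
    char u[64], k[64];
    if (oid_to_dotted(THREAD_OID_USER_NAME, THREAD_OID_LEN, u, sizeof u) ||
        oid_to_dotted(THREAD_OID_KRB5_NAME, THREAD_OID_LEN, k, sizeof k))
        return 1;
    printf("%s\n%s\n", u, k);
    return 0;
}
```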


