"REGISTRY" back-end for profile info

Jeffrey Altman jaltman at MIT.EDU
Tue Nov 22 12:14:49 EST 2005


Joseph Calzaretta wrote:
> At 11:22 AM 11/22/2005, Jeffrey Altman wrote:
>> "REGISTRY:" (for Windows)
> 
> Hey, now that you mention it... what should this format look like in the
> Windows registry?  On the face of it, I would think that there's a
> straightforward mapping:
> 
> krb5.conf               =>      Windows registry
> section names           =>      keys
> subsection names        =>      subkeys
> relation tags           =>      value names
> relation values         =>      value data (REG_MULTI_SZ to support
> multiple ordered relation values like "kdc=x", "kdc=y"...)
> 
> but how much more complicated is it than that?  

I do not expect it to be much more complicated than that.

> On first blush I could
> expect issues like collisions due to registry keys and value names being
> case-insensitive.

I'm not all that concerned about case collisions.   Realm names should
be upper-cased and those sites that have decided to roll out "my.realm"
and "MY.REALM" will lose in the DNS SRV record space in an identical
fashion.

However, if we wanted to support both, we would simply have to perform
some form of name mangling for the lower-cased realm names.

> Plus the fact that registry keys and value names are
> sorted, so order cannot be preserved except at the leaves (with
> REG_MULTI_SZ).  Does that wreak havoc with [capaths]?  Or is the only
> truly order-dependent stuff at the leaves?

This is order-dependent:

[capaths]
        RAEBURN.ORG = {
        ATHENA.MIT.EDU = .
                ANDREW.CMU.EDU = DEMENTIA.ORG
                DEMENTIA.ORG = ATHENA.MIT.EDU
        GRAND.CENTRAL.ORG = ATHENA.MIT.EDU
                GRAND.CENTRAL.ORG = DEMENTIA.ORG
        OPENAFS.ORG = ATHENA.MIT.EDU
                OPENAFS.ORG = DEMENTIA.ORG
        SECURE-ENDPOINTS.COM = ATHENA.MIT.EDU
                SECURE-ENDPOINTS.COM = DEMENTIA.ORG
        WINDOWS.SECURE-ENDPOINTS.COM = ATHENA.MIT.EDU
                WINDOWS.SECURE-ENDPOINTS.COM = DEMENTIA.ORG
                WINDOWS.SECURE-ENDPOINTS.COM = SECURE-ENDPOINTS.COM
        }

and so is:

[libdefaults]
        default_tgs_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc des-cbc-md5 des-cbc-md4

I would want to store [capaths] RAEBURN.ORG and [libdefaults]
default_tgs_enctypes as REG_MULTI_SZ with the order-dependent
information inside.

But I would want [realms] ATHENA.MIT.EDU master_kdc to be a REG_SZ
although [realms] ATHENA.MIT.EDU kdc should be a REG_MULTI_SZ.

It seems like there would need to be some additional type information
available to the profile library indicating how the data should be treated.

> And is there a Windows Vista registry format for Kerberos already out
> there somewhere we need to support?

Interesting question.  Microsoft already stores Kerberos data in the
registry and has done so since Win2000.  All the data configured with
KSETUP.EXE.   With Vista they are adding domain realm mapping in a wacky
way.

I don't think we want to store our profile data in their locations.
Instead I think we would want logic to allow syncing of the data as
appropriate.

> 
> Thanks!
> 
> Joe Calzaretta
> Software Development & Integration Team
> MIT Information Services & Technology
> 
> 
> 


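A sketch of the mapping discussed in this thread, added here as an illustration in Python (it is not code from this post, from MIT Kerberos or from its profile library): it parses a constructed krb5.conf fragment, maps sections and subsections to registry keys and relation tags to value names, and consults a hypothetical per-relation type table, of the kind the reply says the profile library would need, to decide which relations are stored as REG_MULTI_SZ with their order preserved and which as a single REG_SZ. The type table, the key paths and the sample configuration are all assumptions.

```python
# Constructed krb5.conf fragment modelled on the message's examples; not a real site's config.
SAMPLE = """\
[libdefaults]
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1
[realms]
  ATHENA.MIT.EDU = {
    kdc = kerberos.mit.edu
    kdc = kerberos-1.mit.edu
    master_kdc = kerberos.mit.edu
  }
[capaths]
  RAEBURN.ORG = {
    GRAND.CENTRAL.ORG = ATHENA.MIT.EDU
    GRAND.CENTRAL.ORG = DEMENTIA.ORG
  }
"""
# Hypothetical type hints (the message notes the profile library would need
# them): these relations are ordered lists and so become REG_MULTI_SZ.
MULTI_SZ = {("realms", "kdc"), ("libdefaults", "default_tgs_enctypes")}
MULTI_SZ_SECTIONS = {"capaths"}

def parse_profile(text):
    # {section: node}; a node maps tag -> ordered value list, or -> nested node
    root, stack = {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line[0] == "[" and line[-1] == "]":
            stack = [root.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            tag, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(tag, {}))
            else:
                stack[-1].setdefault(tag, []).append(value)
    return root

def to_registry(node, section=None, path="", out=None):
    # {(key_path, value_name): (reg_type, data)}; (sub)sections -> keys, tags -> value names
    out = {} if out is None else out
    for tag, value in node.items():
        if isinstance(value, dict):
            to_registry(value, section or tag, (path + "\\" + tag).lstrip("\\"), out)
        elif section in MULTI_SZ_SECTIONS or (section, tag) in MULTI_SZ:
            out[(path, tag)] = ("REG_MULTI_SZ", [w for v in value for w in v.split()])
        else:
            out[(path, tag)] = ("REG_SZ", value[0])  # first value, as profile_get_string does
    return out
```

Running `to_registry(parse_profile(SAMPLE))` gives one REG_MULTI_SZ entry for the two `kdc` lines and for the enctype list, a REG_SZ for `master_kdc`, and a two-element REG_MULTI_SZ for the repeated `GRAND.CENTRAL.ORG` capath, in file order.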