Case insensitive names (was Re: Turning off hostname canonicalisation)
abartlet at samba.org
Tue Sep 13 18:48:44 EDT 2005
On Tue, 2005-09-13 at 14:59 -0400, Sam Hartman wrote:
> >>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
> Nicolas> The proposed set/change password version 2 protocol deals
> Nicolas> with principal aliasing...
> It requires that the KDC be able to enumerate all the principals that
> a particular service can be known as. That is not compatible with
> case insensitive keytabs in an interoperable manner.
I don't get this. If the KDC knows that it is case insensitive, then why
can't it just include an extra boolean to the effect of 'and all case
variations of the above'? The set/change password isn't RFC yet, right?
And why can't we have a similar flag in a keytab entry?
It seems to me that current sites using unix kerberos are jumping through
some very high hoops to avoid this kind of extension. Likewise, it is
forcing applications (such as Samba3) to manually enumerate all entries
in a keytab to implement such a behaviour.
Now, for Samba4 I can just hack more stuff into a custom kerberos lib,
and pretend these problems don't exist in a broader world. However, I
know this isn't popular, and I've promised to at least try and
transition to system libs eventually. Even if Samba4 never does, I
would really like other services to be able to provide kerberos logins
to windows clients, without major pain, or rewriting the apps, or
telling users 'just recompile and statically link against
(I already have this issue coming up to my plate soon, as I try to
understand how GSS-TSIG and BIND 9 will fit into Samba4's AD-like
environment. Given advice on these lists before, I don't want to
include a custom BIND if I don't have to...).
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
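The "manually enumerate all entries in a keytab" workaround that the message complains about, shown as an added example (not code from this thread, from Samba or from MIT Kerberos): it serialises a few constructed service principals into an MIT keytab (file format version 0x0502, including a deleted-entry hole), parses the file back, and then looks up a principal either with the exact match a keytab API gives you or with the case-insensitive comparison a Windows client effectively needs. Assumptions: the principals, realm `EXAMPLE.COM` and key bytes are placeholders; the `case_insensitive` lookup flag stands in for the per-entry flag proposed above; only the name components are case-folded while the realm is matched exactly, which is a design choice of this example rather than anything the thread specifies.

```python
import struct

KRB5_NT_PRINCIPAL = 1

# Constructed sample entries: (realm, components, enctype, kvno, key bytes).
# None marks a deleted slot, which MIT keytabs store as a negative-size hole.
SAMPLE_ENTRIES = [
    ("EXAMPLE.COM", ["host", "server.example.com"], 18, 2, b"\x11" * 32),
    None,
    ("EXAMPLE.COM", ["cifs", "server.example.com"], 18, 2, b"\x22" * 32),
    ("EXAMPLE.COM", ["ldap", "dc01.example.com"], 17, 5, b"\x33" * 16),
]


def _counted(data: bytes) -> bytes:
    """16-bit big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries) -> bytes:
    """Serialise entries into an MIT keytab, format version 0x0502."""
    out = bytearray(b"\x05\x02")
    for entry in entries:
        if entry is None:                     # deleted slot: negative size + padding
            out += struct.pack(">i", -16) + b"\x00" * 16
            continue
        realm, comps, enctype, kvno, key = entry
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)       # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Enumerate every live entry of a version-0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                          # skip a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                    # prefer the 32-bit kvno when present and non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append({"realm": realm.decode(), "components": comps,
                        "enctype": enctype, "kvno": kvno, "key": key})
    return entries


def principal_to_str(entry) -> str:
    return "/".join(entry["components"]) + "@" + entry["realm"]


def find_keys(entries, principal: str, case_insensitive: bool = False):
    """Return the entries whose principal matches; the keytab API itself only
    offers the exact match, so the case-insensitive path must scan everything."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal must carry a realm")
    want = name.split("/")
    hits = []
    for e in entries:
        have = e["components"]
        if e["realm"] != realm or len(have) != len(want):
            continue
        if case_insensitive:
            matched = all(a.casefold() == b.casefold() for a, b in zip(have, want))
        else:
            matched = have == want
        if matched:
            hits.append(e)
    return hits


if __name__ == "__main__":
    kt = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    for e in kt:
        print(principal_to_str(e), "enctype", e["enctype"], "kvno", e["kvno"])
    print(len(find_keys(kt, "HOST/Server.Example.Com@EXAMPLE.COM", case_insensitive=True)), "case-insensitive hit(s)")
```

The cost the message describes is visible in `find_keys`: the exact-match path could stop at the first hit, but the case-insensitive path has to walk the whole keytab on every request, which is also why a per-entry flag in the file format would be preferable to every application reimplementing this loop.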