Null realms and servers

[Nicolas Williams]

On Sat, Dec 16, 2006 at 10:08:11AM -0500, Jeffrey Altman wrote:
> The issue Sam has raised is that now that NULL realms are being returned
> the internal library behavior has changed in places where
> krb5_sname_to_principal is called.  The first question is whether in the
> keytab code in particular "should the keytab code be modified to restore
> the previous behavior or is there a new behavior that is preferred?"
> The second question is "given how close 1.6 is to shipping, does this
> change whatever it ends up being need to be implemented now?"  In other
> words, is it a show stopper bug that prevents the release.

I believe this change to krb5_sname_to_principal() is backwards
incompatible.  Please find an alternative (e.g., as I proposed in a
separate post just now).

I don't give a rat's ass how close 1.6 is to shipping -- this change is
simply not acceptable.

> I don't think that there is going to be any answer that results in all
> use cases working out of the box with zero configuration.  For clients
> we want the configuration to be on the servers and for them to use
> referrals.  That is what brought us to this decision point.  Now we
> need to determine what happens for services which will not be using
> referrals.
> 
> I believe the solution Sam has described is acceptable given the
> constraint that you don't want clients to be forced to be re-written
> in order to benefit from the referrals code.

There's the alternative I just gave: use the krb5_context to pass
additional info between krb5_sname_to_principal() and
krb5_get_credentials().

Nico
--