Null realms and servers

Nicolas Williams Nicolas.Williams at
Wed Dec 20 12:05:54 EST 2006

On Fri, Dec 15, 2006 at 09:25:46PM -0500, Sam Hartman wrote:
>     Nicolas> IMO, no, it's not acceptable for
>     Nicolas> krb5_sname_to_principal() to return a NULL realm.
> That's nice.  The time for this comment would have been months ago or
> at the latest when the code was introduced.

I've thought about this further.  And I've reached the same conclusion
w.r.t. krb5_sname_to_principal() as I had (much earlier) about

 - Principal name canonicalization requires credentials in order to do
   it securely, therefore krb5_sname_to_principal() is a bad API and
   should be deprecated.

   The correct interface for principal name/realm canonicalization is

   (And the GSS-API requires a new function, say,

It may yet turn out that the MIT krb5 1.6 change to
krb5_sname_to_principal() causes backwards compatibility problems that
go beyond krb5_kt_get_entry().  If so I'm sure MIT will reconsider this
particular change as alternatives seem to exist.  In the meantime I
withdraw my objection.

