Matching Principals

Jeffrey Hutzelman jhutz at cmu.edu
Wed Jun 21 21:20:02 EDT 2006



On Tuesday, June 20, 2006 04:59:08 PM -0700 "Dangi, Salil" 
<Salil.Dangi at unisys.com> wrote:

> I am running into the following issue with AP-Request generated by Java 1.5:
>
> AP-Request has a Ticket and an Authenticator.
> Both of these structures have client (cname) information.
>
> As part of AP-Request verification, the client information in these two
> structures should be matched.
>
> I see that the cname in the ticket and cname in the authenticator are
> not the same. One of them shows a name-type of 0 (KRB_NT_UNKNOWN) and the
> other one shows a name-type of 1 (KRB_NT_PRINCIPAL). The name-string
> fields are identical in cname fields of the ticket and the
> authenticator.
>
> How do you match two names that have different name-type attributes
> (UNKNOWN and NT_PRINCIPAL)?

By piecewise comparison of the individual principal components, just as 
you'd do if the name types were the same.  From RFC4120, section 6.2:

   The name-type SHOULD be
   treated only as a hint to interpreting the meaning of a name.  It is
   not significant when checking for equivalence.

> Should this be considered as a bug with JAVA 1.5 implementation?

Should _what_ be considered as a bug?  You've given a partial description 
of what you think the behavior should be, but you haven't said what it's 
doing instead.  How are we supposed to say whether the behavior you haven't 
described is correct or not?

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
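
The comparison Jeff describes, worked through in code. This is an added example and not code from the post, from MIT krb5, or from the Java 1.5 implementation under discussion. It decodes two PrincipalName values from DER, one carrying KRB_NT_UNKNOWN and one KRB_NT_PRINCIPAL with identical name-string components, as in Salil's report, and shows that a naive structure equality fails while a component-by-component comparison per RFC 4120 section 6.2 succeeds. The tiny DER encoder and decoder, the `PrincipalName` dataclass, the two-component client name `host/client.example.com` and the realm `EXAMPLE.COM` are all constructed for this example; `ap_req_client_matches` also compares crealm, which RFC 4120 section 3.2.3 requires during AP-REQ verification alongside cname.

```python
# Added example (not code from the krbdev post, MIT krb5 or Java): compare two
# Kerberos PrincipalName values as RFC 4120 section 6.2 directs, component by
# component, treating name-type only as a hint.  A minimal DER encoder/decoder
# for the PrincipalName SEQUENCE is included so the sample values are real wire
# encodings; they are constructed here, not captured traffic.
from dataclasses import dataclass
from typing import Tuple

KRB_NT_UNKNOWN = 0
KRB_NT_PRINCIPAL = 1


@dataclass(frozen=True)
class PrincipalName:
    name_type: int
    name_string: Tuple[str, ...]


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def encode_principal_name(pn: PrincipalName) -> bytes:
    """PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }"""
    nbytes = max(1, (pn.name_type.bit_length() + 8) // 8)
    name_type = _tlv(0x02, pn.name_type.to_bytes(nbytes, "big", signed=True))
    # KerberosString is a GeneralString (universal tag 27 = 0x1B)
    strings = b"".join(_tlv(0x1B, s.encode("ascii")) for s in pn.name_string)
    return _tlv(0x30, _tlv(0xA0, name_type) + _tlv(0xA1, _tlv(0x30, strings)))


def decode_principal_name(der: bytes) -> PrincipalName:
    """Strict inverse of encode_principal_name; rejects trailing data and wrong tags."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("PrincipalName must be a single SEQUENCE")
    tag, nt_ctx, pos = _read_tlv(seq, 0)
    if tag != 0xA0:
        raise ValueError("expected [0] name-type")
    tag, nt, _ = _read_tlv(nt_ctx, 0)
    if tag != 0x02:
        raise ValueError("name-type must be an INTEGER")
    name_type = int.from_bytes(nt, "big", signed=True)
    tag, ns_ctx, pos = _read_tlv(seq, pos)
    if tag != 0xA1 or pos != len(seq):
        raise ValueError("expected [1] name-string as the last element")
    tag, strings, _ = _read_tlv(ns_ctx, 0)
    if tag != 0x30:
        raise ValueError("name-string must be a SEQUENCE OF")
    components, p = [], 0
    while p < len(strings):
        tag, val, p = _read_tlv(strings, p)
        if tag != 0x1B:
            raise ValueError("KerberosString must be a GeneralString")
        components.append(val.decode("ascii"))
    return PrincipalName(name_type, tuple(components))


def principals_equal(a: PrincipalName, b: PrincipalName) -> bool:
    """RFC 4120 6.2: name-type is not significant for equivalence.  Compare the
    component count and each component exactly (case-sensitive, no normalisation)."""
    if len(a.name_string) != len(b.name_string):
        return False
    return all(x == y for x, y in zip(a.name_string, b.name_string))


def ap_req_client_matches(ticket_crealm: str, ticket_cname: PrincipalName,
                          auth_crealm: str, auth_cname: PrincipalName) -> bool:
    """AP-REQ check (RFC 4120 3.2.3): client realm and name in the Ticket and
    in the Authenticator must agree, with the name compared per section 6.2."""
    return ticket_crealm == auth_crealm and principals_equal(ticket_cname, auth_cname)


# Constructed sample (hypothetical client host/client.example.com): identical
# components, one encoded with NT-UNKNOWN and the other with NT-PRINCIPAL,
# mirroring the mismatch reported in the post.
TICKET_CNAME_DER = encode_principal_name(
    PrincipalName(KRB_NT_UNKNOWN, ("host", "client.example.com")))
AUTH_CNAME_DER = encode_principal_name(
    PrincipalName(KRB_NT_PRINCIPAL, ("host", "client.example.com")))

if __name__ == "__main__":
    t = decode_principal_name(TICKET_CNAME_DER)
    a = decode_principal_name(AUTH_CNAME_DER)
    print("naive equality including name-type:", t == a)
    print("RFC 4120 section 6.2 equivalence:  ", principals_equal(t, a))
```

The two DER blobs differ by exactly one byte (the Int32 inside the [0] element), and `principals_equal` never looks at it. Note what the check deliberately does not do: no case folding, no stripping of realm from a component, no treating a single component `host/client.example.com` as equal to the two components `host`, `client.example.com`. Any such normalisation would make two distinct principals compare equal, which in an AP-REQ check is a client-identity confusion.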