Principal naming

Shawn M Emery Shawn.Emery at Sun.COM
Sun Apr 12 02:20:25 EDT 2009

Greg Hudson wrote:
> Can you be more specific about what real interoperability problems are
> cropping up from either principal case sensitivity or from "degenerate"
> principals like /@, and how you would like those problems to be
> resolved?

Sorry for not being clear, some implementations can have permutations of 
various principal components in upper or lower case.  During context 
acceptance servers can fail if they can not find key entries in the 
local keytab file unless all permutations of possible service principal 
names are populated in the keytab file.

> krb5 1.7 adds some support for protocol features which would allow a KDC
> to treat principals as partially or completely case-insensitive.
> Clients and servers are not expected to know the KDC's case-handling
> policy; this is achieved by allowing clients to request canonicalization
> of client principal names when obtaining initial tickets, and by
> allowing servers to match server principals in keytabs by key rather
> than by name.  There is no back-end support for case-folding in the
> shipped DB2 and LDAP back ends, so that piece remains "a simple matter
> of programming" for the moment.

Good to know that this is already being looked and can potentially 
thwart some of these issues, as in the past, various utilities have 
skirted around this issue by populating principal names with all 
possible permutation.  I was also trying to find out if there is 
consensus with the various implementors on how case sensitivity and 
principal name syntax is handled, which looks like there is none.


More information about the krbdev mailing list