Shawn M Emery
Shawn.Emery at Sun.COM
Sun Apr 12 02:20:25 EDT 2009
Greg Hudson wrote:
> Can you be more specific about what real interoperability problems are
> cropping up from either principal case sensitivity or from "degenerate"
> principals like /@, and how you would like those problems to be
Sorry for not being clear; some implementations can have permutations of
various principal components in upper or lower case. During context
acceptance, servers can fail if they cannot find key entries in the
local keytab file unless all permutations of possible service principal
names are populated in the keytab file.
> krb5 1.7 adds some support for protocol features which would allow a KDC
> to treat principals as partially or completely case-insensitive.
> Clients and servers are not expected to know the KDC's case-handling
> policy; this is achieved by allowing clients to request canonicalization
> of client principal names when obtaining initial tickets, and by
> allowing servers to match server principals in keytabs by key rather
> than by name. There is no back-end support for case-folding in the
> shipped DB2 and LDAP back ends, so that piece remains "a simple matter
> of programming" for the moment.
Good to know that this is already being looked at and can potentially
thwart some of these issues, as in the past various utilities have
skirted around this issue by populating principal names with all
possible permutations. I was also trying to find out if there is
consensus among the various implementors on how case sensitivity and
principal name syntax are handled, and it looks like there is none.
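Added example (not code from this thread or from MIT krb5): a toy model of the two acceptor behaviours discussed above, exact name lookup in the keytab versus matching the ticket against every keytab key, plus the "populate every case permutation" workaround. The keytab entries, the HMAC-based stand-in for ticket decryption, and all names are constructed for illustration.

```python
import hashlib
import hmac
from itertools import product

# Constructed keytab entries: (principal, kvno, key). Not a real keytab file,
# and this model illustrates the matching logic only, not krb5's own code.
KEYTAB = [
    ("host/Server1.example.com@EXAMPLE.COM", 3, b"\x01" * 32),
    ("HTTP/server1.example.com@EXAMPLE.COM", 2, b"\x02" * 32),
]

def mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()

def make_ticket(sname, key, payload=b"session-key"):
    """Simplified service ticket: sname in the clear plus a MAC over the
    payload under the service's long-term key. A real ticket encrypts the
    enc-part; the MAC stands in for the decryption that fails on a wrong key."""
    return {"sname": sname, "payload": payload, "tag": mac(key, payload)}

def lookup_by_name(keytab, sname):
    """Name-based lookup: exact, case-sensitive match on the principal."""
    for princ, _kvno, key in keytab:
        if princ == sname:
            return key
    return None

def accept_by_name(keytab, ticket):
    """Acceptor that needs the keytab to hold the exact spelling the KDC put
    in the ticket; fails when only the case differs."""
    key = lookup_by_name(keytab, ticket["sname"])
    return key is not None and hmac.compare_digest(
        mac(key, ticket["payload"]), ticket["tag"])

def accept_by_key(keytab, ticket):
    """Match-by-key acceptor: try every keytab key and accept if any one
    verifies the ticket, so the spelling of sname no longer matters."""
    return any(hmac.compare_digest(mac(key, ticket["payload"]), ticket["tag"])
               for _princ, _kvno, key in keytab)

def case_variants(principal):
    """The keytab-population workaround: every per-component lower/upper/title
    spelling. Grows as 3**components, which is why it does not scale."""
    name, realm = principal.split("@")
    parts = name.split("/")
    forms = [(p.lower(), p.upper(), p.title()) for p in parts]
    return {"/".join(combo) + "@" + realm for combo in product(*forms)}
```

A ticket the KDC issued under the case-folded name `host/server1.example.com@EXAMPLE.COM` is rejected by `accept_by_name` against this keytab but accepted by `accept_by_key`, since the key under the differently spelled entry still verifies it.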