On Fri, Aug 27, 2010 at 4:14 AM, Harald Barth <[email protected]> wrote:
>
>> Old rxkad fileservers convert krb5 names to a krb4 "name" and
>> "instance" according to a semi-obscure set of hardcoded rules in
>> rxkad, join them with '.' (unless the instance is null), then append
>> '@' and the downcased realm (unless it is a "local" realm). The
>> resulting string is passed to PR_NameToID, and what _that_ does is
>> not currently specified.
>
> I can say that I _am_ confused about how the name I have in a krb v5
> keytab, host/[email protected], gets converted to
> rcmd.computer for use in pts. But web/[email protected]
> gets converted to web.computer.example.com. There is this section
> about conversion of names in krb5.conf but I do not know which
> programs actually use it and if it is used for this conversion at all
> (as stuff is hardcoded somewhere, too).
This is somewhat out of scope as it is legacy rather than something
being standardized here. However, rxkad includes a hardcoded table in
src/rxkad/ticket5.c which claims:

/*
 * Principal conversion Taken from src/lib/krb5/krb/conv_princ from MIT
 * Kerberos. If you find a need to change the services here, please
 * consider opening a bug with MIT by sending mail to [email protected].
 */

Most converted names have a short hostname in krb4 and are converted
from a full hostname. Exceptions: kadmin, zephyr keep their existing
instance; host/full becomes rcmd/short. Other converted principals:
discuss, rvdsrv, sample, olc, pop, sis, rfs, imap, ftp, ecat, daemon,
gnats, moira, prms, mandarin, register, changepw, sms, afpserver, gdss,
news, abs, nfs, tftp, http, khttp, pgpsigner, irc, mandarin-agent,
write, palladium, imap, smtp, lmtp, acap, argus, mupdate.

>> Note that I'm not proposing changing rxkad's existing interface,
>> which returns a separate name, instance, and cell. I'm only
>> proposing changing the form of the binary authname blob that would
>> be returned when the _new_ interface is used.
>
> Whatever we do, I'd like to see that the solution does _not_ result in
> something that is like the current mess where only a few people in the
> world know what is converted where and how.

Given that source is shipped and the rules match the conversion MIT krb5
does, that *should not* be the case.

-- 
Derrick
_______________________________________________
AFS3-standardization mailing list
[email protected]
http://michigan-openafs-lists.central.org/mailman/listinfo/afs3-standardization
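The rules quoted in this thread (join name and instance with '.', append the lowercased realm unless it is local, host/full becomes rcmd/short, the listed services get a short hostname, kadmin and zephyr keep their instance) are small enough to model in a few lines. The Python below is an added illustration written for this page; it is not code from rxkad, OpenAFS or MIT krb5. It assumes a local-realm set of EXAMPLE.COM, constructs its own sample principals, treats any service not named in the message (such as web/) as passed through unchanged, which is what Harald's second example shows, and does not model the krb5.conf conversion section Harald mentions. It also shows the practitioner's caveat that follows directly from these rules: the mapping is lossy, so several distinct krb5 principals can land on one pts name.

```python
"""Model of the rxkad krb5 -> krb4 -> pts name conversion as described in the
message above.  Added illustration, not rxkad or MIT krb5 code.
Assumptions: LOCAL_REALMS and the sample principals are constructed here."""

from collections import defaultdict

# Services whose krb5 instance is a full hostname and whose krb4 instance is
# the short hostname.  Taken from the list in the message; "imap" appears
# twice there and the set absorbs the duplicate.
SHORTEN_HOST = frozenset("""
    discuss rvdsrv sample olc pop sis rfs imap ftp ecat daemon gnats moira prms
    mandarin register changepw sms afpserver gdss news abs nfs tftp http khttp
    pgpsigner irc mandarin-agent write palladium smtp lmtp acap argus mupdate
""".split())

# Services that keep their krb5 instance untouched.
KEEP_INSTANCE = frozenset({"kadmin", "zephyr"})

# Realms treated as "local" (no @realm suffix appended).  Assumed value.
LOCAL_REALMS = frozenset({"EXAMPLE.COM"})


def parse_krb5(principal):
    """Split 'name[/instance]@REALM' into (name, instance, realm).

    Only one- and two-component principals are accepted: krb4 has no room
    for a third component, so anything longer is rejected outright.
    """
    if "@" not in principal:
        raise ValueError("missing realm: %r" % principal)
    local, realm = principal.rsplit("@", 1)
    parts = local.split("/")
    if len(parts) > 2 or not parts[0] or not realm:
        raise ValueError("not representable in krb4: %r" % principal)
    instance = parts[1] if len(parts) == 2 else ""
    return parts[0], instance, realm


def krb5_to_krb4(principal):
    """Apply the conversion rules quoted in the message and return the krb4
    (name, instance, realm) triple."""
    name, instance, realm = parse_krb5(principal)
    if name == "host":                      # host/full -> rcmd/short
        name = "rcmd"
        instance = instance.split(".", 1)[0]
    elif name in SHORTEN_HOST:              # service/full -> service/short
        instance = instance.split(".", 1)[0]
    elif name in KEEP_INSTANCE:             # kadmin, zephyr: untouched
        pass
    # Anything else (web/, plain users, ...) passes through unchanged.
    return name, instance, realm


def pts_name(principal, local_realms=LOCAL_REALMS):
    """Build the string handed to PR_NameToID: name[.instance][@realm], with
    the realm lowercased and omitted when it is a local realm."""
    name, instance, realm = krb5_to_krb4(principal)
    result = name if not instance else "%s.%s" % (name, instance)
    if realm not in local_realms:
        result += "@" + realm.lower()
    return result


def find_collisions(principals, local_realms=LOCAL_REALMS):
    """Return {pts_name: [krb5 principals]} for every pts name that more than
    one distinct principal converts to.  Rights granted to that pts name
    apply to every principal in the list, which is the security cost of a
    lossy mapping."""
    seen = defaultdict(list)
    for p in principals:
        seen[pts_name(p, local_realms)].append(p)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed samples, including the two cases from Harald's message.
    samples = [
        "host/computer.example.com@EXAMPLE.COM",
        "web/computer.example.com@EXAMPLE.COM",
        "host/computer.lab.example.com@EXAMPLE.COM",  # other host, same short name
        "rcmd/computer@EXAMPLE.COM",                  # krb4-style name used in krb5
        "kadmin/admin@EXAMPLE.COM",
        "harald@EXAMPLE.COM",
        "host/box.other.org@OTHER.ORG",               # foreign realm
    ]
    for p in samples:
        print("%-45s -> %s" % (p, pts_name(p)))
    for pts, who in find_collisions(samples).items():
        print("collision on %s: %s" % (pts, ", ".join(who)))
```

Running it prints rcmd.computer three times, once each for host/computer.example.com, host/computer.lab.example.com and rcmd/computer, and reports them as a collision; that is the "mess" the thread is discussing made concrete, and the same check is worth running over a real keytab inventory before trusting pts ACL entries that name a converted host principal.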
