On 2011-01-13 20:01, Booker Bense wrote:
> In theory, yes you can have principals with \@ in the principal name with
> proper quoting.

Yes... I found the requirement to quote @ somewhere, and I managed to create principals without kadmin complaining. But when trying to authenticate IMAP, Dovecot complained about illegal "\" in username. So I guessed I was missing something.

> In practice, you will find lots of hidden bugs in various kerberos
> implementations.

Currently trying with MIT Kerberos 1.8.1

> If you control all the kerberos libraries of all the clients it can be made
> to work. ( I did this
> at EPRI around 1993 or so with kerberos 4 ), but realistically it's not
> feasible.
>
> Even if you don't find library bugs, it's a user interface nightmare.

So, are there any recommended solutions for such a scenario?
Hosting many virtual realms? (more than practically editable in krb5.conf)
Replacing @ (with, say %) so principals are localpart%domain@realm ?
Any other way?

/Peter
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
