Jeff Blaine <jbla...@kickflop.net> writes:

> Can anyone explain away the reasoning behind the decision
> to make user principals need the form:
>
> specific_part/contextual_part
>
> e.g. jennifer/admin
>
> and service principals the OPPOSITE - of the form
>
> contextual_part/specific_part
>
> e.g. host/daffodil.mit.edu
>
> What happened? Who knows the history and reason for this?
In Kerberos 4, the first part was the "name", and the second part was the "instance". So

    jennifer         = name
    admin            = instance
    host             = name
    daffodil.mit.edu = instance

Obviously, "daffodil" is the name, not "host". For whatever reason, in Kerberos 5, they got rid of calling them "name" and "instance", and it's just an array of name components (1, 2, or you can have more, 3, 4...). So the first part is not "context" or "specific_part", it's just the "first part".

host/<fqdn> - is wired into program logic.
<user>/admin - is not wired in. That's strictly a human convention.

If it really bothers you, why not switch to admin/<user> - and revise your ACL logic to match?

-Marcus Watts

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
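As an added illustration (not part of the thread, and not MIT Kerberos code), here is a small Python parser that treats a Kerberos 5 principal as a plain array of components plus a realm, as Marcus describes, together with a kadm5.acl-style matcher. It shows that the <user>/admin convention is just a pattern you choose (swapping to admin/<user> is a one-line ACL change), while host/<fqdn> is checked structurally because programs depend on that shape. The realm ATHENA.MIT.EDU and the principal names are constructed sample values; the escaping rule (a backslash quotes the next character) follows the usual unparsed form.

```python
from typing import List, Tuple


def parse_principal(text: str, default_realm: str = "") -> Tuple[List[str], str]:
    """Split a Kerberos 5 principal string into (components, realm).

    Components are separated by '/', the realm follows the last unescaped '@'.
    A backslash escapes the next character, so 'a\\/b' is one component 'a/b'.
    The "first part" has no special meaning here; it is just components[0].
    """
    components: List[str] = []
    current: List[str] = []
    realm = default_realm
    in_realm = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i + 1])  # escaped character taken literally
            i += 2
            continue
        if not in_realm and ch in "/@":
            components.append("".join(current))
            current = []
            in_realm = ch == "@"
        else:
            current.append(ch)
        i += 1
    if in_realm:
        realm = "".join(current)
    else:
        components.append("".join(current))
    if "" in components or realm == "":
        raise ValueError(f"malformed principal: {text!r}")
    return components, realm


def is_host_service_principal(text: str, default_realm: str = "") -> bool:
    """host/<fqdn>@REALM is the shape program logic is wired to expect."""
    comps, _ = parse_principal(text, default_realm)
    return len(comps) == 2 and comps[0] == "host" and "." in comps[1]


def acl_matches(pattern: str, principal: str, default_realm: str = "") -> bool:
    """kadm5.acl-style match: '*' stands for any one whole component or realm."""
    pc, pr = parse_principal(pattern, default_realm)
    cc, cr = parse_principal(principal, default_realm)
    if len(pc) != len(cc) or (pr != "*" and pr != cr):
        return False
    return all(p == "*" or p == c for p, c in zip(pc, cc))
```

Because the matcher compares whole components, the "admin" marker can live in either position; only the ACL pattern has to agree with the convention you pick.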