Jeff Blaine <jbla...@kickflop.net> writes:
 
> Can anyone explain away the reasoning behind the decision
> to make user principals need the form:
> 
>      specific_part/contextual_part
> 
>      e.g. jennifer/admin
> 
> and service principals the OPPOSITE - of the form
> 
>      contextual_part/specific_part
> 
>      e.g. host/daffodil.mit.edu
> 
> What happened? Who knows the history and reason for this?

In Kerberos 4, the first part was the "name", and the
second part was the "instance".

So      jennifer        = name
        admin           = instance

        host            = name
        daffodil.mit.edu        = instance

Obviously, "daffodil" is the name, not "host".
For whatever reason, in Kerberos 5, they got rid of calling them
"name" and "instance", and it's just an array
of name components (1, 2, or you can have more, 3, 4...).
So the first part is not "context" or "specific_part",
it's just the "first part".

host/<fqdn> - is wired into program logic.
<user>/admin - is not wired in.  That's strictly a human convention.

If it really bothers you, why not switch to
admin/<user> - and revise your acl logic to match?

                                -Marcus Watts
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
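The point that a Kerberos 5 principal is just an ordered array of components, with `host/<fqdn>` built by library logic and `<user>/admin` (or `admin/<user>`) being only a convention enforced by ACL rules, can be made concrete in code. The following is an added illustration for this thread, not MIT Kerberos's own code: a parser for the textual principal form (components separated by `/`, realm after `@`, backslash escapes), a helper that builds a host-based service principal the way the library does (lowercasing the host name), and a simplified, assumed model of `kadm5.acl` matching in which `*` stands for one whole component. The two ACL patterns and the `EXAMPLE.COM` realm are constructed sample values.

```python
"""Kerberos 5 principals as component arrays, plus ACL-style matching.

Added example for this thread, not MIT Kerberos's own code.  The parser
follows the textual principal form; the ACL matcher is an assumed,
simplified model of kadm5.acl ('*' matches exactly one component,
component counts must agree, realm must agree when the pattern has one).
"""

from dataclasses import dataclass
from typing import List, Optional


def _escape(text: str, specials: str) -> str:
    """Backslash-escape backslashes and the given special characters."""
    out = []
    for ch in text:
        if ch == "\\" or ch in specials:
            out.append("\\")
        out.append(ch)
    return "".join(out)


@dataclass(frozen=True)
class Principal:
    components: List[str]      # Kerberos 5: just an ordered list of parts
    realm: Optional[str]       # None when the text carried no '@REALM'

    def __str__(self) -> str:
        text = "/".join(_escape(c, "/@") for c in self.components)
        if self.realm is not None:
            text += "@" + _escape(self.realm, "@")
        return text


def parse_principal(text: str) -> Principal:
    """Split 'a/b/c@REALM' into its components and realm.

    A backslash escapes the next character, so r'host/web\/01@R' yields
    one component containing a slash rather than two components.
    """
    components: List[str] = []
    buf: List[str] = []
    in_realm = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling backslash in principal")
            buf.append(text[i + 1])
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(buf))
            buf = []
        elif not in_realm and ch == "@":
            components.append("".join(buf))
            buf = []
            in_realm = True
        else:
            buf.append(ch)
        i += 1
    realm: Optional[str] = None
    if in_realm:
        realm = "".join(buf)
        if realm == "":
            raise ValueError("empty realm in principal")
    else:
        components.append("".join(buf))
    if any(c == "" for c in components):
        raise ValueError("empty component in principal")
    return Principal(components, realm)


def service_principal(service: str, hostname: str, realm: str) -> str:
    """Build 'service/fqdn@REALM' as a library would: the service name is
    the FIRST component and the host name is lowercased (assumed model of
    krb5_sname_to_principal; DNS canonicalization is not attempted)."""
    return str(Principal([service, hostname.lower()], realm))


def acl_matches(pattern: str, principal: Principal) -> bool:
    """Positional component match; '*' matches any single component."""
    pat = parse_principal(pattern)
    if len(pat.components) != len(principal.components):
        return False
    for want, have in zip(pat.components, principal.components):
        if want != "*" and want != have:
            return False
    if pat.realm is not None and pat.realm != principal.realm:
        return False
    return True


# Constructed sample ACL entries for the two conventions discussed above.
USER_ADMIN_ACL = "*/admin@EXAMPLE.COM"    # jennifer/admin
ADMIN_USER_ACL = "admin/*@EXAMPLE.COM"    # admin/jennifer (the alternative)


def is_admin(principal_text: str, convention: str = "user/admin") -> bool:
    """Whichever ordering a site picks, admin status is only an ACL rule."""
    pattern = USER_ADMIN_ACL if convention == "user/admin" else ADMIN_USER_ACL
    return acl_matches(pattern, parse_principal(principal_text))


if __name__ == "__main__":
    for text in ("jennifer/admin@EXAMPLE.COM", "admin/jennifer@EXAMPLE.COM"):
        p = parse_principal(text)
        print(text, p.components, is_admin(text), is_admin(text, "admin/user"))
    print(service_principal("host", "Daffodil.MIT.EDU", "ATHENA.MIT.EDU"))
```

Switching conventions, as the reply suggests, changes nothing in the parser: only the ACL pattern and the position at which `admin` is expected move. The escape handling matters for ACL safety, since a component such as `jennifer\/admin` is one component, not two, and must not match `*/admin`.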