On Thu, 30 Sep 2004, Rainer Schöpf wrote:

A principal with a "." in its name does not work at all with Kerberos5
tokens. This is explicitly forbidden by this snippet of code from
rxkad/ticket5.c:

   /*
    * If the first part of the name_string contains a dot, punt since
    * then we can't see the difference between the kerberos 5
    * principals foo.root and foo/root later in the fileserver.
    */
   if (strchr(decr_part.cname.name_string.val[0], '.') != NULL)
        goto bad_ticket;

I don't see why this should be a problem: name and instance are well
separated in the fileserver code. If I use the old aklog together with
krb524d, no such restriction exists.

Jeff Altman explained why in the RT ticket you opened; basically, "because it can lead to 2 principals being treated as the same one".


Until the pts suite has been modified and we are using true krb5 everywhere (or at least in the code path where such a check happens), this will not be removed.

If you want an instance, create an instance. If you want a second principal, use some character other than "." to separate the left part of the name from the right.
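As an added example (not code from OpenAFS or from anyone in this thread), here is the collision the reply refers to, in C: a krb5 principal is flattened into AFS's name.instance form once without and once with the ticket5.c check. The struct krb5_cname and the function names are hypothetical stand-ins for the real decoded-ticket structures.

```c
/* Added illustration (not OpenAFS code): why rxkad/ticket5.c rejects a '.'
 * in the first component of a Kerberos 5 principal. AFS identities are
 * "name.instance" strings, so a krb5 principal must be flattened first. */
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for decr_part.cname.name_string: a component list. */
struct krb5_cname {
    int ncomp;
    const char *comp[2];
};

/* Flatten a one- or two-component principal into AFS "name.instance".
 * With enforce_dot_check set, a '.' in the first component returns -1,
 * mirroring the goto bad_ticket in ticket5.c. */
int krb5_to_afs_id(const struct krb5_cname *p, int enforce_dot_check,
                   char *out, size_t outlen)
{
    if (p->ncomp < 1 || p->ncomp > 2)
        return -1;
    if (enforce_dot_check && strchr(p->comp[0], '.') != NULL)
        return -1;                       /* the goto bad_ticket case */
    if (p->ncomp == 1)
        snprintf(out, outlen, "%s", p->comp[0]);
    else
        snprintf(out, outlen, "%s.%s", p->comp[0], p->comp[1]);
    return 0;
}

/* Constructed sample principals: foo.root (one component) and foo/root. */
static const struct krb5_cname dotted  = { 1, { "foo.root", NULL } };
static const struct krb5_cname slashed = { 2, { "foo", "root" } };

/* Without the check, two distinct principals collapse to one AFS id. */
int afs_ids_collide_without_check(void)
{
    char a[64], b[64];
    if (krb5_to_afs_id(&dotted, 0, a, sizeof a) != 0 ||
        krb5_to_afs_id(&slashed, 0, b, sizeof b) != 0)
        return 0;
    return strcmp(a, b) == 0;            /* 1: both are "foo.root" */
}

/* With the check, only foo/root is accepted and maps to "foo.root". */
int check_rejects_only_dotted(void)
{
    char buf[64];
    return krb5_to_afs_id(&dotted, 1, buf, sizeof buf) == -1 &&
           krb5_to_afs_id(&slashed, 1, buf, sizeof buf) == 0 &&
           strcmp(buf, "foo.root") == 0;
}
```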



