Mikkel Kruse Johnsen wrote:
> Hi All
>
> I'm trying to set up OpenAFS here at Copenhagen Business School
> (Denmark). We have a MS Active Directory where all users are created and
> on Windows I will install OpenAFS for Windows and hopefully be able to
> access the OpenAFS servers with the principal, but unfortunately all
> users have a dot (period) in the name.
A history lesson.
Kerberos v4 principal names, which were in use when AFS was created, use
the dot to indicate the separation between the "name" and the "instance".
For example:
[EMAIL PROTECTED]
Kerberos v5 principal names do not use dot or even slash as the
separator. Instead v5 principals are multiple length-encoded components:
  joe
  admin
  REALM
or
  joe.admin
  REALM
The dot is no longer a special character. In order to use Kerberos v5
principals with AFS we must convert the principal to its display string
form.
joe/[EMAIL PROTECTED]
[EMAIL PROTECTED]
However, because v5 "joe/[EMAIL PROTECTED]" is how the v4 "[EMAIL PROTECTED]"
will be stored in the KDC database, we must replace the slash with a
dot. As a result we have a problem.
joe/[EMAIL PROTECTED] -> [EMAIL PROTECTED]
and now there is a conflict.
  joe
  admin
  REALM
and
  joe.admin
  REALM
become the same string. In order to prevent "joe.admin" from becoming
the administrative identity "joe/admin" we disable support for dots in
Kerberos v5 principal names.
If you wish to disable this check, you will have to patch the code.
Jeffrey Altman
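The collision Jeffrey describes, worked through in code. This is an added illustration, not OpenAFS or Kerberos library code: the function names, the principal tuples (a list of components plus a realm) and the sample principals are constructed for the example. The mapping is the one stated in the message: a v5 principal is displayed with "/" between components, while AFS stores the v4-style form with "." between name and instance, so "joe/admin" and "joe.admin" collapse to the same string.

```python
# Added example: why a dot in a Kerberos v5 component collides with a
# v4-style name/instance principal once it is mapped to the AFS form.
# Principals are modelled as (components, realm); nothing here is OpenAFS code.


def v5_display_string(components, realm):
    """Kerberos v5 display form: components joined by '/', then '@REALM'."""
    return "/".join(components) + "@" + realm


def afs_name(components, realm):
    """The v4-style form AFS stores: name and instance joined by a dot."""
    if len(components) > 2:
        raise ValueError("v4-style names carry at most a name and an instance")
    return ".".join(components) + "@" + realm


def has_dotted_component(components):
    """The check the message refers to: a v5 component containing a dot is
    refused, because it would otherwise alias a name/instance principal."""
    return any("." in c for c in components)


def find_collisions(principals):
    """Map every principal to its AFS form and report the AFS names reached
    by more than one distinct v5 principal."""
    by_afs_name = {}
    for components, realm in principals:
        key = afs_name(components, realm)
        by_afs_name.setdefault(key, []).append(v5_display_string(components, realm))
    return {k: v for k, v in by_afs_name.items() if len(v) > 1}


# Constructed sample: an admin instance, a plain user with a dot in the
# username, and an unrelated user that collides with nothing.
SAMPLE_PRINCIPALS = [
    (["joe", "admin"], "REALM"),
    (["joe.admin"], "REALM"),
    (["mikkel"], "REALM"),
]


if __name__ == "__main__":
    for components, realm in SAMPLE_PRINCIPALS:
        print(
            f"{v5_display_string(components, realm):>20} -> "
            f"{afs_name(components, realm):<20} "
            f"dotted component: {has_dotted_component(components)}"
        )
    print("collisions:", find_collisions(SAMPLE_PRINCIPALS))
```

Running the block prints each principal beside its AFS form and then the single collision: both "joe/admin@REALM" and "joe.admin@REALM" land on "joe.admin@REALM". The `has_dotted_component` check is what keeps the second principal from being accepted as the first, which is the reason the message gives for the restriction.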