Dave Botsch wrote:
> Is it nothing more than a "if dot don't allow" or is there some particular
> reason that if is there (allowing the dot in the username would break
> something else)?

There are several threads on this topic. I really would hate to repeat it all.

In short, Kerberos v4 principals use 'dot' as the separator between the 'user' and the 'instance'. As in "[EMAIL PROTECTED]" and "[EMAIL PROTECTED]".

Kerberos v5 internally uses multiple length encoded components which are visibly displayed with slashes. When Kerberos v5 is used, the names are converted into Kerberos v4 form. So "dave/[EMAIL PROTECTED]" becomes "[EMAIL PROTECTED]".

Now if there was a user "dave.admin" such that there was a [EMAIL PROTECTED] single component Kerberos v5 name, it would collide with "dave/[EMAIL PROTECTED]" within the PTS database.

That is why there is the check. To prevent this collision.

There was a description posted to openafs-devel some time back describing the patch that the Gatekeepers would accept.

Jeffrey Altman
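The collision described in the message above, as an added example that is not part of the original post and is not OpenAFS code: a simplified C model in which a Kerberos v5 name is a list of components (realm omitted) and the v4-style name joins them with a dot. The `k5_name` type, the function names and the `reject_dot` flag are hypothetical, and rejecting any dot in the first component is an assumption about how such a check could be written.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a Kerberos v5 name: separate components, no realm. */
struct k5_name {
    int ncomp;
    const char *comp[2];
};

/* Constructed sample names taken from the message's example. */
const struct k5_name sample_two_comp = { 2, { "dave", "admin" } };    /* dave/admin */
const struct k5_name sample_one_comp = { 1, { "dave.admin", NULL } }; /* dave.admin */

/* Build the v4-style "user.instance" name. Returns 0 on success, -1 if the
 * name is rejected or does not fit. With reject_dot set, a dot inside the
 * first component is refused, because after conversion it cannot be told
 * apart from the user/instance separator. */
int k5_to_v4_name(const struct k5_name *p, int reject_dot, char *out, size_t outlen)
{
    int n;

    if (p->ncomp < 1 || p->ncomp > 2)
        return -1;
    if (reject_dot && strchr(p->comp[0], '.') != NULL)
        return -1;
    if (p->ncomp == 1)
        n = snprintf(out, outlen, "%s", p->comp[0]);
    else
        n = snprintf(out, outlen, "%s.%s", p->comp[0], p->comp[1]);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Returns 1 when both names are accepted and map to the same v4-style name. */
int names_collide(const struct k5_name *a, const struct k5_name *b, int reject_dot)
{
    char na[64], nb[64];

    if (k5_to_v4_name(a, reject_dot, na, sizeof na) != 0) return 0;
    if (k5_to_v4_name(b, reject_dot, nb, sizeof nb) != 0) return 0;
    return strcmp(na, nb) == 0;
}

int main(void)
{
    printf("without check: collide=%d\n", names_collide(&sample_two_comp, &sample_one_comp, 0));
    printf("with check:    collide=%d\n", names_collide(&sample_two_comp, &sample_one_comp, 1));
    return 0;
}
```

Without the check, both names become "dave.admin" and would share one PTS entry; with it, the single-component dotted name is refused before it can be mapped.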
