Hi, I would like to use getpwnam() to find the POSIX user for a given Kerberos principal. To achieve this I have to change the regular-expression we use to split the user name into name and domain components because we use '@' as a delimiter here and Kerberos principals contain an '@' as well.
My idea is to allow an '@' in the name part so that 'a@b@c' is split into the name part 'a@b' and the domain part 'c'. A name containing an '@' will then be considered as a Kerberos principal by SSSD and used accordingly. If the domain is not known and the Kerberos principal should be searched in all known domains a single '@' at the end, e.g. 'a@b@' shall indicate that the argument is a Kerberos principal. I would like to know if you agree with this approach, if you have concerns and other suggestions? As a side node. While looking at this I found some oddities in the current regular-expressions. E.g. currently '@' is not allowed in the name part, but in the domain part when '@' is the separator. This leads to a splitting of 'a@b@c' to name 'a' and domain 'b@c'. For AD-style names with '\' as a separator '@' is allowed in names, i.e. 'a\b@c' will be result in name 'b@c' and domain 'a' (so in theory I could use this scheme to send a Kerberos principal to SSSD, but for me this looks even stranger than my suggestion above, it hard to use on the command-line and does not solve the case where the domain is not known). I will try to fix those inconsistencies as well. bye, Sumit _______________________________________________ sssd-devel mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
