On Thu, 2014-05-22 at 11:07 +0200, Jakub Hrozek wrote:
> On Thu, May 22, 2014 at 10:11:54AM +0200, Sumit Bose wrote:
> > Hi,
> > 
> > I would like to use getpwnam() to find the POSIX user for a given
> > Kerberos principal.
> 
> In general I'm fine with what you propose, but I wonder why is it easier
> to use getpwnam() and not a special library call, like we have for sid-to-name
> lookups? Did you want to avoid having to link the localauth plugin with
> a third party library (like sss_nss_idmap) ?
> 
> > To achieve this I have to change the
> > regular-expression we use to split the user name into name and domain
> > components because we use '@' as a delimiter here and Kerberos
> > principals contain an '@' as well.
> > 
> > My idea is to allow an '@' in the name part so that 'a@b@c' is split
> > into the name part 'a@b' and the domain part 'c'.
> 
> Yes, I think we were asked to allow e-mail addresses as username in the
> past anyway.
> 
> > A name containing an
> > '@' will then be considered as a Kerberos principal by SSSD and used
> > accordingly. If the domain is not known and the Kerberos principal
> > should be searched in all known domains a single '@' at the end, e.g.
> > 'a@b@' shall indicate that the argument is a Kerberos principal.
> > 
> > I would like to know if you agree with this approach, if you have
> > concerns and other suggestions?
> > 
> > As a side node. While looking at this I found some oddities in the
> > current regular-expressions. E.g. currently '@' is not allowed in the
> > name part, but in the domain part when '@' is the separator. This leads
> > to a splitting of 'a@b@c' to name 'a' and domain 'b@c'. For AD-style
> > names with '\' as a separator '@' is allowed in names, i.e. 'a\b@c' will
> > be result in name 'b@c' and domain 'a' (so in theory I could use this
> > scheme to send a Kerberos principal to SSSD, but for me this looks even
> > stranger than my suggestion above, it hard to use on the command-line
> > and does not solve the case where the domain is not known). I will try
> > to fix those inconsistencies as well.
> 
> Currently we only support domain names that contain alphanumeric ASCII
> characters, dashes and underscores anyway, at least those defined in the
> sssd.conf. I'm not sure if the same limitation is also imposed on
> subdomains.
> 
> But still, what about only allowing the '@' in the name part? I don't
> think we would break backwards compatibility, I doubt anyone is using a
> subdomain with '@' in the name.

AD does not allows special characters in domain names (nor should IPA as
they are DNS names too), so I do not think there is any problem on this
point.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

Reply via email to