
Case insensitive names (was Re: Turning off hostname canonicalisation)

On Tue, 2005-09-13 at 14:59 -0400, Sam Hartman wrote:
> >>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@sun.com> writes:
>     Nicolas> The proposed set/change password version 2 protocol deals
>     Nicolas> with principal aliasing...
> It requires that the KDC be able to enumerate all the principals that
> a particular service can be known as.  That is not compatible with
> case insensitive keytabs in an interoperable manner.

I don't get this.  If the KDC knows that it is case insensitive, then why
can't it just include an extra boolean to the effect of 'and all case
variations of the above'?  The set/change password isn't RFC yet, right?
And why can't we have a similar flag in a keytab entry?

It seems to me that current sites using unix kerberos are jumping through
some very high hoops to avoid this kind of extension.  Likewise, it is
forcing applications (such as Samba3) to manually enumerate all entries
in a keytab to implement such a behaviour.

Now, for Samba4 I can just hack more stuff into a custom kerberos lib,
and pretend these problems don't exist in a broader world.  However, I
know this isn't popular, and I've promised to at least try and
transition to system libs eventually.  Even if Samba4 never does, I
would really like other services to be able to provide kerberos logins
to windows clients, without major pain, or rewriting the apps, or
telling users 'just recompile and statically link against

(I already have this issue coming up to my plate soon, as I try to
understand how GSS-TSIG and BIND 9 will fit into Samba4's AD-like
environment.  Given advice on these lists before, I don't want to
include a custom BIND if I don't have to...).

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
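The post contrasts two ways of coping with case-insensitive service principals: the application walking every keytab entry and folding case itself (what it says Samba3 has to do today), and a per-entry "and all case variations" flag. The following is an added example, not code from the thread or from Samba, MIT or Heimdal; it models both behaviours over a constructed in-memory keytab. The `match_any_case` flag is hypothetical (real keytab files carry no such field), and the choice to fold case on the name components but require an exact realm match is an assumption of this example, not something the thread specifies.

```python
"""Case-insensitive service-principal lookup in a keytab.

Added example, not code from the thread or from Samba/MIT/Heimdal.  It models
the two behaviours the post contrasts: an application that walks every keytab
entry and folds case itself, and the proposed alternative of a per-entry
"any case variation" flag.  The flag is hypothetical; real keytab files carry
no such field.  The keytab below is a constructed in-memory list, not a file.
"""
from dataclasses import dataclass


def parse_principal(name: str) -> tuple[list[str], str]:
    """Split 'c1/c2@REALM' into (components, realm).

    Honours backslash escapes so that '/' and '@' can appear inside a
    component; the first unescaped '@' starts the realm.
    """
    comps: list[str] = []
    cur: list[str] = []
    in_realm = False
    i = 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):
            cur.append(name[i + 1])      # escaped character, taken literally
            i += 2
            continue
        if not in_realm and c == "/":
            comps.append("".join(cur))
            cur = []
        elif not in_realm and c == "@":
            comps.append("".join(cur))
            cur = []
            in_realm = True
        else:
            cur.append(c)
        i += 1
    if not in_realm:
        raise ValueError(f"principal has no realm: {name!r}")
    realm = "".join(cur)
    if not realm or any(comp == "" for comp in comps):
        raise ValueError(f"empty component or realm in {name!r}")
    return comps, realm


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    enctype: str
    key: bytes
    match_any_case: bool = False   # hypothetical per-entry flag from the post


def principal_matches(wanted: str, candidate: str, fold_case: bool) -> bool:
    """Compare two principals.  Case folding (when enabled) applies to the
    name components only; the realm must match exactly (an assumption here)."""
    wcomps, wrealm = parse_principal(wanted)
    ccomps, crealm = parse_principal(candidate)
    if wrealm != crealm or len(wcomps) != len(ccomps):
        return False
    if fold_case:
        return all(a.lower() == b.lower() for a, b in zip(wcomps, ccomps))
    return wcomps == ccomps


def find_keys(keytab, wanted: str, fold_case=None) -> list[KeytabEntry]:
    """Enumerate every entry and return the matches, highest kvno first.

    fold_case=True/False forces an application-side policy (the enumerate-
    everything approach); fold_case=None honours each entry's own
    match_any_case flag instead, so the policy lives in the keytab.
    """
    hits = []
    for entry in keytab:
        fold = entry.match_any_case if fold_case is None else fold_case
        if principal_matches(wanted, entry.principal, fold):
            hits.append(entry)
    return sorted(hits, key=lambda e: e.kvno, reverse=True)


# Constructed sample keytab (keys are dummy bytes, not real key material).
SAMPLE_KEYTAB = [
    KeytabEntry("host/server.example.com@EXAMPLE.COM", 2, "aes256-cts", b"\x01" * 32),
    KeytabEntry("host/server.example.com@EXAMPLE.COM", 3, "aes256-cts", b"\x02" * 32),
    KeytabEntry("cifs/SERVER@EXAMPLE.COM", 5, "arcfour-hmac", b"\x03" * 16, match_any_case=True),
    KeytabEntry("HTTP/www.example.com@EXAMPLE.COM", 1, "aes128-cts", b"\x04" * 16),
    KeytabEntry("host/server.example.com@OTHER.COM", 4, "aes256-cts", b"\x05" * 32),
]

if __name__ == "__main__":
    # A client that upper-cases the service name still finds both key versions
    # when the application folds case; with fold_case=False it finds none.
    for e in find_keys(SAMPLE_KEYTAB, "HOST/SERVER.EXAMPLE.COM@EXAMPLE.COM", fold_case=True):
        print(e.principal, e.kvno, e.enctype)
```

With `fold_case=None` the lookup only folds case for entries that opted in, which is the property the post is asking for: a site that knows its KDC is case insensitive marks the entries once, and applications need neither a private enumeration loop nor a rebuilt Kerberos library.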
