On Tue, 2005-09-13 at 14:59 -0400, Sam Hartman wrote:
> >>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@sun.com> writes:
>
>     Nicolas> The proposed set/change password version 2 protocol deals
>     Nicolas> with principal aliasing...
>
> It requires that the KDC be able to enumerate all the principals that
> a particular service can be known as. That is not compatible with
> case insensitive keytabs in an interoperable manner.

I don't get this. If the KDC knows that it is case insensitive, then why
can't it just include an extra boolean to the effect of 'and all case
variations of the above'? The set/change password isn't RFC yet, right?

And why can't we have a similar flag in a keytab entry?

It seems to me that current sites using unix kerberos are jumping through
some very high hoops to avoid this kind of extension. Likewise, it is
forcing applications (such as Samba3) to manually enumerate all entries
in a keytab to implement such a behaviour.

Now, for Samba4 I can just hack more stuff into a custom kerberos lib, and
pretend these problems don't exist in a broader world. However, I know
this isn't popular, and I've promised to at least try and transition to
system libs eventually. Even if Samba4 never does, I would really like
other services to be able to provide kerberos logins to windows clients,
without major pain, or rewriting the apps, or telling users 'just
recompile and statically link against lorikeet-heimdal'...

(I already have this issue coming up to my plate soon, as I try to
understand how GSS-TSIG and BIND 9 will fit into Samba4's AD-like
environment. Given advice on these lists before, I don't want to include
a custom BIND if I don't have to...).

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
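The message above describes two things without showing either: what "manually enumerate all entries in a keytab" looks like in practice, and why a KDC that had to list every case variation of a service principal explicitly would be in trouble. The following is an added illustration written for this page; it is not Samba's code, not Heimdal's or MIT's keytab API, and it does not read real keytab files. It models a keytab as a list of constructed (principal, kvno, enctype) entries, parses principal names into components and realm, and compares a requested principal against every entry either exactly (the standard keytab lookup) or case-insensitively (the enumerating workaround). The folding policy (ASCII lower-casing of both components and realm) is an assumption made for the example, not a statement of what any particular KDC or client does. The `case_variant_count` helper just counts how many distinct spellings "all case variations" would expand to, which is the argument for a boolean flag rather than an explicit list.

```python
"""Case-insensitive keytab lookup by enumeration.

Added illustration for this thread; not Samba, Heimdal or MIT code.
The keytab is a constructed in-memory list, not a real file.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # e.g. "host/server.example.com@EXAMPLE.COM"
    kvno: int        # key version number
    enctype: str     # encryption type name (informational here)


def parse_principal(name: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm).

    Unescaped '/' separates components and the first unescaped '@'
    starts the realm; a backslash escapes the next character so that
    'a\\/b@R' is the single component 'a/b'.  A name with no realm is
    rejected, since keytab entries always carry one.
    """
    comps: List[str] = []
    cur: List[str] = []
    in_realm = False
    i = 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):
            cur.append(name[i + 1])
            i += 2
            continue
        if not in_realm and c == "/":
            comps.append("".join(cur))
            cur = []
        elif not in_realm and c == "@":
            comps.append("".join(cur))
            cur = []
            in_realm = True
        else:
            cur.append(c)
        i += 1
    if not in_realm:
        raise ValueError("principal has no realm: %r" % name)
    return comps, "".join(cur)


def principal_matches(entry: str, wanted: str, case_insensitive: bool) -> bool:
    """Compare two principal names component-wise.

    Assumption of this example: with case_insensitive=True both the
    components and the realm are folded with ASCII str.lower(); real
    implementations may fold only the components, or use a different rule.
    """
    e_comps, e_realm = parse_principal(entry)
    w_comps, w_realm = parse_principal(wanted)
    if len(e_comps) != len(w_comps):
        return False
    if not case_insensitive:
        return e_comps == w_comps and e_realm == w_realm
    return (
        [c.lower() for c in e_comps] == [c.lower() for c in w_comps]
        and e_realm.lower() == w_realm.lower()
    )


def find_keys(keytab: List[KeytabEntry], wanted: str,
              case_insensitive: bool = False) -> List[KeytabEntry]:
    """Return every entry usable for `wanted`, highest kvno first.

    This is the 'enumerate the whole keytab' approach: every entry is
    parsed and compared, so the cost is linear in the keytab size.
    """
    hits = [e for e in keytab
            if principal_matches(e.principal, wanted, case_insensitive)]
    return sorted(hits, key=lambda e: -e.kvno)   # stable, so ties keep file order


def case_variant_count(name: str) -> int:
    """Number of distinct spellings obtained by flipping the case of each letter.

    A KDC asked to list 'all case variations' explicitly would have to send
    this many names; a single boolean flag covers them all.
    """
    letters = sum(1 for ch in name if ch.isalpha())
    return 2 ** letters


# Constructed sample keytab (not from any real system).
SAMPLE_KEYTAB = [
    KeytabEntry("host/server.example.com@EXAMPLE.COM", 2, "aes256-cts-hmac-sha1-96"),
    KeytabEntry("host/server.example.com@EXAMPLE.COM", 3, "aes256-cts-hmac-sha1-96"),
    KeytabEntry("HOST/server.example.com@EXAMPLE.COM", 3, "arcfour-hmac-md5"),
    KeytabEntry("cifs/SERVER.example.com@EXAMPLE.COM", 3, "aes256-cts-hmac-sha1-96"),
    KeytabEntry("host/other.example.com@EXAMPLE.COM", 1, "aes256-cts-hmac-sha1-96"),
]


if __name__ == "__main__":
    # A Windows client may ask for the service under a mixed-case name.
    wanted = "host/Server.Example.COM@EXAMPLE.COM"
    print("exact matches:", find_keys(SAMPLE_KEYTAB, wanted))
    print("case-insensitive matches:", find_keys(SAMPLE_KEYTAB, wanted, True))
    print("explicit variations the KDC would have to list:",
          case_variant_count("host/server.example.com@EXAMPLE.COM"))
```

The exact lookup for the mixed-case name finds nothing, while the enumerating lookup returns all three `host/...` keys for that host, newest kvno first; listing the case variations of even this one short principal explicitly would mean 2^30 names, which is why the mail argues for a flag rather than an enumeration.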