[36485] in Kerberos


Re: Creating enterprise principals with kadmin

daemon@ATHENA.MIT.EDU (Booker Bense)
Wed Sep 17 20:45:19 2014

MIME-Version: 1.0
In-Reply-To: <291CA3C8-FF1F-4DE7-9205-96AE3BB29B72@openfortress.nl>
Date: Wed, 17 Sep 2014 17:45:08 -0700
Message-ID: <CAEGpuoi4h738unEMS0PpAh-hXP1NO2YPqYFGgGhgjYAGqBgT-w@mail.gmail.com>
From: Booker Bense <bbense@gmail.com>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

FWIW, I ran a realm in the early nineties (in Kerberos 4, no less) in which all the user names were email addresses, some of which were quoted full names with spaces and punctuation. It was exactly the nightmare you might expect. It did shake out a lot of parsing bugs in the principal escaping code.

It can be done; it's an incredibly bad idea.

- Booker C. Bense

On Tue, Sep 16, 2014 at 6:32 AM, Rick van Rein <rick@openfortress.nl> wrote:

> Hi Greg,
>
> > As I understand the enterprise principal name type based on RFC 6806
> > section 5, it is intended to convey an email-style alias which should be
> > looked up in some kind of name service to figure out the actual
> > principal name and realm for a user.  Active Directory contains such a
> > service; the MIT krb5 KDC does not, unless you use a third-party KDB
> > module which provides one.
>
> …or find an elegant concept and patch it into an existing one...
>
> > (Our LDAP KDB module supports aliases within
> > a realm, but not aliases which point to other realms.)
>
> Yes, I found the is_principal_in_realm() check that is obviously there to
> weed out funny responses due to aliases in the LDAP store, crossing
> over the boundaries of realms.
>
> > Creating an actual principal entry for an enterprise name doesn't seem
> > like a good idea.  A client which makes an AS request for an enterprise
> > name should wind up with a ticket for an actual, normal principal name,
> > not a ticket for the alias.
>
> That’s why I would combine it with canonicalisation.  That way, the login
> with an enterprise name is not the normal mode, but it would translate
> to a “real” principal name. This is not enforced by the KDC and the user
> should choose to canonicalise, but if someone insisted on a funny name
> like joe\@example.com@EXAMPLE.COM then I fail to see hard reasons
> to stop him...?
>
> Thanks,
>  -Rick
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
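The two points the thread turns on, the backslash escaping that makes joe\@example.com@EXAMPLE.COM a single component plus a realm, and the realm-boundary check that keeps an alias from resolving into another realm, as an added example that is not code from the thread or from krb5. The parser is a simplified reading of the quoting convention shown above; ENTERPRISE_ALIASES, canonicalize_enterprise and the sample names are constructed assumptions standing in for the name service Greg describes.

```python
# Added example, not krb5's own code: parse backslash-escaped principal names like
# joe\@example.com@EXAMPLE.COM and canonicalise enterprise aliases within a realm.
COMPONENT_SEP, REALM_SEP, ESCAPE = "/", "@", "\\"

def parse_principal(text):
    """Return (components, realm); realm is None when no unescaped '@' occurs."""
    components, current, in_realm = [], [], False
    chars = iter(text)
    for ch in chars:
        if ch == ESCAPE:  # backslash quotes the next char, so '\@' is a literal '@'
            nxt = next(chars, None)
            if nxt is None:
                raise ValueError("trailing backslash in " + text)
            current.append(nxt)
        elif ch == REALM_SEP:
            if in_realm:
                raise ValueError("second unescaped '@' in " + text)
            components.append("".join(current))
            current, in_realm = [], True
        elif ch == COMPONENT_SEP and not in_realm:
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
    if in_realm:
        return components, "".join(current)
    return components + ["".join(current)], None

# Constructed stand-in for the directory lookup an AD or LDAP KDB module would do
ENTERPRISE_ALIASES = {
    "joe@example.com": "jdoe@EXAMPLE.COM",
    "joe@partner.org": "joe@PARTNER.ORG",  # real principal lives in another realm
}

def canonicalize_enterprise(name, local_realm):
    """Map an email-style enterprise name to its real principal in local_realm."""
    comps, realm = parse_principal(name)
    if len(comps) != 1 or REALM_SEP not in comps[0]:
        return name  # ordinary principal: nothing to canonicalise
    if realm not in (None, local_realm):
        raise ValueError("enterprise name must be sent to the local realm")
    target = ENTERPRISE_ALIASES.get(comps[0])
    if target is None:
        raise LookupError("unknown enterprise alias " + comps[0])
    if parse_principal(target)[1] != local_realm:
        # The in-realm check from the thread: an alias must not cross realm boundaries
        raise LookupError("alias " + comps[0] + " resolves outside " + local_realm)
    return target
```

The unescaped form joe@example.com@EXAMPLE.COM is rejected as malformed, which is the ambiguity Booker's escaping bugs were about.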

