[37731] in Kerberos
Re: Using enterprise principal name in GSS-API
daemon@ATHENA.MIT.EDU (Alan Braggins)
Fri Oct 7 12:16:20 2016
From: Alan Braggins <abraggin@brocade.com>
To: kerberos <kerberos@mit.edu>
Date: Thu, 6 Oct 2016 18:47:01 +0000
Message-ID: <1475779627474.25973@Brocade.com>
In-Reply-To: <1475779510832.52990@Brocade.com>
Content-Language: en-GB
MIME-Version: 1.0
Cc: Alan Braggins <abraggin@brocade.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Apparently I also have a broken mail that truncated most of that message.
I'll see if I can recover it.
________________________________________
From: Alan Braggins
Sent: 06 October 2016 19:45
To: Greg Hudson; Isaac Boukris; kerberos
Subject: Re: Using enterprise principal name in GSS-API
On 23/09/16 15:50, Greg Hudson wrote:
> On 09/23/2016 03:52 AM, Isaac Boukris wrote:
>> Maybe we need a new gss name type oid like GSS_NT_ENTERPRISE_NAME,
>> though I guess it's more complicated than it sounds :)
>
> I think that might be reasonable for this use case. I've seen requests
> to be able to import enterprise principal names before, although (IIRC)
> sometimes for use cases where it might not have made as much sense.
>
> The concerns I can immediately think of are:
>
> * Is there any prior art we should try to be compatible with? I don't
> see any in Heimdal, and MS doesn't directly implement GSS-API, so I
> don't think there is.
>
> * If someone uses one of these GSS names in a different scenario (e.g.
> for an acceptor credential), will it fail gracefully? I believe that's
> generally the case.
>
> * Does canonicalization at cred acquisition time pose any issues for the
> GSS-API model, because the name you get creds for won't be the same as
> the name you asked for? gss_acquire_cred_with_password() is an
> extension, not a standardized part of the API, so I think it shouldn't
> be a problem.
I have actually got a patch that adds gss_nt_krb5_name_enterprise as a
recognised OID (
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
