[1492] in Kerberos-V5-bugs


Re: Kerberos V5 beta5 / DCE interoperability problem

daemon@ATHENA.MIT.EDU (Joseph N. Pato)
Mon Jun 19 17:15:35 1995

Date: Mon, 19 Jun 1995 17:13:15 -0400
To: Theodore Ts'o <tytso@MIT.EDU>
From: pato@apollo.hp.com (Joseph N. Pato)
Cc: Bill Sommerfeld <sommerfeld@apollo.hp.com>, Theodore Ts'o <tytso@MIT.EDU>,
        KRB5-BUGS@MIT.EDU, "Doug Engert" <DEEngert@anl.gov>

At 7:06 6/19/95, Theodore Ts'o wrote:
>   Date: Mon, 19 Jun 1995 15:47:56 -0400
>   From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
>
>   Joe was incorrect.
>
>   All DCE implementations I am aware of force the cell name to lower
>   case after reading it from the `dce_cf.db' config file.
>
>Are there any plans to fix this in DCE 1.2?
>
>This is a real show-stopper as far as any widespread use of DCE at MIT,
>and I suspect at a number of other sites as well, where backwards
>compatibility and preserving the existing Kerberos database is considered
>important.
>
>                                                - Ted

There are several issues here.

1) In the abstract, a cell name can be case-correct. In practice a cell
that is rooted in DNS is in a case-insensitive environment. There is
cell-name canonicalization code that will downcase the name in this
environment as Bill points out.

2) Not all cells are rooted in DNS. In particular, some cells are
hierarchical and are rooted in the DCE CDS. In this case at least some
portion of the name is case sensitive.

3) There was a bug in the DCE Security server: it "canonicalized" all realm
names when a realm was to be created. It was possible to create a
case-correct realm name - but it required the administrator to dump the
database into an ASCII form, edit the name to correct the "spelling error"
and then restore the database. (Not friendly, but possible - in particular
possible to create an alias name for the realm.)

The bug is unfortunate. Allowing case-correct names for sites that desire
them is useful. I would be very upset (as would some customers) if RFC 1510
would change in an incompatible manner to rule out case correctness.

- joe



