[569] in Kerberos-V5-bugs


Re: More Concerns Over The Case of The Realm Names

daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Fri Jul 8 13:02:55 1994

Date: Fri, 8 Jul 94 13:02:40 EDT
From: tytso@MIT.EDU (Theodore Ts'o)
To: "Doug Engert" <DEEngert@anl.gov>
Cc: <auth-pilot@es.net>, <bcn@ISI.EDU>, <krb5-bugs@MIT.EDU>
In-Reply-To: Doug Engert's message of Fri, 08 Jul 94 11:23:33 CDT,
	<9407081624.AA00882@MIT.EDU>

   Date: Fri, 08 Jul 94 11:23:33 CDT
   From: "Doug Engert" <DEEngert@anl.gov>

   The more I think about the convention of using upper case realm names
   the more it bothers me for five reasons:

   Reason 1:

   Most of us have defined realm names using lower case for the
   cross realm testing using k5.es.net as the base. But it looks
   like LLNL is using LLNL.K5.ES.NET as the realm.

I'm sorry you happened to choose a convention which conflicts with the
current installed base.  But you seem to be asking us to make a change
in convention that would break all of the currently existing Kerberos
realms.  Remember, the V5 KDC supports both V4 and V5 requests for
compatibility's sake, so MIT's realm, and any realm which started as V4
and is migrating to V5, will NOT be able to change their realm name.

   Reason 2:

   Kerberos 5.3 is said to be able to interoperate with OSF/DCE. I
   would like to be able to use Kerberized clients with an OSF
   security server acting as the KDC. But what is the Cell/Realm
   name? Does OSF use uppercase for the cell name? I don't believe
   so, I know AFS does not. (Currently I am using the AFS kaserver
   as the Kerberos V4 KDC and use K4 clients. The AFS Cell name is
   anl.gov and the Kerberos realm is ANL.GOV.) I hope that K5 and
   OSF work similarly.

OSF/DCE is currently using all lower-case Cell names as its convention, and
the realm name is the same as the cell name.  It is unfortunate that OSF
chose to use a convention which is different from the established V4
convention; perhaps they don't care as much about backwards
compatibility.

However, DCE will allow the use of upper-case cells; just as Kerberos
will allow the use of lower-case realm names.  They are just contrary to
the established convention of each system.  I wish DCE could have kept
to the already established convention, but I wasn't consulted when they
made that particular design change.

   Reason 3:

   I only see one place in the K 5.4.1 source where there is some
   attempt at using a specific case for the realm name. (I may have
   missed some). This is lib/krb5/os/hst_realm.c where it tries to
   generate a realm name from a domain name, and converts it to
   upper case, and it scans the krb.realms file and does a
   strcasecmp against the domain name.

This is not quite right.  It prepares a default realm name from the
domain name, which follows the current conventions (i.e. upper case
domain name).  It is doing a case insensitive compare against the domain
name because domain names are case insensitive.  These are two separate
operations, and you seemed to be confusing them as one operation.

   Reason 4:

   The string to key routine now uses the realm name in the salt. I
   don't see any case conversion here. 

There is no case conversion, because realm names are case insensitive.
This is not a reason to make a change to the convention.

   Reason 5:

   Users tend to type using lower case, and are used to domain names
   being in lower case. Having to use uppercase will be frustrating.

Users will rarely, if ever, need to type Kerberos realm names.  In the
few places where they do, the code could be set up to uppercase the
realms if this was really a problem --- although I don't think it is.

   Suggestion:

   I would like to see the realm name be considered case sensitive,
   but with the convention being to use lower case for domain name
   style realm names, and have hst_realm.c convert a domain name to
   lower case. (I know this may be considered a major change, but
   in the long run, it will make things easier.)

Sorry, but the convention has been too-long established that the
Kerberos realm name is all upper case.  This was done originally to
make the distinction that Kerberos realm names are *NOT* the same
concept as domain names.  They are often the same because of the
convention, but they do not have to be the same, and in the interests of
architectural purity, it is important that they be kept separate.  
Otherwise, you run into other problems....

The Kerberos realm name is case insensitive, and if you want to confuse
people you can even use a mixed case realm name.  However, I don't see
any point in making the change now, especially since already deployed
sites can not possibly be expected to change to a new convention,
especially when there aren't any really good reasons for making the
change.

If you want to use all lower-case, you are free to; it will break
the assumption made in hst_realm.c, which tries to guess the realm name
from the domain name; but because of already deployed sites, some of
them with substantial numbers of users, I am not prepared to change the
behavior of that routine.  The net result of that is that you will have
to have your realms listed in /etc/krb.realms; Kerberos V5 will not be
able to guess the realm name for you.

							- Ted
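
The two separate operations discussed above for hst_realm.c (a case-insensitive domain match against krb.realms, and a default realm guessed by upper-casing the domain), as an added example that is not the MIT source and not part of the original message. The table layout, the sample entries and the function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample table; the "<host-or-.domain> <realm>" layout is assumed. */
static const char *SAMPLE_KRB_REALMS[] = {
    ".anl.gov anl.gov",                  /* lower-case realm: must be listed */
    "kdc.llnl.k5.es.net LLNL.K5.ES.NET", /* exact host entry */
    NULL
};

/* Operation 1: guess a default realm = domain part of the host, upper-cased. */
static void default_realm(const char *host, char *out, size_t outlen)
{
    const char *dom = strchr(host, '.');
    size_t i = 0;
    if (outlen == 0) return;
    dom = dom ? dom + 1 : host;          /* no dot: use the whole name */
    for (; dom[i] != '\0' && i + 1 < outlen; i++)
        out[i] = (char)toupper((unsigned char)dom[i]);
    out[i] = '\0';
}

/* Operation 2: scan the table. Host and domain keys are compared without
   regard to case; the realm is copied exactly as written, never folded.
   Simplification: only the host's immediate domain is tried.
   Returns 1 if the realm came from the table, 0 if it was guessed. */
int host_realm(const char *host, const char **table, char *out, size_t outlen)
{
    const char *dom = strchr(host, '.');
    char key[256], realm[256];
    for (; *table != NULL; table++) {
        if (sscanf(*table, "%255s %255s", key, realm) != 2) continue;
        if (strcasecmp(key, host) == 0 ||
            (dom != NULL && key[0] == '.' && strcasecmp(key, dom) == 0)) {
            snprintf(out, outlen, "%s", realm);
            return 1;
        }
    }
    default_realm(host, out, outlen);
    return 0;
}

/* Convenience wrapper over the sample table (static buffer, not reentrant). */
const char *realm_for(const char *host)
{
    static char buf[256];
    host_realm(host, SAMPLE_KRB_REALMS, buf, sizeof buf);
    return buf;
}

int main(void) { printf("%s\n", realm_for("ws1.mit.edu")); return 0; }
```

A host under a lower-case realm resolves correctly only because its domain is in the table; without that entry the guess would be the upper-cased domain.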
