[577] in Kerberos-V5-bugs


Re: More Concerns Over The Case of The Realm Names

daemon@ATHENA.MIT.EDU (Joseph N. Pato)
Mon Jul 11 12:40:36 1994

Date: Mon, 11 Jul 1994 12:39:46 -0400
To: Clifford Neuman <bcn@ISI.EDU>, DEEngert@anl.gov, gnu@cygnus.com
From: pato@apollo.hp.com (Joseph N. Pato)
Cc: auth-pilot@es.net, krb5-bugs@MIT.EDU

At  9:25 7/10/94 -0700, Clifford Neuman wrote:
>With respect to DCE realm names, my understanding is that their realm
>names are not of the domain name variety even though derived from
>realm names.  In particular, they use slashes to separate components
>and the order of the elements is reversed.  The upper case convention
>only applies to names ****
>

In DCE 1.0X releases, a DCE realm name is derived from the DCE cell name.
This can either be a DNS name or an X.500 name. When the cell name is a DNS
name, then the name follows the standard DNS "." separated syntax. (e.g.,
/.../hp.com or /.../ch.hp.com [1]. These names map to the realm names
hp.com and ch.hp.com) Names are canonicalized when entered into the
database (but you can create an uppercase realm name if you really want).

In DCE 1.1 a cell name can be rooted in another cell (yielding hierarchical
names). At that point there are "/" characters in the realm name. (The DCE
KDC database is actually a full directory system so stores these as a true
hierarchy - but the V5 protocol requires that the realm name appear in the
second field of the name structure, disallowing the use of multi-component
realm names and requiring the DCE to introduce the "/" character into the
name of the realm when presented on the wire.)



[1] "/.../" is syntactic sugar for indicating a global name; the realm name
does not include this token. In the Kerberos database the "/.../" string is
replaced by the "krbtgt" "directory".

                - Joe Pato
                  Hewlett-Packard Co.
                  pato@ch.hp.com
                  +1 (508) 436-4350;    FAX +1 (508) 436-5140


