[676] in Kerberos-V5-bugs
Re: choice of realm appended in krb5_425_conv_principal()
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Tue Aug 23 18:35:40 1994
Date: Tue, 23 Aug 94 18:35:27 EDT
From: tytso@MIT.EDU (Theodore Ts'o)
To: "Paul Pomes" <P-Pomes@uiuc.edu>
Cc: krb5-bugs@MIT.EDU
In-Reply-To: Paul Pomes's message of Tue, 23 Aug 1994 14:27:03 -0500,
<14844.777670023@mirage.cso.uiuc.edu>
Paul,
The convention for host tickets using Krb5 is:
host/fully.qualified.host@REALM.EDU
The convention for Kerberos V4 is:
rcmd/host@REALM.EDU
The problem with the V4 convention is precisely the problem with U of I,
where you have departmental domains, and a university-wide
authentication realm for the University. The V4 convention completely
fails if you have two hosts named mirage.library.uiuc.edu and
mirage.eecs.uiuc.edu.
Hence, we moved to the V5 convention, which includes the fully qualified
domain name. However, for compatibility's sake, we need to be able to
convert back and forth between the V5 and V4 convention, since old V4
clients expect the old format names, and we didn't want to have
duplicate keys in the Kerberos database.
This is the reason for the krb5_425_conv_principal and
krb5_524_conv_principal calls. Obviously, going from the V5 convention
to the V4 convention is easy; you simply strip off the realm name.
However, going from the V4 convention to the V5 convention is hard ---
you basically need a hard-coded table, or some sort of global network
database to contact. I fully expect users at various different sites
will need to hack krb5_425_conv_principal in site specific ways, since
the V4 convention is inherently ambiguous.
How much V4 deployment do you have at UIUC? If you don't have much, I'd
suggest not suggesting using V4 clients at UIUC at all; given your
architecture of multiple domains under a single realm, V4 clients aren't
going to work in the presence of name conflicts anyway. If the problem
is the lack of V5 clients for the PC and Macintosh, perhaps the trick
will be to try to get a consortium of schools to work on getting the
V5 library ported to the PC and Macintosh. I anticipate that we will
be able to devote some resources to do the Krb5 PC port starting this
fall, and with any luck, we'll have a Krb5 PC port by sometime next
year.
- Ted
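As an added illustration (not part of Ted's message or of the MIT krb5 code), the following Python models the two conversions described above: the lossy V5-to-V4 direction that drops the domain, and the V4-to-V5 direction that needs a site-specific table and must fail when a short hostname is ambiguous. The V4 form is written with the slash notation used in the message; the site table, realm and host names are constructed for the example.

```python
# Added example, not MIT krb5 code: models krb5_524/krb5_425 host-principal
# conversion as described in the message. All names below are constructed.
from typing import Dict, Iterable, List

# V5 host principal: host/fully.qualified.host@REALM
# V4 host principal (as written in the message): rcmd/host@REALM


def conv_524(v5_principal: str) -> str:
    """V5 -> V4: easy and lossy. Keep only the first label of the FQDN and
    rename the V5 'host' service to V4's 'rcmd'."""
    name, realm = v5_principal.rsplit("@", 1)
    service, instance = name.split("/", 1)
    if service != "host":
        raise ValueError(f"not a host principal: {v5_principal}")
    short = instance.split(".", 1)[0]
    return f"rcmd/{short}@{realm}"


def build_site_table(fqdns: Iterable[str]) -> Dict[str, List[str]]:
    """The 'hard-coded table' a site must supply: short hostname -> FQDN(s)."""
    table: Dict[str, List[str]] = {}
    for fqdn in fqdns:
        table.setdefault(fqdn.split(".", 1)[0], []).append(fqdn)
    return table


def find_conflicts(fqdns: Iterable[str]) -> Dict[str, List[str]]:
    """Short names that map to more than one FQDN; the V4 convention cannot
    represent these hosts distinctly under one realm."""
    return {k: v for k, v in build_site_table(fqdns).items() if len(v) > 1}


def conv_425(v4_principal: str, site_table: Dict[str, List[str]]) -> str:
    """V4 -> V5: hard. Resolve the short name through the site table and
    refuse to guess when it is unknown or ambiguous."""
    name, realm = v4_principal.rsplit("@", 1)
    service, short = name.split("/", 1)
    if service != "rcmd":
        raise ValueError(f"not a V4 host principal: {v4_principal}")
    candidates = site_table.get(short, [])
    if not candidates:
        raise LookupError(f"no FQDN known for {short!r}")
    if len(candidates) > 1:
        raise LookupError(f"{short!r} is ambiguous: {candidates}")
    return f"host/{candidates[0]}@{realm}"


# Constructed sample: the two 'mirage' hosts from the message plus one more.
SAMPLE_HOSTS = ["mirage.library.uiuc.edu", "mirage.eecs.uiuc.edu",
                "zaphod.cso.uiuc.edu"]
```

Running find_conflicts over a realm's host list is the check a site would want before deciding whether V4 clients can be supported at all.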