[33097] in Kerberos
Re: @ in principal names
daemon@ATHENA.MIT.EDU (Peter Mogensen)
Thu Jan 13 14:13:32 2011
Message-ID: <4D2F4ED6.7090903@mutex.dk>
Date: Thu, 13 Jan 2011 20:13:26 +0100
From: Peter Mogensen <apm@mutex.dk>
To: kerberos@mit.edu
In-Reply-To: <D7CE9DD2-AF68-429F-AC81-2ED6EDABC678@stanford.edu>
Cc: Booker Bense <bbense@stanford.edu>
On 2011-01-13 20:01, Booker Bense wrote:
> In theory, yes you can have principals with \@ in the principal name with proper quoting.

Yes... I found the requirement to quote @ somewhere, and I managed to
create principals without kadmin complaining.
But when trying to authenticate IMAP, Dovecot complained about illegal
"\" in username. So I guessed I was missing something.

> In practice, you will find lots of hidden bugs in various kerberos implementations.

Currently trying with MIT Kerberos 1.8.1

> If you control all the kerberos libraries of all the clients it can be made to work. (I did this
> at EPRI around 1993 or so with kerberos 4), but realistically it's not feasible.
>
> Even if you don't find library bugs, it's a user interface nightmare.

So, is there any recommended solution for such a scenario?
Hosting many virtual realms? (more than practically editable in krb5.conf)
Replacing @ (with, say, %) so principals are localpart%domain@realm ?
Any other way?

/Peter
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos