[27777] in Kerberos
Re: @ character in username
daemon@ATHENA.MIT.EDU (Booker C. Bense)
Tue May 15 13:21:20 2007
In-Reply-To: <396126.1881.qm@web61011.mail.yahoo.com>
Message-Id: <0A5DA8B2-95AC-47BB-BDE7-8B3C5C7C05A9@stanford.edu>
From: "Booker C. Bense" <bbense@stanford.edu>
Date: Tue, 15 May 2007 10:21:12 -0700
To: Arati Desai <artipdesai@yahoo.com>
Cc: kerberos@mit.edu
On May 15, 2007, at 7:56 AM, Arati Desai wrote:
> Hi All,
>
> My user name contains '@' character as I need to host multiple
> domains on a single box.
> I have created a user's principal as username\@domain@REALM. First
> '@' character is escaped with a '\' while creating principal and
> generating a ticket.
> But I am getting 'Invalid user' error when I try to login with this
> user while the kerb5 authentication succeeds for normal users. (I
> am using heimdal at the service's end for authentication, while the
> KDC is from MIT.)
>
> Is '@' character supported in user name? If so, is there any
> special precaution to be taken while using such user names?
In theory, yes it's supported if properly quoted. In practice, it's a
nightmare. My first Kerberos job was making stuff like this work for
Kerberos 4 MIT code at EPRI. We found lots of bugs in the principal
handling code.
Kerberos code has changed a lot since 1993, but I suspect there are
still bugs lurking in dealing with these kinds of things. If there is
anything you can do to avoid using these kinds of principals I would
highly recommend doing so.
_ Booker C. Bense
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
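
Added example, not part of the original messages and not MIT or Heimdal code: a simplified Python model of the principal quoting discussed in this thread. The rules it assumes are that a backslash quotes the next character, an unquoted '/' separates components, and a single unquoted '@' starts the realm. The function names are hypothetical. It shows how code that splits on the first '@' disagrees with a quote-aware parser for the principal from the question.

```python
def parse_principal(name):
    """Split a quoted principal string into (components, realm)."""
    components, realm, buf = [], None, []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\":
            # A backslash quotes the next character, whatever it is.
            if i + 1 == len(name):
                raise ValueError("trailing backslash")
            buf.append(name[i + 1])
            i += 2
            continue
        if ch == "@":
            # Only one unquoted '@' is allowed; it ends the name part.
            if realm is not None:
                raise ValueError("more than one unquoted '@'")
            components.append("".join(buf))
            buf, realm = [], ""
        elif ch == "/" and realm is None:
            # Unquoted '/' separates components before the realm.
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if realm is None:
        components.append("".join(buf))
    else:
        realm = "".join(buf)
    return components, realm


def unparse_principal(components, realm):
    """Inverse of parse_principal: re-quote '\\', '/' and '@'."""
    def quote(s):
        return "".join("\\" + c if c in "\\/@" else c for c in s)
    return "/".join(quote(c) for c in components) + "@" + quote(realm)


def naive_split(name):
    """What quote-unaware code does: cut at the first '@'."""
    user, _, realm = name.partition("@")
    return user, realm


if __name__ == "__main__":
    sample = r"username\@domain@REALM"   # principal form from the question
    print(parse_principal(sample))       # quote-aware result
    print(naive_split(sample))           # quote-unaware result
```

Any component in the login path that behaves like `naive_split` (a PAM module, an account lookup, a log parser) will see a different user and realm than the Kerberos library does, which is the kind of mismatch to test for before deploying such principals.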