Dave Botsch <[EMAIL PROTECTED]> writes:

> Is it nothing more than a "if dot don't allow" or is there some
> particular reason that if is there (allowing the dot in the username
> would break something else)?

The problem is that AFS uses Kerberos v4 naming for PTS entries, and when you convert Kerberos v5 instances to Kerberos v4, you can't tell the difference between rra.root and rra/root. Since that ambiguity could potentially cause security issues if a principal with a period in it happened to map to a privileged instance, the current code takes the maximally conservative approach of rejecting any Kerberos v5 principal containing a period.

There was some discussion a while back about the possible acceptable solutions that wouldn't run the risk of introducing a security issue due to name conflicts. The real long-term solution, of course, is to teach PTS about Kerberos v5 principal names, but that's a reasonably large chunk of work.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
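
The name collision described in the message above, as an added example that is not part of the original message and is not OpenAFS code. The function names are hypothetical and the conversion is simplified to the separator mapping only (realm omitted, no other translation rules).

```c
#include <stdio.h>
#include <string.h>

/* Simplified flattening of a realm-less Kerberos v5 principal, "name" or
 * "name/instance", into the v4-style "name.instance" form. Assumption: only
 * the separator is mapped. Returns 0 on success, -1 if the result does not
 * fit or there are more than two components (v4 has only name and instance). */
static int krb5_to_v4_style(const char *princ, char *out, size_t outlen)
{
    size_t n = strlen(princ);
    const char *slash = strchr(princ, '/');
    if (n + 1 > outlen || (slash != NULL && strchr(slash + 1, '/') != NULL))
        return -1;
    memcpy(out, princ, n + 1);
    if (slash != NULL)
        out[slash - princ] = '.';   /* "rra/root" becomes "rra.root" */
    return 0;
}

/* The conservative policy from the message: refuse any v5 principal that
 * contains a period, so it can never alias a name/instance pair. */
static int principal_allowed(const char *princ)
{
    return strchr(princ, '.') == NULL;
}

/* 1 if two different v5 principals flatten to the same v4-style name. */
static int collides(const char *a, const char *b)
{
    char fa[128], fb[128];
    if (strcmp(a, b) == 0 ||
        krb5_to_v4_style(a, fa, sizeof fa) != 0 ||
        krb5_to_v4_style(b, fb, sizeof fb) != 0)
        return 0;
    return strcmp(fa, fb) == 0;
}

int main(void)
{
    /* Constructed sample input; rra.root and rra/root come from the message. */
    const char *p[] = { "rra", "rra/root", "rra.root" };
    char flat[128];
    for (size_t i = 0; i < sizeof p / sizeof p[0]; i++) {
        krb5_to_v4_style(p[i], flat, sizeof flat);
        printf("%-9s -> %-9s %s\n", p[i], flat, principal_allowed(p[i]) ? "accepted" : "rejected");
    }
    printf("rra.root vs rra/root collide: %d\n", collides("rra.root", "rra/root"));
    return 0;
}
```

With the period check in place, only one of the two colliding principals can ever be accepted, which is why the ambiguity cannot reach a privileged instance.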