> On Nov 29, 2018, at 10:00 AM, Weijun Wang <weijun.w...@oracle.com> wrote:
> 
>> - gss_canonicalize_name() is not fully implemented.  This will be noticeable
>>  to callers of GSSNameElement's getKrbName().  In particular, permissions
>>  checks will fail (e.g., in GSSCredElement's doServicePermCheck(); similarly
>>  in NativeGSSContext).
>> 
>>  At minimum you absolutely must parse generic GSS name type names into
>>  Kerberos-style names (e.g., service@hostname -> service/hostname@).
> 
> OK.

I'm playing with the Java native bridge to MIT krb5 and noticed that whatever 
GSSName I created (user, user@REALM, service@host) the toString() of the 
original GSSName and its canonicalize(KRB5_OID) are always the same (and the 
same as the original input). On the other hand, the export() forms of them are 
also the same and show Kerberos-style names.

From the debug output, I can see the first export() call notices it's not MN 
and canonicalizes automatically.

In my library, since there is only one mechanism, the name is created as MN at 
the beginning. So in import_name() you can see service@host is already changed 
into service/host, canonicalize_name() does nothing, and export_name() adds the 
realm. Is this also OK?

Summary:

Input    MIT name    export    MIT mn    export    my name    export    my mn    export
-----    --------    ------    ------    ------    -------    ------    -----    ------
a        a           a@R       a         a@R       a          a@R       a        a@R
s@h      s@h         s/h@      s@h       s/h@      s/h        s/h@R     s/h      s/h@R

Thanks
Max
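
The import/export behaviour in the "my name" and "export" columns above, as an added C sketch that is not code from this thread, from MIT krb5, or from the library under review. The names import_mn, export_mn and enum name_type are hypothetical. The sketch assumes the default realm is passed in by the caller and that a host-based name must carry a host part.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for GSS_C_NT_USER_NAME / GSS_C_NT_HOSTBASED_SERVICE. */
enum name_type { NT_USER, NT_HOSTBASED };

/* Import: build the realm-less Kerberos-style name ("my name" column).
 * Returns 0 on success, -1 on ambiguous input or a too-small buffer. */
int import_mn(enum name_type t, const char *in, char *out, size_t outlen)
{
    int n;
    if (t == NT_HOSTBASED) {
        const char *at = strchr(in, '@');
        /* Assumption of this sketch: service and host must both be present. */
        if (at == NULL || at == in || at[1] == '\0')
            return -1;
        /* A '/' or a second '@' would change the component/realm split. */
        if (strchr(in, '/') || strchr(at + 1, '@'))
            return -1;
        n = snprintf(out, outlen, "%.*s/%s", (int)(at - in), in, at + 1);
    } else {
        n = snprintf(out, outlen, "%s", in);
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Export: append the default realm only when the name carries none. */
int export_mn(const char *mn, const char *realm, char *out, size_t outlen)
{
    int n = strchr(mn, '@') ? snprintf(out, outlen, "%s", mn)
                            : snprintf(out, outlen, "%s@%s", mn, realm);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: the two rows of the table, default realm "R". */
    const char *in[] = { "a", "s@h" };
    enum name_type nt[] = { NT_USER, NT_HOSTBASED };
    char mn[256], ex[256];
    for (int i = 0; i < 2; i++)
        if (import_mn(nt[i], in[i], mn, sizeof mn) == 0 &&
            export_mn(mn, "R", ex, sizeof ex) == 0)
            printf("%-5s %-5s %s\n", in[i], mn, ex);
    return 0;
}
```

Rejecting a stray '/' or a second '@' at import keeps the string later used for permission checks from splitting into different components or a different realm than the caller supplied.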
