KRB5_425_CONV_PRINCIP... BSD Library Functions Manual KRB5_425_CONV_PRINCIP...

NAME

     krb5_425_conv_principal, krb5_425_conv_principal_ext,
     krb5_524_conv_principal — converts to and from version 4 principals

LIBRARY

     Kerberos 5 Library (libkrb5, -lkrb5)

SYNOPSIS

     #include <krb5.h>

     krb5_error_code
     krb5_425_conv_principal(krb5_context context, const char *name,
         const char *instance, const char *realm, krb5_principal *principal);

     krb5_error_code
     krb5_425_conv_principal_ext(krb5_context context, const char *name,
         const char *instance, const char *realm,
         krb5_boolean (*func)(krb5_context, krb5_principal),
         krb5_boolean resolve, krb5_principal *principal);

     krb5_error_code
     krb5_524_conv_principal(krb5_context context,
         const krb5_principal principal, char *name, char *instance,
         char *realm);

DESCRIPTION

     Converting between version 4 and version 5 principals can at best be
     described as a mess.

     A version 4 principal consists of a name, an instance, and a realm. A
     version 5 principal consists of one or more components, and a realm. In
     some cases also the first component/name will differ between version 4
     and version 5.  Furthermore the second component of a host principal will
     be the fully qualified domain name of the host in question, while the
     instance of a version 4 principal will only contain the first part (short
     hostname).  Because of these problems the conversion between principals
     will have to be site customized.

     krb5_425_conv_principal_ext() will try to convert a version 4 principal,
     given by name, instance, and realm, to a version 5 principal. This can
     result in several possible principals, and if func is non-NULL, it will
     be called for each candidate principal.  func should return true if the
     principal was “good”.  To accomplish this, krb5_425_conv_principal_ext()
     will look up the name in krb5.conf.  It first looks in the
     v4_name_convert/host subsection, which should contain a list of version 4
     names whose instance should be treated as a hostname. This list can be
     specified for each realm (in the realms section), or in the libdefaults
     section.  If the name is found the resulting name of the principal will
     be the value of this binding. The instance is then first looked up in
     v4_instance_convert for the specified realm. If found the resulting value
     will be used as instance (this can be used for special cases), no further
     attempts will be made to find a conversion if this fails (with func).  If
     the resolve parameter is true, the instance will be looked up with
     gethostbyname().  This can be a time consuming, error prone, and unsafe
     operation.  Next a list of hostnames will be created from the instance
     and the v4_domains variable, which should contain a list of possible
     domains for the specific realm.

     On the other hand, if the name is not found in a host section, it is
     looked up in a v4_name_convert/plain binding. If found here the name will
     be converted, but the instance will be untouched.

     This list of default host-type conversions is compiled-in:

           v4_name_convert = {
                   host = {
                           ftp = ftp
                           hprop = hprop
                           imap = imap
                           pop = pop
                           rcmd = host
                           smtp = smtp
                   }
           }

     It will only be used if there isn't an entry for these names in the config
     file, so you can override these defaults.

     krb5_425_conv_principal() will call krb5_425_conv_principal_ext() with
     NULL as func, and the value of v4_instance_resolve (from the libdefaults
     section) as resolve.

     krb5_524_conv_principal() basically does the opposite of
     krb5_425_conv_principal(), it just doesn't have to look up any names, but
     will instead truncate instances found to belong to a host principal. The
     name, instance, and realm should be at least 40 characters long.

EXAMPLES

     Since this is confusing, an example is in order.

     Assume that we have the “foo.com” and “bar.com” domains, which have shared
     a single version 4 realm, FOO.COM. The version 4 krb.realms file looked
     like:

           foo.com         FOO.COM
           .foo.com        FOO.COM
           .bar.com        FOO.COM

     A krb5.conf file that covers this case might look like:

           [libdefaults]
                   v4_instance_resolve = yes
           [realms]
                   FOO.COM = {
                           kdc = kerberos.foo.com
                           v4_instance_convert = {
                                   foo = foo.com
                           }
                           v4_domains = foo.com
                   }

     With this setup and the following host table:

           foo.com
           a-host.foo.com
           b-host.bar.com

     the following conversions will be made:

           rcmd.a-host     -> host/a-host.foo.com
           ftp.b-host      -> ftp/b-host.bar.com
           pop.foo         -> pop/foo.com
           ftp.other       -> ftp/other.foo.com
           other.a-host    -> other/a-host

     The first three are what you expect. If you remove the “v4_domains”, the
     fourth entry will result in an error (since the host “other” can't be
     found). Even if “a-host” is a valid host name, the last entry will not be
     converted, since the “other” name is not known to represent a host-type
     principal.  If you turn off “v4_instance_resolve” the second example will
     result in “ftp/b-host.foo.com” (because of the default domain). And all
     of this is of course only valid if you have working name resolving.
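     The rules in DESCRIPTION and the table in EXAMPLES are one algorithm seen
     from two sides. The following is an added Python model of that algorithm,
     written for this page; it is not Heimdal's code and calls no libkrb5
     function. It reproduces the five conversions above from the krb5.conf and
     host table given, and the 524 direction on the same data. The functions
     conv_425_ext, conv_425, conv_524, make_resolver and run_examples, the
     dict layout standing in for krb5.conf, and the host-table stand-in for
     gethostbyname() are all constructed for this illustration.

```python
"""Model of the principal-conversion rules described on this page.

Added illustration, not Heimdal's code: it calls no libkrb5 function and
replaces gethostbyname() with a constructed host table so it runs offline.
"""
from typing import Callable, Dict, List, Optional

# Compiled-in v4_name_convert/host defaults quoted in DESCRIPTION.
DEFAULT_HOST_NAMES = {"ftp": "ftp", "hprop": "hprop", "imap": "imap",
                      "pop": "pop", "rcmd": "host", "smtp": "smtp"}

# Constructed data mirroring the EXAMPLES section (krb5.conf as a dict).
EXAMPLE_CONF = {
    "libdefaults": {"v4_instance_resolve": True},
    "realms": {"FOO.COM": {"kdc": "kerberos.foo.com",
                           "v4_instance_convert": {"foo": "foo.com"},
                           "v4_domains": ["foo.com"]}},
}
EXAMPLE_HOSTS = ["foo.com", "a-host.foo.com", "b-host.bar.com"]


class ConversionError(Exception):
    """Where the library would return a non-zero krb5_error_code."""


def make_resolver(host_table: List[str]) -> Callable[[str], Optional[str]]:
    """Stand-in for gethostbyname(): short hostname -> FQDN from the table."""
    def resolve(short: str) -> Optional[str]:
        return next((h for h in host_table if h.split(".")[0] == short), None)
    return resolve


def conv_425_ext(name, instance, realm, conf, resolver, resolve, func=None):
    """Model of krb5_425_conv_principal_ext(). Returns 'component/instance';
    realm only selects the [realms] subsection. func, if given, is called
    with each candidate principal and must return True to accept it."""
    realm_conf = conf.get("realms", {}).get(realm, {})
    libdefaults = conf.get("libdefaults", {})

    def name_convert(kind):
        # [realms] entry overrides [libdefaults], which overrides the defaults
        for section in (realm_conf, libdefaults):
            table = section.get("v4_name_convert", {}).get(kind, {})
            if name in table:
                return table[name]
        return DEFAULT_HOST_NAMES.get(name) if kind == "host" else None

    def accept(candidate):
        return func is None or func(candidate)

    v5name = name_convert("host")
    if v5name is not None:                     # instance is a hostname
        mapped = realm_conf.get("v4_instance_convert", {}).get(instance)
        if mapped is not None:                 # explicit mapping: no fallback
            if accept(f"{v5name}/{mapped}"):
                return f"{v5name}/{mapped}"
            raise ConversionError(f"{name}.{instance}: mapped instance rejected")
        candidates = []
        if resolve:                            # v4_instance_resolve = yes
            fqdn = resolver(instance)
            if fqdn is not None:
                candidates.append(fqdn)
        for domain in realm_conf.get("v4_domains", []):
            candidates.append(f"{instance}.{domain}")
        for host in candidates:
            if accept(f"{v5name}/{host}"):
                return f"{v5name}/{host}"
        raise ConversionError(f"{name}.{instance}: host {instance!r} not found")

    v5name = name_convert("plain")
    if v5name is not None:                     # name converted, instance untouched
        return f"{v5name}/{instance}"
    return f"{name}/{instance}"                # unknown name: passed through


def conv_425(name, instance, realm, conf, resolver):
    """Model of krb5_425_conv_principal(): func = NULL, resolve from libdefaults."""
    resolve = conf.get("libdefaults", {}).get("v4_instance_resolve", False)
    return conv_425_ext(name, instance, realm, conf, resolver, resolve)


def conv_524(principal, realm, conf):
    """Model of krb5_524_conv_principal(): reverse the host name table and
    truncate a host-type instance to the short hostname; no DNS involved."""
    v5name, _, instance = principal.partition("/")
    table = dict(DEFAULT_HOST_NAMES)
    for section in (conf.get("libdefaults", {}), conf.get("realms", {}).get(realm, {})):
        table.update(section.get("v4_name_convert", {}).get("host", {}))
    for v4name, mapped in table.items():
        if mapped == v5name:
            return v4name, instance.split(".")[0], realm
    return v5name, instance, realm


def run_examples(conf=EXAMPLE_CONF, hosts=EXAMPLE_HOSTS) -> Dict[str, str]:
    """Convert the five v4 principals from EXAMPLES; errors become 'error: ...'."""
    resolver = make_resolver(hosts)
    out = {}
    for v4 in ("rcmd.a-host", "ftp.b-host", "pop.foo", "ftp.other", "other.a-host"):
        name, instance = v4.split(".", 1)
        try:
            out[v4] = conv_425(name, instance, "FOO.COM", conf, resolver)
        except ConversionError as exc:
            out[v4] = f"error: {exc}"
    return out


if __name__ == "__main__":
    for v4, v5 in run_examples().items():
        print(f"{v4:15} -> {v5}")
```

     Running the file prints the same table as above. The candidate list in
     conv_425_ext also makes visible why the page calls resolution unsafe:
     with v4_instance_resolve on, the chosen version 5 principal depends on
     whatever the resolver answers, so a site that wants to check candidates
     before trusting them does so in func, which sees each one in turn.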

SEE ALSO

     krb5_build_principal(3), krb5_free_principal(3), krb5_parse_name(3),
     krb5_sname_to_principal(3), krb5_unparse_name(3), krb5.conf(5)

HEIMDAL                        September 3, 2003                       HEIMDAL