| 
KRB5_425_CONV_PRINCIPAL(3)OpenBSD        Programmer's       ManuaKRB5_425_CONV_PRINCIPAL(3)
      krb5_425_conv_principal, krb5_425_conv_principal_ext,
     krb5_524_conv_principal - converts to  and  from  version  4
principals
     Kerberos 5 Library (libkrb5, -lkrb5)
      #include <krb5.h>
     krb5_error_code
     krb5_425_conv_principal(krb5_context   context,  const  char
*name,
             const char *instance, const char *realm,
             krb5_principal *principal);
     krb5_error_code
     krb5_425_conv_principal_ext(krb5_context context, const char
*name,
             const char *instance, const char *realm,
             krb5_boolean (*func)(krb5_context, krb5_principal),
             krb5_boolean resolve, krb5_principal *principal);
     krb5_error_code
     krb5_524_conv_principal(krb5_context context,
             const  krb5_principal  principal,  char  *name, char
*instance,
             char *realm);
     Converting between version 4 and version 5 principals can at
best be described
 as a mess.
     A version 4 principal consists of a name, an instance, and a
realm. A
     version 5 principal consists of one or more components,  and
a realm. In
     some cases also the first component/name will differ between
version 4
     and version 5.  Furthermore the second component of  a  host
principal will
     be  the fully qualified domain name of the host in question,
while the instance
 of a version 4 principal will only contain the  first
part (short
     hostname).  Because of these problems the conversion between
principals
     will have to be site customized.
     krb5_425_conv_principal_ext() will try to convert a  version
4 principal,
     given  by  name, instance, and realm, to a version 5 principal. This can
     result in several possible principals, and if func  is  nonNULL, it will
     be  called for each candidate principal.  func should return
true if the
     principal was ``good''.  To accomplish this,
     krb5_425_conv_principal_ext()  will  look  up  the  name  in
krb5.conf.  It
     first  looks  in  the v4_name_convert/host subsection, which
should contain
     a list of version 4 names whose instance should  be  treated
as a hostname.
     This  list  can  be  specified for each realm (in the realms
section), or in
     the libdefaults section.  If the name is found the resulting
name of the
     principal will be the value of this binding. The instance is
then first
     looked up in v4_instance_convert for the specified realm. If
found the
     resulting  value  will be used as instance (this can be used
for special
     cases), no further attempts will be made to find  a  conversion if this
     fails  (with  func).   If the resolve parameter is true, the
instance will
     be looked up with gethostbyname().  This can be a time  consuming, error
     prone,  and unsafe operation.  Next a list of hostnames will
be created
     from the instance and the v4_domains variable, which  should
contain a
     list of possible domains for the specific realm.
     On  the  other hand, if the name is not found in a host section, it is
     looked up in a v4_name_convert/plain binding. If found  here
the name will
     be converted, but the instance will be untouched.
     This list of default host-type conversions is compiled-in:
           v4_name_convert = {
                   host = {
                           ftp = ftp
                           hprop = hprop
                           imap = imap
                           pop = pop
                           rcmd = host
                           smtp = smtp
                   }
           }
     It will only be used if there isn't an entry for these names
in the config
 file, so you can override these defaults.
     krb5_425_conv_principal()             will              call
krb5_425_conv_principal_ext() with
     NULL as func, and the value of v4_instance_resolve (from the
libdefaults
     section) as resolve.
     krb5_524_conv_principal() basically does the opposite of
     krb5_425_conv_principal(), it just doesn't have to  look  up
any names, but
     will  instead  truncate  instances found to belong to a host
principal. The
     name, instance, and realm should be at least  40  characters
long.
     Since this is confusing an example is in place.
     Assume that we have the ``foo.com'', and ``bar.com'' domains
that have
     shared a single version 4  realm,  FOO.COM.  The  version  4
krb.realms file
     looked like:
           foo.com         FOO.COM
           .foo.com        FOO.COM
           .bar.com        FOO.COM
     A krb5.conf file that covers this case might look like:
           [libdefaults]
                   v4_instance_resolve = yes
           [realms]
                   FOO.COM = {
                           kdc = kerberos.foo.com
                           v4_instance_convert = {
                                   foo = foo.com
                           }
                           v4_domains = foo.com
                   }
     With this setup and the following host table:
           foo.com
           a-host.foo.com
           b-host.bar.com
     the following conversions will be made:
           rcmd.a-host     -> host/a-host.foo.com
           ftp.b-host      -> ftp/b-host.bar.com
           pop.foo         -> pop/foo.com
           ftp.other       -> ftp/other.foo.com
           other.a-host    -> other/a-host
     The  first  three  are  what  you  expect. If you remove the
``v4_domains'',
     the fourth entry will result in an  error  (since  the  host
``other'' can't
     be found). Even if ``a-host'' is a valid host name, the last
entry will
     not be converted, since the ``other'' name is not  known  to
represent a
     host-type  principal.   If  you  turn  off ``v4_instance_resolve'' the second
     example will result in  ``ftp/b-host.foo.com''  (because  of
the default domain).
  And  all of this is of course only valid if you have
working name
     resolving.
     krb5_build_principal(3),             krb5_free_principal(3),
krb5_parse_name(3),
     krb5_sname_to_principal(3),            krb5_unparse_name(3),
krb5.conf(5)
 HEIMDAL                              April       11,        1999
[ Back ] |