
    Re: iSCSI: Kerb auth issue 2 - name use in kerberos



    On Thu, 19 Dec 2002, Ofer Biran wrote:
    
    > Bill,
    >
    > I don't understand why Kerberos is different from the other methods
    > from this aspect. No mapping between iSCSI names and user names
    > used in the authentication methods is specified. This is left to
    > local users/principals administration. An administrator may decide
    > that iSCSI target principals in his domain are always
    > iscsi/<target_name>, and this should be known to initiators in that
    > domain. But someone may want / already have a different scheme.
    
    Please note I was talking about behaviors for the name-is-nul case. If you
    put in a principal name, you use that principal name.
    
    Also, Kerberos is different in that it has concepts about who/what a
    principal is, and how to get the principal name given what you want to
    talk to. If your host name is foo.bar.com, your principal (for telnetting,
    etc.) is host/foo.bar.com. That's that. If your DNS name is different,
    your principal (and what needs to be in your keytab) is different. Two DNS
    names? Then you have two sets of principal keys in your keytab.
    
    All the Kerberos folks I talked to said (after translating) that as the
    canonical name in iSCSI is the node name, the principal SHOULD be
    "iscsi/<node_name>". You should really only do something different if you
    have a good reason. And maybe even not then.
    
    Rather than lock people into this (the stick of an RFC MUST), my thought
    was to use the carrot of convenience. You leave the name nul (zero-length
    string), and the "right" thing just happens.
    
    
    So no comment on the difference in semantics for the principal names in
    the ipsAuthCredKerberos when used via iscsiIntrAuthorization?
    
    Take care,
    
    Bill
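
    The naming convention argued for above (an empty name means "use
    iscsi/<node_name>", a supplied principal is used as given, and every
    name a node answers to needs its own principal and keytab entry) can be
    written down as a small routine. The following is an added example, not
    code from this thread or from any iSCSI implementation; the realm, node
    names and the backslash escaping of '/' and '@' inside a principal
    component (the MIT/Heimdal convention) are assumptions made here.

```python
"""Derive the Kerberos principal for an iSCSI node.

Added example (not from the IPS list or any iSCSI stack).  Assumptions:
the default principal form is iscsi/<node_name>@REALM, and '/', '@' and
'\\' inside a component are backslash-escaped as MIT/Heimdal Kerberos do.
All node names and realms below are constructed for illustration.
"""

# Characters that are structural in a principal string and therefore
# must be escaped when they occur inside a component.
_ESCAPES = {"/": "\\/", "@": "\\@", "\\": "\\\\"}


def escape_component(component: str) -> str:
    """Escape a string so it is safe as a single principal component."""
    return "".join(_ESCAPES.get(ch, ch) for ch in component)


def _has_unescaped_at(principal: str) -> bool:
    """True if the principal already carries a realm ('@' not escaped)."""
    escaped = False
    for ch in principal:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "@":
            return True
    return False


def kerberos_principal(node_name: str, realm: str, name: str = "") -> str:
    """Return the principal an initiator should ask for / a target should hold.

    name == ""            -> the name-is-nul case: "iscsi/<node_name>@REALM"
    name without a realm  -> that principal, qualified with `realm`
    name with a realm     -> used exactly as supplied
    """
    if not realm or "@" in realm or "/" in realm:
        raise ValueError("realm must be non-empty and contain no '@' or '/'")
    if name == "":
        if node_name == "":
            raise ValueError("node name required when no principal is given")
        return f"iscsi/{escape_component(node_name)}@{realm}"
    if _has_unescaped_at(name):
        return name
    return f"{name}@{realm}"


def keytab_principals(node_names, realm: str) -> list:
    """Principals a target must have keys for: one per node name it uses.

    Mirrors the host/<dns_name> analogy in the message: two names means two
    principals (and two sets of keys) in the keytab.
    """
    return sorted({kerberos_principal(n, realm) for n in node_names})


if __name__ == "__main__":
    # Constructed sample data.
    target = "iqn.2001-04.com.example:storage.disk2.sys1.xyz"
    print(kerberos_principal(target, "EXAMPLE.COM"))
    print(kerberos_principal(target, "EXAMPLE.COM", "iscsi-target/node1"))
    print(keytab_principals([target, "iqn.2001-04.com.example:backup"], "EXAMPLE.COM"))
```

    The point the routine makes explicit is the one-directional default:
    an initiator that leaves the name empty gets a principal it can compute
    from the node name alone, while an administrator with a different
    scheme simply supplies it and is not second-guessed.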
    
    

