[OpenAFS] Kerberos with AFS

Martin Schulz schulz@iwrmm.math.uni-karlsruhe.de
29 May 2001 10:16:56 +0200


"Patrick J. LoPresti" <patl@curl.com> writes:

> Derrick J Brashear <shadow@dementia.org> writes:
> 
> > That would be "the krb5 principal "host/name.of.machine.domain" gets
> > translated to the krb4 principal "rcmd.name".
> 
> Translated by whom, and when?

As I understood it, it is the task of the client side. Kerberos 4
principals are restricted to the form of "principal" or
"princ.instance".  So if aklog (or any other client program) wants to
get an afs token, it has to translate the krb5 principal to the krb4 form. 

For usual human users with principals without any dots and slashes
such as "schulz", nothing changes. Principals such as "schulz/admin"
need to be translated to "schulz.admin". It really gets tricky when it
comes to principals such as the above-mentioned
"host/name.of.machine.domain". This gets translated to "rcmd.name" by
convention. 

> Sorry if that is a dumb question; I guess I need to learn about v4/v5
> integration in general.  Any suggestions for things to read?

Dunno. I fell into the very same trap. That's why I mentioned it here.


I suppose I will start next week to put this thread into a small
mini-FAQ on my web page... or has anybody already started to do so?

Yours,
-- 
Martin Schulz                             schulz@iwrmm.math.uni-karlsruhe.de
Uni Karlsruhe, Institut f. wissenschaftliches Rechnen u. math. Modellbildung
Engesser Str. 6, 76128 Karlsruhe
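
Added example, not part of the original message and not aklog's code: a Python sketch of the client-side krb5-to-krb4 translation described above, plus a check for distinct krb5 principals that end up with the same krb4 name once the host domain is dropped. The function names, the optional "@REALM" handling, the rejection of names the post does not cover, and the second host principal in the sample are assumptions of this example.

```python
# Only the service rule named in the post is encoded: krb5 "host" -> krb4 "rcmd".
SERVICE_MAP = {"host": "rcmd"}

def krb5_to_krb4(principal):
    """Return (name, instance, realm) in krb4 form for a krb5 principal string."""
    body, _, realm = principal.partition("@")   # realm handling is an assumption
    parts = body.split("/")
    if not all(parts) or len(parts) > 2:
        # krb4 only has "principal" or "princ.instance"
        raise ValueError(f"no krb4 form for {principal!r}")
    name = parts[0]
    instance = parts[1] if len(parts) == 2 else ""
    if "." in name:
        # a dot in the name would be read as the name/instance separator
        raise ValueError(f"dot in first component of {principal!r}")
    if name in SERVICE_MAP and instance:
        name = SERVICE_MAP[name]
        instance = instance.split(".", 1)[0]    # keep the short host name only
    elif "." in instance:
        # choice made for this example: refuse rather than guess
        raise ValueError(f"dotted instance without a service rule: {principal!r}")
    return name, instance, realm

def format_krb4(name, instance, realm=""):
    """Render a krb4 principal as "name", "name.instance", optionally "@REALM"."""
    text = f"{name}.{instance}" if instance else name
    return f"{text}@{realm}" if realm else text

def find_collisions(principals):
    """Group krb5 principals that translate to the same krb4 principal."""
    seen = {}
    for p in principals:
        seen.setdefault(format_krb4(*krb5_to_krb4(p)), []).append(p)
    return {k4: k5 for k4, k5 in seen.items() if len(k5) > 1}

# Constructed sample: the first three appear in the thread, the last is made up.
SAMPLE = [
    "schulz",
    "schulz/admin",
    "host/name.of.machine.domain",
    "host/name.other.example",
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p:32} -> {format_krb4(*krb5_to_krb4(p))}")
    print("collisions:", find_collisions(SAMPLE))
```

Two hosts that share a short name in different domains map to one krb4 principal within a realm, which is worth checking for before relying on the translated name for authorization.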