[OpenAFS] what is aklog's algorithm for "deducing" what realm to authenticate to?
Adam Megacz
megacz@cs.berkeley.edu
Tue, 27 Dec 2005 15:54:21 -0800
[see end of message for additional details on why my cell works this way]

This is weird. When I execute "aklog -c megacz.com", aklog does not attempt
to authenticate to the "obvious" k5 realm (MEGACZ.COM -- I have the
DNS autodetection entries for that, and they work):

megacz@maxwell:~$aklog -d -c megacz.com
Authenticating to cell megacz.com (server fleet.cs.berkeley.edu).
We've deduced that we need to authenticate to realm CS.BERKELEY.EDU.
Getting tickets: afs/megacz.com@CS.BERKELEY.EDU
Kerberos error code returned by get_cred: -1765328377
aklog: Couldn't get megacz.com AFS tickets:
aklog: Server not found in Kerberos database while getting AFS tickets

On unixoid platforms I can override this with "-k MEGACZ.COM" and
everything works fine, but the Win32 GUI token client offers no such
option.

Is there anything I can do on the server/DNS side to get clients'
aklog to deduce the proper cell without having to be explicitly told?
I would assume that if the cell name explicitly stated on the command
line is a valid realm that aklog would use that before trying anything
else.

.......................................................
Gory details:

At the moment I'm using my own domain (megacz.com) to try out some AFS
stuff on my machines here on campus since making any sort of DNS
change to *.berkeley.edu usually turns into a four-day ordeal
involving begging and bribery -- and that's just during the semester.
During winter break it'd probably be even worse.

I'll move back to *.berkeley.edu when I'm ready to "etch things in
stone" so to speak. At the moment my cell and realm are
megacz.com/MEGACZ.COM, my k5 server is on turing.megacz.com
(off-campus), and all other machines are on-campus hosts in
*.cs.berkeley.edu (some of which have additional entries in
*.megacz.com pointing at them).

- a
--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380