[OpenAFS] Re: klog.krb5 on mac os x 10.6.8

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 09 Nov 2011 01:12:17 -0500

On 11/8/2011 10:46 AM, Salvatore Podda wrote:
> OK, I got it.
> Can `klog.krb5' be considered like other applications (kinit, telnet ...)
> with specific Kerberos appdefaults?

Except that there are no [appdefaults] settings that are read from the
profile by klog.krb5.

> I read a post by Russ Allbery (actually a little bit old) where he states:
> "...*Everything* uses libdefaults. Ideally, IMO, kinit and the like should
> take their defaults from libdefaults and then override those with appdefaults
> settings, if present."
> http://fixunix.com/kerberos/60055-kinit-uses-libdefaults-krb5-conf-inst=

The settings in [libdefaults] for lifetime, renewal, forwardable, etc
are used by the Kerberos library.

There are no klog.krb5 overrides in the krb5.conf.

>>> but I was induced to believe that this is the realm assumed if you fail
>>> to declare the
>>> -k REALM.XX
>>> in klog.krb5, or at least that is what you may deduce from the relevant
>>> man page.
>> -k REALM.XX is the realm of the cell.  Not the realm of the user
>> principal.
> I understand the possible difference between the realm of the cell
> and the realm of the user principal, but in the usual (my) case where
> the two realms coincide, what is the difference between
> `klog.krb5 -pr xxxx@REALM.XX' and  `klog.krb5 -pr xxxx -k REALM.XX'?
> This is enforced (or misled) by the klog.krb5 man page,
> where for the flag `-k' you can read:
> -k <realm>
>            Obtain tickets and tokens from the <realm> Kerberos realm.  If this
>            option is not given, klog.krb5 defaults to using the default
>            realm.  The Kerberos realm name need not match the AFS cell

That text is almost correct if it was written in a world where the local
AFS cell has a single Kerberos realm and that realm is the same as the
local workstation Kerberos realm.

Unfortunately, that is not true for all environments.

>> In the absence of -k, the realm of the cell is determined by
>> obtaining the DNS name of a vlserver and then applying the host-to-realm
>> rules as determined by krb5.conf.
> OK
>>> Following the dispute it is even incomprehensible (to me!) why, having
>>> declared the default realm in the Kerberos configuration file, the
>>> klog.krb5 command does not work in the forms
>>> klog.krb5 -pr xxxxx -c cell.xx -k CELL.XX

This doesn't work because you have not specified a realm as part of the
client principal name.

>>> or
>>> klog.krb5 -pr xxxxx@CELL.XX  -c cell.xx -k CELL.XX

Is CELL.XX the name of the realm in the afs/cell.xx@REALM or afs@REALM
service principal?

>>> but works in the form
>>> klog.krb5 -pr xxxxx@CELL.XX -c cell.xx

I would guess that CELL.XX is not the name of the realm that is a part
of the afs/cell.xx@REALM or afs@REALM service principal.

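As an added illustration of the realm resolution Jeffrey describes above (the cell realm comes from -k, or else from a vlserver's DNS name run through the krb5.conf host-to-realm rules, and it is distinct from the realm in the user principal), here is a small Python model of that lookup. It is example code written for this page, not code from the thread, OpenAFS or MIT Kerberos. The krb5.conf contents, host names and realm names are constructed for the example; the [domain_realm] matching order (exact host first, then parent domains with a leading dot, longest first) follows the documented MIT behaviour, while the fallback to default_realm is an assumption of this example and stands in for the DNS TXT lookup and other heuristics a real library may try.

```python
import re
from typing import Dict, Iterable, Optional

# Constructed sample krb5.conf for this example; not taken from the thread.
# Note that the workstation's default realm and the AFS cell's realm differ,
# which is exactly the situation the man page text does not cover.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = WORKSTATION.EXAMPLE

[domain_realm]
    .cell.example = AFSCELL.EXAMPLE
    cell.example = AFSCELL.EXAMPLE
    vl3.cell.example = LEGACY.EXAMPLE   # one vlserver mapped explicitly
"""


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the flat 'key = value' stanzas needed here.

    Only [libdefaults]/[domain_realm]-style sections are handled; brace
    nested blocks such as [realms] are out of scope for this example.
    Keys are lowercased because host and domain matching is case-insensitive.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key.lower()] = value
    return sections


def host_to_realm(host: str, conf: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Map a host name to a Kerberos realm using [domain_realm].

    Order: exact host name, then each parent domain written with a leading
    dot from the longest to the shortest, then (assumed here) default_realm.
    A real library might instead consult DNS TXT records; this does not.
    """
    mapping = conf.get("domain_realm", {})
    name = host.lower().rstrip(".")
    if name in mapping:
        return mapping[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf.get("libdefaults", {}).get("default_realm")


def cell_realm(vlservers: Iterable[str], conf: Dict[str, Dict[str, str]],
               k_realm: Optional[str] = None) -> Optional[str]:
    """Realm of the AFS cell, as described in the thread.

    An explicit -k REALM wins outright; otherwise the DNS name of a vlserver
    is put through the host-to-realm rules.  The first vlserver that maps
    decides (an assumption of this model).
    """
    if k_realm:
        return k_realm
    for vl in vlservers:
        realm = host_to_realm(vl, conf)
        if realm:
            return realm
    return None


def principal_realm(principal: str) -> Optional[str]:
    """Realm named in the client principal, if any.

    -k is deliberately not applied here: as the thread states, it names the
    cell's realm, not the user's.  How an unqualified principal is completed
    is left to the Kerberos library and is not modelled.
    """
    return principal.rsplit("@", 1)[1] if "@" in principal else None


CONF = parse_krb5_conf(SAMPLE_KRB5_CONF)

if __name__ == "__main__":
    vls = ["vl1.cell.example", "vl2.cell.example"]
    print("cell realm (no -k):", cell_realm(vls, CONF))
    print("cell realm (-k):   ", cell_realm(vls, CONF, "AFSCELL.EXAMPLE"))
    print("user realm:        ", principal_realm("xxxxx@WORKSTATION.EXAMPLE"))
```

Running it shows the two realms the thread keeps apart: the cell resolves to AFSCELL.EXAMPLE from the vlserver name while the user principal carries WORKSTATION.EXAMPLE, so supplying -k with the wrong realm changes which afs/cell service principal is requested without changing whose credentials are used.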