[OpenAFS] Kerberos Authentication with OpenAFS.

Derek Atkins warlord@MIT.EDU
11 May 2002 19:51:30 -0400


Ken,

Are you _sure_ it doesn't try it?  I'm only asking because
it has always worked for me.  Then again, it's quite possible
that I patch it to try afs/cell@REALM and, if that fails, to
try afs@REALM.

The choice of afs@REALM was _always_ a bad idea, and whoever made
that decision long ago should be shot.

<wistful memory>
I remember a certain bug...  You see, there was an MIT student who
obtained the username "afs", and, well, there was this interesting
bug in the AFS code, and, well.....  Needless to say once this user
went away we locked out the account.
</wistful memory>

We should seriously standardize on afs/cell@REALM, whether or not
the cell == REALM.

-derek

Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:

> >You will need:
> >        afs/<cell>@REALM in kerberos, with a des-cbc-crc key only
> 
> This brings up something I've been meaning to talk about.
> 
> The migration kit's documentation says normally you should use afs@REALM,
> because if you're migrating over from V4, that's the name of the principal
> you're using.  It only suggests using afs/<cell>@REALM if your cell name
> doesn't match your realm.
> 
> The problem with using afs/<cell>@REALM is that the stock aklog I have
> in the migration kit doesn't try it.  I guess the one you guys are shipping
> has been patched.  I'm just wondering if we should think about standardizing
> on the principal name, because there seems to be some variance out there.
> 
> --Ken

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available