[OpenAFS] Re: Cell/Realm Name and DNS

Dr A V Le Blanc <LeBlanc@mcc.ac.uk>
Wed, 9 Jul 2003 17:03:18 +0100


On Tue 08 Jul 2003 at 01:07:54, Stefan Nobis <stefan-ml@snobis.de> wrote:
> How important is it to choose a domain name as realm and cell name
> for Kerberos/OpenAFS? What are the drawbacks if something other
> than domain names are chosen?

On 07 Jul 2003 at 20:46:32, Derek Atkins <warlord@MIT.EDU> wrote:
> It depends -- do you plan to play in the global world?  If you do, then
> you must use a real domain name.

And later added:

> [This] is a real-world answer to the effect that if you want to publish
> your domain info for others to use, you need to either be in the
> global CellServDB _OR_ you need to publish AFSDB records for your
> domain.
> 
> If someone else has your domain name then THEY could publish AFSDB
> records and usurp your cell from under you.

There were many cells in the Transarc CellServDB that did not have
the cell and realm names match the DNS records.  There are some
in the OpenAFS CellServDB.  For an example, consider:

     >hephy.at               # hephy-vienna
     193.170.243.14                  #akela.oeaw.ac.at
     193.170.243.12                  #baloo.oeaw.ac.at
     193.170.243.10                  #mowgli.oeaw.ac.at

Note that I agree with Derek that it is easier when everything matches.
What I don't agree with is the statement Derek made: that you _must_
use a real domain name for your cell and realm name.  This is not
true, and what Stefan asked for was a more detailed account of what
the consequences might be.

First, you can't use afsdb.  Second, if you use KTH Kerberos, you
will need to put statements into your /etc/krb.realms like these:

     .mcc.ac.uk      MCC.AC.GB
     .man.ac.uk      MCC.AC.GB
     .umist.ac.uk    MCC.AC.GB

and so on.  If you use Heimdal, you need a number of things in your
/etc/krb5.conf.  Is this accurate so far?  Are there any other
consequences?  I've never used MIT Kerberos, so I can't say what
the consequences are in that case.

     -- Owen
     LeBlanc@mcc.ac.uk
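
An added example, not part of the original message: a short Python check that parses CellServDB-format text and lists cells whose database server hostnames fall outside the DNS domain named by the cell, as in the hephy.at entry quoted above. The function names and the `example.org` entry are assumptions made for illustration; the sample input is constructed.

```python
"""Flag CellServDB cells whose database servers sit outside the cell name's DNS domain."""

# Constructed sample: the first entry is the one quoted in the message above;
# the second is a made-up cell (example.org) added for contrast.
SAMPLE = """\
>hephy.at               # hephy-vienna
193.170.243.14                  #akela.oeaw.ac.at
193.170.243.12                  #baloo.oeaw.ac.at
193.170.243.10                  #mowgli.oeaw.ac.at
>example.org            # constructed entry
192.0.2.10                      #afsdb1.example.org
"""


def parse_cellservdb(text):
    """Return {cell_name: [(ip, hostname), ...]} from CellServDB-format text."""
    cells, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Everything after '#' is a comment: cell description or server hostname.
        body, _, comment = line.partition("#")
        body, comment = body.strip(), comment.strip()
        if body.startswith(">"):
            current = body[1:].strip().lower()
            cells[current] = []
        elif current is not None and body:
            cells[current].append((body, comment.lower()))
    return cells


def in_domain(hostname, domain):
    """True if hostname equals domain or is a subdomain of it (whole labels only)."""
    hostname, domain = hostname.rstrip("."), domain.rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def mismatched_cells(cells):
    """Return {cell: [hostnames outside the cell-name domain]} for cells with any."""
    report = {}
    for cell, servers in cells.items():
        outside = [h for _, h in servers if h and not in_domain(h, cell)]
        if outside:
            report[cell] = outside
    return report


if __name__ == "__main__":
    for cell, hosts in mismatched_cells(parse_cellservdb(SAMPLE)).items():
        print(f"{cell}: servers outside cell domain: {', '.join(hosts)}")
```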