[OpenAFS] Re: gssklog[d] works with berkeley.edu kerberos realm, but needed a hack -- why?

Adam Megacz megacz@cs.berkeley.edu
Thu, 28 Apr 2005 01:55:05 -0700


"Douglas E. Engert" <deengert@anl.gov> writes:
> Looks like they let you register the principal gssklog/...@BERKELEY.EDU

Correct; I requested that a few days ago and imported the secret key
they generated for me into /etc/krb5.keytab.

>>            -s gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU \

> The -s option is for the GSSAPI import name, which is not the same as
> a krb5 principal name, as the gss is expecting <service>@<host>
> If the krb5 gss is being used, you should not need the -s option,
> as the defaults for creating a principal will be gssklog/<host>@<realm>

Right, but if I don't specify the "-s" option, it tries:

  len=69, name=gssklog/reconfigurable.cs.berkeley.edu@RECONFIGURABLE.CS.BERKELEY.EDU

... it's using the "home" realm for the "@<realm>" part.  It ought to
be using the foreign realm.  If I use "-s gssklog@BERKELEY.EDU", it's
*almost* right:

  len=41, name=gssklog/arachne.berkeley.edu@BERKELEY.EDU

Again, I have no clue what arachne is.  How do I forcibly override this?

> It's not gssklog/<afscell>@<realm>
> but      gssklog/<host of gssklogd server>@<realm>

Ok, in my case, these happen to be the same thing.  But I'll keep that
in mind.

> You will need a principal in the realm and the keytab for
> gssklog/arachne.berkeley.edu@BERKELEY.EDU
> I assume that the host name of the afs/gssklogd server is arachne.berkeley.edu?
> Or was your IP once assigned to arachne, and DNS needs to be updated?

No:

  root@reconfigurable# hostname
  reconfigurable.cs.berkeley.edu

  root@reconfigurable# dig reconfigurable.cs.berkeley.edu
  reconfigurable.cs.berkeley.edu. 86400 IN A      128.32.37.206

  root@reconfigurable# dig -x 128.32.37.206
  206.37.32.128.in-addr.arpa. 3600 IN     PTR     reconfigurable.CS.Berkeley.EDU.


> In any case the principal has the hostname.

Um, I don't understand.

> Note for AFS with gssklog, you don't need your own realm. But if
> you do have users in your realm and don't use cross realm,
> you may also want to add a principal to your own realm,

Right, I will need to add users who don't have @BERKELEY.EDU
principals (and are not able to get them).

> Answer: Misunderstanding of the -s option and the principals used by default.

Okay, but we still haven't figured out why gssklogd thinks my machine
is arachne.  Or even where that name came from.  Polling /dev/random,
perhaps?

  - a
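Added example (not code from gssklog, OpenAFS, or either author) modelling in Python the mapping Douglas describes above: a GSS host-based name "service@host" becomes "service/host@REALM", where the host part is canonicalized through DNS (forward lookup, then a reverse lookup when rdns is on) and the realm comes from a [domain_realm]-style suffix match or a default. The DNS tables, the berkeley.edu-to-arachne reverse mapping, the realm mapping and LOCAL.REALM are constructed assumptions, not facts from the thread.

```python
# Constructed illustration: GSS host-based service name -> krb5 principal.
# The DNS data, [domain_realm] mapping and default realm below are made up;
# real krb5 also consults DNS TXT/SRV records and has further fallback rules.

def parse_hostbased_name(gss_name):
    """Split a GSS_C_NT_HOSTBASED_SERVICE name into (service, host)."""
    service, sep, host = gss_name.partition("@")
    if not sep or not service or not host:
        raise ValueError(f"not a service@host name: {gss_name!r}")
    return service, host.lower()

def canonicalize_host(host, forward, reverse):
    """Mimic krb5 hostname canonicalization: forward lookup, then (with rdns
    enabled, the traditional default) a reverse lookup of the resulting
    address. The host is returned unchanged when a lookup fails."""
    addr = forward.get(host)
    if addr is None:
        return host
    return reverse.get(addr, host).lower()

def realm_for_host(host, domain_realm, default_realm):
    """[domain_realm]-style lookup: the exact host first, then each parent
    domain (".cs.berkeley.edu", ".berkeley.edu", ...), then the default."""
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        if cand in domain_realm:
            return domain_realm[cand]
    return default_realm

def gss_name_to_principal(gss_name, forward, reverse, domain_realm, default_realm):
    service, host = parse_hostbased_name(gss_name)
    host = canonicalize_host(host, forward, reverse)
    return f"{service}/{host}@{realm_for_host(host, domain_realm, default_realm)}"

# Constructed DNS tables. The thread shows the reconfigurable entries; the
# berkeley.edu -> 192.0.2.10 -> arachne.berkeley.edu pair is an assumption
# used only to show how a reverse lookup can rewrite the host part.
FORWARD = {"reconfigurable.cs.berkeley.edu": "128.32.37.206",
           "berkeley.edu": "192.0.2.10"}
REVERSE = {"128.32.37.206": "reconfigurable.CS.Berkeley.EDU",
           "192.0.2.10": "arachne.berkeley.edu"}
NO_MAPPING = {}                                  # no [domain_realm] entries
MAPPING = {".berkeley.edu": "BERKELEY.EDU"}      # constructed mapping

if __name__ == "__main__":
    for name, dr in (("gssklog@reconfigurable.cs.berkeley.edu", NO_MAPPING),
                     ("gssklog@reconfigurable.cs.berkeley.edu", MAPPING),
                     ("gssklog@BERKELEY.EDU", MAPPING)):
        print(name, "->", gss_name_to_principal(name, FORWARD, REVERSE, dr, "LOCAL.REALM"))
```

With no mapping the realm falls back to the default, which is the symptom of getting the "home" realm appended; with a suffix mapping in place the same host lands in BERKELEY.EDU.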