[OpenAFS] Re: gssklog[d] works with berkeley.edu kerberos
realm, but needed a hack -- why?
Thu, 28 Apr 2005 11:04:09 -0400
On Thursday, April 28, 2005 01:55:05 AM -0700 Adam Megacz
> "Douglas E. Engert" <firstname.lastname@example.org> writes:
>> Looks like they let you register the principal gssklog/...@BERKLEY.EDU
> Correct; I requested that a few days ago and imported the secret key
> they generated for me into /etc/krb5.keytab.
>>> -s gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU \
>> The -s option is for the GSSAPI import name, which is not the same as
>> a krb5 principal name, as the gss is expecting <service>@<host>
>> If the krb5 gss is being used, you should not need the -s option,
>> as the defaults for creating a principal will be gssklog/<host>@<realm>
> Right, but if I don't specify the "-s" option, it tries:
> ... it's using the "home" realm for the "@<realm>" part. It ought to
> be using the foriegn realm. If I use "-s gssklog@BERKELEY.EDU", it's
> *almost* right:
> len=41, name=gssklog/arachne.berkeley.edu@BERKELEY.EDU
> Again, I have no clue what arachne is. How do I forcibly override this?
I think you missed a point that Doug made, and in fact he missed part of
The argument to -s is not a Kerberos principal name.
It is a GSSAPI host-based service name, as described in section 4.1 of
RFC2743. The form of such a name is 'service@hostname'; since GSSAPI is
generic, it has no concept of "realm".
In the case of the Kerberos V5 mechanism, a GSSAPI host-based service name
of the form 'service@hostname' is mapped onto a Kerberos principal name
like 'service/hostname@REALM', where the realm is derived from the hostname
in the standard fashion. So, when you give a service name like
'gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU', the mechanism takes
'gssklog/reconfigurable.cs.berkeley.edu' as the service name, and
'BERKELEY.EDU' as the hostname. Following a bad recommendation in RFC2743,
it then attempts to "canonicalize" the hostname by looking it up in DNS.
If you look up BERKELEY.EDU's address in DNS, and then do a reverse lookup
on that address, you'll find that arachne.berkeley.edu is BERKELEY.EDU's
Doug is also right that you don't need the -s in this case, because the
default service name 'email@example.com' is correct.
However, you do need to add an appropriate domain_realm mapping to your
krb5.conf so that this hostname is mapped into the BERKELEY.EDU realm.
-- Jeffrey T. Hutzelman (N3NHS) <firstname.lastname@example.org>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA