[OpenAFS] Re: gssklog[d] works with berkeley.edu kerberos realm, but needed a hack -- why?

Jeffrey Hutzelman jhutz@cmu.edu
Thu, 28 Apr 2005 11:04:09 -0400

On Thursday, April 28, 2005 01:55:05 AM -0700 Adam Megacz 
<megacz@cs.berkeley.edu> wrote:

> "Douglas E. Engert" <deengert@anl.gov> writes:
>> Looks like they let you register the principal gssklog/...@BERKLEY.EDU
> Correct; I requested that a few days ago and imported the secret key
> they generated for me into /etc/krb5.keytab.
>>>            -s gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU \
>> The -s option is for the GSSAPI import name, which is not the same as
>> a krb5 principal name, as the gss is expecting <service>@<host>
>> If the krb5 gss is being used, you should not need the -s option,
>> as the defaults for creating a principal will be gssklog/<host>@<realm>
> Right, but if I don't specify the "-s" option, it tries:
>   len=69,
> name=gssklog/reconfigurable.cs.berkeley.edu@RECONFIGURABLE.CS.BERKELEY.EDU
> ... it's using the "home" realm for the "@<realm>" part.  It ought to
> be using the foriegn realm.  If I use "-s gssklog@BERKELEY.EDU", it's
> *almost* right:
>   len=41, name=gssklog/arachne.berkeley.edu@BERKELEY.EDU
> Again, I have no clue what arachne is.  How do I forcibly override this?

I think you missed a point that Doug made, and in fact he missed part of 
its significance...

The argument to -s is not a Kerberos principal name.
It is a GSSAPI host-based service name, as described in section 4.1 of 
RFC2743.  The form of such a name is 'service@hostname'; since GSSAPI is 
generic, it has no concept of "realm".

In the case of the Kerberos V5 mechanism, a GSSAPI host-based service name 
of the form 'service@hostname' is mapped onto a Kerberos principal name 
like 'service/hostname@REALM', where the realm is derived from the hostname 
in the standard fashion.  So, when you give a service name like
'gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU', the mechanism takes 
'gssklog/reconfigurable.cs.berkeley.edu' as the service name, and 
'BERKELEY.EDU' as the hostname.  Following a bad recommendation in RFC2743, 
it then attempts to "canonicalize" the hostname by looking it up in DNS.

If you look up BERKELEY.EDU's address in DNS, and then do a reverse lookup 
on that address, you'll find that arachne.berkeley.edu is BERKELEY.EDU's 
canonical hostname.

Doug is also right that you don't need the -s in this case, because the 
default service name 'gssklog@reconfigurable.cs.berkeley.edu' is correct. 
However, you do need to add an appropriate domain_realm mapping to your 
krb5.conf so that this hostname is mapped into the BERKELEY.EDU realm.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA