[OpenAFS] Re: gssklog[d] works with berkeley.edu kerberos realm, but needed a hack -- why?
Adam Megacz
adam@megacz.com
Fri, 29 Apr 2005 00:46:47 -0700
"Douglas E. Engert" <deengert@anl.gov> writes:
> There are two ways around this:
>
> (1) have an extra krb5.conf file with the default realm of BERKELEY.EDU
> or the [domain_realm] reconfigurable.cs.berkeley.edu = BERKELEY.EDU
> Then have environment variable KRB5_CONFIG set in the environment before
> the gssklogd is run.
>
> (2) Use a modified gss that will allow the server to use any entry
> in the keytab where the service and host match. Thus the same
> gssklogd could respond to:
> gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU
> or
> gssklog/reconfigurable.cs.berkeley.edu@RECONFIGURABLE.CS.BERKELEY.EDU
>
> Option (2) is probably what you will want in the long run anyway, as you are
> running two realms, and are not using cross realm (or are you?). See the attached
> patch for accept_sec_context.c

Ah, okay. I get it now. Thanks!!

> The arachne is still a mystery. But does your krb5.conf have a line with:
> berkeley.edu = arachne.berkeley.edu

Nope, but Jeffrey's posting managed to figure out that this is coming
from a reverse lookup on the IP you get from a forward lookup on
berkeley.edu. Truly weird.
- a
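
As an added illustration of option (1) in the quoted reply (not code from this thread or from gssklog/OpenAFS): a simplified Python model of how a `[domain_realm]` entry changes the realm chosen for a host's service principal. The `default_realm` value, the helper names, and the direct fallback to `default_realm` when no entry matches are assumptions made for the example; the real Kerberos library has further lookup steps.

```python
"""Simplified model of a krb5.conf [domain_realm] host-to-realm lookup."""

# Constructed krb5.conf text: option (1) in its [domain_realm] form.
# The default_realm shown here is an assumption for illustration.
KRB5_CONF = """
[libdefaults]
    default_realm = RECONFIGURABLE.CS.BERKELEY.EDU

[domain_realm]
    reconfigurable.cs.berkeley.edu = BERKELEY.EDU
"""

def parse_sections(text):
    """Parse flat 'key = value' lines grouped under [section] headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def realm_for_host(host, conf):
    """Exact host entry first, then parent domains written as '.domain',
    then (simplification) the configured default_realm."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf.get("libdefaults", {}).get("default_realm")

def service_principal(service, host, conf):
    """Build service/host@REALM the way a server would name its own key."""
    return f"{service}/{host}@{realm_for_host(host, conf)}"

if __name__ == "__main__":
    conf = parse_sections(KRB5_CONF)
    print(service_principal("gssklog", "reconfigurable.cs.berkeley.edu", conf))
```

Comparing the printed principal against the entries listed by `klist -k` for the server's keytab shows whether the daemon will find a matching key.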