[OpenAFS] Re: gssklog[d] works with berkeley.edu kerberos realm, but needed a hack -- why?

Adam Megacz adam@megacz.com
Fri, 29 Apr 2005 00:46:47 -0700


"Douglas E. Engert" <deengert@anl.gov> writes:
> There are two ways around this:
>
>   (1) have an extra krb5.conf file with the default realm of BERKELEY.EDU
>       or the [domain_realm]   reconfigurable.cs.berkeley.edu = BERKELEY.EDU
>       Then have the environment variable KRB5_CONFIG set in the environment before
>       gssklogd is run.
>
>   (2) Use a modified gss that will allow the server to use any entry
>       in the keytab  where the service and host match. Thus the same
>       gssklogd could respond to:
>        gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU
>        or
>        gssklog/reconfigurable.cs.berkeley.edu@RECONFIGURABLE.CS.BERKELEY.EDU
>
> Option (2) is probably what you will want in the long run anyway, as you are
> running two realms, and are not using cross realm (or are you?). See the attached
> patch for accept_sec_context.c


Ah, okay.  I get it now.  Thanks!!

> The arachne is still a mystery. But does your krb5.conf have a line with:
>    berkeley.edu = archane.berkeley.edu

Nope, but Jeffrey's posting managed to figure out that this is coming
from a reverse lookup on the IP you get from a forward lookup on
berkeley.edu.  Truly weird.

  - a