[OpenAFS] what is aklog's algorithm for "deducing" what realm to authenticate
Tue, 27 Dec 2005 15:54:21 -0800
[see end of message for additional details on why my cell works this way]
This is weird. When I execute "aklog -c megacz.com", aklog does not attempt
to authenticate to the "obvious" k5 realm (MEGACZ.COM -- I have the
DNS autodetection entries for that, and they work):

  megacz@maxwell:~$ aklog -d -c megacz.com
  Authenticating to cell megacz.com (server fleet.cs.berkeley.edu).
  We've deduced that we need to authenticate to realm CS.BERKELEY.EDU.
  Getting tickets: afs/megacz.com@CS.BERKELEY.EDU
  Kerberos error code returned by get_cred: -1765328377
  aklog: Couldn't get megacz.com AFS tickets:
  aklog: Server not found in Kerberos database while getting AFS tickets

On unixoid platforms I can override this with "-k MEGACZ.COM" and
everything works fine, but the Win32 GUI token client offers no such

Is there anything I can do on the server/DNS side to get clients'
aklog to deduce the proper cell without having to be explicitly told?
I would assume that if the cell name explicitly stated on the command
line is a valid realm that aklog would use that before trying anything

At the moment I'm using my own domain (megacz.com) to try out some AFS
stuff on my machines here on campus since making any sort of DNS
change to *.berkeley.edu usually turns into a four-day ordeal
involving begging and bribery -- and that's just during the semester.
During winter break it'd probably be even worse.
I'll move back to *.berkeley.edu when I'm ready to "etch things in
stone" so to speak. At the moment my cell and realm are
megacz.com/MEGACZ.COM, my k5 server is on turing.megacz.com
(off-campus), and all other machines are on-campus hosts in
*.cs.berkeley.edu (some of which have additional entries in
*.megacz.com pointing at them).
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380