[OpenAFS] what is aklog's algorithm for "deducing" what realm to authenticate to?

Adam Megacz megacz@cs.berkeley.edu
Tue, 27 Dec 2005 15:54:21 -0800

[see end of message for additional details on why my cell works this way]

This is weird.  When I execute "aklog -c megacz.com", aklog does not attempt
to authenticate to the "obvious" k5 realm (MEGACZ.COM -- I have the
DNS autodetection entries for that, and they work):

  megacz@maxwell:~$aklog -d -c megacz.com

  Authenticating to cell megacz.com (server fleet.cs.berkeley.edu).
  We've deduced that we need to authenticate to realm CS.BERKELEY.EDU.
  Getting tickets: afs/megacz.com@CS.BERKELEY.EDU
  Kerberos error code returned by get_cred: -1765328377
  aklog: Couldn't get megacz.com AFS tickets:
  aklog: Server not found in Kerberos database while getting AFS tickets

On unixoid platforms I can override this with "-k MEGACZ.COM" and
everything works fine, but the Win32 GUI token client offers no such

Is there anything I can do on the server/DNS side to get clients'
aklog to deduce the proper cell without having to be explicitly told?
I would assume that if the cell name explicitly stated on the command
line is a valid realm that aklog would use that before trying anything


Gory details:

At the moment I'm using my own domain (megacz.com) to try out some AFS
stuff on my machines here on campus since making any sort of DNS
change to *.berkeley.edu usually turns into a four-day ordeal
involving begging and bribery -- and that's just during the semester.
During winter break it'd probably be even worse.

I'll move back to *.berkeley.edu when I'm ready to "etch things in
stone" so to speak.  At the moment my cell and realm are
megacz.com/MEGACZ.COM, my k5 server is on turing.megacz.com
(off-campus), and all other machines are on-campus hosts in
*.cs.berkeley.edu (some of which have additional entries in
*.megacz.com pointing at them).

  - a

PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380