[OpenAFS] Re: what is aklog's algorithm for "deducing" what cell to authenticate to?

Adam Megacz megacz@cs.berkeley.edu
Tue, 27 Dec 2005 20:20:10 -0800

Derrick J Brashear <shadow@dementia.org> writes:
> realm. It's using the krb5 "realm of host" function on, probably, the
> server.

For the [mailing list] record, it appears that aklog does this in the
absence of anything in krb5.conf overriding its behavior:

  aklog -c foo.com

  resolve AFSDB record for domain foo.com
       -> result is server.bar.com

  perform kerberos server discovery (RFC2052) on server.bar.com
       -> usually something.bar.com (depends on DNS entries)

In my case, this was fixed by making the AFSDB record for my cell's
domain point at a hostname ending with the cell name (fake.foo.com),
which had an "A" record that could point wherever I wanted (same IP as

  - a

PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380
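
The lookup chain described in this message, modelled as an added example (not aklog's code and not part of the original post). It assumes the "realm of host" step falls back to the host's parent domain in upper case and that krb5.conf `[domain_realm]` entries override it; the DNS data is constructed from the post's foo.com / bar.com names, and `audit_cell` is a hypothetical helper.

```python
"""Model of the cell -> realm deduction described in the post (constructed data)."""

# Constructed AFSDB data using the post's placeholder names.
AFSDB_BEFORE = {"foo.com": ["server.bar.com"]}   # AFSDB points outside the cell domain
AFSDB_AFTER = {"foo.com": ["fake.foo.com"]}      # the fix: host name ends with the cell name


def realm_of_host(host, domain_realm=None):
    """Assumed 'realm of host' logic: [domain_realm] override, else parent domain."""
    host = host.rstrip(".").lower()
    mapping = {k.lower(): v for k, v in (domain_realm or {}).items()}
    if host in mapping:                       # exact host entry wins
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):           # then the longest ".domain" suffix
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    # Assumed fallback: upper-cased parent domain of the host.
    return ".".join(labels[1:] or labels).upper()


def audit_cell(cell, afsdb, domain_realm=None):
    """Return the host and realm a client would deduce for `cell`, and whether
    that realm is the one the cell name suggests."""
    hosts = afsdb.get(cell.lower())
    if not hosts:
        raise LookupError(f"no AFSDB record for {cell}")
    host = hosts[0]
    realm = realm_of_host(host, domain_realm)
    return {"cell": cell, "host": host, "realm": realm,
            "matches_cell": realm == cell.upper()}


if __name__ == "__main__":
    for label, data in (("before", AFSDB_BEFORE), ("after", AFSDB_AFTER)):
        print(label, audit_cell("foo.com", data))
    # A krb5.conf-style override also fixes the mismatch without touching DNS.
    print("override", audit_cell("foo.com", AFSDB_BEFORE, {".bar.com": "FOO.COM"}))
```

Running the audit over every cell a site serves flags the ones whose AFSDB target would lead clients to request tokens from a realm other than the intended one.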