[OpenAFS] Re: what is aklog's algorithm for "deducing" what cell to authenticate to?

Adam Megacz megacz@cs.berkeley.edu
Wed, 28 Dec 2005 13:04:14 -0800

Jeffrey Altman <jaltman@secure-endpoints.com> writes:
>> Modifying all those krb5.conf's is not an option (clueless users can't
>> be expected to do this), so I have no other choice.  Fortunately many
>> libkrb5's _do_ know about RFC2052.

> But they will only use DNS SRV records if the krb5.conf file permits
> it and there is no domain/realm mapping entry in the krb5.conf file
> for the resulting hostname or domain.

... which is the default on almost every installation of kerberos.

Defaults are crucial.  I wish this wasn't the case, and I'd like to
pretend otherwise, but such are the facts.

Understanding this dynamic is essential to getting AFS deployed in
environments with user-administered machines (ie pretty much
everywhere it currently isn't).

  - a