[OpenAFS] Re: what is aklog's algorithm for "deducing" what cell to authenticate to?

Adam Megacz megacz@cs.berkeley.edu
Wed, 28 Dec 2005 13:04:14 -0800


Jeffrey Altman <jaltman@secure-endpoints.com> writes:
>> Modifying all those krb5.conf's is not an option (clueless users can't
>> be expected to do this), so I have no other choice.  Fortunately many
>> libkrb5's _do_ know about RFC2052.

> But they will only use DNS SRV records if the krb5.conf file permits
> it and there is no domain/realm mapping entry in the krb5.conf file
> for the resulting hostname or domain.

... which is the default on almost every installation of Kerberos.

Defaults are crucial.  I wish this wasn't the case, and I'd like to
pretend otherwise, but such are the facts.

Understanding this dynamic is essential to getting AFS deployed in
environments with user-administered machines (i.e., pretty much
everywhere it currently isn't).

  - a