[OpenAFS] Re: what is aklog's algorithm for "deducing" what
cell to authenticate to?
Fri, 30 Dec 2005 16:33:38 -0500
On Tuesday, December 27, 2005 08:20:10 PM -0800 Adam Megacz
> Derrick J Brashear <firstname.lastname@example.org> writes:
>> realm. It's using the krb5 "realm of host" function on,probably, the
> For the [mailing list] record, it appears that aklog does this in the
> absence of anything in krb5.conf overriding its behavior:
> aklog -c foo.com
> resolve AFSDB record for domain foo.com
> -> result is server.bar.com
> perform kerberos server discovery (RFC2052) on server.bar.com
> -> usually something.bar.com (depends on DNS entries)
> In my case, this was fixed by making the AFSDB record for my cell's
> domain point at a hostname ending with the cell name (fake.foo.com),
> which had an "A" record that could point wherever I wanted (same IP as
Actually, it seems that there's been a fair bit of confusion because you
missed a step.
What aklog does is figure out what the dbservers are for the cell you're
interested in, either by doing a CellServDB lookup or by getting AFSDB
records. Then it picks a dbserver and does the normal hostname->realm
mapping to find out what kerberos realm that host is in. Finally, it
attempts to get a ticket for an AFS service in that realm.
The Kerberos library will perform hostname->realm mapping based on local
configuration (the domain_realm section in krb5.conf) or by applying a
fixed algorithm such as dropping the first component of the domain name.
This is security policy for the client, and cannot be safely discovered via
an unsecured DNS query.
Once the target realm has been selected, the Kerberos library also needs to
know where the KDC's are for that realm. Most modern implementations will
determine this information based on local configuration (krb5.conf), or by
using DNS SRV records as described in RFC4120 section 22.214.171.124.
So, you can safely use the DNS to find the KDC's for a specified realm, and
aklog will do that if linked against a Kerberos library which supports that
feature. However, you cannot safely use the DNS to determine what realm to
use. In fact, even using the results of AFSDB queries as input to this
process is broken. Unfortunately, aklog uses the AFS configuration library
to find the dbservers for a cell, and was written in a time when the only
source for that information was the (presumably trustworthy) CellServDB