[OpenAFS] Re: is there any good reason to use capitalized names for new realms?

Russ Allbery rra@stanford.edu
Thu, 26 Jan 2006 14:46:47 -0800


Adam Megacz <megacz@cs.berkeley.edu> writes:

> So, to summarize, I guess the basic problem is that a lot of
> "applications" (i.e. things that use libkrb, such as AFS)

Ack, wait up a bit.  I'm not sure that it matters, but that's not quite
right.  :)

First, AFS comes with its own Kerberos v4 implementation, and that's what
all the servers use.  The only part of AFS that links with K5 is aklog.
For the rest, it's theoretically doing K4 but it turns out that you can
use the guts of a K5 ticket with the right enctype and everything still
works.  But the internals of that implementation, I believe, assume that
they can find the Kerberos realm by upcasing the cell name, so you have to
use the (so far, undocumented) krb.conf file to change this.

Second, nothing (except KTH Kerberos) uses a libkrb any more, so that name
is a bit confusing.  You probably mean libkrb5.

And third, the assumption isn't in the applications; it's in libkrb5.
Upcasing the domain is the final fallback algorithm used to determine the
realm for a host if DNS lookups fail (or are turned off, which is the
default as mentioned by others) and there's no realm mapping in the
krb5.conf.

Using a lowercase realm has forced us to distribute krb5.conf files to all
of our clients or enable DNS lookups, where otherwise we would have just
been able to use the defaults.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
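
Added example, not part of the original message and not libkrb5 code: a simplified Python model of the host-to-realm lookup order described above (krb5.conf mapping, then DNS, then upcasing the domain), showing why a lowercase realm is missed by the default fallback, since realm names are case-sensitive. The hostname `afs1.example.org`, the realm `example.org`, the sample krb5.conf and the helper names are constructed for illustration; the DNS step is modelled as a dictionary of `_kerberos.<domain>` TXT records.

```python
# Simplified model of the host-to-realm fallback order described above.
# Not libkrb5 code; the hostnames, realm and config below are constructed.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = example.org

[domain_realm]
    .example.org = example.org
    example.org = example.org
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a dict of lowercase key -> realm."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm     # realm case is preserved
    return mapping

def realm_for_host(host, domain_realm=None, dns_txt=None):
    """Resolve host -> (realm, source): mapping, then DNS, then upcasing."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels))]
    # 1. Explicit krb5.conf mapping: exact host, then ".parent" entries.
    for key in [host] + ["." + p for p in parents]:
        if domain_realm and key in domain_realm:
            return domain_realm[key], "domain_realm"
    # 2. DNS TXT lookup (only when enabled; modelled here as a dict).
    for name in [host] + parents:
        if dns_txt and "_kerberos." + name in dns_txt:
            return dns_txt["_kerberos." + name], "dns"
    # 3. Final fallback: the host's domain, upcased.
    return (parents[0].upper(), "upcase") if parents else (None, "none")

def demo():
    host, real_realm = "afs1.example.org", "example.org"
    guessed, _ = realm_for_host(host)        # no mapping, DNS lookups off
    mapped, _ = realm_for_host(host, parse_domain_realm(SAMPLE_KRB5_CONF))
    return guessed == real_realm, mapped == real_realm

if __name__ == "__main__":
    print(demo())
```

With no mapping and DNS off, the model returns `EXAMPLE.ORG`, which does not match the lowercase realm; either the `[domain_realm]` entries or a DNS record is needed on every client.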