[OpenAFS] AFS Cell name vs K5 REALM name
John W. Sopko Jr.
Thu, 15 Feb 2007 15:46:57 -0500
Jeffrey Altman wrote:
> John W. Sopko Jr. wrote:
>> Is there any good reason(s) for NOT deploying a
>> Kerberos REALM name that is different from the
>> AFS cell name. When we move to a K5 server I may
>> have to use a different REALM name on the db/file servers.
>> I want to be sure this will not be a problem in the future.
>> I have tested different realm/cell names and it works now.
>> I would prefer to have my cell name and realm name match as
>> it does now and I know that is the recommendation. For
>> political reasons I may not have that luxury when moving
>> to K5 authentication.
>> Thanks for your input.
> There is no requirement that the cell name and the realm
> name match. The purpose behind the convention of
> service tickets is so that you can have multiple cells
> that all authenticate against a common realm. They can't
> all have the name of the realm.
> Where you will experience great pain is if the realm derived
> from the name of the db servers does not match the authentication
> realm of the cell. The heuristic used by aklog to obtain the
> correct service ticket is to perform a domain to realm mapping
> on the hostname of the first db server. This is either derived
> from the hostname itself or by looking at the domain_realm
> section of the local machine's krb5.conf file.
Thanks for the info. My cell name and dns domain name will be the
same but the K5 REALM may be different. I have to support the
[domain_realm] section anyway and it seems to work fine. I was
hoping to not have to support that section forever...
> Jeffrey Altman
John W. Sopko Jr. University of North Carolina
email: sopko AT cs.unc.edu Computer Science Dept., CB 3175
Phone: 919-962-1844 Sitterson Hall; Room 044
Fax: 919-962-1799 Chapel Hill, NC 27599-3175