[OpenAFS] AFS Cell name vs K5 REALM name

John W. Sopko Jr. sopko@cs.unc.edu
Thu, 15 Feb 2007 15:46:57 -0500

Jeffrey Altman wrote:
> John W. Sopko Jr. wrote:
>> Is there any good reason(s) for NOT deploying a
>> Kerberos REALM name that is different from the
>> AFS cell name. When we move to a K5 server I may
>> have to use a different REALM name on the db/file servers.
>> I want to be sure this will not be a problem in the future.
>> I have tested different realm/cell names and it works now.
>> I would prefer to have my cell name and realm name match as
>> it does now and I know that is the recommendation. For
>> political reasons I may not have that luxury when moving
>> to K5 authentication.
>> Thanks for your input.
> There is no requirement that the cell name and the realm
> name match.  The purpose behind the convention of
>   afs/cell@REALM
> service tickets is so that you can have multiple cells
> that all authenticate against a common realm.  They can't
> all have the name of the realm.
> Where you will experience great pain is if the realm derived
> from the name of the db servers does not match the authentication
> realm of the cell.   The heuristic used by aklog to obtain the
> correct service ticket is to perform a domain to realm mapping
> on the hostname of the first db server.  This is either derived
> from the hostname itself or by looking at the domain_realm
> section of the local machine's krb5.conf file.

Thanks for the info. My cell name and dns domain name will be the
same but the K5 REALM may be different. I have to support the
[domain_realm] section anyway and it seems to work fine. I was
hoping to not have to support that section forever...

> Jeffrey Altman

John W. Sopko Jr.               University of North Carolina
email: sopko AT cs.unc.edu      Computer Science Dept., CB 3175
Phone: 919-962-1844             Sitterson Hall; Room 044
Fax:   919-962-1799             Chapel Hill, NC 27599-3175