[OpenAFS] Re: RHEL4 kdc/afs server - using "afs" vs "afs/<cellname>" in kerberos
Lars Wilke
lw@lwilke.de
Tue, 23 Sep 2008 21:55:37 +0200
* avison48 wrote:
> > I see both atest.phy and ktest.phy used as the cell/realm name. They
> > should be the same.
>
> I wished to differentiate btw DNS, kdc realm & afs cellname to ensure it
> was understood where in a given string (like afs/whatever@whatever) which
> is which.
>
> But it sounds like acell must = krealm. Ok.
It makes things easier but it is not a strict requirement.
But note that a Kerberos realm is always written in UPPERCASE and AFS
cell names are in lowercase.
An example: if your FQDN is www01.dom.tld, your realm is named SIX.PACK
and your AFS cell name is empty_bottles, then your principal name could look
like
<user>/empty_bottles@SIX.PACK or the old form
<user>@SIX.PACK
so on host www01.dom.tld your /etc/krb5.conf looks something like
[libdefaults]
    default_realm = SIX.PACK

[realms]
    SIX.PACK = {
        kdc = www04.dom.tld
        kdc = www11.dom.tld
        admin_server = www04.dom.tld
        default_domain = dom.tld
    }

[domain_realm]
    .dom.tld = SIX.PACK
    dom.tld = SIX.PACK
you issue kinit afs or kinit afs/empty_bottles and
aklog -c empty_bottles -k SIX.PACK
If your host's DNS domain name differs from the entries under domain_realm, i.e.,
your host's FQDN is www01.coffee.tld, you can use kinit <user>/empty_bottles
and the default_realm will be used.
If you do not want the default realm to be used, use
kinit <user>/empty_bottles@REALM
hth
--lars
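An added example of the [domain_realm] lookup and the principal naming described in the mail above (my code, not part of Lars's message or of OpenAFS/MIT krb5): it parses a krb5.conf constructed to match the one quoted, resolves which realm a given host falls under, and builds the afs/<cell>@REALM name while enforcing the case convention. The parser and the lookup order are simplifications of what libkrb5 does and are assumptions, not the library's actual code.

```python
import re
# Constructed krb5.conf, mirroring the one in the mail (not a real site).
SAMPLE_KRB5_CONF = """[libdefaults]
    default_realm = SIX.PACK
[realms]
    SIX.PACK = {
        kdc = www04.dom.tld
    }
[domain_realm]
    .dom.tld = SIX.PACK
    dom.tld = SIX.PACK
"""

def parse_krb5_conf(text):
    # Top-level "key = value" per section; {...} realm sub-blocks are skipped.
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif current and depth == 0:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def realm_for_host(conf, fqdn):
    # Assumed libkrb5 [domain_realm] order: exact host, parent domains with leading dot, then default_realm.
    mapping = conf.get("domain_realm", {})
    host = fqdn.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    for i in range(1, host.count(".") + 1):
        parent = "." + host.split(".", i)[-1]
        if parent in mapping:
            return mapping[parent]
    return conf.get("libdefaults", {}).get("default_realm")

def afs_service_principal(cell, realm):
    # afs/<cell>@REALM; the mail's convention: realm UPPERCASE, cell lowercase.
    if realm != realm.upper() or cell != cell.lower():
        raise ValueError("realm must be UPPERCASE and the AFS cell lowercase")
    return "afs/%s@%s" % (cell, realm)
```

With this configuration a host in dom.tld and a host in coffee.tld both end up in SIX.PACK, the second only via default_realm, which is exactly the fallback the mail describes.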