[OpenAFS] Re: klog.krb5 on mac os x 10.6.8

Andrew Deason adeason@sinenomine.net
Sat, 24 Dec 2011 01:50:19 -0500


On Mon, 07 Nov 2011 06:56:52 -0500
Jeffrey Altman <jaltman@secure-endpoints.com> wrote:

> > but I was induced to believe that this is the realm assumed if you miss
> > to declare the 
> > 
> > -k REALM.XX 
> > 
> > in the klog.krb5 or at least that is what you may desume in the
> > relative man page.
> 
> -k REALM.XX is the realm of the cell.  Not the realm of the user
> principal.  In the absence of -k, the realm of the cell is determined by
> obtaining the DNS name of a vlserver and then applying the host to realm
> rules as determined by krb5.conf.

This is not quite true; at least, it is not what klog.krb5 attempts to
do. We call krb5_set_default_realm with the name of the realm given on
the command line, so it can be used as the realm for the user princ.
However, in 1.4, we do so incorrectly (we pass as->parms[foo].items
instead of as->parms[foo].items->data), and so it looks like we gave an
empty string. This was fixed in 8229e668deee3eb00a295a8c9ea96a66b7049687
but I do not believe it was ever pulled up to 1.4. This usage works in 1.6
and master klog.krb5 (that is, the user principal will use the -k realm
in the absence of anything else to base the realm on).

> What are the DNS names of the vlservers?
> 
> Is host to realm information specified in the krb5.conf file?

I agree this is probably why it worked on the OP's Linux boxes and not
OS X, though.

-- 
Andrew Deason
adeason@sinenomine.net
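
Added example, not part of the original message and not OpenAFS code: a minimal C model of the 1.4 bug described above, where the argument-list node is passed instead of its ->data string. Assumptions: the node layout (next pointer first, then data), the set_default_realm() stand-in for krb5_set_default_realm, and a platform where a NULL pointer is stored as all-zero bytes.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout for the node the post calls as->parms[foo].items:
 * a linked-list entry with the next pointer first and the text in ->data. */
struct cmd_item {
    struct cmd_item *next;
    char *data;
};

static char default_realm[64];

/* Hypothetical stand-in for krb5_set_default_realm(): records the string. */
static void set_default_realm(const char *realm)
{
    snprintf(default_realm, sizeof(default_realm), "%s", realm);
}

/* 1.4 behaviour as described: the node itself is handed over as a string.
 * The cast is added here so the model compiles cleanly. With a single -k
 * value, next is NULL, so the first byte read is 0 and the callee sees "". */
const char *realm_buggy(struct cmd_item *items)
{
    set_default_realm((const char *)items);
    return default_realm;
}

/* Fixed behaviour: pass the string the node points to. */
const char *realm_fixed(struct cmd_item *items)
{
    set_default_realm(items->data);
    return default_realm;
}

/* Constructed sample input: one -k argument, as in "-k REALM.XX". */
static char sample_realm[] = "REALM.XX";
static struct cmd_item sample_item = { NULL, sample_realm };

int main(void)
{
    printf("buggy: \"%s\"\n", realm_buggy(&sample_item));
    printf("fixed: \"%s\"\n", realm_fixed(&sample_item));
    return 0;
}
```

Because both pointer types are accepted by a C compiler with at most a warning, this class of mistake is worth catching by treating incompatible-pointer-type warnings as errors in the build.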