[OpenAFS] Re: klog.krb5 on mac os x 10.6.8

Jeffrey Altman jaltman@secure-endpoints.com
Mon, 07 Nov 2011 06:56:52 -0500



For starters, klog != kinit+aklog.  The algorithm used for obtaining the
AFS service ticket in klog.krb5 differs from that used by aklog.  This
is an unfortunate artifact of them being written by different
individuals prior to their contribution to OpenAFS.  Authentication is
not performed by a common library.

There are several important differences at present:

1. aklog always requests AFS tickets as TGS requests.  klog.krb5 attempts
to obtain the AFS ticket as an AS request (no intermediate TGT).

2. aklog understands Kerberos referrals and klog.krb5 does not.

3. aklog will attempt to obtain a ticket for afs/cell@CLIENT.REALM in
addition to afs/cell@CELL.REALM and afs@CELL.REALM.  klog.krb5 only
attempts to obtain tickets from the CELL.REALM.

On 11/7/2011 5:32 AM, Salvatore Podda wrote:
> Surely I do not understand the meaning of default realm in the kerberos
> configuration file
> (I am a beginner!):
>
> [libdefaults]
>  default_realm = REALM.XX


The configuration section header attempts to be clear about what this
section applies to.  It applies to the Kerberos v5 library.  This is not
a configuration setting that applies to application defaults.  The
primary purpose of the value is for use in constructing Kerberos
principals when no realm has been specified.

> but I was induced to believe that this is the realm assumed if you miss
> to declare the
>
> -k REALM.XX
>
> in the klog.krb5 or at least that is what you may deduce in the
> relative man page.

-k REALM.XX is the realm of the cell.  Not the realm of the user
principal.  In the absence of -k, the realm of the cell is determined by
obtaining the DNS name of a vlserver and then applying the host to realm
rules as determined by krb5.conf.

> Following the dispute it is even incomprehensible (to me!) why having
> declared the default
> realm in the kerberos configuration file, the klog.krb5 command does not
> work in the forms
>
> klog.krb5 -pr xxxxx -c cell.xx -k CELL.XX
>
> or
>
> klog.krb5 -pr xxxxx@CELL.XX -c cell.xx -k CELL.XX
>
> but works in the form
>
> klog.krb5 -pr xxxxx@CELL.XX -c cell.xx

What are the DNS names of the vlservers?

Is host to realm information specified in the krb5.conf file?

Jeffrey Altman
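The two points above that trip people up are how the cell realm is derived (from a vlserver's DNS name via the krb5.conf host-to-realm rules, not from default_realm, unless -k overrides it) and which AFS service principals each tool asks for. The following Python model is an added illustration written for this archive page; it is not OpenAFS, klog.krb5, aklog or MIT Kerberos code. The krb5.conf text, hostnames and realm names in it are constructed placeholders, the [domain_realm] matching is an approximation of the documented longest-suffix rule with the upper-cased parent domain as the final fallback, and the order in which the candidate principals are listed is illustrative rather than taken from either tool.

```python
"""Model of the realm questions raised in this thread (constructed example,
not project code): cell realm from vlserver DNS name + krb5.conf rules,
and the AFS service principals aklog vs. klog.krb5 try for."""

import re

# Constructed krb5.conf fragment; names are placeholders, not a real site.
KRB5_CONF = """
[libdefaults]
  default_realm = REALM.XX

[domain_realm]
  .cell.xx = CELL.XX
  cell.xx = CELL.XX
  vl1.special.example = OTHER.REALM
"""


def parse_krb5_conf(text):
    """Minimal parser for flat 'key = value' lines under [section] headers.
    Nested brace groups of real krb5.conf files are not handled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def host_to_realm(hostname, domain_realm):
    """Approximate [domain_realm] lookup: exact hostname entry first, then
    the longest matching parent domain (keys starting with '.'). With no
    mapping at all, fall back to the host's parent domain upper-cased,
    which is MIT's documented last resort (assumption: DNS lookups off)."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # longest suffix first
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return ".".join(labels[1:]).upper()


def cell_realm(vlservers, conf, k_override=None):
    """Realm of the cell as described in the reply: -k REALM wins outright;
    otherwise it comes from a vlserver's DNS name and the host-to-realm
    rules. [libdefaults] default_realm is deliberately never consulted."""
    if k_override:
        return k_override
    return host_to_realm(vlservers[0], conf.get("domain_realm", {}))


def candidate_principals(cell, realm_of_cell, client_realm, tool):
    """Service principals each tool tries (item 3 of the reply). aklog also
    tries afs/cell in the client's realm; klog.krb5 sticks to CELL.REALM."""
    names = [f"afs/{cell}@{realm_of_cell}", f"afs@{realm_of_cell}"]
    if tool == "aklog" and client_realm != realm_of_cell:
        names.append(f"afs/{cell}@{client_realm}")
    return names


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    realm = cell_realm(["vl1.cell.xx"], conf)
    print("default_realm:", conf["libdefaults"]["default_realm"])
    print("cell realm from vlserver:", realm)
    for tool in ("aklog", "klog.krb5"):
        print(tool, candidate_principals("cell.xx", realm, "REALM.XX", tool))
```

Running it shows the asymmetry the thread is about: with the user's principal in REALM.XX and the cell's vlservers under cell.xx, default_realm never enters the cell-realm decision, and only aklog will additionally ask for afs/cell.xx@REALM.XX.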
