[OpenAFS] Re: klog.krb5 on mac os x 10.6.8

Jeffrey Altman jaltman@secure-endpoints.com
Mon, 07 Nov 2011 06:56:52 -0500

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

For starts, klog !=3D kinit+aklog.   The algorithm used for obtaining the=

AFS service ticket in klog.krb5 differs from that used by aklog.  This
is an unfortunate artifact of them being written by different
individuals prior to their contribution to OpenAFS.  Authentication is
not performed by a common library.

There are several important differences at present:

1. aklog always requests AFS tickets as TGS requests.  klog.krb5 attempt
to obtain the AFS ticket as an AS request.  (no intermediate TGT.)

2. aklog understands Kerberos referrals and klog.krb5 does not.

3. aklog will attempt to obtain a ticket for afs/cell@CLIENT.REALM in
addition to afs/cell@CELL.REALM and afs@CELL.REALM.  klog.krb5 only
attempts to obtain tickets from the CELL.REALM.

On 11/7/2011 5:32 AM, Salvatore Podda wrote:
> Surely I do not understand the meaning of default realm in the kerberos=

> configuration file
> (I am a beginners!):
> [libdefaults]
>  default_realm =3D REALM.XX

The configuration section header attempts to be clear about what this
section applies to.  It applies to the Kerberos v5 library.  This is not
a configuration setting that applies to application defaults.  The
primary purpose of the value is for use in constructing Kerberos
principals when no realm has been specified.

> but I was induced to believe that this is the realm assumed if you miss=

> to declare the=20
> -k REALM.XX=20
> in the klog.krb5 or a at least that is what you may desume in the
> relative man page.

-k REALM.XX is the realm of the cell.  Not the realm of the user
principal.  In the absence of -k, the realm of the cell is determined by
obtaining the DNS name of a vlserver and then applying the host to realm
rules as determined by krb5.conf.

> Following the dispute it is even incomprehensible (to me!) why having
> declared the default
> realm in the kerberos configuration file, the klog.krb5 command does no=
> work in the forms
> klog.krb5 -pr xxxxx -c cell.xx -k CELL.XX
> or
> klog.krb5 -pr xxxxx@CELL.XX <mailto:xxxxx@CELL.XX> -c cell.xx -k CELL.X=
> but works in the form
> klog.krb5 -pr xxxxx@CELL.XX <mailto:xxxxx@CELL.XX> -c cell.xx

What are the DNS names of the vlservers?

Is host to realm information specified in the krb5.conf file?

Jeffrey Altman

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

Version: GnuPG v1.4.9 (MingW32)