[OpenAFS] Re: klog.krb5 on mac os x 10.6.8

Salvatore Podda salvatore.podda@enea.it
Tue, 8 Nov 2011 16:46:10 +0100

Thank you very much for the enlightening comments.
However, for the sake of clarity, I have some comments.

Thanks for this point; most people believe the contrary: klog.krb5 =
> For starts, klog != kinit+aklog. The algorithm used for obtaining
> AFS service ticket in klog.krb5 differs from that used by aklog. This
> is an unfortunate artifact of them being written by different
> individuals prior to their contribution to OpenAFS. Authentication is
> not performed by a common library.
> There are several important differences at present:
> 1. aklog always requests AFS tickets as TGS requests. klog.krb5
> to obtain the AFS ticket as an AS request. (no intermediate TGT.)
> 2. aklog understands Kerberos referrals and klog.krb5 does not.
> 3. aklog will attempt to obtain a ticket for afs/cell@CLIENT.REALM in
> addition to afs/cell@CELL.REALM and afs@CELL.REALM. klog.krb5 only
> attempts to obtain tickets from the CELL.REALM.
> On 11/7/2011 5:32 AM, Salvatore Podda wrote:

>> Surely I do not understand the meaning of default realm in the
>> kerberos configuration file
>> (I am a beginner!):
>> [libdefaults]
>> default_realm = REALM.XX
> The configuration section header attempts to be clear about what this
> section applies to. It applies to the Kerberos v5 library. This is
> a configuration setting that applies to application defaults. The
> primary purpose of the value is for use in constructing Kerberos
> principals when no realm has been specified.

OK, I got it.
`klog.krb5' can be considered like other applications (kinit, telnet ...) with
specific kerberos appdefaults?
I read a post by Russ Allbery (actually a little bit old) where he
"...*Everything* uses libdefaults. Ideally, IMO, kinit and the like
take their defaults from libdefaults and then override those with
settings, if present."


>> but I was induced to believe that this is the realm assumed if you
>> fail to declare the
>> -k REALM.XX
>> in the klog.krb5 or at least that is what you may deduce in the
>> relevant man page.

> -k REALM.XX is the realm of the cell. Not the realm of the user
> principal.

I understand the eventual difference between the realm of the cell
and the realm of the user principal, but in the usual (my) case where
the two realms coincide, what is the difference between

`klog.krb5 -pr xxxx@REALM.XX' and  `klog.krb5 -pr xxxx -k REALM.XX'

This is enforced (or misled) by the klog.krb5 man page
where for the flag `-k' you can read:

-k <realm>
           Obtain tickets and tokens from the <realm> Kerberos realm. If this
           option is not given, klog.krb5 defaults to using the default
           realm. The Kerberos realm name need not match the AFS cell

> In the absence of -k, the realm of the cell is determined by
> obtaining the DNS name of a vlserver and then applying the host to
> rules as determined by krb5.conf.


>> Following the dispute it is even incomprehensible (to me!) why having
>> declared the default
>> realm in the kerberos configuration file, the klog.krb5 command does
>> work in the forms
>> klog.krb5 -pr xxxxx -c cell.xx -k CELL.XX
>> or
>> klog.krb5 -pr xxxxx@CELL.XX  -c cell.xx -k CELL.XX
>> but works in the form
>> klog.krb5 -pr xxxxx@CELL.XX -c cell.xx

> What are the DNS names of the vlservers?
> Is host to realm information specified in the krb5.conf file?

I will check better the list of the vlservers we suggest to the user
client, but I think that the mechanism you mention for
determining the realm of the cell is assured.

Thanks for your patience and best regards

Salvatore Podda
> Jeffrey Altman
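As an added illustration (not code from this thread, from OpenAFS or from MIT Kerberos), the following Python models the two krb5.conf lookups Jeffrey describes: completing a user principal with `default_realm` from `[libdefaults]` when no realm is given on the command line, and deriving the cell realm from a vlserver's DNS name through the `[domain_realm]` mapping, plus the AFS service principals each tool tries for a cell. The krb5.conf contents, host names, cell and realm names (`cell.xx`, `CELL.XX`, `REALM.XX`, `vl1.cell.xx`) are constructed placeholders; the lookup is a deliberate simplification of what libkrb5 does (no DNS TXT lookups, no referrals), and the exact principal list for klog.krb5 is an assumption drawn from point 3 above.

```python
"""Model of the krb5.conf lookups discussed in the thread (added example).

- default_realm in [libdefaults] completes a principal that names no realm
- [domain_realm] maps a vlserver's DNS name to the realm of the cell
- the AFS service principals each tool tries, as described in the thread

Simplified on purpose: real libkrb5 may also consult DNS and referrals.
"""

import re

# Constructed krb5.conf; all names are placeholders, not a real site.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = REALM.XX

[domain_realm]
    .cell.xx = CELL.XX
    cell.xx = CELL.XX
    vl1.otherdomain.example = OTHER.EXAMPLE
"""


def parse_krb5_conf(text):
    """Parse the INI-like krb5.conf sections into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections


def complete_principal(name, conf):
    """-pr xxxx becomes xxxx@<default_realm>; an explicit @REALM is kept as given."""
    if "@" in name:
        return name
    return f"{name}@{conf['libdefaults']['default_realm']}"


def host_to_realm(hostname, conf):
    """Map a host to a realm: exact entry first, then each parent domain with a
    leading dot, then default_realm as the fallback (simplified libkrb5 order)."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf["libdefaults"]["default_realm"]


def cell_realm_from_vlservers(vlservers, conf):
    """The rule Jeffrey states: without -k, the cell realm comes from the
    DNS name of a vlserver run through the host-to-realm rules."""
    return host_to_realm(vlservers[0], conf)


def afs_service_principals(cell, cell_realm, client_realm, tool):
    """Service principals tried by each tool, per point 3 of the thread.
    The klog.krb5 list is an assumption: only principals in the cell realm."""
    if tool == "aklog":
        names = [f"afs/{cell}@{client_realm}",
                 f"afs/{cell}@{cell_realm}",
                 f"afs@{cell_realm}"]
        return list(dict.fromkeys(names))   # de-duplicate when the realms coincide
    if tool == "klog.krb5":
        return [f"afs/{cell}@{cell_realm}", f"afs@{cell_realm}"]
    raise ValueError(f"unknown tool: {tool}")


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    user = complete_principal("xxxx", conf)
    realm = cell_realm_from_vlservers(["vl1.cell.xx"], conf)
    print("user principal:", user)
    print("cell realm from vlserver:", realm)
    for tool in ("aklog", "klog.krb5"):
        print(tool, "tries:", afs_service_principals("cell.xx", realm, user.split("@")[1], tool))
```

Running the block shows the asymmetry the thread turns on: with `default_realm = REALM.XX` the bare `-pr xxxx` is completed in REALM.XX, while the cell realm is resolved independently from the vlserver name to CELL.XX, so the two only agree when `[domain_realm]` (or `-k`) says so.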