[OpenAFS] Re: klog.krb5 on mac os x 10.6.8
Salvatore Podda
salvatore.podda@enea.it
Tue, 8 Nov 2011 16:46:10 +0100
Thank you very much for the enlightening comments.
However, for the sake of clarity, I have some comments.
Thanks for this point, most people believe the contrary: klog.krb5 = kinit+aklog.
>
> For starts, klog != kinit+aklog. The algorithm used for obtaining the
> AFS service ticket in klog.krb5 differs from that used by aklog. This
> is an unfortunate artifact of them being written by different
> individuals prior to their contribution to OpenAFS. Authentication is
> not performed by a common library.
>
> There are several important differences at present:
>
> 1. aklog always requests AFS tickets as TGS requests. klog.krb5 attempts
> to obtain the AFS ticket as an AS request. (no intermediate TGT.)
>
> 2. aklog understands Kerberos referrals and klog.krb5 does not.
>
> 3. aklog will attempt to obtain a ticket for afs/cell@CLIENT.REALM in
> addition to afs/cell@CELL.REALM and afs@CELL.REALM. klog.krb5 only
> attempts to obtain tickets from the CELL.REALM.
>
> On 11/7/2011 5:32 AM, Salvatore Podda wrote:
>> Surely I do not understand the meaning of default realm in the kerberos configuration file
>> (I am a beginner!):
>>
>> [libdefaults]
>> default_realm = REALM.XX
>
>
> The configuration section header attempts to be clear about what this
> section applies to. It applies to the Kerberos v5 library. This is not
> a configuration setting that applies to application defaults. The
> primary purpose of the value is for use in constructing Kerberos
> principals when no realm has been specified.
OK, I got it.
`klog.krb5' can be considered like other applications (kinit, telnet ...) with
specific kerberos appdefaults?
I read a post by Russ Allbery (actually a little bit old) where he stated:
"...*Everything* uses libdefaults. Ideally, IMO, kinit and the like should
take their defaults from libdefaults and then override those with appdefaults
settings, if present."
http://fixunix.com/kerberos/60055-kinit-uses-libdefaults-krb5-conf-instead-appdefaults.html
>> but I was induced to believe that this is the realm assumed if you forget to declare the
>>
>> -k REALM.XX
>>
>> in the klog.krb5 or at least that is what you may deduce from the relative man page.
> -k REALM.XX is the realm of the cell. Not the realm of the user
> principal.
I understand the eventual difference between the realm of the cell
and the realm of the user principal, but in the usual (my) case where
the two realms coincide, what is the difference between
`klog.krb5 -pr xxxx@REALM.XX' and `klog.krb5 -pr xxxx -k REALM.XX'?
This is enforced (or misled) by the klog.krb5 man page
where for the flag `-k' you can read:
-k <realm>
Obtain tickets and tokens from the <realm> Kerberos realm. If this
option is not given, klog.krb5 defaults to using the default local
realm. The Kerberos realm name need not match the AFS cell name.
> In the absence of -k, the realm of the cell is determined by
> obtaining the DNS name of a vlserver and then applying the host to realm
> rules as determined by krb5.conf.
OK
>>
>> Following the dispute it is even incomprehensible (to me!) why, having
>> declared the default
>> realm in the kerberos configuration file, the klog.krb5 command does not
>> work in the forms
>>
>> klog.krb5 -pr xxxxx -c cell.xx -k CELL.XX
>>
>> or
>>
>> klog.krb5 -pr xxxxx@CELL.XX -c cell.xx -k CELL.XX
>>
>> but works in the form
>>
>> klog.krb5 -pr xxxxx@CELL.XX -c cell.xx
>
> What are the DNS names of the vlservers?
>
> Is host to realm information specified in the krb5.conf file?
>
I will check more carefully the list of the vlservers we suggest to the user
client, but I think that the mechanism you mention for
determining the realm of the cell is assured.
Thanks for your patience and best regards
Salvatore Podda

> Jeffrey Altman
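The two realm concepts the thread keeps circling (the [libdefaults] default_realm, which only completes a principal given without a realm, versus the realm of the cell, which -k overrides and which otherwise comes from running a vlserver's DNS name through the [domain_realm] host-to-realm rules) are easier to see as code. The following is an added example written for this page, not OpenAFS or MIT Kerberos code: the krb5.conf text, the host names vldb1.cell.xx and vldb1.hosting.example, and the helper names are all constructed here. It models only the static [domain_realm] lookup (exact host first, then parent domains written with a leading dot); the library's further fallbacks (DNS TXT records, referrals) are not modelled. The service-principal lists follow the quoted message; the message does not state the order in which aklog tries them, and the afs/cell and afs forms for klog.krb5 are an assumption derived from the aklog list.

```python
# Added example, not OpenAFS or libkrb5 code. The parser handles only flat
# "key = value" sections, which is enough for the constructed sample below;
# real krb5.conf files also contain brace-delimited subsections.

# Constructed sample configuration; every name in it is a placeholder.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = REALM.XX

[domain_realm]
    .cell.xx = CELL.XX
    cell.xx = CELL.XX
    vldb1.hosting.example = CELL.XX
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for flat key = value sections."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def qualify_principal(name, default_realm):
    """default_realm is applied only when the user gave no realm at all."""
    return name if "@" in name else f"{name}@{default_realm}"


def host_to_realm(hostname, domain_realm):
    """Static [domain_realm] lookup: exact host first, then each parent
    domain with a leading dot (".cell.xx" covers every host under cell.xx).
    Returns None when no static rule matches (DNS/referral fallbacks of the
    real library are deliberately not modelled here)."""
    host = hostname.rstrip(".").lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None


def cell_realm(vlserver_hostnames, domain_realm, override=None):
    """Realm of the cell as described in the thread: -k (override) wins,
    otherwise the first vlserver name the host-to-realm rules can map."""
    if override:
        return override
    for host in vlserver_hostnames:
        realm = host_to_realm(host, domain_realm)
        if realm:
            return realm
    return None


def candidate_service_principals(cell, cell_realm_name, client_realm, tool):
    """AFS service principals each tool asks for, per the quoted message.
    Duplicates collapse when the client and cell realms coincide."""
    if tool == "aklog":
        names = [f"afs/{cell}@{client_realm}",
                 f"afs/{cell}@{cell_realm_name}",
                 f"afs@{cell_realm_name}"]
    elif tool == "klog.krb5":
        # Assumption: the same two forms, restricted to the cell realm.
        names = [f"afs/{cell}@{cell_realm_name}", f"afs@{cell_realm_name}"]
    else:
        raise ValueError(f"unknown tool {tool!r}")
    return list(dict.fromkeys(names))   # order-preserving de-duplication


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    default_realm = conf["libdefaults"]["default_realm"]
    dr = conf["domain_realm"]
    print(qualify_principal("xxxxx", default_realm))          # xxxxx@REALM.XX
    print(cell_realm(["vldb1.cell.xx"], dr))                 # CELL.XX
    print(cell_realm(["vldb1.cell.xx"], dr, override="OTHER.XX"))  # OTHER.XX
    print(candidate_service_principals("cell.xx", "CELL.XX", "REALM.XX", "aklog"))
```

With this model, `klog.krb5 -pr xxxxx -c cell.xx` completes the user principal with default_realm (REALM.XX) while the cell realm is whatever the vlserver names map to; the two values are independent, which is exactly the distinction the -k flag expresses.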