[OpenAFS] Re: klog.krb5 on mac os x 10.6.8

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 09 Nov 2011 01:12:17 -0500

On 11/8/2011 10:46 AM, Salvatore Podda wrote:
>
> OK, I got it.
> `klog.krb5' can be considered like other applications (kinit, telnet ...) with
> specific Kerberos appdefaults?

Except that there are no [appdefaults] settings that are read from the
profile by klog.krb5.

> I read a post by Russ Allbery (actually a little bit old) where he stated:
> "...*Everything* uses libdefaults. Ideally, IMO, kinit and the like should
> take their defaults from libdefaults and then override those with appdefaults
> settings, if present."
>
> http://fixunix.com/kerberos/60055-kinit-uses-libdefaults-krb5-conf-instead-appdefaults.html

The settings in [libdefaults] for lifetime, renewal, forwardable, etc.
are used by the Kerberos library.

There are no klog.krb5 overrides in the krb5.conf.

>>> but I was induced to believe that this is the realm assumed if you fail to declare the
>>>
>>> -k REALM.XX
>>>
>>> in the klog.krb5 or at least that is what you may deduce from the relative man page.
>
>> -k REALM.XX is the realm of the cell.  Not the realm of the user
>> principal.
>
> I understand the eventual difference between the realm of the cell
> and the realm of the user principal, but in the usual (my) case where
> the two realms coincide, what is the difference between
>
> `klog.krb5 -pr xxxx@REALM.XX' and  `klog.krb5 -pr xxxx -k REALM.XX'?
>
> This is enforced (or misled) by the klog.krb5 man page,
> where for the flag `-k' you can read:
>
> -k <realm>
>            Obtain tickets and tokens from the <realm> Kerberos realm.  If this
>            option is not given, klog.krb5 defaults to using the default local
>            realm.  The Kerberos realm name need not match the AFS cell name.

That text is almost correct if it were written in a world where the local
AFS cell has a single Kerberos realm and that realm is the same as the
local workstation Kerberos realm.

Unfortunately, that is not true for all environments.

>> In the absence of -k, the realm of the cell is determined by
>> obtaining the DNS name of a vlserver and then applying the host to realm
>> rules as determined by krb5.conf.
>
> OK
>
>
>>>
>>> Following the dispute it is even incomprehensible (to me!) why, having
>>> declared the default
>>> realm in the Kerberos configuration file, the klog.krb5 command does not
>>> work in the forms
>>>
>>> klog.krb5 -pr xxxxx -c cell.xx -k CELL.XX

This doesn't work because you have not specified a realm as part of the
client principal name.

>>> or
>>>
>>> klog.krb5 -pr xxxxx@CELL.XX  -c cell.xx -k CELL.XX

Is CELL.XX the name of the realm in the afs/cell.xx@REALM or afs@REALM
service principal?

>>> but works in the form
>>>
>>> klog.krb5 -pr xxxxx@CELL.XX -c cell.xx

I would guess that CELL.XX is not the name of the realm that is a part
of the afs/cell.xx@REALM or afs@REALM service principal.

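The two mechanisms the reply turns on, the host-to-realm step that picks the cell realm when -k is absent, and the separation between the cell realm and the realm of the user principal, modelled as an added Python example that is not OpenAFS or MIT Kerberos code. The krb5.conf fragment, hostnames and realm names are constructed placeholders; the lookup order (exact hostname, then each parent domain written with a leading dot) follows the usual [domain_realm] convention and is assumed here, and the nested-brace [realms] syntax is deliberately not parsed.

```python
"""Model of how klog.krb5 arrives at its two realms, as discussed above:
the cell realm (from -k, else from the vlserver's DNS name via krb5.conf's
host-to-realm rules) and the user realm (only from the @REALM part of -pr).
Added example, not OpenAFS or MIT Kerberos code; all names are constructed."""
import re

# Constructed krb5.conf fragment (placeholder hosts and realms).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = WORKSTATION.EXAMPLE
    forwardable = true

[domain_realm]
    vldb1.cell.example = CELL.EXAMPLE     # exact-host rule
    .cell.example = CELL.EXAMPLE          # any host under cell.example
    .example = WORKSTATION.EXAMPLE        # everything else under .example
"""


def parse_krb5_conf(text):
    """Parse the flat '[section]' / 'key = value' layout of krb5.conf.
    Comments start with '#'. Nested {} groups (e.g. [realms]) are not
    handled in this model; keys are lowercased, values keep their case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'\[(\w+)\]', line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and '=' in line:
            key, _, value = line.partition('=')
            current[key.strip().lower()] = value.strip()
    return sections


def host_to_realm(hostname, domain_realm):
    """Apply [domain_realm] rules to a hostname: exact host first, then the
    parent domains written with a leading dot, most specific first.
    Returns None when no rule matches (a real library would then fall back
    to other heuristics; that fallback is outside this model)."""
    host = hostname.lower().rstrip('.')
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        suffix = '.' + '.'.join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None


def split_principal(pr):
    """Split '-pr' into (name, realm). Realm is None when no '@REALM' was
    given: per the thread, -k does not supply the user's realm."""
    name, sep, realm = pr.partition('@')
    return name, (realm.upper() if sep else None)


def klog_realms(pr, vlserver_hostname, conf, k_realm=None):
    """Return the realms a klog.krb5 invocation would work with.
    cell_realm: -k wins; otherwise the vlserver's hostname goes through
    the host-to-realm rules. user_realm: only from the principal itself."""
    _, user_realm = split_principal(pr)
    if k_realm:
        cell_realm = k_realm.upper()
    else:
        cell_realm = host_to_realm(vlserver_hostname,
                                   conf.get('domain_realm', {}))
    return {'user_realm': user_realm, 'cell_realm': cell_realm}


if __name__ == '__main__':
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    # The three command forms from the thread, with constructed names.
    for args in (('user@CELL.EXAMPLE', None),
                 ('user', 'CELL.EXAMPLE'),
                 ('user@CELL.EXAMPLE', 'CELL.EXAMPLE')):
        print(args, '->', klog_realms(args[0], 'vldb2.cell.example',
                                      conf, k_realm=args[1]))
```

Running it shows that only the `-pr user@REALM` forms carry a user realm, while `-k` changes the cell realm alone; with neither `-k` nor a matching `[domain_realm]` rule, the cell realm comes back as None, which is the case the reply points at when it asks which realm the afs service principal actually lives in.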