[OpenAFS] Re: klog.krb5 on mac os x 10.6.8
Wed, 09 Nov 2011 01:12:17 -0500
On 11/8/2011 10:46 AM, Salvatore Podda wrote:
> OK, I got it.
> `klog.krb5' can be considered like other applications (kinit, telnet ...
> specific kerberos appdefaults?
Except that there are no [appdefaults] settings that are read from the
profile by klog.krb5.
> I read a post by Russ Allbery (actually a little bit old) where he stated
> "...*Everything* uses libdefaults. Ideally, IMO, kinit and the like should
> take their defaults from libdefaults and then override those with appdefaults
> settings, if present."
The settings in [libdefaults] for lifetime, renewal, forwardable, etc.
are used by the Kerberos library.
There are no klog.krb5 overrides in the krb5.conf.
>>> but I was induced to believe that this is the realm assumed if you fail to declare the
>>> -k REALM.XX
>>> in the klog.krb5, or at least that is what you may deduce from the relative man page.
>> -k REALM.XX is the realm of the cell. Not the realm of the user
>> principal.
> I understand the eventual difference between the realm of the cell
> and the realm of the user principal, but in the usual (my) case where
> the two realms coincide, what is the difference between
> `klog.krb5 -pr xxxx@REALM.XX' and `klog.krb5 -pr xxxx -k REALM.XX'?
> This is reinforced (or misled) by the klog.krb5 man page,
> where for the flag `-k' you can read:
> -k <realm>
> Obtain tickets and tokens from the <realm> Kerberos realm. If this
> option is not given, klog.krb5 defaults to using the default
> realm. The Kerberos realm name need not match the AFS cell name.
That text would be almost correct if it were written for a world where the local
AFS cell has a single Kerberos realm and that realm is the same as the
local workstation's Kerberos realm.
Unfortunately, that is not true for all environments.
>> In the absence of -k, the realm of the cell is determined by
>> obtaining the DNS name of a vlserver and then applying the host to realm
>> rules as determined by krb5.conf.
>>> Following the dispute it is even incomprehensible (to me!) why, having
>>> declared the default
>>> realm in the kerberos configuration file, the klog.krb5 command does not
>>> work in the forms
>>> klog.krb5 -pr xxxxx -c cell.xx -k CELL.XX
This doesn't work because you have not specified a realm as part of the
client principal name.
>>> klog.krb5 -pr xxxxx@CELL.XX -c cell.xx -k CELL.XX
Is CELL.XX the name of the realm in the afs/cell.xx@REALM or afs@REALM?
>>> but works in the form
>>> klog.krb5 -pr xxxxx@CELL.XX -c cell.xx
I would guess that CELL.XX is not the name of the realm that is a part
of the afs/cell.xx@REALM or afs@REALM service principal.
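As an added illustration (not code from this thread, from OpenAFS, or from MIT Kerberos), the following Python models the two separate decisions the reply above describes: the client principal is qualified with the [libdefaults] default_realm only when no @REALM was typed after -pr, while the cell's realm comes from -k or, failing that, from the vlserver's DNS name run through the [domain_realm] host-to-realm rules. The krb5.conf text, the hostname vl1.cell.xx and the realms USER.XX and CELL.XX are constructed for the example; real libkrb5 also has DNS-based and uppercased-domain fallbacks that this model deliberately omits.

```python
import re

# Constructed sample krb5.conf for the example (not from the thread).
# Note that default_realm (USER.XX) is deliberately different from the
# realm the cell's hosts map to (CELL.XX), the situation the reply warns about.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = USER.XX
    ticket_lifetime = 25h
    forwardable = true

[domain_realm]
    .cell.xx = CELL.XX
    cell.xx = CELL.XX
    .example.org = EXAMPLE.ORG
"""


def parse_krb5_conf(text):
    """Minimal parser for the flat `key = value` sections used here.
    Nested { } blocks and includes are not handled (assumption for the example)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None or '=' not in line:
            continue
        key, value = (s.strip() for s in line.split('=', 1))
        current[key] = value
    return sections


def host_to_realm(conf, hostname):
    """[domain_realm] lookup in the MIT style: an exact host entry wins,
    otherwise the longest matching parent domain (entries starting with a dot).
    Returns None when nothing matches; libkrb5 would try further heuristics."""
    dr = conf.get('domain_realm', {})
    host = hostname.lower().rstrip('.')
    if host in dr:
        return dr[host]
    labels = host.split('.')
    for i in range(1, len(labels)):          # '.b.c.d', then '.c.d', then '.d'
        candidate = '.' + '.'.join(labels[i:])
        if candidate in dr:
            return dr[candidate]
    return None


def resolve(conf, principal, cell_vlserver, k_realm=None):
    """Model of the two decisions discussed in the thread.

    principal     -- what was typed after -pr, with or without @REALM
    cell_vlserver -- DNS name of a vlserver of the cell given with -c
    k_realm       -- the -k argument, or None if it was not given

    Returns (client_principal, cell_realm). The -k realm never touches the
    client principal; an unqualified name is completed with default_realm,
    exactly as krb5_parse_name() does.
    """
    if '@' not in principal:
        principal = principal + '@' + conf['libdefaults']['default_realm']
    cell_realm = k_realm if k_realm else host_to_realm(conf, cell_vlserver)
    return principal, cell_realm


if __name__ == '__main__':
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    # The three invocations from the thread, with a hypothetical vlserver name.
    for pr, k in (('xxxxx', 'CELL.XX'), ('xxxxx@CELL.XX', 'CELL.XX'), ('xxxxx@CELL.XX', None)):
        client, cell_realm = resolve(conf, pr, 'vl1.cell.xx', k)
        print(f'-pr {pr:<15} -k {k!s:<8} -> client {client:<16} cell realm {cell_realm}')
```

With this configuration the first form ends up asking for tickets as xxxxx@USER.XX, which is why a realm must be given as part of the principal when the user's realm and the default realm differ; the third form, with no -k at all, still finds CELL.XX because vl1.cell.xx falls under the .cell.xx entry.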