[OpenAFS] Can't get tokens since upgrading to 1.7.6 and Heimdal

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 22 Feb 2012 10:47:42 -0500



On 2/22/2012 10:30 AM, Jeff Blaine wrote:
> The problem isn't "it's not finding afs/sub.my.org@SUB.MY.ORG"
>
> The problem is: "it's not looking for afs@SUB.MY.ORG"
>
> It should do that.
>
> OpenAFS Quick Start Guide:
> ...
> Begin by creating the following two entries in your site's Kerberos
> database:
> ...
>
> The entry for AFS server processes, called either afs or afs/cell.
> ...

afs@REALM can only safely be used when the client knows 100% for sure
that the "afs" service principal is associated with the cell that is
being accessed.  aklog will only search for afs@ in the realm that is
guessed as being associated with the DNS name of one of the VLDB servers
for the realm selected at random.

This is why we strongly recommend that the afs/cell@REALM form of
service tickets be used in all cases.  afs/cell can be used with
Kerberos referrals and when DNS realm hierarchies must be searched.

Jeffrey Altman

