[OpenAFS] Re: Multiple Kerberos realm support

Andrew Deason adeason@sinenomine.net
Thu, 10 May 2012 14:53:52 -0500


On Thu, 10 May 2012 15:08:09 -0400
Brandon Allbery <allbery.b@gmail.com> wrote:

> On Thu, May 10, 2012 at 2:36 PM, Jeff White <jaw171@pitt.edu> wrote:
> 
> > I found something else.  If I change /usr/afs/etc/krb.conf to
> > include both realm names I can get it to give me a permission denied
> > rather than hanging and generating thousands of errors:
> 
> I have to admit I've been wondering about that since you mentioned
> that you had only the foreign domain listed in krb.conf; I'd always
> understood it to need both, although that seems like a very
> unfortunate failure mode (which I bet nobody'd ever tested
> previously).  Guess I should have spoken up then.

No, the local cell name is treated as one of the 'realm' names to
accept. If your cell name is foo.bar, we accept @FOO.BAR regardless of
what's in krb.conf. Older servers don't even support more than one realm
in krb.conf, which is why the traditional advice is just to list the
foreign one in there.

The change in behavior is probably just a coincidence; there doesn't
appear to be any change in fileserver behavior since we get the same
error code both times (19270407). The different client behavior is just
due to when we get the error; the 'spin on reporting tokens error' is a
known bug when we try to contact vlservers with invalid creds; that's
probably what it is.

-- 
Andrew Deason
adeason@sinenomine.net
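The 19270407 that both clients report is a com_err-packed code: the high bits carry a table name (six bits per character) and the low eight bits the entry offset, so it can be decoded without guessing. This decoder is an added example, not part of the thread; the rxkad entry order is reproduced from my recollection of src/rxkad/rxkad_errs.et and should be checked against your own tree.

```python
"""Decode a com_err-style packed AFS/Kerberos error code (e.g. 19270407)."""

# com_err's char_to_num: 'A'..'Z' -> 1..26, 'a'..'z' -> 27..52,
# '0'..'9' -> 53..62, '_' -> 63.  Index into this string is num - 1.
_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# Entry order as recalled from OpenAFS rxkad_errs.et (assumption; verify
# against the source tree before relying on the symbol names).
RXKAD_NAMES = [
    "RXKADINCONSISTENCY", "RXKADPACKETSHORT", "RXKADLEVELFAIL",
    "RXKADTICKETLEN", "RXKADOUTOFSEQUENCE", "RXKADNOAUTH",
    "RXKADBADKEY", "RXKADBADTICKET", "RXKADUNKNOWNKEY",
    "RXKADEXPIRED", "RXKADSEALEDINCON", "RXKADDATALEN",
    "RXKADILLEGALLEVEL",
]
TABLES = {"RXK": RXKAD_NAMES}


def table_name(code: int) -> str:
    """Recover the (up to four character) error-table name from a packed code."""
    table_num = code >> 8
    chars = []
    while table_num:
        num = table_num & 63
        if num == 0:
            raise ValueError("invalid com_err table encoding in %d" % code)
        chars.append(_ALPHABET[num - 1])
        table_num >>= 6
    return "".join(reversed(chars))


def encode(table: str, offset: int) -> int:
    """Inverse of decode(): pack a table name and entry offset into a code."""
    num = 0
    for ch in table:
        num = (num << 6) + _ALPHABET.index(ch) + 1
    return (num << 8) + offset


def decode(code: int) -> tuple:
    """Return (table, offset, symbol); symbol is '?' for unknown tables/offsets."""
    code &= 0xFFFFFFFF  # tools sometimes print these as signed 32-bit ints
    table, offset = table_name(code), code & 0xFF
    names = TABLES.get(table)
    symbol = names[offset] if names and offset < len(names) else "?"
    return table, offset, symbol


if __name__ == "__main__":
    print(decode(19270407))  # ('RXK', 7, 'RXKADBADTICKET')
```

A code in the RXK table coming back from both the fileserver and the vlserver is consistent with the point above that the server side never changed and only the client's timing of the error did.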