On Thursday, April 28, 2005 01:55:05 AM -0700 Adam Megacz <[EMAIL PROTECTED]> wrote:
> "Douglas E. Engert" <[EMAIL PROTECTED]> writes:
>> Looks like they let you register the principal gssklog/[EMAIL PROTECTED]
>
> Correct; I requested that a few days ago and imported the secret key they generated for me into /etc/krb5.keytab.
>
>>> -s gssklog/[EMAIL PROTECTED] \
>>
>> The -s option is for the GSSAPI import name, which is not the same as a krb5 principal name, as the gss is expecting <service>@<host>. If the krb5 gss is being used, you should not need the -s option, as the default for creating a principal will be gssklog/<host>@<realm>.
>
> Right, but if I don't specify the "-s" option, it tries:
>
>     len=69, name=gssklog/[EMAIL PROTECTED]
>
> ... it's using the "home" realm for the "@<realm>" part. It ought to be using the foreign realm. If I use "-s [EMAIL PROTECTED]", it's *almost* right:
>
>     len=41, name=gssklog/[EMAIL PROTECTED]
>
> Again, I have no clue what arachne is. How do I forcibly override this?
I think you missed a point that Doug made, and in fact he missed part of its significance...
The argument to -s is not a Kerberos principal name.
It is a GSSAPI host-based service name, as described in section 4.1 of RFC2743. The form of such a name is '[EMAIL PROTECTED]'; since GSSAPI is generic, it has no concept of "realm".
In the case of the Kerberos V5 mechanism, a GSSAPI host-based service name of the form '[EMAIL PROTECTED]' is mapped onto a Kerberos principal name like 'service/[EMAIL PROTECTED]', where the realm is derived from the hostname in the standard fashion. So, when you give a service name like 'gssklog/[EMAIL PROTECTED]', the mechanism takes 'gssklog/reconfigurable.cs.berkeley.edu' as the service name, and 'BERKELEY.EDU' as the hostname. Following a bad recommendation in RFC2743, it then attempts to "canonicalize" the hostname by looking it up in DNS.
If you look up BERKELEY.EDU's address in DNS, and then do a reverse lookup on that address, you'll find that arachne.berkeley.edu is BERKELEY.EDU's canonical hostname.
Doug is also right that you don't need the -s in this case, because the default service name '[EMAIL PROTECTED]' is correct. However, you do need to add an appropriate domain_realm mapping to your krb5.conf so that this hostname is mapped into the BERKELEY.EDU realm.
--
Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
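The name mapping Jeff describes, written out as a small added example (not code from gssklog, MIT Kerberos or anyone in this thread): a GSSAPI host-based service name "service@host" (RFC 2743 section 4.1) is split at its first '@' and turned into a Kerberos V5 principal "service/host@REALM", with the realm taken from a [domain_realm]-style table. The DOMAIN_REALM table is constructed for the example, the table lookup stands in for real krb5.conf parsing, and the DNS canonicalization step is deliberately left out, so the host part is used as typed. It shows why '-s gssklog/host@REALM' misparses (everything before the '@' becomes the service) and why the plain default name only lands in BERKELEY.EDU once a domain_realm entry exists.

```python
# Added example: GSSAPI host-based service name -> Kerberos V5 principal,
# in the style of the krb5 GSSAPI mechanism but without the DNS lookup.

# Constructed stand-in for a krb5.conf [domain_realm] section: keys that
# start with '.' match a domain suffix, other keys match a host exactly.
DOMAIN_REALM = {
    ".cs.berkeley.edu": "BERKELEY.EDU",
}


def parse_host_based_name(name):
    """Split 'service@host' at the FIRST '@', as the krb5 mechanism does.

    Everything before the '@', slashes included, is taken as the service,
    which is exactly what happens to 'gssklog/host@REALM' in the thread.
    The host part is lower-cased, as krb5 does for hostnames.
    """
    service, sep, host = name.partition("@")
    if not sep or not service or not host:
        raise ValueError("not a host-based service name: %r" % name)
    return service, host.lower()


def realm_for_host(host, domain_realm=DOMAIN_REALM):
    """Derive the realm for a hostname from a [domain_realm]-style table.

    Exact host entry first, then the longest matching '.suffix' entry.
    With no entry at all, fall back to the upper-cased parent domain of
    the host, which is the MIT krb5 default when nothing matches.
    """
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    if len(labels) > 1:
        return ".".join(labels[1:]).upper()
    return host.upper()


def gss_name_to_principal(name, domain_realm=DOMAIN_REALM):
    """'service@host' -> 'service/host@REALM'."""
    service, host = parse_host_based_name(name)
    return "%s/%s@%s" % (service, host, realm_for_host(host, domain_realm))


if __name__ == "__main__":
    # The default name gssklog builds, with and without a domain_realm entry.
    print(gss_name_to_principal("gssklog@reconfigurable.cs.berkeley.edu"))
    print(gss_name_to_principal("gssklog@reconfigurable.cs.berkeley.edu", {}))
    # The '-s gssklog/host@REALM' form: the slash ends up inside the service.
    print(gss_name_to_principal(
        "gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU"))
```

With the constructed '.cs.berkeley.edu' entry, the default name maps to 'gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU'; with an empty table the same name falls back to the CS.BERKELEY.EDU realm, which is the mismatch the domain_realm entry fixes. The '-s gssklog/...@BERKELEY.EDU' form yields a principal whose service component still carries the slash and hostname, with 'berkeley.edu' as the host; the real mechanism would go one step further and canonicalize that host through DNS, which is where arachne comes from.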
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info