Jeffrey Altman wrote:
John W. Sopko Jr. wrote:
Is there any good reason(s) for NOT deploying a
Kerberos REALM name that is different from the
AFS cell name? When we move to a K5 server I may
have to use a different REALM name on the db/file servers.
I want to be sure this will not be a problem in the future.

I have tested different realm/cell names and it works now.
I would prefer to have my cell name and realm name match as
it does now and I know that is the recommendation. For
political reasons I may not have that luxury when moving
to K5 authentication.

Thanks for your input.

There is no requirement that the cell name and the realm
name match.  The purpose behind the convention of

  afs/[EMAIL PROTECTED]

service tickets is so that you can have multiple cells
that all authenticate against a common realm.  They can't
all have the name of the realm.

Where you will experience great pain is if the realm derived
from the name of the db servers does not match the authentication
realm of the cell.   The heuristic used by aklog to obtain the
correct service ticket is to perform a domain to realm mapping
on the hostname of the first db server.  This is either derived
from the hostname itself or by looking at the domain_realm
section of the local machine's krb5.conf file.

Thanks for the info. My cell name and dns domain name will be the
same but the K5 REALM may be different. I have to support the
[domain_realm] section anyway and it seems to work fine. I was
hoping to not have to support that section forever...


Jeffrey Altman


--
John W. Sopko Jr.               University of North Carolina
email: sopko AT cs.unc.edu      Computer Science Dept., CB 3175
Phone: 919-962-1844             Sitterson Hall; Room 044
Fax:   919-962-1799             Chapel Hill, NC 27599-3175
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
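The mapping Altman describes above (aklog guessing the realm from the first db server's hostname, either from the hostname itself or from the [domain_realm] section of krb5.conf) is easy to get wrong when the cell's DNS domain and the Kerberos realm differ. The following is an added example, not code from the thread or from OpenAFS: a small Python model of that lookup with a constructed krb5.conf excerpt, so you can see which afs/cell@REALM principal would be requested with and without the [domain_realm] entries. The cell afs.example.com, the realm KRB.EXAMPLE.NET and the host db1.afs.example.com are hypothetical, and the matching rules are the documented [domain_realm] semantics in simplified form (exact host first, then dotted domain suffixes longest to shortest, then the parent domain upper-cased as the fallback).

```python
"""Added example (not part of the OpenAFS-info thread): a model of the
aklog / MIT krb5 domain-to-realm heuristic used to pick the realm of the
afs/<cell>@<REALM> service ticket.

All names here are hypothetical: cell afs.example.com, realm
KRB.EXAMPLE.NET, first db server db1.afs.example.com.
"""

# Constructed sample krb5.conf excerpt for the situation in the thread:
# the realm name is not the upper-cased DNS domain, so [domain_realm]
# entries are needed for the guess to come out right.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = KRB.EXAMPLE.NET

[domain_realm]
    .afs.example.com = KRB.EXAMPLE.NET
    afs.example.com = KRB.EXAMPLE.NET
"""


def parse_domain_realm(conf_text):
    """Return the [domain_realm] section of a krb5.conf as a dict.

    Keys are lower-cased; comments (#) and other sections are ignored.
    """
    mapping = {}
    in_section = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping


def host_to_realm(hostname, mapping):
    """Simplified [domain_realm] lookup for one hostname.

    1. exact hostname match
    2. dotted suffixes, longest first (".afs.example.com", ".example.com", ...)
    3. fallback: the host's parent domain upper-cased (MIT's default when
       nothing matches and no DNS lookup is used)
    """
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return ".".join(labels[1:]).upper()


def afs_service_principal(cell, first_db_server, mapping):
    """Principal aklog would ask for, given the cell's first db server."""
    return "afs/%s@%s" % (cell, host_to_realm(first_db_server, mapping))


def realm_mismatch(first_db_server, auth_realm, mapping):
    """True in the painful case: the guessed realm is not the realm the
    cell's afs principal actually lives in, so the ticket request fails."""
    return host_to_realm(first_db_server, mapping) != auth_realm


if __name__ == "__main__":
    cell, db1, realm = "afs.example.com", "db1.afs.example.com", "KRB.EXAMPLE.NET"
    with_map = parse_domain_realm(SAMPLE_KRB5_CONF)
    print("with [domain_realm]:   ", afs_service_principal(cell, db1, with_map))
    print("without [domain_realm]:", afs_service_principal(cell, db1, {}))
    print("mismatch without map:  ", realm_mismatch(db1, realm, {}))
```

With the [domain_realm] entries the request is for afs/afs.example.com@KRB.EXAMPLE.NET; without them the fallback derives AFS.EXAMPLE.COM from the db server's domain, which is exactly the "realm derived from the db server name does not match the authentication realm" case. The usual ways out are to keep the entries in every client's krb5.conf, or to keep the realm name equal to the upper-cased DNS domain so the fallback is already correct.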