Greetings all:
I have made significant progress, but have a few remaining questions.
First, please take a look at these configs. Why must authmethod and
krb5realm be explicitly defined in both pref and codaauth2 -- did I foul up
a config somewhere, or perhaps DNS? And is there no way to define the
location of the -keytab krb5.conf declaration in a config (pref?), or
perhaps a default location where it looks for the keytab, so that I can place
krb5.keytab there and omit the explicit declaration entirely?
[r...@sandbox1]# cat /vice/codaauth2.conf
4 {
    authorities {
        coda.realm {
            authmethod = kerberos5
            methodopts {
                krb5realm = KERBEROS.REALM
            }
        }
    }
}
[r...@sandbox1]# cat ~/.codafs/clog/pref
5 {
    loginto = coda.realm
    identities {
        coda.realm {
            desc = coda.realm
            identity = codaadmin/codaa...@coda.realm
            authmethod = kerberos5
            methodopts {
                krb5realm = KERBEROS.REALM
            }
        }
    }
}
[r...@sandbox1]# clog -keytab ~/.codafs/clog/krb5.keytab
Regarding keytab auth, I found this site referring to kerberos _service_
principal keytab based afs auth (3rd paragraph from the top, under
"Background" section):
http://www.stanford.edu/services/kerberos/sysadmin/keytabs.html
A service key would be ideal for my application. We are simply wanting to
provide configuration data and some media content from our coda fileserver
to an application on our application server. Having to deal with user
names, passwords, password policies (and expiration!) simply adds unneeded
headaches. Do you know of a way to swap out a Kerberos user principal for
a Kerberos service principal for the purpose of coda user authentication?
Lastly, the following scripts/binaries are annoyingly interactive:
*) cocli
*) coser
*) createvol_rep
Is there an automation-friendly flag I can pass in to make unattended
roll-outs possible? I don't want to have to resort to expect just to pass
through a few [enter] key strokes.
Regards,
-Don
{void}
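Since the question above turns on the same authmethod/krb5realm settings having to appear in both /vice/codaauth2.conf and ~/.codafs/clog/pref, here is an added example (not Coda's own parser, and not code from the poster) that reads the brace-delimited format shown in the two listings and checks that the Kerberos settings in both files agree. The grammar is inferred only from those listings (a version number opening the top-level block, `name {` ... `}` for nested blocks, `key = value` for settings); the sample configs are constructed, with a placeholder identity in place of the elided one, and a deliberately unclosed copy of pref shows how an unbalanced brace is reported.

```python
"""Parser and consistency check for the brace-delimited config format shown
in the post.  The grammar is an assumption inferred from the two listings
only; this is an added illustration, not Coda's own parser."""

# Constructed sample: the codaauth2.conf from the post, verbatim.
CODAAUTH2_CONF = """4 {
authorities {
coda.realm {
authmethod = kerberos5
methodopts {
krb5realm = KERBEROS.REALM
}
}
}
}
"""

# Constructed sample: the pref file from the post, with a placeholder
# identity and the closing brace the posted copy was missing.
PREF_CONF = """5 {
loginto = coda.realm
identities {
coda.realm {
desc = coda.realm
identity = codaadmin/EXAMPLE_INSTANCE@coda.realm
authmethod = kerberos5
methodopts {
krb5realm = KERBEROS.REALM
}
}
}
}
"""

# Constructed failure case: same file with the final brace dropped.
PREF_CONF_UNCLOSED = PREF_CONF.rstrip()[:-1]


class ConfigError(ValueError):
    """Raised with the offending line number for malformed input."""


def parse_config(text):
    """Return (version, nested dict) for one config file.

    Blocks become dicts keyed by block name, settings become string values.
    An unbalanced or unparseable line raises ConfigError.
    """
    stack = []        # currently open blocks, innermost last
    root = None
    version = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            name = line[:-1].strip()
            block = {}
            if not stack:
                # The top-level block is introduced by a bare version number.
                if root is not None:
                    raise ConfigError(f"line {lineno}: second top-level block")
                if not name.isdigit():
                    raise ConfigError(
                        f"line {lineno}: expected a version number before '{{', got {name!r}")
                version, root = int(name), block
            else:
                stack[-1][name] = block
            stack.append(block)
        elif line == "}":
            if not stack:
                raise ConfigError(f"line {lineno}: '}}' with no open block")
            stack.pop()
        elif "=" in line:
            if not stack:
                raise ConfigError(f"line {lineno}: setting outside any block")
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
        else:
            raise ConfigError(f"line {lineno}: cannot parse {line!r}")
    if stack:
        raise ConfigError(f"end of input: {len(stack)} block(s) never closed")
    if root is None:
        raise ConfigError("empty config")
    return version, root


def syntax_error(text):
    """Return the ConfigError message for text, or None when it parses."""
    try:
        parse_config(text)
    except ConfigError as exc:
        return str(exc)
    return None


def kerberos_settings(tree):
    """Collect every (authmethod, krb5realm) pair found anywhere in the tree."""
    found = set()

    def walk(node):
        if "authmethod" in node:
            opts = node.get("methodopts")
            realm = opts.get("krb5realm") if isinstance(opts, dict) else None
            found.add((node["authmethod"], realm))
        for value in node.values():
            if isinstance(value, dict):
                walk(value)

    walk(tree)
    return found


def kerberos_settings_agree(codaauth2_text, pref_text):
    """True when both files name exactly one, identical (method, realm) pair."""
    _, auth = parse_config(codaauth2_text)
    _, pref = parse_config(pref_text)
    return len(kerberos_settings(auth) | kerberos_settings(pref)) == 1
```

Running `syntax_error(PREF_CONF_UNCLOSED)` reports "1 block(s) never closed", which is the kind of drift between the two hand-maintained copies the poster is worried about; `kerberos_settings_agree(CODAAUTH2_CONF, PREF_CONF)` is True for the two listings as posted.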
Regardless, I'll start converting my command line into codaauth2.conf
(and perhaps .codafs/clog/pref if it's worth doing).
I have fixed the DNS SRV records, so the krb and tokens entries have been
stricken; however, it appears the following have to be in both codaauth2
and pref:
authmethod = kerberos5
methodopts { krb5realm = KERBEROS.REALM
methodopts { krb5service { coda/coda.realm
NOTE: I know this syntax is incorrect, I'm simply displaying linear
container hierarchy to provide scope for the end config option.
Is there any way to push these settings to dns, or at least push them to
codaauth2 only? I'm sure there is some distinction between codaauth2 and
pref that I as yet do not understand.
Yes, I know coda/ is non-standard, and I wouldn't need it if I used
codaauth, but I'd still like to know why this can't be set in codaauth2
and stricken from pref.
Most important, is it at all possible to define the keytab in codaauth2 or
pref? Is there a default location that the keytab is looked for by clog?
Regards,
-Don
{void}