Christopher Allen Wing wrote:
> As Douglas suggests, adding the principal to your realm:
> afs/[EMAIL PROTECTED]
> would also likely solve your problem. pam_krb5 only tries the instanceless
> principal:
> [EMAIL PROTECTED]
> when it can reverse map the IP address of the AFS server, and use that
> domain name to come up with a Kerberos realm, using the [domain_realm]
> section in /etc/krb5.conf.
> (which is not my preferred behavior)

Hi Chris,
Will this break my existing and working RHEL 3.4 systems?
I'm trying to follow along with the Krb5 migration kit so that
I understand how all of this works. My understanding is that your
"afs" principal has to have a matching kvno as in your AFS Keyfile.
If I change the format of the name from [EMAIL PROTECTED] to
afs/[EMAIL PROTECTED], I believe I would also have
to add this new key into the AFS Keyfile (extract with ktadd,
add to AFS Keyfile with asetkey). However, unless the older
version of pam_krb5 used in RHEL 3.4 also uses the updated
name format, I believe I may "break" my working 3.4 machines.
Or, am I allowed to have both entries in the AFS Keyfile and
Krb database?
As a side note, I have verified that both forward and reverse
name mapping work for my primary and secondary KDC and AFS servers.
Thanks,
-Dj
--
Dj Merrill
Sportsman 2+2 Builder #7118
"TSA: Totally Screwing Aviation"