Adam Megacz wrote:

> Modifying all those krb5.conf's is not an option (clueless users can't
> be expected to do this), so I have no other choice. Fortunately many
> libkrb5's _do_ know about RFC2052.

But they will only use DNS SRV records if the krb5.conf file permits it and there is no domain/realm mapping entry in the krb5.conf file for the resulting hostname or domain.

> BTW, I think understanding and valuing this sort of scenario -- where
> the AFS admin does not control the client machines and users are
> unsophisticated -- is an important hurdle that the OpenAFS community
> still needs to get over. Afsdb/dynroot were a big step in this
> direction, though!

A good solution for this would be to provide a new RPC that can be sent to any AFS service that requires authentication that would return a list of local authentication domains:

 * Kerberos 4: KERBEROS.REALM
 * Kerberos 5: KERBEROS.REALM
 * Kerberos 5: ANOTHER.REALM
 etc.

Then aklog could obtain the list of AFSDB records and query the servers directly.

Jeffrey Altman
