On Thursday, January 26, 2006 09:41:06 PM -0800 Russ Allbery <[EMAIL PROTECTED]> wrote:

> Adam Megacz <[EMAIL PROTECTED]> writes:
>
>> I may be abandoning this because there doesn't seem to be any reliable
>> way for clients to figure out that the cell is its own realm (without
>> requiring end-users to manually edit or replace their krb5.conf, which
>> is way beyond the abilities of many people, sad as that fact may be).
>
> Doesn't manipulating the names of the VLDB servers help?  Or does Berkeley
> not want to let you create an additional level in DNS?

Indeed, it should. What Russ is alluding to here is the fact that most aklogs determine what realm to use by applying the normal Kerberos host-to-realm mapping on the hostname of one of the DB servers. Of course, this introduces all sorts of security issues related to trusting the names in AFSDB records, but that's been true for a while.

Is there some reason you _need_ to operate your own realm?
Wouldn't it be easier to get the CS.BERKELEY.EDU admins to create the service principal afs/[EMAIL PROTECTED] ?
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
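The host-to-realm mapping described in the message above, as an added example that is not code from the thread, from aklog or from OpenAFS: it approximates the Kerberos [domain_realm] lookup (exact host entry, then longest ".domain" suffix, then the upper-cased DNS domain as a fallback), applies it to the first database server of a cell the way aklog is said to, and adds a pinning check that compares the derived realm against a locally configured one instead of trusting whatever server names DNS returned. The krb5.conf contents, hostnames, cell names and realms are constructed placeholders.

```python
"""How an aklog-style client picks the Kerberos realm for an AFS cell.

Added illustration, not OpenAFS code.  The client takes the hostname of
one of the cell's database servers and runs the ordinary Kerberos
host-to-realm mapping on it.  All data below is constructed.
"""

# Constructed stand-in for a krb5.conf [domain_realm] section.  Keys that
# start with "." match every host under that domain; bare keys match one host.
DOMAIN_REALM = {
    ".cs.berkeley.edu": "CS.BERKELEY.EDU",
    "special.cs.berkeley.edu": "SPECIAL.EXAMPLE",
}


def realm_for_host(hostname: str, domain_realm: dict = DOMAIN_REALM) -> str:
    """Return the realm a Kerberos library would choose for HOSTNAME.

    Approximates the MIT krb5 [domain_realm] lookup: an exact hostname
    entry wins, then the longest matching ".domain" suffix; if nothing
    matches, fall back to the host's DNS domain in upper case.
    """
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    # Try ".b.c.d", then ".c.d", ... longest suffix first.
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    # Fallback heuristic: upper-case the DNS domain of the host.
    return ".".join(labels[1:]).upper()


def realm_for_cell(db_servers: list) -> str:
    """Derive a cell's realm from its first database server's name,
    as the message describes aklog doing.  DB_SERVERS is the list a
    client would have obtained from CellServDB or from AFSDB records."""
    if not db_servers:
        raise ValueError("cell has no database servers")
    return realm_for_host(db_servers[0])


def check_realm_pinned(cell: str, db_servers: list, expected: dict) -> bool:
    """Defensive check: the realm derived from the (possibly DNS-supplied)
    server list must equal the realm pinned for the cell in EXPECTED, a
    constructed cell -> realm table standing in for local configuration.
    A mismatch means the server names, not the admin, chose the realm."""
    derived = realm_for_cell(db_servers)
    return derived == expected.get(cell)


if __name__ == "__main__":
    pinned = {"cs.berkeley.edu": "CS.BERKELEY.EDU"}
    print(realm_for_cell(["afsdb1.cs.berkeley.edu"]))
    print(check_realm_pinned("cs.berkeley.edu", ["afsdb1.cs.berkeley.edu"], pinned))
    print(check_realm_pinned("cs.berkeley.edu", ["db.example.org"], pinned))
```

The pinning table plays the role Adam's thread is circling around: if the realm for a cell is recorded locally, the client no longer depends on the DB server names from AFSDB records to decide which KDC it will ask for the afs service ticket.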
