John W. Sopko Jr. wrote:
> Is there any good reason(s) for NOT deploying a
> Kerberos REALM name that is different from the
> AFS cell name. When we move to a K5 server I may
> have to use a different REALM name on the db/file servers.
> I want to be sure this will not be a problem in the future.
> 
> I have tested different realm/cell names and it works now.
> I would prefer to have my cell name and realm name match as
> it does now and I know that is the recommendation. For
> political reasons I may not have that luxury when moving
> to K5 authentication.
> 
> Thanks for your input.

There is no requirement that the cell name and the realm
name match.  The purpose behind the convention of

  afs/[EMAIL PROTECTED]

service tickets is so that you can have multiple cells
that all authenticate against a common realm.  They can't
all have the name of the realm.

Where you will experience great pain is if the realm derived
from the name of the db servers does not match the authentication
realm of the cell.   The heuristic used by aklog to obtain the
correct service ticket is to perform a domain to realm mapping
on the hostname of the first db server.  This is either derived
from the hostname itself or by looking at the domain_realm
section of the local machine's krb5.conf file.

Jeffrey Altman

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
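The domain-to-realm heuristic Jeffrey describes is easy to get wrong when the db servers sit in a DNS domain whose realm differs from the cell's authentication realm. The following Python is an added worked example, not code from the thread or from OpenAFS itself: it parses a constructed `[domain_realm]` section of a krb5.conf, maps a hostname to a realm the way libkrb5's domain_realm lookup does (exact host, then each parent domain with a leading dot, longest match first), builds the `afs/cell@REALM` service principal aklog would ask for, and flags a mismatch against the realm the cell really authenticates in. The fallback of uppercasing the parent domain when nothing matches is this example's assumption, modelled on the common libkrb5 default; the hostnames and realms are constructed.

```python
import re
from typing import Dict, Optional

# Constructed krb5.conf fragment for the example (not from the thread).
# Only the [domain_realm] section is consulted below.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.EDU

[domain_realm]
    .afs.example.edu = AFS.EXAMPLE.EDU
    db1.afs.example.edu = KDC.EXAMPLE.EDU   # an exact-host override
    .example.edu = EXAMPLE.EDU
"""


def parse_domain_realm(conf_text: str) -> Dict[str, str]:
    """Return the [domain_realm] mappings of a krb5.conf as {pattern: REALM}.

    Patterns are lower-cased (DNS names are case-insensitive); realm names
    are kept exactly as written, since Kerberos realms are case-sensitive.
    """
    mapping: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping


def host_to_realm(hostname: str, domain_realm: Dict[str, str]) -> str:
    """Map a hostname to a realm using domain_realm lookup order.

    1. the exact hostname,
    2. each parent domain written with a leading dot, longest first,
    3. (assumption, mirroring the usual libkrb5 default) the parent domain
       upper-cased when no entry matches.
    """
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    # Fallback: realm = upper-cased parent domain (example's assumption).
    return ".".join(labels[1:]).upper() if len(labels) > 1 else host.upper()


def afs_service_principal(cell: str, first_db_server: str,
                          domain_realm: Dict[str, str]) -> str:
    """Service principal aklog would request: afs/<cell>@<realm of 1st db server>."""
    return f"afs/{cell}@{host_to_realm(first_db_server, domain_realm)}"


def realm_mismatch(cell: str, first_db_server: str, auth_realm: str,
                   domain_realm: Dict[str, str]) -> Optional[str]:
    """Return a diagnostic string if the realm derived from the first db
    server differs from the realm the cell actually authenticates in,
    otherwise None. This is the situation the reply warns about."""
    derived = host_to_realm(first_db_server, domain_realm)
    if derived == auth_realm:
        return None
    return (f"cell {cell}: first db server {first_db_server} maps to realm "
            f"{derived}, but the cell authenticates against {auth_realm}; "
            f"aklog will request {afs_service_principal(cell, first_db_server, domain_realm)}")


def domain_realm_fix(first_db_server: str, auth_realm: str) -> str:
    """The [domain_realm] line that pins the db server to the right realm."""
    return f"{first_db_server.lower().rstrip('.')} = {auth_realm}"


if __name__ == "__main__":
    dr = parse_domain_realm(SAMPLE_KRB5_CONF)
    print(afs_service_principal("afs.example.edu", "db2.afs.example.edu", dr))
    problem = realm_mismatch("afs.example.edu", "db1.afs.example.edu",
                             "AFS.EXAMPLE.EDU", dr)
    if problem:
        print(problem)
        print("add to [domain_realm]:", domain_realm_fix("db1.afs.example.edu",
                                                         "AFS.EXAMPLE.EDU"))
```

Running it shows the two cases side by side: `db2.afs.example.edu` matches the `.afs.example.edu` entry and yields the realm the cell expects, while `db1.afs.example.edu` is caught by the exact-host override and would send aklog to the wrong realm; the emitted `[domain_realm]` line is the kind of local krb5.conf entry that resolves the mismatch without renaming either the cell or the realm.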