Thank you very much for the enlightening comments.
However, for the sake of clarity, I have some comments.

Thanks for this point, most people believe the contrary: klog.krb5 =  
kinit+aklog.
> 
> For starts, klog != kinit+aklog.   The algorithm used for obtaining the
> AFS service ticket in klog.krb5 differs from that used by aklog.  This
> is an unfortunate artifact of them being written by different
> individuals prior to their contribution to OpenAFS.  Authentication is
> not performed by a common library.
> 
> There are several important differences at present:
> 
> 1. aklog always requests AFS tickets as TGS requests.  klog.krb5 attempts
> to obtain the AFS ticket as an AS request.  (no intermediate TGT.)
> 
> 2. aklog understands Kerberos referrals and klog.krb5 does not.
> 
> 3. aklog will attempt to obtain a ticket for afs/[email protected] in
> addition to afs/[email protected] and [email protected].  klog.krb5 only
> attempts to obtain tickets from the CELL.REALM.
> 
> On 11/7/2011 5:32 AM, Salvatore Podda wrote:

>> Surely I do not understand the meaning of default realm in the kerberos 
>> configuration file 
>> (I am a beginner!):
>> 
>> [libdefaults]
>> default_realm = REALM.XX
> 
> 
> The configuration section header attempts to be clear about what this
> section applies to.  It applies to the Kerberos v5 library.  This is not
> a configuration setting that applies to application defaults.  The
> primary purpose of the value is for use in constructing Kerberos
> principals when no realm has been specified.

OK, I got it. 
Can `klog.krb5' be considered like other applications (kinit, telnet ...) with 
specific kerberos appdefaults?
I read a post by Russ Allbery (actually a little bit old) where he stated: 
"...*Everything* uses libdefaults. Ideally, IMO, kinit and the like should
take their defaults from libdefaults and then override those with appdefaults
settings, if present."

http://fixunix.com/kerberos/60055-kinit-uses-libdefaults-krb5-conf-instead-appdefaults.html




>> but I was induced to believe that this is the realm assumed if you fail to 
>> declare the
>> 
>> -k REALM.XX
>> 
>> in the klog.krb5 command, or at least that is what you may deduce from the 
>> relevant man page.

> -k REALM.XX is the realm of the cell.  Not the realm of the user
> principal.  

I understand the eventual difference between the realm of the cell
and the realm of the user principal, but in the usual (my) case where 
the two realms coincide, what is the difference between

`klog.krb5 -pr [email protected]' and  `klog.krb5 -pr xxxx -k REALM.XX'

This is enforced (or misled) by the klog.krb5 man page, 
where for the flag `-k' you can read:

-k <realm>
           Obtain tickets and tokens from the <realm> Kerberos realm.  If this
           option is not given, klog.krb5 defaults to using the default local
           realm.  The Kerberos realm name need not match the AFS cell name.


> In the absence of -k, the realm of the cell is determined by
> obtaining the DNS name of a vlserver and then applying the host to realm
> rules as determined by krb5.conf.

OK


>> 
>> Following the dispute it is even incomprehensible (to me!) why having
>> declared the default
>> realm in the kerberos configuration file, the klog.krb5 command does not
>> work in the forms
>> 
>> klog.krb5 -pr xxxxx -c cell.xx -k CELL.XX
>> 
>> or
>> 
>> klog.krb5 -pr [email protected]  -c cell.xx -k CELL.XX
>> 
>> but works in the form
>> 
>> klog.krb5 -pr [email protected] -c cell.xx

> 
> What are the DNS names of the vlservers?
> 
> Is host to realm information specified in the krb5.conf file?
> 

I will check the list of the vlservers we suggest to the user
client better, but I think that the mechanism you mention for 
determining the realm of the cell is assured.

Thanks for your patience and best regards

Salvatore Podda
  
> Jeffrey Altman
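As an added illustration, not taken from this thread or from OpenAFS, here is the host-to-realm step Jeffrey describes (vlserver DNS name -> krb5.conf [domain_realm] rules) so one can check whether a site's krb5.conf actually maps the vlservers to CELL.XX when -k is omitted. The krb5.conf text and the vlserver hostnames (vldb1.cell.xx and so on) are constructed samples, and only the brace-free sections are parsed.

```python
"""Host-to-realm lookup as the krb5.conf [domain_realm] rules apply it."""
import re

# Constructed sample krb5.conf (hypothetical site, not a real configuration).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = REALM.XX

[domain_realm]
    .cell.xx = CELL.XX
    cell.xx = CELL.XX
    vldb3.other.xx = CELL.XX
"""

def parse_flat_sections(text):
    """Return {section: {key: value}} for brace-free sections only.
    Nested '{ ... }' blocks (as under [realms]) are skipped, not parsed."""
    sections, current, depth = {}, None, 0
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        depth += line.count("{") - line.count("}")
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif current and depth == 0 and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections

def host_to_realm(hostname, domain_realm):
    """Apply [domain_realm]: exact hostname first, then each parent domain
    written with a leading dot, longest match first. Returns None when no
    rule applies (the library's fallback, a DNS-derived guess or a referral,
    is deliberately not modelled here)."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None

def realm_for_vlservers(conf_text, vlservers):
    """Realm derived for each vlserver name when -k is omitted; None flags
    a host that no krb5.conf rule covers."""
    rules = parse_flat_sections(conf_text).get("domain_realm", {})
    return {h: host_to_realm(h, rules) for h in vlservers}
```

A None in the result for any vlserver is the case to look at first when `klog.krb5 -pr user -c cell.xx` works only with an explicit `-k`.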
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
