On 11/8/2011 10:46 AM, Salvatore Podda wrote:
>
> OK, I got it.
> `klog.krb5' can be considered like other applications (kinit, telnet ...)
> with
> specific kerberos appdefaults?

Except that there are no [appdefaults] settings that are read from the profile by klog.krb5.

> I read a post by Russ Allbery (actually a little bit old) where he stated:
> "...*Everything* uses libdefaults. Ideally, IMO, kinit and the like should
> take their defaults from libdefaults and then override those with appdefaults
> settings, if present."
>
> http://fixunix.com/kerberos/60055-kinit-uses-libdefaults-krb5-conf-instead-appdefaults.html

The settings in [libdefaults] for lifetime, renewal, forwardable, etc. are used by the Kerberos library. There are no klog.krb5 overrides in the krb5.conf.

>>> but I was induced to believe that this is the realm assumed if you fail to
>>> declare the
>>>
>>> -k REALM.XX
>>>
>>> in the klog.krb5, or at least that is what you may deduce from the relative
>>> man page.
>
>> -k REALM.XX is the realm of the cell. Not the realm of the user
>> principal.
>
> I understand the eventual difference between the realm of the cell
> and the realm of the user principal, but in the usual (my) case where
> the two realms coincide, what is the difference between
>
> `klog.krb5 -pr [email protected]' and `klog.krb5 -pr xxxx -k REALM.XX'
>
> This is enforced (or misled) from the klog.krb5 man page,
> where for the flag `-k' you can read:
>
> -k <realm>
> Obtain tickets and tokens from the <realm> Kerberos realm. If this
> option is not given, klog.krb5 defaults to using the default local
> realm. The Kerberos realm name need not match the AFS cell name.

That text is almost correct if it was written in a world where the local AFS cell has a single Kerberos realm and that realm is the same as the local workstation Kerberos realm. Unfortunately, that is not true for all environments.

>> In the absence of -k, the realm of the cell is determined by
>> obtaining the DNS name of a vlserver and then applying the host to realm
>> rules as determined by krb5.conf.
>
> OK
>
>
>>>
>>> Following the dispute it is even incomprehensible (to me!) why, having
>>> declared the default
>>> realm in the kerberos configuration file, the klog.krb5 command does not
>>> work in the forms
>>>
>>> klog.krb5 -pr xxxxx -c cell.xx -k CELL.XX

This doesn't work because you have not specified a realm as part of the client principal name.

>>> or
>>>
>>> klog.krb5 -pr [email protected] -c cell.xx -k CELL.XX

Is CELL.XX the name of the realm in the afs/cell.xx@REALM or afs@REALM service principal?

>>> but works in the form
>>>
>>> klog.krb5 -pr [email protected] -c cell.xx

I would guess that CELL.XX is not the name of the realm that is a part of the afs/cell.xx@REALM or afs@REALM service principal.
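The reply above makes two points that are easy to get wrong: `-k` names the realm of the cell's `afs/cell@REALM` service principal, not the user's realm, and without `-k` that realm is found by applying the krb5.conf host-to-realm rules to a vlserver's DNS name. The following Python is an added illustration of that logic, not code from the thread or from OpenAFS. The krb5.conf text, the hostnames, the `WS.EXAMPLE`/`CELL.EXAMPLE`/`OLDCELL.EXAMPLE` realms and the set of principals "known to the KDC" are all constructed; the fallback to `default_realm` when no `[domain_realm]` entry matches is a simplification (real libkrb5 may also consult DNS or hand the decision to the KDC via referrals), and the helper does not reproduce klog.krb5's own option handling.

```python
import re

# Constructed krb5.conf for the example. The workstation's default realm and
# the cell's realm deliberately differ, which is the case the reply says the
# man page text does not cover.
KRB5_CONF = """\
[libdefaults]
    default_realm = WS.EXAMPLE
    ticket_lifetime = 25h
    forwardable = true

[domain_realm]
    cell.example = CELL.EXAMPLE
    .cell.example = CELL.EXAMPLE
    vl-old.cell.example = OLDCELL.EXAMPLE
"""

# Constructed: the only AFS service principal this imaginary KDC knows about.
KDC_SERVICE_PRINCIPALS = {"afs/cell.example@CELL.EXAMPLE"}


def parse_krb5_conf(text):
    """Minimal parser for flat [section] / key = value stanzas (no nested {} groups)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def host_to_realm(hostname, conf):
    """[domain_realm] lookup: exact host first, then each parent domain written
    with a leading dot. Assumption: with no match, fall back to default_realm."""
    mapping = conf.get("domain_realm", {})
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf["libdefaults"]["default_realm"]


def split_principal(pr):
    """Return (name, realm); realm is None when -pr carried no @REALM part."""
    name, sep, realm = pr.partition("@")
    return name, (realm if sep else None)


def plan_klog(pr, cell, vlserver_host, k_realm=None, conf_text=KRB5_CONF):
    """Work out which principals a klog.krb5-style request would involve.

    -k sets the realm of the *cell's* service principal; without it the realm
    comes from the host-to-realm rules applied to a vlserver's DNS name.
    """
    conf = parse_krb5_conf(conf_text)
    user, user_realm = split_principal(pr)
    cell_realm = k_realm or host_to_realm(vlserver_host, conf)
    service = f"afs/{cell}@{cell_realm}"
    problems = []
    if user_realm is None:
        problems.append("client principal has no realm")
    if service not in KDC_SERVICE_PRINCIPALS:
        problems.append(f"no such service principal at the KDC: {service}")
    return {
        "client": f"{user}@{user_realm}" if user_realm else user,
        "service": service,
        "problems": problems,
    }


if __name__ == "__main__":
    # The three command forms from the thread, with constructed names.
    for args in (
        dict(pr="alice", cell="cell.example", vlserver_host="vl1.cell.example", k_realm="CELL.XX"),
        dict(pr="alice@CELL.EXAMPLE", cell="cell.example", vlserver_host="vl1.cell.example", k_realm="CELL.XX"),
        dict(pr="alice@CELL.EXAMPLE", cell="cell.example", vlserver_host="vl1.cell.example"),
    ):
        print(args, "->", plan_klog(**args))
```

The third form succeeds only because the vlserver's name `vl1.cell.example` maps to `CELL.EXAMPLE` through the `.cell.example` entry; a cell whose vlservers live under a domain with no `[domain_realm]` entry would silently pick up the workstation's default realm, which is exactly the mismatch the reply is pointing at.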
