Hi Tod,

On Fri, Nov 07, 2008 at 11:55:17AM -0500, Tod O. Detre wrote:
> I'm setting up a new coda install with kerberos, but

I very strongly suggest you use the client available via the binary installer (http://www.aetey.se/index.php?Static&pg=CodaInstHowto) if you have Intel-compatible hosts with Linux.

The client contains the "new" modular clog with full and better support for Kerberos. clog behaviour on the clients can be customized if necessary, but there is no need for Kerberos-related configuration at the clients. You do not need any Kerberos libraries either (they are included).

I suggest also using the server package from the same place; it contains Kerberos support with a straightforward configuration. It is what we use in production and we are picky about the packaging being convenient.

Drop me (or the list) a note if you would consider setting it up. I think we could arrange a howto on the Coda wiki.

Otherwise, with the old code you will have to make realm-specific client-side configuration and/or let the clients make guesses (e.g. derive the Kerberos realm name from the Coda realm name or from the actual server DNS name or even from the client DNS name), which will not make them work with other Kerberos-aware Coda realms.

> it looks like the clients, etc default to using the hostname with all caps, but everything else (like ssh) defaults to using lowercase. Is there a way to change the coda behavior in the config files?

Hostnames are irrelevant for Kerberos authentication and it is essentially a design mistake to make use of them. The dependency on hostnames and DNS names (of some of the concerned network interfaces) is unfortunately deeply hardwired in Kerberos-based GSSAPI. I think GSSAPI behaviour is what you mean when you mention ssh. This is not relevant for Kerberos and Coda working together.

We have several Coda realms using Kerberos for authentication (for the moment 3 in regular use and 1 for Coda tests, using 2 independently administrated Kerberos realms). They are used via about 450 clients by about as many identities. I guess Aetey and Chalmers are suitable reference places for Coda-Kerberos interoperability.

If you don't like binary packages, you may of course use the supplied source code, including the modular clog, to build all that from the source. I wouldn't, unless your platform is other than Linux on Intel.

Hope this helps!

Cheers,
Rune

Received on 2008-11-07 13:50:13