Coda File System

Re: kerberos all caps

From: <u+codalist-wk5r_at_chalmers.se>
Date: Fri, 7 Nov 2008 19:51:03 +0100

Hi Tod,

On Fri, Nov 07, 2008 at 11:55:17AM -0500, Tod O. Detre wrote:
> I'm setting up a new coda install with kerberos, but

I very strongly suggest using the client available via the binary installer
(http://www.aetey.se/index.php?Static&pg=CodaInstHowto)
if you have Intel-compatible hosts with Linux.

The client contains the "new" modular clog with full and better support
for Kerberos. clog behaviour on the clients can be customized if necessary
but there is no need for Kerberos-related configuration at the clients.
You do not need any Kerberos libraries either (they are included).

I suggest also using the server package from the same place,
it contains Kerberos support with a straightforward configuration.
It is what we use in production and we are picky about the packaging
being convenient.

Drop me (or the list) a note if you would consider setting it up.
I think we could arrange a howto on the Coda wiki.

Otherwise with the old code you will have to make realm-specific
client-side configuration and/or let the clients make guesses
(e.g. derive the Kerberos realm name from the Coda realm name
or from the actual server DNS name or even from the client DNS name)
which will not make them work with other Kerberos-aware Coda realms.

> it looks like the clients, etc default to using the hostname with all caps, but everything else (like ssh) defaults to using lowercase. Is there a way to change the coda behavior in the config files?

Hostnames are irrelevant for Kerberos authentication and it is
essentially a design mistake to make use of them. The dependency on hostnames
and DNS names (of some of the concerned network interfaces) is unfortunately
deeply hardwired in Kerberos-based GSSAPI. I think GSSAPI behaviour is what
you mean when you mention ssh. This is not relevant for Kerberos and Coda
working together.

We have several Coda realms using Kerberos for authentication (for the moment
3 in regular use and 1 for Coda tests, using 2 independently administrated
Kerberos realms). They are used via about 450 clients by about as many
identities. I guess Aetey and Chalmers are suitable reference places
for Coda-Kerberos interoperability.

If you don't like binary packages, you may of course use the supplied
source code, including the modular clog, to build all that from the source.
I wouldn't, unless your platform is other than Linux on Intel.

Hope this helps!

Cheers,
Rune
Received on 2008-11-07 13:50:13