Coda File System

Re: modular clog + kerberos

From: <u+codalist-wk5r_at_chalmers.se>
Date: Thu, 21 Jan 2010 09:09:27 +0100

Hi Don,

On Wed, Jan 20, 2010 at 06:06:19PM -0800, root wrote:
> Ok, I tried changing the clog to: 
> 
> [root_at_sandbox3 ~]# clog \
>  -method kerberos5 coda_admin_user_at_coda.realm \
>  -tokenserver sandbox2.host.domain 370 \
>  -krealm KERBEROS.REALM \
>  -kdc sandbox2.host.domain \
>  -servprinc coda/coda.realm 
> 
> Basically, the method user_at_realm was changed to the coda realm from the 
> kerberos realm.  Also, the servprinc was changed to the coda.realm from 
> sandbox2.host.domain. 
> 
> Does this appear sane? 

Not totally, the principal should be codaauth/coda.realm.

> The discourse on host/ vs coda/ vs codaauth/ ended with a misunderstanding. 
> This subject is not important, please disregard. 

It _is_ important to use the standard name. See the comment on
the wiki. You do not want to maintain all of your client computers
and/or accounts to include the reference to a non-standard service
principal. Note that your Coda realm can be used from any computer in
the world, not only from the ones you happen to administrate.

As an example, I would be able to get an account and a password
at your realm and then use data under /coda/your.coda.realm
transparently. I do not want to remember and supply your non-standard
service principal at clog on all workstations I happen to use.
It would be your headache to instruct all the users to do so - better
just use the standard name instead!

Cheers,
Rune
Received on 2010-01-21 03:11:11