Greetings all:

I have made significant progress, but have a few remaining questions.

First, please take a look at these configs. Why must authmethod and krb5realm be explicitly defined in both pref and codaauth2 -- did I foul up a config somewhere, or perhaps DNS? And is there no way to define the location of the -keytab krb5.conf declaration in a config (pref?), or perhaps a default location it looks for the keytab so that I can place the krb5.keytab there and omit the explicit declaration entirely?

    [root_at_sandbox1]# cat /vice/codaauth2.conf
    4 {
      authorities {
        coda.realm {
          authmethod = kerberos5
          methodopts {
            krb5realm = KERBEROS.REALM
          }
        }
      }
    }

    [root_at_sandbox1]# cat ~/.codafs/clog/pref
    5 {
      loginto = coda.realm
      identities {
        coda.realm {
          desc = coda.realm
          identity = codaadmin/codaauth_at_coda.realm
          authmethod = kerberos5
          methodopts {
            krb5realm = KERBEROS.REALM
          }
        }
      }

    [root_at_sandbox1]# clog -keytab ~/.codafs/clog/krb5.keytab

Regarding keytab auth, I found this site referring to Kerberos _service_ principal keytab-based AFS auth (3rd paragraph from the top, under the "Background" section):

http://www.stanford.edu/services/kerberos/sysadmin/keytabs.html

A service key would be ideal for my application. We are simply wanting to provide configuration data and some media content from our coda fileserver to an application on our application server. Having to deal with user names, passwords, password policies (and expiration!) simply adds unneeded headaches. Do you know of a way to swap out a Kerberos user principal for a Kerberos service principal for the purpose of coda user authentication?

Lastly, the following scripts/binaries are annoyingly interactive:

*) cocli
*) coser
*) createvol_rep

Is there an automation-friendly flag I can pass in to make unattended roll-outs possible? I don't want to have to resort to expect just to pass through a few [enter] key strokes.
Regards,
-Don
{void}

>>>> Regardless, I'll start converting my command line into codaauth2.conf
>>>> (and perhaps .codafs/clog/pref if it's worth doing).
>
> I have fixed the DNS SRV records, so the krb and tokens entries have been
> stricken, however, it appears the following have to be in both codaauth2
> and pref:
>
>   authmethod = kerberos5
>   methodopts { krb5realm = KERBEROS.REALM
>   methodopts { krb5service { coda/coda.realm
>
> NOTE: I know this syntax is incorrect, I'm simply displaying linear
> container hierarchy to provide scope for the end config option.
>
> Is there any way to push these settings to DNS, or at least push them to
> codaauth2 only? I'm sure there is some distinction between codaauth2 and
> pref that I as yet do not understand.
>
> Yes, I know coda/ is non-standard, and I wouldn't need it if I used
> codaauth, but I'd still like to know why this can't be set in codaauth2
> and stricken from pref.
>
> Most important, is it at all possible to define the keytab in codaauth2 or
> pref? Is there a default location that the keytab is looked for by clog?
>
> Regards,
> -Don
> {void}

Received on 2010-02-10 11:38:45
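The message's complaint is that the same Kerberos settings have to be kept in step by hand in /vice/codaauth2.conf and ~/.codafs/clog/pref. The following is an added example (not code from the Coda project or from the poster) that parses the brace-structured format exactly as the two listings show it and reports any setting that differs between the two files for a realm; it assumes nothing about the format beyond `name { ... }` sections and `key = value` settings, and treats the leading number (4 / 5) as an outer section whose meaning the message does not state.

```python
"""Parser for the brace-structured listings in the message (codaauth2.conf and
clog's pref) plus a check that both give the same Kerberos settings for a realm.
Assumed from the listings alone: `name { ... }` opens a section, `key = value`
is a setting, and the leading number (4 / 5) is an outer section of unstated meaning."""
import re

TOKEN = re.compile(r"\{|\}|=|[^\s{}=]+")

def parse(text):
    """Return nested dicts: sections map to dicts, settings map to strings."""
    tokens, root, stack, pos = TOKEN.findall(text), {}, [], 0
    while pos < len(tokens):
        tok, cur = tokens[pos], (stack[-1] if stack else root)
        if tok == "}":                                   # close innermost section
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            pos += 1
        elif pos + 1 < len(tokens) and tokens[pos + 1] == "{":
            cur[tok] = child = {}                        # `name {` opens a section
            stack.append(child)
            pos += 2
        elif pos + 2 < len(tokens) and tokens[pos + 1] == "=":
            cur[tok] = tokens[pos + 2]                   # `key = value`
            pos += 3
        else:
            raise ValueError("unexpected token %r" % tok)
    if stack:   # e.g. the pref listing as pasted in the message, which is short one '}'
        raise ValueError("%d unclosed section(s)" % len(stack))
    return root

def kerberos_settings(realm_section):
    """(authmethod, krb5realm) of one realm block; None where a key is absent."""
    return (realm_section.get("authmethod"),
            realm_section.get("methodopts", {}).get("krb5realm"))

def check_consistent(codaauth2_text, pref_text, realm):
    """List settings for `realm` that differ between codaauth2.conf's authorities
    block and pref's identities block; an empty list means they agree."""
    server = next(iter(parse(codaauth2_text).values()))["authorities"][realm]
    client = next(iter(parse(pref_text).values()))["identities"][realm]
    pairs = zip(("authmethod", "krb5realm"), kerberos_settings(server), kerberos_settings(client))
    return ["%s: codaauth2=%r pref=%r" % (n, s, c) for n, s, c in pairs if s != c]

# Constructed sample files modelled on the message's listings (not real hosts).
CODAAUTH2 = """4 { authorities { coda.realm { authmethod = kerberos5
methodopts { krb5realm = KERBEROS.REALM } } } }"""
PREF = """5 { loginto = coda.realm identities { coda.realm { desc = coda.realm
identity = codaadmin/codaauth_at_coda.realm authmethod = kerberos5
methodopts { krb5realm = KERBEROS.REALM } } } }"""
```

Running `check_consistent(open("/vice/codaauth2.conf").read(), open(os.path.expanduser("~/.codafs/clog/pref")).read(), "coda.realm")` on the real files gives a quick pre-flight check before a roll-out, and `parse` raising on the unclosed brace is how the pasted pref listing would be caught.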