Coda File System

Re: modular clog + kerberos

From: <u+codalist-wk5r_at_chalmers.se>
Date: Fri, 12 Feb 2010 23:21:48 +0100
On Thu, Feb 11, 2010 at 04:12:50PM -0800, root wrote:
> >There is no such requirement. ~/.codafs/clog/pref is completely optional.
> 
> Clarification:  If I don't put those settings in pref along with codaauth2, 
> I end up having to define the settings on the command line.  I would like 

This means that something else in the setup is broken.

> clog to pull as much as it can from dns, then codaauth2, then pref, and 
> finally command line (overrides working in reverse order, of course).  If 
> codaauth2 has the kerberos definitions in it, why does clog need those same 
> definitions set in pref? 

It doesn't. Your authentication advertisement is apparently not working.
Please recheck.

> We have no "users" per se, just services trying to get at files.  For us, 
> the keytab is very handy.  Obviously we could pass in the user password to 
> clog, but that seems unrefined somehow. ;) 

Then use keytabs.

> It has a single kerberos realm, which matches our single coda realm, which 
> matches the domain of all the hosts everything is running on (both servers 

This coincidence is actually irrelevant and does not make it "simpler".
I would say it makes it harder to distinguish between things which matter
and the ones which don't.

> The key is linking the coda user (pdbtool) to the kerberos "principal" 
> (user or service, being irrelevant). 

It is to be the same string in both Coda and Kerberos databases,
e.g. "bob" or "NhjsTfw" or "abc/xyz/dont.bother/me" or "coda_user".

> What I don't understand is how to link a coda user to a kerberos service 
> principal, as the syntax of the principal (displayed, at least) is 
> different between the two types.  For instance, the following is very 

The syntax includes realm names which actually refer to the databases'
instances and do not belong to the records in the databases.

> straightforward:
> coda_user_at_coda.realm
> coda_user_at_KERBEROS.REALM 

Exactly.

> What I want to do is associate this same coda user to a service instead.  
> Can this be done by simply creating a kerberos service in the form of:
> coda_user_at_coda.realm
> coda_user/KERBEROS.REALM 

Now what do you mean by "a kerberos service"?
Sorry, I can't help this.

> I would love to modify these scripts to add a backup query flag and 
> non-interactive flag, and even provide patches to you, but when I ran file 
> against these files, they were reported as binaries:
> # file cocli-2.0-20090214-linux-ia32-1.bin
> cocli-2.0-20090214-linux-ia32-1.bin: ELF 32-bit LSB executable, Intel 
> 80386, version 1 (GNU/Linux), statically linked, stripped
> # file coser-1.5-20090214-linux-ia32-3.bin
> coser-1.5-20090214-linux-ia32-3.bin: ELF 32-bit LSB executable, Intel 
> 80386, version 1 (GNU/Linux), statically linked, stripped 

Look at the site where you downloaded the files, there are the sources.

> I will patch in support for a backup cli option and provide the patch.  I 
> should have something along shortly for your review. 

I guess I will not have time for some time so do not hold your breath.

I would also suggest learning more about the internals before spending
your (and the reviewer's) time on modifications. Otherwise you may try
to fix a wrong thing at a wrong place.

Regards,
Rune
Received on 2010-02-12 17:22:40