> On Wed, Sep 14, 2022 at 02:00:02PM -0400, Jeffrey E Altman wrote:
>> If your cell name is "your-cell-name.com" then these need to be
>>
>>     addprinc -randkey -e aes256-cts-hmac-sha1-96 afs/your-cell-name.com
>>     ktadd -k /root/rxkad.keytab afs/your-cell-name.com
>>
>> The use of "afs@REALM" is ambiguous in an environment where there are multiple cells authenticated by a single REALM.
>
> Good to know, in my case I am setting up a new Kerberos realm and new OpenAFS cells just for testing. This ambiguous afs principal is good for me, but maybe not enough for other people.

When searching for a service principal, aklog will search for principals in this order:

1. afs/your-cell-name.com@ referral request sent to the client principal's REALM
2. afs/your-cell-name.com@REALM
3. afs@REALM

If afs/your-cell-name.com@REALM does not exist, there will be a negative lookup and the cost of the extra round trips.
"afs@REALM" should not be used for a new cell. That name made sense when there was a one-to-one mapping between cell and realm due to the existence of "kaserver".
The preference for afs/your-cell-name.com@REALM over afs@REALM has been present in OpenAFS since the MIT AFS-Kerberos 5 Migration Kit was merged in November 2004.
OpenAFS 1.4.0 was the first release which integrated Kerberos v5 support.

Jeffrey Altman
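The search order described in the message above can be replayed from a shell to see which afs service principal a KDC answers for and how many negative lookups happen first. This is an added example, not part of the original message or of OpenAFS; it assumes MIT Kerberos `kvno` and an existing TGT, and the function names and the probe hook are hypothetical.

```shell
#!/bin/sh
# Added example: replay the aklog search order from the message above.

# Print the candidate principals in search order.
# $1 = cell name, $2 = Kerberos realm of the client principal.
afs_candidates() {
    # Assumption: an empty realm after "@" stands for the referral request
    # sent to the client principal's realm (candidate 1 in the list).
    printf '%s\n' "afs/$1@" "afs/$1@$2" "afs@$2"
}

# Default probe (assumption): MIT Kerberos kvno requests a service ticket
# for the named principal and exits non-zero when the KDC does not know it.
probe_kvno() {
    kvno -q "$1" >/dev/null 2>&1
}

# Walk the candidates and print "<principal> <negative-lookups>" for the
# first one that resolves, or "none <count>" if no candidate resolves.
# $3 = probe command (hypothetical hook so the logic can be tested offline).
first_afs_principal() {
    probe=${3:-probe_kvno}
    misses=0
    for p in $(afs_candidates "$1" "$2"); do
        if "$probe" "$p"; then
            echo "$p $misses"
            return 0
        fi
        misses=$((misses + 1))
    done
    echo "none $misses"
    return 1
}

# Usage with a real KDC (requires a TGT from kinit):
#   first_afs_principal your-cell-name.com YOUR.REALM
```

A result ending in `2` means only the legacy `afs@REALM` name resolved, so every token acquisition pays for two failed lookups before it succeeds.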
