[129] in athena10
Re: Missing pieces in Athena 10
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Mar 19 12:04:48 2008
From: Greg Hudson <ghudson@MIT.EDU>
To: Evan Broder <broder@mit.edu>
Cc: Timothy G Abbott <tabbott@mit.edu>, athena10@mit.edu
In-Reply-To: <47E0C3A0.7060003@mit.edu>
Content-Type: text/plain
Date: Wed, 19 Mar 2008 12:03:58 -0400
Message-Id: <1205942638.5882.5.camel@error-messages.mit.edu>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
On Wed, 2008-03-19 at 03:41 -0400, Evan Broder wrote:
> If you're planning to actually push the username.mail.mit.edu in the
> official Athena release, you should talk with Network. Currently, it's
> not possible to do Kerberos authentication to username.mail.mit.edu,
> because they're CNAMEs for poN.mail.mit.edu, and the servers only have
> keytabs for poN.mit.edu.
Huh, I can verify this in practice, but it's not what I would expect.
Normally krb4 and krb5 libraries will resolve CNAMEs before selecting a
principal to use. I'm not sure why this is an exception, or whether it
would be an exception for krb5 auth if we could do it.
I doubt Network can do much about that; installing keytabs for every
username.mail.mit.edu hostname would seem prohibitive.
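The mismatch discussed in this thread, modelled offline as an added example (not code from the list or from MIT Kerberos): the client canonicalizes the hostname through its CNAME before building `service/host@REALM`, so the server must hold a key for the canonical name, not the alias. The realm, the `imap` service name, the `po7` host and the DNS and keytab tables are all constructed for illustration.

```python
"""Offline model of how a canonicalizing Kerberos client picks a service
principal, and whether the server's keytab can satisfy it.
All names, the realm and the service below are constructed assumptions."""

REALM = "ATHENA.MIT.EDU"   # assumption: realm used in the example
SERVICE = "imap"           # assumption: the thread does not name the service

# Constructed DNS view: alias -> CNAME target.  A name absent from this
# table is treated as canonical (it has an A record, no CNAME).
CNAMES = {
    "alice.mail.mit.edu": "po7.mail.mit.edu",
    "bob.mail.mit.edu": "po7.mail.mit.edu",
    "loop-a.example.test": "loop-b.example.test",   # deliberate loop
    "loop-b.example.test": "loop-a.example.test",
}

# Constructed keytab of the server: keyed under po7.mit.edu, not under the
# po7.mail.mit.edu name the CNAMEs point at, as described in the thread.
KEYTAB_PRINCIPALS = {
    "imap/po7.mit.edu@ATHENA.MIT.EDU",
}


def canonicalize(host, cnames=CNAMES, max_hops=8):
    """Follow CNAMEs to the canonical name; refuse loops and long chains."""
    seen = []
    name = host.lower().rstrip(".")
    while name in cnames:
        if name in seen or len(seen) >= max_hops:
            raise ValueError("CNAME loop or chain too long from %s" % host)
        seen.append(name)
        name = cnames[name].lower().rstrip(".")
    return name


def service_principal(host, service=SERVICE, realm=REALM, cnames=CNAMES):
    """Principal a canonicalizing client would request for `host`."""
    return "%s/%s@%s" % (service, canonicalize(host, cnames), realm)


def keytab_can_serve(host, keytab=KEYTAB_PRINCIPALS, **kw):
    """Return (ok, principal): ok is True iff the keytab holds the
    principal the client will ask for, so a mismatch is reported exactly."""
    princ = service_principal(host, **kw)
    return princ in keytab, princ


if __name__ == "__main__":
    for h in ("alice.mail.mit.edu", "po7.mit.edu"):
        print(h, "->", keytab_can_serve(h))
```

Pointing the keytab check at the canonical name is also how to verify a fix: once the server holds a key for whatever the CNAME resolves to, `keytab_can_serve` returns True for every alias that maps there.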