Re: Missing pieces in Athena 10
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Mar 19 12:16:43 2008
From: Greg Hudson <ghudson@MIT.EDU>
To: Nelson Elhage <nelhage@mit.edu>
Cc: athena10@mit.edu
In-Reply-To: <20080319161031.GE13267@mit.edu>
Content-Type: text/plain
Date: Wed, 19 Mar 2008 12:16:00 -0400
Message-Id: <1205943360.5882.9.camel@error-messages.mit.edu>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Aha, I missed that subtlety.
On Wed, 2008-03-19 at 12:10 -0400, Nelson Elhage wrote:
> They are resolving CNAME's; the problem isn't the lack of keytab for
> $USERNAME.mail.mit.edu; the problem is that they resolve to
> poNN.*mail*.mit.edu, and they only have keytabs for poNN.mit.edu
>
> Compare the results of:
>
> [nelhage@lunatique:~]$ hesinfo nelhage pobox
> POP PO10.MIT.EDU nelhage
>
> [nelhage@lunatique:~]$ host -t CNAME nelhage.mail.mit.edu
> nelhage.mail.mit.edu is an alias for PO10.mail.mit.edu.
>
> - Nelson
>
>
> On Wed, Mar 19, 2008 at 12:03:58PM -0400, Greg Hudson wrote:
> >
> > On Wed, 2008-03-19 at 03:41 -0400, Evan Broder wrote:
> > > If you're planning to actually push the username.mail.mit.edu in the
> > > official Athena release, you should talk with Network. Currently, it's
> > > not possible to do Kerberos authentication to username.mail.mit.edu,
> > > because they're CNAMEs for poN.mail.mit.edu, and the servers only have
> > > keytabs for poN.mit.edu.
> >
> > Huh, I can verify this in practice, but it's not what I would expect.
> > Normally krb4 and krb5 libraries will resolve cnames before selecting a
> > principal to use. I'm not sure why this is an exception, or whether it
> > would be an exception for krb5 auth if we could do it.
> >
> > I doubt Network can do much about that; installing keytabs for every
> > username.mail.mit.edu hostname would seem prohibitive.
> >
> >
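The mismatch the thread describes (a client canonicalizing the alias through its CNAME and asking for a ticket for the CNAME target, while the server's keytab only holds a key for a differently named host) can be simulated offline. The following is an added example, not code from the thread or from the Athena project; the CNAME table and keytab contents are constructed, the service name `pop` is an assumption (the thread only says the servers have keytabs for poN.mit.edu), and the helper names are hypothetical.

```python
# Added example (not from the thread): simulate how a Kerberos client that
# resolves CNAMEs before choosing a service principal ends up requesting a
# ticket the server cannot decrypt when its keytab names a different host.
# All DNS data and keytab contents below are constructed for illustration.

# Constructed CNAME table: alias -> target. DNS names are case-insensitive,
# so everything is normalised to lowercase before comparison.
CNAMES = {
    "nelhage.mail.mit.edu": "po10.mail.mit.edu",
}

REALM = "ATHENA.MIT.EDU"

# Constructed keytab: the service principals the server actually has keys for.
# The service name "pop" is an assumption; the thread only says "poN.mit.edu".
SERVER_KEYTAB = {f"pop/po10.mit.edu@{REALM}"}


def canonicalize(hostname, cnames, max_hops=8):
    """Follow CNAMEs the way a krb library does before picking a principal.

    Returns the canonical lowercase name. Raises on a CNAME loop or an
    over-long chain so a bad zone cannot hang the caller.
    """
    name = hostname.rstrip(".").lower()
    seen = set()
    while name in cnames:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long starting at {hostname}")
        seen.add(name)
        name = cnames[name].rstrip(".").lower()
    return name


def service_principal(service, hostname, cnames, realm=REALM):
    """Principal a canonicalizing client would request a service ticket for."""
    return f"{service}/{canonicalize(hostname, cnames)}@{realm}"


def server_can_decrypt(principal, keytab):
    """A server can only decrypt a ticket issued to a principal in its keytab."""
    return principal in keytab


def check(hostname, service="pop", cnames=CNAMES, keytab=SERVER_KEYTAB):
    """Return (requested principal, whether the server's keytab can serve it)."""
    princ = service_principal(service, hostname, cnames)
    return princ, server_can_decrypt(princ, keytab)


if __name__ == "__main__":
    # The alias canonicalizes to po10.mail.mit.edu, which is not in the keytab;
    # contacting po10.mit.edu directly works because that name is in the keytab.
    for host in ("nelhage.mail.mit.edu", "po10.mit.edu"):
        princ, ok = check(host)
        print(f"{host:24} -> {princ:40} keytab match: {ok}")
```

The fix implied by the thread is visible in the simulation: either the CNAME target must match the name the keytab was issued for, or the keytab must gain an entry for the name clients actually canonicalize to; adding a keytab entry per username alias is unnecessary, since the client never requests the alias name itself.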