Coda File System

Re: modular clog + kerberos

From: <>
Date: Wed, 20 Jan 2010 10:00:04 +0100
Hi Don,

On Tue, Jan 19, 2010 at 11:29:23AM -0800, root wrote:
> Realm, with respect to Kerberos authentication realm.  The coda realm (or 
> is it cell??) is, in fact, lower case. 
> Please feel free to make the assumption that I have false understandings.  
> If "KERBEROS.REALM" is stated, but from syntax it should be "coda.realm", 
> please correct me. 

Yes, it should be "codaaccount_at_coda.realm", not otherwise.

> There are references to kerberos service principals being stored in a 
> keytab for coda -- old standard was host/[fqdn]@[KERBEROS.REALM], but this 

I don't think there are any such references in the relevant wiki page... :)

> has changed to coda/ (don't want confusion/collision with telnet/ssh/etc., 
> I guess), and now codaauth/.  I don't really know what these are for, but 
> it is said you have to copy the keytab around after you create them. 

I can not take any responsibility for any other documents floating
around on the *net (including old Coda documentation).

Kerberos-specific documentation and howtos are largely inappropriate for
our/your purposes as they make a lot of assumptions which are invalid
in a general case. What they describe is usual (I do not say "best" :)
practices for an oversimplified (even if often encountered) scenario.

> >Did you really mean "refreshing Kerberos credentials" or rather
> >"refreshing Coda credentials"?
> Probably.  I don't, as yet, understand the distinction.  When using clog 

Kerberos credentials are stored in the Kerberos "credentials cache", 
usually a small file, often pointed at by KRB5CCNAME environment variable.
Its contents is shown by "klist". The credentials are represented
as a collection of "tickets". Tickets expire as time goes.

Coda credentials are so called tokens, shown by "ctokens", stored
in the Venus cache manager. Tokens expire, usually in 25 hours.
At Venus' or host restart they disappear as well.

> To be abundantly clear, when I refer to a "kerberos ticket", or 
> authenticating, I am referring to the process by which I fetch a current 
> and valid "tgt" ticket as I currently do not understand any other 
> distinction. 

I think this list is a wrong place to go into Kerberos basics.
Unfortunately, I don't feel I can undertake the effort to write
a suitable Kerberos introduction on the wiki either.

> [root_at_sandbox3 ~]# k5start --help         2>&1|grep -iE 'afs|KINIT_PROG|-t'

> In essence, you are, of course, correct.  It appears, simply, that the 
> notion of running clog (or any other app, including a script) is built in 
> to the kerberos utilities. 

Good. Use this if you need to refresh both Kerberos and Coda credentials.

Received on 2010-01-20 04:01:12