From c02258eb8ef255b74d3ba707038f73082867ac33 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 6 Nov 2006 04:23:33 +0000 Subject: [PATCH] * Document (at least partially) AFS's mapping of Kerberos v5 principal names to Kerberos v4 format in the aklog man page. Thanks, Daniel J. Priem. (Closes: #394832) * Document that aklog -setpag may not always work. --- debian/changelog | 6 +++++- doc/man-pages/pod1/aklog.pod | 15 ++++++++++++++- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 1ec83b53d..c3fc430b6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,8 +2,12 @@ openafs (1.4.2-3) unstable; urgency=low * Change the documentation of afsd -shutdown to be less dire and more accurate. Thanks, Daniel J. Priem. (Closes: #394990) + * Document (at least partially) AFS's mapping of Kerberos v5 principal + names to Kerberos v4 format in the aklog man page. Thanks, Daniel + J. Priem. (Closes: #394832) + * Document that aklog -setpag may not always work. - -- Russ Allbery Sun, 5 Nov 2006 20:11:36 -0800 + -- Russ Allbery Sun, 5 Nov 2006 20:23:21 -0800 openafs (1.4.2-2) unstable; urgency=low diff --git a/doc/man-pages/pod1/aklog.pod b/doc/man-pages/pod1/aklog.pod index aec8b0db0..5351dd878 100644 --- a/doc/man-pages/pod1/aklog.pod +++ b/doc/man-pages/pod1/aklog.pod @@ -33,6 +33,17 @@ ticket from the realm corresponding to that cell (the upcase version of the cell name), but a different realm for a particular cell can be specified with B<-k>. B<-k> cannot be used in B<-path> mode (see below). +When using B, be aware that AFS uses the Kerberos v4 principal +naming format, not the Kerberos v5 format, when referring to principals in +PTS ACLs, F, and similar locations. AFS will internally map +Kerberos v5 principal names to the Kerberos v4 syntax by removing any +portion of the instance after the first period (generally the domain name +of a host principal), changing any C to C<.>, and changing an initial +principal part of C to C. In other words, to create a PTS +entry for the Kerberos v5 principal C, refer to it as +C, and for the principal C, refer to +it as C. + =head1 OPTIONS =over 4 @@ -113,7 +124,9 @@ C<..>. When setting tokens, attempt to put the parent process in a new PAG. This is usually used as part of the login process but can be used any time to -create a new AFS authentication context. +create a new AFS authentication context. Note that this in some cases +relies on dangerous and tricky manipulations of kernel records and will +not work on all platforms or with all Linux kernels. =item B<-zsubs> -- 2.39.5