[OpenAFS] ADS and MIT Kerberos transition auth continued

Eric Chris Garrison ecgarris@iupui.edu
Wed, 01 Jul 2009 12:17:11 -0400


> From: Andrew Deason <adeason@sinenomine.net>
> > I've added an afs service principal from each of two realms to the
> > KeyFile using asetkey.   I've added both realms in /etc/krb.conf, the
> > first two lines of the file being the two realms.
> You probably want /usr/afs/etc/krb.conf (if using transarc paths), or
> /etc/openafs/server/krb.conf.

Thanks, that did help, I've gotten further now.

What I'm seeing now though, is that although I used asetkey to add the
service principal from the ADS realm to my test cell, permissions aren't
working as I'd expect.

So, we have realm AFSTEST.IU.EDU and ADS.IU.EDU.  Both in the KeyFile and
in the /usr/afs/etc/krb.conf and both listed in the /etc/krb5.conf.

On a client machine, I can kinit as the original, as
ecgarris@AFSTEST.IU.EDU and can get permissions as expected to OpenAFS
directories with ACLs granted to OpenAFS user ecgarris.

I would expect on a multi-realm cell, that I could come in as
ecgarris@ADS.IU.EDU and have the same permissions as
ecgarris@AFSTEST.IU.EDU, but I don't; I get permission denied.  If I
create a file in an anyuser-writable directory, the UNIX permissions show
it as owned by ecgarris, but I still get Permission Denied when I try to
access directories owned by OpenAFS ecgarris.

If I make the ONLY realm ADS.IU.EDU I have the same problem as well.

Does this mean if we switch domains, all existing users will need extra
ACLs inserted to accommodate the new domain?  Is there a better answer?
Am I just missing something simple?


--
Eric Chris Garrison             | Principal Mass Storage Specialist
ecgarris@iupui.edu              | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: ecgarris@iupui.edu
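As an added illustration of the mapping behind the symptoms described above (this is not code from the original post or from OpenAFS), the following Python model shows which PTS identity an ACL check sees for a given Kerberos principal: a principal whose realm is one of the cell's local realms maps to the bare username, while a principal from any other realm is identified as user@realm in lowercase, a separate PTS entry that existing ACLs do not mention. The krb.conf parsing (every whitespace-separated token is taken as a local realm, so both one-per-line and space-separated layouts are accepted), the sample ACL and the group handling are simplifying assumptions.

```python
# Simplified model (an assumption, not OpenAFS source) of how a file server
# turns the principal in a token into the PTS identity it checks ACLs against.
from typing import Dict, Iterable, Set

def local_realms_from_krb_conf(text: str) -> Set[str]:
    """Treat every whitespace-separated token in the server krb.conf as a local realm."""
    return {token.upper() for line in text.splitlines() for token in line.split()}

def pts_identity(principal: str, local_realms: Iterable[str]) -> str:
    """Local-realm principals become the bare user; others become user@realm (lowercase)."""
    name, _, realm = principal.partition("@")
    if realm.upper() in {r.upper() for r in local_realms}:
        return name
    return f"{name}@{realm.lower()}"

ACL_RIGHTS = "rlidwka"  # read, lookup, insert, delete, write, lock, administer

def rights_for(principal: str, local_realms: Iterable[str],
               acl: Dict[str, str], groups: Dict[str, Set[str]]) -> str:
    """Union of the rights granted to the caller's identity and to groups containing it."""
    ident = pts_identity(principal, local_realms)
    granted = set(acl.get(ident, ""))
    for group, members in groups.items():
        # system:anyuser matches every caller, including unauthenticated ones
        if group == "system:anyuser" or ident in members:
            granted |= set(acl.get(group, ""))
    return "".join(c for c in ACL_RIGHTS if c in granted)

# Constructed sample data mirroring the scenario in the post.
KRB_CONF_SINGLE = "AFSTEST.IU.EDU\n"
KRB_CONF_BOTH = "AFSTEST.IU.EDU\nADS.IU.EDU\n"
HOME_ACL = {"ecgarris": "rlidwka"}                # directory owned by PTS user ecgarris
SHARED_ACL = {"ecgarris": "rlidwka", "system:anyuser": "rlidwk"}  # anyuser-writable dir
GROUPS = {"system:anyuser": set()}

def demo() -> Dict[str, str]:
    """Rights the ADS-realm principal gets on the home directory under each krb.conf."""
    return {
        "single_realm": rights_for("ecgarris@ADS.IU.EDU",
                                   local_realms_from_krb_conf(KRB_CONF_SINGLE), HOME_ACL, GROUPS),
        "both_realms": rights_for("ecgarris@ADS.IU.EDU",
                                  local_realms_from_krb_conf(KRB_CONF_BOTH), HOME_ACL, GROUPS),
    }

if __name__ == "__main__":
    print(demo())
```

With only AFSTEST.IU.EDU local, the ADS principal is seen as ecgarris@ads.iu.edu and gets no rights on ecgarris's home directory, yet can still write in the anyuser-writable directory, which is the pattern the post describes; listing ADS.IU.EDU as a local realm collapses both principals onto the single PTS user ecgarris.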