[OpenAFS] ADS and MIT Kerberos transition auth continued

Derrick Brashear shadow@gmail.com
Wed, 1 Jul 2009 16:55:33 -0400

On Wed, Jul 1, 2009 at 4:52 PM, Eric Chris Garrison<ecgarris@iupui.edu> wro=
> Hash: SHA1
> Jeffrey Altman wrote:
>> Eric Chris Garrison wrote:
>>>> From: Andrew Deason <adeason@sinenomine.net>
>>>>> I've added an afs service principal from each of two realms to the
>>>>> KeyFile using asetkey. =A0 I've added both realms in /etc/krb.conf, t=
>>>>> first two lines of the file being the two realms.
>>>> You probably want /usr/afs/etc/krb.conf (if using transarc paths), or
>>>> /etc/openafs/server/krb.conf.
>>> Thanks, that did help, I've gotten further now.
>>> What I'm seeing now though, is that although used asetkey to add the
>>> service principal from the ADS realm to my test cell, permissions aren'=
>>> working as I'd expect.
>>> So, we have realm AFSTEST.IU.EDU and ADS.IU.EDU. =A0Both in the KeyFile=
>>> in the /usr/afs/etc/krb.conf and both listed in the /etc/krb5.conf.
>>> On a client machine, I can kinit as the original, as
>>> ecgarris@AFSTEST.IU.EDU and can get permissions as expected to OpenAFS
>>> directories with ACLs granted to OpenAFS user ecgarris.
>>> I would expect on a multi-realm cell, that I could come in as
>>> ecgarris@ADS.IU.EDU and have the same permissions as
>>> ecgarris@AFSTEST.IU.EDU, but I don't, I get permission denied. =A0If I
>>> create a file in an anyuser-writable directory, the UNIX permissions sh=
>>> it as owned by ecgarris, but I still get Permission Denied when I try t=
>>> access directories owned by OpenAFS ecgarris.
>>> If I make the ONLY realm ADS.IU.EDU I have the same problem as well.
>>> Does this mean if we switch domains, all existing users will need extra
>>> ACLs inserted to accommodate the new domain? =A0Is there a better answe=
>>> Am I just missing something simple?
>> it means you have done something wrong.
> I'm sure I have, I just don't know what yet.
>> what adding multiple realm names to /usr/afs/etc/krb.conf tells the AFS
>> services after a restart is that all of the specified realms should be
>> considered as sources of local authentication identities. =A0If the
>> krb.conf file states

wait, they should be one per line. are they?

> ...but as ecgarris@ADS.IU.EDU:
> Wed Jul =A01 15:58:37 2009 [6] EVENT AFS_Aud_Unauth CODE -1 STR AFS_SRX_S=
> Wed Jul =A01 15:58:37 2009 [6] EVENT AFS_SRX_StData CODE 0 NAME --UnAuth-=
> HOST ID 32766 FID 536870933:2:2
> So the ADS.IU.EDU user is showing as unauthorized? =A0Strange that if I
> create a file, its UNIX permissions show as owned by ecgarris though.

it's unauthenticated, not unauthorized.