[OpenAFS] Re: OpenAFS and AD trusts

Danko Antolovic dantolov@indiana.edu
Tue, 19 Jul 2011 14:56:01 -0400

You are correct, there is no dantolov@RESOURCE.NET; there is
dantolov@IU.EDU, and there is also a local user dantolov with AFS ID 2.  I
did not see  dantolov@iu.edu as a member of  system:authuser@iu.edu at any
time. Are you saying that the presence of the local user is the problem?

Below is what  kinit and aklog produce. Thanks,


[root@afs1c afs]# kinit  dantolov@IU.EDU
Password for dantolov@IU.EDU:
[root@afs1c afs]#
[root@afs1c afs]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: dantolov@IU.EDU

Valid starting     Expires            Service principal
07/19/11 14:38:38  07/20/11 00:38:45  krbtgt/IU.EDU@IU.EDU
        renew until 07/20/11 14:38:38

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@afs1c afs]#
[root@afs1c afs]# aklog  -d  -c afs1.bedrock.iu.edu
Authenticating to cell afs1.bedrock.iu.edu (server afs1.bedrock.iu.edu).
Trying to authenticate to user's realm IU.EDU.
Getting tickets: afs/afs1.bedrock.iu.edu@IU.EDU
Using Kerberos V5 ticket natively
About to resolve name dantolov to id in cell afs1.bedrock.iu.edu.
Id 2
Set username to AFS ID 2
Setting tokens. AFS ID 2 /  @ IU.EDU
[root@afs1c afs]#
[root@afs1c afs]# tokens

Tokens held by the Cache Manager:

User's (AFS ID 2) tokens for afs@afs1.bedrock.iu.edu [Expires Jul 20 00:38]
   --End of list--
[root@afs1c afs]#                

-----Original Message-----
From: openafs-info-admin@openafs.org [mailto:openafs-info-admin@openafs.org]
On Behalf Of Andrew Deason
Sent: Tuesday, July 19, 2011 2:12 PM
To: openafs-info@openafs.org
Subject: [OpenAFS] Re: OpenAFS and AD trusts

On Tue, 19 Jul 2011 13:52:08 -0400
"Danko Antolovic" <dantolov@indiana.edu> wrote:

> [root@afs1c afs]# pts adduser -user dantolov  -group
> -noauth

No, don't do this. In your setup, the _only_ user that will be
recognized as "dantolov" is someone that authenticates with the
principal dantolov@RESOURCE.NET, which, if I understand correctly, does
not exist, so there should not be a user called "dantolov" at all. The
user that authenticates via the kerberos principal dantolov@IU.EDU will
have the AFS PT name "dantolov@iu.edu" if IU.EDU is not in krb.conf.

> Predictably, when I authenticate as a foreign user (via trust), I can't
> touch the files in /afs/afs1.bedrock.iu.edu  

aklog is supposed to automatically create the user dantolov@iu.edu and
add it to system:authuser@iu.edu for you; you don't need to do it
yourself. Does dantolov@iu.edu exist? What does aklog say when you give
it the -d option when you authenticate with dantolov@IU.EDU ?

Andrew Deason

OpenAFS-info mailing list