[OpenAFS] Cross-realm PTS issue
Brian M. Torbich
bmtorbich@sei.cmu.edu
Fri, 20 Mar 2015 17:09:35 +0000
Hello,
I am seeing a problem with certain PTS behavior in our multi-realm OpenAFS configuration. I can't quite seem to figure out the common denominator with the particular groups that are affected and the ones that are not.
The gist of the issue is when authenticated against foreign realm EXAMPLE.B.COM I am unable to get the membership listing for my own username-based group.
12:29 bmtorbich@host-a ~> pts mem bmtorbich
pts: Permission denied ; unable to get membership of bmtorbich (id: 8701)
However, I have no problem getting AFS tokens or traversing the AFS volumes that I have permission to when using my foreign realm credentials. The problem is fortunately not affecting normal operation of the cell for foreign realm users. I do have both realms (EXAMPLE.A.COM and EXAMPLE.B.COM) set up in 'krb.conf'. I also have a 2-way cross-realm trust set up between the two realms.
And what is even more interesting is how I can get the membership listing of other groups via my foreign realm credentials without any problems - it is only certain groups that are affected. Specifically, username-based groups.
12:39 bmtorbich@host-a ~> pts mem bmtorbich:instances
Members of bmtorbich:instances (id: -7731) are:
bmtorbich
bmtorbich_mgr
bmtorbich_adm
bmtorbich_dev
What is it about other groups, or 'bmtorbich:instances' in this example, that is different from the 'bmtorbich' group? I can get the membership listing of 'bmtorbich:instances' with my foreign realm credentials, but not the membership listing of 'bmtorbich' with my foreign realm credentials.
Why do I have problems with the foreign realm credentials and not the native realm credentials? I can get membership listings of all groups just fine with the native realm (EXAMPLE.A.COM) credentials.
Is this potentially a bug relating to OpenAFS multi-realm support or is there some other foreign realm configuration setting I am missing? None of it makes much sense because if it were a misconfiguration I would think I would see the problem across the board, not just in certain places.
Thanks in advance for any help anyone can offer.
-Brian
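One way to start narrowing a difference like this down, added here as a diagnostic helper and not taken from Brian's post or from OpenAFS itself: it pulls the privacy flags out of `pts examine` output for a user entry and a group entry and checks the membership-listing flag against the PTS name the token was mapped to. It assumes the standard two-line `pts examine` layout and the documented flag semantics (third position governs `pts membership`; `M` lets anyone list, `-` restricts it to the entry itself, its owner and system:administrators); both sample outputs and the foreign-realm identity string are constructed placeholders.

```shell
#!/bin/sh
# Diagnostic helper (added example, not from the original post).
# Constructed samples of 'pts examine' output for a user entry and a group
# entry, using the default privacy flags (S---- for users, S-M-- for groups).
PTS_USER_SAMPLE='Name: bmtorbich, id: 8701, owner: system:administrators, creator: admin,
  membership: 5, flags: S----, group quota: 20.'
PTS_GROUP_SAMPLE='Name: bmtorbich:instances, id: -7731, owner: bmtorbich, creator: bmtorbich,
  membership: 4, flags: S-M--, group quota: 0.'

# Extract the five-character privacy flag string (s/S o/O m/M a/A r/R).
pts_flags() {
    printf '%s\n' "$1" | sed -n 's/.*flags: \([A-Za-z-]\{5\}\).*/\1/p'
}

# Third position is the membership flag: 'M' = anyone may run pts membership,
# 'm' = members of the group, '-' = the entry itself, its owner and admins.
pts_member_flag() {
    pts_flags "$1" | cut -c3
}

# Decide whether identity $2 (the PTS name the token mapped to, without
# admin rights) may list membership of the entry described by output $1.
# Assumption: the entry itself and its owner pass when the flag is '-'.
pts_can_list_members() {
    out=$1; who=$2
    owner=$(printf '%s\n' "$out" | sed -n 's/.*owner: \([^,]*\),.*/\1/p')
    name=$(printf '%s\n' "$out" | sed -n 's/^Name: \([^,]*\),.*/\1/p')
    case $(pts_member_flag "$out") in
        M) echo yes ;;
        *) if [ "$who" = "$owner" ] || [ "$who" = "$name" ]; then
               echo yes
           else
               echo no
           fi ;;
    esac
}

# Compare the native-realm name with a hypothetical foreign-realm mapping.
for who in bmtorbich bmtorbich@example.b.com; do
    echo "$who: user entry -> $(pts_can_list_members "$PTS_USER_SAMPLE" "$who")," \
         "group entry -> $(pts_can_list_members "$PTS_GROUP_SAMPLE" "$who")"
done
```

On a live cell, replace the constructed samples with the real `pts examine` output for the two entries and the identity with the PTS name shown by `pts examine` for your foreign-realm token.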