[OpenAFS-devel] pts examine

Neulinger, Nathan nneul@umr.edu
Tue, 3 Dec 2002 11:31:34 -0600


> Would someone believe that I'm so stupid to put into UserList=20
> usernames in
> a syntax of kerberos5 and NOT kerberos4? Thanks to Johan Danielson who
> pointed me to this problem.

>From changelog:

        * src/auth/userok.c: DELTA
        afs-superuser-foreign-realm-checks-20010514 AUTHOR nneul@umr.edu
       =20
        This rewrite cleans up the code a bit, removes any athena =
specific
        references (not needed anymore in this version), and adds =
support
        for multi realm management of afs servers (you can now specify
        "admin@OTHERREALM" in your userlist).
       =20
        Code now checks as follows:
       =20
        tname tinst  - remote user info from conn tcell lcell - local =
cell
        lrealm - local realm (defaults to lcell if not avail)
       =20
        if no remote cell or instance         allow localauth if the =
cell
        of the remote connection matches local cell or local realm       =
=20
        if not tinst                 allow if tname in UserList         =
if
        tinst                 allow if tname.tinst in UserList if cell
        doesn't match local cell or realm         if not tinst           =
 =20
           allow if tname@cell in UserList                 allow if
        tname@CELL in UserList         if tinst                 allow if
        tname.tinst@cell in UserList                 allow if
        tname.tinst@CELL in UserList
       =20
        modified per openafs-devel discussion such that krb5 versions
        (/tinst rather than .tinst) code path disabled for now DELTA
        some-name-yyyymmdd AUTHOR contributor@some.site



Sounds like we just have the krb5 style syntax disabled at the moment... =
I don't remember the discussion, so I'm not sure why that is the case.

Seems to me that enabling the krb5 syntax is a step in the right =
direction.


> Yes, having mokrejs/admin@GSF.DE there was my problem and that was the
> reason why my AFS authentication did not work (kerberos KDC worked and
> issued tickes for me, also AFS tokens), but ptserver/fs and=20
> others said
> always "Permission denied".
>=20
> Would be nice if bosserver and ptserver would check that=20
> users specified
> are entered in the mokrejs.admin@GSF.DE way. Probably syntax=20
> checking of
> the whole UserList file during startup would be the best and when
> inserting new users into the list. :)
>=20
>=20
> > > # pts examine -nameorid 3 -force -noauth
> > > Name: mokrejs/admin, id: 3, owner: system:administrators,=20
> creator: anonymous,
> > >   membership: 1, flags: S----, group quota: unlimited.
> > > # pts examine -nameorid 4 -force -noauth
> > > Name: mokrejs, id: 4, owner: system:administrators,=20
> creator: anonymous,
> > >   membership: 0, flags: S----, group quota: 20.
> > > # pts examine mokrejs/admin -noauth
> > > Name: mokrejs/admin, id: 3, owner: system:administrators,=20
> creator: anonymous,
> > >   membership: 1, flags: S----, group quota: unlimited.
> > > #
> > >
> > > I think mokrejs/admin@GSF.DE might not be converted to=20
> mokrejs/admin@gsf.de at least,
> > > at the best the "@GSF.DE" could be removed from the=20
> string, if it's really
> > > causing lookup failure. Any opinions?
>=20
> --=20
> Martin Mokrejs <mmokrejs@natur.cuni.cz>, <m.mokrejs@gsf.de>
> PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
> MIPS / Institute for Bioinformatics <http://mips.gsf.de>
> GSF - National Research Center for Environment and Health
> Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
> tel.: +49-89-3187 3683 , fax:=A0+49-89-3187 3585
>=20
> _______________________________________________
> OpenAFS-devel mailing list
> OpenAFS-devel@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-devel
>=20