[OpenAFS] admin problem with AFS - krb5

Ken Hornstein kenh@cmf.nrl.navy.mil
Mon, 30 Apr 2001 11:30:26 -0400


>I created an afs user ('pts createuser') with a not-yet-used afs id, I
>added the new principal to the system:administrators group and put him
>into the UserList on my afs server, but something must still be
>missing:

As Derek already pointed out, you need to use schulz.admin, not
schultz/admin.  It's probably not obvious, but since the V5 service
ticket is getting translated to V4, you need to use V4 format principal
names, which means using "." instead of "/" to separate the name and
the instance.

>Tokens for afs@iwrmm.uni-karlsruhe.de [Expires May  1 00:38]
>   --End of list--
>--------------------------------------------------------------------
>
>Usually this reads like:
>--------------------------------------------------------------------
>User's (AFS ID 1) tokens for afs@iwrmm.uni-karlsruhe.de [Expires May  1 15:47]
>--------------------------------------------------------------------

However ... while this is a symptom of your problem, this is an
extremely misunderstood feature of AFS.  The same thing can happen if
you use the -noprdb switch to aklog ... it's completely benign.  As far
as I've been able to determine, the whole point of the "AFS ID N"
information in your kernel token cache is to make the output of
"tokens" prettier.  I don't believe it serves any other purpose.

--Ken
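
The naming rule from the reply above, as an added Python example that is not part of the original message and is not the krb524 or aklog conversion code. The function names and the sample entries are assumptions made for illustration, and the realm is simply dropped on the assumption that the entry belongs to the local cell.

```python
# Added illustration: simplified V5 -> V4-style name mapping for AFS entries.
# It ignores the special cases a real Kerberos 5-to-4 conversion applies.

def v5_to_v4(principal: str) -> str:
    """Return the name.instance form for a V5 'name/instance[@REALM]' string."""
    name_part = principal.split("@", 1)[0]   # assumption: local cell, realm dropped
    components = name_part.split("/")
    if not all(components):
        raise ValueError(f"empty component in {principal!r}")
    if len(components) > 2:
        # V4 has only a name and an instance; a third component has no slot.
        raise ValueError(f"{principal!r} has more than name/instance")
    if "." in components[0]:
        # "." is the V4 separator, so a dotted name would be read as name.instance.
        raise ValueError(f"dot in name component of {principal!r} is ambiguous")
    return ".".join(components)


def audit(entries):
    """Map each entry written with '/' to the '.' form it should use."""
    fixes = {}
    for entry in entries:
        if "/" in entry:
            fixes[entry] = v5_to_v4(entry)
    return fixes


# Constructed sample list, e.g. names typed into pts or the UserList.
SAMPLE_ENTRIES = ["schulz/admin", "schulz", "backup.admin"]

if __name__ == "__main__":
    for wrong, right in audit(SAMPLE_ENTRIES).items():
        print(f"{wrong} -> {right}")
```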