[OpenAFS] OpenAFS, Debian, Kerberos and no permissions
Derek Atkins
warlord@MIT.EDU
06 Aug 2002 10:05:23 -0400
Adrian Knoth <adi@drcomp.erfurt.thur.de> writes:
> adi@ppc201:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: adi@MINET.UNI-JENA.DE
>
> Valid starting Expires Service principal
> 08/06/02 15:33:15 08/07/02 01:33:13 krbtgt/MINET.UNI-JENA.DE@MINET.UNI-JENA.DE

Note that your principal is "adi".

> adi@ppc201:~$ aklog
> adi@ppc201:~$ tokens
>
> Tokens held by the Cache Manager:
>
> Tokens for afs@minet.uni-jena.de [Expires Aug 7 01:33]
> --End of list--

This implies that there is no user "adi" in your PTDB...

> Now I think I'm more or less "online", but at home AFS-IDs are shown for
> tokens (they are missing here).
>
> adi@ppc201:~$ bos listusers localhost
> SUsers are: adi/admin adi
>
> ppc201:/home/adi# pt_util -m
> Ubik Version is: 1237667645.33554432
> system:backup 2/0 -205 -204 -204
> system:administrators 130/20 -204 -204 -204
> adi/admin 1
> system:ptsviewers 2/0 -203 -204 -204
> system:authuser 2/0 -102 -204 -204
> system:anyuser 2/0 -101 -204 -204

This shows that you do not have "adi" in your PTDB, which confirms my
diagnosis. Also, note that you should use adi.admin, not adi/admin!
AFS uses krb4 names, not krb5 names.

> But every other action fails:
>
> adi@ppc201:~$ pts listentries
> Name ID Owner Creator
> pts: Permission denied ; unable to list entries
>
> adi@ppc201:~$ fs sa /afs/ system:anyuser rl
> fs: You don't have the required access rights on '/afs/'
>
> and so on. What is wrong? Why does Kerberos fail?

Right, because "adi" is not an admin.

-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
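
The check discussed in the message above, as an added example that is not part of the original post: it maps a Kerberos 5 principal to the krb4-style name AFS uses and looks for that name in the quoted `pt_util -m` listing. The function names are hypothetical, the principal is assumed to be in the cell's own realm, and the first token of each listing line is assumed to be the entry name.

```python
"""Check whether a Kerberos 5 principal has a matching name in a pt_util listing."""

# Listing as quoted in the message above (whitespace as it appears there).
PT_UTIL_OUTPUT = """\
Ubik Version is: 1237667645.33554432
system:backup 2/0 -205 -204 -204
system:administrators 130/20 -204 -204 -204
adi/admin 1
system:ptsviewers 2/0 -203 -204 -204
system:authuser 2/0 -102 -204 -204
system:anyuser 2/0 -101 -204 -204
"""


def krb5_to_afs_name(principal):
    """Map 'name/instance@REALM' to the krb4-style 'name.instance'.

    Assumption: the principal is in the cell's own realm, so the realm is dropped.
    """
    name = principal.split("@", 1)[0]
    return name.replace("/", ".")


def ptdb_names(listing):
    """Return the first token of every entry line (assumed to be the entry name)."""
    names = []
    for line in listing.splitlines():
        fields = line.split()
        if not fields or line.startswith("Ubik Version"):
            continue
        names.append(fields[0])
    return names


def diagnose(principal, listing):
    """Return (afs_name, present, krb5_style_names) for one principal."""
    names = ptdb_names(listing)
    afs_name = krb5_to_afs_name(principal)
    # Names containing '/' were entered in krb5 form; the message says AFS
    # wants the dotted krb4 form instead (adi.admin, not adi/admin).
    krb5_style = [n for n in names if "/" in n and not n.startswith("system:")]
    return afs_name, afs_name in names, krb5_style


if __name__ == "__main__":
    for p in ("adi@MINET.UNI-JENA.DE", "adi/admin@MINET.UNI-JENA.DE"):
        afs_name, present, bad = diagnose(p, PT_UTIL_OUTPUT)
        print(f"{p}: AFS name {afs_name!r}, in listing: {present}, krb5-style: {bad}")
```

For both principals the listing contains no matching name, and `adi/admin` is reported as an entry written in krb5 form.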