[OpenAFS] creating alternate admin accounts for OpenAFS & krb 5
Lee Damon
nomad@ssli-mail.ee.washington.edu
Wed, 22 Jan 2003 09:45:09 -0800
I am trying to create alternate admin accounts in AFS. I don't want to have
to give all the SAs here the password to the main one. However, the alternate
accounts, even though they are in the correct AFS group (system:administrators),
don't have any access. I suspect that the link between the krb 5
account (administered by another department) and the pts entry isn't being
properly established, but I'm darned if I can figure out what I missed. It
must be something very simple, of course.
krb authentication to all accounts does work. I can get AFS tokens as
nomad and as admin, but apparently not as nomad/afs.
Here's what I have:
Script started on Wed Jan 22 09:33:14 2003
: || stefen [1] ; kinit admin
Password for admin@EE.WASHINGTON.EDU:
: || stefen [2] ; aklog
: || stefen [3] ; pts exa admin
Name: admin, id: 1, owner: system:administrators, creator: anonymous,
membership: 1, flags: S----, group quota: unlimited.
: || stefen [4] ; pts exa nomad
Name: nomad, id: 666, owner: system:administrators, creator: admin,
membership: 1, flags: S----, group quota: 20.
: || stefen [5] ; pts exa nomad/afs
Name: nomad/afs, id: 667, owner: system:administrators, creator: admin,
membership: 1, flags: S----, group quota: unlimited.
: || stefen [6] ; pts mem system:administrators
Members of system:administrators (id: -204) are:
admin
nomad/afs
#
#Admin's klist & tokens: (this account works with full admin rights)
#
: || stefen [7] ; klist
Ticket cache: FILE:/tmp/krb5cc_666_R6VWUu
Default principal: admin@EE.WASHINGTON.EDU
Valid starting Expires Service principal
01/22/03 09:33:18 01/22/03 19:33:18 krbtgt/EE.WASHINGTON.EDU@EE.WASHINGTON.EDU
01/22/03 09:33:23 01/22/03 19:33:18 afs/ee.washington.edu@EE.WASHINGTON.EDU
Kerberos 4 ticket cache: /tmp/tkt666
klist: You have no tickets cached
: || stefen [8] ; tokens
Tokens held by the Cache Manager:
User's (AFS ID 1) tokens for afs@ee.washington.edu [Expires Jan 22 19:33]
--End of list--
#
#nomad's klist & tokens: (this account does not have admin rights, but
#group rights work correctly.)
#
: || stefen [9] ; kinit nomad
Password for nomad@EE.WASHINGTON.EDU:
: || stefen [10] ; aklog
: || stefen [11] ; klist
Ticket cache: FILE:/tmp/krb5cc_666_R6VWUu
Default principal: nomad@EE.WASHINGTON.EDU
Valid starting Expires Service principal
01/22/03 09:33:56 01/22/03 19:33:56 krbtgt/EE.WASHINGTON.EDU@EE.WASHINGTON.EDU
01/22/03 09:34:00 01/22/03 19:33:56 afs/ee.washington.edu@EE.WASHINGTON.EDU
Kerberos 4 ticket cache: /tmp/tkt666
klist: You have no tickets cached
: || stefen [12] ; tokens
Tokens held by the Cache Manager:
User's (AFS ID 666) tokens for afs@ee.washington.edu [Expires Jan 22 19:33]
--End of list--
#
#nomad/afs's klist & tokens (this account *should* have admin rights, but
#doesn't have any. I note the lack of "User's (AFS ID 667)" in the token
#output)
#
: || stefen [13] ; kinit nomad/afs
Password for nomad/afs@EE.WASHINGTON.EDU:
: || stefen [14] ; aklog
: || stefen [15] ; klist ; tokens
Ticket cache: FILE:/tmp/krb5cc_666_R6VWUu
Default principal: nomad/afs@EE.WASHINGTON.EDU
Valid starting Expires Service principal
01/22/03 09:34:31 01/22/03 19:34:31 krbtgt/EE.WASHINGTON.EDU@EE.WASHINGTON.EDU
01/22/03 09:34:54 01/22/03 19:34:31 afs/ee.washington.edu@EE.WASHINGTON.EDU
Kerberos 4 ticket cache: /tmp/tkt666
klist: You have no tickets cached
Tokens held by the Cache Manager:
Tokens for afs@ee.washington.edu [Expires Jan 22 19:34]
--End of list--
: || stefen [16] ; exit
Script done on Wed Jan 22 09:35:13 2003
Any pointers would be greatly appreciated.
nomad
-- Lee "nomad" Damon
work: nomad@ee.washington.edu
play: nomad@castle.org or castle!nomad
Sr. Systems Admin, UWEE SSLI Lab
"Celebrate Diversity"
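An added check (not part of the original post or of OpenAFS itself) for the situation above: aklog does not look up the Kerberos principal string verbatim in pts, it derives an AFS user name from it by dropping the cell's local realm and replacing "/" with ".", so a token for nomad/afs is matched against a pts entry named nomad.afs, not nomad/afs. The script below computes the name aklog will look for and, where the pts tools are installed, reports whether that entry exists and whether it sits in system:administrators. The local realm EE.WASHINGTON.EDU is taken from the post's klist output; everything else is an assumption of this example.

```shell
#!/bin/sh
# Added example: map a Kerberos 5 principal to the pts user name aklog will
# use, then check that name against pts.  Assumed local realm below.
LOCAL_REALM="EE.WASHINGTON.EDU"

# aklog's naming convention: strip the local realm, turn every '/' into '.';
# principals from a foreign realm keep "@realm" appended in lower case.
# Example: nomad/afs@EE.WASHINGTON.EDU -> nomad.afs
afs_name_for_principal() {
    princ="$1"
    case "$princ" in
        *@*) user="${princ%@*}"; realm="${princ#*@}" ;;
        *)   user="$princ";      realm="$LOCAL_REALM" ;;
    esac
    name=$(printf '%s' "$user" | tr '/' '.')
    if [ "$realm" != "$LOCAL_REALM" ]; then
        name="$name@$(printf '%s' "$realm" | tr 'A-Z' 'a-z')"
    fi
    printf '%s\n' "$name"
}

# Report whether pts knows the derived name and whether it is in the group.
# Returns 1 when the entry is missing, 2 when it is not a group member.
check_admin_mapping() {
    princ="$1"; group="${2:-system:administrators}"
    name=$(afs_name_for_principal "$princ")
    echo "principal $princ -> pts user '$name'"
    if ! pts examine "$name" >/dev/null 2>&1; then
        echo "  no pts entry named '$name': aklog will hand out a token with no AFS ID"
        return 1
    fi
    if pts membership "$name" 2>/dev/null | grep -q "^[[:space:]]*$group[[:space:]]*$"; then
        echo "  '$name' is a member of $group"
    else
        echo "  '$name' is NOT a member of $group"
        return 2
    fi
}

# Usage (needs the AFS client tools and a valid token):
#   check_admin_mapping nomad/afs@EE.WASHINGTON.EDU
```

If the first check fails, the fix is to create the pts entry under the derived name and add that entry to the group, rather than the slash form.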