[OpenAFS] Kerberos 5, AFS, and no krb524d
Douglas E. Engert
deengert@anl.gov
Mon, 09 Jun 2003 13:19:08 -0500
Nicholas Henke wrote:
>
> On Mon, 2003-06-09 at 11:59, Douglas E. Engert wrote:
> > I think you are asking if the ak5log I have can run with the standard
> > Kerberos krb524 lib and krb524d.
>
> Sorry for the confusion -- yes that is what I was asking.
> I have gotten ak5log to compile and run -- and it appears to be
> succeeding.
Was this with afs/<cell>@<realm> or with afsx/<cell>@<realm>?
> The problem I now have is that AFS refuses to see me as the username
> that I kinit/ak5log'd as. How does one ask afs what permissions or
> membership it sees you as having?
Is this just an admin problem?
Does it work with an ordinary user?
>
> I am assuming that afs/ak5log needs afsadmin/roughneck.liniac.upenn.edu
> as the real k5 username and will translate it into
> afsadmin.roughneck.liniac.upenn.edu --
You are trying to use a multipart user name, which might be making it harder.
If you had a principal like henkeadmin@<realm> and gave the AFS user henkeadmin
all privileges and listed it in /usr/afs/etc/UserList, I think that would work.
(Each of our AFS admins has his own account so we don't have a shared afsadmin.)
If you must use the multipart name, I don't think it gets converted
like you might want. The krb524d appears to eventually call the
krb5_524_conv_principal routine, and I don't see afsadmin listed.
> at least the latter is what I
> needed to add to bos/pts to get ak5log/aklog to succeed in resolving the
> former to an AFS ID.
>
> Nic
> --
> Nicholas Henke
> Penguin Herder & Linux Cluster System Programmer
> Liniac Project - Univ. of Pennsylvania
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444