[OpenAFS] OpenAFS+KerberosV permission problem

Richard Wallace rwallace@a--i--m.com
28 May 2003 11:49:42 -0700


Hello all,
 
I'm almost to the end of setting up openafs and having it authenticate
to a kerberosV server.  I've followed the steps in the "AFS to Kerberos
Migration kit" and gone over my steps as in the (popular) posting here
(https://lists.openafs.org/pipermail/openafs-info/2002-March/003872.html).  I'm running Gentoo Linux with mit-krb v1.2.7 and openafs v1.2.8.  Kerberos was compiled with afs (--with-afs=/usr/afsws).
 
For the most part things seem to work.  I can do the following with
success (note: rwallace is a principal in the krb5 database and the
realm is HABITAT.THEWALLACEPACK.NET with the cell being
thewallacepack.net):
 
1) kinit rwallace
2) aklog -d
 
The output of the commands and the result of running klist and tokens
after executing them is listed below:
 
1)
--output:
--klist:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rwallace@HABITAT.THEWALLACEPACK.NET
  
Valid starting     Expires            Service principal
05/27/03 21:41:58  05/28/03 07:41:58
krbtgt/HABITAT.THEWALLACEPACK.NET@HABITAT.THEWALLACEPACK.NET
  
  
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
--tokens:
  
Tokens held by the Cache Manager:
  
   --End of list--
 
2)
--output:
Authenticating to cell thewallacepack.net (server dev).
We've deduced that we need to authenticate to realm
HABITAT.THEWALLACEPACK.NET.
Getting tickets: afs/thewallacepack.net@HABITAT.THEWALLACEPACK.NET
About to resolve name rwallace to id in cell thewallacepack.net.
Id 32766
Set username to rwallace
Setting tokens. rwallace /  @ HABITAT.THEWALLACEPACK.NET
 
--klist:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rwallace@HABITAT.THEWALLACEPACK.NET
  
Valid starting     Expires            Service principal
05/27/03 21:41:58  05/28/03 07:41:58
krbtgt/HABITAT.THEWALLACEPACK.NET@HABITAT.THEWALLACEPACK.NET
05/27/03 21:43:09  05/28/03 07:41:58
afs/thewallacepack.net@HABITAT.THEWALLACEPACK.NET
  
  
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
 
--tokens:
  
Tokens held by the Cache Manager:
  
Tokens for afs@thewallacepack.net [Expires May 28 07:41]
   --End of list--
 
 
Everything looks correct to me, from what I understand.  But when I try
to do 'ls /afs/thewallacepack.net' I get a 'Permission denied'
error.  The acl on that directory is 'system:authusers rl' so I should
be able to look in it once aklog has successfully run.
 
Is there something I'm missing somewhere in my setup?
 
Thanks

-- 
Richard Wallace
AIM, Inc. (www.a--i--m.com)
Information Systems Consultants
"Providing New Technology,
     the Old-Fashioned Way"
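The situation above (a token is held for the cell, yet ls still fails) comes down to two independent checks: does the Cache Manager hold an unexpired token for the cell named in the path, and does the directory ACL actually grant lookup ('l') to some entry the user matches. The following Python script is an added example, not the poster's code or part of OpenAFS; it parses the `tokens` output quoted in the post and a constructed `fs listacl` listing (the entries in LISTACL_OUTPUT are assumed, only the output format is the real one) and reports which of the two checks fails. It assumes the user matches the two built-in groups system:anyuser (everyone) and system:authuser (anyone holding a token for the cell); real AFS also counts pts group membership, which is passed in as the `groups` argument. Note that the standard group name is system:authuser; an ACL entry that names a non-existent group grants nothing.

```python
import re

# Constructed sample: the `tokens` output quoted in the post above.
TOKENS_OUTPUT = """\
Tokens held by the Cache Manager:

Tokens for afs@thewallacepack.net [Expires May 28 07:41]
   --End of list--
"""

# Constructed sample of `fs listacl /afs/thewallacepack.net`; the format is the
# standard one, the entries themselves are assumed for this example.
LISTACL_OUTPUT = """\
Access list for /afs/thewallacepack.net is
Normal rights:
  system:administrators rlidwka
  system:authuser rl
"""

TOKEN_RE = re.compile(r"Tokens for afs@(?P<cell>\S+) \[Expires (?P<exp>[^\]]+)\]")


def parse_tokens(text):
    """Map cell name -> expiry string for every AFS token in `tokens` output."""
    return {m.group("cell"): m.group("exp") for m in TOKEN_RE.finditer(text)}


def parse_listacl(text):
    """Return (normal, negative) dicts mapping ACL entry name -> rights string."""
    normal, negative, current = {}, {}, None
    for line in text.splitlines():
        s = line.strip()
        if s == "Normal rights:":
            current = normal
        elif s == "Negative rights:":
            current = negative
        elif current is not None and s:
            name, rights = s.split()
            current[name] = rights
    return normal, negative


def effective_rights(normal, negative, user, groups):
    """AFS rule: union of matching normal entries minus union of matching negative entries."""
    principals = {user, *groups}
    granted, denied = set(), set()
    for name, rights in normal.items():
        if name in principals:
            granted |= set(rights)
    for name, rights in negative.items():
        if name in principals:
            denied |= set(rights)
    return "".join(sorted(granted - denied))


def diagnose(cell, user, tokens_text, listacl_text, groups=()):
    """Explain why `ls /afs/<cell>` would succeed or fail for `user`."""
    tokens = parse_tokens(tokens_text)
    normal, negative = parse_listacl(listacl_text)
    # Without a token for this cell the user is only ever system:anyuser.
    memberships = {"system:anyuser", *groups}
    if cell in tokens:
        memberships.add("system:authuser")
    rights = effective_rights(normal, negative, user, memberships)
    if cell not in tokens:
        return (f"no AFS token for cell {cell} (run aklog / check the cell name); "
                f"unauthenticated rights are '{rights or '-'}'")
    if "l" not in rights:
        return (f"token for {cell} present (expires {tokens[cell]}) but the ACL grants "
                f"{user} only '{rights or '-'}': no lookup right, ls fails with Permission denied")
    return f"ok: token for {cell} expires {tokens[cell]}, effective rights '{rights}'"


if __name__ == "__main__":
    print(diagnose("thewallacepack.net", "rwallace", TOKENS_OUTPUT, LISTACL_OUTPUT))
```

To use it against a live cell, feed it the real output of `tokens` and `fs listacl /afs/<cell>`; if the token check passes but the rights string has no 'l', the problem is the ACL (or the spelling of the group it names), not Kerberos or aklog.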