[OpenAFS] OpenAFS+KerberosV permission problem

Richard Wallace rwallace@a--i--m.com
27 May 2003 21:48:45 -0700


Hello all,

I'm almost to the end of setting up OpenAFS and having it authenticate
to a Kerberos V server.  I've followed the steps in the "AFS to Kerberos
Migration kit" and gone over my steps as in the (popular) posting here
(https://lists.openafs.org/pipermail/openafs-info/2002-March/003872.html).

For the most part things seem to work.  I can do the following with
success (note: rwallace is a principal in the krb5 database and the
realm is HABITAT.THEWALLACEPACK.NET with the cell being
thewallacepack.net):

1) kinit rwallace
2) aklog -d

The output of the commands and the result of running klist and tokens
after executing them is listed below:

1)
--output:
--klist:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rwallace@HABITAT.THEWALLACEPACK.NET
 
Valid starting     Expires            Service principal
05/27/03 21:41:58  05/28/03 07:41:58  krbtgt/HABITAT.THEWALLACEPACK.NET@HABITAT.THEWALLACEPACK.NET
 
 
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
--tokens: 
 
Tokens held by the Cache Manager:
 
   --End of list--

2)
--output:
Authenticating to cell thewallacepack.net (server dev).
We've deduced that we need to authenticate to realm HABITAT.THEWALLACEPACK.NET.
Getting tickets: afs/thewallacepack.net@HABITAT.THEWALLACEPACK.NET
About to resolve name rwallace to id in cell thewallacepack.net.
Id 32766
Set username to rwallace
Setting tokens. rwallace /  @ HABITAT.THEWALLACEPACK.NET

--klist:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rwallace@HABITAT.THEWALLACEPACK.NET
 
Valid starting     Expires            Service principal
05/27/03 21:41:58  05/28/03 07:41:58  krbtgt/HABITAT.THEWALLACEPACK.NET@HABITAT.THEWALLACEPACK.NET
05/27/03 21:43:09  05/28/03 07:41:58  afs/thewallacepack.net@HABITAT.THEWALLACEPACK.NET
 
 
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

--tokens:
 
Tokens held by the Cache Manager:
 
Tokens for afs@thewallacepack.net [Expires May 28 07:41]
   --End of list--


Everything looks correct to me, from what I understand.  But when I try
and do 'ls /afs/thewallacepack.net' I get a 'Permission denied'
error.  The ACL on that directory is 'system:authusers rl' so I should
be able to look in it once aklog has successfully run.

Is there something I'm missing somewhere in my setup?

Thanks
Rich
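
The following is an added example, not part of the original post: a small shell check that reads captured `aklog -d` output and reports which AFS ID the name lookup returned. It assumes that 32766 is the ID OpenAFS reserves for the anonymous user; the function names and the second sample (ID 1001) are constructed for illustration.

```shell
#!/bin/sh
# Added example: interpret captured `aklog -d` debug output.
# Assumption: OpenAFS reserves ID 32766 for the anonymous user.
ANONYMOUS_ID=32766

# Print "name cell id" parsed from aklog -d output on stdin; fail if absent.
parse_aklog_debug() {
    awk '
        /^About to resolve name / {
            name = $5
            cell = $NF; sub(/\.$/, "", cell)   # drop the sentence-ending dot
        }
        /^Id [0-9]+[ \t\r]*$/ { id = $2 + 0 }
        END { if (name != "" && id != "") print name, cell, id; else exit 1 }
    '
}

# Exit status: 0 = real AFS ID, 1 = anonymous ID, 2 = lines not found.
check_aklog_debug() {
    parsed=$(parse_aklog_debug) || { echo "no name/Id lines found"; return 2; }
    set -- $parsed
    if [ "$3" -eq "$ANONYMOUS_ID" ]; then
        echo "ANONYMOUS: lookup of '$1' in cell $2 returned ID $3"
        echo "inspect the entry with: pts examine $1 -cell $2"
        return 1
    fi
    echo "OK: '$1' resolved to AFS ID $3 in cell $2"
}

# Lines taken from the aklog -d output quoted in the post.
SAMPLE_ANON='Authenticating to cell thewallacepack.net (server dev).
About to resolve name rwallace to id in cell thewallacepack.net.
Id 32766
Set username to rwallace'

# Constructed sample: the same exchange with a non-anonymous ID.
SAMPLE_OK='Authenticating to cell thewallacepack.net (server dev).
About to resolve name rwallace to id in cell thewallacepack.net.
Id 1001
Set username to AFS ID 1001'

printf '%s\n' "$SAMPLE_ANON" | check_aklog_debug || true
printf '%s\n' "$SAMPLE_OK" | check_aklog_debug || true
```

On a live client the same check can be fed directly with `aklog -d 2>&1 | check_aklog_debug`.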