[OpenAFS] OpenAFS+KerberosV permission problem
Richard Wallace
rwallace@a--i--m.com
27 May 2003 21:48:45 -0700
Hello all,
I'm almost to the end of setting up openafs and having it authenticate
to a kerberosV server. I've followed the steps in the "AFS to Kerberos
Migration kit" and gone over my steps as in the (popular) posting here
(https://lists.openafs.org/pipermail/openafs-info/2002-March/003872.html).
For the most part things seem to work. I can do the following with
success (note: rwallace is a principal in the krb5 database and the
realm is HABITAT.THEWALLACEPACK.NET with the cell being
thewallacepack.net):
1) kinit rwallace
2) aklog -d
The output of the commands and the result of running klist and tokens
after executing them is listed below:
1)
--output:
--klist:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rwallace@HABITAT.THEWALLACEPACK.NET
Valid starting     Expires            Service principal
05/27/03 21:41:58  05/28/03 07:41:58  krbtgt/HABITAT.THEWALLACEPACK.NET@HABITAT.THEWALLACEPACK.NET
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
--tokens:
Tokens held by the Cache Manager:
--End of list--
2)
--output:
Authenticating to cell thewallacepack.net (server dev).
We've deduced that we need to authenticate to realm
HABITAT.THEWALLACEPACK.NET.
Getting tickets: afs/thewallacepack.net@HABITAT.THEWALLACEPACK.NET
About to resolve name rwallace to id in cell thewallacepack.net.
Id 32766
Set username to rwallace
Setting tokens. rwallace / @ HABITAT.THEWALLACEPACK.NET
--klist:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rwallace@HABITAT.THEWALLACEPACK.NET
Valid starting     Expires            Service principal
05/27/03 21:41:58  05/28/03 07:41:58  krbtgt/HABITAT.THEWALLACEPACK.NET@HABITAT.THEWALLACEPACK.NET
05/27/03 21:43:09  05/28/03 07:41:58  afs/thewallacepack.net@HABITAT.THEWALLACEPACK.NET
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
--tokens:
Tokens held by the Cache Manager:
Tokens for afs@thewallacepack.net [Expires May 28 07:41]
--End of list--
Everything looks correct to me, from what I understand. But when I try
and do 'ls /afs/thewallacepack.net' I get a 'Permission denied'
error. The acl on that directory is 'system:authusers rl' so I should
be able to look in it once aklog has successfully run.
Is there something I'm missing somewhere in my setup?
Thanks
Rich