[OpenAFS] OpenAFS+KerberosV permission problem
Derek Atkins
warlord@MIT.EDU
29 May 2003 13:22:30 -0400
Um, afs/cell@REALM works just fine.. I've got a krb5 ticket for
afs/sipb.mit.edu@ATHENA.MIT.EDU using principal warlord@ATHENA.MIT.EDU
and I've got a valid token for "user warlord in cellsipb.mit.edu".
So the fact that cell != REALM shouldn't matter.
-derek
Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
> I am kinda surprised that neither of the Derr?[ie]c?ks noticed something
> which I think is very likely your problem:
>
> >For the most part things seem to work. I can do the following with
> >success (note: rwallace is a principal in the krb5 database and the
> >realm is HABITAT.THEWALLACEPACK.NET with the cell being
> ^^^^^^^^^^^^^^^^^^^^^^^^^^
> >thewallacepack.net):
> ^^^^^^^^^^^^^^^^^^
>
> The "normal" configuration is to have your Kerberos realm match your
> AFS cell name (except for case differences, of course). Now, you _can_
> operate them with two different names, but unless you understand exactly
> what the downsides of this approach are, I would _not_ recommend it.
>
> If your Kerberos realm name does _not_ match your AFS cell name, then you
> will appear as a foreign realm user to AFS, and you will get all sorts of
> "permission denied" problems (like you're getting, and that's why I think
> that's your problem).
>
> --Ken
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available