[OpenAFS] Tickets, tokens, foreign cells, etc.
Kevin
openafs@gnosys.biz
Tue, 9 Mar 2004 12:44:17 -0500
Hi All-
This started as a much longer post which I just filed
away in my drafts folder because I may be able to
distill it down to something more succinct:
Questions:
1) As an AFS user defined in the pts database (without
admin privileges), should I be able to see foreign
cells that are mounted at /afs/foreign_cell when
logged in to any client machine that mounts the AFS
filesystem at /afs? I can see them when I'm logged in
as such a user to the _server_ machine (also
configured as a client), but not when logged in as
such a user to a client-only machine. Do I have to
explicitly make each foreign cell available on each
client machine somehow?
2) The login process on the client machine
automatically (using pam) obtains both a krbtgt and an
afs service ticket (I'm using MIT kerby 5 for auth).
Immediately after logging in, the output of the tokens
command is:
jg@athena:~> /usr/afsws/bin/tokens
Tokens held by the Cache Manager:
Tokens for afs@folkvang.org [Expires ...]
--End of list--
jg@athena:~>
(It doesn't list the user's AFS ID)
But when I kinit as this same user on the server
machine, and then do aklog (not the pam guided login
process on the client-only machine), and then do a
tokens command, I get:
Tokens held by the Cache Manager:
User's (AFS ID 1000) tokens for afs@folkvang.org [Expires...]
The tokens command is the very same binary file in each
case, made available to the client-only machine via
the AFS filesystem.
Apparently, the kinit/aklog process does something
slightly different than the pam assisted one-step
login process: it is seeing and pulling in to the
Cache Manager the AFS ID whereas the pam assisted
login process (which does obtain krbtgt as kinit
would, and the afs/folkvang.org@FOLKVANG.ORG service
ticket, and apparently also the AFS token
afs@folkvang.org) does not bring the AFS ID along.
So my question (2) is: is this absence of the AFS ID as
seen in the output of the tokens command going to
cause me any problems?
Both AFS server/client and AFS client-only machines are
i386_linux24 machines running the SuSE 9 distro as a
base, but with MIT Kerberos 5 built from source and
OpenAFS 1.2.11 also built from source. The pam
configuration queries an OpenLDAP server for user data
first, then the local /etc/passwd files if that fails,
then gets Kerberos tickets (I think I have the
ordering correct here). But I'm worried that
something subtle (and problematic) may be associated
with the absence of the AFS ID in the output of the
tokens command.
As this user, I can see files in my local cell's AFS
filesystem with ACL of system:authuser rl, so that
much is working, but could this be a problem
elsewhere?
This turned out to be longer than I had hoped, but
still much less lengthy than what I filed away.
Apologies for the length. TIA for any help.
-Kevin
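A small checker, added here as an example and not part of Kevin's post or of OpenAFS itself, that parses the two `tokens` output forms quoted above and reports which cells hold a token with no AFS ID, so the difference between the pam login path and the kinit/aklog path can be caught from a script. The sample outputs are constructed from the post, and the regular expression is an assumption about the exact line format printed by this tokens binary.

```python
import re
from typing import Dict, List

# Assumed line format, built from the two outputs quoted in the post:
#   "Tokens for afs@folkvang.org [Expires Mar  9 22:44]"
#   "User's (AFS ID 1000) tokens for afs@folkvang.org [Expires Mar  9 22:44]"
TOKEN_LINE = re.compile(
    r"^(?:User's \(AFS ID (?P<afs_id>\d+)\) tokens|Tokens) for "
    r"(?P<principal>\S+)"
    r"(?:\s+\[Expires (?P<expires>[^\]]*)\])?\s*$"
)


def parse_tokens(output: str) -> List[Dict[str, object]]:
    """Parse the text printed by the AFS `tokens` command.

    Returns one dict per token with keys cell, afs_id (None when the line
    carries no AFS ID) and expires. Header and footer lines are skipped.
    """
    tokens: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = TOKEN_LINE.match(line.strip())
        if not m:
            continue
        principal = m.group("principal")
        cell = principal.split("@", 1)[1] if "@" in principal else principal
        tokens.append({
            "cell": cell,
            "afs_id": int(m.group("afs_id")) if m.group("afs_id") else None,
            "expires": m.group("expires"),
        })
    return tokens


def tokens_without_afs_id(output: str) -> List[str]:
    """Cells whose token was not tied to a PTS user id (the pam-login case)."""
    return [str(t["cell"]) for t in parse_tokens(output) if t["afs_id"] is None]


# Constructed samples reproducing the two outputs quoted in the post.
PAM_LOGIN_OUTPUT = """\
Tokens held by the Cache Manager:
Tokens for afs@folkvang.org [Expires Mar  9 22:44]
   --End of list--
"""
AKLOG_OUTPUT = """\
Tokens held by the Cache Manager:
User's (AFS ID 1000) tokens for afs@folkvang.org [Expires Mar  9 22:44]
   --End of list--
"""
```

Feeding the live output of `tokens` to `tokens_without_afs_id` from a login script gives a cheap check that the token actually carries the PTS identity.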