[OpenAFS] Puzzler: lack of access to AFS files
Tue, 11 Dec 2007 15:48:50 CST
I'm sure I must be doing something embarrassingly stupid here,
but I just can't figure out why this script is not able to
access the files in AFS that it should be able to.
PATH=$PATH:/usr/local/bin:/usr/athena/bin:/usr/afsws/bin ; export PATH
KRBTKFILE=/tmp/tkt_asw_getwmf_v4.$$ ; export KRBTKFILE
KRB5CCNAME=/tmp/tkt_asw_getwmf_v5.$$ ; export KRB5CCNAME
authenticate -FACT -p sysadmin -i asw.iastate.edu -k $KEYTBFILE
which when run as:
root@asw-1# ./getwmf /afs/iastate.edu/users/04/00/frank
Authenticating to cell iastate.edu (server afsdb-1.iastate.edu).
We've deduced that we need to authenticate to realm IASTATE.EDU.
Getting tickets: afs/iastate.edu@IASTATE.EDU
About to resolve name sysadmin.asw to id in cell iastate.edu.
Set username to AFS ID 99940
Setting tokens. AFS ID 99940 / @ IASTATE.EDU
Tokens held by the Cache Manager:
User's (AFS ID 99940) tokens for firstname.lastname@example.org [Expires Dec 11 23:39]
--End of list--
33538 38620 daemon system mem terminal opr lp gomsb usenet dba
Ticket cache: FILE:/tmp/tkt_asw_getwmf_v5.25562
Default principal: sysadmin/asw.iastate.edu@IASTATE.EDU
Valid starting Expires Service principal
12/11/07 15:39:09 12/11/07 23:39:08 krbtgt/IASTATE.EDU@IASTATE.EDU
12/11/07 15:39:09 12/11/07 23:39:08 afs/iastate.edu@IASTATE.EDU
cat: Cannot open /afs/iastate.edu/users/04/00/frank/.WebMail/messagefilters.
The file exists, and I, with my account which is a member of
system:administrators, can read it.
The principal in question is also on system:administrators
> pts mem 99940
Groups sysadmin.asw (id: 99940) is a member of:
and system:administrators has rights all down that dir path:
> cd /
> foreach xx (afs iastate.edu users 04 00 frank .WebMail)
foreach? echo -n "$xx "
foreach? fs la $xx | grep system:administrators
foreach? cd $xx
afs system:administrators rlidwka
iastate.edu system:administrators rlidwka
users system:administrators rlidwka
04 system:administrators rlidwka
00 system:administrators rlidwka
frank system:administrators rlidwka
.WebMail system:administrators rlidwka
If anyone has any ideas, I'd be very happy to hear them.