[OpenAFS] Puzzler: lack of access to AFS files
Wed, 12 Dec 2007 13:53:17 CST
> > Russ Allbery wrote:
> > > John Hascall <email@example.com> writes:
> > >> I'm sure I must be doing something embarrassingly stupid here,
> > >> but I just can't figure out why this script is not able to
> > >> access the files in AFS that it should be able to.
> > >> Default principal: sysadmin/asw.iastate.edu@IASTATE.EDU
> > > There's a hard-coded table of principals for which the Kerberos v5 support
> > > in rxkad will do realm conversion in src/rxkad/ticket5.c, and sysadmin
> > > isn't one of them.
> Ah, I'll bet that's it -- we also just switched to using K5 aklog
> instead of K4 aklog.
> > You can add a new entry to 'sconv_list' in src/rxkad/ticket5.c. Use:
> > R("sysadmin")
> Hmmm, that's pretty ugly. For the KDC, I made this table be in
> krb5.conf (I posted a diff for this back about 1.0.5 or so), but
> I'm not sure I really want to go that way for AFS. I think maybe
> just an instance-free name is the way for me to go, thanks,
Hmmm, another thought just occurred to me.
I'm presuming the problem is that the ticket inside of the
token has sysadmin/asw.iastate.edu@IASTATE.EDU inside of it
even though aklog was able to convert that to sysadmin.asw
and thus correctly to the 'AFS ID 99940' (which is sysadmin.asw
in the pts db).
Would it work to modify the KDC such that when it hands out
an afs/<cell>@REALM ticket for a TGT with a client name that
is in the sconv table (like my sysadmin/asw.iastate.edu@IASTATE.EDU)
that it 'K4-izes' that name (to sysadmin/asw in this case) in the
returned ticket? (Thus obviating the need to futz with the code
on every AFS server.)
Or is that just too hideous?
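As an added illustration of the name conversion this thread is about (example code written for this page, not OpenAFS code and not what src/rxkad/ticket5.c actually contains): a small C routine that turns a two-component Kerberos v5 principal into the v4-style name.instance that AFS then looks up in the pts database, truncating the instance to its first label only for names found in a conversion table. The table contents, the function names k5_to_k4_name, in_sconv_list and conv_matches, and the buffer sizes are this example's own assumptions; "sysadmin" is included to mirror the R("sysadmin") entry suggested above, and realm handling is left out.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, example-only table in the spirit of sconv_list in
 * src/rxkad/ticket5.c: principal names whose instance is treated as a
 * hostname and truncated to its first label on v5->v4 conversion.
 * The real OpenAFS list differs; "sysadmin" mirrors the R("sysadmin")
 * addition discussed in the thread. */
static const char *const sconv_list[] = {
    "host", "rcmd", "ftp", "pop", "imap", "sysadmin", NULL
};

/* Return 1 if name is in the conversion table, else 0. */
static int in_sconv_list(const char *name)
{
    const char *const *p;
    for (p = sconv_list; *p != NULL; p++)
        if (strcmp(*p, name) == 0)
            return 1;
    return 0;
}

/* Convert "name/instance@REALM" (or "name@REALM") into the v4-style
 * "name.instance" (or "name") used for AFS user names. Returns 0 on
 * success, -1 for malformed input, 3+ components, or an output that
 * does not fit in outlen bytes. */
int k5_to_k4_name(const char *princ, char *out, size_t outlen)
{
    const char *slash, *at;
    char name[64], inst[256];
    size_t n;

    if (princ == NULL || out == NULL || outlen == 0)
        return -1;
    at = strrchr(princ, '@');
    if (at == NULL || at == princ || at[1] == '\0')
        return -1;                               /* realm is required */

    slash = strchr(princ, '/');
    if (slash == NULL || slash > at) {
        /* single-component principal: name@REALM -> name */
        n = (size_t)(at - princ);
        if (n >= outlen)
            return -1;
        memcpy(out, princ, n);
        out[n] = '\0';
        return 0;
    }

    n = (size_t)(slash - princ);                 /* primary name */
    if (n == 0 || n >= sizeof name)
        return -1;
    memcpy(name, princ, n);
    name[n] = '\0';

    n = (size_t)(at - (slash + 1));              /* instance */
    if (n == 0 || n >= sizeof inst)
        return -1;
    memcpy(inst, slash + 1, n);
    inst[n] = '\0';
    if (strchr(inst, '/') != NULL)
        return -1;                               /* no v4 form for 3+ components */

    /* Only table entries get the hostname-style truncation. */
    if (in_sconv_list(name)) {
        char *dot = strchr(inst, '.');
        if (dot != NULL)
            *dot = '\0';
    }

    if (snprintf(out, outlen, "%s.%s", name, inst) >= (int)outlen)
        return -1;
    return 0;
}

/* Convenience check: does princ convert to exactly expected? */
int conv_matches(const char *princ, const char *expected)
{
    char buf[320];
    if (k5_to_k4_name(princ, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    static const char *const samples[] = {
        "sysadmin/asw.iastate.edu@IASTATE.EDU",  /* in table: truncated */
        "backup/asw.iastate.edu@IASTATE.EDU",    /* not in table: kept whole */
        "jdoe@IASTATE.EDU",
        NULL
    };
    const char *const *p;
    char buf[320];

    for (p = samples; *p != NULL; p++) {
        if (k5_to_k4_name(*p, buf, sizeof buf) == 0)
            printf("%-40s -> %s\n", *p, buf);
        else
            printf("%-40s -> (no v4 form)\n", *p);
    }
    return 0;
}
```

Running it shows the mismatch the thread describes: with "sysadmin" in the table the principal becomes sysadmin.asw, which is the pts entry behind AFS ID 99940, while a name absent from the table keeps the full instance (backup.asw.iastate.edu here), which no pts entry matches and so yields no access.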