[OpenAFS] Fileserver doesn't recognise host-principals

Douglas E. Engert deengert@anl.gov
Wed, 03 Sep 2008 09:49:06 -0500


Frank Burkhardt wrote:
> Hi,
> 
> I've got a strange problem here. Some of my AFS-client-machines must
> put some stuff into AFS on a regular basis. Since all of them have
> a host/...-Keytab, I wanted to use it as AFS-identity:
> 
>  admin@afs $ pts create host.somehost.cbs.mpg.de
>  User host.somehost.cbs.mpg.de has id 2000000044
> 
>  root@somehost # kinit -k -t /etc/krb5.keytab
>  root@somehost # klist -e
>  Ticket cache: FILE:/tmp/krb5cc_0
>  Default principal: host/somehost.cbs.mpg.de@CBS.MPG.DE
> 
>  Valid starting     Expires            Service principal
>  08/26/08 16:22:11  08/27/08 18:22:11  krbtgt/CBS.MPG.DE@CBS.MPG.DE
>         Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
>  08/26/08 16:22:49  08/27/08 18:22:11  afs@CBS.MPG.DE
>          Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> 
> 
>  Kerberos 4 ticket cache: /tmp/tkt0
>  klist: You have no tickets cached
>  root@somehost # aklog
>  root@somehost # tokens
> 
>  Tokens held by the Cache Manager:
> 
>  User's (AFS ID 2000000044) tokens for afs@cbs.mpg.de [Expires Aug 27 18:22]
>     --End of list--
> 
> However, when I try to create a file in AFS, I'm recognised as anonymous:
> 
>  root@somehost # cd /afs/cbs.mpg.de/tmp/leipzig;rm -f xxx
>  root@somehost # touch xxx
>  root@somehost # ls -la xxx
>  -rw-r--r-- 1 anonymous root 0 Aug 26 16:25 xxx

ls -l uses the host's mapping of UID to names.

So was the file written with the anonymous UID?
ls -ln  should show the UID.
What mappings are /etc/passwd, NIS or LDAP?

> 
> There's nothing suspicious in the AFS-client's dmesg or in the fileserver's
> FileLog.
> 
> Does anyone have an idea, what might cause this problem? I use keytabs+AFS
> all the time. The problem just affects host-keytabs - on at least 3 of my
> machines.
>

What systems? Do they map unknown UIDs to anonymous?

> Thank you for any hints.
> 
> Regards,
> 
> Frank

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
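
Added example, not part of the original message or of OpenAFS: a sketch of the check suggested above, judging the file by its numeric owner (what `ls -ln` shows) instead of the name the client resolves. Assumptions: 2000000044 is the id from the quoted `pts create` output, 32766 is the OpenAFS id for anonymous (not stated in the thread), and `SAMPLE_PASSWD` is a constructed name table for a hypothetical client.

```python
import os
import pwd

ANONYMOUS_AFS_ID = 32766      # OpenAFS id for "anonymous" (assumption, not from the thread)
EXPECTED_AFS_ID = 2000000044  # id printed by "pts create" in the quoted message


def local_name(uid, lookup=None):
    """Return the name this host displays for uid, or None if it has no mapping."""
    lookup = lookup or (lambda u: pwd.getpwuid(u).pw_name)
    try:
        return lookup(uid)
    except KeyError:
        return None


def classify(uid, expected=EXPECTED_AFS_ID, lookup=None):
    """Judge ownership from the numeric UID; the name is kept only for display."""
    if uid == expected:
        verdict = "written with the expected AFS id"
    elif uid == ANONYMOUS_AFS_ID:
        verdict = "written as AFS anonymous"
    else:
        verdict = "written with an unrelated id"
    return {"uid": uid, "local_name": local_name(uid, lookup), "verdict": verdict}


def diagnose(path, expected=EXPECTED_AFS_ID, lookup=None):
    """Read the owner column that `ls -ln` would show and classify it."""
    return classify(os.lstat(path).st_uid, expected, lookup)


# Constructed table: a client with a passwd entry for 32766 but none for the host id.
SAMPLE_PASSWD = {0: "root", 32766: "anonymous"}


def sample_lookup(uid):
    return SAMPLE_PASSWD[uid]  # KeyError for unmapped ids, like pwd.getpwuid


if __name__ == "__main__":
    for uid in (EXPECTED_AFS_ID, ANONYMOUS_AFS_ID):
        print(classify(uid, lookup=sample_lookup))
```

Run `diagnose("/afs/cbs.mpg.de/tmp/leipzig/xxx")` on the client to classify the file from the quoted session; the verdict depends only on the numeric id, so a missing or misleading local name mapping does not change it.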