[OpenAFS] ADS and MIT Kerberos transition auth continued
Wed, 1 Jul 2009 12:27:42 -0400
On Jul 1, 2009, at 12:17, Eric Chris Garrison <email@example.com> wrote:
>> From: Andrew Deason <firstname.lastname@example.org>
>>> I've added an afs service principal from each of two realms to the
>>> KeyFile using asetkey. I've added both realms in /etc/krb.conf,
>>> first two lines of the file being the two realms.
>> You probably want /usr/afs/etc/krb.conf (if using transarc paths), or
> Thanks, that did help, I've gotten further now.
> What I'm seeing now though, is that although used asetkey to add the
> service principal from the ADS realm to my test cell, permissions
> working as I'd expect.
> So, we have realm AFSTEST.IU.EDU and ADS.IU.EDU. Both in the KeyFile and
> in the /usr/afs/etc/krb.conf and both listed in the /etc/krb5.conf.
Which is in ThisCell? Is the same one first in krb.conf?
Do you have an afs key from each in KeyFile? Are the kvnos different?
> On a client machine, I can kinit as the original, as
> ecgarris@AFSTEST.IU.EDU and can get permissions as expected to OpenAFS
> directories with ACLs granted to OpenAFS user ecgarris.
> I would expect on a multi-realm cell, that I could come in as
> ecgarris@ADS.IU.EDU and have the same permissions as
> ecgarris@AFSTEST.IU.EDU, but I don't, I get permission denied. If I
> create a file in an anyuser-writable directory, the UNIX permissions
> it as owned by ecgarris, but I still get Permission Denied when I try to
> access directories owned by OpenAFS ecgarris.
> If I make the ONLY realm ADS.IU.EDU I have the same problem as well.
> Does this mean if we switch domains, all existing users will need
> ACLs inserted to accommodate the new domain?
> Is there a better answer?
> Am I just missing something simple?
> --
> Eric Chris Garrison | Principal Mass Storage Specialist
> email@example.com | Indiana University - Research
> W: 317-278-1207 M: 317-250-8649 | Jabber IM: firstname.lastname@example.org
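The four questions in the reply (which realm ThisCell names, whether it is first in krb.conf, whether KeyFile holds an afs key per realm, whether the kvnos differ) can be run as a read-only checklist. The script below is an added example, not code from the thread or from OpenAFS; it reads copies of ThisCell and krb.conf and a saved `asetkey list` listing. The file layouts, the `kvno N: key is: ...` line format of that listing, and the sample contents it constructs are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): checklist for a multi-realm OpenAFS cell.
# Assumed inputs: ThisCell (one line, the cell name), krb.conf (one realm per
# line, realm in the first field) and the saved output of `asetkey list`
# (assumed to print one "kvno N: key is: <hex>" line per key).

# cell_realm THISCELL: cell name uppercased, the realm the servers assume by default
cell_realm() {
    tr -d '[:space:]' < "$1" | tr 'a-z' 'A-Z'
}

# first_realm KRBCONF: first realm listed in krb.conf
first_realm() {
    awk 'NF { print $1; exit }' "$1"
}

# realm_count KRBCONF: number of realms listed in krb.conf
realm_count() {
    awk 'NF { n++ } END { print n + 0 }' "$1"
}

# realm_listed KRBCONF REALM: succeed if REALM is the first field of some line
realm_listed() {
    awk -v r="$2" '$1 == r { found = 1 } END { exit !found }' "$1"
}

# key_count LISTING: number of keys in the saved `asetkey list` output
key_count() {
    awk '$1 == "kvno" { n++ } END { print n + 0 }' "$1"
}

# kvnos LISTING: the kvno of each key, one per line ("2:" -> "2")
kvnos() {
    awk '$1 == "kvno" { k = $2; sub(/:$/, "", k); print k }' "$1"
}

# check_cell THISCELL KRBCONF LISTING: print findings; return 0 only if all pass
check_cell() {
    cell=$(cell_realm "$1")
    nrealms=$(realm_count "$2")
    nkeys=$(key_count "$3")
    realm_listed "$2" "$cell" \
        || { echo "FAIL: krb.conf does not list the cell realm $cell"; return 1; }
    [ "$(first_realm "$2")" = "$cell" ] \
        || echo "WARN: first realm in krb.conf is $(first_realm "$2"), ThisCell gives $cell"
    [ "$nkeys" -ge "$nrealms" ] \
        || { echo "FAIL: $nkeys key(s) in KeyFile for $nrealms realm(s); a second add with the same kvno replaces the first key (assumption)"; return 1; }
    echo "OK: $nrealms realm(s), $nkeys key(s), kvnos: $(kvnos "$3" | tr '\n' ' ')"
}

# write_samples DIR: constructed inputs matching the thread's two realms
write_samples() {
    printf 'afstest.iu.edu\n' > "$1/ThisCell"
    printf 'AFSTEST.IU.EDU\nADS.IU.EDU\n' > "$1/krb.conf"
    # constructed listing: one afs key per realm, distinct kvnos
    printf 'kvno    2: key is: 0123456789abcdef\nkvno    3: key is: fedcba9876543210\n' \
        > "$1/keys.good"
    # constructed listing: only one key survived, as when both adds used kvno 2
    printf 'kvno    2: key is: fedcba9876543210\n' > "$1/keys.bad"
}

# Usage against the constructed samples; on a real server the inputs would be
# /usr/afs/etc/ThisCell, /usr/afs/etc/krb.conf and `asetkey list > listing`.
sampledir=$(mktemp -d)
write_samples "$sampledir"
check_cell "$sampledir/ThisCell" "$sampledir/krb.conf" "$sampledir/keys.good"
check_cell "$sampledir/ThisCell" "$sampledir/krb.conf" "$sampledir/keys.bad" || true
rm -rf "$sampledir"
```

The WARN rather than FAIL on krb.conf ordering mirrors the reply, which asks whether the ThisCell realm is first without stating that it must be; the key-count check is the one that catches the case where the second asetkey add silently replaced the first key.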