[OpenAFS] ADS and MIT Kerberos transition auth continued

Derrick Brashear shadow@gmail.com
Wed, 1 Jul 2009 12:27:42 -0400



On Jul 1, 2009, at 12:17, Eric Chris Garrison <ecgarris@iupui.edu> wrote:

>> From: Andrew Deason <adeason@sinenomine.net>
>>> I've added an afs service principal from each of two realms to the
>>> KeyFile using asetkey. I've added both realms in /etc/krb.conf, the
>>> first two lines of the file being the two realms.
>>
>> You probably want /usr/afs/etc/krb.conf (if using transarc paths), or
>> /etc/openafs/server/krb.conf.
>
> Thanks, that did help, I've gotten further now.
>
> What I'm seeing now though, is that although I used asetkey to add the
> service principal from the ADS realm to my test cell, permissions
> aren't working as I'd expect.
>
> So, we have realm AFSTEST.IU.EDU and ADS.IU.EDU. Both are in the
> KeyFile and in /usr/afs/etc/krb.conf, and both are listed in
> /etc/krb5.conf.
>
Which is in ThisCell? Is the same one first in krb.conf?

Do you have an afs key from each in KeyFile? Are the kvnos different?

> On a client machine, I can kinit as the original, as
> ecgarris@AFSTEST.IU.EDU and can get permissions as expected to OpenAFS
> directories with ACLs granted to OpenAFS user ecgarris.
>
> I would expect on a multi-realm cell, that I could come in as
> ecgarris@ADS.IU.EDU and have the same permissions as
> ecgarris@AFSTEST.IU.EDU, but I don't; I get permission denied. If I
> create a file in an anyuser-writable directory, the UNIX permissions
> show it as owned by ecgarris, but I still get Permission Denied when I
> try to access directories owned by OpenAFS ecgarris.
>
> If I make the ONLY realm ADS.IU.EDU I have the same problem as well.
>
> Does this mean if we switch domains, all existing users will need
> extra ACLs inserted to accommodate the new domain?

No

> Is there a better answer?

Probably

> Am I just missing something simple?
>
Maybe

> Thanks!
>
> Chris
> --
> Eric Chris Garrison             | Principal Mass Storage Specialist
> ecgarris@iupui.edu              | Indiana University - Research Storage
> W: 317-278-1207 M: 317-250-8649 | Jabber IM: ecgarris@iupui.edu
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info