[OpenAFS] ADS and MIT Kerberos transition auth continued
Eric Chris Garrison
Wed, 01 Jul 2009 16:52:05 -0400
Jeffrey Altman wrote:
> Eric Chris Garrison wrote:
>>> From: Andrew Deason <email@example.com>
>>>> I've added an afs service principal from each of two realms to the
>>>> KeyFile using asetkey. I've added both realms in /etc/krb.conf, the
>>>> first two lines of the file being the two realms.
>>> You probably want /usr/afs/etc/krb.conf (if using transarc paths), or
>> Thanks, that did help, I've gotten further now.
>> What I'm seeing now though, is that although used asetkey to add the
>> service principal from the ADS realm to my test cell, permissions aren't
>> working as I'd expect.
>> So, we have realm AFSTEST.IU.EDU and ADS.IU.EDU. Both in the KeyFile and
>> in the /usr/afs/etc/krb.conf and both listed in the /etc/krb5.conf.
>> On a client machine, I can kinit as the original, as
>> ecgarris@AFSTEST.IU.EDU and can get permissions as expected to OpenAFS
>> directories with ACLs granted to OpenAFS user ecgarris.
>> I would expect on a multi-realm cell, that I could come in as
>> ecgarris@ADS.IU.EDU and have the same permissions as
>> ecgarris@AFSTEST.IU.EDU, but I don't, I get permission denied. If I
>> create a file in an anyuser-writable directory, the UNIX permissions show
>> it as owned by ecgarris, but I still get Permission Denied when I try to
>> access directories owned by OpenAFS ecgarris.
>> If I make the ONLY realm ADS.IU.EDU I have the same problem as well.
>> Does this mean if we switch domains, all existing users will need extra
>> ACLs inserted to accommodate the new domain? Is there a better answer?
>> Am I just missing something simple?
> It means you have done something wrong.
I'm sure I have, I just don't know what yet.
> What adding multiple realm names to /usr/afs/etc/krb.conf tells the AFS
> services after a restart is that all of the specified realms should be
> considered as sources of local authentication identities. If the
> krb.conf file states
> ADS.IU.EDU AFSTEST.IU.EDU
> then both the name ecgarris@ADS.IU.EDU and ecgarris@AFSTEST.IU.EDU will
> be treated as "ecgarris".
> When debugging authentication you should turn auditing on for all of
> your services so that you can see what the authentication identities are
> from the perspective of each service.
I turned auditing on and I do see a difference in the fileserver audit:
Wed Jul 1 15:59:13 2009  EVENT AFS_SRX_FchStat CODE 0 NAME ecgarris
HOST 18.104.22.168 ID 32766 FID 536870918:1:1
...but as ecgarris@ADS.IU.EDU:
Wed Jul 1 15:58:37 2009  EVENT AFS_Aud_Unauth CODE -1 STR AFS_SRX_StData
Wed Jul 1 15:58:37 2009  EVENT AFS_SRX_StData CODE 0 NAME --UnAuth--
HOST 22.214.171.124 ID 32766 FID 536870933:2:2
So the ADS.IU.EDU user is showing as unauthorized? Strange that if I
create a file, its UNIX permissions show as owned by ecgarris though.
> I would also verify that the keytabs that you are using are in fact
> correct. You can do so using the MIT Kerberos kvno command. Obtain a
> TGT for ecgarris@ADS.IU.EDU and then issue:
> kvno -k <keytab> afs/afstest.iu.edu@ADS.IU.EDU
> If the key verifies then it can be imported into the AFS KeyFile and
> distributed to all of your services.
It does verify, with kvno = 6, which is not the same as the other service.
So what else could be wrong?
Eric Chris Garrison | Principal Mass Storage Specialist
firstname.lastname@example.org | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: email@example.com