[OpenAFS] ADS and MIT Kerberos transition auth continued

Derrick Brashear shadow@gmail.com
Wed, 1 Jul 2009 16:55:33 -0400


On Wed, Jul 1, 2009 at 4:52 PM, Eric Chris Garrison<ecgarris@iupui.edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jeffrey Altman wrote:
>> Eric Chris Garrison wrote:
>>>> From: Andrew Deason <adeason@sinenomine.net>
>>>>> I've added an afs service principal from each of two realms to the
>>>>> KeyFile using asetkey.  I've added both realms in /etc/krb.conf, the
>>>>> first two lines of the file being the two realms.
>>>> You probably want /usr/afs/etc/krb.conf (if using transarc paths), or
>>>> /etc/openafs/server/krb.conf.
>>> Thanks, that did help, I've gotten further now.
>>>
>>> What I'm seeing now though, is that although used asetkey to add the
>>> service principal from the ADS realm to my test cell, permissions aren't
>>> working as I'd expect.
>>>
>>> So, we have realm AFSTEST.IU.EDU and ADS.IU.EDU.  Both in the KeyFile and
>>> in the /usr/afs/etc/krb.conf and both listed in the /etc/krb5.conf.
>>>
>>> On a client machine, I can kinit as the original, as
>>> ecgarris@AFSTEST.IU.EDU and can get permissions as expected to OpenAFS
>>> directories with ACLs granted to OpenAFS user ecgarris.
>>>
>>> I would expect on a multi-realm cell, that I could come in as
>>> ecgarris@ADS.IU.EDU and have the same permissions as
>>> ecgarris@AFSTEST.IU.EDU, but I don't, I get permission denied.  If I
>>> create a file in an anyuser-writable directory, the UNIX permissions show
>>> it as owned by ecgarris, but I still get Permission Denied when I try to
>>> access directories owned by OpenAFS ecgarris.
>>>
>>> If I make the ONLY realm ADS.IU.EDU I have the same problem as well.
>>>
>>> Does this mean if we switch domains, all existing users will need extra
>>> ACLs inserted to accommodate the new domain?  Is there a better answer?
>>> Am I just missing something simple?
>>
>> it means you have done something wrong.
>
> I'm sure I have, I just don't know what yet.
>
>> what adding multiple realm names to /usr/afs/etc/krb.conf tells the AFS
>> services after a restart is that all of the specified realms should be
>> considered as sources of local authentication identities.  If the
>> krb.conf file states
>>
>>   ADS.IU.EDU AFSTEST.IU.EDU

wait, they should be one per line. are they?

> ...but as ecgarris@ADS.IU.EDU:
>
> Wed Jul  1 15:58:37 2009 [6] EVENT AFS_Aud_Unauth CODE -1 STR AFS_SRX_StData
> Wed Jul  1 15:58:37 2009 [6] EVENT AFS_SRX_StData CODE 0 NAME --UnAuth--
> HOST 149.166.144.33 ID 32766 FID 536870933:2:2
>
> So the ADS.IU.EDU user is showing as unauthorized?  Strange that if I
> create a file, its UNIX permissions show as owned by ecgarris though.

it's unauthenticated, not unauthorized.
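The thread turns on two things an administrator can check mechanically: whether the fileserver audit log records a request as unauthenticated (the AFS_Aud_Unauth event and the --UnAuth-- name above) rather than merely denied, and whether krb.conf lists its realms one per line, as Derrick says it should. The following script is an added example written for this page, not code from the thread or from OpenAFS. It parses audit lines in the layout quoted above (the field order is assumed from those two lines), counts unauthenticated requests per host, and warns about krb.conf lines carrying more than one realm. The third sample log line, with user ecgarris and ID 1001, is constructed; the first two are the lines quoted in the thread, re-joined onto single lines.

```python
import re
from collections import Counter

# Constructed sample: the first two lines are the audit records quoted in the
# thread (re-joined onto one line each); the third is a made-up authenticated
# request from the same host for contrast.
SAMPLE_LOG = """\
Wed Jul  1 15:58:37 2009 [6] EVENT AFS_Aud_Unauth CODE -1 STR AFS_SRX_StData
Wed Jul  1 15:58:37 2009 [6] EVENT AFS_SRX_StData CODE 0 NAME --UnAuth-- HOST 149.166.144.33 ID 32766 FID 536870933:2:2
Wed Jul  1 15:59:02 2009 [6] EVENT AFS_SRX_StData CODE 0 NAME ecgarris HOST 149.166.144.33 ID 1001 FID 536870933:2:3
"""

# Assumed layout of a fileserver audit line, taken from the quoted records:
# "<timestamp> [<facility>] EVENT <name> CODE <n> <key value ...>".
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[(?P<fac>\d+)\] "
    r"EVENT (?P<event>\S+) CODE (?P<code>-?\d+)(?P<rest>.*)$"
)

# Trailing key/value pairs seen in the quoted lines.
TRAILING_KEYS = ("STR", "NAME", "HOST", "ID", "FID")


def parse_audit_line(line):
    """Return a dict for one audit line, or None if it does not match."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": m.group("ts"),
        "event": m.group("event"),
        "code": int(m.group("code")),
    }
    rest = m.group("rest")
    for key in TRAILING_KEYS:
        # \b keeps "ID" from matching inside "FID".
        km = re.search(rf"\b{key} (\S+)", rest)
        if km:
            rec[key.lower()] = km.group(1)
    return rec


def is_unauthenticated(rec):
    """True when the record shows a request with no Kerberos identity:
    either the AFS_Aud_Unauth audit event or the --UnAuth-- caller name."""
    return rec["event"] == "AFS_Aud_Unauth" or rec.get("name") == "--UnAuth--"


def unauthenticated_events(lines):
    """All parsed records that represent unauthenticated requests."""
    recs = (parse_audit_line(l) for l in lines if l.strip())
    return [r for r in recs if r is not None and is_unauthenticated(r)]


def unauth_hosts(lines):
    """Count unauthenticated requests per client host (records without a
    HOST field, such as the AFS_Aud_Unauth marker line, are not counted)."""
    return Counter(r["host"] for r in unauthenticated_events(lines) if "host" in r)


def check_krb_conf(text):
    """Warn about krb.conf lines that hold more than one realm.  This follows
    Derrick's reply that realms go one per line; the check is this script's
    own assumption about the file, not OpenAFS's parser."""
    warnings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if len(tokens) > 1:
            warnings.append(
                f"line {lineno}: {len(tokens)} realms on one line "
                f"({' '.join(tokens)}); put each realm on its own line"
            )
    return warnings


if __name__ == "__main__":
    for host, n in unauth_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {n} unauthenticated request(s)")
    for w in check_krb_conf("ADS.IU.EDU AFSTEST.IU.EDU\n"):
        print("krb.conf:", w)
```

Run against a real fileserver audit log, a host that shows up in unauth_hosts while its user believes they hold a token is the symptom in this thread: the token was issued by a realm the cell does not treat as local, so the fileserver sees no identity at all, which is a different failure from an ACL refusing a known user.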