[OpenAFS] Re: Odd token/fileserver permission denied problem

Andrew Deason adeason@sinenomine.net
Thu, 30 Jul 2009 18:11:25 -0400


On Thu, 30 Jul 2009 13:51:06 -0400 (EDT)
Gedaliah Wolosh <gwolosh@njit.edu> wrote:

> On Thu, the 9th of Av, 5769 (07/30/2009) Jeffrey Altman wrote:
> 
> > Gedaliah Wolosh wrote:
> >>
> >> Currently our cell is authenticating to both the KA server and
> >> Krb5. The AFS Keyfile contains principals for both afs and
> >> afs/cellname.  The KeyFile is distributed via upclient.  This has
> >> been working for several months without issue.
> >>
> >> A new file server was put in place. If aklog is used to get a
> >> token, the token does not give the user permission in any volume
> >> served by this new file server. A token obtained by klog is fine.
> >
> > The kaserver token will be issued from a realm with the same name
> > as the cell.  What is the name of the Kerberos v5 realm and if it
> > is not the same, does it exist in the afs krb.conf file?
> 
> The Kerberos v5 realm is different from the name of the cell, however
> the realm name IS in the afs krb.conf file.

Just to be sure, what is the full path to the krb.conf you're talking
about?

When you aklog, does 'tokens' still show that you have tokens after you
try something where you are denied permission?

Have you tried restarting the fileserver processes after you've verified
that /usr/afs/etc is the same as the others?

-- 
Andrew Deason
adeason@sinenomine.net