[OpenAFS] Re: Odd token/fileserver permission denied problem

Gedaliah Wolosh gwolosh@njit.edu
Fri, 31 Jul 2009 08:45:18 -0400 (EDT)


On Thu, the 9th of Av, 5769 (07/30/2009) Andrew Deason wrote:

> On Thu, 30 Jul 2009 13:51:06 -0400 (EDT)
> Gedaliah Wolosh <gwolosh@njit.edu> wrote:
>
>>
>>
>> On Thu, the 9th of Av, 5769 (07/30/2009) Jeffrey Altman wrote:
>>
>>> Gedaliah Wolosh wrote:
>>>>
>>>> Currently our cell is authenticating to both the KA server and
>>>> Krb5. The AFS Keyfile contains principals for both afs and
>>>> afs/cellname.  The KeyFile is distributed via upclient.  This has
>>>> been working for several months without issue.
>>>>
>>>> A new file server was put in place. If aklog is used to get a
>>>> token, the token does not give the user permission in any volume
>>>> served by this new file server. A token obtained by klog is fine.
>>>
>>> The kaserver token will be issued from a realm with the same name
>>> as the cell.  What is the name of the Kerberos v5 realm and if it
>>> is not the same, does it exist in the afs krb.conf file?
>>
>> The Kerberos v5 realm is different from the name of the cell, however
>> the realm name IS in the afs krb.conf file.
>
> Just to be sure; what is the full path to the krb.conf you're talking
> about?

/usr/afs/etc/krb.conf

>
> When you aklog, does 'tokens' still show that you have tokens after you
> try something where you are denied permission?

Yes


>
> Have you tried restarting the fileserver processes after you've verified
> that /usr/afs/etc is the same as the others?

Yes


Gedaliah Wolosh
University Computing Systems - IST
New Jersey Institute of Technology


>
> -- 
> Andrew Deason
> adeason@sinenomine.net