[OpenAFS] New setup. Strange permission denied! For *some* of my users. :(
Sat, 9 May 2009 17:01:04 +0100
On 9 May 2009, at 16:29, Michael Joyner =E1=8F=A9=E1=8F=AF wrote:
> Yes, there are dots. no slashes or other special characters.
By default, OpenAFS disallows principals with dots in them.
This is due to the way it translates principals with instances into =20
pts names - essentially it does a Kerberos 5 -> Kerberos 4 name =20
mapping, so that sxw/admin (for example) would become sxw.admin. In =20
this case, the Kerberos principal sxw/admin is then indistinguishable =20=
from the sxw.admin prinicpal - which is potentially dangerous. To play =20=
it safe, principals with a dot in the first component are simply =20
If you are confident that there are (and will be) no principals in =20
your domain which collide in this way, then you can disable this check =20=
by starting all of your servers with the -allow-dotted-principals =20