[OpenAFS] New setup. Strange permission denied! For *some* of my users. :(

Simon Wilkinson sxw@inf.ed.ac.uk
Sat, 9 May 2009 17:01:04 +0100


On 9 May 2009, at 16:29, Michael Joyner ᏩᏯ wrote:
> Yes, there are dots. No slashes or other special characters.

By default, OpenAFS disallows principals with dots in them.

This is due to the way it translates principals with instances into
pts names - essentially it does a Kerberos 5 -> Kerberos 4 name
mapping, so that sxw/admin (for example) would become sxw.admin. In
this case, the Kerberos principal sxw/admin is then indistinguishable
from the sxw.admin principal - which is potentially dangerous. To play
it safe, principals with a dot in the first component are simply
disallowed.

If you are confident that there are (and will be) no principals in
your domain which collide in this way, then you can disable this check
by starting all of your servers with the -allow-dotted-principals
option.

Cheers,

Simon.
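The collision Simon describes, as an added example (this is illustrative Python, not OpenAFS's own code): it models the component-joining mapping from Kerberos 5 principal to pts name, applies the default refusal of a dot in the first component, and scans a list of principals for names that would become ambiguous if -allow-dotted-principals were turned on. The realm handling (a single local realm, simply dropped) and the lack of support for backslash-escaped separators are simplifying assumptions; the sample principal list is constructed for the example.

```python
# Added example, not OpenAFS code. Models the Kerberos 5 -> pts name mapping
# described in the mail (components joined with '.') and the default refusal of
# dotted first components, then finds principals that collide after mapping.


def krb5_to_pts_name(principal: str, allow_dotted: bool = False) -> str:
    """Map 'primary[/instance[/...]]@REALM' to a pts-style name.

    Assumptions (simplifications for the example): there is one local realm,
    so '@REALM' is dropped, and '\\/' or '\\.' escapes are not handled.
    Raises ValueError for a malformed principal, or for a dot in the first
    component unless allow_dotted is True (the -allow-dotted-principals case).
    """
    name, _, _realm = principal.partition("@")
    components = name.split("/")
    if any(c == "" for c in components):
        raise ValueError(f"malformed principal: {principal!r}")
    # Default behaviour: a dot in the first component is refused, because after
    # mapping it could be indistinguishable from 'primary/instance'.
    if "." in components[0] and not allow_dotted:
        raise ValueError(
            f"dotted principal refused: first component {components[0]!r}"
        )
    return ".".join(components)


def is_accepted(principal: str, allow_dotted: bool = False) -> bool:
    """True if krb5_to_pts_name would accept the principal under this setting."""
    try:
        krb5_to_pts_name(principal, allow_dotted=allow_dotted)
    except ValueError:
        return False
    return True


def find_collisions(principals, allow_dotted: bool = True):
    """Return {pts_name: [principals...]} for every pts name that more than one
    accepted principal maps to. Run with allow_dotted=True over your KDC's
    principal list to see what enabling -allow-dotted-principals would expose."""
    by_name: dict[str, list[str]] = {}
    for p in principals:
        if not is_accepted(p, allow_dotted=allow_dotted):
            continue  # refused principals never reach the pts database
        by_name.setdefault(krb5_to_pts_name(p, allow_dotted=True), []).append(p)
    return {n: ps for n, ps in by_name.items() if len(ps) > 1}


# Constructed sample principal list (hypothetical realm and users).
SAMPLE_PRINCIPALS = [
    "sxw@EXAMPLE.COM",
    "sxw/admin@EXAMPLE.COM",
    "sxw.admin@EXAMPLE.COM",       # collides with sxw/admin once mapped
    "michael.joyner@EXAMPLE.COM",  # dotted, but no colliding instance form
    "host/afs1.example.com@EXAMPLE.COM",
]

if __name__ == "__main__":
    print("default (dotted refused):", find_collisions(SAMPLE_PRINCIPALS, allow_dotted=False))
    print("with -allow-dotted-principals:", find_collisions(SAMPLE_PRINCIPALS, allow_dotted=True))
```

With the defaults, `sxw.admin@EXAMPLE.COM` and `michael.joyner@EXAMPLE.COM` are refused outright, so no collision exists; with dotted principals allowed, `sxw/admin` and `sxw.admin` both become the pts name `sxw.admin`, which is exactly the ambiguity the check guards against. A principal list for the real scan would come from the KDC (for MIT, the output of `kadmin.local -q list_principals`, assumed here rather than fetched).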