[OpenAFS] New setup. Strange permission denied! For *some* of my users. :(

Michael Joyner ᏩᏯ mjoyner@vbservices.net
Sat, 09 May 2009 12:41:44 -0400


Simon Wilkinson wrote:
>
> On 9 May 2009, at 16:29, Michael Joyner ᏩᏯ wrote:
>>>
>> Yes, there are dots. No slashes or other special characters.
>
> By default, OpenAFS disallows principals with dots in them.
>
> This is due to the way it translates principals with instances into
> pts names - essentially it does a Kerberos 5 -> Kerberos 4 name
> mapping, so that sxw/admin (for example) would become sxw.admin. In
> this case, the Kerberos principal sxw/admin is then indistinguishable
> from the sxw.admin principal - which is potentially dangerous. To play
> it safe, principals with a dot in the first component are simply
> disallowed.
>
> If you are confident that there are (and will be) no principals in
> your domain which collide in this way, then you can disable this check
> by starting all of your servers with the -allow-dotted-principals option.
>
> Cheers,
>
> Simon.
>
Is it even possible to set up principals with '/' in their names on W2K8?


-- 
LyX: http://www.lyx.org/ OpenOffice: http://www.openoffice.org/
Inkscape: http://www.inkscape.org/ Scribus: http://www.scribus.net/
GIMP: http://www.gimp.org/ PDF: http://www.pdfforge.org/
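
The collision Simon describes can be checked against a principal list before -allow-dotted-principals is enabled. The script below is an added example, not part of the original message and not OpenAFS code; it models only the name/instance -> name.instance mapping quoted above, and the helper names, the EXAMPLE.ORG realm and the sample principals are constructed assumptions.

```python
from collections import defaultdict

def local_name(principal):
    """Strip the realm (assumption: every principal is in the cell's own realm)."""
    return principal.split("@", 1)[0]

def to_pts_name(principal):
    """Model of the mapping described in the thread: name/instance -> name.instance.
    Assumes at most one instance component and no escaped characters."""
    first, _, instance = local_name(principal).partition("/")
    return f"{first}.{instance}" if instance else first

def audit(principals):
    """Return (dotted, collisions).
    dotted: names whose first component contains a dot (rejected by default).
    collisions: pts name -> distinct principal names that map onto it."""
    by_pts = defaultdict(set)
    dotted = set()
    for p in principals:
        name = local_name(p)
        by_pts[to_pts_name(p)].add(name)
        if "." in name.partition("/")[0]:
            dotted.add(name)
    collisions = {pts: sorted(names)
                  for pts, names in by_pts.items() if len(names) > 1}
    return sorted(dotted), collisions

def safe_to_allow_dotted(principals):
    """True only if no two distinct principals share a pts name."""
    return not audit(principals)[1]

# Constructed sample input, e.g. an export of the realm's principal list.
SAMPLE = [
    "sxw@EXAMPLE.ORG",
    "sxw/admin@EXAMPLE.ORG",
    "sxw.admin@EXAMPLE.ORG",
    "john.smith@EXAMPLE.ORG",
    "mjoyner@EXAMPLE.ORG",
]

if __name__ == "__main__":
    dotted, collisions = audit(SAMPLE)
    print("dotted first component:", ", ".join(dotted))
    for pts, names in collisions.items():
        print(f"COLLISION on pts name {pts}: {', '.join(names)}")
    print("safe to allow dotted principals:", safe_to_allow_dotted(SAMPLE))
```

The check only covers principals that exist when it is run; the "and will be" condition in the reply still needs a naming policy that keeps the two forms from both being issued later.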

