[OpenAFS] Re: OpenAFS and AD trusts
Andrew Deason
adeason@sinenomine.net
Mon, 11 Jul 2011 17:07:12 -0500
On Mon, 11 Jul 2011 17:31:30 -0400
"Danko Antolovic" <dantolov@indiana.edu> wrote:
> The Open AFS configuration knows only about RESOURCE.NET, which is the
> default (and only) Kerb domain in /etc/krb5.conf, and is also the
> domain listed in /usr/afs/etc/krb.conf.
If I'm understanding your setup correctly, I'd think you want the IU.EDU
realm in krb.conf. You want 'user@IU.EDU' to be 'user' to AFS, right?
Then you want IU.EDU to be considered a local realm, and so you want it
in krb.conf.
You can get some more information about what's going on with name
mapping if you raise the fileserver debug level and/or turn on audit
logs. The fileserver manpage should have enough to let you know how
(look for mentions of TSTP and HUP for how to change the debug level on
the fly; you probably want to turn it up to at least 5). I'd expect
right now what you'd see is that user@IU.EDU is being considered a
foreign user; so the fileserver thinks they are 'user@iu.edu' instead of
'user'.
--
Andrew Deason
adeason@sinenomine.net