[OpenAFS] Re: OpenAFS and AD trusts

Andrew Deason adeason@sinenomine.net
Tue, 19 Jul 2011 13:11:51 -0500


On Tue, 19 Jul 2011 13:52:08 -0400
"Danko Antolovic" <dantolov@indiana.edu> wrote:

> [root@afs1c afs]# pts adduser -user dantolov  -group  system:authuser@iu.edu
> -noauth

No, don't do this. In your setup, the _only_ user that will be
recognized as "dantolov" is someone that authenticates with the
principal dantolov@RESOURCE.NET, which, if I understand correctly, does
not exist, so there should not be a user called "dantolov" at all. The
user that authenticates via the Kerberos principal dantolov@IU.EDU will
have the AFS PT name "dantolov@iu.edu" if IU.EDU is not in krb.conf.

> Predictably, when I authenticate as a foreign user (via trust), I can't
> touch the files in /afs/afs1.bedrock.iu.edu

aklog is supposed to automatically create the user dantolov@iu.edu and
add it to system:authuser@iu.edu for you; you don't need to do it
yourself. Does dantolov@iu.edu exist? What does aklog say when you give
it the -d option when you authenticate with dantolov@IU.EDU?

-- 
Andrew Deason
adeason@sinenomine.net
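The naming rule the reply describes (a principal from a realm not listed in krb.conf gets the PT name user@realm and belongs to system:authuser@realm, while a local-realm principal is just user), written out as an added example that is not OpenAFS or aklog code. It assumes krb.conf is a whitespace-separated list of realm names, that principals have no instance component, and uses a constructed PTS snapshot mirroring the mistaken `pts adduser` in the thread.

```python
"""Model of the cross-realm PT naming rule from the message (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AfsIdentity:
    pts_name: str   # name expected in the protection database
    group: str      # system:authuser group the user should belong to


def local_realms(krb_conf_text: str, cell: str) -> set:
    """Realms treated as local: those listed in krb.conf (assumed to be a
    whitespace-separated list), or the uppercased cell name when krb.conf
    is empty or absent."""
    realms = set(krb_conf_text.split())
    return realms if realms else {cell.upper()}


def afs_identity(principal: str, cell: str, krb_conf_text: str = "") -> AfsIdentity:
    """Map user@REALM to the PT name and authuser group aklog would use."""
    if "@" not in principal:
        raise ValueError("principal must be of the form user@REALM")
    user, realm = principal.rsplit("@", 1)
    if realm.upper() in local_realms(krb_conf_text, cell):
        return AfsIdentity(user, "system:authuser")
    foreign = realm.lower()          # foreign realm is appended in lower case
    return AfsIdentity(f"{user}@{foreign}", f"system:authuser@{foreign}")


def check_pts_entries(principal, cell, krb_conf_text, existing_users, memberships):
    """Report what is missing for `principal` given a snapshot of PTS users
    and a {user: set(groups)} membership map (both constructed samples)."""
    ident = afs_identity(principal, cell, krb_conf_text)
    problems = []
    if ident.pts_name not in existing_users:
        problems.append(f"PTS user {ident.pts_name!r} missing (aklog should create it)")
    elif ident.group not in memberships.get(ident.pts_name, set()):
        problems.append(f"{ident.pts_name!r} is not a member of {ident.group!r}")
    return ident, problems


if __name__ == "__main__":
    # Constructed snapshot of the thread's situation: cell realm RESOURCE.NET,
    # and a bare "dantolov" wrongly added to system:authuser@iu.edu.
    CELL, KRB_CONF = "afs1.bedrock.iu.edu", "RESOURCE.NET"
    users = {"dantolov"}
    groups = {"dantolov": {"system:authuser@iu.edu"}}
    ident, problems = check_pts_entries("dantolov@IU.EDU", CELL, KRB_CONF, users, groups)
    print(ident, *problems, sep="\n")
```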