[OpenAFS] Re: OpenAFS and AD trusts
Tue, 19 Jul 2011 14:56:01 -0400
You are correct, there is no dantolov@RESOURCE.NET; there is
dantolov@IU.EDU, and there is also a local user dantolov with AFS ID 2. I
did not see dantolov@IU.EDU as a member of system:authuser@IU.EDU at any
time. Are you saying that the presence of the local user is the problem?
Below is what kinit and aklog produce. Thanks,
[root@afs1c afs]# kinit dantolov@IU.EDU
Password for dantolov@IU.EDU:
[root@afs1c afs]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: dantolov@IU.EDU
Valid starting     Expires            Service principal
07/19/11 14:38:38  07/20/11 00:38:45  krbtgt/IU.EDU@IU.EDU
        renew until 07/20/11 14:38:38
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@afs1c afs]# aklog -d -c afs1.bedrock.iu.edu
Authenticating to cell afs1.bedrock.iu.edu (server afs1.bedrock.iu.edu).
Trying to authenticate to user's realm IU.EDU.
Getting tickets: afs/afs1.bedrock.iu.edu@IU.EDU
Using Kerberos V5 ticket natively
About to resolve name dantolov to id in cell afs1.bedrock.iu.edu.
Set username to AFS ID 2
Setting tokens. AFS ID 2 / @ IU.EDU
[root@afs1c afs]# tokens
Tokens held by the Cache Manager:
User's (AFS ID 2) tokens for afs@afs1.bedrock.iu.edu [Expires Jul 20 00:38]
--End of list--
From: email@example.com [mailto:firstname.lastname@example.org]
On Behalf Of Andrew Deason
Sent: Tuesday, July 19, 2011 2:12 PM
Subject: [OpenAFS] Re: OpenAFS and AD trusts
On Tue, 19 Jul 2011 13:52:08 -0400
"Danko Antolovic" <email@example.com> wrote:
> [root@afs1c afs]# pts adduser -user dantolov -group
No, don't do this. In your setup, the _only_ user that will be
recognized as "dantolov" is someone that authenticates with the
principal dantolov@RESOURCE.NET, which, if I understand correctly, does
not exist, so there should not be a user called "dantolov" at all. The
user that authenticates via the kerberos principal dantolov@IU.EDU will
have the AFS PT name "dantolov@IU.EDU" if IU.EDU is not in krb.conf.
> Predictably, when I authenticate as a foreign user (via trust), I can't
> touch the files in /afs/afs1.bedrock.iu.edu
aklog is supposed to automatically create the user dantolov@IU.EDU and
add it to system:authuser@IU.EDU for you; you don't need to do it
yourself. Does dantolov@IU.EDU exist? What does aklog say when you give
it the -d option when you authenticate with dantolov@IU.EDU ?
OpenAFS-info mailing list
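The rule Andrew states (a principal from a realm listed in krb.conf keeps its bare name; any other realm is foreign, so the PTS name becomes user@REALM and aklog adds it to system:authuser@REALM) can be checked mechanically against the klist and aklog -d output Danko posted. The script below is an added example and is not code from the thread or from OpenAFS: it embeds the two command outputs from the thread as constructed sample input, computes the PTS name aklog should resolve for a given list of local realms, and compares it with the name aklog actually resolved. The krb.conf realm lists passed in are assumptions for illustration; the function and variable names are mine.

```python
"""Compare the PTS name aklog should use for a Kerberos principal with the
name it actually resolved (from `aklog -d`), given which realms the cell's
krb.conf treats as local.  Added example; not part of the original thread."""
import re
from typing import Dict, List, Optional

# Constructed sample input: copied from the klist / aklog -d output in the
# thread so the script runs offline without an AFS client.
KLIST_OUTPUT = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: dantolov@IU.EDU
"""

AKLOG_DEBUG_OUTPUT = """Authenticating to cell afs1.bedrock.iu.edu (server afs1.bedrock.iu.edu).
Trying to authenticate to user's realm IU.EDU.
Getting tickets: afs/afs1.bedrock.iu.edu@IU.EDU
Using Kerberos V5 ticket natively
About to resolve name dantolov to id in cell afs1.bedrock.iu.edu.
Set username to AFS ID 2
Setting tokens. AFS ID 2 / @ IU.EDU
"""


def default_principal(klist_text: str) -> str:
    """Extract user@REALM from the 'Default principal:' line of klist."""
    m = re.search(r"^Default principal:\s*(\S+)", klist_text, re.M)
    if not m:
        raise ValueError("no 'Default principal' line in klist output")
    return m.group(1)


def expected_pts_name(principal: str, local_realms: List[str]) -> str:
    """PTS name aklog uses: bare user for a local (krb.conf) realm,
    user@REALM for a foreign realm (the rule stated in the thread)."""
    user, sep, realm = principal.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"not a user@REALM principal: {principal!r}")
    if realm.upper() in {r.upper() for r in local_realms}:
        return user
    return f"{user}@{realm}"


def authuser_group(pts_name: str) -> Optional[str]:
    """Group aklog adds a foreign-realm user to; None for a local name."""
    if "@" not in pts_name:
        return None
    return "system:authuser@" + pts_name.rsplit("@", 1)[1]


def parse_aklog_debug(text: str) -> Dict[str, object]:
    """Pull the name aklog resolved, the cell, and the AFS ID it settled on."""
    m = re.search(r"About to resolve name (\S+) to id in cell (\S+)\.", text)
    if not m:
        raise ValueError("aklog -d output has no 'About to resolve name' line")
    ident = re.search(r"Set username to AFS ID (\d+)", text)
    return {
        "resolved_name": m.group(1),
        "cell": m.group(2),
        "afs_id": int(ident.group(1)) if ident else None,
    }


def diagnose(klist_text: str, aklog_text: str,
             local_realms: List[str]) -> Dict[str, object]:
    """Return expected vs. resolved PTS name and a one-line interpretation."""
    principal = default_principal(klist_text)
    expected = expected_pts_name(principal, local_realms)
    actual = parse_aklog_debug(aklog_text)
    consistent = actual["resolved_name"] == expected
    if consistent and "@" in expected:
        note = (f"foreign user: aklog should create PTS entry {expected} "
                f"and add it to {authuser_group(expected)}")
    elif consistent:
        note = (f"realm treated as local: the token belongs to the local PTS "
                f"entry {expected} (AFS ID {actual['afs_id']})")
    else:
        note = (f"aklog resolved {actual['resolved_name']!r} but the realm "
                f"list implies {expected!r}; check which realms krb.conf lists")
    return {
        "principal": principal,
        "expected_name": expected,
        "resolved_name": actual["resolved_name"],
        "afs_id": actual["afs_id"],
        "consistent": consistent,
        "note": note,
    }


if __name__ == "__main__":
    # Assumed krb.conf contents for the two cases: IU.EDU absent vs. present.
    for realms in (["RESOURCE.NET"], ["RESOURCE.NET", "IU.EDU"]):
        r = diagnose(KLIST_OUTPUT, AKLOG_DEBUG_OUTPUT, realms)
        print(realms, "->", r["note"])
```

With IU.EDU absent from the assumed realm list the script reports a mismatch (aklog resolved the bare name dantolov while the rule predicts dantolov@IU.EDU); with IU.EDU present it reports that the realm is being treated as local and the token is bound to the local entry with AFS ID 2, which is exactly what the tokens output in the thread shows. Either way the fix is on the krb.conf side, not a manual pts adduser.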