[OpenAFS] Administrators with a slash
Bobb Crosbie
bobb.crosbie@cremeglobal.com
Thu, 5 Jan 2012 12:40:32 +0000
Hey,
We are trying to tidy things up with our administrator principals in
Kerberos and AFS.
Rather than having our normal accounts in the AFS system:administrators
group, we thought it would be better to use the /admin principals we use in
Kerberos.
However, we are having some difficulties which seem to be caused by the
slashes in the principal names.
Both principals are in the system:administrators group (this was run when
authenticated as bobb.crosbie):
    bobb@ophelia:~$ pts membership bobb.crosbie
    Groups bobb.crosbie (id: 5021) is a member of:
      system:administrators

    bobb@ophelia:~$ pts membership bobb.crosbie/admin
    Groups bobb.crosbie/admin (id: 4021) is a member of:
      system:administrators
Both principals are also SUsers:
    bobb@ophelia:~$ bos listusers -server afs01
    bos: running unauthenticated
    SUsers are: admin bobb.crosbie bobb.crosbie/admin [....]
Authenticating as bobb.crosbie works fine:
    bobb@ophelia:~$ kdestroy; unlog; kinit bobb.crosbie; aklog
    Password for bobb.crosbie@CREMELABS.COM:

    bobb@ophelia:~$ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: bobb.crosbie@CREMELABS.COM

    Valid starting     Expires            Service principal
    01/05/12 12:24:06  01/05/12 20:24:06  krbtgt/CREMELABS.COM@CREMELABS.COM
            renew until 01/06/12 12:23:03
    01/05/12 12:24:06  01/05/12 20:24:06  afs/cremelabs.com@CREMELABS.COM
            renew until 01/06/12 12:23:03

    bobb@ophelia:~$ tokens
    Tokens held by the Cache Manager:

    User's (AFS ID 5021) tokens for afs@cremelabs.com [Expires Jan  5 20:24]
       --End of list--
I can authenticate against Kerberos as bobb.crosbie/admin:
    bobb@ophelia:~$ kdestroy; unlog; kinit bobb.crosbie/admin; aklog; klist; tokens
    Password for bobb.crosbie/admin@CREMELABS.COM:

    bobb@ophelia:~$ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: bobb.crosbie/admin@CREMELABS.COM

    Valid starting     Expires            Service principal
    01/05/12 12:24:46  01/05/12 20:24:46  krbtgt/CREMELABS.COM@CREMELABS.COM
            renew until 01/06/12 12:23:44
    01/05/12 12:24:46  01/05/12 20:24:46  afs/cremelabs.com@CREMELABS.COM
            renew until 01/06/12 12:23:44
But I don't seem to get a proper token from AFS: there's no "(AFS ID 4021)"
bit.
    bobb@ophelia:~$ tokens
    Tokens held by the Cache Manager:

    Tokens for afs@cremelabs.com [Expires Jan  5 20:24]
       --End of list--
And bobb.crosbie/admin doesn't have permission to look at group memberships:
    bobb@ophelia:~$ pts membership bobb.crosbie/admin
    pts: Permission denied ; unable to get membership of bobb.crosbie/admin (id: 4021)
Everything seems to work fine if we create another principal in Kerberos
without the slash (bobbadmin, say), create that user in pts and add it
to the system:administrators group. The slash seems to be the only issue.
Any ideas?
Are users/principals with slashes supported? Or is it recommended to do
things another way?
A number of documents (like this:
http://techpubs.spinlocksolutions.com/dklar/afs.html) suggest that slashes
are used.
Many Thanks,
- bobb
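The two symptoms in the post (a token line with no "(AFS ID n)" and a permission denied from pts) are what a cache manager shows when the Kerberos principal was not matched to any entry in the protection database. Below is an added example, written for this archive page and not code from the original post or from OpenAFS: a parser for `tokens` output that flags such unmapped tokens, plus the principal-to-PTS-name conversion that, to my understanding (an assumption, not something the post states), aklog and the servers apply before looking the user up: the instance is joined to the name with a dot, so bobb.crosbie/admin is looked up as bobb.crosbie.admin, which is not the entry that was created. The sample `tokens` outputs are copied from the post; foreign-realm principals are deliberately out of scope.

```python
import re

# Added example, not part of the original post and not OpenAFS code.
# One line of `tokens` output per token. A token matched to a PTS entry
# reads "User's (AFS ID n) tokens for afs@cell [Expires ...]"; one that
# was not matched reads only "Tokens for afs@cell [Expires ...]".
TOKEN_LINE = re.compile(
    r"^(?:User's \(AFS ID (?P<afs_id>\d+)\) tokens|Tokens)"
    r" for (?P<cell>\S+) \[Expires (?P<expires>[^\]]+)\]$"
)


def parse_tokens(output):
    """Parse `tokens` output into a list of dicts (cell, expires, afs_id)."""
    tokens = []
    for line in output.splitlines():
        m = TOKEN_LINE.match(line.strip())
        if m is None:
            continue  # banner, blank and "--End of list--" lines
        afs_id = m.group("afs_id")
        tokens.append({
            "cell": m.group("cell"),
            "expires": m.group("expires"),
            # None: the token exists, but no PTS identity was resolved, so
            # the servers will treat the caller as anonymous.
            "afs_id": int(afs_id) if afs_id is not None else None,
        })
    return tokens


def unmapped_cells(output):
    """Cells for which a token is held but no AFS ID was assigned."""
    return [t["cell"] for t in parse_tokens(output) if t["afs_id"] is None]


def afs_username(principal, cell_realm):
    """Assumed conversion (my understanding of aklog, not stated in the post)
    for principals in the cell's own realm: 'name/instance@REALM' becomes
    the PTS name 'name.instance'. The entry that must exist in pts is the
    dotted form, not the slashed one. Foreign realms are rejected here."""
    name, _, realm = principal.partition("@")
    if realm and realm != cell_realm:
        raise ValueError(f"{principal!r} is not in realm {cell_realm}")
    return name.replace("/", ".")


# Sample inputs copied from the post (session as bobb.crosbie, then as
# bobb.crosbie/admin).
TOKENS_OK = """\
Tokens held by the Cache Manager:

User's (AFS ID 5021) tokens for afs@cremelabs.com [Expires Jan  5 20:24]
   --End of list--
"""

TOKENS_NO_ID = """\
Tokens held by the Cache Manager:

Tokens for afs@cremelabs.com [Expires Jan  5 20:24]
   --End of list--
"""

if __name__ == "__main__":
    print(parse_tokens(TOKENS_OK))
    print("unmapped:", unmapped_cells(TOKENS_NO_ID))
    print(afs_username("bobb.crosbie/admin@CREMELABS.COM", "CREMELABS.COM"))
```

Running `tokens | python3 check_tokens.py`-style over live output is the obvious use: an admin principal whose token comes back without an AFS ID has not gained any privilege, whatever `pts membership` and `bos listusers` say about the slashed name. Comparing the `afs_username` result against the names actually present in pts and in the SUsers list is the check to make before trusting either listing.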