[OpenAFS] Administrators with a slash

Bobb Crosbie bobb.crosbie@cremeglobal.com
Thu, 5 Jan 2012 12:40:32 +0000


Hey,

We are trying to tidy things up with our administrator principals in
Kerberos and AFS.
Rather than having our normal accounts in the AFS system:administrators
group, we thought it would be better to use the /admin principals we use in
Kerberos.
However, we are having some difficulties which seem to be caused by the
slashes in the principal names.

Both principals are in the system:administrators group (this was run when
authenticated as bobb.crosbie):

     bobb@ophelia:~$ pts membership bobb.crosbie
     Groups bobb.crosbie (id: 5021) is a member of:
      system:administrators

     bobb@ophelia:~$ pts membership bobb.crosbie/admin
     Groups bobb.crosbie/admin (id: 4021) is a member of:
      system:administrators

Both principals are also SUsers:

     bobb@ophelia:~$ bos listusers -server afs01
     bos: running unauthenticated
     SUsers are: admin bobb.crosbie bobb.crosbie/admin [....]


Authenticating as bobb.crosbie works fine:

     bobb@ophelia:~$ kdestroy; unlog; kinit bobb.crosbie; aklog
     Password for bobb.crosbie@CREMELABS.COM:

     bobb@ophelia:~$ klist
     Ticket cache: FILE:/tmp/krb5cc_1000
     Default principal: bobb.crosbie@CREMELABS.COM

     Valid starting     Expires            Service principal
     01/05/12 12:24:06  01/05/12 20:24:06  krbtgt/CREMELABS.COM@CREMELABS.COM
         renew until 01/06/12 12:23:03
     01/05/12 12:24:06  01/05/12 20:24:06  afs/cremelabs.com@CREMELABS.COM
         renew until 01/06/12 12:23:03

     bobb@ophelia:~$ tokens
     Tokens held by the Cache Manager:

     User's (AFS ID 5021) tokens for afs@cremelabs.com [Expires Jan  5 20:24]
       --End of list--


I can authenticate against Kerberos as bobb.crosbie/admin:

     bobb@ophelia:~$ kdestroy; unlog; kinit bobb.crosbie/admin; aklog; klist; tokens
     Password for bobb.crosbie/admin@CREMELABS.COM:

     bobb@ophelia:~$ klist
     Ticket cache: FILE:/tmp/krb5cc_1000
     Default principal: bobb.crosbie/admin@CREMELABS.COM

     Valid starting     Expires            Service principal
     01/05/12 12:24:46  01/05/12 20:24:46  krbtgt/CREMELABS.COM@CREMELABS.COM
         renew until 01/06/12 12:23:44
     01/05/12 12:24:46  01/05/12 20:24:46  afs/cremelabs.com@CREMELABS.COM
        renew until 01/06/12 12:23:44

But I don't seem to get a proper token from AFS; there's no "(AFS ID 4021)"
bit:

     bobb@ophelia:~$ tokens
     Tokens held by the Cache Manager:

     Tokens for afs@cremelabs.com [Expires Jan  5 20:24]
        --End of list--

And bobb.crosbie/admin doesn't have permission to look at group memberships:

     bobb@ophelia:~$ pts membership bobb.crosbie/admin
     pts: Permission denied ; unable to get membership of bobb.crosbie/admin (id: 4021)


Everything seems to work fine if we create another principal in Kerberos
without the slash (bobbadmin, say), create that user in pts and add it
to the system:administrators group.  The slash seems to be the only issue.

Any ideas?
Are users/principals with slashes supported?  Or is it recommended to do
things another way?
A number of documents (like this one:
http://techpubs.spinlocksolutions.com/dklar/afs.html) suggest that slashes
are used.


Many Thanks,

- bobb
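
Added here as a diagnostic aid, not part of the post: a Python sketch that parses `tokens` output like the two runs above and works out which pts name aklog will look up for a given Kerberos principal. It assumes aklog's usual convention of mapping user/instance@REALM to user.instance (an assumption not stated by the poster); the sample outputs and the pts user set are constructed from the post.

```python
import re

# Constructed samples modelled on the two `tokens` runs and the
# `bos listusers` output in the post; not captured from a real cell.
TOKENS_WITH_ID = """Tokens held by the Cache Manager:

User's (AFS ID 5021) tokens for afs@cremelabs.com [Expires Jan  5 20:24]
   --End of list--
"""
TOKENS_WITHOUT_ID = """Tokens held by the Cache Manager:

Tokens for afs@cremelabs.com [Expires Jan  5 20:24]
   --End of list--
"""
PTS_USERS = {"admin", "bobb.crosbie", "bobb.crosbie/admin"}

_TOKEN_LINE = re.compile(
    r"^(?:User's \(AFS ID (\d+)\) )?[Tt]okens for (\S+) \[Expires")


def parse_tokens(output):
    """Map each cell token line to its AFS ID, or None when the Cache
    Manager holds a token it could not tie to a pts user (such a token
    only carries system:anyuser rights, hence the pts 'Permission denied')."""
    ids = {}
    for line in output.splitlines():
        m = _TOKEN_LINE.match(line.strip())
        if m:
            ids[m.group(2)] = int(m.group(1)) if m.group(1) else None
    return ids


def afs_name_for_principal(principal, cell_realm):
    """Name aklog looks up in pts for a Kerberos v5 principal.
    Assumed convention (standard aklog behaviour, not stated in the post):
    drop the realm and join primary and instance with a dot, so
    user/admin@REALM becomes user.admin. Foreign realms and principals
    with more than two components are not modelled and yield None."""
    name, _, realm = principal.partition("@")
    parts = name.split("/")
    if (realm and realm != cell_realm) or len(parts) > 2:
        return None
    return ".".join(parts)


def diagnose(principal, cell_realm, tokens_output, pts_users):
    """Return (pts name aklog wants, whether pts has it, AFS ID in token)."""
    wanted = afs_name_for_principal(principal, cell_realm)
    afs_id = next(iter(parse_tokens(tokens_output).values()), None)
    return wanted, wanted in pts_users, afs_id
```

Run against the post's second case, `diagnose` reports that aklog wants `bobb.crosbie.admin`, which the constructed pts set does not contain, and that the token carries no AFS ID.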
