[OpenAFS] Administrators with a slash

Jonathan Billings jsbillin@umich.edu
Thu, 5 Jan 2012 08:34:34 -0500


On Thu, Jan 05, 2012 at 12:40:32PM +0000, Bobb Crosbie wrote:
> Both principals are in the system:administrators group (this run when
> authenticated as bobb.crosbie)

Here's your problem.  Due to OpenAFS's history, krb5 principals with a
slash (such as username/admin@REALM) are converted to their krb4 form,
username.admin.  

By default, the ptserver disallows dotted principals to avoid the
confusion of equivocating the krb5 principals user.admin@REALM and
user/admin@REALM. 

If you are absolutely sure there are no such collisions in your realm,
you can run your servers with -allow-dotted-principals.

For more documentation:
http://docs.openafs.org/Reference/8/ptserver.html

-- 
Jonathan Billings <jsbillin@umich.edu>
College of Engineering - CAEN - Unix and Linux Support
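
One way to check a realm for the collisions described above before enabling -allow-dotted-principals (an added example, not part of the original post and not OpenAFS code). It assumes a plain list of krb5 principal names, one per line, with no escaped characters, and applies only the slash-to-dot conversion the post describes; the function names and sample principals are constructed.

```python
from collections import defaultdict


def afs_name(principal):
    """Map a krb5 principal to (realm, krb4-style name).

    'user/admin@REALM' -> ('REALM', 'user.admin'), as described in the post.
    Principals with more than two components are outside what the post
    covers, so they are skipped (None is returned).
    """
    if "@" in principal:
        name, _, realm = principal.rpartition("@")
    else:
        name, realm = principal, ""   # no realm given in the input
    parts = name.split("/")
    if len(parts) > 2:
        return None
    return realm, ".".join(parts)


def find_collisions(principals):
    """Return {converted name: [krb5 principals]} for every converted name
    that is reached by more than one distinct krb5 principal."""
    groups = defaultdict(set)
    for raw in principals:
        p = raw.strip()
        if not p:
            continue
        key = afs_name(p)
        if key is not None:
            groups[key].add(p)        # set: duplicates in the input are not collisions
    return {
        f"{name}@{realm}": sorted(members)
        for (realm, name), members in groups.items()
        if len(members) > 1
    }


# Constructed sample input (hypothetical principals, not from the post).
SAMPLE = """\
alice.admin@EXAMPLE.ORG
alice/admin@EXAMPLE.ORG
bob/admin@EXAMPLE.ORG
carol.admin@OTHER.EXAMPLE
carol/admin@EXAMPLE.ORG
host/afs1.example.org@EXAMPLE.ORG
""".splitlines()

if __name__ == "__main__":
    for name, members in find_collisions(SAMPLE).items():
        print(f"collision on {name}: {', '.join(members)}")
```

An empty result means no two principals in the list collapse to the same dotted name within a realm.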