[OpenAFS] Administrators with a slash
Jonathan Billings
jsbillin@umich.edu
Thu, 5 Jan 2012 08:34:34 -0500
On Thu, Jan 05, 2012 at 12:40:32PM +0000, Bobb Crosbie wrote:
> Both principles are in the system:administrators group (this run when
> authenticated as bobb.crosbie)
Here's your problem. Due to OpenAFS's history, krb5 principals with a
slash (such as username/admin@REALM) are converted to their krb4 form,
username.admin.
By default, the ptserver disallows dotted principals to avoid the
confusion of equivocating the krb5 principals user.admin@REALM and
user/admin@REALM.
If you are absolutely sure there are no such collisions in your realm,
you can run your servers with -allow-dotted-principals.
For more documentation:
http://docs.openafs.org/Reference/8/ptserver.html
--
Jonathan Billings <jsbillin@umich.edu>
College of Engineering - CAEN - Unix and Linux Support