[OpenAFS] Cross-realm PTS issue
Brian M. Torbich
bmtorbich@sei.cmu.edu
Fri, 20 Mar 2015 17:35:43 +0000
Todd, I saw the following:
Name: bmtorbich, id: 8701, owner: system:administrators, creator: bmtorbich_adm,
  membership: 4, flags: S----, group quota: 20.
Name: bmtorbich:instances, id: -7731, owner: 0, creator: bmtorbich,
  membership: 4, flags: S-M--, group quota: 0.
I added the M flag to my 'bmtorbich' group and the issue is fixed. I can now see the membership listing via the foreign realm credentials, as well as the native realm credentials.
Thanks for your help!
-Brian
From: Todd Lewis [mailto:utoddl@email.unc.edu]
Sent: Friday, March 20, 2015 1:27 PM
To: Brian M. Torbich
Subject: Re: [OpenAFS] Cross-realm PTS issue
flags? What do you get for
pts exa bmtorbich bmtorbich:instances
especially wrt flags?
On 03/20/2015 01:09 PM, Brian M. Torbich wrote:
Hello,
I am seeing a problem with certain PTS behavior in our multi-realm OpenAFS configuration. I can't quite seem to figure out the common denominator with the particular groups that are affected and the ones that are not.
The gist of the issue is that when authenticated against foreign realm EXAMPLE.B.COM I am unable to get the membership listing for my own username-based group.
12:29 bmtorbich@host-a ~> pts mem bmtorbich
pts: Permission denied ; unable to get membership of bmtorbich (id: 8701)
However, I have no problem getting AFS tokens or traversing the AFS volumes that I have permission to when using my foreign realm credentials. The problem is fortunately not affecting normal operation of the cell for foreign realm users. I do have both realms (EXAMPLE.A.COM and EXAMPLE.B.COM) set up in 'krb.conf'. I also have a 2-way cross-realm trust set up between the two realms.
And what is even more interesting is how I can get the membership listing of other groups via my foreign realm credentials without any problems; it is only certain groups that are affected, specifically username-based groups.
12:39 bmtorbich@host-a ~> pts mem bmtorbich:instances
Members of bmtorbich:instances (id: -7731) are:
bmtorbich
bmtorbich_mgr
bmtorbich_adm
bmtorbich_dev
What is it about other groups, or 'bmtorbich:instances' in this example, that is different from the 'bmtorbich' group? I can get the membership listing of 'bmtorbich:instances' with my foreign realm credentials, but not the membership listing of 'bmtorbich' with my foreign realm credentials.
Why do I have problems with the foreign realm credentials and not the native realm credentials? I can get membership listings of all groups just fine with the native realm (EXAMPLE.A.COM) credentials.
Is this potentially a bug relating to OpenAFS multi-realm support, or is there some other foreign realm configuration setting I am missing? None of it makes much sense, because if it were a misconfiguration I would think I would see the problem across the board, not just in certain places.
Thanks in advance for any help anyone can offer.
-Brian
--
+--------------------------------------------------------------+
/ Todd_Lewis@unc.edu  919-445-0091  http://www.unc.edu/~utoddl /
/ Those who jump off a Paris bridge are in Seine.              /
+--------------------------------------------------------------+
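A small parser for the `pts examine` output quoted in the thread, added here as an example and not part of the original mail: it reads each entry's SOMAR privacy flags and reports which entries restrict membership listing to the owner, the state the `bmtorbich` entry was in when `pts mem bmtorbich` was denied, and builds the `pts setfields` call that opened it up. The SOMAR reading (hyphen = owner and system:administrators only, lowercase = group members as well, uppercase = anyone) and the `pts setfields -access` syntax are assumed from my recollection of the pts documentation; the sample input is a constructed copy of the two entries posted above.

```python
import re
# Constructed sample: the two `pts examine` entries quoted in the thread.
PTS_EXAMINE_OUTPUT = """\
Name: bmtorbich, id: 8701, owner: system:administrators, creator: bmtorbich_adm,
  membership: 4, flags: S----, group quota: 20.
Name: bmtorbich:instances, id: -7731, owner: 0, creator: bmtorbich,
  membership: 4, flags: S-M--, group quota: 0.
"""

# Position of each privacy flag in the 5-character SOMAR string.
FLAG_INDEX = {"examine": 0, "listowned": 1, "membership": 2, "adduser": 3, "removeuser": 4}

ENTRY_RE = re.compile(
    r"Name: (?P<name>\S+), id: (?P<id>-?\d+), owner: (?P<owner>\S+), "
    r"creator: (?P<creator>\S+), membership: (?P<membership>\d+), "
    r"flags: (?P<flags>[SsOoMmAaRr-]{5}), group quota: (?P<quota>\d+)\.")

def parse_pts_examine(text):
    """Parse `pts examine` output into one dict per entry. Each entry spans
    two lines, the first ending in a comma, so fold them before matching."""
    folded = re.sub(r",\n\s*", ", ", text)
    entries = []
    for line in folded.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["id"] = int(entry["id"])
            entries.append(entry)
    return entries

def who_may(entry, action):
    """Who can perform `action` on the entry, read from its SOMAR flags.
    Assumed semantics: '-' = owner (and system:administrators) only,
    lowercase = group members as well, uppercase = any user of the cell."""
    flag = entry["flags"][FLAG_INDEX[action]]
    if flag == "-":
        return "owner"
    return "members" if flag.islower() else "anyone"

def restricted_membership(entries):
    """Entries whose membership list is owner-only: the state the
    `bmtorbich` entry was in when `pts mem bmtorbich` was denied."""
    return [e["name"] for e in entries if who_may(e, "membership") == "owner"]

def setfields_command(entry):
    """Command that opens membership listing to anyone, as done in the thread."""
    flags = list(entry["flags"])
    flags[FLAG_INDEX["membership"]] = "M"
    return f"pts setfields {entry['name']} -access {''.join(flags)}"
```

Note that an uppercase M makes the entry's membership readable by every user of the cell, foreign-realm users included; a lowercase m (members only) is the narrower setting if that is all that is needed.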