[OpenAFS] permission issue when trying to switch kerberos realms.
Tim Piessens
piessens@icsense.com
Mon, 15 Jan 2018 12:49:37 +0100
Hi all,
Can somebody shed some light on this issue?
We are trying to switch between Kerberos realms (and servers).
original: X.COM
new: X.BIZ
cell: x.com
I have created a new Kerberos service principal afs/x.com@X.BIZ in the new Kerberos server.
I have added the realm to the krb5.conf file.
On the client, I can kinit / aklog for both user@X.COM and user@X.BIZ.
Both give me a token for afs-UID 1000.
But when I try to access a folder with the X.COM token it works; with the X.BIZ token I get a permission denied.
What could be the root cause?
How can I debug this?
Thanks,
Tim
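The following is an added example, not code from the post above and not OpenAFS's own code. It models how an OpenAFS server maps the Kerberos client principal in a token to the name it looks up in PTS, which is the first thing to check when a token from a second realm is denied: a principal whose realm is one of the cell's local realms is looked up as the bare user name, while a principal from any other realm is looked up as "user@realm" (realm lower-cased), a separate PTS identity that needs its own entry and its own ACL rights. The example assumes (labelled as such in the comments) that by default the only local realm is the cell name upper-cased, that additional local realms come from the server-side krb.conf file, and that the server does this mapping itself rather than trusting the AFS ID the client prints with `tokens`. `LOCAL_REALMS`, the `afs_pts_name` and `afs_acl_allows` helpers and the ACL text are all constructed for the illustration.

```sh
#!/bin/sh
# Added example, not code from the original post or from OpenAFS itself.
# Models the name mapping an OpenAFS server applies to the Kerberos client
# principal carried in a token before looking it up in PTS:
#   realm is one of the cell's local realms -> bare user name ("user")
#   any other realm                         -> "user@realm" (realm lower-cased)
# Assumption (labelled): by default the only local realm is the cell name
# upper-cased (cell x.com -> X.COM); extra local realms are the ones listed in
# the server-side krb.conf. LOCAL_REALMS is a constructed stand-in for that file.
LOCAL_REALMS="X.COM"

# afs_pts_name PRINCIPAL [LOCAL_REALMS]
# Print the PTS name a server would look up for PRINCIPAL, given a
# space-separated list of local realms (defaults to $LOCAL_REALMS).
afs_pts_name() {
    princ=$1
    realms=${2:-$LOCAL_REALMS}
    case $princ in
        *@*) ;;
        *) printf '%s\n' "$princ"; return 0 ;;   # no realm part: already a bare name
    esac
    user=${princ%@*}
    realm=${princ##*@}
    for r in $realms; do
        if [ "$r" = "$realm" ]; then
            printf '%s\n' "$user"
            return 0
        fi
    done
    # Foreign realm: the identity becomes user@realm, which must exist in PTS
    # and appear on the ACL separately from the bare "user" entry.
    printf '%s@%s\n' "$user" "$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')"
}

# Constructed ACL for the folder in the post: only the local user is listed.
ACL="system:administrators rlidwka
user rlidwka"

# afs_acl_allows PRINCIPAL [LOCAL_REALMS]
# Print "allowed" or "denied" depending on whether the mapped name has any
# entry on the constructed ACL (a real check would also compare the rights).
afs_acl_allows() {
    name=$(afs_pts_name "$1" "${2:-$LOCAL_REALMS}")
    if printf '%s\n' "$ACL" | grep -q "^$name "; then
        echo allowed
    else
        echo denied
    fi
}

# Reproduce the symptom from the post, then the effect of making X.BIZ local.
afs_acl_allows user@X.COM                  # allowed: looked up as "user"
afs_acl_allows user@X.BIZ                  # denied: looked up as "user@x.biz"
afs_acl_allows user@X.BIZ "X.COM X.BIZ"    # allowed once X.BIZ counts as local
```

On the real cell the corresponding checks are `fs listacl <folder>` to see which PTS names are on the ACL, and `pts examine user@x.biz -cell x.com` to see whether the foreign-realm identity exists at all; `tokens` on the client only shows what aklog looked up, not what the fileserver decides. To make the new realm count as local, list X.BIZ in the server-side krb.conf (under the Transarc layout /usr/afs/etc/krb.conf; on Debian-style installs /etc/openafs/server/krb.conf) and restart the servers; the alternative is to give user@x.biz its own PTS entry and ACL rights, which is what the mapping above implies.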