> Would someone believe that I'm so stupid to put into UserList usernames in
> a syntax of kerberos5 and NOT kerberos4? Thanks to Johan Danielson who
> pointed me to this problem.

From changelog:

* src/auth/userok.c: DELTA afs-superuser-foreign-realm-checks-20010514 AUTHOR [EMAIL PROTECTED]

This rewrite cleans up the code a bit, removes any athena specific
references (not needed anymore in this version), and adds support
for multi realm management of afs servers (you can now specify
"admin@OTHERREALM" in your userlist).

Code now checks as follows:

    tname tinst - remote user info from conn tcell lcell - local cell
    lrealm - local realm (defaults to lcell if not avail)

    if no remote cell or instance
        allow localauth
    if the cell of the remote connection matches local cell or local realm
        if not tinst
            allow if tname in UserList
        if tinst
            allow if tname.tinst in UserList
    if cell doesn't match local cell or realm
        if not tinst
            allow if tname@cell in UserList
            allow if tname@CELL in UserList
        if tinst
            allow if tname.tinst@cell in UserList
            allow if tname.tinst@CELL in UserList

modified per openafs-devel discussion such that krb5 versions
(/tinst rather than .tinst) code path disabled for now

DELTA some-name-yyyymmdd AUTHOR [EMAIL PROTECTED]

Sounds like we just have the krb5 style syntax disabled at the moment... I don't
remember the discussion, so I'm not sure why that is the case.
Seems to me that enabling the krb5 syntax is a step in the right direction.

> Yes, having [EMAIL PROTECTED] there was my problem and that was the
> reason why my AFS authentication did not work (kerberos KDC worked and
> issued tickets for me, also AFS tokens), but ptserver/fs and others said
> always "Permission denied".
>
> Would be nice if bosserver and ptserver would check that users specified
> are entered in the [EMAIL PROTECTED] way. Probably syntax checking of
> the whole UserList file during startup would be the best and when
> inserting new users into the list. :)
>
>
> > > # pts examine -nameorid 3 -force -noauth
> > > Name: mokrejs/admin, id: 3, owner: system:administrators, creator: anonymous,
> > > membership: 1, flags: S----, group quota: unlimited.
> > > # pts examine -nameorid 4 -force -noauth
> > > Name: mokrejs, id: 4, owner: system:administrators, creator: anonymous,
> > > membership: 0, flags: S----, group quota: 20.
> > > # pts examine mokrejs/admin -noauth
> > > Name: mokrejs/admin, id: 3, owner: system:administrators, creator: anonymous,
> > > membership: 1, flags: S----, group quota: unlimited.
> > > #
> > >
> > > I think [EMAIL PROTECTED] might not be converted to [EMAIL PROTECTED] at least,
> > > at the best the "@GSF.DE" could be removed from the string, if it's really
> > > causing lookup failure. Any opinions?
>
> --
> Martin Mokrejs <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
> MIPS / Institute for Bioinformatics <http://mips.gsf.de>
> GSF - National Research Center for Environment and Health
> Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
> tel.: +49-89-3187 3683 , fax: +49-89-3187 3585
>
> _______________________________________________
> OpenAFS-devel mailing list
> [EMAIL PROTECTED]
> https://lists.openafs.org/mailman/listinfo/openafs-devel
>
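
The lookup order from the changelog quoted above, as an added example (not part of the original mail and not the code in src/auth/userok.c). It models only the krb4-style UserList lookups, leaves out the localauth branch, and adds a check for krb5-style entries along the lines of the startup syntax check suggested in the thread; the function names, buffer sizes, exact string comparison and the sample entry are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if name is an entry of the NULL-terminated list. */
static int in_list(const char *const *list, const char *name)
{
    for (; *list; list++)
        if (strcmp(*list, name) == 0)
            return 1;
    return 0;
}

/* Added model of the UserList lookups in the changelog (not userok.c itself):
 * krb4 "tname.tinst" form only, no localauth branch; tinst is "" if absent. */
int userlist_allows(const char *const *list, const char *tname,
                    const char *tinst, const char *tcell,
                    const char *lcell, const char *lrealm)
{
    char who[128], cand[256], ucell[64];
    size_t i;

    snprintf(who, sizeof who, "%s%s%s", tname, *tinst ? "." : "", tinst);
    /* Local user: remote cell equals the local cell or local realm. */
    if (strcmp(tcell, lcell) == 0 || strcmp(tcell, lrealm) == 0)
        return in_list(list, who);
    /* Foreign user: try who@cell, then who@CELL. */
    snprintf(cand, sizeof cand, "%s@%s", who, tcell);
    if (in_list(list, cand))
        return 1;
    for (i = 0; tcell[i] && i < sizeof ucell - 1; i++)
        ucell[i] = (char)toupper((unsigned char)tcell[i]);
    ucell[i] = '\0';
    snprintf(cand, sizeof cand, "%s@%s", who, ucell);
    return in_list(list, cand);
}

/* Startup-style check: a '/' before any '@' marks a krb5-style entry,
 * which the krb4-only lookups above can never match. */
int is_krb5_style(const char *entry)
{
    const char *at = strchr(entry, '@'), *slash = strchr(entry, '/');
    return slash && (!at || slash < at);
}

int main(void)
{   /* Constructed entry in the krb5 form from the thread. */
    puts(is_krb5_style("mokrejs/admin") ? "krb5-style entry" : "ok");
    return 0;
}
```

With a UserList holding only `mokrejs/admin`, a connection identified as name `mokrejs`, instance `admin` is looked up as `mokrejs.admin` and is refused, which matches the "Permission denied" symptom described in the thread.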