Hi All-

This started as a much longer post, which I just filed away in my drafts folder because I may be able to distill it down to something more succinct.
Questions:

1) As an AFS user defined in the pts database (without admin privileges), should I be able to see foreign cells that are mounted at /afs/foreign_cell when logged in to any client machine that mounts the AFS filesystem at /afs? I can see them when I'm logged in as such a user to the _server_ machine (also configured as a client), but not when logged in as such a user to a client-only machine. Do I have to explicitly make each foreign cell available on each client machine somehow?

2) The login process on the client machine automatically (using pam) obtains both a krbtgt and an afs service ticket (I'm using MIT Kerberos 5 for auth). Immediately after logging in, the output of the tokens command is:

    [EMAIL PROTECTED]:~> /usr/afsws/bin/tokens

    Tokens held by the Cache Manager:

    Tokens for [EMAIL PROTECTED] [Expires ...]
       --End of list--
    [EMAIL PROTECTED]:~>

(It doesn't list the user's AFS ID.) But when I kinit as this same user on the server machine, and then do aklog (not the pam-guided login process on the client-only machine), and then do a tokens command, I get:

    Tokens held by the Cache Manager:

    User's (AFS ID 1000) tokens for [EMAIL PROTECTED] [Expires...]

The tokens command is the very same binary file in each case, made available to the client-only machine via the AFS filesystem. Apparently, the kinit/aklog process does something slightly different than the pam-assisted one-step login process: it is seeing and pulling in to the Cache Manager the AFS ID, whereas the pam-assisted login process (which does obtain the krbtgt as kinit would, and the afs/[EMAIL PROTECTED] service ticket, and apparently also the AFS token [EMAIL PROTECTED]) does not bring the AFS ID along.

So my question (2) is: is this absence of the AFS ID, as seen in the output of the tokens command, going to cause me any problems?
Both the AFS server/client and the AFS client-only machines are i386_linux24 machines running the SuSE 9 distro as a base, but with MIT Kerberos 5 built from source and OpenAFS 1.2.11 also built from source. The pam configuration queries an OpenLDAP server for user data first, then the local /etc/passwd files if that fails, then gets Kerberos tickets (I think I have the ordering correct here).

But I'm worried that something subtle (and problematic) may be associated with the absence of the AFS ID in the output of the tokens command. As this user, I can see files in my local cell's AFS filesystem with an ACL of system:authuser rl, so that much is working, but could this be a problem elsewhere?

This turned out to be longer than I had hoped, but still much less lengthy than what I filed away. Apologies for the length. TIA for any help.

-Kevin

_______________________________________________
OpenAFS-info mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-info
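The two shapes of `tokens` output quoted in the post (a token line with "User's (AFS ID N)" after kinit+aklog, and a bare "Tokens for afs@cell" line after the pam login) are easy to check mechanically. The POSIX shell helper below is an added example, not code from the post, from OpenAFS or from any pam module: it parses `tokens` output and reports, per cell, whether the token carries an AFS ID, so the difference Kevin describes can be spotted on any client (for example from a login script) rather than by eye. The sample outputs are constructed, and the cell names `example.org` and `foreign.example` are assumptions. The token line formats themselves are taken from the post; the only thing the parser assumes beyond that is that the cell name contains no spaces.

```shell
#!/bin/sh
# Added example: parse OpenAFS `tokens` output and report, per cell, whether
# the token carries an AFS ID. Not part of OpenAFS or of the post above.

# Constructed sample outputs (cell names are assumptions), in the two shapes
# quoted in the post: pam login (no AFS ID) and kinit+aklog (AFS ID present),
# plus a mixed case with a foreign cell whose token lacks an ID.
PAM_TOKENS=$(cat <<'EOF'
Tokens held by the Cache Manager:

Tokens for afs@example.org [Expires Jun 10 08:00]
   --End of list--
EOF
)
AKLOG_TOKENS=$(cat <<'EOF'
Tokens held by the Cache Manager:

User's (AFS ID 1000) tokens for afs@example.org [Expires Jun 10 08:00]
   --End of list--
EOF
)
MIXED_TOKENS=$(cat <<'EOF'
Tokens held by the Cache Manager:

User's (AFS ID 1000) tokens for afs@example.org [Expires Jun 10 08:00]
Tokens for afs@foreign.example [Expires Jun 10 08:00]
   --End of list--
EOF
)

# token_summary TEXT: print one line per token as "<cell> <afsid|NONE>".
# The first sed expression matches the aklog shape, the second the pam shape;
# every other line of the output (header, "--End of list--") is dropped.
token_summary() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^User.s (AFS ID \([0-9][0-9]*\)) tokens for afs@\([^ ]*\) .*/\2 \1/p' \
        -e 's/^Tokens for afs@\([^ ]*\) .*/\1 NONE/p'
}

# afs_id_for_cell TEXT CELL: print the AFS ID held for CELL, or NONE when the
# token has no ID; exit status 1 when there is no token for CELL at all.
afs_id_for_cell() {
    _id=$(token_summary "$1" | awk -v c="$2" '$1 == c { print $2; exit }')
    [ -n "$_id" ] || return 1
    printf '%s\n' "$_id"
}

# cells_without_afs_id TEXT: print the cells whose token lacks an AFS ID, one
# per line; exit status 0 when every token has one, 1 otherwise.
cells_without_afs_id() {
    _missing=$(token_summary "$1" | awk '$2 == "NONE" { print $1 }')
    [ -z "$_missing" ] && return 0
    printf '%s\n' "$_missing"
    return 1
}

# Demonstration on the constructed samples.
echo "pam login:   $(token_summary "$PAM_TOKENS")"
echo "kinit/aklog: $(token_summary "$AKLOG_TOKENS")"
echo "mixed:       $(token_summary "$MIXED_TOKENS" | tr '\n' ';')"
```

To run the check against a live client, pass the real command's output instead of a sample, e.g. `cells_without_afs_id "$(/usr/afsws/bin/tokens)"`, and treat a non-zero exit as "this login path set a token without an AFS ID". aklog fills that ID in by looking the principal up in the protection database (its `-noprdb` option skips the lookup), which is why comparing the two login paths this way isolates exactly the difference the post describes.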
