> From: Andrew Deason <[email protected]>
> > I've added an afs service principal from each of two realms to the
> > KeyFile using asetkey. I've added both realms in /etc/krb.conf, the
> > first two lines of the file being the two realms.
>
> You probably want /usr/afs/etc/krb.conf (if using transarc paths), or
> /etc/openafs/server/krb.conf.

Thanks, that did help, I've gotten further now.

What I'm seeing now, though, is that although I used asetkey to add the service principal from the ADS realm to my test cell, permissions aren't working as I'd expect.

So, we have realm AFSTEST.IU.EDU and ADS.IU.EDU. Both are in the KeyFile and in the /usr/afs/etc/krb.conf, and both are listed in the /etc/krb5.conf.

On a client machine, I can kinit as the original, as [email protected], and can get permissions as expected to OpenAFS directories with ACLs granted to OpenAFS user ecgarris.

I would expect on a multi-realm cell that I could come in as [email protected] and have the same permissions as [email protected], but I don't; I get permission denied.

If I create a file in an anyuser-writable directory, the UNIX permissions show it as owned by ecgarris, but I still get Permission Denied when I try to access directories owned by OpenAFS ecgarris.

If I make the ONLY realm ADS.IU.EDU, I have the same problem as well.

Does this mean if we switch domains, all existing users will need extra ACLs inserted to accommodate the new domain? Is there a better answer? Am I just missing something simple?

Thanks!

Chris

--
Eric Chris Garrison | Principal Mass Storage Specialist
[email protected] | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: [email protected]
