Jeffrey Altman wrote:
> Eric Chris Garrison wrote:
>>> From: Andrew Deason <[email protected]>
>>>> I've added an afs service principal from each of two realms to the
>>>> KeyFile using asetkey. I've added both realms in /etc/krb.conf, the
>>>> first two lines of the file being the two realms.
>>> You probably want /usr/afs/etc/krb.conf (if using transarc paths), or
>>> /etc/openafs/server/krb.conf.
>> Thanks, that did help, I've gotten further now.
>>
>> What I'm seeing now though, is that although I used asetkey to add the
>> service principal from the ADS realm to my test cell, permissions aren't
>> working as I'd expect.
>>
>> So, we have realm AFSTEST.IU.EDU and ADS.IU.EDU. Both in the KeyFile and
>> in the /usr/afs/etc/krb.conf and both listed in the /etc/krb5.conf.
>>
>> On a client machine, I can kinit as the original, as
>> [email protected] and can get permissions as expected to OpenAFS
>> directories with ACLs granted to OpenAFS user ecgarris.
>>
>> I would expect on a multi-realm cell, that I could come in as
>> [email protected] and have the same permissions as
>> [email protected], but I don't, I get permission denied. If I
>> create a file in an anyuser-writable directory, the UNIX permissions show
>> it as owned by ecgarris, but I still get Permission Denied when I try to
>> access directories owned by OpenAFS ecgarris.
>>
>> If I make the ONLY realm ADS.IU.EDU I have the same problem as well.
>>
>> Does this mean if we switch domains, all existing users will need extra
>> ACLs inserted to accommodate the new domain? Is there a better answer?
>> Am I just missing something simple?
>
> it means you have done something wrong.
I'm sure I have, I just don't know what yet.

> what adding multiple realm names to /usr/afs/etc/krb.conf tells the AFS
> services after a restart is that all of the specified realms should be
> considered as sources of local authentication identities. If the
> krb.conf file states
>
> ADS.IU.EDU AFSTEST.IU.EDU

It does.

> then both the name [email protected] and [email protected] will
> be treated as "ecgarris".

They aren't.

> When debugging authentication you should turn auditing on for all of
> your services so that you can see what the authentication identities are
> from the perspective of each service.

I turned auditing on and I do see a difference in the fileserver audit:

[email protected]:

Wed Jul 1 15:59:13 2009 [7] EVENT AFS_SRX_FchStat CODE 0 NAME ecgarris HOST 129.79.43.73 ID 32766 FID 536870918:1:1

...but as [email protected]:

Wed Jul 1 15:58:37 2009 [6] EVENT AFS_Aud_Unauth CODE -1 STR AFS_SRX_StData
Wed Jul 1 15:58:37 2009 [6] EVENT AFS_SRX_StData CODE 0 NAME --UnAuth-- HOST 149.166.144.33 ID 32766 FID 536870933:2:2

So the ADS.IU.EDU user is showing as unauthorized? Strange that if I create a
file, its UNIX permissions show as owned by ecgarris though.

> I would also verify that the keytabs that you are using are in fact
> correct. You can do so using the MIT Kerberos kvno command. Obtain a
> TGT for [email protected] and then issue:
>
> kvno -k <keytab> afs/[email protected]
>
> If the key verifies then it can be imported into the AFS KeyFile and
> distributed to all of your services.

It does verify, with kvno = 6, which is not the same as the other service
principal's kvno.

So what else could be wrong?
Chris

-- 
Eric Chris Garrison | Principal Mass Storage Specialist
[email protected] | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: [email protected]

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
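The debugging step Jeffrey suggests above (turn on auditing and look at what identity each service actually sees) produces records like the two the poster quotes. The following is an added example, not code from the original message or from the OpenAFS project: a small parser for fileserver audit records in that single-line format that pulls out the RPCs the server handled without an authenticated identity (an AFS_Aud_Unauth marker event, or a per-RPC record whose NAME is --UnAuth--) and tallies authenticated versus unauthenticated calls per client address. The embedded sample is constructed here, modelled on the records quoted in the post; the fourth line is invented to show a second authenticated call from the same host. Field names beyond NAME, HOST, ID, FID and STR are not parsed, since the post shows no others.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the fileserver audit records quoted in the
# e-mail above. The first three lines are the ones from the post; the fourth
# is made up here to show a second authenticated record from the same host.
SAMPLE_AUDIT = """\
Wed Jul  1 15:58:37 2009 [6] EVENT AFS_Aud_Unauth CODE -1 STR AFS_SRX_StData
Wed Jul  1 15:58:37 2009 [6] EVENT AFS_SRX_StData CODE 0 NAME --UnAuth-- HOST 149.166.144.33 ID 32766 FID 536870933:2:2
Wed Jul  1 15:59:13 2009 [7] EVENT AFS_SRX_FchStat CODE 0 NAME ecgarris HOST 129.79.43.73 ID 32766 FID 536870918:1:1
Wed Jul  1 15:59:20 2009 [7] EVENT AFS_SRX_StData CODE 0 NAME ecgarris HOST 129.79.43.73 ID 32766 FID 536870918:1:1
"""

# One audit record: ctime-style timestamp, [thread id], EVENT name, CODE,
# then an event-specific tail of "KEY value" pairs (NAME, HOST, ID, FID, STR).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"\[(?P<tid>\d+)\] EVENT (?P<event>\S+) CODE (?P<code>-?\d+)(?P<rest>.*)$"
)
KV_RE = re.compile(r"\b(NAME|HOST|ID|FID|STR) (\S+)")

UNAUTH_NAME = "--UnAuth--"   # identity the fileserver logs for anonymous calls


def parse_audit_line(line):
    """Return a dict for one audit record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": m.group("ts"),
        "tid": int(m.group("tid")),
        "event": m.group("event"),
        "code": int(m.group("code")),
    }
    # findall() yields (key, value) tuples; unknown keys in the tail are ignored.
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def parse_audit(text):
    """Parse every well-formed record in an audit log body, skipping the rest."""
    recs = (parse_audit_line(l) for l in text.splitlines())
    return [r for r in recs if r is not None]


def is_unauth(rec):
    """True when the server handled the call with no authenticated identity.

    Two signals appear in the quoted log: the explicit AFS_Aud_Unauth marker
    event, and the per-RPC record carrying NAME --UnAuth--.
    """
    return rec["event"] == "AFS_Aud_Unauth" or rec.get("NAME") == UNAUTH_NAME


def find_unauth(recs):
    """All records that indicate an unauthenticated RPC, in log order."""
    return [r for r in recs if is_unauth(r)]


def summarize_by_host(recs):
    """Count authenticated vs. unauthenticated RPCs per client address.

    Marker events carry no HOST field and are skipped; the per-RPC record
    that follows them carries the address and is counted instead.
    """
    summary = defaultdict(lambda: {"auth": 0, "unauth": 0, "names": set()})
    for r in recs:
        host = r.get("HOST")
        if host is None:
            continue
        bucket = "unauth" if is_unauth(r) else "auth"
        summary[host][bucket] += 1
        summary[host]["names"].add(r.get("NAME", "?"))
    return dict(summary)


if __name__ == "__main__":
    records = parse_audit(SAMPLE_AUDIT)
    for r in find_unauth(records):
        print("UNAUTH", r["ts"], r["event"], r.get("HOST", "-"), r.get("STR", ""))
    for host, s in sorted(summarize_by_host(records).items()):
        print(host, "auth=%d unauth=%d names=%s"
              % (s["auth"], s["unauth"], sorted(s["names"])))
```

Run against a real fileserver audit log, the per-host summary shows at a glance which client addresses are arriving as --UnAuth-- while others map to a named user, which is the comparison the poster made by eye between the two quoted records. The parser assumes the one-record-per-line layout shown in the post; records with additional fields still parse, but only the five listed keys are extracted.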
