On Wed, Jul 1, 2009 at 4:52 PM, Eric Chris Garrison <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jeffrey Altman wrote:
>> Eric Chris Garrison wrote:
>>>> From: Andrew Deason <[email protected]>
>>>>> I've added an afs service principal from each of two realms to the
>>>>> KeyFile using asetkey. I've added both realms in /etc/krb.conf, the
>>>>> first two lines of the file being the two realms.
>>>> You probably want /usr/afs/etc/krb.conf (if using transarc paths), or
>>>> /etc/openafs/server/krb.conf.
>>> Thanks, that did help, I've gotten further now.
>>>
>>> What I'm seeing now though, is that although I used asetkey to add the
>>> service principal from the ADS realm to my test cell, permissions aren't
>>> working as I'd expect.
>>>
>>> So, we have realm AFSTEST.IU.EDU and ADS.IU.EDU. Both in the KeyFile and
>>> in the /usr/afs/etc/krb.conf and both listed in the /etc/krb5.conf.
>>>
>>> On a client machine, I can kinit as the original, as
>>> [email protected] and can get permissions as expected to OpenAFS
>>> directories with ACLs granted to OpenAFS user ecgarris.
>>>
>>> I would expect on a multi-realm cell, that I could come in as
>>> [email protected] and have the same permissions as
>>> [email protected], but I don't, I get permission denied. If I
>>> create a file in an anyuser-writable directory, the UNIX permissions show
>>> it as owned by ecgarris, but I still get Permission Denied when I try to
>>> access directories owned by OpenAFS ecgarris.
>>>
>>> If I make the ONLY realm ADS.IU.EDU I have the same problem as well.
>>>
>>> Does this mean if we switch domains, all existing users will need extra
>>> ACLs inserted to accommodate the new domain? Is there a better answer?
>>> Am I just missing something simple?
>>
>> it means you have done something wrong.
>
> I'm sure I have, I just don't know what yet.
>
>> what adding multiple realm names to /usr/afs/etc/krb.conf tells the AFS
>> services after a restart is that all of the specified realms should be
>> considered as sources of local authentication identities. If the
>> krb.conf file states
>>
>> ADS.IU.EDU AFSTEST.IU.EDU

wait, they should be one per line. are they?

> ...but as [email protected]:
>
> Wed Jul 1 15:58:37 2009 [6] EVENT AFS_Aud_Unauth CODE -1 STR AFS_SRX_StData
> Wed Jul 1 15:58:37 2009 [6] EVENT AFS_SRX_StData CODE 0 NAME --UnAuth--
> HOST 149.166.144.33 ID 32766 FID 536870933:2:2
>
> So the ADS.IU.EDU user is showing as unauthorized? Strange that if I
> create a file, its UNIX permissions show as owned by ecgarris though.

it's unauthenticated, not unauthorized.

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
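Added example, written for this page and not code from the thread's participants or from OpenAFS: two small checks for the diagnosis above. The first parses a server-side krb.conf and flags any line carrying more than one token, on the assumption (stated in the reply) that the file lists one realm name per line; a line such as "ADS.IU.EDU AFSTEST.IU.EDU" would otherwise be read as a single realm name that matches nothing. The second parses fileserver audit-log lines in the "EVENT ... CODE ..." layout visible in the two quoted lines and reports RPCs that ran with no authenticated identity (an AFS_Aud_Unauth event, or a NAME of --UnAuth--), so that "unauthenticated" is distinguished from "authenticated but denied". The sample krb.conf contents are constructed; the sample log lines are the two quoted in the thread, joined back onto single lines where the mailer wrapped them. The field layout beyond those two lines is an assumption.

```python
"""Checks for the two symptoms discussed in the thread (added example)."""
import re

# Constructed krb.conf contents: the suspected broken form (both realms on
# one line) and the corrected form (one realm per line, as the reply states).
BROKEN_KRB_CONF = "ADS.IU.EDU AFSTEST.IU.EDU\n"
FIXED_KRB_CONF = "ADS.IU.EDU\nAFSTEST.IU.EDU\n"

# Audit-log lines copied from the thread; the second one was wrapped by the
# mail client and is re-joined here into the single line the server wrote.
SAMPLE_AUDIT_LOG = """\
Wed Jul 1 15:58:37 2009 [6] EVENT AFS_Aud_Unauth CODE -1 STR AFS_SRX_StData
Wed Jul 1 15:58:37 2009 [6] EVENT AFS_SRX_StData CODE 0 NAME --UnAuth-- HOST 149.166.144.33 ID 32766 FID 536870933:2:2
"""


def check_krb_conf(text):
    """Return (realms, problems) for the text of a server krb.conf.

    Assumes one realm name per non-empty, non-comment line. A line with
    several whitespace-separated tokens is reported as a problem and is
    not counted as a realm, because the server would treat the whole
    line as one (nonexistent) realm name.
    """
    realms, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if len(tokens) > 1:
            problems.append("line %d holds %d tokens (%s); expected one realm per line"
                            % (lineno, len(tokens), ", ".join(tokens)))
            continue
        if line in realms:
            problems.append("line %d: realm %s listed more than once" % (lineno, line))
            continue
        realms.append(line)
    return realms, problems


# Timestamp, severity in brackets, then EVENT <name> CODE <n> and a tail of
# KEY VALUE pairs (STR, NAME, HOST, ID, FID, ...). Layout assumed from the
# two lines quoted in the thread.
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[(?P<sev>\d+)\] "
    r"EVENT (?P<event>\S+) CODE (?P<code>-?\d+)(?P<rest>.*)$")


def parse_audit_line(line):
    """Parse one audit-log line into a dict, or return None if it does not match."""
    m = AUDIT_RE.match(line)
    if m is None:
        return None
    rec = {"timestamp": m.group("ts"), "severity": int(m.group("sev")),
           "event": m.group("event"), "code": int(m.group("code"))}
    tail = m.group("rest").split()
    for key, value in zip(tail[0::2], tail[1::2]):
        rec[key] = value
    return rec


def find_unauthenticated(log_text):
    """Return records of RPCs that ran with no authenticated identity.

    Both signals appear in the thread: an AFS_Aud_Unauth event, and a
    data RPC whose NAME is --UnAuth--. The latter also carries the client
    HOST and the FID touched, which is what an operator wants to see.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        if rec["event"] == "AFS_Aud_Unauth" or rec.get("NAME") == "--UnAuth--":
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_KRB_CONF), ("fixed", FIXED_KRB_CONF)):
        realms, problems = check_krb_conf(conf)
        print("%s krb.conf: realms=%s problems=%s" % (label, realms, problems))
    for rec in find_unauthenticated(SAMPLE_AUDIT_LOG):
        print("unauthenticated RPC: %s host=%s fid=%s"
              % (rec["event"], rec.get("HOST", "?"), rec.get("FID", "?")))
```

Run it against the real files with `check_krb_conf(open("/usr/afs/etc/krb.conf").read())` and the fileserver audit log; a non-empty `problems` list from the first, or any record from the second for a client that just obtained a ticket from the newly added realm, points at the server side rather than at the ACLs.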
