Re: [OpenAFS] Re: OpenAFS and AD trusts

[Danko Antolovic]

Let me revisit the discussion about AD trusts and foreign users. I 
authenticate to my AFS as a foreign user, danto...@iu.edu, via the AD 
trust that the AFS authentication domain, RESOURCE.NET, has with my 
user-authentication domain, IU.EDU.  aklog sets up the appropriate 
foreign-realm group and user:

[root@afs1c afs]# pts  listentries -groups  -noauth
Name                          ID  Owner Creator
system:administrators       -204   -204    -204
system:backup               -205   -204    -204
system:anyuser              -101   -204    -204
system:authuser             -102   -204    -204
system:ptsviewers           -203   -204    -204
system:authu...@iu.edu      -207   -204       2
[root@afs1c afs]# pts  membership  system:authu...@iu.edu  -noauth
Members of system:authu...@iu.edu (id: -207) are:
 danto...@iu.edu

[root@afs1c afs]# pts  listentries -users  -noauth
Name                          ID  Owner Creator
anonymous                  32766   -204    -204
afs                            1   -204   32766
dantolov                       2   -204   32766
danto...@iu.edu          1507121   -204    -204

and I get a normal-looking token as a foreign user:

[root@afs1c afs]# tokens
Tokens held by the Cache Manager:
User's (AFS ID 1507121) tokens for a...@afs1.bedrock.iu.edu [Expires Sep 
15 19:08]
  --End of list--


However, this does not let me touch the files in the cell. Trying to add 
the foreign-realm group to the directory ACL, like this:

[root@afs1c afs]# fs  setacl -dir  /afs/afs1.bedrock.iu.edu  -acl 
system:authu...@iu.edu  rlidwka

does not seem to work, and just adds the group system:authuser to the 
ACL once more:

[root@afs1c afs]# fs listacl  /afs/afs1.bedrock.iu.edu
Access list for /afs/afs1.bedrock.iu.edu is
Normal rights:
 system:administrators rlidwka
 system:authuser rlidwka
 system:authuser rlidwka
 system:anyuser rl


The documentation says that broadening the privileges of system:anyuser 
grants access to foreign users, but that is too indiscriminate. Is there 
a way to selectively assign access rights to foreign-realm groups?

Thanks,

Danko Antolovic


Andrew Deason wrote:
On Tue, 19 Jul 2011 13:52:08 -0400
"Danko Antolovic" <danto...@indiana.edu> wrote:

  
[root@afs1c afs]# pts adduser -user dantolov  -group  system:authu...@iu.edu
-noauth
    

No, don't do this. In your setup, the _only_ user that will be
recognized as "dantolov" is someone that authenticates with the
principal danto...@resource.net, which, if I understand correctly, does
not exist, so there should not be a user called "dantolov" at all. The
user that authenticates via the kerberos principal danto...@iu.edu will
have the AFS PT name "danto...@iu.edu" if IU.EDU is not in krb.conf.

  
Predictably, when I authenticate as a foreign user (via trust), I can't
touch the files in /afs/afs1.bedrock.iu.edu  
    

aklog is supposed to automatically create the user danto...@iu.edu and
add it to system:authu...@iu.edu for you; you don't need to do it
yourself. Does danto...@iu.edu exist? What does aklog say when you give
it the -d option when you authenticate with danto...@iu.edu ?

  

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info