Hey,
We are trying to tidy things up with our administrator principals in
kerberos and AFS.
Rather than having our normal accounts in the AFS system:administrators
group, we thought it would be better to use the /admin principals we use in
Kerberos.
However, we are having some difficulties which seem to be caused by the
slashes in the principal names.
Both principals are in the system:administrators group (this was run when
authenticated as bobb.crosbie)
bobb@ophelia:~$ pts membership bobb.crosbie
Groups bobb.crosbie (id: 5021) is a member of:
system:administrators
bobb@ophelia:~$ pts membership bobb.crosbie/admin
Groups bobb.crosbie/admin (id: 4021) is a member of:
system:administrators
Both principals are also SUsers:
bobb@ophelia:~$ bos listusers -server afs01
bos: running unauthenticated
SUsers are: admin bobb.crosbie bobb.crosbie/admin [....]
Authenticating as bobb.crosbie works fine:
bobb@ophelia:~$ kdestroy; unlog; kinit bobb.crosbie; aklog
Password for [email protected]:
bobb@ophelia:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]
Valid starting Expires Service principal
01/05/12 12:24:06 01/05/12 20:24:06 krbtgt/[email protected]
renew until 01/06/12 12:23:03
01/05/12 12:24:06 01/05/12 20:24:06 afs/[email protected]
renew until 01/06/12 12:23:03
bobb@ophelia:~$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 5021) tokens for [email protected] [Expires Jan 5 20:24]
--End of list--
I can authenticate against kerberos as bobb.crosbie/admin
bobb@ophelia:~$ kdestroy; unlog; kinit bobb.crosbie/admin; aklog; klist; tokens
Password for bobb.crosbie/[email protected]:
bobb@ophelia:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bobb.crosbie/[email protected]
Valid starting Expires Service principal
01/05/12 12:24:46 01/05/12 20:24:46 krbtgt/[email protected]
renew until 01/06/12 12:23:44
01/05/12 12:24:46 01/05/12 20:24:46 afs/[email protected]
renew until 01/06/12 12:23:44
But I don't seem to get a proper token from AFS - There's no: "(AFS ID
4021)" bit
bobb@ophelia:~$ tokens
Tokens held by the Cache Manager:
Tokens for [email protected] [Expires Jan 5 20:24]
--End of list--
And bobb.crosbie/admin doesn't have permission to look at group memberships
bobb@ophelia:~$ pts membership bobb.crosbie/admin
pts: Permission denied ; unable to get membership of bobb.crosbie/admin (id: 4021)
Everything seems to work fine if we create another principal in kerberos
without the slash (bobbadmin, say), create that user in pts and add it
to the system:administrators group. The slash seems to be the only issue.
Any ideas?
Are users/principals with slashes supported? Or is it recommended to do
things another way?
A number of documents (like this:
http://techpubs.spinlocksolutions.com/dklar/afs.html) suggest that slashes
are used.
Many Thanks,
- bobb
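An added helper, not part of the post above and not OpenAFS code, that models how a Kerberos principal name is turned into the pts user name that is looked up when a token is obtained. It assumes the convention (which the post does not state) that the first two principal components are joined with a '.', so user/admin is looked up as user.admin rather than user/admin; EXAMPLE.COM and the pts listing are constructed placeholders.

```python
import re

# Assumption: aklog-style mapping, components joined with '.'; this is a
# hypothetical model written for this post, not OpenAFS's own code.

def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm).

    Backslash-escaped '/' and '@' inside a component are kept literal,
    as the Kerberos principal syntax allows.
    """
    name, _, realm = re.split(r'(?<!\\)@', principal, maxsplit=1) + [None, None] \
        if False else (lambda p: (p[0], None, p[1] if len(p) > 1 else None))(
            re.split(r'(?<!\\)@', principal, maxsplit=1))
    components = [c.replace('\\/', '/').replace('\\@', '@')
                  for c in re.split(r'(?<!\\)/', name)]
    return components, realm


def afs_username(principal, cell_realm):
    """Return the pts name looked up for a principal in the cell's own realm.

    'user' stays 'user'; 'user/instance' becomes 'user.instance'.
    Cross-realm users are mapped differently and are out of scope here,
    so a foreign realm is rejected rather than guessed at.
    """
    components, realm = parse_principal(principal)
    if not components or not components[0]:
        raise ValueError(f"empty principal: {principal!r}")
    if realm is not None and realm.upper() != cell_realm.upper():
        raise ValueError(f"foreign realm {realm!r} not handled by this model")
    name = components[0]
    if len(components) > 1 and components[1]:
        name += "." + components[1]
    return name


def check_admin_mapping(principal, cell_realm, pts_names):
    """Return (pts_name, present) so an admin can see why a token lacks an AFS ID.

    pts_names is the set of existing pts user entries, e.g. taken from
    'pts listentries'; a name that is absent yields a token with no AFS ID.
    """
    name = afs_username(principal, cell_realm)
    return name, name in pts_names


if __name__ == "__main__":
    # Constructed pts listing mirroring the post: the entry was created
    # with a slash, so the dotted name the lookup uses does not exist.
    existing = {"admin", "bobb.crosbie", "bobb.crosbie/admin"}
    print(check_admin_mapping("bobb.crosbie/admin@EXAMPLE.COM", "EXAMPLE.COM", existing))
```

Running it reports ('bobb.crosbie.admin', False): the dotted name is what would need a pts entry in system:administrators, while the slashed entry is never consulted.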