Hello,

I am seeing a problem with certain PTS behavior in our multi-realm OpenAFS configuration. I can't quite seem to figure out the common denominator between the particular groups that are affected and the ones that are not.

The gist of the issue is that when authenticated against foreign realm EXAMPLE.B.COM, I am unable to get the membership listing for my own username-based group.

    12:29 bmtorbich@host-a ~> pts mem bmtorbich
    pts: Permission denied ; unable to get membership of bmtorbich (id: 8701)

However, I have no problem getting AFS tokens or traversing the AFS volumes that I have permission to when using my foreign realm credentials. The problem is fortunately not affecting normal operation of the cell for foreign realm users.

I do have both realms (EXAMPLE.A.COM and EXAMPLE.B.COM) set up in 'krb.conf'. I also have a 2-way cross-realm trust set up between the two realms.

And what is even more interesting is how I can get the membership listing of other groups via my foreign realm credentials without any problems - it is only certain groups that are affected. Specifically username-based groups.

    12:39 bmtorbich@host-a ~> pts mem bmtorbich:instances
    Members of bmtorbich:instances (id: -7731) are:
      bmtorbich
      bmtorbich_mgr
      bmtorbich_adm
      bmtorbich_dev

What is it about other groups, or 'bmtorbich:instances' in this example, that is different from the 'bmtorbich' group? I can get the membership listing of 'bmtorbich:instances' with my foreign realm credentials, but not the membership listing of 'bmtorbich' with my foreign realm credentials.

Why do I have problems with the foreign realm credentials and not the native realm credentials? I can get membership listings of all groups just fine with the native realm (EXAMPLE.A.COM) credentials.

Is this potentially a bug relating to OpenAFS multi-realm support, or is there some other foreign realm configuration setting I am missing? None of it makes much sense because if it were a misconfiguration I would think I would see the problem across the board, not just in certain places.

Thanks in advance for any help anyone can offer.

-Brian
