Todd,

I saw the following:

Name: bmtorbich, id: 8701, owner: system:administrators, creator: bmtorbich_adm, membership: 4, flags: S----, group quota: 20.
Name: bmtorbich:instances, id: -7731, owner: 0, creator: bmtorbich, membership: 4, flags: S-M--, group quota: 0.

I added the M flag to my 'bmtorbich' group and the issue is fixed. I can now see the membership listing via the foreign realm credentials, as well as the native realm credentials.

Thanks for your help!

-Brian

From: Todd Lewis [mailto:[email protected]]
Sent: Friday, March 20, 2015 1:27 PM
To: Brian M. Torbich
Subject: Re: [OpenAFS] Cross-realm PTS issue

flags? What do you get for

    pts exa bmtorbich bmtorbich:instances

especially wrt flags?

On 03/20/2015 01:09 PM, Brian M. Torbich wrote:

Hello,

I am seeing a problem with certain PTS behavior in our multi-realm OpenAFS configuration. I can't quite seem to figure out the common denominator with the particular groups that are affected; and the ones that are not.

The gist of the issue is when authenticated against foreign realm EXAMPLE.B.COM I am unable to get the membership listing for my own username-based group.

12:29 bmtorbich@host-a ~> pts mem bmtorbich
pts: Permission denied ; unable to get membership of bmtorbich (id: 8701)

However, I have no problem getting AFS tokens or traversing the AFS volumes that I have permission to when using my foreign realm credentials. The problem is fortunately not affecting normal operation of the cell for foreign realm users.

I do have both realms (EXAMPLE.A.COM and EXAMPLE.B.COM) set up in 'krb.conf'. I also have a 2-way cross-realm trust set up between the two realms.

And what is even more interesting is how I can get the membership listing of other groups via my foreign realm credentials without any problems - it is only certain groups that are affected. Specifically username-based groups.

12:39 bmtorbich@host-a ~> pts mem bmtorbich:instances
Members of bmtorbich:instances (id: -7731) are:
  bmtorbich
  bmtorbich_mgr
  bmtorbich_adm
  bmtorbich_dev

What is it about other groups, or 'bmtorbich:instances' in this example, that is different from the 'bmtorbich' group? I can get the membership listing of 'bmtorbich:instances' with my foreign realm credentials, but not the membership listing of 'bmtorbich' with my foreign realm credentials.

Why do I have problems with the foreign realm credentials and not the native realm credentials? I can get membership listings of all groups just fine with the native realm (EXAMPLE.A.COM) credentials.

Is this potentially a bug relating to OpenAFS multi-realm support or is there some other foreign realm configuration setting I am missing? None of it makes much sense because if it were a misconfiguration I would think I would see the problem across the board, not just in certain places.

Thanks in advance for any help anyone can offer.

-Brian

--
+--------------------------------------------------------------+
/ [email protected] 919-445-0091 http://www.unc.edu/~utoddl /
/ Those who jump off a Paris bridge are in Seine. /
+--------------------------------------------------------------+
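
An added example, not part of the thread or of OpenAFS: a small Python check that parses `pts examine` output and reports entries whose third flag is not `M`, the flag changed in the fix described above. The sample text is constructed from the two entries quoted in the thread; the function names are hypothetical, and the flag meanings are taken from the pts documentation.

```python
import re

# Constructed sample: the two `pts examine` entries quoted in the thread,
# as they looked before the M flag was added to 'bmtorbich'.
SAMPLE = """\
Name: bmtorbich, id: 8701, owner: system:administrators, creator: bmtorbich_adm,
  membership: 4, flags: S----, group quota: 20.
Name: bmtorbich:instances, id: -7731, owner: 0, creator: bmtorbich,
  membership: 4, flags: S-M--, group quota: 0.
"""

# Matches one entry whether it is printed on one line or wrapped over two.
ENTRY_RE = re.compile(
    r"Name:\s*(?P<name>[^,\s]+),\s*id:\s*(?P<id>-?\d+),"
    r".*?flags:\s*(?P<flags>[A-Za-z-]{5})",
    re.DOTALL,
)

# The third flag position controls who may run `pts membership` on the entry.
MEMBERSHIP_FLAG = {
    "-": "only the entry's user/owner and system:administrators",
    "m": "members of the group",
    "M": "anyone",
}

def parse_entries(text):
    """Return one dict per entry found in `pts examine` output."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        flags, ident = m.group("flags"), int(m.group("id"))
        entries.append({
            "name": m.group("name"),
            "id": ident,
            # Negative ids are groups; positive ids are user/machine entries.
            "kind": "group" if ident < 0 else "user",
            "flags": flags,
            "who_can_list_members": MEMBERSHIP_FLAG.get(flags[2], "unknown"),
        })
    return entries

def membership_restricted(text):
    """Names of entries whose membership listing is not open to anyone."""
    return [e["name"] for e in parse_entries(text) if e["flags"][2] != "M"]

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(f'{e["name"]:<22} {e["kind"]:<5} {e["flags"]}  '
              f'pts membership: {e["who_can_list_members"]}')
    print("restricted:", membership_restricted(SAMPLE))
```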
