> From: Andrew Deason <adea...@sinenomine.net>
> > I've added an afs service principal from each of two realms to the
> > KeyFile using asetkey. I've added both realms in /etc/krb.conf, the
> > first two lines of the file being the two realms.
>
> You probably want /usr/afs/etc/krb.conf (if using transarc paths), or
> /etc/openafs/server/krb.conf.

Thanks, that did help, I've gotten further now.

What I'm seeing now though, is that although I used asetkey to add the service principal from the ADS realm to my test cell, permissions aren't working as I'd expect.

So, we have realm AFSTEST.IU.EDU and ADS.IU.EDU. Both in the KeyFile and in the /usr/afs/etc/krb.conf and both listed in the /etc/krb5.conf.

On a client machine, I can kinit as the original, as ecgar...@afstest.iu.edu and can get permissions as expected to OpenAFS directories with ACLs granted to OpenAFS user ecgarris.

I would expect on a multi-realm cell, that I could come in as ecgar...@ads.iu.edu and have the same permissions as ecgar...@afstest.iu.edu, but I don't, I get permission denied.

If I create a file in an anyuser-writable directory, the UNIX permissions show it as owned by ecgarris, but I still get Permission Denied when I try to access directories owned by OpenAFS ecgarris.

If I make the ONLY realm ADS.IU.EDU I have the same problem as well.

Does this mean if we switch domains, all existing users will need extra ACLs inserted to accommodate the new domain? Is there a better answer? Am I just missing something simple?

Thanks!

Chris

--
Eric Chris Garrison | Principal Mass Storage Specialist
ecgar...@iupui.edu | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: ecgar...@iupui.edu