You are correct, there is no danto...@resource.net; there is
danto...@iu.edu, and there is also a local user dantolov with AFS ID 2.  I
did not see danto...@iu.edu as a member of system:authu...@iu.edu at any
time. Are you saying that the presence of the local user is the problem?

Below is what kinit and aklog produce. Thanks,

Danko


[root@afs1c afs]# kinit  danto...@iu.edu
Password for danto...@iu.edu:
[root@afs1c afs]#
[root@afs1c afs]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: danto...@iu.edu

Valid starting     Expires            Service principal
07/19/11 14:38:38  07/20/11 00:38:45  krbtgt/iu....@iu.edu
        renew until 07/20/11 14:38:38


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@afs1c afs]#
[root@afs1c afs]# aklog  -d  -c afs1.bedrock.iu.edu
Authenticating to cell afs1.bedrock.iu.edu (server afs1.bedrock.iu.edu).
Trying to authenticate to user's realm IU.EDU.
Getting tickets: afs/afs1.bedrock.iu....@iu.edu
Using Kerberos V5 ticket natively
About to resolve name dantolov to id in cell afs1.bedrock.iu.edu.
Id 2
Set username to AFS ID 2
Setting tokens. AFS ID 2 /  @ IU.EDU
[root@afs1c afs]#
[root@afs1c afs]# tokens

Tokens held by the Cache Manager:

User's (AFS ID 2) tokens for a...@afs1.bedrock.iu.edu [Expires Jul 20 00:38]
   --End of list--
[root@afs1c afs]#

-----Original Message-----
From: openafs-info-ad...@openafs.org [mailto:openafs-info-ad...@openafs.org]
On Behalf Of Andrew Deason
Sent: Tuesday, July 19, 2011 2:12 PM
To: openafs-info@openafs.org
Subject: [OpenAFS] Re: OpenAFS and AD trusts

On Tue, 19 Jul 2011 13:52:08 -0400
"Danko Antolovic" <danto...@indiana.edu> wrote:

> [root@afs1c afs]# pts adduser -user dantolov -group system:authu...@iu.edu -noauth

No, don't do this. In your setup, the _only_ user that will be
recognized as "dantolov" is someone that authenticates with the
principal danto...@resource.net, which, if I understand correctly, does
not exist, so there should not be a user called "dantolov" at all. The
user that authenticates via the kerberos principal danto...@iu.edu will
have the AFS PT name "danto...@iu.edu" if IU.EDU is not in krb.conf.

> Predictably, when I authenticate as a foreign user (via trust), I can't
> touch the files in /afs/afs1.bedrock.iu.edu

aklog is supposed to automatically create the user danto...@iu.edu and
add it to system:authu...@iu.edu for you; you don't need to do it
yourself. Does danto...@iu.edu exist? What does aklog say when you give
it the -d option when you authenticate with danto...@iu.edu ?

-- 
Andrew Deason
adea...@sinenomine.net

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
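The naming rule Andrew describes above (bare username for the cell's own realm or a realm listed in krb.conf, user@realm in lowercase for a foreign realm, and membership in system:authuser@realm rather than system:authuser) is modelled below. This is an added illustration written for this page, not OpenAFS code or anything posted in the thread. It assumes the cell's realm is RESOURCE.NET as the thread implies, assumes krb.conf is a whitespace-separated list of realm names with `#` comments, and compares realm names case-insensitively as a simplification.

```python
"""Model of how aklog turns a Kerberos principal into an AFS PTS name.

Added illustration, not OpenAFS source. Rule modelled (as described in the
thread): a principal in the cell's realm, or in a realm listed in krb.conf,
maps to the bare username; any other realm is foreign and maps to
user@realm (realm lowercased), and such users live in system:authuser@realm
instead of plain system:authuser.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PtsIdentity:
    name: str            # PTS user name aklog would look up or create
    authuser_group: str  # group the ptserver places that user in
    foreign: bool


def parse_krb_conf(text: str) -> set[str]:
    """Return the realms krb.conf marks as local.

    Assumed format: realm names separated by whitespace, '#' starts a comment.
    Realms are uppercased so that comparison below is case-insensitive.
    """
    realms: set[str] = set()
    for line in text.splitlines():
        body = line.split("#", 1)[0]
        realms.update(r.upper() for r in body.split())
    return realms


def pts_name_for_principal(principal: str, cell_realm: str, krb_conf: str = "") -> PtsIdentity:
    """Derive the PTS name aklog would use for `principal` in a cell whose realm is `cell_realm`."""
    if "@" not in principal:
        raise ValueError("principal must carry a realm: name@REALM")
    name, realm = principal.rsplit("@", 1)
    realm = realm.upper()
    # Multi-component principals are joined with '.', so host/foo@R becomes host.foo
    name = name.replace("/", ".")
    local_realms = {cell_realm.upper()} | parse_krb_conf(krb_conf)
    if realm in local_realms:
        return PtsIdentity(name=name, authuser_group="system:authuser", foreign=False)
    suffix = realm.lower()
    return PtsIdentity(name=f"{name}@{suffix}",
                       authuser_group=f"system:authuser@{suffix}",
                       foreign=True)


def acl_grants(acl_names: set[str], principal: str, cell_realm: str, krb_conf: str = "") -> bool:
    """True if an ACL naming `acl_names` (users or groups) covers the token aklog would obtain.

    This is where the thread's confusion shows: an ACL entry for a locally created
    "dantolov" does nothing for someone whose token is for "dantolov@iu.edu".
    """
    ident = pts_name_for_principal(principal, cell_realm, krb_conf)
    return (ident.name in acl_names
            or ident.authuser_group in acl_names
            or "system:anyuser" in acl_names)


if __name__ == "__main__":
    CELL_REALM = "RESOURCE.NET"  # the cell's own realm, as named in the thread (assumption)
    # Foreign realm, IU.EDU not in krb.conf: PTS name carries the realm suffix.
    print(pts_name_for_principal("dantolov@IU.EDU", CELL_REALM))
    # Listing IU.EDU in krb.conf makes the same principal map to the bare name.
    print(pts_name_for_principal("dantolov@IU.EDU", CELL_REALM, krb_conf="RESOURCE.NET IU.EDU"))
    # An ACL granting the local "dantolov" does not cover the foreign token...
    print(acl_grants({"dantolov"}, "dantolov@IU.EDU", CELL_REALM))               # False
    # ...but an entry for system:authuser@iu.edu does.
    print(acl_grants({"system:authuser@iu.edu"}, "dantolov@IU.EDU", CELL_REALM))  # True
```

The practical check this gives you: run `aklog -d` and compare the name it says it is resolving against the names actually present on the ACL (`fs listacl`); if aklog resolves `user@realm` while the ACL only lists `user`, the local PTS entry is not the one your token maps to, whatever its AFS ID.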