You are correct, there is no danto...@resource.net; there is danto...@iu.edu, and there is also a local user dantolov with AFS ID 2. I did not see danto...@iu.edu as a member of system:authu...@iu.edu at any time. Are you saying that the presence of the local user is the problem?
Below is what kinit and aklog produce. Thanks, Danko

[root@afs1c afs]# kinit danto...@iu.edu
Password for danto...@iu.edu:
[root@afs1c afs]#
[root@afs1c afs]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: danto...@iu.edu

Valid starting     Expires            Service principal
07/19/11 14:38:38  07/20/11 00:38:45  krbtgt/iu....@iu.edu
        renew until 07/20/11 14:38:38

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@afs1c afs]#
[root@afs1c afs]# aklog -d -c afs1.bedrock.iu.edu
Authenticating to cell afs1.bedrock.iu.edu (server afs1.bedrock.iu.edu).
Trying to authenticate to user's realm IU.EDU.
Getting tickets: afs/afs1.bedrock.iu....@iu.edu
Using Kerberos V5 ticket natively
About to resolve name dantolov to id in cell afs1.bedrock.iu.edu.
Id 2
Set username to AFS ID 2
Setting tokens. AFS ID 2 /  @ IU.EDU
[root@afs1c afs]#
[root@afs1c afs]# tokens

Tokens held by the Cache Manager:

User's (AFS ID 2) tokens for a...@afs1.bedrock.iu.edu [Expires Jul 20 00:38]
   --End of list--
[root@afs1c afs]#

-----Original Message-----
From: openafs-info-ad...@openafs.org [mailto:openafs-info-ad...@openafs.org] On Behalf Of Andrew Deason
Sent: Tuesday, July 19, 2011 2:12 PM
To: openafs-info@openafs.org
Subject: [OpenAFS] Re: OpenAFS and AD trusts

On Tue, 19 Jul 2011 13:52:08 -0400
"Danko Antolovic" <danto...@indiana.edu> wrote:

> [root@afs1c afs]# pts adduser -user dantolov -group system:authu...@iu.edu
> -noauth

No, don't do this. In your setup, the _only_ user that will be recognized as "dantolov" is someone that authenticates with the principal danto...@resource.net, which, if I understand correctly, does not exist, so there should not be a user called "dantolov" at all. The user that authenticates via the Kerberos principal danto...@iu.edu will have the AFS PT name "danto...@iu.edu" if IU.EDU is not in krb.conf.

> Predictably, when I authenticate as a foreign user (via trust), I can't
> touch the files in /afs/afs1.bedrock.iu.edu

aklog is supposed to automatically create the user danto...@iu.edu and add it to system:authu...@iu.edu for you; you don't need to do it yourself. Does danto...@iu.edu exist? What does aklog say when you give it the -d option when you authenticate with danto...@iu.edu ?

-- 
Andrew Deason
adea...@sinenomine.net

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
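The exchange above turns on one question: given the principal used for kinit, which PT name does aklog derive, and whose AFS ID does it end up with? The point Andrew makes is that a principal from a realm that is not the cell's own (not listed in krb.conf) should map to a realm-qualified PT name such as user@realm, not to a bare local user name; when it maps to the bare name, the foreign identity is handed the local user's AFS ID. The script below is an added example, not code from the thread or from OpenAFS: it parses an `aklog -d` transcript in the line format shown above together with a `pts listentries`-style user table and reports when a foreign-realm principal landed on a bare (local) PT entry. The sample outputs, the cell afs.example.net, the realm EXAMPLE.ORG and the user alice are all constructed; the naming rule (bare name for a krb.conf realm, name@realm in lower case otherwise, with the cell name upper-cased as the default realm when krb.conf has no entry) is taken from Andrew's description and is an assumption about aklog rather than something the thread verifies.

```python
import re

# Constructed sample `aklog -d` transcript, modelled on the line format shown in
# the thread. The cell, realm, user name and AFS ID are hypothetical.
SAMPLE_AKLOG_DEBUG = """\
Authenticating to cell afs.example.net (server afs.example.net).
Trying to authenticate to user's realm EXAMPLE.ORG.
Getting tickets: afs/afs.example.net@EXAMPLE.ORG
Using Kerberos V5 ticket natively
About to resolve name alice to id in cell afs.example.net.
Id 2
Set username to AFS ID 2
Setting tokens. AFS ID 2 /  @ EXAMPLE.ORG
"""

# Constructed `pts listentries -users`-style listing for the same cell
# (hypothetical entries: a bare local user and a realm-qualified foreign user).
SAMPLE_PTS_USERS = """\
Name                          ID  Owner Creator
alice                          2   -204  -204
alice@example.org            103   -204  -204
"""

RE_CELL = re.compile(r"^Authenticating to cell (\S+) ")
RE_REALM = re.compile(r"^Trying to authenticate to user's realm (\S+)\.$")
RE_RESOLVE = re.compile(r"^About to resolve name (\S+) to id in cell (\S+)\.$")
RE_ID = re.compile(r"^Id (-?\d+)$")


def parse_aklog_debug(text):
    """Extract cell, realm, resolved PT name and AFS ID from `aklog -d` output."""
    info = {"cell": None, "realm": None, "pt_name": None, "afs_id": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_CELL.match(line)
        if m:
            info["cell"] = m.group(1)
            continue
        m = RE_REALM.match(line)
        if m:
            info["realm"] = m.group(1)
            continue
        m = RE_RESOLVE.match(line)
        if m:
            info["pt_name"] = m.group(1)
            continue
        m = RE_ID.match(line)
        if m:
            info["afs_id"] = int(m.group(1))
    return info


def parse_pts_users(text):
    """Map PT user names to AFS IDs from a `pts listentries`-style table."""
    users = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) >= 2 and parts[1].lstrip("-").isdigit():
            users[parts[0]] = int(parts[1])
    return users


def local_realms(cell, krb_conf_realms):
    """Realms treated as local to the cell: the krb.conf entries for it, else the
    cell name upper-cased (assumed default; see lead-in)."""
    return {r.upper() for r in krb_conf_realms} or {cell.upper()}


def expected_pt_name(principal, cell, krb_conf_realms):
    """PT name aklog should derive: bare name for a local realm, name@realm
    (realm lower-cased) for a foreign one (assumed rule; see lead-in)."""
    user, _, realm = principal.partition("@")
    if realm.upper() in local_realms(cell, krb_conf_realms):
        return user
    return f"{user}@{realm.lower()}"


def check_identity_mapping(aklog_text, principal, krb_conf_realms, pts_text):
    """Return a list of findings; an empty list means the mapping is consistent."""
    info = parse_aklog_debug(aklog_text)
    users = parse_pts_users(pts_text)
    if info["pt_name"] is None or info["afs_id"] is None:
        return ["aklog -d output is missing the name-to-id resolution lines"]
    findings = []
    want = expected_pt_name(principal, info["cell"], krb_conf_realms)
    if info["pt_name"] != want:
        findings.append(
            f"{principal} resolved to PT name '{info['pt_name']}', expected '{want}'")
    # The dangerous case from the thread: a foreign-realm principal lands on a
    # bare (unqualified) PT entry, i.e. on a local user's AFS ID.
    if "@" in want and "@" not in info["pt_name"]:
        findings.append(
            f"foreign principal {principal} was given AFS ID {info['afs_id']}, "
            f"which belongs to local user '{info['pt_name']}'")
    known = users.get(info["pt_name"])
    if known is not None and known != info["afs_id"]:
        findings.append(
            f"aklog's AFS ID {info['afs_id']} disagrees with pts ({known})")
    return findings


if __name__ == "__main__":
    # EXAMPLE.ORG absent from krb.conf: the principal is foreign, so a bare
    # 'alice' with AFS ID 2 is a collision with the local user of that name.
    for finding in check_identity_mapping(
            SAMPLE_AKLOG_DEBUG, "alice@EXAMPLE.ORG", [], SAMPLE_PTS_USERS):
        print("WARN:", finding)
```

Run it with the realm left out of the krb.conf list and it flags both the unexpected bare PT name and the ID collision; pass ["EXAMPLE.ORG"] as the krb.conf realm and the same transcript is reported as consistent, which is the distinction Andrew is asking about when he mentions whether IU.EDU is in krb.conf.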