
Subtle problems with AFS tokens after migration from 0.6 to 0.7.1




We have migrated from 0.6 to 0.7.1 and seemingly all went quite well.
However we have soon discovered a problem with AFS tokens that
only manifests itself with a subset of users.

That's what we have observed:

1) A user obtains a token with a normal "klog" command (our kdc runs with
    the "-K" flag); the "tokens" command reports that the token is there.

2) However the token is apparently not good enough as the user cannot
    operate in his home directory - permission denied. The best point is that
    this happens only with *some* users, in most of the cases everything
    works as it should.

3) We have also mentioned that "kinit" followed by "afslog" produces
    instead a "good" token for "problematic" users, on the same machine.
    With the token obtained in this manner user can always operate in his
    homedir.

4) We have then tried to create new users, and recreate some of the preexisting
    ones but the problem was always there. Interestingly, it looks like it happens with
    users that have their username composed of 5 characters.

In the end, we have rolled back to 0.6 (had to use the older copy of heimdal.db,
as apparently the one which was modified with kadmin from 0.7.1 cannot be
reused with 0.6, and dump-load does not help either).

Any comment is very welcome, thanks ahead.

Andrei.