[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Subtle problems with AFS tokens after migration from 0.6 to 0.7.1
- To: firstname.lastname@example.org
- Subject: Subtle problems with AFS tokens after migration from 0.6 to 0.7.1
- From: Andrei Maslennikov <email@example.com>
- Date: Fri, 2 Dec 2005 16:38:18 +0100
- DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type; b=ovLKPNYtjjijgf4rO6Z18UF30OnukMxmYqd0v36e5UTFnhaChGG7IGbprz5ptcwi6fjAlgvKpyLd29gDkSsTIB7xp+U1xw6ND3+Oo9LJnJHVX9quqKg6AKeXA2Vxt0RhKRLbZYSeIz1Dobc7i/gy9dmI+ywidjORwX8n5M9Neys=
- Sender: firstname.lastname@example.org
We have migrated to from 0.6 to 0.7.1 and seemingly all went quite well.
However we have soon discovered a problem with AFS tokens that
only manifests itself with a subset of users.
That' what we have observed:
1) A user obtains a token with a normal "klog" command (our kdc runs with
the "-K" flag; the "tokens" command reports that the token is there.
2) However the token is apparently not good enough as the user cannot
operate in his home directory - permission denied. The best point is that
this happens only with *some* users, in most of the cases everything
works as it should.
3) We have also mentioned that "kinit" followed by "afslog" produces
instead a "good" token for "problematic" users, on the same machine.
With the token obtained in this manner user can always operate in his
4) We have then tried to create new users, and recreate some of the preexisting
ones but the problem was always there. Interesting, it looks like it happens with
users that have their username composed of 5 characters.
In the end, we have rolled back to 0.6 (had to use the older copy of heimdal.db,
as apparently the one which was modified with kadmin from 0.7.1 cannot be
reused with 0.6, neither dump-load helps).
Any comment is very welcome, thanks ahead.