Coda File System

Re: modular clog + kerberos uid mis-match (fwd)

From: <u+codalist-wk5r_at_chalmers.se>
Date: Tue, 2 Mar 2010 09:46:39 +0100
Hi Don,

On Mon, Mar 01, 2010 at 08:08:16PM -0800, root wrote:
> When I am logged in to coda as coda_admin, the ctokens ID matches the 
> pdbtool ID, and the ACL grants access to view the admin shares/dirs. 
> 
> When I am logged in to coda as coda_user, the ctokens ID does NOT match the 
> pdbtool ID, and the ACL does NOT grant access to view the user shares/dirs. 

A-ha, now I see what the problem is.

> The coda admin was created using pdbtool clone user feature (from the coda 
> realmadmin user), while the coda user was created using pdbtool new user 
> feature. 
> 
> 
> In any case, there is no such ID as 484, so I have no idea where coda is 
> getting that ID from. 
> 
> 
> Here is pdbtool and ctokens output to illustrate my situation: 
> 
> sandbox1# /vice/bin/pdbtool list

Is this the whole output? Note that "pdbtool list" may not be reliable:
it does not necessarily output the whole database (not for big databases
anyway). The reliable way to examine the whole contents is
"pdbtool export".

> USER realmadmin
> *  id: 83885
> *  belongs to groups: [ -1 ]
> *  cps: [ -1 83885 ]
> *  owns groups: [ -1 ]
> USER codaadmin
> *  id: 83886
> *  belongs to groups: [ -1 ]
> *  cps: [ -1 83886 ]
> *  owns groups: [ -1 ]
> USER codauser
> *  id: 83896
> *  belongs to groups: [ -8 ]
> *  cps: [ -8 83896 ]
> *  owns groups: [ -8 ]
> GROUP GROUP:codauser OWNED BY codauser
> *  id: -8
> *  owner id: 83896
> *  belongs to no groups
> *  cps: [ -8 ]
> *  has members: [ 83896 ]
> GROUP System:Administrators OWNED BY realmadmin
> *  id: -1
> *  owner id: 83885
> *  belongs to no groups
> *  cps: [ -1 ]
> *  has members: [ 83885 83886 ] 

> sandbox4# cunlog @coda.realm; clog admin -keytab admin-krb5.keytab; ctokens 
> @coda.realm 

Another remark: it would help a lot if you used "clog account@realm";
otherwise you implicitly refer to your clog config, which is
an additional source of possible errors.

Make the situation as explicit as possible.
Additional layers of transformation make things look simple, but they are not.

> Tokens [local user id: root] 
> 
> @coda.realm
>     Coda user id:    83886 

Looks good.

> sandbox4# cunlog @coda.realm; clog user -keytab user-krb5.keytab; ctokens 
> @coda.realm 

What is "user" ??? (see my remark above)

> Tokens [local user id: root] 
> 
> @coda.realm
>     Coda user id:    484 

What does your /vice/auth2/AuthLog say at the time of clog?
Note that in a multiserver realm clog may talk to any of the authentication
servers. Have the servers (if there are multiple) synchronized their data?

> Logged in as coda admin, IDs match and everything works.  Logged in as any 
> other coda user, and IDs do NOT match, and cannot access anything. 

This is odd.

Does it happen even if you use Coda password authentication?

Regards,
Rune
Received on 2010-03-02 03:47:31
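As an added example (not code from this thread or from the Coda project), here is the cross-check Rune is asking Don to make, scripted: parse the "pdbtool list" output and the ctokens output in the formats quoted above and classify the Coda user id in the token against the protection database. The embedded sample strings are the outputs Don posted; the function names and the result labels ("ok", "unknown-id", "other-user", "no-token", "no-pdb-user") are my own. It parses the list format only; "pdbtool export", which Rune recommends for a complete dump, uses a different format that is not shown on this page.

```python
"""Cross-check the Coda user id reported by ctokens against pdbtool output."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the "pdbtool list" output quoted in the thread.
PDBTOOL_LIST = """\
USER realmadmin
*  id: 83885
*  belongs to groups: [ -1 ]
*  cps: [ -1 83885 ]
*  owns groups: [ -1 ]
USER codaadmin
*  id: 83886
*  belongs to groups: [ -1 ]
*  cps: [ -1 83886 ]
*  owns groups: [ -1 ]
USER codauser
*  id: 83896
*  belongs to groups: [ -8 ]
*  cps: [ -8 83896 ]
*  owns groups: [ -8 ]
GROUP GROUP:codauser OWNED BY codauser
*  id: -8
*  owner id: 83896
*  belongs to no groups
*  cps: [ -8 ]
*  has members: [ 83896 ]
GROUP System:Administrators OWNED BY realmadmin
*  id: -1
*  owner id: 83885
*  belongs to no groups
*  cps: [ -1 ]
*  has members: [ 83885 83886 ]
"""

# Constructed sample input: the two ctokens outputs quoted in the thread.
CTOKENS_ADMIN = "Tokens [local user id: root]\n\n@coda.realm\n    Coda user id:    83886\n"
CTOKENS_USER = "Tokens [local user id: root]\n\n@coda.realm\n    Coda user id:    484\n"


@dataclass
class PdbEntry:
    name: str
    kind: str                      # "USER" or "GROUP"
    id: Optional[int] = None
    cps: List[int] = field(default_factory=list)   # ids the ACL check sees for this entry


def parse_pdbtool_list(text: str) -> Dict[str, PdbEntry]:
    """Parse 'pdbtool list' output into {name: PdbEntry}, keeping id and cps."""
    entries: Dict[str, PdbEntry] = {}
    current: Optional[PdbEntry] = None
    for line in text.splitlines():
        m = re.match(r"^(USER|GROUP)\s+(\S+)", line)
        if m:
            current = PdbEntry(name=m.group(2), kind=m.group(1))
            entries[current.name] = current
            continue
        if current is None:
            continue
        m = re.match(r"^\*\s+id:\s+(-?\d+)", line)      # "owner id:" does not match
        if m:
            current.id = int(m.group(1))
            continue
        m = re.match(r"^\*\s+cps:\s+\[([^\]]*)\]", line)
        if m:
            current.cps = [int(x) for x in m.group(1).split()]
    return entries


def parse_ctokens(text: str) -> Dict[str, int]:
    """Return {realm: coda_user_id} from ctokens output; realm lines start with '@'."""
    tokens: Dict[str, int] = {}
    realm: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("@"):
            realm = line
        elif realm and line.startswith("Coda user id:"):
            tokens[realm] = int(line.split(":", 1)[1])
    return tokens


def check_token(entries: Dict[str, PdbEntry], tokens: Dict[str, int],
                realm: str, expected_user: str) -> str:
    """Classify the token id for `realm` against the pdb entry of `expected_user`.

    'ok'          token id equals the pdb id of expected_user
    'other-user'  token id belongs to a different pdb user
    'unknown-id'  token id is in no pdb entry at all (Don's 484 case)
    'no-token'    no token held for that realm
    'no-pdb-user' expected_user is not a USER entry in the pdb
    """
    if realm not in tokens:
        return "no-token"
    token_id = tokens[realm]
    expected = entries.get(expected_user)
    if expected is None or expected.kind != "USER":
        return "no-pdb-user"
    if expected.id == token_id:
        return "ok"
    user_ids = {e.id for e in entries.values() if e.kind == "USER"}
    return "other-user" if token_id in user_ids else "unknown-id"


if __name__ == "__main__":
    pdb = parse_pdbtool_list(PDBTOOL_LIST)
    for name, out in (("codaadmin", CTOKENS_ADMIN), ("codauser", CTOKENS_USER)):
        print(name, check_token(pdb, parse_ctokens(out), "@coda.realm", name))
```

Run against the quoted outputs, the admin token classifies as "ok" and the user token as "unknown-id", which is exactly the symptom in the thread: an id that no pdb entry carries cannot appear in any cps, so no ACL can grant it access. In a real realm, feed the script the output of "pdbtool export" (after adapting the parser to that format) rather than "pdbtool list", for the reason Rune gives.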