Don Doering writes:
> Does anyone out there know how to correctly use pagsh?
>
> To begin with, the AFS Installation Guide instructs in 2.28.1, Step 2 on
> page 2-65 to set the ACL for system:anyuser to none for
> /afs/<cell>/@sys/usr/afsws/* and then reset the ACL for system:anyuser to
> rl on ./bin, only.
>
> That leaves pagsh in ../etc with the ACL for system:anyuser set to none,
> making it impossible for anyone to use it, except system:authuser. Thus,
> one must first klog in, before using pagsh.
>
> Then the AFS System Administrator's Guide states in 2.9.8 on page 2-37 to
> include the following commands in .login to create a PAG and authenticate
> the user with AFS:
>
> pagsh
> echo -n "klog "
> klog
This is an inconsistency in the documentation. I'd suggest moving the
pagsh binary to the bin directory to avoid the problem.
> And finally, in the AFS User's Guide on page A-48, the pagsh "man" page
> finally states that pagsh creates a new command shell. It doesn't state
> that it creates a Bourne shell, whether you like it or not. To get to a C
> shell, you have to run csh after the pagsh.
The pagsh command has a switch "-c" that specifies what shell should
be exec'ed. Try using "pagsh -c /bin/csh" if you prefer to use the C
shell. The documentation will probably be updated for AFS 3.3 to
include the "-c" option.
> Now, the problems with this approach are, first of all, the pagsh won't work,
> because you have to klog, first. That's because of the ACL setup on the
> ./etc directory. Secondly, because of the UNIX shell hierarchy, all
> instructions following the pagsh instruction in your .login would be
> ignored (if the pagsh did work) until you exit the pagsh Bourne shell
> (after you exit the C shell, if you are using it, too). So the echo and
> klog are a bit belated.
I've never tested this situation thoroughly, so I can't say much about
the rest of .login being ignored. Generally, I'd suggest installing
the AFS version of "login" whenever possible so that every user
automatically gets a new pag. If an AFS username and password is
entered, tokens are also obtained. I understand that sometimes using
the AFS version of login is not an option, however.
(If you would like to have this investigated further, you should report
the problem to Transarc through the official support channels.)
> Also, there seems to be an undocumented fact that the PAG number can be
> viewed with the UNIX command "groups" which displays all of the groups that
> the user is a member of. The PAG numbers are listed, first. Normally,
> groups displays the UNIX groups listed in /etc/groups. Here we see AFS
> uses it to display PAG as well; thus, at last, we see the full meaning of
> "PAG: process authentication group". It IS a group.
The PAG is associated with a process by way of two large group
numbers. We aren't using these group entries just for displaying PAG
membership; they are actually used by the system to encode the
membership. The AFS Command Reference Manual mentions that two group
slots are used in this manner.
As a side effect, the "groups" command is very helpful for tracking
down authentication problems because it indicates whether a process is
in a PAG or not.
> (Now I wonder if
> "groups" will also display AFS group memberships defined in ACLs. Is THIS
> documented, anywhere?)
No, AFS group membership is not displayed by groups. The Unix groups
are used for PAGs only because they provide a convenient means of
propagating credential information using existing Unix functionality.
The "pts membership" command is the only way to find AFS group
membership, unless you write your own interface to the PTS library.
Joe Jackson,
AFS Product Support,
Transarc Corp.
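The reply's tip that "groups" tells you whether a process is in a PAG can be scripted. The snippet below is an added illustration, not part of this thread and not Transarc code; it assumes only what the reply states (a PAG-bound process carries two extra gids at the front of its group list that are not defined in the Unix group database), and the helper name pag_gids, the group file and the gid values are constructed for the demo.

```shell
#!/bin/sh
# Added illustration (not Transarc code): script the check the reply describes,
# namely that a process in a PAG carries two extra numeric gids at the front of
# its group list, gids that are not defined in the Unix group database.

# pag_gids GIDLIST GROUPFILE
#   GIDLIST   the process's numeric group list, e.g. the output of `id -G`
#   GROUPFILE the group database to check against (/etc/group, or a dump of
#             the NIS group map; a constructed file is used below)
# Prints the two PAG gids and returns 0 if the process looks PAG-bound,
# returns 1 (prints nothing) otherwise.
pag_gids() {
    gidlist=$1
    groupfile=$2
    set -- $gidlist                # split the list into positional parameters
    [ $# -ge 2 ] || return 1       # a PAG occupies two group slots
    for g in "$1" "$2"; do
        # field 3 of the group file is the numeric gid; a hit means this is an
        # ordinary Unix group, so the leading slots are not PAG slots
        if awk -F: -v g="$g" '$3 == g { hit = 1 } END { exit !hit }' "$groupfile"; then
            return 1
        fi
    done
    echo "$1 $2"
}

# Constructed group database so the script runs stand-alone.
tmpgroup=$(mktemp)
trap 'rm -f "$tmpgroup"' EXIT
cat > "$tmpgroup" <<'EOF'
root:x:0:
staff:x:20:
afsusers:x:100:alice
EOF

# Constructed gid lists: the first is what a PAG-holding process might show
# (two large, unlisted gids first), the second a plain login shell.
pag_gids "1048576 1048577 100" "$tmpgroup" || echo "no PAG"
pag_gids "100 20" "$tmpgroup" || echo "no PAG"
# On a real AFS client: pag_gids "$(id -G)" /etc/group
```

Run this check at the top of .login and call `pagsh -c /bin/csh` only when it fails; the C shell that pagsh starts then re-reads .login with the PAG already present, so the klog that follows is no longer skipped.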