> Hope,
>
> This is a *very* common issue for new AFS sites: root doesn't have
> implicit read access to all AFS files as it does for local files.
> Many daemon programs need complete read access to the filesystem and
> assume that being run by root is sufficient. One of our customers
> worked with an AFS Product Support Rep on a wrapper script that
> provides the appropriate authentication to long-running daemons. This
> is a general solution that you can reuse for just about any daemon.
... etc.
The one thing that's not obvious is that even a user name with
system:administrators privs may not have access to all AFS files. If a user
does a "fs sa . system:administrators none" on one or more of his directories,
the files can't be dumped by a mere administrator. I discovered this once
with a user who had a 50 MB AFS volume, but du showed only about 1/2 MB. He
had removed system:administrators access to one subdirectory. If you are
backing up by files, be sure to reset the access or warn users not to do that.
Or am I just setting up the user's home directory ACLs wrong?
Steve
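
An added example, not part of the message above: a pre-backup audit that parses `fs listacl` output and reports directories whose explicit ACL gives system:administrators no read or lookup rights, either because the entry was removed or because of a negative entry. The function names, the sample cell and paths, and the choice of `r` and `l` as the rights a file-level dump needs are assumptions.

```python
import re

ADMIN_GROUP = "system:administrators"
NEEDED = set("rl")  # assumption: read + lookup are what a file-level dump needs

# Constructed sample of `fs listacl` output; cell, user and paths are made up.
SAMPLE = """\
Access list for /afs/example.org/user/jdoe is
Normal rights:
  system:administrators rlidwka
  jdoe rlidwka
Access list for /afs/example.org/user/jdoe/private is
Normal rights:
  jdoe rlidwka
Access list for /afs/example.org/user/jdoe/mail is
Normal rights:
  system:administrators rlidwka
Negative rights:
  system:administrators rl
"""

def parse_listacl(text):
    """Return {path: {"normal": {name: rights}, "negative": {name: rights}}}."""
    acls, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Access list for (.+) is$", line)
        if header:
            current, section = acls.setdefault(header.group(1), {"normal": {}, "negative": {}}), None
        elif line in ("Normal rights:", "Negative rights:"):
            section = line.split()[0].lower()
        elif line and current is not None and section:
            name, _, rights = line.rpartition(" ")
            if name:
                current[section][name.strip()] = rights
    return acls

def admin_blind_spots(text, group=ADMIN_GROUP, needed=NEEDED):
    """List (path, missing_rights) where the explicit ACL denies `group` access."""
    findings = []
    for path, acl in parse_listacl(text).items():
        # Negative rights override normal rights; a missing entry grants nothing.
        held = set(acl["normal"].get(group, "")) - set(acl["negative"].get(group, ""))
        missing = needed - held
        if missing:
            findings.append((path, "".join(sorted(missing))))
    return findings

if __name__ == "__main__":
    print(admin_blind_spots(SAMPLE))
```

To audit real data, pass the collected `fs listacl` output for the directories in the backup set to `admin_blind_spots` in place of `SAMPLE`.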