People I have exchanged email with have shown me that they are able
to create and remove volumes with the following setup:
1. PTS group admin contains the IDs of people who are sysadmins
2. Those same people in PTS group admin are also members of
PTS group system:administrators
Now, the way we have things set up is:
1. PTS group admin contains one member, system:administrators
2. All of the sysadmins here are members of system:administrators
Yet at our site, members of system:administrators (and SUPPOSEDLY indirectly
members of PTS group admin) are unable to create and remove volumes.
# remove token
~ : mail 11:08am > unlog
# klog as myself, a member of system:administrators (and SUPPOSEDLY indirectly
# a member of admin)
~ : mail 11:09am > klog
Password:
# Try to create a volume
~ : mail 11:09am > vos create afs1 f jeff.test2
Could not get an Id for volume jeff.test2
VLDB: no permission access for call
Error in vos create command
# klog as admin
~ : mail 11:10am > klog admin
Password:
# can create a volume fine
~ : mail 11:10am > vos create afs1 f jeff.test2
Volume 1986621633 created on partition /vicepf of afs1
# can make mount points fine (I can do this without the admin token as well)
~ : mail 11:10am > fs mkmount foo jeff.test2
# can delete mount points fine (I can do this without the admin token as well)
~ : mail 11:10am > fs rmmount foo
Here is what things look like PTS group-wise:
=============================================
~ : manos 11:06am > pts exa jblaine
Name: jblaine, id: 30379, owner: system:administrators, creator: admin,
membership: 3, flags: S----, group quota: unlimited.
~ : manos 11:18am > pts membership jblaine
Groups jblaine (id: 30379) is a member of:
texusers
operations
system:administrators
~ : manos 11:18am > pts exa admin
Name: admin, id: 1, owner: system:administrators, creator: anonymous,
membership: 1, flags: S----, group quota: unlimited.
~ : manos 11:18am > pts membership admin
Groups admin (id: 1) is a member of:
system:administrators
~ : manos 11:18am > pts membership system:administrators
Members of system:administrators (id: -204) are:
admin
kalpesh
schorn
jblaine
gary
What am I missing here? Is there something simple we have misconfigured?
This setup was done 2 years ago before I started working here, and we're
still trying to figure out certain areas which appear to be black magic.
Is the admin group not inheriting system:administrators like I think it
should?
Thanks.
-------
Jeff Blaine
CIESIN Operations