On Monday, October 15, 2007 11:06:54 PM -0400 Tim Abbott <[EMAIL PROTECTED]> wrote:
On Linux, AFS stores its PAG information in one or two fake GIDs. Unfortunately, AFS doesn't give the fake GIDs names, and thus a number of tools (like groups) get confused and return errors, for example:

  $ groups > /dev/null
  id: cannot find name for group ID 1106112751

This causes various programs that run groups (including WinSCP) to fail unnecessarily.

We created an NSS module, libnss-afspag, to give the AFS PAG fake GIDs names. libnss-afspag works by using the AFS's algorithm to check whether the GID being resolved is part of an AFS PAG, and if so, returns a name for the group of the form afspag-1106112751.

Obviously, if you're using the kernel keyring support, you don't need nss_afspag, but kernel keyring support doesn't seem to be used everywhere quite yet.

This works for platforms where PAGs are represented in a single 32-bit GID in the range 0x41000000..0x41ffffff, because you can generally tell only from the GID whether it's intended to indicate a PAG. That includes recent Linux and a couple of other platforms as well.
This approach will not work as well on older platforms where the PAG is represented in a pair of groups, and the primary way of knowing they are intended to represent a PAG is that they're in the first two slots of the group list (an approach that doesn't work on newer Linux kernels which insist that the supplementary group list be sorted by GID).
Still, there are plenty of systems where this does work, and it's a clever idea. Thanks for sharing.
-- Jeff
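
Added example, not part of either message and not libnss-afspag's own code: a sketch of the two lookups such a module has to answer for the single-GID case described in the reply, using the 0x41000000..0x41ffffff range and the afspag-<gid> name form from the thread. The function names are hypothetical and the older two-GID encoding is not handled; the name-to-GID direction accepts only the canonical decimal form, so a string such as afspag-0 can never resolve to a real group.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Single-GID PAG range as stated in the reply (assumed to be the only encoding). */
#define PAG_GID_MIN 0x41000000u
#define PAG_GID_MAX 0x41ffffffu
#define PAG_PREFIX  "afspag-"

/* GID -> name (the getgrgid direction). Returns 0 on success, -1 if gid is
 * outside the PAG range or buf is too small. Hypothetical helper. */
static int pag_gid_to_name(gid_t gid, char *buf, size_t len)
{
    if ((uint32_t)gid < PAG_GID_MIN || (uint32_t)gid > PAG_GID_MAX)
        return -1;
    int n = snprintf(buf, len, PAG_PREFIX "%lu", (unsigned long)gid);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Name -> GID (the getgrnam direction). Rejects signs, whitespace, leading
 * zeros, trailing bytes and any value outside the PAG range. */
static int pag_name_to_gid(const char *name, gid_t *out)
{
    size_t plen = strlen(PAG_PREFIX);
    if (strncmp(name, PAG_PREFIX, plen) != 0)
        return -1;
    const char *digits = name + plen;
    if (digits[0] < '1' || digits[0] > '9')
        return -1;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(digits, &end, 10);
    if (errno != 0 || *end != '\0' || v < PAG_GID_MIN || v > PAG_GID_MAX)
        return -1;
    *out = (gid_t)v;
    return 0;
}

int main(void)
{
    char buf[32];
    gid_t g;
    if (pag_gid_to_name(1106112751u, buf, sizeof buf) == 0 && pag_name_to_gid(buf, &g) == 0)
        printf("%s <-> %lu\n", buf, (unsigned long)g);
    return 0;
}
```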
