On Tuesday, January 24, 2006 08:35:59 PM -0800 Adam Megacz <[EMAIL PROTECTED]> wrote:


Hrm, I thought that any member of system:administrators could create
pts groups with arbitrary ownership, but it seems that I can't do this
using my "main" principal -- I executed these commands while holding
tokens for [EMAIL PROTECTED] in cell research.cs.berkeley.edu:

  $ pts membership system:administrators -cell research.cs.berkeley.edu
  Members of system:administrators (id: -204) are:
    afsadmin
    [EMAIL PROTECTED]
    [EMAIL PROTECTED]

  $ pts creategroup project.sbp system:administrators -cell research.cs.berkeley.edu
  pts: Permission denied ; unable to create group project.sbp with id 0 owned by 'system:administrators'

Are there some powers that are withheld from administrators using a
cross-realm pts id?  The command succeeds when authenticated as
afsadmin.

As far as I can tell, the ptserver does not withhold any powers (admin or otherwise) from foreign users, provided they are properly registered in the database.

A foreign user cannot be the owner of a normal group, but that is because the ptserver's naming policy requires normal groups to have the user's name as a prefix, and does not permit group names containing an '@' except for the foreign-cell authuser groups. But this is a result of applying the standard rules, and does not result from a check on whether the creator is a foreign user.

Since you've shown that [EMAIL PROTECTED] is clearly a member of s:a, my first guess is that for some reason your request was not really authenticated as [EMAIL PROTECTED]. I suggest looking at the logs; there should be a log message corresponding to the attempt which will tell you the parameters used and who the ptserver actually thought you were.

-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
  Sr. Research Systems Programmer
  School of Computer Science - Research Computing Facility
  Carnegie Mellon University - Pittsburgh, PA

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
