Everything works fine up to a point: I can set up a FOREIGN.REALM group (in this case system:[email protected]) and add users to it. However, when I try to add the group to the ACLs of the /afs tree, it adds the group system:authuser instead. These are the steps, with me authenticated as the user in iu.edu (no trust relationships):
[root@afs1c afs]# pts creategroup -name system:[email protected] -owner system:administrators
[root@afs1c afs]# pts setfields system:[email protected] -groupquota 50 -noauth
[root@afs1c afs]# pts adduser -user dantolov -group system:[email protected] -noauth
[root@afs1c afs]# pts examine system:[email protected] -noauth
Name: system:[email protected], id: -207, owner: system:administrators, creator: dantolov, membership: 1, flags: S-M--, group quota: 50.
[root@afs1c afs]# pts membership system:[email protected] -noauth
Members of system:[email protected] (id: -207) are:
  dantolov
[root@afs1c afs]# fs setacl -dir /afs/afs1.bedrock.iu.edu -acl system:[email protected] rliwdka
[root@afs1c afs]# fs listacl /afs/afs1.bedrock.iu.edu
Access list for /afs/afs1.bedrock.iu.edu is
Normal rights:
  system:administrators rlidwka
  system:authuser rlidwka
  system:anyuser rl

Predictably, when I authenticate as a foreign user (via trust), I can't touch the files in /afs/afs1.bedrock.iu.edu.

Can you spot what I'm missing?

Thanks,
Danko Antolovic

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Andrew Deason
Sent: Friday, July 15, 2011 4:18 PM
To: [email protected]
Subject: [OpenAFS] Re: OpenAFS and AD trusts

On Fri, 15 Jul 2011 15:58:12 -0400
"Danko Antolovic" <[email protected]> wrote:

> If I understand the documentation correctly, there needs to be one
> group, named precisely system:[email protected], which will
> contain all the users from foreign realms:
> [...]
> http://docs.openafs.org/AdminGuide/ch02s03.html

The "FOREIGN.REALM" part of that is in italics on that page, which means it is not a literal string, but should be replaced. You need to put the name of the foreign realm in the place of FOREIGN.REALM. There is one such group for each foreign realm you grant access to, and granting rights to it grants rights to everyone in that particular foreign realm.

> Also, on a naïve note, how do you create a group with the ownership
> "system"? I am working as an admin, of course, but pts creategroup
> throws up the message "Badly formed name (group prefix doesn't match
> owner?)" regardless of what I do.

pts creategroup system:authuser@whatever -owner system:administrators

--
Andrew Deason
[email protected]

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
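The listing in the thread shows the failure mode worth checking for after every `fs setacl` on a cross-realm group: the entry the admin asked for (the per-realm `system:authuser@REALM` group) is not on the ACL, while the generic `system:authuser` group, which is every authenticated user of the local cell, holds full rights. The script below is an added example written for this page; it is not code from the thread or from OpenAFS. It takes the text of `fs listacl DIR`, reports whether the named foreign-realm group is actually present, and flags write-class rights on `system:authuser`. The two listings embedded in it are constructed to mirror the thread's output, and `FOREIGN.REALM` is a placeholder for the real realm name, as the reply above says it must be replaced.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenAFS. Post-checks an AFS
# directory ACL: did `fs setacl` really add the foreign-realm group you named,
# or did the rights land on the generic system:authuser group (every local
# authenticated user), as in the listing in the post? Input is `fs listacl DIR`
# output passed as a string.

# Constructed sample listing, shaped like the one in the post: the foreign
# group is absent and system:authuser holds full rights.
SAMPLE_BAD='Access list for /afs/afs1.bedrock.iu.edu is
Normal rights:
  system:administrators rlidwka
  system:authuser rlidwka
  system:anyuser rl'

# Constructed listing of the intended result. FOREIGN.REALM is a placeholder
# for the actual Kerberos realm name; the reply above says it must be replaced.
SAMPLE_GOOD='Access list for /afs/afs1.bedrock.iu.edu is
Normal rights:
  system:administrators rlidwka
  system:authuser@FOREIGN.REALM rlidwka
  system:anyuser rl'

# acl_rights LISTING NAME: print the rights string for NAME; exit 1 if absent.
# Matches on the whole first field, so system:authuser does not match
# system:authuser@FOREIGN.REALM or vice versa.
acl_rights() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == name { print $2; found = 1 }
        END { exit !found }'
}

# check_foreign_group LISTING GROUP: 0 if GROUP is on the ACL, else 1.
check_foreign_group() {
    if rights=$(acl_rights "$1" "$2"); then
        echo "ok: $2 has $rights"
        return 0
    fi
    echo "missing: $2 is not on the ACL; users of that realm get no rights from it"
    return 1
}

# authuser_has_write LISTING: 0 if system:authuser holds any of i/d/w/k/a,
# i.e. rights meant for one foreign realm are open to all local users.
authuser_has_write() {
    rights=$(acl_rights "$1" system:authuser) || return 1
    case $rights in
        *[idwka]*) echo "warning: system:authuser holds $rights"; return 0 ;;
        *) return 1 ;;
    esac
}

# Real-world use, right after `fs setacl` (requires an AFS client and tokens):
#   check_foreign_group "$(fs listacl /afs/afs1.bedrock.iu.edu)" system:authuser@FOREIGN.REALM
#   authuser_has_write "$(fs listacl /afs/afs1.bedrock.iu.edu)"
```

Run against the thread's listing, `check_foreign_group` reports the foreign group missing and `authuser_has_write` warns about `rlidwka` on `system:authuser`; against the intended listing both checks are quiet. Treating a non-zero `check_foreign_group` as a failed change, rather than trusting that `fs setacl` returned 0, is the point: the command in the post printed no error, and only the follow-up `fs listacl` revealed that the wrong principal got the rights.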
