Still can't assign privileges to foreign groups and users with the "fs
setacl" command:
[root@afs1c openafs-1.6.0]# fs listacl /afs/afs1.bedrock.iu.edu
Access list for /afs/afs1.bedrock.iu.edu is
Normal rights:
system:administrators rlidwka
[root@afs1c openafs-1.6.0]# fs setacl -dir /afs/afs1.bedrock.iu.edu
-acl [email protected] rlidwka
[root@afs1c openafs-1.6.0]# fs setacl -dir /afs/afs1.bedrock.iu.edu
-acl system:[email protected] rlidwka
[root@afs1c openafs-1.6.0]# fs listacl /afs/afs1.bedrock.iu.edu
Access list for /afs/afs1.bedrock.iu.edu is
Normal rights:
system:administrators rlidwka
system:authuser rlidwka
dantolov rlidwka
Is the "@" syntax implemented in the "fs setacl" command? It looks as
if only the first half of the foreign user/group name was considered.
What am I missing?
Danko Antolovic
Danko Antolovic wrote:
Well yes, the group system:[email protected] does exist:
[root@afs1c afs]# pts listentries -groups -noauth
Name ID Owner Creator
system:administrators -204 -204 -204
system:backup -205 -204 -204
system:anyuser -101 -204 -204
system:authuser -102 -204 -204
system:ptsviewers -203 -204 -204
system:[email protected] -207 -204 2
Also, system:[email protected] was created by 2, which is me as admin,
so it was there before my aklog as foreign user. Is the foreign-realm
group something that needs to be set in advance, or is that part of
the automatic registration thing?
And yes, as foreign user [email protected], I lack the "rlidwka" rights
to the cell directory /afs/afs1.bedrock.iu.edu. All I can do is "rl"
Danko
Andrew Deason wrote:
On Thu, 15 Sep 2011 11:10:40 -0400
Danko Antolovic <[email protected]> wrote:
However, this does not let me touch the files in the cell. Trying to
add the foreign-realm group to the directory ACL, like this:
[root@afs1c afs]# fs setacl -dir /afs/afs1.bedrock.iu.edu -acl
system:[email protected] rlidwka
does not seem to work, and just adds the group system:authuser to
the ACL once more:
To be clear: this is supposed to work (and does for me, here). Have you
been changing around the names or IDs of these groups?
system:[email protected] doesn't appear to exist anymore.
This would suggest something along the way is screwing up the id<->name
mapping, but that may not necessarily prevent the actual access from
working. Are you actually lacking those rights? (that is, when trying to
do one of those operations)
You can look at a network dump to verify what names are going across the
wire, to see if the setacl and listacl requests are what you think
they are. You don't need to be familiar with the protocol or anything;
it should be pretty easy to see where the acl data is (it is transmitted
in the clear, when 'fs crypt' is turned off).
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
