Re: [OpenAFS] NoAuth not working?

2023-05-02 Thread Jeffrey E Altman

On 5/2/2023 4:42 PM, Ben Huntsman ([email protected]) wrote:

> Hi Jeffrey-
>    Thank you for the quick reply!  If I understand you correctly, that
> essentially means that there's no way to access the /afs filespace
> without setting up some sort of authentication infrastructure, even in
> an "emergency" basis.
>
>    Thank you!
>
> -Ben



Did you try adding "anonymous" to the "system:administrators" group?







Re: [OpenAFS] NoAuth not working?

2023-05-02 Thread Ben Huntsman
Hi Jeffrey-
   Thank you for the quick reply!  If I understand you correctly, that 
essentially means that there's no way to access the /afs filespace without 
setting up some sort of authentication infrastructure, even in an "emergency" 
basis.

   Thank you!

-Ben





From: Jeffrey E Altman
Sent: Tuesday, May 2, 2023 11:44 AM
To: Ben Huntsman; [email protected]
Subject: Re: [OpenAFS] NoAuth not working?

On 5/2/2023 12:32 PM, Ben Huntsman ([email protected]) wrote:
> Hi there!
>    I'm trying to test a few things without having all the kerberos and
> auth stuff in place.  I run the following command:
>
> bos setauth  off
>
>    I'm using Transarc paths, so this creates the NoAuth file in
> /usr/afs/local.  bosserver is running with -noauth.  I am logged in as
> a user who is listed in UserList.

The NoAuth file only applies to services that rely upon the UserList for
authorization (bosserver, vlserver and volserver) or that have an
explicit check (ptserver).  It does not include services that have an
ACL based model such as the fileserver.   The ptserver only checks
at startup so the service needs to be restarted after the NoAuth file is
created.


> However, I still can't run fs setacl commands, nor even do an ls of
> /afs.  I get various messages such as:
>
> fs: You don't have the required access rights on '/afs'
> ls: /afs: The file access permissions do not allow the specified action.

Correct because the authorization decisions are made based upon the
authenticated identity and the contents of the applicable ACL.


The NoAuth(5) man page is incorrect when it implies that all AFS server
processes running on the machine look for it.

>
>    Do I have to do something else to get afsd to skip permissions checks?

I have not tried it but after restarting the ptserver with NoAuth in
place you might try adding "anonymous" to the "system:administrators" group.

>
>    Again, this is just for testing.  But it appears that the NoAuth
> file is not honored.
>
> Thank you!
>
> -Ben
>
Anytime.


Jeffrey Altman




Re: [OpenAFS] NoAuth not working?

2023-05-02 Thread Jeffrey E Altman

On 5/2/2023 12:32 PM, Ben Huntsman ([email protected]) wrote:

> Hi there!
>    I'm trying to test a few things without having all the kerberos and
> auth stuff in place.  I run the following command:
>
> bos setauth  off
>
>    I'm using Transarc paths, so this creates the NoAuth file in
> /usr/afs/local.  bosserver is running with -noauth.  I am logged in as
> a user who is listed in UserList.

The NoAuth file only applies to services that rely upon the UserList for
authorization (bosserver, vlserver and volserver) or that have an
explicit check (ptserver).  It does not include services that have an
ACL based model such as the fileserver.   The ptserver only checks
at startup so the service needs to be restarted after the NoAuth file is
created.

> However, I still can't run fs setacl commands, nor even do an ls of
> /afs.  I get various messages such as:
>
> fs: You don't have the required access rights on '/afs'
> ls: /afs: The file access permissions do not allow the specified action.

Correct because the authorization decisions are made based upon the
authenticated identity and the contents of the applicable ACL.

The NoAuth(5) man page is incorrect when it implies that all AFS server
processes running on the machine look for it.

>    Do I have to do something else to get afsd to skip permissions checks?

I have not tried it but after restarting the ptserver with NoAuth in
place you might try adding "anonymous" to the "system:administrators" group.

>    Again, this is just for testing.  But it appears that the NoAuth
> file is not honored.
>
> Thank you!
>
> -Ben

Anytime.


Jeffrey Altman
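
The scope described in the message above, as an added example that is not part of the original message: a POSIX shell check that reports which server processes a NoAuth file affects and exits non-zero when one is present. The default directory is the Transarc path from the thread; the function names, the use of the file's mtime as its creation time, and the Linux procps `pgrep`/`ps -o etimes=` calls are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU or BSD stat.

# Modification time of a file in epoch seconds (GNU stat first, then BSD).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Start time of the running ptserver in epoch seconds (Linux procps assumed).
ptserver_start() {
    pid=$(pgrep -x ptserver | head -n 1)
    [ -n "$pid" ] && echo $(( $(date +%s) - $(ps -o etimes= -p "$pid") ))
}

# noauth_report LOCAL_DIR PTSERVER_START_EPOCH
# Prints one "service: status" line per server process.
# Returns 1 when a NoAuth file is present, 0 otherwise.
noauth_report() {
    dir=${1:-/usr/afs/local}
    pt_start=$2
    if [ ! -e "$dir/NoAuth" ]; then
        for svc in bosserver vlserver volserver ptserver fileserver; do
            echo "$svc: authorization enforced (no NoAuth file)"
        done
        return 0
    fi
    # mtime is used as an approximation of when NoAuth was created.
    created=$(file_mtime "$dir/NoAuth")
    # Services that authorize against the UserList honour NoAuth.
    for svc in bosserver vlserver volserver; do
        echo "$svc: UserList check DISABLED by NoAuth"
    done
    # ptserver looks for NoAuth only at startup.
    if [ -n "$pt_start" ] && [ "$pt_start" -ge "$created" ]; then
        echo "ptserver: check DISABLED (started after NoAuth was created)"
    else
        echo "ptserver: has not (re)started since NoAuth was created"
    fi
    # The fileserver decides from the authenticated identity and the ACL.
    echo "fileserver: ACL checks still enforced"
    return 1
}
```

Run it as `noauth_report /usr/afs/local "$(ptserver_start)"`; a non-zero exit status means a NoAuth file is still in place after testing.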






[OpenAFS] NoAuth not working?

2023-05-02 Thread Ben Huntsman
Hi there!
   I'm trying to test a few things without having all the kerberos and auth 
stuff in place.  I run the following command:

bos setauth  off

   I'm using Transarc paths, so this creates the NoAuth file in /usr/afs/local. 
 bosserver is running with -noauth.  I am logged in as a user who is listed in 
UserList.  However, I still can't run fs setacl commands, nor even do an ls of 
/afs.  I get various messages such as:

fs: You don't have the required access rights on '/afs'
ls: /afs: The file access permissions do not allow the specified action.

   Do I have to do something else to get afsd to skip permissions checks?

   Again, this is just for testing.  But it appears that the NoAuth file is not 
honored.

Thank you!

-Ben




Re: [OpenAFS] -noauth not working

2003-08-14 Thread Derrick J Brashear
> > I've found no "-localauth" parameter to the "pts" command.
> > However it is clear now. If I understand it right, the "-noauth" is
> > available only if bosserver was started with "noauth" parameter too.
> > thanks
>
> True, pts does not provide -localauth.  I do not know why.  Many
> of the other commands do.

I think ptclient does, but of course the interface is different.

___
OpenAFS-info mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] -noauth not working

2003-08-14 Thread Lukas Kubin
On Mon, 11 Aug 2003, Derek Atkins wrote:

> Lukas Kubin <[EMAIL PROTECTED]> writes:
>
> > Partly answering myself: I've already found a way to put the user back
> > into system:administrators group by temporarily disabling authorization
> > checking (command 'bos setauth serverhostname off').
> > But still I don't know why the '-noauth' parameter doesn't work?
>
> I think what you really want is "-localauth", not noauth...

I've found no "-localauth" parameter to the "pts" command.
However it is clear now. If I understand it right, the "-noauth" is
available only if bosserver was started with "noauth" parameter too.
thanks

lukas

>
> > lukas
>
> -derek
>
> > On Mon, 11 Aug 2003, Lukas Kubin wrote:
> >
> > > By a mistake I removed my user with administrative rights from
> > > system:administrators group in pts database. After finding that I wanted
> > > to add it back on the database server locally using the -noauth parameter
> > > to pts command. But it returned:
> > >
> > > pts: Permission denied
> > >
> > > Now the only user I have in system:administrators is user user/admin which
> > > doesn't work. If I get credentials for that user, it doesn't help.
> > > How should I solve this situation?
> > >
> > > Thank you.
> > >
> > > lukas
> > >
> > > --
> > > Lukas Kubin
> > >
> > > phone: +420596398285
> > > email: [EMAIL PROTECTED]
> > >
> > > Information centre
> > > The School of Business Administration in Karvina
> > > Silesian University in Opava
> > > Czech Republic
> > > http://www.opf.slu.cz
> > >
> >
> > --
> > Lukas Kubin
> >
> > phone: +420596398285
> > email: [EMAIL PROTECTED]
> >
> > Information centre
> > The School of Business Administration in Karvina
> > Silesian University in Opava
> > Czech Republic
> > http://www.opf.slu.cz
> >
>
> --
>Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>Member, MIT Student Information Processing Board  (SIPB)
>URL: http://web.mit.edu/warlord/PP-ASEL-IA N1NWH
>[EMAIL PROTECTED]PGP key available
>
>

-- 
Lukas Kubin

phone: +420596398285
email: [EMAIL PROTECTED]

Information centre
The School of Business Administration in Karvina
Silesian University in Opava
Czech Republic
http://www.opf.slu.cz

