[OpenAFS] foreign-realm members of system:administrators have weakened powers?
Jeffrey Hutzelman
jhutz@cmu.edu
Wed, 25 Jan 2006 14:44:10 -0500
On Tuesday, January 24, 2006 08:35:59 PM -0800 Adam Megacz
<megacz@cs.berkeley.edu> wrote:
>
> Hrm, I thought that any member of system:administrators could create
> pts groups with arbitrary ownership, but it seems that I can't do this
> using my "main" principal -- I executed these commands while holding
> tokens for megacz@megacz.com in cell research.cs.berkeley.edu:
>
> $ pts membership system:administrators -cell research.cs.berkeley.edu
> Members of system:administrators (id: -204) are:
> afsadmin
> megacz@megacz.com
> megacz@eecs.berkeley.edu
>
> $ pts creategroup project.sbp system:administrators -cell research.cs.berkeley.edu
> pts: Permission denied ; unable to create group project.sbp with id 0 owned by 'system:administrators'
>
> Are there some powers that are withheld from administrators using a
> cross-realm pts id? The command succeeds when authenticated as
> afsadmin.

As far as I can tell, the ptserver does not withhold any powers (admin or
otherwise) from foreign users, provided they are properly registered in the
database.

A foreign user cannot be the owner of a normal group, but that is because
the ptserver's naming policy requires normal groups to have the user's name
as a prefix, and does not permit group names containing an '@' except for
the foreign-cell authuser groups. But this is a result of applying the
standard rules, and does not result from a check on whether the creator is
a foreign user.

Since you've shown that megacz@megacz.com is clearly a member of s:a, my
first guess is that for some reason your request was not really
authenticated as megacz@megacz.com. I suggest looking at the logs; there
should be a log message corresponding to the attempt which will tell you
the parameters used and who the ptserver actually thought you were.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA