[OpenAFS] Re: foreign-realm members of system:administrators
have weakened powers?
Jeffrey Hutzelman
jhutz@cmu.edu
Fri, 27 Jan 2006 15:15:51 -0500
On Thursday, January 26, 2006 10:00:42 PM -0800 Adam Megacz
<megacz@cs.berkeley.edu> wrote:
>
> Jeffrey Hutzelman <jhutz@cmu.edu> writes:
>>>>> using my "main" principal -- I executed these commands while holding
>>>>> tokens for megacz@megacz.com in cell research.cs.berkeley.edu:
>>>>> $ pts creategroup project.sbp system:administrators -cell
>>>>> research.cs.berkeley.edu pts: Permission denied ; unable to create
>>>>> group project.sbp with id 0 owned by 'system:administrators'
>>>
>>>> Since you've shown that megacz@megacz.com is clearly a member of s:a,
>>>> my first guess is that for some reason your request was not really
>>>> authenticated as megacz@megacz.com. I suggest looking at the logs;
>>>> there should be a log message corresponding to the attempt which will
>>>> tell you the parameters used and who the ptserver actually thought you
>>>> were.
>>
>> No; I think you're just not running with enough debugging.
>> The interesting message happens at LogLevel >= 25.
>
> megacz@maxwell:~$kinit megacz@MEGACZ.COM
> Please enter the password for megacz@MEGACZ.COM:
> megacz@maxwell:~$aklog -c research.cs.berkeley.edu
> megacz@maxwell:~$pts creategroup project.test system:administrators -cell
> research.cs.berkeley.edu pts: Permission denied ; unable to create group
> project.test with id 0 owned by 'system:administrators'
>
> Fri Jan 27 05:58:36 2006 Set Debug On level = 25
[...]
> Fri Jan 27 05:59:10 2006 PTS_NewEntry: code 267269 cid -204 aid
> -1212129404 aname project.test oid -204
Congratulations; you have found a bug. There is code in the ptserver which
allows cross-realm users to create their own PTS entries, under certain
circumstances. Such entries are always recorded with creator
system:administrators, which is the only time a _group_ appears as the
creator of an entry (except perhaps for certain entries created during
database creation). An unintended side-effect of this code is that users
from foreign realms cannot be treated as administrators for the purpose of
creating PTS entries.
I have a fix in mind for this; if you forward this message to
openafs-bugs@openafs.org and CC me, I will try to get you a patch shortly.
-- Jeff