[OpenAFS] Re: OpenAFS and AD trusts
Andrew Deason
adeason@sinenomine.net
Fri, 16 Sep 2011 15:13:02 -0500
On Fri, 16 Sep 2011 15:33:09 -0400
Danko Antolovic <dantolov@indiana.edu> wrote:
> Is the "@" syntax implemented in the "fs setacl" command? It looks as
> if only the first half of the foreign user/group name was considered.
Yes; to just alleviate your fears (if I were in your situation, I would
be skeptical that 'fs' accepted that syntax), I can certainly do this:
$ fs sa /afs/.localcell system:authuser@iu.edu l
$ fs la /afs/.localcell
Access list for /afs/.localcell is
Normal rights:
system:authuser@iu.edu l
system:administrators rlidwka
system:anyuser rl
> What am I missing?
I'm not sure how the pt database managed to get in this state, but
something appears pretty screwed up. Just to show you what this would
normally look like:
$ pts examine system:authuser
Name: system:authuser, id: -102, owner: system:administrators, creator: system:administrators,
membership: 0, flags: S-M--, group quota: 0.
$ pts examine system:authuser@iu.edu
Name: system:authuser@iu.edu, id: -5029, owner: system:administrators, creator: adeason,
membership: 0, flags: S-M--, group quota: 0.
But your cell looks like:
$ pts examine system:authuser -cell afs1.bedrock.iu.edu -noauth
Name: system:authuser, id: -102, owner: system:administrators, creator: system:administrators,
membership: 0, flags: S-M--, group quota: 0.
$ pts examine system:authuser@ads.iu.edu -cell afs1.bedrock.iu.edu -noauth
Name: system:authuser, id: -102, owner: system:administrators, creator: system:administrators,
membership: 0, flags: S-M--, group quota: 0.
Note that both groups appear to be pointing at the same id, even though
'listent -groups' lists a different one, suggesting that the ptdb is
corrupt, probably due to a name hash chain pointing at the wrong thing.
Do you have the tool prdb_check? Copy prdb.DB0, and run
'prdb_check prdb.DB0.copy'.
--
Andrew Deason
adeason@sinenomine.net
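An offline check for the symptom Andrew points at above (a `pts examine` of a cross-cell name that comes back with a different entry's Name and id). This is an added example, not code from the post or from OpenAFS; the two outputs embedded below are copied from the message, the healthy reference output is from Andrew's own cell listing, and the regular expression assumes the `Name: <name>, id: <id>, ...` line format shown there. The `examine_live` helper wraps the real `pts examine` invocation but is not exercised by the offline checks.

```python
"""Detect a ptdb name lookup that resolves to the wrong entry.

Added example, not part of the original post or of OpenAFS.
Assumptions: 'pts examine' prints a first line of the form
  Name: <name>, id: <id>, owner: ..., creator: ...,
followed by a membership/flags line, as quoted in the message.
"""
import re
import subprocess

# Constructed from the post: what afs1.bedrock.iu.edu returned for the local
# group and for the cross-cell group, keyed by the name that was queried.
SAMPLE_OUTPUT = {
    "system:authuser": (
        "Name: system:authuser, id: -102, owner: system:administrators, "
        "creator: system:administrators,\n"
        "membership: 0, flags: S-M--, group quota: 0.\n"
    ),
    "system:authuser@ads.iu.edu": (
        "Name: system:authuser, id: -102, owner: system:administrators, "
        "creator: system:administrators,\n"
        "membership: 0, flags: S-M--, group quota: 0.\n"
    ),
}

# Constructed from the post: what a healthy cell returns, where the
# cross-cell group is a distinct entry with its own (negative) group id.
HEALTHY_OUTPUT = {
    "system:authuser": SAMPLE_OUTPUT["system:authuser"],
    "system:authuser@iu.edu": (
        "Name: system:authuser@iu.edu, id: -5029, owner: system:administrators, "
        "creator: adeason,\n"
        "membership: 0, flags: S-M--, group quota: 0.\n"
    ),
}

# Name stops at the comma that separates the fields; id may be negative (groups).
_ENTRY_RE = re.compile(r"^Name:\s*(?P<name>[^,\s]+),\s*id:\s*(?P<id>-?\d+),", re.M)


def parse_examine(text):
    """Return (name, id) from 'pts examine' output, or None if it doesn't parse."""
    m = _ENTRY_RE.search(text)
    if not m:
        return None
    return m.group("name"), int(m.group("id"))


def examine_live(name, cell, noauth=True):
    """Run the real 'pts examine' for a name in a cell (requires AFS client tools).

    A nonexistent name makes pts exit non-zero, which raises CalledProcessError
    here; that is a different failure from the silent wrong-entry case checked below.
    """
    cmd = ["pts", "examine", name, "-cell", cell]
    if noauth:
        cmd.append("-noauth")
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def check_names(names, examine):
    """Query each name through examine(name) -> output text and report anomalies.

    Two independent signals of a corrupt name index are reported:
      * the entry returned carries a different Name than the one queried;
      * two different queried names resolve to the same id.
    Returns a list of problem strings; an empty list means the lookups are consistent.
    """
    problems = []
    seen = {}  # id -> first queried name that resolved to it
    for queried in names:
        parsed = parse_examine(examine(queried))
        if parsed is None:
            problems.append(f"{queried}: could not parse pts output")
            continue
        returned, ptsid = parsed
        if returned != queried:
            problems.append(f"{queried}: pts returned entry {returned!r} (id {ptsid})")
        if ptsid in seen and seen[ptsid] != queried:
            problems.append(f"{queried}: id {ptsid} already belongs to {seen[ptsid]!r}")
        seen.setdefault(ptsid, queried)
    return problems


if __name__ == "__main__":
    # Offline run over the constructed outputs; against a live cell you would pass
    # lambda n: examine_live(n, "afs1.bedrock.iu.edu") as the examine callable.
    for problem in check_names(list(SAMPLE_OUTPUT), SAMPLE_OUTPUT.__getitem__):
        print(problem)
```

Against a live cell this only confirms the user-visible symptom; it says nothing about which hash chain is wrong, which is what `prdb_check` on a copy of `prdb.DB0` is for.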