[OpenAFS] Re: fileserver user CPS duration

Andrew Deason adeason@sinenomine.net
Tue, 3 Sep 2013 10:45:30 -0500

On Tue, 3 Sep 2013 10:20:24 -0400 (EDT)
stephen@physics.unc.edu wrote:

> Thanks for the explanation.
> The use case I was thinking of is exactly what you mention: revoking
> someone's rights by removing them from a group. Right or wrong, users'
> expectations seem to be "I removed a user from a group, s/he is
> immediately denied access to the affected directories."

I don't mean it's "wrong"; I just mean, if they're surprised by that,
they're in for some surprises on other systems, too. (e.g. Unix groups;
and I thought AD put your group info in the similarly-session-y PAC.)

> What's the 1.6.6 command to recalculate user CPSes, just for my 
> edification?

The command is called 'cacheout'. It's not new to 1.6.6, and has existed
for a long time, but it's been one of those utilities that was only
mostly-implemented. Using it for this purpose will not work in many
cases when used against servers running 1.6.5 or earlier. It's kinda in
the process of turning into a "real" command now, and should be useful
for this as of 1.6.6, assuming certain patches intended for 1.6.6 do not
get pulled out.

It's probably not packaged with whatever you're using, but it's in
src/venus/cacheout if you want to look at it.

Andrew Deason