[OpenAFS-devel] nss_afspag

Jeffrey Hutzelman jhutz@cmu.edu
Thu, 25 Oct 2007 16:33:40 -0400


On Monday, October 15, 2007 11:06:54 PM -0400 Tim Abbott <tabbott@MIT.EDU> 
wrote:

> On Linux, AFS stores its PAG information in one or two fake GIDs.
> Unfortunately, AFS doesn't give the fake GIDs names, and thus a number of
> tools (like groups) get confused and return errors, for example:
>
> $ groups > /dev/null
> id: cannot find name for group ID 1106112751
>
> This results in various programs that run groups (including WinSCP)
> failing unnecessarily.
>
> We created an NSS module, libnss-afspag, to give the AFS PAG fake GIDs
> names.  libnss-afspag works by using the AFS's algorithm to check whether
> the GID being resolved is part of an AFS PAG, and if so, returns a name
> for the group of the form afspag-1106112751.
>
> Obviously, if you're using the kernel keyring support, you don't need
> nss_afspag, but kernel keyring support doesn't seem to be used everywhere
> quite yet.

This works for platforms where PAGs are represented in a single 32-bit GID 
in the range 0x41000000..0x41ffffff, because you can generally tell only 
from the GID whether it's intended to indicate a PAG.  That includes recent 
Linux and a couple of other platforms as well.

This approach will not work as well on older platforms where the PAG is 
represented in a pair of groups, and the primary way of knowing they are 
intended to represent a PAG is that they're in the first two slots of the 
group list (an approach that doesn't work on newer Linux kernels which 
insist that the supplementary group list be sorted by GID).


Still, there are plenty of systems where this does work, and it's a clever 
idea.  Thanks for sharing.

-- Jeff