[OpenAFS] ACL for single files

Derek Atkins warlord@MIT.EDU
Wed, 15 Sep 2004 09:59:38 -0400


Sensei <senseiwa@tin.it> writes:

> On Wed, 2004-09-15 at 15:04, Derek Atkins wrote:
>> The short answer is: no, you cannot set ACLs on files.  To handle this
>> particular create a Public directory, setacl Public to system:anyuser
>> rl, move your .bashrc into Public, and symlink .bashrc from your
>> homedir to your Public dir.
>
> It doesn't work nicely. Most of the time it waits, gives an error on X
> authority and then it gets the token, so bashrc is read (from the public
> directory).

Ok, this is going on because you're running xauth before aklog, and it
can't write the XAUTHORITY file because your homedir isn't accessible.
This means your ONLY option is to get PAM working.

>> Or you can change your login system to get tokens during the login
>> process (ala PAM).
>
> It would be quite nice, but I did NOT succeed in doing it. I use SSH
> From ssh.com, using kerberos tgt authentication (we need it), and
> pam_openafs_session (it runs aklog).
>
> OpenSSH didn't work (any version with any patch) passwordless, so I used
> ssh.com, but it seems that it won't use the pam session (optional) for
> aklog.
>
> If anyone ever succeeded in compiling openssh with passwordless k5
> ticket passing and having successfully opened a session with
> pam_openafs_session, well please let me know!!!

It works for lots of people.  Most likely you're running a version of
OpenSSH that specifically disables that feature, or you don't have it
set up properly.  Go through the archives of this list to find patches
and configurations for successful OpenSSH + AFS setup.

-derek
-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available