[OpenAFS] correct usage of supergroups

scorch scorch@muse.net.nz
Tue, 11 Oct 2005 01:03:11 +0200

dear AFSers

I have some questions about supergroup functionality. I'd expected that 
I could create the following:

Access list for /afs/.muse.net.nz/pub/images is
Normal rights:
   write:images rlidwk
   admin:images rlidwka
   read:images rl

This mirrors how security is currently set up on a large Windows 
environment. It helps with migrating the permissions via script & keeping the 
existing controls of who can change permissions in place: users can 
control the membership of groups, but not the permissions themselves.

and then have membership of each group as follows:
$ pts mem admin:images
Members of admin:images (id: -212) are:

$ pts mem read:images
Members of read:images (id: -211) are:

$ pts mem write:images
Members of write:images (id: -213) are:

However, this doesn't give the expected result: nobody can read the 
volume, & joeuser can't write.

I have created 3 dummy PTS accounts (read, write, admin) to own the 
various groups; this is just for neatness' sake.

OpenAFS is on OpenBSD 3.7 & windows, running 1.4 rc6, using
./configure --enable-transarc-paths --enable-fast-restart 
--enable-bitmap-later --quiet --enable-debug --enable-bos-new-config 
--enable-supergroups --enable-namei-fileserver --disable-kernel-module

-> windows client is 1.4 rc6
-> openbsd clients are all arla from 3.7 release

4 questions:
Does anybody use supergroups?
Am I using them correctly?
Is there any other information I could collect that would help?
Are there any other docs other than the wiki for reference? Google 
doesn't return much.

cheers, scorch
out of the frying pan and into the fire
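A small Python model of how the rights in the ACL above are evaluated, added here as an illustration and not part of the post or of OpenAFS: the ACL text is the listing from the post, the group membership is constructed (the post's own pts output shows none), and the `supergroups` flag toggles whether a user's membership in a nested group is expanded up to the enclosing groups, which is what the ACL scheme in the post relies on.

```python
from collections import deque

RIGHTS = "rlidwka"   # read, lookup, insert, delete, write, lock, administer

# ACL listing copied from the post (output of 'fs listacl').
ACL_TEXT = """\
Access list for /afs/.muse.net.nz/pub/images is
Normal rights:
   write:images rlidwk
   admin:images rlidwka
   read:images rl
"""

# Constructed membership (assumption, not from the post): the three ACL groups
# contain other groups rather than users, i.e. they are supergroups.
MEMBERS = {
    "read:images": {"everyone:muse"},
    "write:images": {"staff:images"},
    "admin:images": {"it:admins"},
    "everyone:muse": {"joeuser", "alice"},
    "staff:images": {"joeuser"},
    "it:admins": {"alice"},
}

def parse_acl(text):
    """Return {entry: set(rights)} from 'fs listacl' output (normal rights only)."""
    acl = {}
    for line in text.splitlines():
        if line.startswith("Negative rights"):
            break                       # negative entries are not modelled here
        parts = line.split()
        if len(parts) == 2 and set(parts[1]) <= set(RIGHTS):
            acl[parts[0]] = set(parts[1])
    return acl

def groups_of(user, members, supergroups):
    """Groups whose membership confers rights on the user (its CPS)."""
    found, queue = set(), deque([user])
    while queue:
        principal = queue.popleft()
        for group, direct in members.items():
            if principal in direct and group not in found:
                found.add(group)
                if supergroups:         # a nested group expands to its parents
                    queue.append(group)
    return found

def effective_rights(user, acl, members, supergroups=True):
    """Union of the ACL rights granted to the user and to every group in its CPS."""
    principals = {user} | groups_of(user, members, supergroups)
    granted = set().union(*(acl.get(p, set()) for p in principals))
    return "".join(c for c in RIGHTS if c in granted)

ACL = parse_acl(ACL_TEXT)
```

With expansion on, joeuser reaches write:images through staff:images and gets rlidwk; with it off, joeuser's direct groups appear nowhere on the ACL and the result is no rights at all, which is the symptom the post describes.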