[OpenAFS] foreign-realm members of system:administrators have weakened powers?

Adam Megacz megacz@cs.berkeley.edu
Tue, 24 Jan 2006 20:35:59 -0800

Hrm, I thought that any member of system:administrators could create
pts groups with arbitrary ownership, but it seems that I can't do this
using my "main" principal -- I executed these commands while holding
tokens for megacz@megacz.com in cell research.cs.berkeley.edu:

  $ pts membership system:administrators -cell research.cs.berkeley.edu
  Members of system:administrators (id: -204) are:

  $ pts creategroup project.sbp system:administrators -cell research.cs.berkeley.edu
  pts: Permission denied ; unable to create group project.sbp with id 0 owned by 'system:administrators'

Are there some powers that are withheld from administrators using a
cross-realm pts id?  The command succeeds when authenticated as

  - a

PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380