[OpenAFS] PAGs and group ids

FB fbo2@gmx.net
Wed, 6 Jun 2007 16:52:25 +0200


Hi,

On Tue, Jun 05, 2007 at 11:42:19AM -0400, Christopher Allen Wing wrote:
> There is no good, portable way to do this.  The traditional way that OpenAFS kept track of PAGs was to 
> assign a 24-bit identifier; this is then extended to a 32-bit integer by setting the first 8 bits to the 
> ASCII value 'A' (for "AFS"), and letting the last 24 bits be the PAG ID.
> 
> This number is then encoded into the two special group IDs to make it less likely that someone might 
> accidentally end up with group IDs that happen to map to a PAG.  See: (inside the OpenAFS source)

Yes, that's what I used until now.

[snip]

> Some linux systems may not use the keyring; in that case, recent openafs uses only a single group ID instead 
> of two group IDs to represent the PAG. Here, the single group ID is equal to the 32-bit PAG identifier.  
> (i.e., the first 8 bits are equal to ASCII 'A' as mentioned previously)

Perfect - that's exactly what I was looking for.

[snip]

> I suppose that it might be an option to add a utility program to OpenAFS at some point to determine this 
> information.  Out of curiosity, what are you trying to do that requires this?

I wrote a NSS-plugin (*) which assigns Names like "AfsPag..." to group IDs
which are expressing a PAG membership. It's just for not having mysterious
numbers in the /usr/bin/groups output.

Thank you very much,

Frank

(*) The plugin is part of the libnss-ptdb package which can be used to prevent
    ldap/nis/... in AFS-cells.