[OpenAFS] Problem with IP-Based ACLs

Todd M. Lewis Todd_Lewis@unc.edu
Thu, 03 May 2007 08:48:15 -0400


Adnoh wrote:
> Hello @all
> I'm new to afs and have a little problem which I'm not able to solve:
> 
> I'm using openafs 1.4.1-r1 on a Gentoo-Linux box. I've created a folder
> /afs/.mydomain/test and a pts user 192.168.0.1 + 192.168.10.1 and a pts
> group afshosts with these users as members.
> Then I "fs setacl /afs/.mydomain/test afshosts all".
> When I try to get to that dir from one of these hosts (unauthenticated) I
> get to /afs/.mydomain/ but when I want to get info on "test" I get
> permission denied.
> 
> Can someone explain to me why? Maybe I've misunderstood something...? I just
> want to allow every daemon running on those 2 hosts full access to that
> "test" folder.
> 
> Thanks for responses

It can take a couple of hours for file servers to become aware of IP group 
members. The process is fundamentally different for authenticated users 
vs. unauthenticated hosts, but think about it this way: if the file 
servers were to check every access for changes in IP group memberships in 
every directory, they would basically melt down your network and 
performance would fall through the floor. Instead, they slowly over time 
pick up those changes in what is generally a slow-moving target set of 
data, and after a couple of hours they have a pretty complete picture of 
what IP entities are in which groups.

Or think about it another way. When you become a member of a new group, 
you (may) have to re-authenticate for the change to take effect for ACLs 
in a given directory. Your group memberships are refreshed when you 
authenticate. Hosts don't authenticate, so there's no event to trigger 
refreshing their group memberships. So the file servers pick that up over 
time.

Or maybe I'm blowing smoke, but that's what I was told once.
-- 
    +--------------------------------------------------------------+
   / Todd_Lewis@unc.edu  919-445-9302  http://www.unc.edu/~utoddl /
  /            Atheism is a non-prophet organization.            /
+--------------------------------------------------------------+
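Added example, not from either poster: a small script that parses `fs listacl` output for the directory from the question and reports which rights the IP-host group (`afshosts`, hypothetical name taken from the question) actually ends up with, including the effect of negative entries. The ACL text embedded below is constructed; pipe real `fs listacl /afs/.mydomain/test` output into the script with `-` to check a live directory. Remember that a host-based entry grants access to anything unauthenticated on that host, and, as the reply above notes, file servers learn IP group membership only over time, so a correct ACL can still deny for a while.

```python
import sys

# The seven AFS directory rights and the shorthands fs setacl accepts.
RIGHTS = "rlidwka"
ALIASES = {"all": set(RIGHTS), "write": set("rlidwk"), "read": set("rl"), "none": set()}

def expand_rights(spec):
    """Turn 'all', 'read', 'write', 'none' or a letter string into a set of rights."""
    if spec in ALIASES:
        return set(ALIASES[spec])
    bad = set(spec) - set(RIGHTS)
    if bad:
        raise ValueError(f"unknown AFS rights {sorted(bad)} in {spec!r}")
    return set(spec)

def parse_listacl(text):
    """Parse `fs listacl` output into {'normal': {entity: rights}, 'negative': {...}}."""
    acl = {"normal": {}, "negative": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Normal rights:"):
            section = "normal"
        elif line.startswith("Negative rights:"):
            section = "negative"
        elif section and line:          # "  afshosts rlidwka"
            name, rights = line.split()
            acl[section][name] = expand_rights(rights)
    return acl

def effective_rights(acl, names):
    """Rights for an entity matching any of `names` (the pts user plus every
    group it belongs to): union of normal entries minus union of negative ones."""
    granted = set().union(*(acl["normal"].get(n, set()) for n in names))
    denied = set().union(*(acl["negative"].get(n, set()) for n in names))
    return granted - denied

def missing_rights(acl, names, wanted):
    """Which of the wanted rights the entity does NOT end up with."""
    return expand_rights(wanted) - effective_rights(acl, names)

# Constructed sample in the format fs listacl prints; names from the question.
SAMPLE = """Access list for /afs/.mydomain/test is
Normal rights:
  system:administrators rlidwka
  afshosts rlidwka
Negative rights:
  afshosts d
"""

if __name__ == "__main__":
    text = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE
    gap = missing_rights(parse_listacl(text), ["192.168.0.1", "afshosts"], "all")
    print("rights missing for host 192.168.0.1 via afshosts:", "".join(sorted(gap)) or "none")
```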