[OpenAFS] Problem with IP-Based ACLs

Adnoh adnoh@users.sourceforge.net
Thu, 3 May 2007 06:46:25 -0700 (PDT)


fantastic - It works !! 
I'ts like administering a windows-workstation - If you have a problem, wait
some couple of time and if you are lucky it went away by itself ;-)  ... and
if not - do a new install - but thats a other story ;-)

Thnaks for the explanation - seems clear to me. I read about 400 Pages
AFS-Dokumentation today - there was nothing told about that issue. 

Afs is really cool - but for a noob not the easiest to understand -
particularly cause most of the dokumentation is in english - and my english
issn't the best as you can probably read ;-)

Thanks for the very,very fast response !!

maybe wrong place here, but I need to setup a afs->Samba gateway as our
workstations are all running windows and we have a samba server in our
districts.
is it a goot way I'm going or would you prefer something like "kstart" or so
for the samba acess to afs !?
we have a ADS where all our users are authenticating against from their
windows side - and I dont wanne to create a pts-entry for every user we
have. I would do the ACL over samba - so I think I can use that IP-Based ACL
- or not?
Any better suggestions or links to a "easy" How-To - maybe in German ;-))) ?



Todd M. Lewis wrote:
> 
> 
> It can take a couple of hours for file servers to become aware of IP group 
> members. The process is fundamentally different for authenticated users 
> vs. unauthenticated hosts, but think about it this way: if the file 
> servers were to check every access for changes in IP group memberships in 
> every directory, they would basically melt down your network and 
> performance would fall through the floor. Instead, they slowly over time 
> pick up those changes in what is generally an slow moving target set of 
> data, and after a couple of hours they have a pretty complete picture of 
> what IP entities are in which groups.
> 
> Or think about it another way. When you become a member of a new group, 
> you (may) have to re-authenticate for the change to take effect for ACLs 
> in a given directory. Your group memberships are refreshed when you 
> authenticate. Hosts don't authenticate, so there's no event to trigger 
> refreshing their group memberships. So the file servers pick that up over 
> time.
> 
> Or maybe I'm blowing smoke, but that's what I was told once.
> -- 
>     +--------------------------------------------------------------+
>    / Todd_Lewis@unc.edu  919-445-9302  http://www.unc.edu/~utoddl /
>   /            Atheism is a non-prophet organization.            /
> +--------------------------------------------------------------+
> -- 
>     +--------------------------------------------------------------+
>    / Todd_Lewis@unc.edu  919-445-9302  http://www.unc.edu/~utoddl /
>   /              He who laughs last thinks slowest.              /
> +--------------------------------------------------------------+
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
> 
> 

-- 
View this message in context: http://www.nabble.com/Problem-with-IP-Based-ACLs-tf3684854.html#a10305210
Sent from the OpenAFS - General mailing list archive at Nabble.com.