[OpenAFS] pts groups -> unix groups

Finke, Jon E finkej@rpi.edu
Sat, 1 Sep 2007 09:32:09 -0400

For historic reasons, we store our /etc/group assignments in an Oracle
database - this data was used to generate /etc/group files and later
used to populate our LDAP group attributes.  Being an AFS shop, we did
not have a lot of need for /etc/group control at the user level, but
some access control (authorization to sign on to private machines) which
used to rely on PTS groups broke in some upgrade in the distant past, so
we added a job that nightly synchronizes the entries in selected
/etc/group entries with the membership in PTS groups (easy to delegate).

Later on we reversed the process, so that membership in selected
/etc/group entries is mapped to PTS groups.  This was to support a
software licensing system - user goes to a secure web page, agrees to
certain conditions, and is granted a license for a short time (generally
measured in days).  This results in their account being added to a
particular Unix group (which is mostly irrelevant, it just was a data
structure we had readily available in the database), and this is then
synchronized with the appropriate PTS group (this is in close to real
time, usually within seconds), and email is generated that tells them
they can go download their software.  A few days or weeks later, their
download license expires, and they are deleted from the PTS group (and
/etc/group, but that doesn't matter).

All that being said, I hope you can find a script that does what you
need without all of this additional overhead.  Starting from scratch,
just attempting to solve your particular request, I would not design it
the way we do it.  Given our history, other projects, and organizational
constraints (I did not have access to the web servers, but I could add
secure applications that talked to the database, and I already had
database driven applications that talked to PTS), this approach allowed
me to provide the service quickly, using existing tools in my control.

Although I am willing to share code, it is NOT packaged in a format that
you can just drop in and run, and you need an Oracle database
(although you can get a small Oracle database for "free", you still need
to administer it.)  Some aspects of this project date back 15 years (how
many lifetimes is that in software terms?) and need to be revised if not
completely rewritten.

Alternately, can you put your problem in the greater context of group
management as part of a more general Identity Management (IdM) project?
You may find that the interface that can populate PTS groups (ie - based
on major, course enrollment, department affiliation, special project)
can also read back the membership of PTS groups, and interact with other
group management systems (/etc/group, LDAP, Active Directory, Badge
Reading systems (yes, membership in PTS groups can unlock doors for you
on our campus, albeit given some delays for cron jobs to synchronize
things), SMTP groups) and turn your problem into simply adding a mapping
table and a few lines of PL/SQL (or equivalent).

Jon Finke - Senior Systems Programmer - CMT - RPI
518 276 8185 (voice) - 518 276 2809 (fax) - http://www.rpi.edu/~finkej
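Stephen's question (quoted below) asks for a script that periodically regenerates /etc/group from PTS group memberships, and the nightly job described above does the same thing from a database. The following is an added example, not code from either poster or from OpenAFS: a small POSIX shell script that parses `pts membership` output and rewrites only the groups named in an explicit mapping. The group names, gids, users and the sample group file are constructed, and `fetch_pts` stands in for the real `pts membership` command so the script runs offline; the "Members of ... are:" header and indented member names are the layout pts actually prints.

```sh
#!/bin/sh
# Added example (not code from either poster or from OpenAFS): regenerate the
# /etc/group entries named in a mapping from `pts membership` output.
# The "Members of ... are:" header and indented names are the layout pts really
# prints; the group names, ids and users below are constructed sample data.

# Groups this script may manage, one per line: <unix group> <gid> <pts group>.
# Only these lines are ever rewritten; the rest of /etc/group passes through,
# so the mapping (not PTS) decides what this job is allowed to touch.
GROUP_MAP='
physdata 5001 physics:data
physadm  5002 physics:admins
'
MIN_GID=1000   # refuse gids in the system range even if the mapping lists one

# Stand-in for `pts membership "$1"` so the example runs offline; in production
# the body is just that command. Unknown groups fail like pts does (non-zero).
fetch_pts() {
    case $1 in
        physics:data)   printf 'Members of physics:data (id: -345) are:\n  alice\n  bob\n  carol@other.cell\n' ;;
        physics:admins) printf 'Members of physics:admins (id: -346) are:\n  alice\n' ;;
        *)              return 1 ;;
    esac
}

# Convert pts output to a comma-separated member list. The header is skipped
# and only names that look like local login names are kept: cross-cell
# principals (user@cell) have no account here, and anything else (a stray ':'
# or ',' for instance) must never be written into a file consulted at login.
pts_members() {
    printf '%s\n' "$1" | awk '
        /^Members of / { inlist = 1; next }
        inlist && $1 ~ /^[a-z_][a-z0-9_-]*$/ { names[n++] = $1 }
        END {
            for (i = 0; i < n; i++) printf "%s%s", (i ? "," : ""), names[i]
            printf "\n"
        }'
}

# Emit one "name:x:gid:members" line per managed group. Non-numeric or system
# gids are refused, and a missing PTS group leaves the current line in place.
# $1 overrides GROUP_MAP (handy for checks).
managed_lines() {
    printf '%s\n' "${1:-$GROUP_MAP}" | while read -r name gid pts; do
        [ -n "$name" ] || continue
        case $gid in
            ''|*[!0-9]*) echo "bad gid '$gid' for $name" >&2; continue ;;
        esac
        if [ "$gid" -lt "$MIN_GID" ]; then
            echo "refusing to manage system group $name (gid $gid)" >&2
            continue
        fi
        out=$(fetch_pts "$pts") || { echo "pts group $pts not found" >&2; continue; }
        printf '%s:x:%s:%s\n' "$name" "$gid" "$(pts_members "$out")"
    done
}

# Merge: $1 = existing group file, $2 = replacement lines from managed_lines.
# Managed groups are replaced where they stand, new ones appended, everything
# else copied verbatim. Output is on stdout so the caller can write a temp file
# and mv it over /etc/group atomically instead of editing in place.
merge_groups() {
    awk -F: -v new="$2" '
        BEGIN {
            cnt = split(new, lines, "\n")
            for (i = 1; i <= cnt; i++) if (lines[i] != "") {
                split(lines[i], f, ":")
                managed[f[1]] = lines[i]; order[++n] = f[1]
            }
        }
        ($1 in managed) { print managed[$1]; seen[$1] = 1; next }
        { print }
        END { for (i = 1; i <= n; i++) if (!(order[i] in seen)) print managed[order[i]] }
    ' "$1"
}

# New group file for $1 (default /etc/group) on stdout.
sync_groups() {
    merge_groups "${1:-/etc/group}" "$(managed_lines)"
}

# Constructed group file for the demo; physdata currently lists dave, who is
# not in the PTS group and so is dropped when the file is regenerated.
demo_group_file() {
    f=$(mktemp) || return 1
    printf 'root:x:0:\nwheel:x:10:root,alice\nphysdata:x:5001:bob,dave\nusers:x:100:\n' > "$f"
    printf '%s\n' "$f"
}

demo=$(demo_group_file)
sync_groups "$demo"
rm -f "$demo"
```

Two things a nightly root job needs that the question does not mention: the mapping, not PTS, decides which lines may change, so a typo cannot rewrite wheel or a daemon group, and member names are validated before they reach a file every login consults. The script does not touch /etc/gshadow; if your system keeps group members there as well, merge it the same way.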

-----Original Message-----
From: openafs-info-admin@openafs.org
[mailto:openafs-info-admin@openafs.org] On Behalf Of Stephen Joyce
Sent: Friday, August 31, 2007 12:37 AM
To: openafs-info@openafs.org
Subject: [OpenAFS] pts groups -> unix groups

I'm installing a new workstation for a group of my users and it has a
direct attached raid... I'd rather they store their data in AFS, but the
quantity of data and their required transfer rates dictate the DAS, so I
agree with their decision.

Anyway, to control access to their data, they're going to want unix groups
with similar levels of granularity and end-user configurability that
they're used to with AFS PTS groups.

Does anyone have a solution to use AFS PTS group memberships for unix
groups? My first impulse was to regenerate /etc/group periodically with
userlists obtained from PTS group memberships. Has anyone written such a
script already?

It actually seems that there should be an easier solution. Is there a way
to use PTS groups from nsswitch.conf directly?

This seems like a problem that someone has likely solved before, so I
wanted to ask before re-solving it. (Actually, it'd be nice if I could
store the groups in ldap and have both AFS and unix be able to use
Cheers, Stephen
Stephen Joyce
Systems Administrator
Physics & Astronomy Department
University of North Carolina at Chapel Hill
voice: (919) 962-7214
fax: (919) 962-0480
OpenAFS-info mailing list