[OpenAFS] groups in groups, ptsviewers etc...

Marcus Watts mdw@umich.edu
Tue, 18 Mar 2008 05:51:25 -0400

Anders Magnusson <ragge@ltu.se> writes:
> Date:    Tue, 18 Mar 2008 10:26:26 BST
> To:      openafs-info@openafs.org
> From:    Anders Magnusson <ragge@ltu.se>
> Subject: [OpenAFS] groups in groups, ptsviewers etc...
> Hi,
> a few questions for which I don't seem able to find docs :-)
> It seems like it is possible to recompile 1.4.6 with an option to get 
> the possibility to put groups in groups.
> - Is this feature considered stable for production use?

umich.edu has run with older versions of this feature for ages.
Obviously we consider it "ready for production".

> - Will it allow for multiple levels of groups in groups?

Yes.  There's a fairly modest depth limit (defaults to 5).

> - Is this a server-only feature or is the client affected as well (i.e. 
> must the clients be recompiled?)

Mostly this affects ptserver.  Fileservers and clients do not need to
be recompiled.  "ListSuperGroups" is an rpc operation which only works
on supergroup aware clients, which would affect "ptclient" lsg command
and any custom code you wrote that called ubik_PR_ListSuperGroups.
For most ordinary purposes you won't need this and can use standard

Older versions of openafs only enabled some other useful but
unrelated features of pts if you compiled in supergroups support.
This should not be an issue with 1.4.6.

> Also, for people to be able to see what's in the protection database, 
> they must obviously be members
> of the (undocumented?) ptsviewers group. Is it safe just to add all 
> people to this group or are there other
> implications of doing so?

Depends on if you ever want private groups or not.

If you want everybody in your cell to be able to see group
membership by default, you're probably better off running ptserver this way:
	/usr/afs/bin/ptserver -p 16 -default SOM-- SOM--
probably you will need to remake your ptserver instances in bos to do this.

> -- Ragge

				-Marcus Watts