[OpenAFS] Supergroups and ACL inheritance

Thomas Smith theitsmith@gmail.com
Thu, 24 Feb 2011 18:01:10 -0700


Hi,

I set up a supergroup and assigned some ACLs based on that group and it
didn't provide me with the expected result. Here's an example of what I
set up:

Groups:
* group0 - The primary group for office location "group0".
* group0:admins - Office administrations for "group0".

Directory Structure:
* /afs/domain/Offices/Group0/ with group permissions:
* * group0 rlidwk
* /afs/domain/Offices/Group0/Admins/ with group permissions:
* * group0:admins rlidwk
* * -neg group0 rlidwk

(Also note that Offices/Group0/ is a volume, Admins is just a directory
within the volume.)

Setting it up like this, group0:admins are not able to access the Admins
directory. I also tried just removing group0 (rather than adding the
negative permissions) but that didn't work either--in fact, doing this
allows group0 to gain access to that directory.

I ended up removing both groups and just adding ACLs for each user
individually to get it to work as I needed.

I've looked for examples of how to set up supergroups as well as how to work
with AFS's ACL inheritance and haven't found much.

Can someone offer some pointers here? Am I missing something? References to
documentation would be great too! :-)

~ Tom
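
An added example, not part of the original post: a simplified Python model of how an AFS directory ACL is evaluated (rights from positive entries minus rights from negative entries, over every group the user belongs to, nested groups included). The users alice and bob and both membership layouts are assumptions, since the post does not say who belongs to which group.

```python
# Simplified model of AFS ACL evaluation (added example, not OpenAFS code):
# effective rights = union(positive entries) - union(negative entries),
# matched against the user and every group reachable through membership.

def expand_groups(user, members):
    """Return the user plus all groups reached via direct or nested membership."""
    seen = {user}
    changed = True
    while changed:
        changed = False
        for group, direct in members.items():
            if group not in seen and seen & direct:
                seen.add(group)
                changed = True
    return seen

def effective_rights(user, acl, members):
    """Compute the rights string a user ends up with on one directory."""
    ids = expand_groups(user, members)
    granted, denied = set(), set()
    for who, rights in acl.get("positive", {}).items():
        if who in ids:
            granted |= set(rights)
    for who, rights in acl.get("negative", {}).items():
        if who in ids:
            denied |= set(rights)
    return "".join(r for r in "rlidwka" if r in granted - denied)

# Constructed membership (assumption): alice is an office admin, bob is not.
MEMBERS = {"group0": {"alice", "bob"}, "group0:admins": {"alice"}}
# Alternative layout (assumption): group0 itself is a member of group0:admins.
MEMBERS_NESTED = {"group0": {"alice", "bob"},
                  "group0:admins": {"alice", "group0"}}

# ACL on .../Group0/Admins/ as described in the post.
ACL_POSTED = {"positive": {"group0:admins": "rlidwk"},
              "negative": {"group0": "rlidwk"}}
# Same directory with the group0 entry removed entirely.
ACL_ADMINS_ONLY = {"positive": {"group0:admins": "rlidwk"}}

if __name__ == "__main__":
    for label, acl, members in [("posted", ACL_POSTED, MEMBERS),
                                ("admins only", ACL_ADMINS_ONLY, MEMBERS),
                                ("admins only, nested", ACL_ADMINS_ONLY, MEMBERS_NESTED)]:
        for user in ("alice", "bob"):
            print(f"{label:20} {user:6} {effective_rights(user, acl, members)!r}")
```

On a real cell, `pts membership` for each group and `fs listacl` on the directory show which of the two layouts applies.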
