[OpenAFS] Re: OpenAFS and AD trusts

Danko Antolovic dantolov@indiana.edu
Tue, 19 Jul 2011 13:52:08 -0400


Everything works fine up to a point: I can set up a FOREIGN.REALM group (in
this case system:authuser@iu.edu) and add users to it. However, when I try
to add the group to the ACLs of the /afs tree, it adds the group
system:authuser instead. These are the steps, with me authenticated as the
user in iu.edu (no trust relationships):

[root@afs1c afs]# pts creategroup -name system:authuser@IU.EDU -owner system:administrators
[root@afs1c afs]# pts setfields system:authuser@iu.edu -groupquota 50 -noauth
[root@afs1c afs]# pts adduser -user dantolov -group system:authuser@iu.edu -noauth

[root@afs1c afs]# pts examine   system:authuser@iu.edu  -noauth
Name: system:authuser@iu.edu, id: -207, owner: system:administrators,
creator: dantolov,
  membership: 1, flags: S-M--, group quota: 50.

[root@afs1c afs]# pts membership   system:authuser@iu.edu  -noauth
Members of system:authuser@iu.edu (id: -207) are:
  dantolov

[root@afs1c afs]# fs setacl -dir /afs/afs1.bedrock.iu.edu -acl system:authuser@iu.edu rliwdka

[root@afs1c afs]# fs listacl  /afs/afs1.bedrock.iu.edu
Access list for /afs/afs1.bedrock.iu.edu is
Normal rights:
  system:administrators rlidwka
  system:authuser rlidwka
  system:anyuser rl

Predictably, when I authenticate as a foreign user (via trust), I can't
touch the files in /afs/afs1.bedrock.iu.edu

Can you spot what I'm missing?  Thanks,

Danko Antolovic



-----Original Message-----
From: openafs-info-admin@openafs.org =
[mailto:openafs-info-admin@openafs.org]
On Behalf Of Andrew Deason
Sent: Friday, July 15, 2011 4:18 PM
To: openafs-info@openafs.org
Subject: [OpenAFS] Re: OpenAFS and AD trusts

On Fri, 15 Jul 2011 15:58:12 -0400
"Danko Antolovic" <dantolov@indiana.edu> wrote:

> If I understand the documentation correctly, there needs to be one
> group, named precisely system:authuser@FOREIGN.REALM, which will
> contain all the users from foreign realms:
> [...]
> http://docs.openafs.org/AdminGuide/ch02s03.html

The "FOREIGN.REALM" part of that is in italics on that page, which means
it is not a literal string, but should be replaced. You need to put the
name of the foreign realm in the place of FOREIGN.REALM. There is one
such group for each foreign realm you grant access to, and granting
rights to it grants rights to everyone in that particular foreign realm.

> Also, on a naïve note, how do you create a group with the ownership
> "system"? I am working as an admin, of course, but  pts creategroup
> throws up the message "Badly formed name (group prefix doesn't match
> owner?)" regardless of what I do.

pts creategroup system:authuser@whatever -owner system:administrators

-- 
Andrew Deason
adeason@sinenomine.net

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
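As an added check (not code from the thread or from OpenAFS), the following Python parses `fs listacl` output and reports whether the realm-qualified group is actually on the ACL, or whether the bare `system:authuser` got the rights instead, as in Danko's listing; the sample listing is constructed to mirror the one above, and names are compared ignoring case because the thread shows the group created as `@IU.EDU` reported back by pts as `@iu.edu`.

```python
# Added check, not from the thread: parse "fs listacl" output and confirm the
# realm-qualified group (e.g. system:authuser@iu.edu) is what got the rights.
import re

# Constructed sample mirroring the listing in the thread.
SAMPLE_LISTACL = """\
Access list for /afs/afs1.bedrock.iu.edu is
Normal rights:
  system:administrators rlidwka
  system:authuser rlidwka
  system:anyuser rl
"""

ACL_LINE = re.compile(r"^\s+(\S+)\s+([rlidwka]+)$")

def parse_listacl(text):
    """Return {"normal": {name: rights}, "negative": {name: rights}}."""
    acl = {"normal": {}, "negative": {}}
    section = None
    for line in text.splitlines():
        if line.startswith("Normal rights:"):
            section = "normal"
        elif line.startswith("Negative rights:"):
            section = "negative"
        elif section:
            m = ACL_LINE.match(line)
            if m:
                acl[section][m.group(1)] = m.group(2)
    return acl

def check_foreign_realm_entry(acl, group, expected_rights):
    """Return (ok, message) for the realm-qualified group on the ACL.
    Names are compared ignoring case: the thread shows the group created as
    @IU.EDU reported back by pts as @iu.edu."""
    base, _, realm = group.partition("@")
    normal = acl["normal"]
    match = next((n for n in normal if n.lower() == group.lower()), None)
    if match is not None:
        missing = set(expected_rights) - set(normal[match])
        if missing:
            return False, f"{match} lacks rights {''.join(sorted(missing))}"
        return True, f"{match} grants {normal[match]}"
    if base in normal:
        # The failure mode from the thread: the bare group got the rights,
        # i.e. every locally authenticated user, not just realm members.
        return False, (f"{group} missing; bare {base} has {normal[base]}, "
                       f"granting it to all local authenticated users, "
                       f"not only realm {realm}")
    return False, f"{group} not on ACL"
```

Run `check_foreign_realm_entry(parse_listacl(SAMPLE_LISTACL), "system:authuser@iu.edu", "rliwdka")` to see the thread's case reported as a failure.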