[OpenAFS] Re: Change ID of admin user

Andrew Deason adeason@sinenomine.net
Mon, 10 Oct 2011 16:28:31 -0500


On Mon, 3 Oct 2011 15:47:07 -0400
Dan Scott <danieljamesscott@gmail.com> wrote:

> Hi,
> 
> I've had to re-install my Kerberos/LDAP installation which provides
> authentication for OpenAFS. As part of this process, the admin user
> has been given a new ID. Is it possible to delete and re-create the
> admin user with the new ID in OpenAFS?
> 
> i.e.
> 
> pts delete admin
> pts createuser -name admin -id $NEW_ID

Yes, that should work; have you tried it and encountered problems, or
anything?

> And then change ownership on all of the admin user's files.

You also need to check if any ACLs mention that user. Any ACLs
mentioning 'admin' will need to be set again ('fs cleanacl' will delete
ACL entries for nonexistent users, if that helps).

> I'm guessing there's not a way to change the ID of a user?

There actually appears to be server-side support to do this, but none of
the user-friendly tools support it. If you can figure out how to run
'ptclient', running the command "ce $OLD_ID admin $OWNER_ID $NEW_ID"
looks like it should change the id. But that's really not much different
than just deleting and recreating the user.

> One more thing is there an upper limit on the IDs that can be used by
> OpenAFS?

The ID numbers are 32-bit integers. They should be unsigned, but some
things probably treat them as signed and assume they are always
positive, so anything above 2^31-1 may cause trouble. But I'm just
basing that on IDs in that range not being thoroughly tested; if there
are sites with IDs in that range and there aren't obvious problems, then
they're fine.

ID numbers 2^16 and above are treated a little specially when dealing
with foreign users. If you need to deal with foreign users as well,
there may be some slight problems when those ID-spaces collide. We can
provide more details, but if you don't deal with them at all, then it
shouldn't ever matter to you.

-- 
Andrew Deason
adeason@sinenomine.net
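As an added illustration of the two practical points in the reply above (re-setting ACL entries that mention the re-created user, and the 2^16 / 2^31-1 ID ranges), here is a small Python helper. It is example code written for this page, not code from the thread or from OpenAFS itself; it assumes the usual `fs listacl` output layout ("Access list for ... is" followed by "Normal rights:" and optional "Negative rights:" sections) and produces `fs setacl` argument lists (using the `-dir`, `-acl` and `-negative` options) rather than running anything. The sample listing is constructed, not captured from a real cell.

```python
"""Helpers for re-creating a pts user under a new ID and repairing ACLs.

Example code for this thread, not part of OpenAFS. Assumes the standard
`fs listacl` text layout; nothing here talks to a cell.
"""
import re

SIGNED_32_MAX = 2**31 - 1       # above this, code that treats IDs as signed may misbehave
FOREIGN_ID_THRESHOLD = 2**16    # IDs >= 2^16 are treated specially for foreign users
UNSIGNED_32_MAX = 2**32 - 1     # pts IDs are 32-bit integers


def classify_pts_id(uid):
    """Classify a candidate pts user ID against the ranges discussed above.

    Returns 'invalid' (not a positive 32-bit number), 'over-signed-max'
    (above 2^31-1), 'foreign-range' (2^16 or above, so it can collide
    with the foreign-user ID space) or 'ok'.
    """
    if not isinstance(uid, int) or uid <= 0 or uid > UNSIGNED_32_MAX:
        return "invalid"
    if uid > SIGNED_32_MAX:
        return "over-signed-max"
    if uid >= FOREIGN_ID_THRESHOLD:
        return "foreign-range"
    return "ok"


def parse_listacl(text):
    """Parse the output of `fs listacl <dir>`.

    Returns (path, normal, negative); normal and negative are lists of
    (name, rights) tuples in the order fs printed them.
    """
    path = None
    normal, negative = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"Access list for (.+) is$", line)
        if header:
            path = header.group(1)
            continue
        if line == "Normal rights:":
            section = normal
            continue
        if line == "Negative rights:":
            section = negative
            continue
        if section is None:
            raise ValueError("unexpected line before a rights header: %r" % line)
        name, rights = line.split()
        section.append((name, rights))
    if path is None:
        raise ValueError("no 'Access list for ... is' header found")
    return path, normal, negative


def setacl_commands(path, normal, negative, name):
    """Build the `fs setacl` argv lists that re-apply every entry for `name`.

    Entries that referred to the deleted user's old ID are stale, so after
    `pts createuser` has re-created the user they have to be set again;
    negative entries are re-applied with `-negative`.
    """
    cmds = []
    for entry_name, rights in normal:
        if entry_name == name:
            cmds.append(["fs", "setacl", "-dir", path, "-acl", name, rights])
    for entry_name, rights in negative:
        if entry_name == name:
            cmds.append(["fs", "setacl", "-dir", path, "-acl", name, rights, "-negative"])
    return cmds


# Constructed sample of `fs listacl` output (not captured from a real cell).
SAMPLE_LISTACL = """\
Access list for /afs/example.org/home/dan is
Normal rights:
  system:administrators rlidwka
  admin rlidwka
  dan rlidwka
Negative rights:
  guest rl
"""

if __name__ == "__main__":
    acl_path, acl_normal, acl_negative = parse_listacl(SAMPLE_LISTACL)
    for argv in setacl_commands(acl_path, acl_normal, acl_negative, "admin"):
        print(" ".join(argv))
    print(classify_pts_id(70000))
```

In practice you would feed `parse_listacl` the output of `fs listacl` for each directory found by walking the volumes, and review the generated `fs setacl` lines before running them; `classify_pts_id` is the check to run on `$NEW_ID` before the `pts createuser` step.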