[OpenAFS] Re: Create a group

Andrew Deason adeason@sinenomine.net
Sat, 15 Oct 2011 13:42:46 -0500


Catching up on some older posts... just wanted to clarify a few things.

On Sat, 10 Sep 2011 15:12:10 -0400
Jason Edgecombe <jason@rampaginggeek.com> wrote:

> I'm not even sure if any of these will work, but you might try one of 
> the following:
> 
> 1. "pts creategroup user1:mygroup@mycell"

This won't work (nor will any variation). The only foreign groups that
can be created are the system:authuser@* groups.

It is probably possible to add support for creating foreign groups like
user1@cell:group. I assume it doesn't already exist due to complexities
in some of the details, like choosing cell-specific IDs for them. Or
it's just a limit on the amount of "abuse" foreign users can deal to the
cell.

> 2. ask an AFS admin at the mycell site to create two groups for you 
> "mygroup" and "mygroup_admin", then have mygroup_admin be the owner of 
> both groups, and add you to mygroup_admin.

This should work. It also appears to work to just get a normal user to
create a user1:foo group, and then 'pts chown' it to the foreign user
(or just chown the hypothetical 'mygroup' to the foreign user directly).

This results in the group being renamed to user1@cell:foo, which you
could not otherwise create. Huh. This may be a bug of some kind, but I
don't immediately see what it would break.

> 3. Create mygroup in your local cell, then have it put on the ACL of a 
> folder in the mycell cell.

No, you can only specify groups and users for the cell in which the
directory resides. Even for foreign users; their entries exist in the
local pt database, too.

-- 
Andrew Deason
adeason@sinenomine.net