[OpenAFS] Re: OpenAFS and AD trusts

Andrew Deason adeason@sinenomine.net
Thu, 15 Sep 2011 11:17:35 -0500

On Thu, 15 Sep 2011 11:10:40 -0400
Danko Antolovic <dantolov@indiana.edu> wrote:

> However, this does not let me touch the files in the cell. Trying to
> add the foreign-realm group to the directory ACL, like this:
> [root@afs1c afs]# fs  setacl -dir  /afs/afs1.bedrock.iu.edu  -acl 
> system:authuser@iu.edu  rlidwka
> does not seem to work, and just adds the group system:authuser to the 
> ACL once more:

To be clear: this is supposed to work (and does for me, here). Have you
been changing around the names or IDs of these groups?
system:authuser@id.edu doesn't appear to exist anymore.

This would suggest something along the way is screwing up the id<->name
mapping, but that may not necessarily prevent the actual access from
working. Are you actually lacking those rights? (that is, when trying to
do one of those operations)

You can look at a network dump to verify what names are going across the
wire, to see if the setacl and listacl requests are what you think
they are. You don't need to be familiar with the protocol or anything;
it should be pretty easy to see where the acl data is (it is transmitted
in the clear, when 'fs crypt' is turned off).

Andrew Deason