[OpenAFS] Re: OpenAFS and AD trusts

Danko Antolovic dantolov@indiana.edu
Thu, 15 Sep 2011 13:04:39 -0400


Well yes, the group system:authuser@iu.edu does exist:

[root@afs1c afs]# pts  listentries -groups  -noauth
Name                          ID  Owner Creator
system:administrators       -204   -204    -204
system:backup               -205   -204    -204
system:anyuser              -101   -204    -204
system:authuser             -102   -204    -204
system:ptsviewers           -203   -204    -204
system:authuser@iu.edu      -207   -204       2

Also, system:authuser@iu.edu was created by 2, which is me as admin, so 
it was there before my aklog as foreign user.  Is the foreign-realm 
group something that needs to be set in advance, or is that part of the 
automatic registration thing?

And yes, as foreign user dantolov@iu.edu, I lack the "rlidwka" rights to 
the cell directory /afs/afs1.bedrock.iu.edu.  All I can do is "rl"

Danko

Andrew Deason wrote:
> On Thu, 15 Sep 2011 11:10:40 -0400
> Danko Antolovic <dantolov@indiana.edu> wrote:
>
>   
>> However, this does not let me touch the files in the cell. Trying to
>> add the foreign-realm group to the directory ACL, like this:
>>
>> [root@afs1c afs]# fs  setacl -dir  /afs/afs1.bedrock.iu.edu  -acl 
>> system:authuser@iu.edu  rlidwka
>>
>> does not seem to work, and just adds the group system:authuser to the 
>> ACL once more:
>>     
>
> To be clear: this is supposed to work (and does for me, here). Have you
> been changing around the names or IDs of these groups?
> system:authuser@id.edu doesn't appear to exist anymore.
>
> This would suggest something along the way is screwing up the id<->name
> mapping, but that may not necessarily prevent the actual access from
> working. Are you actually lacking those rights? (that is, when trying to
> do one of those operations)
>
> You can look at a network dump to verify what names are going across the
> wire, to see if the setacl and listacl requests are what you think
> they are. You don't need to be familiar with the protocol or anything;
> it should be pretty easy to see where the acl data is (it is transmitted
> in the clear, when 'fs crypt' is turned off).
>
>