[OpenAFS] pts removeuser not resulting in loss of access
Oguzhan Eris
eris@ekls.com
Fri, 16 Mar 2012 18:27:32 -0400
Hi,
I've been trying to figure out if this is documented/expected behavior
with OpenAFS (1.4.11).
UserA has valid tokens and does not have access to directory /foo
/foo has an ACL giving group:bar all access (UserA is not part of this group)
UserB adds UserA to group:bar
UserA still can't access /foo until he does an ak5log (I think I
understand why this is the case)
With the renewed tokens he is able to access /foo
UserB removes UserA from group:bar
UserA can still read from /foo and still write to it as well, and will
continue to do so on each machine he has a session until his tokens
expire (length of Kerberos ticket, so up to 7 days) or does an
ak5log/kinit himself.
Can someone explain why the "writes" don't at least try to recheck the
pts memberships?
Thank you
Oguzhan Eris