[OpenAFS] pts removeuser not resulting in loss of access

Oguzhan Eris eris@ekls.com
Fri, 16 Mar 2012 18:27:32 -0400


I've been trying to figure out if this is documented/expected behavior
 with openafs (1.4.11).

UserA has valid tokens  and does not have access to directory /foo
/foo  has an acl giving group:bar all access  (UserA is not part of this group)
UserB adds UserA to group:bar
UserA still can't access /foo  until he does a ak5log (I think
understand why this is the case)
With the renewed tokens he is able to access /foo
UserB removes UserA from group:bar
UserA can still read from /foo and still write to it as well, and will
continue to do so on each machine he has a session until his tokens
expire (length of kerberos ticket, so upto 7 days)  or does an
ak5log/kinit himself.

Can someone explain why the "writes" don't at least try to recheck the
pts memberships?

Thank you
Oguzhan Eris