[OpenAFS] pts removeuser not resulting in loss of access
Sat, 17 Mar 2012 00:17:05 -0400
On 3/16/2012 6:27 PM, Oguzhan Eris wrote:
> I've been trying to figure out if this is documented/expected behavior
> with openafs (1.4.11).
> UserA has valid tokens and does not have access to directory /foo
> /foo has an acl giving group:bar all access (UserA is not part of thi=
> UserB adds UserA to group:bar
> UserA still can't access /foo until he does an ak5log (I think I
> understand why this is the case)
> With the renewed tokens he is able to access /foo
> UserB removes UserA from group:bar
> UserA can still read from /foo and still write to it as well, and will
> continue to do so on each machine he has a session until his tokens
> expire (length of Kerberos ticket, so up to 7 days) or does an
> ak5log/kinit himself.
Authentication and Group Memberships are computed each time a new
RPC connection is established from a client to a file server. New
connections are created as one of the side effects of acquiring new
tokens, token expiration, token destruction (unlog), or PAG creation.
In AFS, there is no mechanism for the Protection Service to notify a
file server when an issued CPS response would need to change. Polling
the Protection service on each incoming RPC has significant performance
The cacheout command (src/venus/cacheout.c) can be used to force
ACL invalidation across file servers for specific userids and client
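The following is an added illustration, not code from this thread or from OpenAFS: a small Python model of the behaviour described in the reply, where the file server evaluates ACLs against a per-connection CPS computed at connection time, so a `pts removeuser` is not seen until the connection is re-established or the cached entry is invalidated. The class and function names, the `userA`/`group:bar`/`/foo` scenario and the `rlidwka` rights string are constructed for the example.

```python
# Added illustration, not OpenAFS code: a toy model of the behaviour the reply describes.
# The "file server" checks ACLs against a CPS (caller identity plus groups) computed once
# when the RPC connection is established, and reused until the connection is replaced
# (new tokens) or its cached entry is dropped (cacheout).
from dataclasses import dataclass, field

@dataclass
class ProtectionService:
    """Stand-in for the Protection Service: authoritative group membership."""
    members: dict = field(default_factory=dict)  # group -> set of users
    def adduser(self, user, group):
        self.members.setdefault(group, set()).add(user)
    def removeuser(self, user, group):
        self.members.get(group, set()).discard(user)
    def cps(self, user):
        """Current Protection Subdomain: the user plus every group containing the user."""
        return frozenset([user] + [g for g, m in self.members.items() if user in m])

@dataclass
class FileServer:
    pts: ProtectionService
    acls: dict                                    # path -> {principal: rights letters}
    conn_cps: dict = field(default_factory=dict)  # connection id -> cached CPS

    def connect(self, conn_id, user):
        """Models ak5log / PAG creation: a new connection whose CPS is computed now."""
        self.conn_cps[conn_id] = self.pts.cps(user)

    def cacheout(self, user):
        """Models the cacheout tool: forget cached CPS entries that mention this user."""
        self.conn_cps = {c: s for c, s in self.conn_cps.items() if user not in s}

    def check(self, conn_id, user, path, right):
        """ACL check as the server does it: against the cached CPS, not the live PTS."""
        cps = self.conn_cps.get(conn_id)
        if cps is None:  # nothing cached for this connection: recompute
            cps = self.conn_cps[conn_id] = self.pts.cps(user)
        return any(right in self.acls.get(path, {}).get(p, "") for p in cps)

def stale_window_demo():
    """Replays the reported scenario; returns (access before cacheout, access after)."""
    pts = ProtectionService()
    fs = FileServer(pts, {"/foo": {"group:bar": "rlidwka"}})  # constructed ACL
    pts.adduser("userA", "group:bar")
    fs.connect("conn1", "userA")          # UserA runs ak5log: new connection, CPS cached
    pts.removeuser("userA", "group:bar")  # UserB removes UserA from group:bar
    before = fs.check("conn1", "userA", "/foo", "w")  # True: stale CPS still grants it
    fs.cacheout("userA")                  # force re-evaluation on the next request
    return before, fs.check("conn1", "userA", "/foo", "w")  # (True, False)
```

The same stale result persists for every connection UserA holds on every client until each one is replaced or invalidated, which is why the window lasts up to the token lifetime.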