[OpenAFS] Cross-realm access
Jeffrey Altman
jaltman@your-file-system.com
Mon, 21 Jul 2014 10:29:38 -0400
--Apple-Mail-0F766B90-A743-4845-BDE2-108D286BE52F
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Your observation of the behavior is correct. A foreign system:authuser gro=
up is not equivalent to the system:authuser group. There is no method to a=
dd groups to system:authuser.
If you wish to grant privileges to a foreign system:authuser group to portio=
ns of the tree you must add the group to all directories.
Jeffrey Altman
> On Jul 21, 2014, at 10:16 AM, Jaap Winius <jwinius@umrk.nl> wrote:
>=20
> Hi folks,
>=20
> After setting up Kerberos cross-realm access and then creating a system:au=
thuser@<MY_REALM> group in a foreign cell, it seems that basic rl access to t=
he cell's contents is only possible after that group is given rl access to e=
very single directory that system:authuser has access to. Not very convenien=
t.
>=20
> Is there an easy way around this, like something equivalent to making syst=
em:authuser@<MY_REALM> a member of system:authuser?
>=20
> Thanks,
>=20
> Jaap
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
--Apple-Mail-0F766B90-A743-4845-BDE2-108D286BE52F
Content-Type: application/pkcs7-signature;
name=smime.p7s
Content-Disposition: attachment;
filename=smime.p7s
Content-Transfer-Encoding: base64
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIG2zCCBtcw
ggW/oAMCAQICEHiwwaDblI88SsZkARSRB5MwDQYJKoZIhvcNAQEFBQAwgaYxCzAJBgNVBAYTAlVT
MR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlvbjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3Qg
TmV0d29yazEeMBwGA1UECxMVUGVyc29uYSBOb3QgVmFsaWRhdGVkMTcwNQYDVQQDEy5TeW1hbnRl
YyBDbGFzcyAxIEluZGl2aWR1YWwgU3Vic2NyaWJlciBDQSAtIEc0MB4XDTEzMTIyMzAwMDAwMFoX
DTE1MDExNjIzNTk1OVowgc4xLjAsBgNVBAMMJVBlcnNvbmEgTm90IFZhbGlkYXRlZCAtIDEzNTgy
NzYxMDg2MzExKzApBgkqhkiG9w0BCQEWHGphbHRtYW5AeW91ci1maWxlLXN5c3RlbS5jb20xDzAN
BgNVBAsMBlMvTUlNRTEeMBwGA1UECwwVUGVyc29uYSBOb3QgVmFsaWRhdGVkMR8wHQYDVQQLDBZT
eW1hbnRlYyBUcnVzdCBOZXR3b3JrMR0wGwYDVQQKDBRTeW1hbnRlYyBDb3Jwb3JhdGlvbjCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANKuphSC69uC62HEY2ozXmeg9gYsyemNEpPZVLzw
zE0BntFqmUHwDOuTy84f6r4hadcKtqn4F69jbs9lbpSA0A9wRMYVOL+p1gC6QfCcJXt++NdckQ7D
eOD54r/TpuGvS5OG+auNP6NYeWnMreZIM+0QFKSBcNsuQv8tB9i9rLQhrufrmXlHLjMeWuDq4n5S
q9YlnBdrNeOjYfgSSwYIziesodN5WiPmhKq6+qze1J8HK1csZWpI4eqNdv6WuLWC2Wi9fsCMxPaB
041GuNHfC6fq2Me+iqNQ1naZSzRdeHS8jQbJMp21rPbrFj6IpujEU7Zq0NtvUabwp1Reo79SK+UC
AwEAAaOCAtUwggLRMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgWgMCAGA1UdJQEB/wQWMBQG
CCsGAQUFBwMEBggrBgEFBQcDAjAdBgNVHQ4EFgQUwLVIy5F59fI0DCRkz4uC7uInqcUwJwYDVR0R
BCAwHoEcamFsdG1hbkB5b3VyLWZpbGUtc3lzdGVtLmNvbTAfBgNVHSMEGDAWgBSt+cOTci21uShh
5KTXYNXECl4aATCCASsGCCsGAQUFBwEBBIIBHTCCARkwggEVBggrBgEFBQcwAoaCAQdsZGFwOi8v
ZGlyZWN0b3J5LnZlcmlzaWduLmNvbS9DTiUyMCUzRCUyMFN5bWFudGVjJTIwQ2xhc3MlMjAxJTIw
SW5kaXZpZHVhbCUyMFN1YnNjcmliZXIlMjBDQSUyMC0lMjBHNCUyQyUyME9VJTIwJTNEJTIwUGVy
c29uYSUyME5vdCUyMFZhbGlkYXRlZCUyQyUyME9VJTIwJTNEJTIwU3ltYW50ZWMlMjBUcnVzdCUy
ME5ldHdvcmslMkMlMjBPJTIwJTNEJTIwU3ltYW50ZWMlMjBDb3Jwb3JhdGlvbiUyQyUyMEMlMjAl
M0QlMjBVUz9jQUNlcnRpZmljYXRlO2JpbmFyeTBdBgNVHR8EVjBUMFKgUKBOhkxodHRwOi8vcGtp
LWNybC5zeW1hdXRoLmNvbS9jYV81NjFjMTAzNjkwYzk3YTY5MjQ3YTBlZjA3MWFjODFhZi9MYXRl
c3RDUkwuY3JsMGwGA1UdIARlMGMwYQYLYIZIAYb4RQEHFwEwUjAmBggrBgEFBQcCARYaaHR0cDov
L3d3dy5zeW1hdXRoLmNvbS9jcHMwKAYIKwYBBQUHAgIwHBoaaHR0cDovL3d3dy5zeW1hdXRoLmNv
bS9ycGEwKgYKYIZIAYb4RQEQAwQcMBoGEWCGSAGG+EUBEAECAgQBhrMXFgUxMDkyMjANBgkqhkiG
9w0BAQUFAAOCAQEARTJpwm+hF9B2CViCdTBpMyxFGDRh4CWNudvwzkS8FKje78uG9te2+7724TxH
pQ4Tga8offzYjbu+O4zbygep+KLThREAHWJyYDxvuvFhCj05vYj82SRBEHBsDccYtZcWO6k4NZs/
lbKXLJIAAjsfEbbFsThf7z6EwlU4p/ElvonRJQ4GWeYySaCcDGA4zi96dKaWLpTejScAMc0tkQmO
rKbZCy2R5g+ENnqxI7e3/K/4nJht9vTWGI52EawMGJ+g9OpxZG8D6WptYwckben24v+QjiNsuP39
mQx91EMelA1UC4bHHKPtvWnEzSMG5M/QmatzPdTBTBPmSMIIO3aAYDGCA+QwggPgAgEBMIG7MIGm
MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNVBAsTFlN5
bWFudGVjIFRydXN0IE5ldHdvcmsxHjAcBgNVBAsTFVBlcnNvbmEgTm90IFZhbGlkYXRlZDE3MDUG
A1UEAxMuU3ltYW50ZWMgQ2xhc3MgMSBJbmRpdmlkdWFsIFN1YnNjcmliZXIgQ0EgLSBHNAIQeLDB
oNuUjzxKxmQBFJEHkzAJBgUrDgMCGgUAoIIB/TAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwG
CSqGSIb3DQEJBTEPFw0xNDA3MjExNDI5MzlaMCMGCSqGSIb3DQEJBDEWBBT9qXfzi80xaPl2qeE2
y5XQxVjy5zCBzAYJKwYBBAGCNxAEMYG+MIG7MIGmMQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3lt
YW50ZWMgQ29ycG9yYXRpb24xHzAdBgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxHjAcBgNV
BAsTFVBlcnNvbmEgTm90IFZhbGlkYXRlZDE3MDUGA1UEAxMuU3ltYW50ZWMgQ2xhc3MgMSBJbmRp
dmlkdWFsIFN1YnNjcmliZXIgQ0EgLSBHNAIQeLDBoNuUjzxKxmQBFJEHkzCBzgYLKoZIhvcNAQkQ
Agsxgb6ggbswgaYxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlvbjEf
MB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazEeMBwGA1UECxMVUGVyc29uYSBOb3QgVmFs
aWRhdGVkMTcwNQYDVQQDEy5TeW1hbnRlYyBDbGFzcyAxIEluZGl2aWR1YWwgU3Vic2NyaWJlciBD
QSAtIEc0AhB4sMGg25SPPErGZAEUkQeTMA0GCSqGSIb3DQEBAQUABIIBAJWrApD4JwhmeSp6LGH0
4BtNmH8cjdm928vqpsbGnVS8ppb+ukhfp6fbMgv9ZVUjjSxnVbfz3NjsawJguhjlh4guouZbdbpM
bixDrrfDXyBmEDZR938/fICHmL+OP9qbLwsCfrh1FYwc9dOkjZSU6eUD56k1APnp+f8Ic3aeRmIZ
MGxIoYIr66IfyIDNcUpxVoaQl6nufgjKiMFH8PIM1pz0wfDVaFonxTsiRqGirQ+UYc10wwrkknpi
mnlI7izP0cJNPABgVjcmbHtiMEKSISY9PjhebmR4LDRBDHQlZvciqUUuSuxkJILiXtSIcgybFVoT
lICbvFSIHEF/aGK0pVMAAAAAAAA=
--Apple-Mail-0F766B90-A743-4845-BDE2-108D286BE52F--