[OpenAFS] How to modify AFS uid after user has been created
Michael Meffie
mmeffie@sinenomine.net
Thu, 21 May 2015 12:49:12 -0400
On Thu, 21 May 2015 18:02:50 +0200
Jan Iven <jan.iven@cern.ch> wrote:
> On 05/21/2015 05:37 PM, Susan Litzinger wrote:
> > We have a situation where we need to change the AFS uids for a handful
> > of long-time users who have uids that are < 1000. I can't seem to find
> > any way to change the AFS uid for anyone after they have been created.
> > Has anyone else run into this problem, and if so, how did you resolve it?
>
> I guess the major issue is finding all files owned by the user. Per my
> understanding the numeric ID is used everywhere, so this mean crawling
> the full cell. Which is why we never have done this ourselves.. despite
> having some inconveniently low-IDed users.
>
> Naive approach:
>
> pts rename -oldname OLD -newname TMP
> pts createuser -name OLD -id NEWID
>
> pts mem TMP
> # and then add the new user OLD to all the groups that TMP is member of,
> this presumably could be scripted..
> pts listowned TMP
> # and then pts chown these to OLD
>
> # then: crawl all directories in cell, fs la, identify ACLs owned by
> TMP, add same ACL for OLD.
> # For beautification: also "chown" at file system level for
> files/directories created by TMP, in order to not leave the previous
> (numeric) userID all over the place.
>
> # there might be a way to do this in parallel directly on the
> fileservers via "volscan" (new in 1.6.10), would look at "-find acl
> -output path aid arights"; similar for -find file dir -output path owner
> # still need to cope with the volume-relative path names
>
> # if you are sure the user could not possibly ever have created a file
> elsewhere, you might be able to constrain this to subtrees they had
> write to (ex: the home directory).
>
> # eventually:
> pts deleteuser TMP
Hello,
IBM published this description of how you can do such a migration:
http://www-01.ibm.com/support/docview.wss?uid=swg21104412
The user ids are used in multiple places, and all of them will need to be updated.
- the ptserver database
- possibly in ACLs in the volume metadata
- in the file and directory ownerships
volscan can be helpful for this transition, by searching for places that need
to be updated without resorting to find.
I've done a renumbering migration in the past by creating a new set of
usernames (with new pts ids), adding the new pts ids to the groups that need
them, changing ownerships, renaming the users to move them to the new id, then
after all is well, removing the old ids. It's a tedious process, but is doable.
Mike --
--
Michael Meffie <mmeffie@sinenomine.net>