[OpenAFS] How to modify AFS uid after user has been created

Susan Litzinger susan@psc.edu
Thu, 21 May 2015 15:02:37 -0400



Thanks all -- I followed the directions set out by IBM and things worked
fine.

Much appreciated,

Susan


On Thu, May 21, 2015 at 12:49 PM, Michael Meffie <mmeffie@sinenomine.net>
wrote:

> On Thu, 21 May 2015 18:02:50 +0200
> Jan Iven <jan.iven@cern.ch> wrote:
>
> > On 05/21/2015 05:37 PM, Susan Litzinger wrote:
> > > We have a situation where we need to change the AFS uids for a handful
> > > of long-time users who have uids that are < 1000.  I can't seem to find
> > > any way to change the AFS uid for anyone after they have been created.
> > > Has anyone else run into this problem, and if so, how did you resolve it?
> >
> > I guess the major issue is finding all files owned by the user. Per my
> > understanding the numeric ID is used everywhere, so this means crawling
> > the full cell. Which is why we never have done this ourselves.. despite
> > having some inconveniently low-IDed users.
> >
> > Naive approach:
> >
> > pts rename -oldname OLD -newname TMP
> > pts createuser -name OLD -id NEWID
> >
> > pts mem TMP
> > # and then add the new user OLD to all the groups that TMP is member of,
> > # this presumably could be scripted..
> > pts listowned TMP
> > # and then pts chown these to OLD
> >
> > # then: crawl all directories in cell, fs la, identify ACLs owned by
> > # TMP, add same ACL for OLD.
> > # For beautification: also "chown" at file system level for
> > # files/directories created by TMP, in order to not leave the previous
> > # (numeric) userID all over the place.
> >
> > # there might be a way to do this in parallel directly on the
> > # fileservers via "volscan" (new in 1.6.10), would look at "-find acl
> > # -output path aid arights"; similar for -find file dir -output path owner
> > # still need to cope with the volume-relative path names
> >
> > # if you are sure the user could not possibly ever have created a file
> > # elsewhere, you might be able to constrain this to subtrees they had
> > # write to (ex: the home directory).
> >
> > # eventually:
> > pts deleteuser TMP
>
>
> Hello,
>
> IBM published this description of how you can do such a migration:
>
>    http://www-01.ibm.com/support/docview.wss?uid=swg21104412
>
> The user ids are used in multiple places, and all of them will need to be
> updated.
>
>   - the ptserver database
>   - possibly in ACLs in the volume metadata
>   - in the file and directory ownerships
>
> volscan can be helpful for this transition, by searching for places that
> need to be updated without resorting to find.
>
> I've done a renumbering migration in the past by creating a new set of
> usernames (with new pts ids), adding the new pts ids to the groups that
> need them, changing ownerships, renaming the users to move them to the
> new id, then after all is well, removing the old ids. It's a tedious
> process, but is doable.
>
> Mike --
>
> --
> Michael Meffie <mmeffie@sinenomine.net>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
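
The ACL step of the renumbering described in the thread ("identify ACLs owned by TMP, add same ACL for OLD"), as an added example that is not part of the original messages. It assumes the usual `fs listacl` text layout; `plan_acl_copy`, `sample_listacl` and the `/afs/example.org` paths are constructed for illustration, and TMP and OLD are the placeholder names used in the thread.

```shell
#!/bin/sh
# Added example. Builds a reviewable plan; it never calls fs or pts itself.

# plan_acl_copy TMP OLD < captured `fs listacl` output
# Prints one `fs setacl` line per ACL entry held by TMP, granting OLD the
# same rights. Negative entries keep -negative so a deny is not lost.
plan_acl_copy() {
    awk -v tmp="$1" -v new="$2" -v q="'" '
        /^Access list for .* is$/ {
            # Path sits between "Access list for " (16 chars) and " is" (3).
            dir = substr($0, 17, length($0) - 19)
            section = ""
            next
        }
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        section != "" && NF == 2 && $1 == tmp {
            if (index(dir, q)) {      # path cannot be single-quoted safely
                print "# handle by hand: " dir
                next
            }
            flag = (section == "negative") ? " -negative" : ""
            print "fs setacl -dir " q dir q " -acl " new " " $2 flag
        }
    '
}

# Constructed sample of `fs listacl` output for two directories.
# TMPX is a different principal and must not match TMP.
sample_listacl() {
cat <<'EOF'
Access list for /afs/example.org/user/old is
Normal rights:
  system:administrators rlidwka
  TMP rlidwka

Access list for /afs/example.org/project/shared is
Normal rights:
  system:anyuser rl
  TMPX rlidw
Negative rights:
  TMP rl
EOF
}

sample_listacl | plan_acl_copy TMP OLD
```

Against a real cell the input would come from `fs listacl` over the directories being crawled, with the generated plan read through before any line of it is executed.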
