[OpenAFS] NoAuth not working?

Ben Huntsman ben@huntsmans.net
Tue, 2 May 2023 20:42:42 +0000



Hi Jeffrey-
   Thank you for the quick reply!  If I understand you correctly, that
essentially means that there's no way to access the /afs filespace without
setting up some sort of authentication infrastructure, even on an "emergency"
basis.

   Thank you!

-Ben




________________________________
From: Jeffrey E Altman
Sent: Tuesday, May 2, 2023 11:44 AM
To: Ben Huntsman; openafs-info@openafs.org
Subject: Re: [OpenAFS] NoAuth not working?

On 5/2/2023 12:32 PM, Ben Huntsman (ben@huntsmans.net) wrote:
> Hi there!
>    I'm trying to test a few things without having all the kerberos and
> auth stuff in place.  I run the following command:
>
> bos setauth <machine> off
>
>    I'm using Transarc paths, so this creates the NoAuth file in
> /usr/afs/local.  bosserver is running with -noauth.  I am logged in as
> a user who is listed in UserList.

The NoAuth file only applies to services that rely upon the UserList for
authorization (bosserver, vlserver and volserver) or that have an
explicit check (ptserver).  It does not include services that have an
ACL based model such as the fileserver.   The ptserver only checks
at startup so the service needs to be restarted after the NoAuth file is
created.


> However, I still can't run fs setacl commands, nor even do an ls of
> /afs.  I get various messages such as:
>
> fs: You don't have the required access rights on '/afs'
> ls: /afs: The file access permissions do not allow the specified action.

Correct because the authorization decisions are made based upon the
authenticated identity and the contents of the applicable ACL.


The NoAuth(5) man page is incorrect when it implies that all AFS server
processes running on the machine look for it.

>
>    Do I have to do something else to get afsd to skip permissions checks?
I have not tried it but after restarting the ptserver with NoAuth in
place you might try adding "anonymous" to the "system:administrators" group.
>
>    Again, this is just for testing.  But it appears that the NoAuth
> file is not honored.
>
> Thank you!
>
> -Ben
>
Anytime.


Jeffrey Altman
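The steps Jeffrey's reply implies, written out as a small POSIX shell script. This is an added example, not code from the thread or from OpenAFS itself; the server name afsdb1.example.com, the cell name example.com, and the Transarc path /usr/afs/local are assumptions, and the "anonymous in system:administrators" step is his untested suggestion, not a documented procedure. Every bos/pts invocation carries -noauth because with NoAuth in place there are no tokens to present. AFS_DRY_RUN=1 prints each command instead of running it, so the sequence can be reviewed without a live cell.

```sh
#!/bin/sh
# Added example (not from the thread): the NoAuth sequence as shell functions.
# Assumptions: Transarc paths (NoAuth lives in /usr/afs/local), the hostname
# and cell below, and bos(8)/pts(1) on PATH. Set AFS_DRY_RUN=1 to print each
# command instead of executing it.

: "${AFS_SERVER:=afsdb1.example.com}"   # assumed db/file server hostname
: "${AFS_CELL:=example.com}"            # assumed cell name
: "${AFS_LOCAL:=/usr/afs/local}"        # Transarc path that holds NoAuth

# Print-or-run wrapper. -noauth on every command is deliberate: with NoAuth
# in place there are no tokens, so the client must not try to use any.
run() {
    if [ -n "$AFS_DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# True when the NoAuth flag file exists on this server.
noauth_present() { [ -f "$AFS_LOCAL/NoAuth" ]; }

# Step 1: create NoAuth via bosserver. This is enough for the UserList-based
# services (bosserver, vlserver, volserver), which honor the file at runtime.
noauth_on() { run bos setauth "$AFS_SERVER" off -noauth; }

# Step 2: ptserver reads NoAuth only at startup, so it must be restarted.
restart_ptserver() { run bos restart "$AFS_SERVER" ptserver -noauth; }

# Step 3: the fileserver ignores NoAuth and evaluates ACLs against the
# authenticated identity; an unauthenticated caller is "anonymous". The
# suggestion from the thread (untested there) is to put anonymous into
# system:administrators, whose members get implicit "a" rights everywhere.
grant_anonymous() {
    run pts adduser anonymous system:administrators -cell "$AFS_CELL" -noauth
}

# Step 4: revert, in reverse order. Remove the group membership first so the
# cell is never left with admin-for-everyone after auth is turned back on.
noauth_off() {
    run pts removeuser anonymous system:administrators -cell "$AFS_CELL" -noauth
    run bos setauth "$AFS_SERVER" on -noauth
    run bos restart "$AFS_SERVER" ptserver -noauth
}

case "${1:-}" in
    enable)  noauth_on && restart_ptserver && grant_anonymous ;;
    disable) noauth_off ;;
    status)  if noauth_present; then
                 echo "NoAuth present in $AFS_LOCAL"
             else
                 echo "NoAuth absent"
             fi ;;
    *) ;;
esac
```

Run it as `sh noauth.sh enable` on the server, test, then `sh noauth.sh disable`. Note what the enable state means: while NoAuth exists, anyone who can reach bosserver, vlserver or volserver can act as an administrator without credentials, and with anonymous in system:administrators every unauthenticated client has full rights on every volume in the cell. This is only defensible on an isolated test cell, and the disable step is the one that matters.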


