Re: [HCoop-SysAdmin] [afs client on deleuze] AFS groups

Thu, 05 Apr 2007 18:59:24 -0700 

Something is wrong with how the the AFS *client* on deleuze -- nested
groups work properly in the hcoop.net cell when accessed using other
machines as clients:

   [EMAIL PROTECTED]:~$kinit [EMAIL PROTECTED]
   Password for [EMAIL PROTECTED]: 
   [EMAIL PROTECTED]:~$aklog -c hcoop.net
   [EMAIL PROTECTED]:~$cd /afs/hcoop.net/user/m/me/megacz/
   [EMAIL PROTECTED]:/afs/hcoop.net/user/m/me/megacz$ls test
   [EMAIL PROTECTED]:/afs/hcoop.net/user/m/me/megacz$fs la test
   Access list for test is
   Normal rights:
     system:databases rl
     system:administrators rlidwka
   [EMAIL PROTECTED]:/afs/hcoop.net/user/m/me/megacz$pts mem system:databases 
-cell hcoop.net
   Members of system:databases (id: -216) are:
     system:postgres
   [EMAIL PROTECTED]:/afs/hcoop.net/user/m/me/megacz$pts mem system:postgres 
-cell hcoop.net
   Members of system:postgres (id: -218) are:
     megacz
     postgres.deleuze

Davor, are you sure you compiled the *client* with --enable-supergroups?

Also, it is a Bad Idea to create AFS groups that don't have a colon
(":") in their name.  Please don't do this.

  - a


Davor Ocelic <[EMAIL PROTECTED]> writes:
> On Wed, Apr 04, 2007 at 12:26:52PM -0700, Adam Megacz wrote:
>> 
>> Sorry, I'm still not getting it.  Could you post the command that
>> isn't working and the error you're getting?
>
> (A side note: You may notice that I chowned files in /etc/keytabs/ to
> $USER:wheel, mode 440, so now admins can invoke 
> kinit -k -t /etc/keytabs/some.file some/principal
> without need for sudo or anything.. Which is great!)
>
>
> Ok back to the problem at hand Adam... 
>
> kinit adamc_admin
> aklog
> cd /afs/hcoop/..somewhere.../
> mkdir test
> fs sa test databases rl
>
> And then,
>
> kinit -k -t /etc/keytabs/postgres.service postgres/deleuze
> aklog
>
> then as that user, try to cd into the test directory which has permissions
> 'databases rl'.
>
> You should be able to do that (since postgres/deleuze is member of
> postgres.service, which is member of 'databases'), but it is giving
> permission denied instead.

-- 
PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380


_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin

Reply via email to