On 3/16/2012 6:27 PM, Oguzhan Eris wrote:
> Hi,
> 
> I've been trying to figure out if this is documented/expected behavior
> with openafs (1.4.11).
>
> UserA has valid tokens and does not have access to directory /foo
> /foo has an acl giving group:bar all access (UserA is not part of this
> group)
> UserB adds UserA to group:bar
> UserA still can't access /foo until he does an ak5log (I think I
> understand why this is the case)
> With the renewed tokens he is able to access /foo
> UserB removes UserA from group:bar
> UserA can still read from /foo and still write to it as well, and will
> continue to do so on each machine he has a session until his tokens
> expire (length of kerberos ticket, so up to 7 days) or does an
> ak5log/kinit himself.

Authentication and Group Memberships are computed each time a new
RPC connection is established from a client to a file server.  New
connections are created as one of the side effects of acquiring new
tokens, token expiration, token destruction (unlog), or PAG creation.

In AFS, there is no mechanism for the Protection Service to notify a
file server when an issued CPS response would need to change.  Polling
the Protection service on each incoming RPC has significant performance
limitations.

The cacheout command (src/venus/cacheout.c) can be used to force
ACL invalidation across file servers for specific userids and client
IP addresses.

Jeffrey Altman
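The behaviour Jeffrey describes (group membership snapshotted per RPC connection, refreshed only when a connection is re-established or explicitly invalidated) is easy to misread as a bug, so here is a small Python model of it. This is an added illustration written for this page, not OpenAFS code: the `ProtectionService`, `FileServer`, `connect` and `cacheout` names are hypothetical, the model keys connections on user name and client IP for readability (the real cacheout command works on userids and IP addresses), and the ACL right letters and the scenario itself are constructed to mirror the thread.

```python
"""Toy model of per-connection authorization caching (illustrative, not OpenAFS code).

A file server computes a user's group memberships (the CPS) when an RPC
connection is established and keeps using that snapshot until the connection
is replaced (new tokens, expiry, unlog, new PAG) or explicitly invalidated.
"""
from dataclasses import dataclass


class ProtectionService:
    """Stand-in for the PT server: the authoritative group membership store."""

    def __init__(self):
        self.groups: dict[str, set[str]] = {}

    def add(self, group: str, user: str) -> None:
        self.groups.setdefault(group, set()).add(user)

    def remove(self, group: str, user: str) -> None:
        self.groups.get(group, set()).discard(user)

    def cps(self, user: str) -> set[str]:
        """Current Protection Subset: the user plus every group containing them."""
        return {user} | {g for g, members in self.groups.items() if user in members}


@dataclass
class Connection:
    user: str
    client_ip: str
    cps: frozenset  # snapshot taken at connection time, never refreshed


class FileServer:
    """Hypothetical file server: caches the CPS per (user, client IP) connection."""

    def __init__(self, pts: ProtectionService):
        self.pts = pts
        self.acls: dict[str, dict[str, str]] = {}  # path -> {principal: rights}
        self.connections: dict[tuple[str, str], Connection] = {}

    def set_acl(self, path: str, principal: str, rights: str) -> None:
        self.acls.setdefault(path, {})[principal] = rights

    def connect(self, user: str, client_ip: str) -> Connection:
        """New tokens / PAG / token expiry => new connection => CPS recomputed."""
        conn = Connection(user, client_ip, frozenset(self.pts.cps(user)))
        self.connections[(user, client_ip)] = conn
        return conn

    def check(self, user: str, client_ip: str, path: str, right: str) -> bool:
        """Authorize against the cached CPS; establish a connection if none exists."""
        conn = self.connections.get((user, client_ip))
        if conn is None:
            conn = self.connect(user, client_ip)
        acl = self.acls.get(path, {})
        return any(right in acl.get(principal, "") for principal in conn.cps)

    def cacheout(self, user: str, client_ip: str) -> None:
        """Model of the cacheout command: drop the cached CPS for user@ip."""
        self.connections.pop((user, client_ip), None)


def scenario() -> list[bool]:
    """Replays the thread's sequence; each entry is one access decision."""
    pts = ProtectionService()
    fs = FileServer(pts)
    fs.set_acl("/foo", "group:bar", "rlidwka")  # group:bar has all rights
    results = []
    results.append(fs.check("userA", "10.0.0.1", "/foo", "r"))  # not in group
    pts.add("group:bar", "userA")                               # UserB adds UserA
    results.append(fs.check("userA", "10.0.0.1", "/foo", "r"))  # stale CPS, still denied
    fs.connect("userA", "10.0.0.1")                             # ak5log: new connection
    results.append(fs.check("userA", "10.0.0.1", "/foo", "r"))  # now allowed
    pts.remove("group:bar", "userA")                            # UserB removes UserA
    results.append(fs.check("userA", "10.0.0.1", "/foo", "w"))  # stale CPS, still allowed
    fs.cacheout("userA", "10.0.0.1")                            # force invalidation
    results.append(fs.check("userA", "10.0.0.1", "/foo", "w"))  # denied again
    return results


if __name__ == "__main__":
    print(scenario())
```

The fourth decision is the one from the original question: after removal from the group the user keeps write access until the connection is replaced or, as in the last step, explicitly invalidated. The model's point is not that the cache is wrong but that revocation latency is bounded by token lifetime, so an administrator who needs immediate effect has to invalidate rather than wait.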
