Why can't I set an ACL in AFS even though I'm in the right group?

418
Torandi

I have a directory in AFS that I have lost control over. According to the system administrators, my admin subgroup (dsekt:admin) has rlidwka on the directory. I am a member of that group (I can list the group's members and see my nick there), but I can't set the ACL.

pts:

    $>pts membership dsekt:admin
    Members of dsekt:admin (id: -6813) are:
      /.../
      taran

And my klist:

    $>klist
    Credentials cache: FILE:/tmp/krb5cc_56782
            Principal: taran@NADA.KTH.SE

Both dsekt:admin and the directory are on the node NADA.KTH.SE.

1

3 answers

1
Paul Blackburn

With AFS, Access Control Lists (ACLs) are used to set access rights on directories (not files). (ACL ref: http://www.angelfire.com/hi/plutonic/afs-faq.html#sub2.04 )

First, display the ACL on the directory:

    fs la $directory

For example:

    tweety@toontown $ fs listacl .
    Access list for . is
    Normal rights:
      fac:coords rlidwka
      system:anyuser rl

Second, look at the ACL and confirm that your AFS-ID is either in the ACL or is a member of any group in the ACL. You can check group membership with:

    pts mem $afs_group_name

Third, examine the AFS access rights (ref: http://www.angelfire.com/hi/plutonic/afs-faq.html#sub2.04 ) and confirm you have the access rights needed.

To administer an ACL, you only need the "a" access right. However, in practice, it's easier to have all rights: "rwlidka".

Fourth, confirm you have authenticated into your AFS cell and have an active token:

For example:

    elmer@toontown $ tokens
    Tokens held by the Cache Manager:

    User's (AFS ID 9997) tokens for afs@ny.acme.com [Expires Sep 15 06:50]
    User's (AFS ID 5391) tokens for afs@sf.acme.com [Expires Sep 15 06:48]
       --End of list--

It is possible in AFS to authenticate into more than one cell.

1
adeason

The fs getcalleraccess command can be useful to see what access rights AFS thinks you have on a directory. Just run:

    $ fs getcalleraccess
    Callers access to . is rlidwka

One possibility not covered by other answers yet is that you may be listed in a "negative" ACL on the relevant directory. Negative ACLs are not very common, but they are applied "after" the normal positive ACLs, so negative ACLs trump positive ACLs.

For example:

    $ fs la
    Access list for . is
    Normal rights:
      system:administrators rlidwka
      system:anyuser rl
      foo1 rlidwka
    Negative rights:
      foo1 rlidwka

User 'foo1' in that example cannot access the directory at all, even though they are listed with positive "rlidwka" rights. To remove the negative ACL entry:

    $ fs sa . foo1 none -negative
    $ fs la
    Access list for . is
    Normal rights:
      system:administrators rlidwka
      system:anyuser rl
      foo1 rlidwka
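
Added example (not part of any answer on this page, and not OpenAFS code): a simplified Python model of how the checks described above combine, taking `fs listacl` output, the caller's groups and whether a token is held, and returning the resulting rights. The group `staff:admin`, the user `foo2` and the sample ACL are constructed for illustration.

```python
SAMPLE_LISTACL = """\
Access list for . is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  staff:admin rlidwka
Negative rights:
  foo1 wka
"""  # constructed sample in the layout `fs listacl` prints


def parse_listacl(text):
    """Return {'normal': {name: rights}, 'negative': {name: rights}}."""
    acl = {"normal": {}, "negative": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Normal rights"):
            section = "normal"
        elif line.startswith("Negative rights"):
            section = "negative"
        elif section and line:
            name, rights = line.rsplit(None, 1)
            acl[section][name] = set(rights)
    return acl


def effective_rights(acl, user, groups, has_token=True):
    """Union of matching Normal entries minus union of matching Negative ones.

    Simplified: implicit rights (e.g. for system:administrators members)
    are not modelled. Without a token the caller is only system:anyuser.
    """
    who = {"system:anyuser"}
    if has_token:
        who |= {user, "system:authuser", *groups}
    granted, denied = set(), set()
    for name, rights in acl["normal"].items():
        if name in who:
            granted |= rights
    for name, rights in acl["negative"].items():
        if name in who:
            denied |= rights
    return "".join(r for r in "rlidwka" if r in granted - denied)


def can_set_acl(acl, user, groups, has_token=True):
    """Changing an ACL needs the 'a' (administer) right."""
    return "a" in effective_rights(acl, user, groups, has_token)
```

With the sample ACL, `foo1` is in `staff:admin` yet ends up with `rlid` because of the negative entry, and any caller without a token falls back to the `rl` granted to `system:anyuser`.
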
0
kmarsh

I'm not very familiar with Andrew, but generally some permissions are stored in the parent directory; you may need permissions there as well.
