On 5/2/2023 12:32 PM, Ben Huntsman ([email protected]) wrote:
Hi there!
I'm trying to test a few things without having all the kerberos and auth stuff in place. I run the following command:
bos setauth <machine> off
I'm using Transarc paths, so this creates the NoAuth file in /usr/afs/local. bosserver is running with -noauth. I am logged in as a user who is listed in UserList.
The NoAuth file only applies to services that rely upon the UserList for authorization (bosserver, vlserver and volserver) or that have an explicit check (ptserver). It does not include services that have an ACL-based model such as the fileserver. The ptserver only checks at startup so the service needs to be restarted after the NoAuth file is created.
However, I still can't run fs setacl commands, nor even do an ls of /afs. I get various messages such as:
fs: You don't have the required access rights on '/afs'
ls: /afs: The file access permissions do not allow the specified action.
Correct because the authorization decisions are made based upon the authenticated identity and the contents of the applicable ACL.
The NoAuth(5) man page is incorrect when it implies that all AFS server processes running on the machine look for it.
I have not tried it but after restarting the ptserver with NoAuth in place you might try adding "anonymous" to the "system:administrators" group.
Do I have to do something else to get afsd to skip permissions checks?
Again, this is just for testing. But it appears that the NoAuth file is not honored.
Thank you!
-Ben
Anytime. Jeffrey Altman
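An audit helper that follows the reply above, added here as an example and not part of the original thread or of OpenAFS: it reports which server processes a NoAuth file currently affects, so a file left behind after testing is easy to spot. Assumptions: the function names are hypothetical, the directory defaults to the Transarc path from the thread, the caller supplies the ptserver start time in epoch seconds, and the file's mtime is treated as its creation time.

```shell
#!/bin/sh
# Added example (not OpenAFS code): list the server processes that a NoAuth
# file affects, following the explanation in the reply above.
# Assumptions: Transarc layout (/usr/afs/local); ptserver start time is passed
# in by the caller; NoAuth mtime is taken as the time the file was created.

file_mtime() {
    # Modification time in epoch seconds: GNU stat first, BSD stat as fallback.
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

noauth_affected() {
    # $1 = server local directory (e.g. /usr/afs/local)
    # $2 = ptserver start time in epoch seconds (optional)
    noauth="$1/NoAuth"

    if [ ! -e "$noauth" ]; then
        echo "none"
        return 0
    fi

    # Services that authorize through UserList honor NoAuth.
    affected="bosserver vlserver volserver"

    # ptserver checks only at startup, so it honors the file only when it
    # was started at or after the time the file was created.
    if [ -n "$2" ] && [ "$2" -ge "$(file_mtime "$noauth")" ]; then
        affected="$affected ptserver"
    fi

    # The fileserver is never listed: its decisions come from the
    # authenticated identity and the applicable ACL, not from NoAuth.
    echo "$affected"
}

# Typical call on a server using Transarc paths (start time is a placeholder):
#   noauth_affected /usr/afs/local "$PTSERVER_START_EPOCH"
```

Any output other than `none` on a production server means authorization checks are disabled for the listed processes.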
