Hi Jeffrey- Thank you for the quick reply! If I understand you correctly, that essentially means that there's no way to access the /afs filespace without setting up some sort of authentication infrastrcture, even in an "emergency" basis.
Thank you! -Ben ________________________________ From: Jeffrey E Altman Sent: Tuesday, May 2, 2023 11:44 AM To: Ben Huntsman; [email protected] Subject: Re: [OpenAFS] NoAuth not working? On 5/2/2023 12:32 PM, Ben Huntsman ([email protected]) wrote: > Hi there! > I'm trying to test a few things without having all the kerberos and > auth stuff in place. I run the following command: > > bos setuath <machine> off > > I'm using Transarc paths, so this creates the NoAuth file in > /usr/afs/local. bosserver is running with -noauth. I am logged in as > a user who is listed in UserList. The NoAuth file only applies to services that rely upon the UserList for authorization (bosserver, vlserver and volserver) or that have an explicit check (ptserver). It does not include services that have an ACL based model such as the the fileserver. The ptserver only checks at startup so the service needs to be restarted after the NoAuth file is created. > However, I still can't run fs setacl commands, nor even do an ls of > /afs. I get various messages such as: > > fs: You don't have the required access rights on '/afs' > ls: /afs: The file access permissions do not allow the specified action. Correct because the authorization decisions are made based upon the authenticated identity and the contents of the applicable ACL. The NoAuth(5) man page is incorrect when it implies that all AFS server processes running on the machine look for it. > > Do I have to do something else to get afsd to skip permissions checks? I have not tried it but after restarting the ptserver with NoAuth in place you might try adding "anonymous" to the "system:administrators" group. > > Again, this is just for testing. But it appears that the NoAuth > file is not honored. > > Thank you! > > -Ben > Anytime. Jeffrey Altman
