SUA and AFS
SUA and AFS - Jun. 29, '06, 10:41:13 AM
|
|
|
edrosen
Posts: 7
Joined: Mar. 30, '06,
Status: offline
|
We make use of AFS for much of our UNIX env, including home directories. If I set my home directory under Win Users to my AFS home dir, I get the following when I login:
(BLDWIN03) login: edrosen
Password:
Copyright (c) Microsoft Corporation. All rights reserved.
Welcome to the SUA utilities.
DISPLAY=localhost:0.0
sh: /dev/fs/P/u/edrosen/.profile ignored: improper write permissions
I can run this file from the prompt. I saw a previous post re permissions, and set the perms to 600 for this file from another system, but the SUA session still shows this file as 777:
$ pwd
/dev/fs/P/u/edrosen
$
$ ls -l .profile
-rwxrwxrwx 1 0 0 1497 Jun 28 11:43 .profile
chmod under SUA returns:
$ pwd
/dev/fs/P/u/edrosen
$ chmod 600 .profile
chmod: .profile: Invalid argument
Are there known "issues" around AFS and SUA?
|
|
|
RE: SUA and AFS - Jun. 29, '06, 1:33:54 PM
|
|
|
Rodney
Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
|
The issue, per se and as you describe the error messages, isn't an SUA/Interix thing.
The underlying driver is queried for information and Interix reports it.
The driver is having a problem or the file server is or the file server isn't liking
what/how the driver is asking/requesting.
Given that permissions are showing as 777 I'd say it's a driver thing since the file was
(I'm assuming) created on a Unix system that in all likelihood was using a umask of 022.
The ".profile" thing is a security check added to both sh/ksh and csh/tcsh
as they ship to prevent Trojan Horses in login scripts. The code is unique to Interix.
Whose AFS driver are you using?
|
|
|
RE: SUA and AFS - Jun. 29, '06, 5:09:27 PM
|
|
|
edrosen
Posts: 7
Joined: Mar. 30, '06,
Status: offline
|
The Windows Client is OpenAFS 1.4.0101.
The server appears to be: AFS version: Base configuration afs3.6 2.57
I hope this is what you were asking for.
Is there some way to satisfy the security check so I can run my .profile from my AFS home dir? This is fairly crucial to being able to use the SUA subsystem for us.
Thanks.
|
|
|
RE: SUA and AFS - Jun. 29, '06, 6:58:56 PM
|
|
|
Rodney
Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
|
The security check can be satisfied when the permissions on the file are secure enough.
That is, not writable by anyone but the owner who is the same as the running user.
As a workaround, you can use the shells from here (/Tools) because I didn't add similar code.
I'll have to go read up more on OpenAFS later tonight.
|
|
|
RE: SUA and AFS - Jun. 29, '06, 10:43:23 PM
|
|
|
markfunk
Posts: 673
Joined: Mar. 31, '03,
Status: offline
|
Is AFS presenting itself as a FAT filesystem to Windows ?
Or is the Windows client making it look like a FAT file system ?
Historically, AFS has always had a problem.
I don't remember what all the problems were or
what the last status was. (it was many years ago).
|
|
|
RE: SUA and AFS - Jun. 30, '06, 2:30:26 AM
|
|
|
Rodney
Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
|
Mark's point about your mount point presenting itself like a FAT filesystem might be it.
I've been scanning through the documentation. The documentation does indicate that AFS
is getting presented as SMB to Windows. But how well it presents itself might be questionable
since by default for "dot file" (i.e. ".login") it attaches the "hidden" attribute.
I also found that AFS can present itself by UNC pathnames.
The Interix equivalent is "/net" (/net/MACHINE/sharepoint/path...).
Try doing the access by the /net path instead of the letter drive.
The permissions may be presented better.
Another approach may be to export AFS to appear as NFS. Here's a man page on the web about it:
http://www.eyrie.org/~eagle/tmp/openafs/1/fs_exportafs.html
< Message edited by Rodney -- Jun. 30, '06, 2:32:12 AM >
|
|
|
RE: SUA and AFS - Jun. 30, '06, 1:12:37 PM
|
|
|
edrosen
Posts: 7
Joined: Mar. 30, '06,
Status: offline
|
I don't see a version of ksh in the /tools list of downloads. Is it part of some other package? I also don't see the afs cell under /net/...., and so far, can't get Windows to create a share for the afs cell.
|
|
|
RE: SUA and AFS - Jun. 30, '06, 2:37:40 PM
|
|
|
Rodney
Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
|
The ksh was only up as a test version for a couple of people to try out.
It hasn't been packaged. There was work on it that at some point I was going to
reverse engineer into it (the win path stuff) -- I have to clean that code and
a lot of people rely on it. The binary is sitting in /pub on the ftp site.
For /net look not for an AFS thing. Look for the name of the machine and then
the SMB sharename. That's how it'll be there.
|
|
|
RE: SUA and AFS - Jun. 30, '06, 4:45:53 PM
|
|
|
edrosen
Posts: 7
Joined: Mar. 30, '06,
Status: offline
|
Nothing shows up under the /net/ComputerName dir except if I share a local directory - I cannot get Windows to accept a net share command for an AFS directory.
The ksh binary from /pub core dumps on my Win2003 box.
Bummer.
|
|
|
RE: SUA and AFS - Jul. 1, '06, 4:06:56 AM
|
|
|
Rodney
Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
|
> The ksh binary from /pub core dumps on my Win2003 box.
That's likely because of DEP (xref the FAQ for more) since it's gcc built (on Interix 3.5).
A final release into a package would likely be c89 built (bypassing DEP triggering).
Not much I can do about AFS though.
|
|
|