[870] in Moira
Re: Probable Moira export problem.
daemon@ATHENA.MIT.EDU (John Hawkinson)
Mon Mar 20 16:38:22 1995
Date: Mon, 20 Mar 1995 16:38:14 -0500
To: "Michael A. Patton" <MAP@MIT.EDU>
Cc: bugs@MIT.EDU, Marc@MIT.EDU, MAR@MIT.EDU, bug-moira@MIT.EDU
In-Reply-To: "[13343] in Athena Bugs"
From: John Hawkinson <jhawk@MIT.EDU>
map writes:
> Sometime in the last month, the working of lists and specifically the
> export from Moira to AFS seems to have become broken. The specific
> example which I have just noticed is the list "tmrc-request" which was
> fine in mid February, the last time I tried to access files controlled
> by it, but is now wrong. The AFS access list should have two people,
> mar and map, but only has mar.
>
> I suspect this is a general problem with entries of type "KERBEROS",
> specifically no longer exporting from Moira lists to AFS lists, but I
> can't be certain. In researching it further, I found that other
> places, some strictly within Moira, where this is supposed to be
> active, also no longer work. Specifically, I tried to patch around
> the problem by temporarily adding "USER map" to "tmrc-request", but
> listmaint said I lacked permission for that (note: I am not certain
> that this worked before, I don't remember testing it), but I should
> have been able to. This makes me suspect that sometime in the last
> month a bug was introduced that makes Moira list entries of type
> "KERBEROS" not work at all.
This is a known problem -- for more information you might want to
consult transaction 857 and following in /usr/spool/discuss/moira on
menelaus, and perhaps 13075 in bugs (netprob 2925), but in short,
KERBEROS -type entries for null instances seem to not work at all.
Since tmrc-request is writable by itself, and contains:
USER:mar
STRING:MAP=Request@BBN.com
KERBEROS:map@ATHENA.MIT.EDU
Kerberos-wise only the first entry does anything, and so mar is the only
one who can do anything. The same problem gets passed on to AFS... (for
another example of this, see the list jhawk-pts-keepers).
As far as I know this problem has been going on significantly longer
than the last month. I can definitively state that it was present
prior to 4 January of this year, and I'm fairly sure that it was
sometime towards November that I changed an ACL to
KERBEROS:jhawk@ATHENA.MIT.EDU and discovered I needed dbadmin access
to fix it.
Everything I've heard about this problem seems to suggest that it's
been around forever, so I'm somewhat puzzled how it might have worked
for you last month...
Aside from using USER:map, another possible workaround is to use
KERBEROS:map.extra@ATHENA.MIT.EDU (add sis; reg_extra to get one), but
then you need to kinit seperately to use it... This is particularly
reasonable for you as you're not a student and your .extra instance is
not tied to anything.
--jhawk
