gabriel rosenkoetter on Mon, 03 Feb 2003 20:41:03 -0500



Re: [PLUG] Moving a lot of user accounts


On Mon, Feb 03, 2003 at 07:26:24PM -0500, sean finney wrote:
> but if you're exporting
> the file system over nfs, the rpc routines are the same.  thus a solaris
> box with ACLs set on it could provide ACL'able files to any client OS
> over NFS as long as the client speaks ACLs in NFS.

Right, and the NFS clients speaking ACLs at all is the real issue.
If they do, they'd better do it right, or they're liable to come
from Redmond.

> unfortunately, that
> ain't in linux without a patch yet, don't know about the BSD's.

I said what I know about that already. :^>

Incidentally, the standard for ACLs in tar, dump, and cpio files is
all clearly defined and completely cross-platform if you use the
right utilities to perform the backup. Here is a very good
rundown on ACL support:
  ftp://ftp.berlios.de/pub/star/alpha/README.ACL,
especially as it applies to various OSes and various tar (and dd,
cpio, and dump) implementations, written by Jörg Schilling, the
author of the most POSIX compliant (and, incidentally, wicked fast)
tar implementation. (He's also the author of a fast dd implementation.
And cdrecord. And some other handy stuff. So he does, in fact, know
and code whereof he speaks.)

Footnote on Schily (nickname): he's a bit ornery. He comes off, in
fact, a lot like I do via email. But he's wicked smart, and very
interested in doing the Right thing with his code. So if you ask
him a question, and he acts like you're a moron, what he really
meant to say was "Oh, sure, I see your problem, but I'm kind of
busy. Here, check this reference for more information ..." On the
bright side, he's easier to deal with than certain individuals in
(and one now OUT) of the NetBSD community...

> i think that's a rather broad generalization, yo.  acls are extensively
> used in both the windows network of my college and the unix-based network
> of my computer science dept (for the latter i am a student SA)

... and I used to be. :^>

Oh, as for Windows ACLs, they're a clean rip of VMS's implementation.
Go chew on that one a bit.

> yeah, but the problem with that is it requires the SA to create these
> groups.  imagine an academic environment, where users pair off with
> different partners every week for a project.

No reason to limit this to academics (beyond your not having much
experience outside it, Sean :^>). I have different developers
working together on different projects. And they're long running,
which means that group affiliations from sophomore year can't just
be blown away when we hit the hard limit for group membership, they
must be maintained indefinitely. This hasn't hit my work place yet,
but it's going to. I really hope Linux is up to speed by then...
it'd be a moderate shame if I had to quietly replace everything that's
not Solaris with FreeBSD at that point.

(I'd be glad to, but the process would be a touch painful, no doubt.
Though I could just quietly run Linux-specific applications with
no trouble, I might get some hassle on support from vendors. :^>)

> we used to make groups
> for them, but first of all, it requires our time and privs,

Bear in mind, btw, that this is a site with between seven and nine
active sysadmins at all times.

> and it's
> a huge headache to keep track of which groups can be safely deleted
> and when you delete them, you have to worry about stranding files
> that no longer belong to any group.

... and you're lucky Swat doesn't do graduate work, or you'd have
people there for ~8 years, and you *would* hit the group limit.

> the biggest problem we had is that setfacl and getfacl for solaris has
> a god-awful commandline syntax that scares away most folks.

It does, actually, make a certain internal sense. It is, in fact,
far more internally sensical than, say, Veritas's command line
utilities. But yeah, not for those who don't intrinsically
understand how operating systems and file systems interact at a
conceptual level.

> attached is
> a solution that i wrote to it my sophomore year at swat after having been
> a sysadmin for only 4 or 5 months (and using any kind of unix for about a year
> past that), mind you.

Thanks. I'd bugged Jeff for that when I was getting ready to enforce
(yeah, well) ACL usage at work, but he never got back to me (erm, or
maybe he did... more immediately relevant:) and I got distracted
anyhow.

I'll spare you the code audit you deserved back then until I've
rewritten it in Perl (which may never happen, considering that it
does, in fact, *work*). ;^>

> not quite correct.  bob and alice need to edit web pages.  they send
> an email to the SA, asking "please create this group for us, we need
> to edit web pages".  the SA, when he/she has time to get around to it
> (when not busy actually doing _real_ administration) will create the
> group, and then give them instructions on how they can ensure they
> can read/write each other's files.

An important, and already prominent, subtext here: systems
administrators should NOT be janitors. There are FAR more important
things for them to be doing than letting users share files. If so
many end up as janitors, it's because the systems they administrate
are poorly configured, most often in the scalability department.

(My workplace definitely qualifies: I spend way longer washing out
toilet bowls than I'd like, and way too little time playing with
the shiny toys that, properly played with, directly make us money.
But it's a fixable situation, not one that should just be accepted.
There is NO reason for network and systems administration to become
a sanitation engineer type of job... it's entirely possible to
design and plumb both so that they never need cleaning, just
expansion.)

-- 
gabriel rosenkoetter
gr@eclipsed.net

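The part of the setfacl/getfacl model that the message says scares people off is the mask and the order in which entries are consulted. The Python below is an added example, not code from this thread or from either poster: it parses a constructed Solaris-style getfacl dump (user names, group names and the file are made up) and evaluates POSIX.1e access the way the file system does, reproducing the `#effective:` column getfacl prints.

```python
# Added example, not code from the thread: parse a Solaris-style getfacl(1) dump and evaluate POSIX.1e access as the file system does.
SAMPLE_ACL = """\
# owner: bob
# group: staff
user::rw-
user:alice:rw-          #effective:rw-
group::r--              #effective:r--
group:webteam:rwx       #effective:rw-
mask:rw-
other:r--
"""  # constructed: bob lets alice edit without asking an SA for a group
TAGS = {"u": "user", "g": "group", "m": "mask", "o": "other"}

def parse_acl(text):
    """Return (owner, owning_group, entries); entries are (tag, qualifier, {r,w,x})."""
    hdr, entries = {}, []
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()   # drop getfacl's trailer
        if line.startswith("# "):                      # "# owner: bob" etc.
            key, val = line[2:].split(":", 1)
            hdr[key] = val.strip()
        elif line and not line.startswith("d"):        # skip default: entries
            parts = line.split(":")                    # u/g/m/o abbreviations OK
            qual = parts[1] if len(parts) == 3 else ""
            entries.append((TAGS[parts[0][0]], qual, set(parts[-1]) & set("rwx")))
    return hdr["owner"], hdr["group"], entries

def effective(acl):
    """What getfacl shows as #effective: the mask caps named users, named groups and the owning group, never owner or other."""
    mask = next((p for t, q, p in acl[2] if t == "mask"), None)
    out = {}
    for tag, qual, perms in acl[2]:
        capped = tag == "group" or (tag == "user" and qual != "")
        out[(tag, qual)] = perms & mask if capped and mask is not None else perms
    return out

def has_access(acl, user, groups, wanted):
    """POSIX.1e check: first matching class (owner, named user, group class, other) decides; in the group class any one entry granting all bits suffices."""
    owner, owning_group, entries = acl
    wanted, eff = set(wanted), effective(acl)
    if user == owner:
        return wanted <= eff[("user", "")]
    if ("user", user) in eff:
        return wanted <= eff[("user", user)]
    matches = [eff[(t, q)] for t, q, _ in entries
               if t == "group" and (q in groups if q else owning_group in groups)]
    if matches:
        return any(wanted <= m for m in matches)
    return wanted <= eff[("other", "")]
```

Note that webteam's `rwx` entry is cut to `rw-` by the mask, which is the usual surprise when someone adds a user or group entry and then wonders why execute never takes effect.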