
Conference iosg::all-in-1_v30

Title:*OLD* ALL-IN-1 (tm) Support Conference
Notice:Closed - See Note 4331.l to move to IOSG::ALL-IN-1
Moderator:IOSG::PYE
Created:Thu Jan 30 1992
Last Modified:Tue Jan 23 1996
Last Successful Update:Fri Jun 06 1997
Number of topics:4343
Total number of notes:18308

1790.0. "Different FCS connections" by SIOG::T_REDMOND (Thoughts of an Idle Mind) Mon Nov 16 1992 17:34

    Bob (only person who can answer this question...)
    
    What, in the FCS code, explains the following:
    
    1. Unprivileged user on NODEA has a proxy account on NODEB.
    
    2. User does an IAD to see what drawers are available on NODEB.
    
    3. User adds a drawer from the list to his FILECAB.
    
    4. System manager on NODEB does SM MFC MS MSC to display client 
       connections.  Two connections are shown for the user from NODEA,
       both (quite correctly) coming in from the proxy account. However,
       one of the connections is shown with "Y" in the Mgt field 
       apparently indicating that the user possesses the OAFC$SYSMAN
       identifier, which is not held by the proxy account.
    
    5. User now exits from ALL-IN-1.
    
    6. User re-enters ALL-IN-1 and accesses the drawer.
    
    7. System Manager runs MSC again. This time we have one connection
       to the drawer with an "N" in the Mgt field.
    
    What's the difference between the connection made after IAD/ADR and the
    normal connection?
    
    Tony

1790.1. "Easy" by IOSG::TALLETT (Gimmee an Alpha colour notebook...) Tue Nov 17 1992 10:14, 12 lines
    
    	Sorry if my name's not Bob! :-)
    
    	IAD uses OafcShowPartition which is actually a system management
    	routine (which is why you get a system management session) but
    	is special cased in the FCS so that you can call it even if you
    	don't hold OAFC$SYSMAN.
    
    	Is this for your new book? :-)
    
    Regards,
    Paul

1790.2. "Slight commercial included" by SIOG::T_REDMOND (Thoughts of an Idle Mind) Tue Nov 17 1992 13:08, 8 lines

    Hi Paul,
    
    Thanks for your answer.  No, it's not for the book (which has now gone
    to the printers and should be available at the end of this month), but
    rather as the answer to a question from the ALL-IN-1 seminar that's
    being taught here in VBO this week.
    
    Cheers, Tony

1790.3. "Guess I'm gonna hafta get here earlier" by CHRLIE::HUSTON Tue Nov 17 1992 13:38, 63 lines
    
    Geez, I get a personal, only for me question and Paul answers it, 
    some people, no respect at all :-) :-)
    
    Paul is 100% correct, I will try to give a little more detail, step
    by step, (just to show Paul up :-) )
    
    >1. Unprivileged user on NODEA has a proxy account on NODEB.
    
    Fair enough setup.
    
    >
    >2. User does an IAD to see what drawers are available on NODEB.
    >
    This creates a system management session directly to nodeB.
    
    IAD, as Paul said, is a special case, it actually uses the FCS routine
    OafcShowPartition which is a system management routine. If the user
    does not hold the OAFC$SYSMAN rights id, a bit is set in the session 
    block saying that he is not really a system manager. Then in 
    OafcShowPartition ONLY this bit is checked and if it indicates he is 
    not a system manager, security checks are done on a drawer by drawer
    basis as we walk the partition.dat on that node. Only those drawers
    which the user actually has access to will be returned. This is
    different from how it works if he holds the OAFC$SYSMAN rights id, in
    that case, every drawer would be returned since he is a system manager.
    
    >3. User adds a drawer from the list to his FILECAB.
    
    This creates a brokered session from the nodeA to nodeB on behalf of 
    the user.
    
    >4. System manager on NODEB does SM MFC MS MSC to display client 
    >   connections.  Two connections are shown for the user from NODEA,
    >   both (quite correctly) coming in from the proxy account. However,
    >   one of the connections is shown with "Y" in the Mgt field 
    >   apparently indicating that the user possesses the OAFC$SYSMAN
    >   identifier, which is not held by the proxy account.
    
    Both the above sessions show up as you saw, one is system mgmt, the
    other isn't.
    
    >5. User now exits from ALL-IN-1.
    
    This deletes both sessions.
    
    >6. User re-enters ALL-IN-1 and accesses the drawer.
    
    This creates the brokered session from step 3 above.
    
    >7. System Manager runs MSC again. This time we have one connection
    >   to the drawer with an "N" in the Mgt field.
    
    Just the session established in 6 above is there.
    
    >What's the difference between the connection made after IAD/ADR and the
    >normal connection?
    
    See what Paul said :-)
    
    --Bob
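
The behaviour described in 1790.1 and 1790.3, modelled as an added example that is not part of the original thread and is not FCS code: a management session is opened for every caller, a flag records that OAFC$SYSMAN is not held, and the partition walk filters drawer by drawer when that flag is set. All names (`SESS_MGMT`, `SESS_NOT_SYSMAN`, `open_mgmt_session`, `mgt_field`, `show_partition`), the drawer names and the access rule are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the behaviour described in 1790.1 and 1790.3. */
#define SESS_MGMT       0x1u /* system management session: MSC shows Mgt = Y */
#define SESS_NOT_SYSMAN 0x2u /* caller does not hold OAFC$SYSMAN */

struct drawer  { const char *name; const char *reader; }; /* "*" = anyone */
struct session { const char *user; unsigned flags; };
/* Constructed sample standing in for partition.dat on NODEB. */
static const struct drawer partition[] = {
    { "[SMITH]MAIN",      "SMITH" },
    { "[JONES]MAIN",      "JONES" },
    { "[SHARED]PROJECTS", "*"     },
};
#define NDRAWERS (sizeof partition / sizeof partition[0])

static int can_access(const struct drawer *d, const char *user) {
    return strcmp(d->reader, "*") == 0 || strcmp(d->reader, user) == 0;
}

/* IAD path: always a management session; flag it if the right is not held. */
struct session open_mgmt_session(const char *user, int holds_sysman) {
    struct session s = { user, SESS_MGMT };
    if (!holds_sysman) s.flags |= SESS_NOT_SYSMAN;
    return s;
}

/* What the connection display would report for this session. */
char mgt_field(const struct session *s) {
    return (s->flags & SESS_MGMT) ? 'Y' : 'N';
}

/* Walk the partition; filter per drawer unless the caller is a real manager. */
size_t show_partition(const struct session *s, const char **out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < NDRAWERS && n < max; i++) {
        if ((s->flags & SESS_NOT_SYSMAN) && !can_access(&partition[i], s->user))
            continue;
        out[n++] = partition[i].name;
    }
    return n;
}

int main(void) {
    const char *out[8];
    struct session s = open_mgmt_session("SMITH", 0);
    printf("Mgt=%c drawers=%zu\n", mgt_field(&s), show_partition(&s, out, 8));
    return 0;
}
```

In this model the "Y" in the Mgt field reflects the session type only, so a reviewer reading the connection list cannot infer from it that the account holds the management identifier.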