T.R | Title | User | Personal Name | Date | Lines |
---|
2125.1 | A common banana-skin | IOSG::CARLIN | Dick Carlin IOSG, Reading, England | Tue Jan 19 1993 18:57 | 17 |
| The sharing has taken place, but probably not in the way you intended.
You should not proxy BANANA::SMITH into CLARKE unless you really want
SMITH to have all CLARKE's access rights on APPLE. For example if
CLARKE creates a drawer on APPLE then CLARKE, as owner of the drawer,
has access rights right up to CONTROL level - probably more than you
want to give to SMITH.
Better to proxy BANANA::SMITH into, say, the VMS account SMITH_P. Then,
when you share the drawer, mention (SMITH_P) when you specify the
access rights you want for SMITH.
Mentioning (CLARKE) was an error since CLARKE owns the drawer and gets
rights by default anyway.
Cheers
Dick
|
2125.2 | Sharing without shared drawer ? | 42408::CLARKE | The Cat in the Hat comes back. | Wed Jan 20 1993 09:18 | 16 |
| Dick
Yes, this is exactly what I want, what I didn't tell you is the remote user and
local user are actually the same person and hence all drawer access can be happily
passed onto the remote user.
Are you saying that the remote user will have exactly the same access to local
drawers via DSO as the account he has proxy access to, even drawers which are
not shared?
e.g. When I set up the proxy for BANANA::SMITH into CLARKE he will be able to
access CLARKE's Main drawer (and any other of Clarke's drawers) without them
having to be shared.
Thanks
Aston
|
2125.3 | Hope this doesn't sound too negative! | IOSG::CARLIN | Dick Carlin IOSG, Reading, England | Wed Jan 20 1993 10:21 | 16 |
| Yes, that's right. Sharing is really based on the VMS account. So the
CLARKE VMS account has the access - whether it's required by the local
CLARKE ALL-IN-1 account or the remote BANANA::SMITH account is
transparent.
A word of warning. If both users are going to simultaneously access the
drawer, which is technically unshared as you have discovered, then
things will be mainly ok, but the sharing will not be as clean as if
you had separate VMS accounts. If it's really just one person, and only
one access is ever active, then no problem.
In general sharing of VMS accounts between ALL-IN-1 users is something
we would like to discourage, but I hasten to add it is still supported
since it is an established practice at several sites.
Dick
|
2125.4 | Yup | CHRLIE::HUSTON | | Wed Jan 20 1993 12:57 | 11 |
|
Just to expand on what Dick says in .3 about proxy into a VMS account.
When the FCS authenticates you by proxy, you are, for all security
checks from that point on, that user. If you proxy BANANA::SMITH
into CLARKE, then on the remote node (which CLARKE lives on), you
ARE CLARKE, you are no longer BANANA::SMITH, so yes you will be treated
exactly like you were him.
--Bob
|
2125.5 | Customers want the strangest things! | WAYOUT::CLARKE | The Cat in the Hat comes back. | Wed Jan 20 1993 16:53 | 19 |
| I understand all of the previous replies.
However, the customer has this situation. Machine NODEA with user CLARKE and
drawer MAIN not shared, NODEB has same user name CLARKE with proxy access from
NODEB into CLARKE on NODEA. When CLARKE on NODEB attempts to access user CLARKE
on NODEA's Main drawer, they get the error that the drawer is not shared (which
it isn't).
Am I trying to select the remote drawer incorrectly? He is doing it using Gold E
from the WP SEL Drawer field. The Proxy/Syntax being used must be ok because if
the local drawer is modified to be shared the remote user can access it in this
way.
It doesn't seem to hold that a remote user gets the access of the account he is
proxied into for unshared drawers as the FCS doesn't seem to recognise them.
Please enlighten me!
Aston
|
2125.6 | Hmm. | IOSG::CARLIN | Dick Carlin IOSG, Reading, England | Thu Jan 21 1993 10:58 | 22 |
| Now I'm really puzzled. I've just tried this successfully on V3.0 and
V3.0-1 (and a mixture!).
Let's recap:
1. What version are you running on each machine? Any customisations?
2. When CLARKE on NODEB uses GOLD-E to select NODEA/CLARKE/MAIN he gets
a "drawer not shared" error? Can you give the precise message please.
This is the strange bit; as Bob says, the access checking is against
the VMS account CLARKE on NODEA.
3. When you "share" the drawer, I assume you mean by adding a dummy
(local?) sharer, everything is ok?
4. Yes, as far as I can see you are selecting the drawer correctly. You
can either use GOLD-E to fill in system/user/drawer or directly enter
something like NODEA::"[CLARKE]MAIN" into the drawer field.
5. If possible could you trace the failed drawer selection attempt?
Dick
|
2125.7 | Can you also put a FCS trace on the remote server | CHRLIE::HUSTON | | Thu Jan 21 1993 13:48 | 15 |
|
re .5
>It doesn't seem to hold that a remote user gets the access of the account he is
>proxied into for unshared drawers as the FCS doesn't seem to recognise them.
The FCS does not understand shared/non-shared drawers. All drawers
are the same to the FCS, they are all shared drawers.
re .6 Puzzled...
Me too.
--Bob
|
2125.8 | Stand down lads... | WAYOUT::CLARKE | The Cat in the Hat comes back. | Mon Jan 25 1993 11:22 | 11 |
| I have managed to set this up as per the previous notes and when I spoke the
customer through it in detail to get the exact errors and trace etc., his started
working correctly also.
I believe that what has been happening is that he has been changing proxies,
drawer access etc without logging out of ALL-IN-1 on the remote node, and the
file cab server doesn't seem to pick up the change immediately.
Thanks for all your help.
Aston
|
2125.9 | FCS is like an elephant sometimes - never forgets. | IOSG::STANDAGE | Oink...Oink...Mooooooooooooooooooooooooooooooooo | Mon Jan 25 1993 11:32 | 13 |
|
Aston,
You are indeed correct, the FCS will remember quite a bit about any
remote connection it's done in the recent past. It's always safer
to exit ALL-IN-1 and re-enter before connecting to a drawer whose
configuration you've changed.
Glad things are working OK now,
Kevin.
|
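The behaviour discussed in .1, .4 and .8/.9, as a simplified model added here (it is not ALL-IN-1 or FCS code and was not posted by anyone in the thread). The `Server` class, the `READ` level and the idea that the server keeps the account it resolved at connect time until the user reconnects are assumptions made for illustration; only CONTROL, the node and account names, and the drawer name come from the notes.

```python
# Simplified, constructed model of proxy-based drawer access; not ALL-IN-1 code.

class Server:
    def __init__(self):
        self.proxies = {}   # "NODE::USER" -> local VMS account
        self.drawers = {}   # drawer name -> {"owner": account, "acl": {account: level}}
        self.sessions = {}  # remote identity -> account resolved at connect time

    def add_proxy(self, remote, account):
        self.proxies[remote] = account

    def create_drawer(self, name, owner):
        self.drawers[name] = {"owner": owner, "acl": {}}

    def share(self, name, account, level):
        self.drawers[name]["acl"][account] = level

    def connect(self, remote):
        # Proxy authentication: from here on the remote user IS the local account.
        self.sessions[remote] = self.proxies.get(remote)

    def disconnect(self, remote):
        self.sessions.pop(remote, None)

    def access(self, remote, name):
        # Assumption: the account resolved at connect time is reused until reconnect.
        if remote not in self.sessions:
            self.connect(remote)
        account = self.sessions[remote]
        drawer = self.drawers[name]
        if account is None:
            return "NONE"                 # no proxy entry, no access
        if account == drawer["owner"]:
            return "CONTROL"              # owner rights apply even if the drawer is unshared
        return drawer["acl"].get(account, "NONE")


def demo():
    apple = Server()
    apple.create_drawer("MAIN", owner="CLARKE")
    apple.add_proxy("BANANA::SMITH", "CLARKE")     # proxy into the owner's account
    broad = apple.access("BANANA::SMITH", "MAIN")  # treated exactly as CLARKE
    apple.add_proxy("BANANA::SMITH", "SMITH_P")    # re-point to a dedicated account
    apple.share("MAIN", "SMITH_P", "READ")         # grant only what SMITH needs
    stale = apple.access("BANANA::SMITH", "MAIN")  # session still resolved as CLARKE
    apple.disconnect("BANANA::SMITH")              # exit and re-enter
    fresh = apple.access("BANANA::SMITH", "MAIN")  # change is picked up
    return broad, stale, fresh


if __name__ == "__main__":
    print(demo())
```

In this model a proxy or sharing change only takes effect for a remote user after a reconnect, so an access review after narrowing a proxy should include ending that user's existing sessions.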