Path: utzoo!attcan!uunet!ogicse!ucsd!ucbvax!PAN.SSEC.HONEYWELL.COM!thompson
From: thompson@PAN.SSEC.HONEYWELL.COM (John Thompson)
Newsgroups: comp.sys.apollo
Subject: re: Registry problems AGAIN
Message-ID: <9010260420.AA11366@pan.ssec.honeywell.com>
Date: 26 Oct 90 04:20:17 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 46

> In article <9010250649.AA01789@vlsi-mentor.jpl.nasa.gov> root@VLSI-MENTOR.JPL.NASA.GOV (The vlsi-mentor SysAdmin) writes:
> >What is this? I am logged in as 'root' and edrgy tells me I am
> >"not authorized to perform operation"?
> >
> >According to the properties, my SID *owns* the registry and the
> >files the registry is based on. What gives?
>
> This is what I learned. It may not apply to your situation. Following the
> example instructions in creating registries, I set up them to be "owned" by
> %.sys_admin.%. This was done during the cvtrgy (converting 9.7 registries)
> and not the same as the acls of the directories.
>
> However, %.sys_admin.% is not the same as root.%.% which is different since
> root usually has access to everything. It turns out that if you are logged
> on as root on the machine with the master registries, you can perform
> add/changes, etc. anyway. This is either a feature or a bug. However,
> if you are logged onto another machine, then the %.sys_admin.% is enforced
> and you are not allowed to perform operations even if you are root.

1  Of course %.sys_admin.% is not the same as root.%.% ! The sys_admin
   group is just another group. Normally, they have some added ACLs, but
   it's totally up to _you_ as the implementor of the system. In fact, I
   don't believe that %.sys_admin.% even needs to exist, at sr10!

2  Yes, there is a FEATURE (it's documented) to allow root.%.% AND
   %.locksmith.% to muck with the registries, even if they aren't the
   owner, IFF they are logged onto the node that holds the master
   registry. Even if it weren't documented, I'd consider it a feature.
   What do you do when you hose up your owner-of-registry account? What
   happens if all the sys-admins decide to quit? Or die?

3  The reason that I have heard for the original problem is that you must
   have logged in to the window/pad/terminal/console/whatever as the
   owner-of-registry. In other words, if you do a 'crp -on //node -me'
   and try from there, it won't work, since your password hasn't been
   truly validated when you CRPed over. I haven't verified this, but it
   seems to match my earlier hassles with registry modifying, and I
   haven't had any since.

John Thompson (jt)
Honeywell, SSEC
Plymouth, MN 55441
thompson@pan.ssec.honeywell.com

As ever, my opinions do not necessarily agree with Honeywell's or reality's.
(Honeywell's do not necessarily agree with mine or reality's, either)