Path: utzoo!attcan!uunet!tut.cis.ohio-state.edu!ucbvax!PAN.SSEC.HONEYWELL.COM!thompson
From: thompson@PAN.SSEC.HONEYWELL.COM (John Thompson)
Newsgroups: comp.sys.apollo
Subject: re: Registry problems AGAIN
Message-ID: <9010272135.AA16713@pan.ssec.honeywell.com>
Date: 27 Oct 90 21:35:22 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 36

> We have a situation here where my cohort created a couple of
> accounts (never having done it before) and for a person entry
> named 'joe' set the owner as joe.%.%. He then couldn't
> create the account 'joe.eng.none' ("not authorized to perform
> operation" - sound familiar) because an account named "joe" was
> the only account authorized to mess with the person "joe"!!
>
> Once I returned from vacation, I logged in as root and tried
> to delete the person 'joe', and got the message "not authorized
> to perform operation". AS ROOT!!!
>
> The only way I found to get a valid account for person "joe"
> was to use import_passwd to import an account named "joe". This
> allowed me to rename the original "joe" to "bogus", but now I have
> a person entry named "bogus" that is owned by an account "bogus.%.%".
>
> Why can't I delete this entry as root??

Because root doesn't own the entry!!! Unlike Unix, Domain/OS doesn't recognize
GOD as the owner of all things. As was mentioned in the previous postings, you
_can_ break the security by logging on to the master-registry-server's node as
'root' or '%.locksmith.%' and editing/deleting it there. This is the 'back door'
save-a?s mechanism to get things corrected once you hose them up.

P.S. If you don't know where your master registry node is, see your system
administrator, or use /etc/rgy_admin.

John Thompson (jt)
Honeywell, SSEC
Plymouth, MN 55441
thompson@pan.ssec.honeywell.com

As ever, my opinions do not necessarily agree with Honeywell's or reality's.
(Honeywell's do not necessarily agree with mine or reality's, either)