Moving Admin Staff from AFS to DataStore (Samba)

This project's aim is to move admin staff off AFS group space. It has a notional deadline of September 2017, when admin machines are expected to be upgraded to Windows 10, on which no AFS support is expected.

Technical detail


However, Webmark generates output into various areas of the existing AFS space, and that will now need to be redirected, first as a test (for example, /afs/

There are various aspects:

  • identifying all the Webmark generated content
  • separating this from the other manually maintained files, maybe restructuring output directories
  • managing the remote filesystem mount on the Webmark server
    • includes creation of a functional account for Webmark (and sharing these credentials with each Webmark server).
  • changing Webmark form config to generate into the new space

The group space access details we have used for testing are below. At the moment admin staff don't have access to this space but we can add them later.


We are planning to run an sshfs mount on the Webmark server using the functional account, set up at server reboot, e.g. via a cron entry.

mkdir /tmp/tc
sshfs -o intr,large_read,auto_cache,workaround=all -oPort=22222 /tmp/tc
cd /tmp/tc/datastore/inf/groups/inf/
ls -l
touch x

This also worked:

smbclient \\\\\\csce -W ED -U timc


ACLs can be managed thus:

$ smbcacls -U ED/gdutton // /inf/groups/inf/test -a 'ACL:ED\gdutton:ALLOWED/OI|CI/FULL'
Enter ED/gdutton's password: 
$ smbcacls -U ED/gdutton // /inf/groups/inf/test
Enter ED/gdutton's password: 
GROUP:ED\domain users
ACL:Creator Owner:ALLOWED/CI|IO|I/0x001b01ff
ACL:Creator Owner:ALLOWED/OI|IO|I/0x001b01df

...therefore can be managed automatically.

In practice we don't want to allocate ACLs for accounts, but instead for groups - so the missing link is a prometheus conduit which synchronises Informatics groups with AD security groups.
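One way to check the "groups, not accounts" rule automatically, as an added example that is not part of the original page or the project's tooling: it parses smbcacls output in the format shown above and reports ALLOWED entries whose trustee is not an approved group. The sample output, the group name ED\example-group and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in smbcacls output format. ED\gdutton's FULL entry is the
# one added on this page; ED\example-group is a made-up AD security group.
SAMPLE = r"""OWNER:ED\gdutton
GROUP:ED\domain users
ACL:ED\gdutton:ALLOWED/OI|CI/FULL
ACL:ED\example-group:ALLOWED/OI|CI/CHANGE
ACL:Creator Owner:ALLOWED/CI|IO|I/0x001b01ff
ACL:Creator Owner:ALLOWED/OI|IO|I/0x001b01df
"""

ACE_RE = re.compile(
    r"^ACL:(?P<trustee>.+):(?P<type>ALLOWED|DENIED)/(?P<flags>[^/]*)/(?P<mask>\S+)$")
WRITE_DAC, WRITE_OWNER = 0x00040000, 0x00080000  # standard NT access-mask bits
PLACEHOLDERS = {"creator owner", "creator group"}  # inheritance placeholders

def parse_aces(text):
    """Return one dict per 'ACL:' line; OWNER:/GROUP: lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            ace = m.groupdict()
            ace["flags"] = set(filter(None, ace["flags"].split("|")))
            aces.append(ace)
    return aces

def can_change_acl(mask):
    """True if the mask lets the trustee rewrite the ACL or take ownership."""
    if mask.lower().startswith("0x"):
        return bool(int(mask, 16) & (WRITE_DAC | WRITE_OWNER))
    # Textual masks: FULL, or a letter string in which P = change permissions
    # and O = take ownership (READ and CHANGE contain neither letter).
    return mask == "FULL" or "P" in mask or "O" in mask

def audit(text, approved_groups):
    """List (trustee, mask, can_change_acl) for ALLOWED ACEs outside the set.

    smbcacls output does not say whether a trustee is a user or a group, so
    the caller supplies the approved group names (an assumption of this sketch).
    """
    approved = {g.lower() for g in approved_groups} | PLACEHOLDERS
    return [(a["trustee"], a["mask"], can_change_acl(a["mask"]))
            for a in parse_aces(text)
            if a["type"] == "ALLOWED" and a["trustee"].lower() not in approved]

if __name__ == "__main__":
    for trustee, mask, risky in audit(SAMPLE, [r"ED\example-group"]):
        print(f"per-account ACE: {trustee} {mask} can_change_acl={risky}")
```
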

Functional account

We now have a functional account webadmin. It also looks as though we can create ad-hoc groups (via the Visitor and Identity Management system).

DataStore spaces

The following spaces were created by IS on 11/5/18:

  • athena
  • dataCDT
  • hands
  • PParCDT
  • recadmin
  • refadmin
  • techs


-- TimColles - 10 Jan 2017

Topic revision: r9 - 11 May 2018 - 09:12:31 - AlisonDownie