[LU-3887] lfs lsetfacl and lfs rsetfacl fail to generate changelog records
Created: 05/Sep/13  Updated: 09/Oct/21  Resolved: 09/Oct/21

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Major
Reporter: Colin Faber [X] (Inactive)
Assignee: WC Triage
Resolution: Won't Fix
Votes: 0
Labels: None
Environment: SL6.4, lustre 2.4.1

Attachments: PDF File Remote_acl_HLD_v2.pdf
Issue Links:
Related
is related to LU-6971 Remove obsolete remote client and "lf... Resolved
Rank (Obsolete): 10131

 Description   

lfs ACL control commands lsetfacl and rsetfacl fail to generate changelog records.

Standard setfacl commands do generate XATTR changelog events.

-cf



 Comments   
Comment by Colin Faber [X] (Inactive) [ 11/Sep/13 ]

These are Kerberos functions.

Comment by Andreas Dilger [ 17/Oct/13 ]

Colin, I'm not sure what you are expecting here? Do these commands actually do anything useful today? Is there any documentation that might explain what they are or what they are supposed to do? Now that you've alerted me to their existence, I'm almost inclined to delete this code since I'm not even sure there is anyone who understands it anymore.

Comment by Colin Faber [X] (Inactive) [ 17/Oct/13 ]

Hi Andreas,

The only thing I can find on them is an HLD from Fan Yong back in 2007 (attached to the ticket). Likely, unless further work is done on remote ACL control, these can be removed. IU may be utilizing part of this, but without talking with them directly I'm not sure.

-cf

Comment by Colin Faber [X] (Inactive) [ 17/Oct/13 ]

Remote ACL HLD PDF

Comment by Andreas Dilger [ 17/Oct/13 ]

Fan Yong,
does the remote ACL code work at all, or is it dead code that could be removed? Indiana is implementing a remote UID/GID mapping feature that does not depend on Kerberos, so the question is whether this code will become obsolete, or if it is still needed for remote Kerberos principals?

Joshua,
will the IU UID/GID feature correctly handle mapping of UID/GID entries in ACLs on both the client and server? IMHO, this should be transparent, and I'm not even sure why lsetfacl and rsetfacl are needed. From reading the attached HLD, it appears that rsetfacl is needed to allow users in one mapping to access files from users in a different mapping? To me this seems like a possible security hole. Instead, it seems to me the remote user should get an entry in each mapping.

Hopefully we can get some more understanding of these commands and come to a clean solution for both Kerberos and UIDmap.

Comment by Andreas Dilger [ 09/Oct/21 ]

The lsetfacl and rsetfacl commands have been removed.

Generated at Sat Feb 10 01:37:47 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.