[OpenAFS] fs la /afs fails : You don't have the required access rights

Jean-Fabrice [gmail] jeanfabrice@gmail.com
Mon, 25 Sep 2006 11:55:13 +0200


Hi,
Here at work, we're trying to set up our first openafs fileserver
under debian stable, sparc64, kernel 2.6.16.18.
The openafs server suite is fully taken from the debian stable repository,
while the openafs-modules source is 1.4.2~fc2 taken from unstable, since
stable is only 1.3.81 and does not support the sparc64 2.6 kernel.

I followed the guide located at
http://www.debianplanet.org/node.php?id=816 and my problems begin
with 'fs setacl /afs system:anyuser rl'.
The error is: "fs: You don't have the required access rights on '/afs'"

Here is the list of commands I issued:
ralingwb06:/usr/src# /etc/init.d/openafs-client start
which produces
[    0.026700] Warning: failed to find address of 32-bit system call table
[    0.104942] System call hooks will not be installed; proceeding anyway
[    0.223647] Starting AFS cache scan...found 0 non-empty cache files (0%).

then
ralingwb06:/usr/src# kinit
Password for admin@RAL.ADMIN:
ralingwb06:/usr/src# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@RAL.ADMIN
Valid starting     Expires            Service principal
09/25/06 11:28:50  09/25/06 21:28:48  krbtgt/RAL.ADMIN@RAL.ADMIN
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

ralingwb06:/usr/src# aklog

ralingwb06:/usr/src# tokens
Tokens held by the Cache Manager:
User's (AFS ID 1) tokens for afs@ral.admin [Expires Sep 25 21:28]
   --End of list--

ralingwb06:/usr/src# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@RAL.ADMIN
Valid starting     Expires            Service principal
09/25/06 11:28:50  09/25/06 21:28:48  krbtgt/RAL.ADMIN@RAL.ADMIN
09/25/06 11:28:55  09/25/06 21:28:48  afs@RAL.ADMIN
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

When I issue 'fs la /afs', I get this in the logfile:
2.079415] afs: Tokens for user of AFS id 1 for cell ral.admin are
discarded (rxkad error=19270410)
translate_et 19270410 says "sealed data inconsistent". Could this be
due to the fact that I'm using a 1.4.2fc2 client against a 1.3.81
fileserver?

While investigating, I found that 'aklog' produces the following in
krb5kdc.log:
Sep 25 11:43:18 ralingwb06 krb5kdc[14155](info): TGS_REQ (1 etypes
{1}) 172.24.0.8: UNKNOWN_SERVER: authtime 1159177388,  admin@RAL.ADMIN
for afs/ral.admin@RAL.ADMIN, Server not found in Kerberos database
Sep 25 11:43:18 ralingwb06 krb5kdc[14155](info): TGS_REQ (1 etypes
{1}) 172.24.0.8: ISSUE: authtime 1159177388, etypes {rep=16 tkt=1
ses=1}, admin@RAL.ADMIN for afs@RAL.ADMIN

The "server not found" sounds strange. Are these two lines related to
the same authentication? I mean, does aklog first try
afs/ral.admin@RAL.ADMIN, which fails, and then afs@RAL.ADMIN, which
succeeds?


PS: The admin member seems ok:
ralingwb06:/var/log# pts membership admin
Groups admin (id: 1) is a member of:
  system:administrators

Any idea where I could be wrong?

Thx.

JF
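
An added example, not part of the original post: a small Python correlator for the krb5kdc TGS_REQ lines quoted above. It groups requests by client address, client principal and authtime, so the order of service principals requested under one initial authentication can be read directly from the log. The log lines are copied from the post (rejoined after mail wrapping); the function names are hypothetical.

```python
import re
from collections import defaultdict

# The two krb5kdc.log lines from the post, rejoined after mail line-wrapping.
SAMPLE_LOG = """\
Sep 25 11:43:18 ralingwb06 krb5kdc[14155](info): TGS_REQ (1 etypes {1}) 172.24.0.8: UNKNOWN_SERVER: authtime 1159177388,  admin@RAL.ADMIN for afs/ral.admin@RAL.ADMIN, Server not found in Kerberos database
Sep 25 11:43:18 ralingwb06 krb5kdc[14155](info): TGS_REQ (1 etypes {1}) 172.24.0.8: ISSUE: authtime 1159177388, etypes {rep=16 tkt=1 ses=1}, admin@RAL.ADMIN for afs@RAL.ADMIN
"""

# Matches the TGS_REQ format shown in the post; the etypes block only
# appears when a ticket was issued.
TGS_RE = re.compile(
    r"TGS_REQ \(\d+ etypes \{[^}]*\}\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"authtime (?P<authtime>\d+),\s+(?:etypes \{(?P<etypes>[^}]*)\},\s+)?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)"
)


def parse_tgs(log_text):
    """Return one dict per TGS_REQ line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = TGS_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        # Turn "rep=16 tkt=1 ses=1" into {"rep": 16, ...}; empty on failures.
        pairs = (p.split("=") for p in (ev["etypes"] or "").split())
        ev["etypes"] = {k: int(v) for k, v in pairs}
        events.append(ev)
    return events


def group_by_authentication(events):
    """Group requests sharing client address, principal and authtime.

    authtime is the time of the initial authentication (the TGT), so
    requests with the same key were made with the same TGT.
    """
    groups = defaultdict(list)
    for ev in events:
        key = (ev["addr"], ev["client"], ev["authtime"])
        groups[key].append((ev["status"], ev["service"]))
    return dict(groups)


if __name__ == "__main__":
    for key, attempts in group_by_authentication(parse_tgs(SAMPLE_LOG)).items():
        print(key, "->", attempts)
```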