[OpenAFS] fs la /afs fails : You don't have the required access rights

Russ Allbery rra@stanford.edu
Mon, 25 Sep 2006 10:51:39 -0700


Jean-Fabrice <jeanfabrice@gmail.com> writes:

> Here at work, we're trying to set up our first openafs fileserver
> under debian stable, sparc64, kernel 2.6.16.18.
> The openafs server suite is fully taken from the debian stable repository,
> while the openafs-modules source is 1.4.2~fc2 taken from unstable since
> stable is only 1.3.81 and does not support the sparc64 2.6 kernel.

> I followed the guide located at
> http://www.debianplanet.org/node.php?id=816 and my problems begin
> with 'fs setacl /afs system:anyuser rl'.
> The error is: "fs: You don't have the required access rights on '/afs'"

That's pretty much equivalent to the scripts that come with the OpenAFS
package, but either way I think you'd still have problems given what you
have below:

> When I issue 'fs la /afs', I get this in the logfile:
> 2.079415] afs: Tokens for user of AFS id 1 for cell ral.admin are
> discarded (rxkad error=19270410)
> translate_et 19270410 says "sealed data inconsistent". Could this be
> due to the fact that I'm using a 1.4.2fc2 client against a 1.3.81
> fileserver?

No, I'd be more inclined to suspect that what you have in your OpenAFS
KeyFile and what's in your KDC database doesn't match, either in key or in
kvno.  When you did the asetkey, what did you use for the kvno?  The
instructions you followed aren't as comprehensive as the ones that come
with the OpenAFS package about exactly how to do that.

Compare bos listkeys with kadmin getprinc on the afs principal.  (Hm, I
forget how to do the bos listkeys equivalent without having authentication
working with bosserver but without restarting it with -noauth.)

> while investigating, I found that 'aklog' produces the following in
> krb5kdc.log :
> Sep 25 11:43:18 ralingwb06 krb5kdc[14155](info): TGS_REQ (1 etypes
> {1}) 172.24.0.8: UNKNOWN_SERVER: authtime 1159177388,  admin@RAL.ADMIN
> for afs/ral.admin@RAL.ADMIN, Server not found in Kerberos database
> Sep 25 11:43:18 ralingwb06 krb5kdc[14155](info): TGS_REQ (1 etypes
> {1}) 172.24.0.8: ISSUE: authtime 1159177388, etypes {rep=16 tkt=1
> ses=1}, admin@RAL.ADMIN for afs@RAL.ADMIN

aklog tries afs/cell@REALM first since that's the recommended principal
name (and allows such things as multiple cells with one realm).  So the
above is normal given that you used the old principal name format.

> The "server not found" sounds strange. Are these two lines related to
> the same authentication? I mean, does aklog first try
> afs/ral.admin@RAL.ADMIN, which fails, and then afs@RAL.ADMIN, which
> succeeds?

Right.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
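The two checks Russ suggests above, comparing the kvnos that `bos listkeys` reports against the `Key: vno N` lines from `kadmin getprinc`, and recognising the normal aklog fallback from afs/cell@REALM to afs@REALM in krb5kdc.log, written out as an added example. This is not code from the thread or from OpenAFS; the three sample outputs are constructed in the format those tools printed in the OpenAFS 1.4 / MIT Kerberos era, with the kvnos, checksums and hostnames made up for the illustration. Note that `bos listkeys` only exposes kvno and a checksum, so this catches a kvno mismatch but cannot detect two different keys stored under the same kvno.

```python
import re

# Constructed sample in the format of `bos listkeys <server>` (OpenAFS 1.4 era).
# Checksums are made up; the KeyFile here holds kvnos 0 and 2 only.
BOS_LISTKEYS_OUTPUT = """\
key 0 has cksum 2035850286
key 2 has cksum 1091285702
Keys last changed on Mon Sep 25 10:12:03 2006.
All done.
"""

# Constructed sample in the format of MIT `kadmin -q "getprinc afs/ral.admin"`.
# The KDC holds the afs principal at kvno 3, which the KeyFile above lacks.
KADMIN_GETPRINC_OUTPUT = """\
Principal: afs/ral.admin@RAL.ADMIN
Expiration date: [never]
Last password change: Mon Sep 25 10:05:41 PDT 2006
Maximum ticket life: 1 day 00:00:00
Number of keys: 1
Key: vno 3, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
"""

# Constructed krb5kdc.log lines mirroring the pair quoted in the thread,
# joined back onto one line each (the mail wrapped them).
KDC_LOG = """\
Sep 25 11:43:18 ralingwb06 krb5kdc[14155](info): TGS_REQ (1 etypes {1}) 172.24.0.8: UNKNOWN_SERVER: authtime 1159177388,  admin@RAL.ADMIN for afs/ral.admin@RAL.ADMIN, Server not found in Kerberos database
Sep 25 11:43:18 ralingwb06 krb5kdc[14155](info): TGS_REQ (1 etypes {1}) 172.24.0.8: ISSUE: authtime 1159177388, etypes {rep=16 tkt=1 ses=1}, admin@RAL.ADMIN for afs@RAL.ADMIN
"""

BOS_KEY_RE = re.compile(r"^key (\d+) has cksum (\d+)$")
KADMIN_KEY_RE = re.compile(r"^Key: vno (\d+), (.+)$")
# status, client and server principal of one TGS_REQ line; the optional
# "etypes {...}," group only appears on ISSUE lines.
TGS_RE = re.compile(
    r"TGS_REQ .*?: (?P<status>[A-Z_]+): authtime \d+,\s*"
    r"(?:etypes \{[^}]*\},\s*)?(?P<client>\S+) for (?P<server>[^,\s]+)"
)


def parse_bos_listkeys(text):
    """Map kvno -> checksum from bos listkeys output."""
    keys = {}
    for line in text.splitlines():
        m = BOS_KEY_RE.match(line.strip())
        if m:
            keys[int(m.group(1))] = int(m.group(2))
    return keys


def parse_kadmin_keys(text):
    """Map kvno -> enctype description from kadmin getprinc output."""
    keys = {}
    for line in text.splitlines():
        m = KADMIN_KEY_RE.match(line.strip())
        if m:
            keys[int(m.group(1))] = m.group(2)
    return keys


def kvnos_missing_from_keyfile(bos_text, kadmin_text):
    """kvnos the KDC will put in service tickets but the fileserver cannot
    decrypt.  Any entry here produces rxkad 'sealed data inconsistent'."""
    return set(parse_kadmin_keys(kadmin_text)) - set(parse_bos_listkeys(bos_text))


def classify_aklog_requests(log_text, cell, realm):
    """Reduce the TGS_REQ lines of one aklog run to a verdict:
    'new-name'  : afs/cell@REALM ticket issued (recommended principal name)
    'fallback'  : afs/cell@REALM unknown, afs@REALM issued (old name; normal)
    'failed'    : no AFS service ticket issued at all"""
    status_by_server = {}
    for line in log_text.splitlines():
        m = TGS_RE.search(line)
        if m:
            status_by_server[m.group("server")] = m.group("status")
    new_name = status_by_server.get("afs/%s@%s" % (cell, realm))
    old_name = status_by_server.get("afs@%s" % realm)
    if new_name == "ISSUE":
        return "new-name"
    if new_name == "UNKNOWN_SERVER" and old_name == "ISSUE":
        return "fallback"
    return "failed"


if __name__ == "__main__":
    missing = kvnos_missing_from_keyfile(BOS_LISTKEYS_OUTPUT, KADMIN_GETPRINC_OUTPUT)
    print("KDC kvnos absent from KeyFile:", sorted(missing))
    print("aklog verdict:", classify_aklog_requests(KDC_LOG, "ral.admin", "RAL.ADMIN"))
```

On the constructed data the first function reports kvno 3 as absent from the KeyFile, which is exactly the asetkey/kvno mismatch Russ describes, and the second classifies the two log lines as the expected fallback rather than a failure. Against a live cell you would feed it the real `bos listkeys` and `kadmin getprinc` output; the `bos listkeys` step still needs working authentication to bosserver, as the reply notes.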