[OpenAFS] Re: Ubik problem
Marcus Watts
mdw@umich.edu
Fri, 16 Apr 2010 19:44:42 -0400
> Date: Sat, 17 Apr 2010 02:04:07 +0300
> To: openafs-info@openafs.org
> From: Atro Tossavainen <atro.tossavainen+openafs@helsinki.fi>
> Subject: Re: [OpenAFS] Re: Ubik problem
>
> > So, here's how to diagnose that.
> >
> > Try to reproduce these results:
> >
> > strawdogs-root# bos listkeys strawdogs -localauth
>
> The keys have the same cksums on both hosts and were last changed
> on the same date. This is hardly surprising since I copied the
> keyfiles over from the old server to the new server.
>
> > strawdogs-root# kas inter admin -server strawdogs
> > Administrator's (admin) Password:
> > ka> e afs
>
> The results are again identical and consistent between the two servers.
>
> > You'll only see one key for afs in each copy of ka.
> > The key version and checksum should be the same on all servers. The
> > cksum and kvno that appear that should match one entry in the keyfile.
>
> They do.
>
> > You ought to also be able to dump out kadb using "kadb_check".
>
> I've just unpacked a fresh copy of openafs-1.4.12-src.tar.bz2 and
> I don't see any files named 'kadb*' in the OpenAFS source tree.
> What am I missing?
>
> --
> Atro Tossavainen (Mr.) / The Institute of Biotechnology at
> Systems Analyst, Techno-Amish & / the University of Helsinki, Finland,
> +358-9-19158939 UNIX Dinosaur / employs me, but my opinions are my own.
> < URL : http : / / www . helsinki . fi / %7E atossava / > NO FILE ATTACHMENTS
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
You should try doing this this again:
$ kas -a dsakfksda
Administrator's (dsakfksda) Password:
ka> exa useraccount
examine: ticket contained unknown key version number getting information for useraccount.
If you get something different, congrats. You apparently fixed something.
If you still get this, then there's something different
between the path this went through, and what I suggested you check
by hand above. Is your client talking to the right db hosts?
Here's a wrinkle to consider: for almost everything, only
the key of afs matters. For ka service, and its service ticket, "examine" uses
something different,
ka> e AuthServer.Admin
User data for AuthServer.Admin (NOTGS+NOSEAL)
key (1) cksum is 3726591373, last cpw: Fri Apr 16 01:59:52 2010
password will never expire.
An unlimited number of unsuccessful authentications is permitted.
entry never expires. Max ticket lifetime 10.00 hours.
last mod on Fri Apr 16 01:59:52 2010 by <none>
permit password reuse
ka>
You might want to check that on each of your servers.
I've no idea how this could get out of sync. Although...
At one point, I think kaserver was capable of doing automatic
rekeying for at least tgt. I can't find the logic in openafs
today-- was this IBM only?
So far as kadb_check goes, You didn't build and install it, did you?
And you didn't try "find . -type f -print | xargs egrep kadb_check"
Here's what you missed:
in src/kauth/Makefile.in, find these lines:
${DEST}/etc/kadb_check: rebuild
${INSTALL} -f $? $@
...
${DESTDIR}${afssrvsbindir}/kadb_check: rebuild
${INSTALL} -f $? $@
That says, take the binary "rebuild" (built from rebuild.c and
other sources), and install it as "kadb_check". Yes, it's a bit strange.
-Marcus Watts