[OpenAFS] permission denied with all rights

Michal Svamberg svamberg@gmail.com
Wed, 13 Apr 2011 18:19:24 +0200


I updated krb5.conf on fileserver elektra2; after 2 hours everything was in order.
But the same old krb5.conf file is on elektra1 without problems. I had this
problem with the group "system:av"; when I used system:administrators, the
privileges were applied correctly.

The problem is now solved, thanks for the ideas.
Michal.

On Wed, Apr 13, 2011 at 17:04, Derrick Brashear <shadow@gmail.com> wrote:
> On Wed, Apr 13, 2011 at 9:33 AM, Michal Svamberg <svamberg@gmail.com> wrote:
>> Hello,
>> I have two identical fileservers for user volumes - elektra1.zcu.cz and
>> elektra2.zcu.cz
>> The problem is only on the elektra2 server, on all volumes (I tested on 4 volumes).
>> The group 'system:av' has rlidwka rights, but the rights are not applied.
>>
>> $ fs la .
>> Access list for . is
>> Normal rights:
>>  system:av rlidwka
>>  meta-hosts l
>>  zcu.cz rl
>>  jvarga rl
>>
>> $ pts mem svamberg.root
>> Groups svamberg.root (id: 129) is a member of:
>>  adm:backup
>>  system:av
>>  lps.root
>>  system:faidev
>>  system:faiadministrators
>>  system:administrators
>>  system:tftpboot
>>  system:root
>>
>> $ tokens
>> Tokens held by the Cache Manager:
>>
>> User's (AFS ID 129) tokens for afs@zcu.cz [Expires Apr 13 18:35]
>>   --End of list--
>>
>> $ touch x
>> touch: cannot touch `x': Permission denied
>>
>> $ fs exa .
>> File . (876024890.1.1) contained in volume 876024890
>> Volume status for vid = 876024890 named user.jvarga
>> Current disk quota is 1000000
>> Current blocks used are 583253
>> The partition has 157451567 blocks available out of 292871036
>>
>> I don't know where the problem is. I don't have this problem on volumes at
>> elektra1.zcu.cz.
>> Any ideas?
>
> is the time wrong on elektra2, or anything of note in the FileLog? my
> guess here would be that the fileserver
> can't verify your identity, meaning you'd presumably see a
> pr_Initialize failure in the FileLog.
>
> if you enable auditlogs (the -auditlog parameter to the fileserver) it
> will tell you what identity it believes you have
> in the audit event for your request (in this case, presumably a createfile)
>
>
> --
> Derrick
>