[OpenAFS] Re: Problems with ACLS

Andrew Deason adeason@sinenomine.net
Mon, 7 May 2012 12:11:16 -0500

On Mon, 7 May 2012 17:49:05 +0200
Stefan Michael Guenther <s.guenther@in-put.de> wrote:

> Is it correct, that the user stefan doesn't have to exist on the
> client as a Unix account, because user management is done by AFS?


> > the other thing to try is aklog -force; if you added the user to the
> > pts group after they got tokens, they need new tokens.
> using -force didn't solve it.

Try providing the output of 'aklog -d -force', just to see if anything
looks odd.

> BTW: Should this permission problem be recorded by the server? The
> logfiles in /usr/afs/logs were changed more than 3 hours ago, while I
> was just getting another "permission denied".

By default, no, this kind of thing normally doesn't appear in the log.
There are two different things you can do to see specifically why you're
getting that error:

 - Turn the fileserver debug log level all the way up. To do this, give
   the 'fileserver' (or 'dafileserver') process a TSTP signal 4 times,
   then look in FileLog after you get the 'permission denied' error.
   Give it a HUP signal to turn the debug level back down to 0.

 - Turn on audit logging. You can turn this on by passing the
   '-auditlog </path/to/auditlog>' option to the fileserver when you
   create the 'fs' process (or 'dafileserver'/'dafs'). That will record
   what identity the fileserver thinks you have when you do stuff, so
   look in the auditlog path after you get an error.

Both of these can create a _lot_ of output when under a lot of load,
which is why they're normally not turned on.

Andrew Deason