[OpenAFS] Re: Moving Magic Trio to another domain

Jukka Tuominen jukka.tuominen@finndesign.fi
Wed, 2 Oct 2013 20:42:18 +0300 (EEST)

> On Wed, 2 Oct 2013 14:32:00 +0300 (EEST)
> "Jukka Tuominen" <jukka.tuominen@finndesign.fi> wrote:
>> gdm-simple-slave[749]: WARNING: Failed to add user authorization: could
>> not find user "username" on system
>> **
>> ERROR:gdm-simple-slave.c:397:start_session_timeout: assertion failed:
>> (auth_file != NULL)
>> The working client machine is much faster than the others, so it can
>> be a timeout issue, but then again, I never had that issue in the
>> old-domain setup. The rejection happens in just about 1-2 seconds.
>> Any ideas what could be the cause and how to fix it?
> Where is your passwd information? That is, your database of usernames
> and uids and such. It just looks like one machine can resolve 'username'
> to a uid, but on the other machine it cannot.

If I log in as a local unix user, then both machines can find the same
information on the command line.

So far, all the services are on a single virtual machine to ease the
development work. It now consists of a kerberos server, all openafs
servers, and a libnss-afs package to pass on (afs?) metadata (+ other
irrelevant services). None of the user information resides on the client
side. In fact, the client machine is a read-only system, with a
live-cd-type-of temporary ram-disk, and only the afs-homedirs are
persistent over booting. Only the afs-cache partition survives boots to
speed up WAN connections.

The two different client instances are identical (VM snapshots), and I
also tried a USB memory stick boot that doesn't work anymore either. The
working client runs under the same VM host as the server, so the
connection is LAN. The clients that don't work are on another VM host, and
neither the LAN nor the WAN connection works.

nsswitch.conf BTW

passwd:  afs files
group:   afs files afspag
shadow:  files

> This doesn't seem to have much to do with openafs anymore.

The reason why I ask this here is because when I had a faulty host-princ
generated and added to the client's keytab, an authorization error was
raised, similarly. So, I'm unsure whether the gdm is the source of the
problem or the symptom of the authorization error elsewhere. AFAIU, afs is
responsible for the authorization, am I wrong? But if you feel this is out
of the scope of this mailing list, I will seek the solution elsewhere.

br, jukka

> --
> Andrew Deason
> adeason@sinenomine.net
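
One way to run the check suggested in the quoted reply (can each client resolve the user name to a uid, and through which NSS source) is sketched below. It is an added example, not part of the original thread or of OpenAFS; it assumes glibc's `getent -s` is available and that the libnss-afs module answers under the source name `afs`, as in the nsswitch.conf quoted above. The function names are illustrative.

```python
import re
import subprocess

# Constructed sample: the nsswitch.conf lines quoted in the message above.
SAMPLE_NSSWITCH = """\
passwd:  afs files
group:   afs files afspag
shadow:  files
"""

def nss_sources(conf_text, database):
    """Return the ordered NSS source names configured for one database."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        name, sep, rest = line.partition(":")
        if not sep or name.strip() != database:
            continue
        # Remove action items such as [NOTFOUND=return]; keep source names.
        return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []

def getent_lookup(source, database, key):
    """Query a single NSS source with `getent -s`; return the entry or None."""
    try:
        proc = subprocess.run(["getent", "-s", source, database, key],
                              capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None                              # getent missing or source hung
    entry = proc.stdout.strip()
    return entry if proc.returncode == 0 and entry else None

def diagnose(conf_text, database, key, lookup=getent_lookup):
    """Map each configured source to its answer for key (None = no entry)."""
    return {src: lookup(src, database, key)
            for src in nss_sources(conf_text, database)}

if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "username"
    with open("/etc/nsswitch.conf") as fh:
        conf = fh.read()
    for src, entry in diagnose(conf, "passwd", user).items():
        print(f"{src:8} {entry or 'NOT FOUND'}")
```

Run on a working and a failing client with the same user name, the per-source output shows whether the `afs` source itself returns no entry on the failing machine or whether the lookup succeeds and the failure lies elsewhere.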