[OpenAFS] Re: Moving Magic Trio to another domain

Jukka Tuominen jukka.tuominen@finndesign.fi
Wed, 25 Sep 2013 00:37:19 +0300 (EEST)

> On Tue, 24 Sep 2013 23:31:22 +0300 (EEST)
> "Jukka Tuominen" <jukka.tuominen@finndesign.fi> wrote:
>> > Okay, I thought you meant they were just offline or something. If
>> > that's the problem, then it probably is related to authentication;
>> > it seems more like the authentication setup is broken, not related
>> > to the migration. Are your tokens not working at all, then? (A way
>> > to test would be to try writing to, say, a new file in /afs/.cell/ )
>> mkdir said it cannot be done because it's readonly.
> For a dir in /afs/.cell? Not /afs/cell, but /afs/.cell; that is,
> /afs/.[new.domain]. Can you 'fs lsm' /afs/.[new.domain] ?

'/afs/.[new.domain]' is a mount point for volume '%[new.domain]:root.cell'

>> According to the syslog, the cause might be the ldap service which is
>> still somehow off sync, even though it is trying to contact the new
>> domain.  But I don't know whether it should prevent root/admin
>> accessing dirs?
> No, it should not. What you're looking for are messages that say
> something like 'invalid tokens' or 'tokens discarded' from AFS. If you
> see anything like that, the kerberos stuff is broken, so you won't be
> able to access anything that requires authentication.

Yes, indeed:
afs: Tokens for user of AFS id 1 for cell liitin.org are discarded (rxkad
error=19270408, server x.x.x.x)

br, jukka

> If you do not see that, you can turn up debugging in the fileserver to
> see who the fileserver thinks you are when you are accessing it, and it
> may provide insight into why you are getting permissions errors.
> To turn up debugging all the way in the fileserver, 'pkill -TSTP
> fileserver' 4 times (or 'pkill -TSTP dafileserver' if you're running
> DAFS). Then run 'fs la' on the directory you're getting an error for,
> and you should see a bunch of entries in FileLog. Run 'pkill -HUP
> fileserver' to turn off debugging (or 'pkill -HUP dafileserver' for
> DAFS).
> Then provide the debugging FileLog entries. Either just send it to me
> privately or post it with obfuscation or whatever you want to do :)
> --
> Andrew Deason
> adeason@sinenomine.net
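
The check discussed in this thread (looking in syslog for "tokens discarded" messages from AFS), as an added example that is not part of the original message: it pulls those entries out of a log and names the rxkad error code, so a key problem (19270408 is RXKADUNKNOWNKEY, a ticket with a key version number the server does not know) can be told apart from an expired ticket. The function names, sample lines, cell name and addresses are constructed; the code names are taken from the rxkad error table and can be confirmed with OpenAFS's `translate_et`.

```shell
#!/usr/bin/env bash
# Added example: triage AFS client "Tokens ... are discarded" syslog entries.
# Names follow the rxkad error table (base 19270400); confirm any code on a
# host with OpenAFS installed by running `translate_et <code>`.

rxkad_name() {
  case "$1" in
    19270400) echo RXKADINCONSISTENCY ;;
    19270401) echo RXKADPACKETSHORT ;;
    19270402) echo RXKADLEVELFAIL ;;
    19270403) echo RXKADTICKETLEN ;;
    19270404) echo RXKADOUTOFSEQUENCE ;;
    19270405) echo RXKADNOAUTH ;;
    19270406) echo RXKADBADKEY ;;
    19270407) echo RXKADBADTICKET ;;
    19270408) echo RXKADUNKNOWNKEY ;;   # unknown key version number
    19270409) echo RXKADEXPIRED ;;      # ticket expired
    19270410) echo RXKADSEALEDINCON ;;
    19270411) echo RXKADDATALEN ;;
    19270412) echo RXKADILLEGALLEVEL ;;
    *)        echo UNKNOWN ;;
  esac
}

# Read syslog text on stdin; print one decoded summary line per discard event.
scan_discarded() {
  sed -n 's/.*Tokens for user of AFS id \([0-9][0-9]*\) for cell \([^ ]*\) are discarded (rxkad error=\([0-9][0-9]*\), server \([^)]*\)).*/\1 \2 \3 \4/p' |
  while read -r id cell code server; do
    echo "id=$id cell=$cell code=$code name=$(rxkad_name "$code") server=$server"
  done
}

# Constructed sample log (host, cell and addresses are placeholders).
sample_log() {
  cat <<'EOF'
Sep 25 00:30:01 client kernel: afs: Tokens for user of AFS id 1 for cell example.org are discarded (rxkad error=19270408, server 192.0.2.10)
Sep 25 00:31:12 client kernel: afs: Lost contact with file server 192.0.2.10 in cell example.org
Sep 25 00:32:40 client kernel: afs: Tokens for user of AFS id 1000 for cell example.org are discarded (rxkad error=19270409, server 192.0.2.11)
EOF
}

sample_log | scan_discarded
```

On a real client, feed the system log to `scan_discarded` on stdin instead of `sample_log`.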