[OpenAFS] Stuck in Quick start guide at "fs: You don't have the required access rights on '/afs'"

Benjamin Kaduk kaduk@mit.edu
Mon, 7 Mar 2016 00:18:20 -0500 (EST)

On Sat, 5 Mar 2016, Karl-Philipp Richter wrote:

> On 06.03.2016 at 00:46, Brandon Allbery wrote:
> > That documentation sounds out of date, or possibly just incomplete.
> The sequence described in 2.24 doesn't correspond to what you mention...
> and to make sense.
> > When the client is using an actual root.afs volume, the command you gave will only work before a read-only replica has been created and released (vos addsite / vos release);
> I'm running the command on the first AFS machine where client
> functionality is installed in order to minimize issues which might occur
> due to client server communication. `vos addsite` and `vos release`
> succeed, but don't change the behavior.
> It's very hard to figure this out without an explanation. Can the quick
> start guide be updated, please?

It is certainly possible to update the quickstart guide.  Concrete
references to a section number or HTML URL wherein you want the change to
be made would help.

Looking at http://docs.openafs.org/QuickStartUnix/HDRWQ80.html, I see:

% The top-level AFS directory, typically /afs, is a special case: when the
% client is configured to run in dynroot mode (e.g. afsd -dynroot),
% attempts to set the ACL on this directory will return Connection timed
% out. This is because the dynamically-generated root directory is not a
% part of the global AFS space, and cannot have an access control list set
% on it.

Prior to that is a note about "When the root.afs volume is replicated, the
Cache Manager is programmed to access its read-only version
(root.afs.readonly) whenever possible.", and a note that mounting the
read-write copy elsewhere is needed in order to make modifications.

To me (as someone who already understands what's going on), that seems
sufficient, so I really need more concrete input as to what should be
improved before I can go about making useful changes.

> In the meantime I found
> https://lists.openafs.org/pipermail/openafs-info/2008-December/030553.html
> which suggests fixing the Kerberos key algorithms, which I checked.

That posting predates
http://openafs.org/pages/security/OPENAFS-SA-2013-003.txt; you should not
use des-cbc-crc (or des-cbc-md5 or other single-des enctypes) for the AFS
cell-wide key.  (If the Quick Start guide indicates to create a single-des
key, please let me know -- I thought I had removed all such references.)
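
An added example, not part of the original post and not OpenAFS project code: a check for the single-DES enctypes the last paragraph warns against, run over a `klist -ke` style keytab listing. The listing layout, the `DEPRECATED:` prefix handling, the enctype names beyond des-cbc-crc and des-cbc-md5, and all sample principals and paths are assumptions; the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): flag single-DES keys held for
# the AFS service principal in a `klist -ke` keytab listing.

# Single-DES enctype names; des-cbc-crc and des-cbc-md5 are named in the post.
WEAK_RE='^(des-cbc-crc|des-cbc-md4|des-cbc-md5|des-cbc-raw|des-hmac-sha1)$'

# Constructed sample listing; the keytab path, cell and realm are placeholders.
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/path/to/keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 afs/example.org@EXAMPLE.ORG (des-cbc-crc)
   4 afs/example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   4 afs/example.org@EXAMPLE.ORG (des3-cbc-sha1)
   2 afs@EXAMPLE.ORG (DEPRECATED:des-cbc-md5)
   5 host/fs1.example.org@EXAMPLE.ORG (des-cbc-crc)
EOF
}

# Reads a listing on stdin; prints "kvno principal enctype" for every
# afs@REALM or afs/<cell>@REALM entry whose enctype is single-DES.
find_weak_afs_keys() {
    awk -v weak="$WEAK_RE" '
        # Entry lines start with a numeric KVNO and end with "(enctype)".
        $1 ~ /^[0-9]+$/ && NF >= 3 {
            princ = $(NF - 1)               # also correct when -t adds a timestamp
            enc = $NF
            gsub(/[()]/, "", enc)           # drop the parentheses
            sub(/^DEPRECATED:/, "", enc)    # prefix some klist builds add
            if (princ ~ /^afs(\/[^@]*)?@/ && enc ~ weak)
                print $1, princ, enc
        }'
}

# Returns 0 when no single-DES AFS key is listed, 1 otherwise.
afs_keys_ok() {
    [ -z "$(find_weak_afs_keys)" ]
}

sample_listing | find_weak_afs_keys
```

On a real server the input would come from `klist -ke` on the keytab in question instead of `sample_listing`.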