[OpenAFS] Request for Assistance with OpenAFS

Nicolas Melot melot.nicolas@free.fr
Wed, 16 Mar 2016 09:55:34 +0100


I'm trying to set up and use OpenAFS for mobile nodes that do not always have 
a connection to the OpenAFS server. I would like to use the OpenAFS 
caching mechanism as an offline disk that synchronizes everything once 
online again.

I installed an OpenAFS 1.6.9 server and client, together with a Kerberos 
server, on Debian jessie. Everything works great, including offline 
operations and sync after the client is back online. However, I fail to 
open an AFS session on the client machine while it is offline. To rule 
out a lack of Kerberos ticket, I installed a Kerberos replica on the 
client machine, and I can get a ticket offline. However, even with a 
valid ticket, AFS's cache manager doesn't give access to the files.

Investigating more and reading the doc, my understanding is that the 
cache manager doesn't look for anything to confirm the authorization 
granted by the Kerberos ticket presented. However, I still fail to open 
an AFS session with an offline machine. I think this is because the 
cache manager requests information from the protection database (I guess 
some kind of ACLs), and since it can't contact it, it doesn't give 
access to files at all.

In a desperate attempt to reach my goal, I started to set up a 
protection database replication onto the client to see what happens. 
Well, it looks like I need to identify protection database servers 
(including the replica installed on my client machine) by IP 
addresses. The problem is that both databases (the original and the replica) 
check whether the IP addresses of the machines are the same on both ends before 
allowing a replication to happen. That means I can't configure the 
client so it connects to, which would be the only way to 
contact the local protection database when offline, so this solution 
doesn't seem to work either.

Then, finally, my question(s): is it possible at all to have OpenAFS 
working in offline mode, including opening a session, even if I need to 
run a Kerberos and a protection database replica on the client for it 
(even if that sounds like a bad idea)? Is it possible to prevent the 
original and the replica protection databases from checking whether the IP 
addresses are the same, so that I can have the client machine contact 
its local replica of the protection database on and the 
original protection database server contact the replica through its 
IP address on the network, or better, through its DNS name only?