[OpenAFS] OpenAFS 1.8.X token problems
Florian Möller
fmoeller@mathematik.uni-wuerzburg.de
Wed, 22 May 2019 11:34:08 +0200
Hi,
we are experiencing problems with the 1.8.X client.
The servers of our cell run OpenAFS 1.8.3. Everything works fine using
the 1.6.X client. When using 1.8.X the following strange behaviour occurs:
aklog seems to obtain a token; "aklog -d username" gives
Authenticating to cell ifm (server [correct name]).
Trying to authenticate to user's realm IFM.
Getting tickets: afs/ifm@IFM
Using Kerberos V5 ticket natively
About to resolve name username to id in cell ifm.
Id [correct id]
Setting tokens. username @ ifm
But the token is not stored properly. "tokens" gives
Tokens held by the Cache Manager:
tokens: failed to get token info for cell ifm (code 11862788)
--End of list--
Here are the relevant portions of "strace tokens":
openat(AT_FDCWD, "/proc/fs/openafs/afs_ioctl", O_RDONLY) = 3
ioctl(3, _IOC(_IOC_WRITE, 0x43, 0x1, 0x8), 0x7ffc3529aae0) = -1 EDOM
(Numerical argument out of domain)
close(3)
write(1, "tokens: failed to get token info"..., 62tokens: failed to get
token info for cell ifm (code 11862788)
) = 62
openat(AT_FDCWD, "/proc/fs/openafs/afs_ioctl", O_RDONLY) = 3
ioctl(3, _IOC(_IOC_WRITE, 0x43, 0x1, 0x8), 0x7ffc3529aaf0) = -1 EDOM
(Numerical argument out of domain)
close(3)
[... The three lines above repeat several times ...]
write(1, " --End of list--\n", 19 --End of list--) = 19
exit_group(0) = ?
+++ exited with 0 +++
After issuing aklog, file access with the correct permissions is
possible. So afsd seems to be able to use the token.
But it is impossible to use the token for non file access-related
things, for instance:
pts exa username gives
libprot: unable to build security class (getting token)
libprot: Could not get afs tokens, running unauthenticated
vos rel somevolumename gives
vos: Could not get afs tokens, running unauthenticated.
Could not lock the VLDB entry for the volume [some number].
VLDB: no permission access for call
Error in vos release command.
VLDB: no permission access for call
Can anyone explain this behaviour? How can we solve the problem?
Thanks,
Florian
--
Dr. Florian Möller
Universität Würzburg