[OpenAFS] Help setting up openafs on debian bookworm

Ernesto Alfonso erjoalgo@gmail.com
Sat, 1 Jun 2024 21:44:15 -0400



Thanks for getting back to me, I didn't see your message until now. Also
thanks for the explanation.

I've been able to get a little further by using `-localauth`. However, for
some reason `bos listkeys` now returns an empty list, whereas `asetkey`
does list 4 keys:

    █[asus][openafs-1.8.9][1]$ sudo bos listkeys -localauth -server asus.erjoalgo.com
    All done.
    █[asus][openafs-1.8.9][0]$ sudo asetkey list
    rxkad_krb5      kvno    5 enctype 17; key is: ????????????????????????????????
    rxkad_krb5      kvno    5 enctype 18; key is: ????????????????????????????????????????????????????????????????
    rxkad_krb5      kvno    9 enctype 17; key is: ????????????????????????????????
    rxkad_krb5      kvno    9 enctype 18; key is: ????????????????????????????????????????????????????????????????
    All done.
    █[asus][openafs-1.8.9][0]$

But according to this guide, which I have been trying to follow:

https://www.halolinux.us/debian-administration/openafs-installation-on-debian.html

the `bos listkeys` command should return the same keys that were added via
asetkey/akeyconvert.

Using strace and adding some debug logs into the `bos.c` source, I noticed
that it makes an RPC call to UDP port 7007; the process listening there is
`bosserver`, invoked as:


    █[asus][openafs-1.8.9][0]$ pgrep -af bosserver
    75323 /usr/sbin/bosserver -nofork


Looking at `man bosserver` tells me that the bosserver log files are in
/var/log/openafs/BosLog. But unfortunately I don't see anything interesting
in the BosLog:

    █[asus][git][0]$ sudo tail -f /var/log/openafs/BosLog
    Sat Jun  1 12:46:13 2024: Core limits now -1 -1
    Sat Jun  1 12:46:13 2024: Listening on 0.0.0.0:7007
    Sat Jun  1 13:54:03 2024: Shutdown of BOS server and processes in response to signal 15
    Sat Jun  1 13:54:03 2024: Server directory access is okay
    Sat Jun  1 13:54:03 2024: Core limits now -1 -1
    Sat Jun  1 13:54:03 2024: Listening on 0.0.0.0:7007
    Sat Jun  1 21:24:42 2024: Shutdown of BOS server and processes in response to signal 15
    Sat Jun  1 21:24:42 2024: Server directory access is okay
    Sat Jun  1 21:24:42 2024: Core limits now -1 -1
    Sat Jun  1 21:24:42 2024: Listening on 0.0.0.0:7007

I tried restarting the openafs-fileserver service to restart bosserver but
nothing changed.

I guess I will next try to compile bosserver and do some debugging to try
to understand which files it is reading and why it is returning an empty
set of keys despite asetkey reporting 4 keys.

Ernesto


On Wed, May 29, 2024 at 12:56 PM Cheyenne Wills <cwills@sinenomine.net> wrote:

> Ernesto,
>
> Could you try adding -localauth to the command?
>
>   sudo bos listkeys -server asus.erjoalgo.com -localauth
>
> The bos command is used to manage the openafs servers and requires that
> the user that is issuing the bos command be authenticated to kerberos
> unless the -localauth option is specified.
>
> The messages you are seeing in dmesg are related to the openafs
> cache manager kernel module which is part of the openafs client. The
> bos command does not use the openafs client (cache manager/kernel
> module) for communication to the servers.
>
> --
> Cheyenne Wills
> cwills@sinenomine.net
>
>
>
> On Tue, 28 May 2024 21:38:01 -0400
> Ernesto Alfonso <erjoalgo@gmail.com> wrote:
> > Hello,
> >
> > I'm having trouble setting up openafs on debian bookworm.
> >
> > I've imported kerberos keys into openafs via `akeyconvert -all`:
> >
> >     sudo asetkey list
> >     rxkad_krb5      kvno    4 enctype 17; key is: ????????????????????????????????
> >     rxkad_krb5      kvno    4 enctype 18; key is: ????????????????????????????????????????????????????????????????
> >     All done.
> >
> >
> > I'm now trying to use the bos command line, but this fails:
> >
> >     $ sudo bos listkeys -server asus.erjoalgo.com
> >     bos: unable to build security class (configuring connection security)
> >
> > I have tried building `bos` from source to better understand the
> > context of the error message. I've only narrowed it down to:
> >
> > function afsconf_ClientAuthToken in auth/authcon.c:
> >     code = ktc_GetTokenEx(info->name, &tokenSet);
> >
> > function ktc_GetTokenEx in auth/ktc.c:
> >     code = PIOCTL(0, VIOC_GETTOK2, &iob, 0);
> >
> > This returns a non-zero code, causing the command line to fail.
> >
> > What could be the reason that the PIOCTL command is failing? Is there
> > any way to get more information?
> >
> > I've tried rebuilding the kernel module as suggested here
> > <https://unix.stackexchange.com/questions/404247/openafs-suddenly-fails-a-pioctl-failed-while-obtaining-tokens>:
> >
> >     sudo dpkg-reconfigure openafs-modules-dkms
> >
> > And restarting the openafs-client service, but this does not change
> > anything.
> >
> > I only noticed some benign-looking warnings in dmesg:
> >
> >     [   20.377862] systemd-fstab-generator[637]: Checking was requested for "/var/cache/openafs.img", but it is not a device.
> >     [   20.676946] systemd[1]: /lib/systemd/system/openafs-client.service:22: Unit uses KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update the service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
> >     [   49.217272] openafs: loading out-of-tree module taints kernel.
> >     [   49.217278] openafs: module license 'http://www.openafs.org/dl/license10.html' taints kernel.
> >     [   49.217987] openafs: module verification failed: signature and/or required key missing - tainting kernel
> >
> > I don't see anything interesting in the openafs-client service logs
> > or in syslog:
> >
> >     $ sudo journalctl -feu openafs-client
> >     May 28 09:03:43 asus systemd[1]: Starting openafs-client.service - OpenAFS client...
> >     May 28 09:03:50 asus afsd[1823]: afsd: All AFS daemons started.
> >     May 28 09:03:50 asus afsd[1787]: afsd: All AFS daemons started.
> >     May 28 09:03:50 asus systemd[1]: Started openafs-client.service - OpenAFS client.
> >     May 28 09:03:52 asus fs[1827]: Usage: /usr/bin/fs sysname [-newsys <new sysname>+] [-help]
> >     May 28 21:11:53 asus systemd[1]: Stopping openafs-client.service - OpenAFS client...
> >     May 28 21:11:54 asus systemd[1]: openafs-client.service: Deactivated successfully.
> >     May 28 21:11:54 asus systemd[1]: Stopped openafs-client.service - OpenAFS client.
> >     May 28 21:11:54 asus systemd[1]: openafs-client.service: Consumed 2.957s CPU time.
> >     May 28 21:11:54 asus systemd[1]: Starting openafs-client.service - OpenAFS client...
> >     May 28 21:11:56 asus afsd[275229]: afsd: All AFS daemons started.
> >     May 28 21:11:56 asus afsd[275250]: afsd: All AFS daemons started.
> >     May 28 21:11:56 asus fs[275253]: Usage: /usr/bin/fs sysname [-newsys <new sysname>+] [-help]
> >     May 28 21:11:56 asus systemd[1]: Started openafs-client.service - OpenAFS client.
> >
> > How can I further debug this bos error?
> >
> > openafs 1.8.9-1-debian
> >
> > $ sudo lsmod  | grep openafs
> > openafs              2863104  2
> > $
> >
> > Ernesto
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
