[OpenAFS] Help setting up openafs on debian bookworm

Ernesto Alfonso erjoalgo@gmail.com
Tue, 28 May 2024 21:38:01 -0400


Hello,

I'm having trouble setting up openafs on debian bookworm.

I've imported kerberos keys into openafs via `akeyconvert -all`:

    sudo asetkey list
    rxkad_krb5      kvno    4 enctype 17; key is: ????????????????????????????????
    rxkad_krb5      kvno    4 enctype 18; key is: ????????????????????????????????????????????????????????????????
    All done.


I'm now trying to use the bos command line, but this fails:

    $ sudo bos listkeys -server asus.erjoalgo.com
    bos: unable to build security class (configuring connection security)

I have tried building `bos` from source to better understand the context of
the error message. I've only narrowed it down to:

function afsconf_ClientAuthToken in auth/authcon.c
    code = ktc_GetTokenEx(info->name, &tokenSet);

function ktc_GetTokenEx in auth/ktc.c:
    code = PIOCTL(0, VIOC_GETTOK2, &iob, 0);

This returns a non-zero code, causing the command line to fail.

What could be the reason that the PIOCTL command is failing? Is there any
way to get more information?

I've tried rebuilding the kernel module as suggested here
<https://unix.stackexchange.com/questions/404247/openafs-suddenly-fails-a-pioctl-failed-while-obtaining-tokens>:

    sudo dpkg-reconfigure openafs-modules-dkms

And restarting the openafs-client service, but this does not change
anything.

I only noticed some benign-looking warnings in dmesg:

    [   20.377862] systemd-fstab-generator[637]: Checking was requested for "/var/cache/openafs.img", but it is not a device.
    [   20.676946] systemd[1]: /lib/systemd/system/openafs-client.service:22: Unit uses KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update the service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
    [   49.217272] openafs: loading out-of-tree module taints kernel.
    [   49.217278] openafs: module license 'http://www.openafs.org/dl/license10.html' taints kernel.
    [   49.217987] openafs: module verification failed: signature and/or required key missing - tainting kernel

I don't see anything interesting in the openafs-client service logs or in
syslog:

    $ sudo journalctl -feu openafs-client
    May 28 09:03:43 asus systemd[1]: Starting openafs-client.service - OpenAFS client...
    May 28 09:03:50 asus afsd[1823]: afsd: All AFS daemons started.
    May 28 09:03:50 asus afsd[1787]: afsd: All AFS daemons started.
    May 28 09:03:50 asus systemd[1]: Started openafs-client.service - OpenAFS client.
    May 28 09:03:52 asus fs[1827]: Usage: /usr/bin/fs sysname [-newsys <new sysname>+] [-help]
    May 28 21:11:53 asus systemd[1]: Stopping openafs-client.service - OpenAFS client...
    May 28 21:11:54 asus systemd[1]: openafs-client.service: Deactivated successfully.
    May 28 21:11:54 asus systemd[1]: Stopped openafs-client.service - OpenAFS client.
    May 28 21:11:54 asus systemd[1]: openafs-client.service: Consumed 2.957s CPU time.
    May 28 21:11:54 asus systemd[1]: Starting openafs-client.service - OpenAFS client...
    May 28 21:11:56 asus afsd[275229]: afsd: All AFS daemons started.
    May 28 21:11:56 asus afsd[275250]: afsd: All AFS daemons started.
    May 28 21:11:56 asus fs[275253]: Usage: /usr/bin/fs sysname [-newsys <new sysname>+] [-help]
    May 28 21:11:56 asus systemd[1]: Started openafs-client.service - OpenAFS client.

How can I further debug this bos error?

openafs 1.8.9-1-debian

    $ sudo lsmod  | grep openafs
    openafs              2863104  2
    $

Ernesto
