[OpenAFS-devel] 1.4.8 has (re) introduced IP address ACL problems?

Deon George deon@wurley.net
Fri, 12 Dec 2008 11:16:41 +1100


OK, still no luck (I wasn't confident that rxbind would do it, but I was
happy to be guided (it was working in 1.4.7) :)

I have changed it now so that:

* all the IP addresses of the host are in the group for IP based ACLs
* using rxbind for afsd
* using Netinfo with only 10.1.3.1 (just one of the IPs that this host has)

And with tcpdump running (tcpdump -ni eth0 portrange 7000-7007)

[root@penguin ~]# klog user
Password:
11:03:26.042089 IP 10.1.3.1.47278 > 10.1.3.1.afs3-kaserver:  rx data
kauth call authenticate-v2 principal "user" "" (72)
11:03:26.082665 IP 10.1.3.1.afs3-kaserver > 10.1.3.1.47278:  rx data
kauth reply authenticate-v2 (156)
...

[root@penguin ~]# fs la /afs/local/asterisk
11:04:19.676138 IP 10.1.3.1.afs3-callback > 10.1.3.1.afs3-fileserver: 
rx data fs call fetch-acl fid 536871041/1/1 (44)
11:04:19.676263 IP 10.1.3.1.afs3-fileserver > 10.1.3.1.afs3-callback: 
rx challenge (44)
11:04:19.676323 IP 10.1.3.1.afs3-callback > 10.1.3.1.afs3-fileserver: 
rx response (116)
11:04:19.676433 IP 10.1.3.1.afs3-fileserver > 10.1.3.1.afs3-prserver: 
rx data pt call op#234510314 (300)
...
11:04:30.044638 IP 10.1.3.1.afs3-fileserver > 10.1.3.1.afs3-prserver: 
rx data pt call op#-704595638 (52)
11:04:30.044819 IP 10.1.3.1.afs3-prserver > 10.1.3.1.afs3-fileserver: 
rx data pt reply op#-704595638 (556)
11:04:30.044911 IP 10.1.3.1.afs3-fileserver > 10.1.3.1.afs3-prserver: 
rx ack first 2 serial 0 reason delay (65)
11:04:30.044969 IP 10.1.3.1.afs3-fileserver > 10.1.3.1.afs3-callback: 
rx data fs reply fetch-acl [|fs] (192)
Access list for /afs/local/asterisk is
Normal rights:
  server:asterisk rlidwk
  system:administrators rlidwka
11:04:30.045467 IP 10.1.3.1.afs3-callback > 10.1.3.1.afs3-fileserver: 
rx ack first 2 serial 0 reason delay (65)

(NOTICE that it took 11 seconds for this? Previously it was instantaneous)

[root@penguin ~]# pts membership server:asterisk
Members of server:asterisk (id: -1005) are:
  10.1.3.65
  10.1.3.97
  10.1.3.193
  10.1.3.1
[root@penguin ~]# unlog
[root@penguin ~]# ls -al /afs/local/asterisk
ls: /afs/local/asterisk: Permission denied

(BTW: With rxbind now in place, directory lookups are incredibly slow,
and the afs-client took much longer to start - 15? seconds compared to
<1... The traffic trace that I have omitted shows some chatter on
10.1.3.193 - I'm not sure if that is related to this connection, or
others on that network).

So, my IP address based ACLs are still not working - whereas they were
working in 1.4.7...

BTW: With this session, the ACLs were not working immediately after I
restarted the client; in the past it has worked for 1-48 hours before it
stopped... (The only thing I have changed is added -rxbind to afsd, and
added the IP address to the group.)

Another BTW: I restarted the afsclient several times with -rxbind, and
each time I could not list /afs/local/asterisk. As soon as I removed it,
I could immediately list /afs/local/asterisk (as I would expect with the
ACLs).

Please, do you have any more suggestions?

...deon
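The trace above carries two facts worth pulling out mechanically rather than by eye: how long the fileserver's fetch-acl RPC took to complete (the 11-second gap Deon notices, during which the fileserver is talking to the prserver), and which source address the fileserver actually saw the client call come from, since that is the address it has to match against the IP entries in the pts group. The following script is an added example and is not part of the original mail or of OpenAFS; it parses the tcpdump rx lines as printed (the sample below is the trace from the post, re-joined onto single lines and with the elided "..." sections left out) and the pts membership listing, pairs each rx call with its reply to compute per-RPC latency, and reports any client address that issued an fs call but is missing from the group. The one-second "slow" threshold is an assumption chosen for illustration.

```python
import re

# Constructed sample: the rx lines from the tcpdump trace in the post, re-joined
# onto single lines (the mail wrapped them); the elided "..." parts are omitted.
SAMPLE_TRACE = """\
11:04:19.676138 IP 10.1.3.1.afs3-callback > 10.1.3.1.afs3-fileserver: rx data fs call fetch-acl fid 536871041/1/1 (44)
11:04:19.676263 IP 10.1.3.1.afs3-fileserver > 10.1.3.1.afs3-callback: rx challenge (44)
11:04:19.676323 IP 10.1.3.1.afs3-callback > 10.1.3.1.afs3-fileserver: rx response (116)
11:04:19.676433 IP 10.1.3.1.afs3-fileserver > 10.1.3.1.afs3-prserver: rx data pt call op#234510314 (300)
11:04:30.044638 IP 10.1.3.1.afs3-fileserver > 10.1.3.1.afs3-prserver: rx data pt call op#-704595638 (52)
11:04:30.044819 IP 10.1.3.1.afs3-prserver > 10.1.3.1.afs3-fileserver: rx data pt reply op#-704595638 (556)
11:04:30.044911 IP 10.1.3.1.afs3-fileserver > 10.1.3.1.afs3-prserver: rx ack first 2 serial 0 reason delay (65)
11:04:30.044969 IP 10.1.3.1.afs3-fileserver > 10.1.3.1.afs3-callback: rx data fs reply fetch-acl [|fs] (192)
11:04:30.045467 IP 10.1.3.1.afs3-callback > 10.1.3.1.afs3-fileserver: rx ack first 2 serial 0 reason delay (65)
"""

# Constructed sample: the "pts membership server:asterisk" output from the post.
SAMPLE_MEMBERSHIP = """\
Members of server:asterisk (id: -1005) are:
  10.1.3.65
  10.1.3.97
  10.1.3.193
  10.1.3.1
"""

# Matches only "rx data <service> call|reply <op>" lines; challenge, response
# and ack lines are part of the rx transport, not RPCs, and are skipped.
RPC_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"rx data (?P<svc>\w+) (?P<kind>call|reply) (?P<op>\S+)"
)


def seconds(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def endpoint_ip(endpoint):
    """Strip the trailing port/service name from '10.1.3.1.afs3-callback'."""
    return endpoint.rsplit(".", 1)[0]


def rpc_latencies(trace):
    """Pair each call with the reply travelling the opposite direction and
    return {(service, op): seconds} for every RPC that completed in the trace."""
    pending = {}
    completed = {}
    for line in trace.splitlines():
        m = RPC_RE.match(line)
        if not m:
            continue
        t = seconds(m["ts"])
        rpc = (m["svc"], m["op"])
        if m["kind"] == "call":
            pending[(rpc, m["src"], m["dst"])] = t
        else:
            started = pending.pop((rpc, m["dst"], m["src"]), None)
            if started is not None:
                completed[rpc] = round(t - started, 6)
    return completed


def slow_rpcs(latencies, threshold=1.0):
    """RPCs that took longer than `threshold` seconds (assumed 1s for illustration)."""
    return sorted(rpc for rpc, secs in latencies.items() if secs > threshold)


def client_addresses(trace, service="fs"):
    """Source IPs of the cache manager's fileserver calls: the addresses the
    fileserver will compare against IP entries in a pts group."""
    addrs = set()
    for line in trace.splitlines():
        m = RPC_RE.match(line)
        if m and m["svc"] == service and m["kind"] == "call":
            addrs.add(endpoint_ip(m["src"]))
    return addrs


def group_members(pts_output):
    """Dotted-quad entries from a 'pts membership' listing, in listed order."""
    return [ln.strip() for ln in pts_output.splitlines()
            if re.fullmatch(r"\s*\d+(\.\d+){3}\s*", ln)]


def unlisted_client_addresses(trace, pts_output):
    """Client source addresses seen in the trace that the group does not contain."""
    return sorted(client_addresses(trace) - set(group_members(pts_output)))


if __name__ == "__main__":
    lat = rpc_latencies(SAMPLE_TRACE)
    for rpc, secs in sorted(lat.items()):
        print(f"{rpc[0]} {rpc[1]}: {secs:.6f}s")
    print("slow:", slow_rpcs(lat))
    print("client addresses not in group:",
          unlisted_client_addresses(SAMPLE_TRACE, SAMPLE_MEMBERSHIP))
```

On the sample the fs fetch-acl call is the only slow RPC (about 10.37 s between call and reply, while the pt round trip that precedes the reply takes under a millisecond), and the source address of the fs call, 10.1.3.1, is present in the group, which is consistent with the post's observation that the membership is correct and the delay sits between fileserver and prserver rather than in the ACL entry itself.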