[OpenAFS] Moving AFS {pt,vl,vol?}server
Marcus Watts
mdw@umich.edu
Thu, 22 Aug 2002 03:37:08 -0400
Turbo Fredriksson <turbo@bayour.com> writes:
> Marcus> sysid should be unique per-system. Definitely don't copy
> Marcus> this (unless what you want to do is merely effectively
> Marcus> changing the IP address of an existing fileserver.)
>
> Well... Do I? Na, the 'fs' instance is NOT to be moved, just the DB
> instance(s)...
>
> Is this ONLY for the fs instance? Because I've managed to get the pt/vl
> servers up and running on the two sparcs now. For future list searches
> and references, I'll include the new 'super-micro-howto' :)
sysid is only for the fs instance, yes.
> It now seems like the (bos,pt,vl)server instances run just fine on the
> two new machines. I had some problem with the server CellServDB file,
> but I think that's sorted out now. I have the two SPARCs _and_ the
> real AFS server, which is on the 'Net, whilst the SPARCs are at
> home, behind a firewall; 'bos listhosts HOST[12]' confirms this.
>
> After a while (a couple of seconds) the (pt,vl)server instances die,
> and I get 'Inconsistent Cell Info on server ... <REAL AFS SERVER IP>'
> in the PtLog. Does this have something to do with the fact that the
> SPARCs are behind a firewall?
You say they "run just fine", then complain they die right away.
Um, which is it?
Routine SDISK_UpdateInterfaceAddr in ubik/remote.c can print
out "Inconsistent Cell Info from server: "; if that's the
message you saw, then this probably means you still have CellServDB
issues.
Firewall? I don't think a firewall could cause that particular
message (at least not likely) but there are all sorts of
other issues that can cause bad problems if you have a firewall
that isn't configured correctly. Somebody must have a FAQ by
now that says what has to be done to make this work.
Is there some reason you want to run with firewalls between things?
> If I try to list users/groups with 'pts listentries' I get:
>
> ----- s n i p -----
> libprot: a pioctl failed Could not get afs tokens, running unauthenticated.
> Name ID Owner Creator
> pts: Permission denied ; unable to list entries
...
You haven't got tokens.
...
> aklog: unable to obtain tokens for cell CELLNAME (status: a pioctl failed).
...
Does this machine have a cache manager installed?
> and in the kerberos logs I get
>
> ----- s n i p -----
> Aug 21 10:22:10 <HOST1> krb5kdc[156](info): TGS_REQ (1 etypes {1}) 192.168.1.5(88): UNKNOWN_SERVER: authtime 1029909803, turbo@<MY KERBEROS REALM> for afs/<MY CELLNAME>@<MY KERBEROS REALM>, Server not found in Kerberos database
...
Interesting. In "classic" AFS at least, the only sort of afs ticket
that will work is a k4 service ticket for "afs@K4-REALM-NAME"; that is,
a null instance is a requirement. Looks like you are running an "aklog"
that tries for a K5 service ticket for afs/<cellname> then defaults to
a null instance if this does not exist. Possibly the intent of that is
to make it possible to get a service ticket for
"afs/<some-cell>@<another-realm-trusted-a-whole-lot-by-that-cell>"
which is a fascinating change, to say the least. There must be some
other part of aklog that converts your k5 ticket to a k4 ticket.
There are lots of versions of aklog floating around that do different
things; I've no idea which one you've got.
-Marcus Watts
UM ITCS Umich Systems Group
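A small check one can run over the server-side CellServDB copies collected from each DB server, as an added example that is not part of Marcus's reply or of OpenAFS; a copy that disagrees with the others is one way to end up with the "Inconsistent Cell Info" message discussed above. The cell name, host names and addresses below are constructed sample data.

```python
"""Compare the server CellServDB copies held by several AFS DB servers."""
import re
from typing import Dict, Set

# Constructed sample: the CellServDB as it exists on each DB server.
# host2's copy is missing the real (Internet-facing) server.
CELLSERVDB_COPIES = {
    "host1": ">example.cell        #Example cell\n"
             "192.168.1.5          #host1\n"
             "192.168.1.6          #host2\n"
             "203.0.113.10         #real-afs-server\n",
    "host2": ">example.cell        #Example cell\n"
             "192.168.1.5          #host1\n"
             "192.168.1.6          #host2\n",
    "real-afs-server": ">example.cell        #Example cell\n"
                       "192.168.1.5          #host1\n"
                       "192.168.1.6          #host2\n"
                       "203.0.113.10         #real-afs-server\n",
}


def parse_cellservdb(text: str) -> Dict[str, Set[str]]:
    """Return {cellname: set of server IPs} from CellServDB text.

    A line starting with '>' begins a cell; the lines that follow it are
    'IP  #hostname'. Everything after '#' is a comment and is ignored.
    """
    cells: Dict[str, Set[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(">"):
            current = line[1:].split()[0]
            cells.setdefault(current, set())
        elif current is not None and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", line):
            cells[current].add(line)
    return cells


def find_inconsistencies(copies: Dict[str, str], cell: str) -> Dict[str, Set[str]]:
    """Return {server: IPs missing from its copy} for every copy that differs
    from the union of all copies; an empty dict means the copies agree."""
    parsed = {host: parse_cellservdb(text).get(cell, set())
              for host, text in copies.items()}
    union: Set[str] = set().union(*parsed.values())
    return {host: union - ips for host, ips in parsed.items() if ips != union}
```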