[OpenAFS] Puzzler: lack of access to AFS files

John Hascall john@iastate.edu
Tue, 11 Dec 2007 15:48:50 CST

I'm sure I must be doing something embarrassingly stupid here,
but I just can't figure out why this script is not able to
access the files in AFS that it should be able to.

PATH=$PATH:/usr/local/bin:/usr/athena/bin:/usr/afsws/bin ; export PATH
KRBTKFILE=/tmp/tkt_asw_getwmf_v4.$$ ; export KRBTKFILE
KRB5CCNAME=/tmp/tkt_asw_getwmf_v5.$$ ; export KRB5CCNAME
authenticate -FACT -p sysadmin -i asw.iastate.edu -k $KEYTBFILE
aklog -d
klist -5
cat $1/.WebMail/messagefilters

which, when run as:

root@asw-1# ./getwmf /afs/iastate.edu/users/04/00/frank
Authenticating to cell iastate.edu (server afsdb-1.iastate.edu).
We've deduced that we need to authenticate to realm IASTATE.EDU.
Getting tickets: afs/iastate.edu@IASTATE.EDU
About to resolve name sysadmin.asw to id in cell iastate.edu.
Id 99940
Set username to AFS ID 99940
Setting tokens. AFS ID 99940 /  @ IASTATE.EDU

Tokens held by the Cache Manager:

User's (AFS ID 99940) tokens for afs@iastate.edu [Expires Dec 11 23:39]
   --End of list--
33538 38620 daemon system mem terminal opr lp gomsb usenet dba
Ticket cache: FILE:/tmp/tkt_asw_getwmf_v5.25562
Default principal: sysadmin/asw.iastate.edu@IASTATE.EDU

Valid starting     Expires            Service principal
12/11/07 15:39:09  12/11/07 23:39:08  krbtgt/IASTATE.EDU@IASTATE.EDU
12/11/07 15:39:09  12/11/07 23:39:08  afs/iastate.edu@IASTATE.EDU
cat: Cannot open /afs/iastate.edu/users/04/00/frank/.WebMail/messagefilters.

The file exists, and I, with my account, which is a member of
system:administrators, can read it.

The principal in question is also on system:administrators:

> pts mem 99940
Groups sysadmin.asw (id: 99940) is a member of:

and system:administrators has rights all down that dir path:

> cd /
> foreach xx (afs iastate.edu users 04 00 frank .WebMail)
foreach? echo -n "$xx   "
foreach? fs la $xx | grep system:administrators
foreach? cd $xx
foreach? end
afs       system:administrators rlidwka
iastate.edu       system:administrators rlidwka
users     system:administrators rlidwka
04        system:administrators rlidwka
00        system:administrators rlidwka
frank     system:administrators rlidwka
.WebMail          system:administrators rlidwka

I'm stumped!!

If anyone has any ideas, I'd be very happy to hear them.
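Added example, not part of the post above: a small Python diagnostic that applies AFS's per-directory ACL evaluation to the same checks the post walks through by hand. It parses `pts membership` and `fs listacl` output, computes the principal's effective rights at each path component (positive entries for the user, their groups and the implicit system:anyuser/system:authuser, minus negative entries), and reports the first directory lacking lookup. The command outputs, the `sysadmin.asw` ACL name and the per-directory entries are constructed samples.

```python
"""Find the first AFS directory on a path where a principal loses lookup ('l')."""

def parse_pts_membership(text):
    """Return the set of groups from `pts membership` output; the first line is the header."""
    lines = text.strip().splitlines()
    return {ln.strip() for ln in lines[1:] if ln.strip()}

def parse_fs_listacl(text):
    """Return (normal, negative) dicts of name -> set of rights from `fs listacl` output."""
    normal, negative, current = {}, {}, None
    for ln in text.splitlines():
        s = ln.strip()
        if s.startswith("Normal rights"):
            current = normal
        elif s.startswith("Negative rights"):
            current = negative
        elif current is not None and s:
            name, rights = s.split()
            current[name] = set(rights)
    return normal, negative

def effective_rights(principal, groups, acl):
    """AFS semantics: union of positive entries matching the user, their groups and the
    implicit groups, minus the union of matching negative entries."""
    normal, negative = acl
    names = {principal, "system:anyuser", "system:authuser"} | set(groups)
    granted = set().union(*(normal.get(n, set()) for n in names))
    denied = set().union(*(negative.get(n, set()) for n in names))
    return granted - denied

def first_blocking_dir(principal, groups, acl_text_by_dir, path_dirs):
    """Walk the directories in order; return the first one without lookup, else None."""
    for d in path_dirs:
        rights = effective_rights(principal, groups, parse_fs_listacl(acl_text_by_dir[d]))
        if "l" not in rights:
            return d
    return None

# Constructed sample output (not captured from a real cell). The membership listing is
# empty, as in the post; the cell root grants system:anyuser rl, the mailbox dir does not.
PTS_OUT = "Groups sysadmin.asw (id: 99940) is a member of:\n"
ACL_OUT = {
    "/afs": "Access list for /afs is\nNormal rights:\n  system:administrators rlidwka\n  system:anyuser rl\n",
    "/afs/iastate.edu/users/04/00/frank/.WebMail":
        "Access list for .WebMail is\nNormal rights:\n  system:administrators rlidwka\n",
}

if __name__ == "__main__":
    groups = parse_pts_membership(PTS_OUT)
    print("groups:", groups or "{none}")
    print("first dir without lookup:", first_blocking_dir("sysadmin.asw", groups, ACL_OUT, list(ACL_OUT)))
```

Run against real output, the same walk shows whether the ACL entries on each component actually apply to the principal rather than only whether they are present.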