[OpenAFS] fs: You don't have the required access rights on '/afs'

Tony D'Amato tdamato@odu.edu
Thu, 11 Dec 2008 11:03:47 -0500


Okay, I'm beating my head against the wall on this one... I've compiled, 
installed, and am attempting to set up OpenAFS 1.4.8 as a server on 
Solaris 10 x86 (originally Update 5, with some U6 patches). I'm using Sun 
Studio 12 to compile the software. After setting up the services with 
-noauth and using asetkey to add the afs principal, I created the admin 
principal 'cell_admin' (we're a former DCE/DFS shop), but when I issue 
the setacl on the /afs mount point, I get the infamous error message in 
the subject. Please note that due to local requirements, the Kerberos 
domain is not and cannot be the same as the AFS cell name... perhaps 
that's my problem?

Anywho, here's a log of what I've done...

> # kinit cell_admin
> Password for cell_admin@AUTH.ODU.EDU:
> # aklog -d
> Authenticating to cell lionstest.odu.edu (server marcos.server1.odu.edu).
> Trying to authenticate to user's realm AUTH.ODU.EDU.
> Getting tickets: afs/lionstest.odu.edu@AUTH.ODU.EDU
> Using Kerberos V5 ticket natively
> About to resolve name cell_admin to id in cell lionstest.odu.edu.
> Id 1
> Set username to AFS ID 1
> Setting tokens. AFS ID 1 /  @ AUTH.ODU.EDU
> # fs setacl /afs system:anyuser rl
> fs: You don't have the required access rights on '/afs'
> # /usr/afs/bin/pt_util -members
> Ubik Version is: 1229008544.4
> system:backup 2/0 -205 -204 -204
> system:administrators 130/20 -204 -204 -204
>    cell_admin 1
> system:ptsviewers 2/0 -203 -204 -204
> system:authuser 2/0 -102 -204 -204
> system:anyuser 2/0 -101 -204 -204
> # tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 1) tokens for afs@lionstest.odu.edu [Expires Dec 11 20:32]
>    --End of list--
> # pts me system:administrators
> pts: Permission denied ; unable to get membership of system:administrators (id: -204)
> # pts me system:administrators -noauth
> Members of system:administrators (id: -204) are:
>   cell_admin
> # fstrace setset cm -active
> # fs setacl /afs system:anyuser rl
> fs: You don't have the required access rights on '/afs'
> # fstrace dump cm
> AFS Trace Dump -
>
>    Date: Thu Dec 11 10:37:00 2008
>
> Found 1 logs.
>
> Contents of log cmfx:
> time 916.908804, pid 0: Thu Dec 11 10:36:52 2008
>
>
> time 916.908804, pid 1376: Analyze RPC op 2 conn 0x83d7e258 code 0x0 user 0x0
> time 916.908814, pid 1376: ProcessFS vp 0x85899000 old len (0x0, 0x800) new len (0x0, 0x800)
> time 916.908821, pid 1376: vfs root vp 0x85899000, code 0
> time 916.908828, pid 1376: Pioctl command 0x2 for vp 0x85899000, follow=1
> time 916.908992, pid 1376: Analyze RPC op 1 conn 0x83d7e258 code 0x2f6df0c user 0x0
> time 916.908999, pid 1376: Returning code 49733388 from 41
>
> AFS Trace Dump - Completed
> # vos listaddrs
> marcos.server1.odu.edu
> # fs checkservers
> All servers are running.
> # fs checkvolumes
> All volumeID/name mappings checked.
> # pts me cell_admin -cell lionstest.odu.edu -localauth
> Groups cell_admin (id: 1) is a member of:
>   system:administrators
> #
>
Thanks in advance for any assistance you can give me!
-- 
Tony D'Amato, SCSA (it's Exchange that puts "Nicholas" there)
Senior UNIX Systems Administrator
Server Support Group, OCCS
Old Dominion University