[OpenAFS] fs: You don't have the required access rights on '/afs'
Douglas E. Engert
deengert@anl.gov
Thu, 11 Dec 2008 11:35:47 -0600
Tony D'Amato wrote:
> Okay, I'm beating my head against the wall on this one... I've compiled,
> installed, and am attempting to set up OpenAFS 1.4.8 as a server on Solaris
> 10 x86 (originally Update 5, with some U6 patches). I'm using Sun Studio
> 12 to compile the software. After setting up the services with -noauth,
> using asetkey to add the afs principal, created the admin principal
> 'cell_admin' (we're a former DCE/DFS shop), but when I issue the setacl
> on the /afs mount point, I get the infamous error message in the
> subject. Please note that due to local requirements, the Kerberos domain
> is not and cannot be the same as the AFS cell name... perhaps that's my
> problem?
>
> Anywho, here's a log of what I've done...
>
>> # kinit cell_admin
>> Password for cell_admin@AUTH.ODU.EDU:
>> # aklog -d
>> Authenticating to cell lionstest.odu.edu (server marcos.server1.odu.edu).
>> Trying to authenticate to user's realm AUTH.ODU.EDU.
>> Getting tickets: afs/lionstest.odu.edu@AUTH.ODU.EDU
>> Using Kerberos V5 ticket natively
>> About to resolve name cell_admin to id in cell lionstest.odu.edu.
>> Id 1
>> Set username to AFS ID 1
>> Setting tokens. AFS ID 1 / @ AUTH.ODU.EDU
>> # fs setacl /afs system:anyuser rl

What do "fs exam /afs" and "fs whichcell" show?
If it's read-only, that could be the issue.

You can make a temp mount point for root.afs and set the ACL,
then release the volume and unmount the temp mount point?

    cd /afs/.lionstest.odu.edu
    fs mkm -dir tmp.root -vol root.afs
    fs sa tmp.root -acl system:anyuser rl
    vos release root.afs
    fs rmm tmp.root

>> fs: You don't have the required access rights on '/afs'
>> # /usr/afs/bin/pt_util -members
>> Ubik Version is: 1229008544.4
>> system:backup 2/0 -205 -204 -204
>> system:administrators 130/20 -204 -204 -204
>> cell_admin 1
>> system:ptsviewers 2/0 -203 -204 -204
>> system:authuser 2/0 -102 -204 -204
>> system:anyuser 2/0 -101 -204 -204
>> # tokens
>>
>> Tokens held by the Cache Manager:
>>
>> User's (AFS ID 1) tokens for afs@lionstest.odu.edu [Expires Dec 11 20:32]
>> --End of list--
>> # pts me system:administrators
>> pts: Permission denied ; unable to get membership of
>> system:administrators (id: -204)
>> # pts me system:administrators -noauth
>> Members of system:administrators (id: -204) are:
>> cell_admin
>> # fstrace setset cm -active
>> # fs setacl /afs system:anyuser rl
>> fs: You don't have the required access rights on '/afs'
>> # fstrace dump cm
>> AFS Trace Dump -
>>
>> Date: Thu Dec 11 10:37:00 2008
>>
>> Found 1 logs.
>>
>> Contents of log cmfx:
>> time 916.908804, pid 0: Thu Dec 11 10:36:52 2008
>>
>>
>> time 916.908804, pid 1376: Analyze RPC op 2 conn 0x83d7e258 code 0x0
>> user 0x0
>> time 916.908814, pid 1376: ProcessFS vp 0x85899000 old len (0x0,
>> 0x800) new len (0x0, 0x800)
>> time 916.908821, pid 1376: vfs root vp 0x85899000, code 0
>> time 916.908828, pid 1376: Pioctl command 0x2 for vp 0x85899000, follow=1
>> time 916.908992, pid 1376: Analyze RPC op 1 conn 0x83d7e258 code
>> 0x2f6df0c user 0x0
>> time 916.908999, pid 1376: Returning code 49733388 from 41
>>
>> AFS Trace Dump - Completed
>> # vos listaddrs
>> marcos.server1.odu.edu
>> # fs checkservers
>> All servers are running.
>> # fs checkvolumes
>> All volumeID/name mappings checked.
>> # pts me cell_admin -cell lionstest.odu.edu -localauth
>> Groups cell_admin (id: 1) is a member of:
>> system:administrators
>> #
>>
> Thanks in advance for any assistance you can give me!
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444