[OpenAFS] fs: You don't have the required access rights on '/afs'

Tony D'Amato tdamato@odu.edu
Thu, 11 Dec 2008 12:55:16 -0500



Douglas E. Engert wrote:
> Tony D'Amato wrote:
>   
>> Okay, I'm beating my head against the wall on this one... I've compiled, 
>> installed, and attempting to set up OpenAFS 1.4.8 as a server on Solaris 
>> 10 x86 (originally Update 5, with some U6 patches). I'm using Sun Studio 
>> 12 to compile the software. After setting up the services with -noauth, 
>> using asetkey to add the afs principal, created the admin principal 
>> 'cell_admin' (we're a former DCE/DFS shop), but when I issue the setacl 
>> on the /afs mount point, I get the infamous error message in the 
>> subject. Please note that due to local requirements, the Kerberos domain 
>> is not and cannot be the same as the AFS cell name... perhaps that's my 
>> problem?
>>
>> Anywho, here's a log of what I've done...
>>
>>     
>>> # kinit cell_admin
>>> Password for cell_admin@AUTH.ODU.EDU:
>>> # aklog -d
>>> Authenticating to cell lionstest.odu.edu (server marcos.server1.odu.edu).
>>> Trying to authenticate to user's realm AUTH.ODU.EDU.
>>> Getting tickets: afs/lionstest.odu.edu@AUTH.ODU.EDU
>>> Using Kerberos V5 ticket natively
>>> About to resolve name cell_admin to id in cell lionstest.odu.edu.
>>> Id 1
>>> Set username to AFS ID 1
>>> Setting tokens. AFS ID 1 /  @ AUTH.ODU.EDU
>>> # fs setacl /afs system:anyuser rl
>>>       
>
> What does "fs exam /afs"  and "fs whichcell" show?
>   

# fs exam /afs
fs: You don't have the required access rights on '/afs'
# fs whichcell /afs
File /afs lives in cell 'lionstest.odu.edu'
#


> If it's readonly that could be the issue.
> You can make a temp mount point for root.afs and set the acl,
> then release the volume and unmount the temp mount point?
>
> cd /afs/.lionstest.odu.edu
> fs mkm  -dir tmp.root  -vol root.afs
> fs sa tmp.root -acl system:anyuser rl
> vos release root.afs
> fs rmm tmp.root
>   

Unfortunately, this is a new cell, I just created root.afs w/ -noauth, 
and I haven't been able to create /afs/lionstest.odu.edu because of the 
permission issue on /afs. When I try my next step in creating root.cell, 
I get this:

# /usr/sbin/vos create marcos.server1.odu.edu /vicepa root.cell

Could not get an Id for volume root.cell
   VLDB: no permission access for call
VLDB: no permission access for call
Error in vos create command.
VLDB: no permission access for call
# tokens

Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@lionstest.odu.edu [Expires Dec 11 20:32]
   --End of list--
#

In a separate email, Derrick Brashear is thinking it might be a bad 
token giving me issues. Thoughts all?

> [...snip...]
>   

-- 
Tony D'Amato, SCSA (it's Exchange that puts "Nicholas" there)
Senior UNIX Systems Administrator
Server Support Group, OCCS
Old Dominion University

