[OpenAFS] fs: You don't have the required access rights on '/afs'

Tony D'Amato tdamato@odu.edu
Thu, 11 Dec 2008 15:14:41 -0500



Douglas E. Engert wrote:
> Did you add cell_admin to /usr/afs/etc/UserList
> using the bos adduser?
>   

Yup:

# bos listuser marcos -noauth
SUsers are: cell_admin

>
>
> Tony D'Amato wrote:
>   
>> Douglas E. Engert wrote:
>>     
>>> Tony D'Amato wrote:
>>>   
>>>       
>>>> Okay, I'm beating my head against the wall on this one... I've compiled, 
>>>> installed, and am attempting to set up OpenAFS 1.4.8 as a server on Solaris 
>>>> 10 x86 (originally Update 5, with some U6 patches). I'm using Sun Studio 
>>>> 12 to compile the software. After setting up the services with -noauth, 
>>>> using asetkey to add the afs principal, created the admin principal 
>>>> 'cell_admin' (we're a former DCE/DFS shop), but when I issue the setacl 
>>>> on the /afs mount point, I get the infamous error message in the 
>>>> subject. Please note that due to local requirements, the Kerberos domain 
>>>> is not and cannot be the same as the AFS cell name... perhaps that's my 
>>>> problem?
>>>>
>>>> Anywho, here's a log of what I've done...
>>>>
>>>>     
>>>>         
>>>>> # kinit cell_admin
>>>>> Password for cell_admin@AUTH.ODU.EDU:
>>>>> # aklog -d
>>>>> Authenticating to cell lionstest.odu.edu (server marcos.server1.odu.edu).
>>>>> Trying to authenticate to user's realm AUTH.ODU.EDU.
>>>>> Getting tickets: afs/lionstest.odu.edu@AUTH.ODU.EDU
>>>>> Using Kerberos V5 ticket natively
>>>>> About to resolve name cell_admin to id in cell lionstest.odu.edu.
>>>>> Id 1
>>>>> Set username to AFS ID 1
>>>>> Setting tokens. AFS ID 1 /  @ AUTH.ODU.EDU
>>>>> # fs setacl /afs system:anyuser rl
>>>>>       
>>>>>           
>>> What does "fs exam /afs"  and "fs whichcell" show?
>>>   
>>>       
>> # fs exam /afs
>> fs: You don't have the required access rights on '/afs'
>> # fs whichcell /afs
>> File /afs lives in cell 'lionstest.odu.edu'
>> #
>>
>>
>>     
>>> If it's readonly that could be the issue.
>>> You can make a temp mount point for root.afs and set the acl,
>>> then release the volume and unmount the temp mount point?
>>>
>>> cd /afs/.lionstest.odu.edu
>>> fs mkm  -dir tmp.root  -vol root.afs
>>> fs sa tmp.root -acl system:anyuser rl
>>> vos release root.afs
>>> fs rmm tmp.root
>>>   
>>>       
>> Unfortunately, this is a new cell, I just created root.afs w/ -noauth, 
>> and I haven't been able to create /afs/lionstest.odu.edu because of the 
>> permission issue on /afs. When I try my next step in creating root.cell, 
>> I get this:
>>
>> # /usr/sbin/vos create marcos.server1.odu.edu /vicepa root.cell
>>
>> Could not get an Id for volume root.cell
>>    VLDB: no permission access for call
>> VLDB: no permission access for call
>> Error in vos create command.
>> VLDB: no permission access for call
>> # tokens
>>
>> Tokens held by the Cache Manager:
>>
>> User's (AFS ID 1) tokens for afs@lionstest.odu.edu [Expires Dec 11 20:32]
>>    --End of list--
>> #
>>
>> In a separate email, Derrick Brashear is thinking it might be a bad 
>> token giving me issues. Thoughts all?
>>
>>     
>>> [...snip...]
>>>   
>>>       
>> -- 
>> Tony D'Amato, SCSA (it's Exchange that puts "Nicholas" there)
>> Senior UNIX Systems Administrator
>> Server Support Group, OCCS
>> Old Dominion University
>>
>>     
>
>   


-- 
Tony D'Amato, SCSA (it's Exchange that puts "Nicholas" there)
Senior UNIX Systems Administrator
Server Support Group, OCCS
Old Dominion University

