[OpenAFS] fs: You don't have the required access rights on '/afs' - SOLVED

Tony D'Amato tdamato@odu.edu
Thu, 11 Dec 2008 16:33:29 -0500


After working the problem with Jeffrey Altman and Douglas Engert as well 
as Derrick Brashear offline, here's what I was doing wrong:

1) The afs/lionstest.odu.edu key was using the wrong salt... I fixed 
this by removing all instances of afs/lionstest.odu.edu from the keytab 
and from AFS (using asetkey delete) and replaced them with the proper 
one, then recycled the server:

kadmin: addprinc -randkey -e "des-cbc-crc:v4" afs/lionstest.odu.edu

kadmin: ktadd -e "des-cbc-crc:v4" afs/lionstest.odu.edu

# klist -k -e -t -K|grep afs
   3 11/12/2008 15:43 afs/lionstest.odu.edu@AUTH.ODU.EDU (DES cbc mode with CRC-32)  (0xb58c6e5e0d0b8f54)

# asetkey add 3 /etc/krb5/krb5.keytab afs/lionstest.odu.edu

# asetkey list
kvno    3: key is: b58c6e5e0d0b8f54
All done.

2) Because I'm using a Kerberos realm name which does not match the AFS 
cell name, I had to enter that realm into the following two files and 
recycle the AFS server and client:

/usr/vice/etc/krb.conf  # for the client
/usr/afs/etc/krb.conf    # for the server

Once this was done, it worked!

# tokens

Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@lionstest.odu.edu [Expires Dec 12 01:58]
   --End of list--
# fs setacl /afs system:anyuser rl
# fs listacl /afs
Access list for /afs is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
#


Thanks to all of you - you're the greatest!
-- 
Tony D'Amato, SCSA (it's Exchange that puts "Nicholas" there)
Senior UNIX Systems Administrator
Server Support Group, OCCS
Old Dominion University
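
The transcript above confirms the fix by eye: the key bytes that klist -k -e -t -K shows for kvno 3 must be the same bytes asetkey list reports, and the krb.conf files must name the realm when it differs from the cell name. The script below is an added example, not from the original message or from OpenAFS, that makes those checks mechanically. It works on constructed copies of the two command outputs (the kvno 2 entry, the host/ principal and the AES enctype are invented to exercise the failure cases) and on a constructed krb.conf; the function names are this example's own. To use it against a real host, replace the three constants with the output of the real commands and the contents of /usr/vice/etc/krb.conf or /usr/afs/etc/krb.conf.

```shell
#!/bin/sh
# Added example (not from the original message): cross-check the afs/<cell>
# service key between the Kerberos keytab and the OpenAFS KeyFile, using the
# same two command outputs the transcript inspects by eye:
#   klist -k -e -t -K   (keytab entries with key bytes)
#   asetkey list        (keys OpenAFS loaded into /usr/afs/etc/KeyFile)
# The outputs below are constructed to mirror the transcript; the extra entries
# (kvno 2, the host/ principal, AES) are invented to show the negative cases.
# Function names are this example's own.

# Constructed 'klist -k -e -t -K' output, one entry per line.
KLIST_OUT='   2 11/10/2008 09:12 afs/lionstest.odu.edu@AUTH.ODU.EDU (DES cbc mode with CRC-32)  (0x1a2b3c4d5e6f7081)
   3 11/12/2008 15:43 afs/lionstest.odu.edu@AUTH.ODU.EDU (DES cbc mode with CRC-32)  (0xb58c6e5e0d0b8f54)
   3 11/12/2008 15:43 host/lionstest.odu.edu@AUTH.ODU.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC)  (0x9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f)'

# Constructed 'asetkey list' output (asetkey reports kvno and key, no principal).
ASETKEY_OUT='kvno    3: key is: b58c6e5e0d0b8f54
All done.'

# Constructed krb.conf contents: the realm name on a line of its own, as
# /usr/vice/etc/krb.conf and /usr/afs/etc/krb.conf expect it.
KRB_CONF='AUTH.ODU.EDU'

# keytab_entry PRINCIPAL KVNO -> the matching klist line(s), or nothing.
keytab_entry() {
    printf '%s\n' "$KLIST_OUT" | awk -v p="$1" -v k="$2" '$1 == k && $4 == p'
}

# keytab_key PRINCIPAL KVNO -> hex key bytes of that keytab entry (0x and parens stripped).
keytab_key() {
    keytab_entry "$1" "$2" |
    awk '{ key = $NF; sub(/^\(0x/, "", key); sub(/\)$/, "", key); print key }'
}

# keytab_is_des PRINCIPAL KVNO -> true if the entry is single DES, the only
# enctype an rxkad-based OpenAFS 1.4 fileserver can use.
keytab_is_des() {
    keytab_entry "$1" "$2" | grep -q 'DES cbc mode with CRC-32'
}

# afs_key KVNO -> hex key bytes asetkey list reports for that kvno.
afs_key() {
    printf '%s\n' "$ASETKEY_OUT" |
    awk -v k="$1" '$1 == "kvno" && $2 == (k ":") { print $NF }'
}

# check_afs_key PRINCIPAL KVNO -> 0 if keytab and KeyFile hold the same single
# DES key under the same kvno, 1 otherwise (reason on stderr).
check_afs_key() {
    kt=$(keytab_key "$1" "$2")
    af=$(afs_key "$2")
    if [ -z "$kt" ]; then echo "no keytab entry for $1 kvno $2" >&2; return 1; fi
    if ! keytab_is_des "$1" "$2"; then echo "keytab entry for $1 kvno $2 is not single DES" >&2; return 1; fi
    if [ -z "$af" ]; then echo "KeyFile has no kvno $2 (asetkey add not run?)" >&2; return 1; fi
    if [ "$kt" != "$af" ]; then echo "kvno $2: keytab $kt != KeyFile $af" >&2; return 1; fi
    return 0
}

# realm_listed PRINCIPAL -> true if the principal's realm appears in krb.conf,
# which a cell whose name differs from its Kerberos realm needs.
realm_listed() {
    realm=${1##*@}
    printf '%s\n' "$KRB_CONF" | grep -qx "$realm"
}

check_afs_key afs/lionstest.odu.edu@AUTH.ODU.EDU 3 && echo "kvno 3: keytab and KeyFile agree"
check_afs_key afs/lionstest.odu.edu@AUTH.ODU.EDU 2 || echo "kvno 2: not loaded into AFS (expected)"
realm_listed afs/lionstest.odu.edu@AUTH.ODU.EDU && echo "realm AUTH.ODU.EDU is listed in krb.conf"
```

The comparison is per kvno on purpose: a keytab entry and a KeyFile entry that carry the same bytes under different kvnos still fail, because the fileserver picks the KeyFile key by the kvno in the incoming ticket.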
