[OpenAFS] Openafs broken on Ubuntu Hardy ?
Madhusudan Singh
singh.madhusudan@gmail.com
Mon, 27 Oct 2008 09:39:50 -0700
Hello,
Apologies for the long delay. I forgot about this issue as I got busy.
> I upgraded from -19 to -21 this morning, built and installed
> openafs-modules-2.6.24-21-generic_1.4.6.dfsg1-2+2.6.24-21.42_i386.deb
> using m-a as usual, and it still works.
>
Ok.
>
> > >> :$ cd /afs/YYY.edu/users/X/Y/Z/XYZABC
> > >> bash: cd: /afs/YYY.edu/users/X/Y/Z/XYZABC: Permission denied
> > >>
> > > This looks like the user you authenticate as simply doesn't have the
> > > required permissions to access the directory.
> >
> > Impossible. I can ssh into the server with the same username and password
> > without any issues. I use rsync to do regular (every 1 hour) backups to this
> > directory (a process that is cumbersome, which is why I am looking to set
> > up my openafs client).
>
> All right. Your problem *is* client-side, then. Could you look at the
> output of "klist -a -n" and verify that your AFS service ticket is for
> the right address? (Addressless is usually OK.) NAT gateways sometimes
> interfere.
>
$ klist -a -n
Ticket cache: FILE:/tmp/krb5cc_457671
Default principal: XYZABC@YYY.EDU
Valid starting Expires Service principal
10/27/08 09:17:57 10/28/08 09:17:57 krbtgt/YYY.EDU@YYY.EDU
Addresses: (none)
10/27/08 09:18:01 10/28/08 09:17:57 afs@YYY.EDU
Addresses: (none)
Kerberos 4 ticket cache: /tmp/tkt457671
klist: You have no tickets cached
Appears to be addressless. I tried this with my own firewall down (not that
that has anything to do with what you were talking about - just wanted to
eliminate a possible point of failure).
>
> > I cannot cd into my own directory, so I ssh'ed into the server and issued fs
>
> Which authentication method did you use with ssh? Does GSSAPI work?
>
I have never really looked into this. I believe that I have ssh-krb5 or some
such thing installed. A quick look inside my /etc/ssh/sshd_config on the
client indicates "GSSAPIAuthentication yes" is set.
> > listacl :
> >
> > $ fs listacl
> > Access list for . is
> > Normal rights:
> > systems:backup rl
> > www-hosts l
> > system:administrators rlidwka
> > XYZABC rlidwka
>
> Looks good. One question, though: is the server you ran this on a member
> of www-hosts ?
I have no idea (it does host www directories for users). How do I find out?
>
>
> > The owner of all directories under /afs/YYY.EDU/users/X/Y/Z is root.root
> > (tested both through the local /afs tree and by ssh'ing to the server and
> > doing a cd ..). I do not recall what this was when things were working fine
> > (never needed to check), but is this normal (sounds fishy)? In a different
> > cell, a long time ago, I seem to vaguely recall that the directory was owned
> > by the user in question.
>
> The UID that owns the volume root has implicit "a" permission on all
> directories in the volume. That would let you recover from a "fs setacl
> $HOME XYZABC none" without having to bother the AFS administrators. But
> since the ACL explicitly grants you full access, you should have full
> access --- as long as your token is valid.
>
> > To test if this was messing up things, I cd'ed to
> > /afs/YYY.EDU/users/X/Y/Z/XYZABC and issued a command :
> >
> > $ cd XYZABC/Private
> > bash: cd: XYZABC/Private: Permission denied
>
> So you were trying to access /afs/YYY.EDU/users/X/Y/Z/XYZABC/XYZABC/Private?
>
Yes.
>
> Was this on the server or on your client? If on the client (as your
> other statements are suggesting), it simply restates that your token
> is not being accepted. If on the server, I'd want to see the ACL on
> that subdirectory (and know whether the server is in www-hosts).
This was on the client. On the server, I have no issues accessing anything
that I own.
>
>
> > This is more nonsense as ~/Private holds my backups :) Maybe the fact that I
> > do not own /afs/YYY.EDU/users/X/Y/Z/XYZABC is short-circuiting that command.
>
> I don't see how that would work as an explanation.
Shooting in the dark with my ignorance as an able ally :)
>
>
> > The owner of all files inside /afs/YYY.EDU/users/X/Y/Z/XYZABC is obviously
> > XYZABC.
>
> Not so obviously since you said that the top-level directory is owned by
> root, not by XYZABC. You could be locked out of a subdirectory by its ACL.
>
When I login to the server through ssh, I see the following :
drwxr-xr-x 6 XYZABC XYZABC 2048 Oct 27 09:24 Private
I guess I should have included that instead of simply stating that I can
read/write to the directory etc. You can read/write to any directory without
being the owner if you have the right ACLs / Unix file permissions.
> My impression is that the token you got on your client is either invalid
> or belongs to a different AFS user. The explanations I can think of are
I simply fail to see how it can belong to a different AFS user. The UID is
the same and the username used is the same for the attempt to get tokens,
and for the successful login to the server (as well as the ownership of the
subdirectories like above).
Maybe you should explain why you continue to suspect this?
>
> (a) that you are behind a NAT and your token is for the wrong address;
Addressless above.
>
> (b) that you're obtaining the token via Kerberos cross-realm and it's
> really for user XYZABC@OTHER.REALM (in which case you could try
> fs setacl /afs/YYY.EDU/users/X/Y/Z/XYZABC XYZABC@other.realm all
> on the server where you do have access, or learn how to authenticate to
> the correct realm in the first place).
The realm listed in the token is YYY.EDU. Just to check against any mess-up
of this sort, I logged in to the server using ssh and issued klist -a -n ON the
SERVER:
$ klist -a -n
Ticket cache: FILE:/tmp/krb5cc_457671_Rdt7da
Default principal: XYZABC@YYY.EDU
Valid starting Expires Service principal
10/27/08 09:32:49 10/27/08 19:32:48 krbtgt/YYY.EDU@YYY.EDU
renew until 10/27/08 19:32:48
Addresses: <an actual IP address>
Kerberos 4 ticket cache: /tmp/tkt457671_QToYEM
Principal: XYZABC@YYY.EDU
Issued Expires Principal
10/27/08 09:32:49 10/27/08 19:27:49 krbtgt.YYY.EDU@YYY.EDU
10/27/08 09:32:49 10/27/08 19:32:49 afs@YYY.EDU
Notable differences - it's not addressless, and Kerberos 4 tickets were issued
as well.
>
> Can't the helpdesk at YYY.EDU help you with this?
>
I will definitely ask them (though most of them are Windows-addled Unix
ignoramuses - this is one of your more "modern" IT departments) once I have
exhausted all chances of the problem being at my end. Thanks for your help
and patience so far. Any suggestions would be greatly appreciated.
With regards.
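An added example, not code from this thread or from the OpenAFS project, that ties the two diagnostic strands above together: it parses the quoted `fs listacl` output, computes a principal's effective rights under the rule the reply gives (the UID owning the volume root implicitly holds "a") together with the `fs setacl` shorthands read/write/all/none, and inspects the quoted `klist -a -n` dumps for the afs service ticket's realm, its address binding and whether it came from the Kerberos 4 cache, mapping those onto the reply's hypotheses (a) and (b). The function names, the `groups` argument (a stand-in for PTS group membership such as www-hosts) and the wording of the reported concerns are my assumptions; the sample ACL and klist text are copied from the messages above.

```python
"""Added example (not the thread's or OpenAFS's code): AFS ACL evaluation and
klist inspection for the permission-denied diagnosis discussed above."""
import re

RIGHTS = "rlidwka"  # read, lookup, insert, delete, write, lock, administer
SHORTHAND = {"read": "rl", "write": "rlidwk", "all": "rlidwka", "none": ""}

# ACL copied from the thread's `fs listacl` output.
LISTACL_OUTPUT = """\
$ fs listacl
Access list for . is
Normal rights:
systems:backup rl
www-hosts l
system:administrators rlidwka
XYZABC rlidwka
"""

# Client-side klist output copied from the thread (addressless Kerberos 5 afs ticket).
CLIENT_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_457671
Default principal: XYZABC@YYY.EDU
Valid starting Expires Service principal
10/27/08 09:17:57 10/28/08 09:17:57 krbtgt/YYY.EDU@YYY.EDU
Addresses: (none)
10/27/08 09:18:01 10/28/08 09:17:57 afs@YYY.EDU
Addresses: (none)
Kerberos 4 ticket cache: /tmp/tkt457671
klist: You have no tickets cached
"""

# Server-side klist output copied from the thread (afs ticket only in the Kerberos 4 cache).
SERVER_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_457671_Rdt7da
Default principal: XYZABC@YYY.EDU
Valid starting Expires Service principal
10/27/08 09:32:49 10/27/08 19:32:48 krbtgt/YYY.EDU@YYY.EDU
renew until 10/27/08 19:32:48
Addresses: <an actual IP address>
Kerberos 4 ticket cache: /tmp/tkt457671_QToYEM
Principal: XYZABC@YYY.EDU
Issued Expires Principal
10/27/08 09:32:49 10/27/08 19:27:49 krbtgt.YYY.EDU@YYY.EDU
10/27/08 09:32:49 10/27/08 19:32:49 afs@YYY.EDU
"""


def normalize(rights):
    """Expand fs shorthand (read/write/all/none) and order the letters canonically."""
    rights = SHORTHAND.get(rights, rights)
    unknown = set(rights) - set(RIGHTS)
    if unknown:
        raise ValueError("unknown AFS right(s): %s" % "".join(sorted(unknown)))
    return "".join(c for c in RIGHTS if c in rights)


def parse_listacl(text):
    """Return (normal, negative) dicts of principal -> rights from `fs listacl` output."""
    normal, negative, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Normal rights:"):
            current = normal
        elif line.startswith("Negative rights:"):
            current = negative
        elif current is not None and line:
            name, rights = line.split()
            current[name] = normalize(rights)
    return normal, negative


def effective_rights(normal, negative, principal, groups=(), volume_owner=False):
    """Union of positive entries for the principal and its groups (assumed PTS
    memberships), minus negative entries; the volume owner implicitly gets 'a'."""
    ids = {principal, *groups}
    granted = set()
    for name, rights in normal.items():
        if name in ids:
            granted |= set(rights)
    for name, rights in negative.items():
        if name in ids:
            granted -= set(rights)
    if volume_owner:
        granted.add("a")
    return "".join(c for c in RIGHTS if c in granted)


def setacl(normal, principal, rights):
    """Mimic `fs setacl <dir> <principal> <rights>` on the parsed normal-rights
    section: 'none' removes the entry, anything else replaces it."""
    rights = normalize(rights)
    if rights:
        normal[principal] = rights
    else:
        normal.pop(principal, None)
    return normal


def afs_ticket_info(klist_text):
    """Locate the first afs service ticket in `klist -a -n` output: its realm, the
    Addresses: line that follows it (None if absent) and whether it is in the
    Kerberos 4 section. Returns None when no afs ticket is cached."""
    lines = [l.rstrip() for l in klist_text.splitlines()]
    krb4 = False
    for i, line in enumerate(lines):
        if line.startswith("Kerberos 4 ticket cache:"):
            krb4 = True
        m = re.search(r"\safs(?:/\S*)?@(\S+)$", line)
        if not m:
            continue
        addresses = None
        if i + 1 < len(lines) and lines[i + 1].strip().startswith("Addresses:"):
            addresses = lines[i + 1].split(":", 1)[1].strip()
        return {"realm": m.group(1), "addresses": addresses, "krb4": krb4}
    return None


def token_concerns(info, expected_realm):
    """Map the reply's hypotheses onto the parsed ticket: (b) wrong realm and
    (a) an address-bound ticket that a NAT could break, plus a note when the afs
    ticket exists only in the Kerberos 4 cache. An empty list means nothing found."""
    if info is None:
        return ["no afs service ticket in cache"]
    concerns = []
    if info["realm"] != expected_realm:
        concerns.append("afs ticket is for realm %s, not %s" % (info["realm"], expected_realm))
    if info["addresses"] not in (None, "(none)"):
        concerns.append("afs ticket is address-bound (%s); NAT may break it" % info["addresses"])
    if info["krb4"]:
        concerns.append("afs ticket found only in the Kerberos 4 cache")
    return concerns


if __name__ == "__main__":
    acl_normal, acl_negative = parse_listacl(LISTACL_OUTPUT)
    print("XYZABC rights:", effective_rights(acl_normal, acl_negative, "XYZABC"))
    print("client:", token_concerns(afs_ticket_info(CLIENT_KLIST), "YYY.EDU"))
    print("server:", token_concerns(afs_ticket_info(SERVER_KLIST), "YYY.EDU"))
```

Run as-is it reports that XYZABC holds rlidwka on the quoted ACL, that the client's afs ticket raises none of the reply's concerns, and that the server's afs ticket lives only in the Kerberos 4 cache; a cell that differs from the expected realm, or a ticket bound to an address, would show up as a concern instead.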