[OpenAFS] Re: Need help: Tokens stop working

Andrew Deason adeason@sinenomine.net
Thu, 8 Oct 2009 16:55:36 -0500


On Thu, 8 Oct 2009 17:30:36 -0400
"Daniel Richard G." <oss@teragram.com> wrote:

> I see a lot of "byte-range lock/unlock ignored; make sure no one else
> is running this program" messages, which I presume are harmless.

Harmless unless you need byte-range locks to work right.

> I also see in one place "Tokens for user of AFS id NNNNN for cell
> teragram.com have expired", shortly before a support incident where
> this user lost access in the manner already described. However, this
> occurred at 2:30pm, for a user who arrived and authenticated at ~9am
> (and our ticket lifetimes are at the default of 10h).

You may want to describe how credentials are acquired, then. Is this
logging in via ssh, or is this an X session, or something else? Are you
using PAM, and what PAM modules are you using? If the user somehow
already had tokens, then e.g. 'aklog' may not do anything.

You may want to verify that a user is in a PAG when they log in. In my
opinion, the easiest-explained way to verify that is just to have
someone log in twice, 'unlog' in one session, and verify you have tokens
in one session and not the other.

Also, check the clocks on all related systems. I would think you'd get a
different error if clock synch was your problem, but clocks being wrong
makes things go all kinds of screwy in my experience.

-- 
Andrew Deason
adeason@sinenomine.net