[OpenAFS] Re: Need help: Tokens stop working

[Andrew Deason]

On Fri, 9 Oct 2009 13:16:21 -0400
"Daniel Richard G." <oss@teragram.com> wrote:

> > We've seen some odd behavior in some situations when gid and keyring
> > PAG tracking are both in use. I've never seen issues with it and
> > SSH, though, and if your tokens are lasting longer than 10 minutes,
> > that's probably not the problem.
> 
> It's a layer I was unaware of, at least. I'll try looking at the
> keyring the next time I get the odd token behavior.

Unfortunately, issues relating to this can't really be debugged from
userspace. You could try disabling the gid PAG code or the keyring PAG
code when building the client, though. You can disable the gid PAG code
with the configure option --disable-linux-syscall-probing, though that's
not really what it's supposed to be used for.

But again, if you're seeing tokens last for several hours, you're not
hitting the specific issue I'm thinking of. It's still possible for the
gid and keyring PAG stuff to be interacting strangely in ways I haven't
seen, though.

> Any other ideas as to what kind of poking and prodding I can do when
> the AFS token isn't working as it should?

I can't think of anything right now that you can look at that would help
more. If you're seeing that, something thinks the current time is past
your token's expiration time. So, checking the expiration time reported
by 'tokens' and looking at the present time on the client and all
servers the user may have contacted would be going in the right
direction, but if all of that looks correct...

Of course, finding patterns helps. If you can narrow it down to the user
accessing a specific fileserver, or if tokens always go away N minutes
before they are supposed to, or they go away prematurely only if you
logged in the previous day, or something like that, that would help.

-- 
Andrew Deason
adeason@sinenomine.net