[OpenAFS] Re: Need help: Tokens stop working

Daniel Richard G. danielg@teragram.com
Fri, 9 Oct 2009 16:46:53 -0400


> -----Original Message-----
> From: openafs-info-admin@openafs.org [mailto:openafs-
> info-admin@openafs.org] On Behalf Of Andrew Deason
>
> Unfortunately, issues relating to this can't really be
> debugged from
> userspace. You could try disabling the gid PAG code or
> the keyring PAG
> code when building the client, though. You can disable
> the gid PAG code
> with the configure option --disable-linux-syscall-
> probing, though that's
> not really what it's supposed to be used for.

Ouch. We're currently using Ubuntu's pre-built packages; custom-building the 
clients would be difficult to manage.

> I can't think of anything right now that you can look
> at that would help
> more. If you're seeing that, something thinks the
> current time is past
> your token's expiration time. So, checking the
> expiration time reported
> by 'tokens' and looking at the present time on the
> client and all
> servers the user may have contacted would be going in
> the right
> direction, but if all of that looks correct...

NTP is fairly well-deployed here, so I don't think clock skew is an issue.

> Of course, finding patterns helps. If you can narrow
> it down to the user
> accessing a specific fileserver, or if tokens always
> go away N minutes
> before they are supposed to, or they go away
> prematurely only if you
> logged in the previous day, or something like that,
> that would help.

I'll try to gather more information on this, and report back anything that may 
be of interest. And if anyone can suggest other ways of examining what's going 
on, I'm all ears.


--Daniel