[OpenAFS] OpenAFS on MAC tokens issue
Terry Wood
tjw@cs.pitt.edu
Tue, 28 Sep 2010 11:11:35 -0400
Dear OpenAFS Gurus,
We are having an issue at the University of Pittsburgh CS Dept. with
OpenAFS in our MAC lab. We are running OpenAFS 1.4.12.1 on the MACs.
Upon login if one does a "tokens" command, no tokens are displayed.
However, it appears because we can access protected AFS files that
there must be a token granted of some sort. When we issue an unlog
command we can no longer access the files in the directory.
To be specific, we are accessing
/afs/cs.pitt.edu/public/incoming/CS401/ramirez/TestingMac.
This issue is only showing up on our MAC lab. When we test this from
other systems, permissions function as expected.
So I have to wonder if there isn't a token somewhere, but the tokens
command does not show it.
Here is a test case demonstrating the issue. This machine was
rebooted prior to running this test.
====================================================================
login as: tjw
Using keyboard-interactive authentication.
Password:
Last login: Tue Sep 28 10:30:40 2010 from bender.cs.pitt.edu
Could not chdir to home directory /Users/tjw: No such file or directory
java4a:/ tjw$ tokens
Tokens held by the Cache Manager:
--End of list--
java4a:/ tjw$ cd /afs/cs.pitt.edu/public/incoming/CS401/ramirez
java4a:ramirez tjw$ cd TestingMac
java4a:TestingMac tjw$ ls -l
ls: Bogus: Permission denied
total 49
-rwxrwxrwx@ 1 32766 staff 22016 Sep 27 14:46 syl.doc
-rw-rw-rw- 1 32766 2004 909 Sep 27 14:48 trace.p
java4a:TestingMac tjw$ more trace.p
program trace(input, output);
const Factor = 10;
Marker = '%';
var K, M: integer;
function isit(num : char): boolean;
begin
isit := ('0' <= num) and (num <= '9');
end;
procedure getit(var N: integer);
var ch: char;
dig: integer;
begin
N := 0;
read(ch);
while (ch <> Marker) do
begin
if isit(ch) then
begin
dig := ord(ch) - ord('0');
N := Factor * N + dig;
end;
java4a:TestingMac tjw$ tokens
Tokens held by the Cache Manager:
--End of list--
java4a:TestingMac tjw$ fs listacl
Access list for . is
Normal rights:
ramirez:cs401 rlidwk
techstaff rlidwka
system:administrators rlidwka
system:anyuser li
ramirez rlidwka
java4a:TestingMac tjw$ unlog
java4a:TestingMac tjw$ more trace.p
trace.p: Permission denied
====================================================================
Once an unlog is done, the permissions function as expected. However,
upon reboot the condition returns.
So it's my guess that there's some sort of token being granted at boot
up. But the tokens command isn't showing it.
This is a bit strange to say the least.
These systems were built by Bob Hoffman who asked me to submit this
issue to you for your input.
Many thanks for your time in this matter.
Terry J. Wood
Computer Science Dept.
University of Pittsburgh
412-624-8831