[OpenAFS] OpenAFS on MAC tokens issue

Terry Wood tjw@cs.pitt.edu
Tue, 28 Sep 2010 11:11:35 -0400

Dear OpenAFS Gurus,

We having an issue at the University of Pittsburgh CS Dept. with
OpenAFS in our MAC lab.  We are running OpenAFS on the MACs.

Upon login if one does a "tokens" command, no tokens are displayed.
However, it appears because we can access a protected AFS files that
there must be a token granted of some sort.  When we issue a unlog
command we can no longer access the files in the directory.

To be specific, we are accessing

This issue is only showing up on our MAC lab.  When we test this from
other systems, permissions function as expected.

So I have to wonder if there isn't a token somewhere, but the tokens
command does not show it.

Here is a test case demonstrating the issue.  This machine was
rebooted prior to running this test.


login as: tjw
Using keyboard-interactive authentication.

Last login: Tue Sep 28 10:30:40 2010 from bender.cs.pitt.edu
Could not chdir to home directory /Users/tjw: No such file or directory

java4a:/ tjw$ tokens

Tokens held by the Cache Manager:

   --End of list--

java4a:/ tjw$ cd /afs/cs.pitt.edu/public/incoming/CS401/ramirez

java4a:ramirez tjw$ cd TestingMac

java4a:TestingMac tjw$ ls -l
ls: Bogus: Permission denied
total 49
-rwxrwxrwx@ 1 32766  staff  22016 Sep 27 14:46 syl.doc
-rw-rw-rw-  1 32766  2004     909 Sep 27 14:48 trace.p

java4a:TestingMac tjw$ more trace.p
program trace(input, output);
const Factor = 10;
      Marker = '%';
var K, M: integer;

function isit(num : char): boolean;
     isit  :=  ('0' <= num) and (num <= '9');

procedure getit(var N: integer);
var ch: char;
    dig: integer;
     N := 0;
     while (ch <> Marker) do
           if isit(ch) then
                dig := ord(ch) - ord('0');
                N := Factor * N + dig;

java4a:TestingMac tjw$ tokens

Tokens held by the Cache Manager:

   --End of list--

java4a:TestingMac tjw$ fs listacl
Access list for . is
Normal rights:
  ramirez:cs401 rlidwk
  techstaff rlidwka
  system:administrators rlidwka
  system:anyuser li
  ramirez rlidwka

java4a:TestingMac tjw$ unlog

java4a:TestingMac tjw$ more trace.p
trace.p: Permission denied


Once an unlog is done, the permissions function as expected.  However,
upon reboot the condition returns.

So it's my guess that there's some sort of token being granted at boot
up.  But the tokens command isn't showing it.
This is a bit strange to say the least.

These systems were built by Bob Hoffman who asked me to submit this
issue to you for your input.

Many thanks for your time in this matter.

Terry J. Wood
Computer Science Dept.
University of Pittsburgh