[OpenAFS] Re: Problems with ACLS

Derrick Brashear shadow@gmail.com
Mon, 7 May 2012 12:41:22 -0400


On Mon, May 7, 2012 at 11:49 AM, Stefan Michael Guenther
<s.guenther@in-put.de> wrote:
> Hi,
>
>> > User's (AFS ID 1010) tokens for afs@in-put.de [Expires May  8 15:40]
>> >    --End of list--
>>
>> 'pts examine 1010' to double-check.
>>
> Name: stefan, id: 1010, owner: system:administrators, creator:admin,
>  membership: 0, flags: S----. group quota: 20.
>
> Is it correct that the user stefan doesn't have to exist on the client as a Unix account, because user management is done by AFS?

yes.

>> Run 'tokens' again after this. Is there anything in syslog/dmesg
>> mentioning AFS? Your tokens can be discarded due to a few different
>> errors, but encountering them results in kernel log messages.
>>
> no entries in dmesg or any log file.

hm. what does fs lq /afs/in-put.de/data tell you?
not that a readonly filesystem should give "permission denied" but it
would be helpful to know.

>> the other thing to try is aklog -force; if you added the user to the
>> pts group after they got tokens, they need new tokens.
>>
> using -force didn't solve it.

since 1010 is in fact stefan you're directly on the ACL and refreshing
the tokens won't help; but it was worth a shot before we knew that for
sure.

> BTW: Should this permission problem be recorded by the server? The logfiles in /usr/afs/logs were changed more than 3 hours ago, while I was just getting another "permission denied".

permission denied isn't an error to the server, so no. auditlogs, if
you enable those, will log the user making the request as far as the
server is concerned, which is more useful in this regard.

Derrick
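The checks Derrick walks through above (does the token's AFS ID match the pts entry, is the user on the ACL directly or only through a group, and hence whether 'aklog -force' can help) can be collapsed into one triage step. The following is an added example, not code from the thread or from OpenAFS; it parses constructed sample output in the shape the 'tokens', 'pts examine', 'pts membership' and 'fs la' commands print, and all names, ids and rights in it are made up.

```python
import re

# Constructed sample output in the shape the OpenAFS CLI prints (values made up).
TOKENS_OUT = "User's (AFS ID 1010) tokens for afs@in-put.de [Expires May  8 15:40]\n   --End of list--\n"
PTS_EXAMINE_OUT = ("Name: stefan, id: 1010, owner: system:administrators, creator: admin,\n"
                   "  membership: 1, flags: S----, group quota: 20.\n")
PTS_MEMBERSHIP_OUT = "Groups stefan (id: 1010) is a member of:\n  data-readers\n"
FS_LA_OUT = ("Access list for /afs/in-put.de/data is\nNormal rights:\n"
             "  system:administrators rlidwka\n  data-readers rl\n")

def token_afs_id(text):
    """AFS ID embedded in 'tokens' output, or None when no token is held."""
    m = re.search(r"\(AFS ID (\d+)\)", text)
    return int(m.group(1)) if m else None

def pts_identity(text):
    """(name, id) from 'pts examine' output, or (None, None) if unparseable."""
    m = re.search(r"Name: (\S+), id: (\d+)", text)
    return (m.group(1), int(m.group(2))) if m else (None, None)

def pts_groups(text):
    """Group names listed by 'pts membership <user>' (first line is the header)."""
    return [ln.strip() for ln in text.splitlines()[1:] if ln.strip()]

def acl_entries(text):
    """{principal: rights} from the 'Normal rights' section of 'fs la' output;
    a 'Negative rights' section, if present, is deliberately not counted as access."""
    entries, in_normal = {}, False
    for ln in text.splitlines():
        if ln.startswith("Normal rights:"):
            in_normal = True
        elif ln.startswith("Negative rights:"):
            in_normal = False
        elif in_normal and ln.strip():
            who, rights = ln.split()
            entries[who] = rights
    return entries

def triage(tokens, examine, membership, acl):
    """Answer the thread's questions from the four command outputs."""
    tid = token_afs_id(tokens)
    name, pid = pts_identity(examine)
    entries = acl_entries(acl)
    direct = entries.get(name)
    via = {g: entries[g] for g in pts_groups(membership) if g in entries}
    if tid != pid:
        advice = "token AFS ID does not match the pts entry; obtain tokens as the intended user"
    elif direct is not None:
        advice = "user is directly on the ACL; refreshing tokens will not help, check the volume (fs lq)"
    elif via:
        advice = "access is only via a group; run 'aklog -force' if tokens predate the membership"
    else:
        advice = "neither the user nor any of its groups is on the ACL"
    return {"token_id": tid, "pts_id": pid, "direct": direct, "via_groups": via, "advice": advice}
```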