[OpenAFS] Re: Moving Magic Trio to another domain

Andrew Deason adeason@sinenomine.net
Tue, 24 Sep 2013 16:07:31 -0500

On Tue, 24 Sep 2013 23:31:22 +0300 (EEST)
"Jukka Tuominen" <jukka.tuominen@finndesign.fi> wrote:

> > Okay, I thought you meant they were just offline or something. If
> > that's the problem, then it probably is related to authentication;
> > it seems more like the authentication setup is broken, not related
> > to the migration. Are your tokens not working at all, then? (A way
> > to test would be to try writing to, say, a new file in /afs/.cell/ )
> mkdir says it cannot be done because it's readonly.

For a dir in /afs/.cell? Not /afs/cell, but /afs/.cell; that is,
/afs/.[new.domain]. Can you 'fs lsm' /afs/.[new.domain] ?

> According to the syslog, the cause might be the ldap service which is
> still somehow off sync, even though it is trying to contact the new
> domain.  But I don't know whether it should prevent root/admin
> accessing dirs?

No, it should not. What you're looking for are messages that say
something like 'invalid tokens' or 'tokens discarded' from AFS. If you
see anything like that, the kerberos stuff is broken, so you won't be
able to access anything that requires authentication.

If you do not see that, you can turn up debugging in the fileserver to
see who the fileserver thinks you are when you are accessing it, and it
may provide insight into why you are getting permissions errors.

To turn up debugging all the way in the fileserver, 'pkill -TSTP
fileserver' 4 times (or 'pkill -TSTP dafileserver' if you're running
DAFS). Then run 'fs la' on the directory you're getting an error for,
and you should see a bunch of entries in FileLog. Run 'pkill -HUP
fileserver' to turn off debugging (or 'pkill -HUP dafileserver' for

Then provide the debugging FileLog entries. Either just send it to me
privately or post it with obfuscation or whatever you want to do :)

Andrew Deason
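
The capture procedure described in the message above, as an added shell example (not part of the original message and not OpenAFS's own tooling). The function name `capture_filelog_debug`, the `SIGNAL_DELAY` variable and the default `FILELOG` path are assumptions; it also assumes FileLog is appended to in place, and falls back to copying the whole file if it shrank.

```shell
# Added example: save only the FileLog entries written while debugging is
# turned up, and always send the HUP that turns debugging back off.
# Usage: capture_filelog_debug DIR [fileserver|dafileserver] [OUTFILE]
capture_filelog_debug() {
    dir=$1
    proc=${2:-fileserver}                    # 'dafileserver' when running DAFS
    out=${3:-./FileLog.debug}
    log=${FILELOG:-/usr/afs/logs/FileLog}    # assumed path; set FILELOG for your install
    delay=${SIGNAL_DELAY:-1}                 # pause so each signal is handled separately

    [ -r "$log" ] || { echo "cannot read $log" >&2; return 1; }
    start=$(($(wc -c < "$log")))             # remember where the old entries end

    # Four TSTP signals turn fileserver debugging all the way up.
    i=0
    while [ "$i" -lt 4 ]; do
        pkill -TSTP "$proc" || { pkill -HUP "$proc" 2>/dev/null; return 1; }
        i=$((i + 1))
        sleep "$delay"
    done

    # Reproduce the failing access; the command is expected to fail.
    fs la "$dir" || true
    sleep "$delay"

    # HUP turns debugging back off.
    pkill -HUP "$proc"

    now=$(($(wc -c < "$log")))
    if [ "$now" -lt "$start" ]; then
        cp "$log" "$out"                     # log was replaced; keep all of it
    else
        tail -c +"$((start + 1))" "$log" > "$out"
    fi
    echo "$out"
}
```

Run it as a user allowed to signal the fileserver process, and review the output file before sending or posting it.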