[OpenAFS] Stuck in Quick start guide at "fs: You don't have the
required access rights on '/afs'"
Mon, 7 Mar 2016 15:06:19 +0100
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
Content-Type: multipart/mixed; boundary="ChtOuw6u5gwq7GpcKC52gQL4d8VHgsRSC"
From: Karl-Philipp Richter <firstname.lastname@example.org>
To: Benjamin Kaduk <email@example.com>
Cc: "firstname.lastname@example.org" <email@example.com>
Subject: Re: [OpenAFS] Stuck in Quick start guide at "fs: You don't have the
required access rights on '/afs'"
Content-Type: text/plain; charset=windows-1252
Am 07.03.2016 um 06:18 schrieb Benjamin Kaduk:
> It is certainly possible to update the quickstart guide. Concrete
> references to a section number or HTML url wherein you want the change =
> be made would help.
> Looking at http://docs.openafs.org/QuickStartUnix/HDRWQ80.html, I see:
> % The top-level AFS directory, typically /afs, is a special case: when =
> % client is configured to run in dynroot mode (e.g. afsd -dynroot,
> % attempts to set the ACL on this directory will return Connection time=
> % out. This is because the dynamically- generated root directory is not=
> % part of the global AFS space, and cannot have an access control list =
> % on it.
> Prior to that is a note about "When the root.afs volume is replicated, =
> Cache Manager is programmed to access its read-only version
> (root.afs.readonly) whenever possible.", and a note that mounting the
> read-write copy elsewhere is needed in order to make modifications.
I would appreciate some recovery instructions, since the feedback of
OpenAFS will take time to be intuitive (e.g. this issue mentioned here
was caused by errornous kerberos encryption algorithms in the referenced
post and there's no way of knowing that and kerberos gives sadist
feedback like `kadmind: No such file or directory while initializing,
If the quick start guide becomes too large I'd kick the whole
system-specific service setup routines or move them to another document,
maybe a wiki or a Q&A since it's obsolete already since `systemd` isn't
Concretely, in section 2.24:
- So 1. basically wants to say if `-dynroot` is enabled, then 1. isn't
necessary and no alternative action needs to be performed? Anything else
isn't possible, but the reader still wonders why it's not written that
clearly, so that should be done.
- How am I supposed to get to the replication step if already setting
the ACL on /afs fails with `-dynroot` disabled? Both the explanation and
the commands are after setting those. If creating the read-write mount
point is a precondition to be able to set ACL, then it a tautology
because it depends itself on setting the ACL on / - obviously in my case
only since other people have set up AFS volumes already.
> That posting predates
> http://openafs.org/pages/security/OPENAFS-SA-2013-003.txt; you should n=
> use des-cbc-crc (or des-cbc-md5 or other single-des enctypes) for the A=
> cell-wide key. (If the Quick Start guide indicates to create a single-=
> key, please let me know -- I thought I had removed all such references.=
I didn't, but to make sure (since OpenAFS error messages generally don't
explain the reason for the error), how would I purge such a key from the
setup? Is deleting the keytab and recreating it sufficient?
Thanks for you support.
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----