[OpenAFS] Stuck in Quick start guide at "fs: You don't have the required access rights on '/afs'"

Chas Williams 3chas3@gmail.com
Mon, 07 Mar 2016 15:19:27 -0500


On Mon, 2016-03-07 at 15:06 +0100, Karl-Philipp Richter wrote:
> 
> Concretely, in section 2.24:
> 
>   - So 1. basically wants to say if `-dynroot` is enabled, then 1. isn't
> necessary and no alternative action needs to be performed? Anything else
> isn't possible, but the reader still wonders why it's not written that
> clearly, so that should be done.
>   - How am I supposed to get to the replication step if already setting
> the ACL on /afs fails with `-dynroot` disabled? Both the explanation and
> the commands are after setting those. If creating the read-write mount
> point is a precondition to be able to set ACL, then it is a tautology
> because it depends itself on setting the ACL on / - obviously in my case
> only since other people have set up AFS volumes already.

Yes, that part of the manual is out of date when it comes to dynroot.
You don't need to set up replication for /afs (root.afs) since it doesn't
really exist.  You still access the R/W path to your local cell via
/afs/.CELLNAME though.  Dynroot understands this convention.

So don't do step #1.  -- However, you need to do something to make sure
dynroot can find your new cell (i.e. be in CellServDB, DNS records, ...)

Do step #2 create and setacl.  To create the mount, just access it via the path
instead of using mkm.  So create root.cell before you try to access it.

Don't do step #3 (short names are handled differently for dynroot -- this
is documented elsewhere).

Don't do step #4

Don't do root.afs parts of #5, #7

> 
> > That posting predates
> > http://openafs.org/pages/security/OPENAFS-SA-2013-003.txt; you should not
> > use des-cbc-crc (or des-cbc-md5 or other single-des enctypes) for the AFS
> > cell-wide key.  (If the Quick Start guide indicates to create a single-des
> > key, please let me know -- I thought I had removed all such references.)
> I didn't, but to make sure (since OpenAFS error messages generally don't
> explain the reason for the error), how would I purge such a key from the
> setup? Is deleting the keytab and recreating it sufficient?
> 
> Thanks for your support.
> 
> -Kalle
>