[OpenAFS] Request for Assistance with OpenAFS
Wed, 16 Mar 2016 09:55:34 +0100
I'm trying to setup and use openafs for mobile nodes, not always having
a connection to the openAFS server. I would like to use the openAFS
caching mechanism as an offline disk that synchronizes everything once
I installed an openAFS 1.6.9 server and client, together with a kerberos
server on debian jessie. Everything works great, including offline
operations and synch after the client is back online. However, I fail of
open a afs session on the client machine while it is offline. To rule
out a lack of kerberos ticket, I installed a kerberos replica on the
client machine and I can get a ticket offline. However, even with a
valid ticket, AFS's cache manager doesn't give access to the files.
Investigating more and reading the doc, my understanding is that the
cache manager doesn't look for anything to confirm the authorization
granted by the kerberos ticket presented. However, I still fail to open
an AFS session with an offline machine. I think this is because the
cache manager requests information from the protection database (I guess
some kind of ACLs) and since it can't contact it, then it doesn't give
access to files at all.
In a desperate attempt to reach my goal, I started to set up at
protection database replication into the client and see what happens..
well, it looks like I need to identify protection database server
(including the replication installed in my client machine) with ip
addresses. The problem is that both databases (the original and replica)
check if the ip address of machines are the same in both ends before
allowing a replication to happen. That means I can't configure the
client so it connects to 127.0.0.1, which would be the only way t
contact the local protection database when offline, so this solution
doesn't seem to work either.
Then, finally my question (s): is it possible at all to have openafs
working in offline mode, including opening a session, even if I need to
run a Kerberos and a protection database replica on the client for it
(even if that sounds like a bad idea). Is it possible to prevent the
original and the replica protection databases from checking if the ip
addresses are the same, so that I can have the client machine to contact
its local replica of the protection database on 127.0.0.1 and the
original protection database server to contact the replica through its
ip address on the network; better: through its dns name only.