[OpenAFS] aklog: a pioctl failed while setting tokens for cell

Daria Phoebe Brashear shadow@gmail.com
Fri, 26 Jul 2019 13:29:59 -0400



A followup to keep the group current:
1) the kext is properly signed
2) the extra kext which is already approved by policy is not relevant nor
is it an issue
3) the opportunity to approve the current kext is offered at the preference
pane but the "Allow" button does not work
4) it is possible that use of the screen via screenshare API
(unlikely as a share but maybe a piece of software screenjacking) is
involved: the allow button is disabled when this is the case
5) spctl can be used to approvelist kexts, but requires disabling SIP to
update the registry, and is not how the prefs pane works
6) there does not appear to be an actual command line tool to do this

On Fri, Jul 26, 2019 at 5:44 AM Jan Pospíšil <honik@kma.zcu.cz> wrote:

> First of all I would like to thank all for your effort to help me, I
> really appreciate it.
>
> On 25 Jul 2019, at 19:49, Daria Phoebe Brashear <shadow@gmail.com> wrote:
> >
> > Can you do the following and give me output?
> >
> > rxdebug localhost 7001 -version
>
> I am afraid I do not have rxdebug, it is not part of the auristor client,
> is it? Where can I get the macOS version of these utils?
>
> > kextstat | grep auristor
>
> ok, the list is empty, i.e. the kernel extension is not loaded, which
> confirms what Benjamin Kaduk wrote, and afsd is not running
>
> # launchctl list | grep auristor
> 581     0       com.auristor.XPCHelper
> -       1       com.auristor.yfs-client
>
> # ps auxww | grep -i afsd
>
> > On 25 Jul 2019, at 23:09, Marcio Barbosa <mbarbosa@sinenomine.net> wrote:
> >
> > With that being said, I would take a look on /private/var/log/system.log.
>
> Unfortunately I cannot see any useful info there. Running manually
>
> # launchctl start com.auristor.yfs-client
>
> gives "only"
>
> Jul 26 10:52:47 vpn-234-086 com.apple.xpc.launchd[1]
> (com.auristor.yfs-client[2954]): Service exited with abnormal code: 1
>
> > Also, I would go to "System Preferences > Security and Privacy" to check
> > if we have to "allow" the kernel extension.
>
> I remember I clicked on allow during the installation. It seems that the
> problem is really in the "signature":
>
> # kextutil /Library/Extensions/yfs.kext
> Untrusted kexts are not allowed
> Kext with invalid signature (-67062) denied:
> /Library/StagedExtensions/System/Library/Extensions/1B4B7561-DC98-41D3-82B6-E5C754200137.kext
> Bundle (/System/Library/Extensions/LaCieScsiType00.kext) failed to
> validate, deleting:
> /Library/StagedExtensions/System/Library/Extensions/1B4B7561-DC98-41D3-82B6-E5C754200137.kext
> Unable to stage kext (/System/Library/Extensions/LaCieScsiType00.kext) to
> secure location.
> Kext rejected due to system policy: <OSKext 0x7fe37b9cfa50
> [0x7fffa90b9b40]> { URL =
> "file:///Library/StagedExtensions/Library/Extensions/yfs.kext/", ID =
> "com.auristor.filesystems.yfs" }
> Diagnostics for /Library/Extensions/yfs.kext:
>
>
> # sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
> sqlite> SELECT * FROM kext_policy WHERE bundle_id LIKE '%yfs' ;
> L2TGP62ZXS|com.your-file-system.filesystems.yfs|1|AuriStor, Inc.|12
> L2TGP62ZXS|com.auristor.filesystems.yfs|0|AuriStor, Inc.|4
>
> Why are there two policies and why is the latter disabled? On the other
> computer the extension is enabled and everything works fine, so I don't
> understand why even re-installing the client did not help here.
>
> WBR
> Jan
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
>

-- 
Daria Phoebe Brashear
AuriStor, Inc
dariaphoebe.com
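
A triage helper for the `kext_policy` rows quoted in this thread, as an added example that is not part of the original messages or of any AuriStor or Apple tooling. It assumes the column order `team_id|bundle_id|allowed|developer_name|flags` (inferred from the output above); the function names and the third sample row are constructed for illustration.

```shell
#!/bin/sh
# Reads pipe-separated kext_policy rows on stdin, as printed by the sqlite3
# query in the thread. Assumed column order (inferred, not documented here):
#   team_id|bundle_id|allowed|developer_name|flags
# For every row whose "allowed" column is 0, report the bundle ID and whether
# the same team ID already has a different bundle ID that is allowed. That is
# the situation in the thread: one developer, two bundle IDs, only one approved.
kext_policy_triage() {
    awk -F'|' '
        NF == 5 {
            n++
            team[n] = $1; bundle[n] = $2; allowed[n] = $3 + 0
            if (allowed[n] == 1)
                approved[$1] = (approved[$1] == "" ? "" : approved[$1] ",") $2
        }
        END {
            for (i = 1; i <= n; i++) {
                if (allowed[i] != 0) continue
                if (approved[team[i]] != "")
                    printf "%s: not allowed (team %s has allowed: %s)\n",
                           bundle[i], team[i], approved[team[i]]
                else
                    printf "%s: not allowed (team %s has no allowed kexts)\n",
                           bundle[i], team[i]
            }
        }'
}

# Sample input: the first two rows are the ones quoted in the thread,
# the third row is constructed to exercise the other branch.
sample_rows() {
    cat <<'EOF'
L2TGP62ZXS|com.your-file-system.filesystems.yfs|1|AuriStor, Inc.|12
L2TGP62ZXS|com.auristor.filesystems.yfs|0|AuriStor, Inc.|4
EXAMPLE000|com.example.driver|0|Example Corp (constructed)|0
EOF
}

sample_rows | kext_policy_triage
```

On a real system the input would come from the same read-only `SELECT` shown in the thread; the helper does not modify the policy database.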
