[OpenAFS] OpenAFS 1.8.X token problems

Florian Möller fmoeller@mathematik.uni-wuerzburg.de
Wed, 22 May 2019 11:34:08 +0200


Hi,

we are experiencing problems with the 1.8.X client.

The servers of our cell run OpenAFS 1.8.3. Everything works fine using 
the 1.6.X client. When using 1.8.X the following strange behaviour occurs:

aklog seems to obtain a token; "aklog -d username" gives

Authenticating to cell ifm (server [correct name]).
Trying to authenticate to user's realm IFM.
Getting tickets: afs/ifm@IFM
Using Kerberos V5 ticket natively
About to resolve name username to id in cell ifm.
Id [correct id]
Setting tokens. username @ ifm

But the token is not stored properly. "tokens" gives

Tokens held by the Cache Manager:

tokens: failed to get token info for cell ifm (code 11862788)
    --End of list--

Here are the relevant portions of "strace tokens":

openat(AT_FDCWD, "/proc/fs/openafs/afs_ioctl", O_RDONLY) = 3
ioctl(3, _IOC(_IOC_WRITE, 0x43, 0x1, 0x8), 0x7ffc3529aae0) = -1 EDOM (Numerical argument out of domain)
close(3)
write(1, "tokens: failed to get token info"..., 62tokens: failed to get token info for cell ifm (code 11862788)
) = 62
openat(AT_FDCWD, "/proc/fs/openafs/afs_ioctl", O_RDONLY) = 3
ioctl(3, _IOC(_IOC_WRITE, 0x43, 0x1, 0x8), 0x7ffc3529aaf0) = -1 EDOM (Numerical argument out of domain)
close(3)
[... The three lines above repeat several times ...]
write(1, "   --End of list--\n", 19   --End of list--)    = 19
exit_group(0)                           = ?
+++ exited with 0 +++


After issuing aklog, file access with the correct permissions is 
possible. So afsd seems to be able to use the token.

But it is impossible to use the token for non file access-related 
things, for instance:

pts exa username gives

libprot: unable to build security class (getting token)
libprot: Could not get afs tokens, running unauthenticated

vos rel somevolumename gives

vos: Could not get afs tokens, running unauthenticated.
Could not lock the VLDB entry for the volume [some number].
VLDB: no permission access for call
Error in vos release command.
VLDB: no permission access for call

Can anyone explain this behaviour? How can we solve the problem?

Thanks,
Florian


-- 
Dr. Florian Möller
Universität Würzburg
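
Added example, not part of the original message and not OpenAFS code: the "(code N)" values printed by the AFS tools follow the com_err convention, in which the low 8 bits are a message offset and the bits above pack the error-table name in 6-bit characters. The sketch below splits the code from the "tokens" output above into table name and offset, so the matching error table can be looked up in the source tree; the function names are this example's own.

```python
import errno
import re

# Alphabet and field widths of the com_err error-table encoding.
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
ERRCODE_RANGE = 8      # low 8 bits: offset of the message inside its table
BITS_PER_CHAR = 6      # table name: up to four 6-bit characters above that

def table_name(code):
    """Return the error-table name packed into a com_err code ('' if none)."""
    num = (code >> ERRCODE_RANGE) & 0o77777777
    name = ""
    for i in range(3, -1, -1):
        ch = (num >> (BITS_PER_CHAR * i)) & 0x3F
        if ch:
            name += CHARSET[ch - 1]   # values are 1-based, 0 means "no char"
    return name

def table_base(name):
    """Inverse of table_name: the base code of a table with this name."""
    num = 0
    for c in name:
        num = (num << BITS_PER_CHAR) | (CHARSET.index(c) + 1)
    return num << ERRCODE_RANGE

def decode(code):
    """Split a code into (table, offset); plain errno values get table 'errno'."""
    if code < 0:
        return ("raw", code)          # negative codes are not table-encoded
    name = table_name(code)
    if not name:
        # No table bits set: an ordinary errno such as the EDOM seen in strace.
        return ("errno", errno.errorcode.get(code, code))
    return (name, code & 0xFF)

def codes_in(text):
    """Decode every '(code N)' found in tool output."""
    found = re.findall(r"\(code (-?\d+)\)", text)
    return [(int(n), *decode(int(n))) for n in found]

# The line reported in the message above, used as sample input.
SAMPLE = "tokens: failed to get token info for cell ifm (code 11862788)\n"

if __name__ == "__main__":
    for raw, table, offset in codes_in(SAMPLE):
        print(f"{raw}: table={table} base={table_base(table)} offset={offset}")
```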