Re: [OpenAFS] OpenAFS 1.8.X token problems

Wed, 22 May 2019 13:58:03 -0700 

Florian,

Please see my comments and questions interleaved below:

> On May 22, 2019, at 5:34 AM, Florian Möller 
> <fmoel...@mathematik.uni-wuerzburg.de> wrote:
> 
> we are experiencing problems with the 1.8.X client.
> 
> The servers of our cell run OpenAFS 1.8.3. Everything works fine using the 
> 1.6.X client. When using 1.8.X the following strange behaviour occurs:
> 
> aklog seems to obtain a token; "aklog -d username" gives
> 
> Authenticating to cell ifm (server [correct name]).
> Trying to authenticate to user's realm IFM.
> Getting tickets: afs/ifm@IFM
> Using Kerberos V5 ticket natively
> About to resolve name username to id in cell ifm.
> Id [correct id]
> Setting tokens. username @ ifm
> 
> But the token is not stored properly. "tokens" gives
> 
> Tokens held by the Cache Manager:
> 
> tokens: failed to get token info for cell ifm (code 11862788)
>   --End of list--

We can use a little-known OpenAFS utility to help with this: 
$ translate_et 11862788
11862788 (ktc).4 = a pioctl failed

This is KTC_PIOCTLFAIL.  But which pioctl failed, and why?

Your strace was very helpul in that respect:
> 
> Here are the relevant portions of "strace tokens":
> 
> openat(AT_FDCWD, "/proc/fs/openafs/afs_ioctl", O_RDONLY) = 3
> ioctl(3, _IOC(_IOC_WRITE, 0x43, 0x1, 0x8), 0x7ffc3529aae0) = -1 EDOM 
> (Numerical argument out of domain)

Pioctl 0x8 is VIOCGETTOK (get token); it is usually called repeatedly to obtain 
one token at a time, and returns EDOM to indicate there are no more tokens for 
the requested user.  So this EDOM is not necessarily a problem.

However, the fact that you are running 1.8.x but calling VIOCGETTOK may be a 
clue.  VIOCGETTOK is a "legacy" 1.6.x token interface; 1.8.x clients (e.g. 
aklog, tokens) will call the 1.8.x token interface VIOC_GETTOK2 first, and fall 
back to VIOCGETTOK if there is a problem.  So your strace tells me there was 
some kind of problem that caused a fallback.

Before we go any further with that, I would like you to verify that all the 
OpenAFS components are the same version.  Please provide the output from the 
following commands:
- rxdebug <client> 7001 -version
- strings $(which aklog) | grep OpenAFS
- strings $(which tokens) | grep OpenAFS

Thanks,
--
Mark Vitale
mvit...@sinenomine.net



:��T���&j)b�   b�өzpJ)ߢ�^��좸!��l��b��(���~�+��Y���b�ا~����~ȧ~

Reply via email to