OK, still no luck (I wasn't confident that rxbind would do it, but I was happy to be guided (it was working in 1.4.7) :)

I have changed it now so that:

* all the IP addresses of the host are in the group for IP based ACLs
* using rxbind for afsd
* using Netinfo with only 10.1.3.1 (just one of the IPs that this host has)

And with tcpdump running (tcpdump -ni eth0 portrange 7000-7007):

    [r...@penguin ~]# klog user
    Password:
    11:03:26.042089 IP 10.1.3.1.47278 > 10.1.3.1.afs3-kaserver: rx data kauth call authenticate-v2 principal "user" "" (72)
    11:03:26.082665 IP 10.1.3.1.afs3-kaserver > 10.1.3.1.47278: rx data kauth reply authenticate-v2 (156)
    ...

    [r...@penguin ~]# fs la /afs/local/asterisk
    11:04:19.676138 IP 10.1.3.1.afs3-callback > 10.1.3.1.afs3-fileserver: rx data fs call fetch-acl fid 536871041/1/1 (44)
    11:04:19.676263 IP 10.1.3.1.afs3-fileserver > 10.1.3.1.afs3-callback: rx challenge (44)
    11:04:19.676323 IP 10.1.3.1.afs3-callback > 10.1.3.1.afs3-fileserver: rx response (116)
    11:04:19.676433 IP 10.1.3.1.afs3-fileserver > 10.1.3.1.afs3-prserver: rx data pt call op#234510314 (300)
    ...
    11:04:30.044638 IP 10.1.3.1.afs3-fileserver > 10.1.3.1.afs3-prserver: rx data pt call op#-704595638 (52)
    11:04:30.044819 IP 10.1.3.1.afs3-prserver > 10.1.3.1.afs3-fileserver: rx data pt reply op#-704595638 (556)
    11:04:30.044911 IP 10.1.3.1.afs3-fileserver > 10.1.3.1.afs3-prserver: rx ack first 2 serial 0 reason delay (65)
    11:04:30.044969 IP 10.1.3.1.afs3-fileserver > 10.1.3.1.afs3-callback: rx data fs reply fetch-acl [|fs] (192)
    Access list for /afs/local/asterisk is
    Normal rights:
      server:asterisk rlidwk
      system:administrators rlidwka
    11:04:30.045467 IP 10.1.3.1.afs3-callback > 10.1.3.1.afs3-fileserver: rx ack first 2 serial 0 reason delay (65)

(NOTICE that it took 11 seconds for this? Previously it was instantaneous)

    [r...@penguin ~]# pts membership server:asterisk
    Members of server:asterisk (id: -1005) are:
      10.1.3.65
      10.1.3.97
      10.1.3.193
      10.1.3.1
    [r...@penguin ~]# unlog
    [r...@penguin ~]# ls -al /afs/local/asterisk
    ls: /afs/local/asterisk: Permission denied

(BTW: With rxbind now in place, directory lookups are incredibly slow, and the afs-client took much longer to start - 15? seconds compared to <1... The traffic trace that I have omitted shows some chatter on 10.1.3.193 - I'm not sure if that is related to this connection, or others on that network).

So, my IP address based ACLs are still not working - whereas they were working in 1.4.7...

BTW: With this session, the ACLs were not working immediately after I restarted the client, in the past it has worked for 1-48 hours before it stopped... (The only thing I have changed is added -rxbind to afsd, and added the IP address to the group.)

Another BTW: I restarted the afsclient several times with -rxbind, and each time I could not list /afs/local/asterisk. As soon as I removed it, I could immediately list /afs/local/asterisk (as I would expect with the ACLs).

Please, do you have any more suggestions?

...deon

_______________________________________________
OpenAFS-devel mailing list
https://lists.openafs.org/mailman/listinfo/openafs-devel
