On Tue, 24 Sep 2013 23:31:22 +0300 (EEST) "Jukka Tuominen" <[email protected]> wrote:
> > Okay, I thought you meant they were just offline or something. If > > that's the problem, then it probably is related to authentication; > > it seems more like the authentication setup is broken, not related > > to the migration. Are your tokens not working at all, then? (A way > > to test would be to try writing to, say, a new file in /afs/.cell/ ) > > mkdir saids it cannot be done because it's readonly. For a dir in /afs/.cell? Not /afs/cell, but /afs/.cell; that is, /afs/.[new.domain]. Can you 'fs lsm' /afs/.[new.domain] ? > According to the syslog, the cause might be the ldap service which is > still somehow off sync, eventhough it is trying to contact the new > domain. But I don't know whether it should prevent root/admin > accessing dirs? No, it should not. What you're looking for are messages that say something like 'invalid tokens' or 'tokens discarded' from AFS. If you see anything like that, the kerberos stuff is broken, so you won't be able to access anything that requires authentication. If you do not see that, you can turn up debugging in the fileserver to see who the fileserver thinks you are when you are accessing it, and it may provide insight into why you are getting permissions errors. To turn up debugging all the way in the fileserver, 'pkill -TSTP fileserver' 4 times (or 'pkill -TSTP dafileserver' if you're running DAFS). Then run 'fs la' on the directory you're getting an error for, and you should see a bunch of entries in FileLog. Run 'pkill -HUP fileserver' to turn off debugging (or 'pkill -HUP dafileserver' for DAFS). Then provide the debugging FileLog entries. Either just send it to me privately or post it with obfuscation or whatever you want to do :) -- Andrew Deason [email protected] _______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
