Thanks for getting back to me, I didn't see your message until now. Also
thanks for the explanation.
I've been able to get a little further by using `-localauth`. However, for
some reason `bos listkeys` now returns an empty list, whereas `asetkey`
does list 4 keys:
█[asus][openafs-1.8.9][1]$ sudo bos listkeys -localauth -server
asus.erjoalgo.com
All done.
█[asus][openafs-1.8.9][0]$ sudo asetkey list
rxkad_krb5 kvno 5 enctype 17; key is:
????????????????????????????????
rxkad_krb5 kvno 5 enctype 18; key is:
????????????????????????????????????????????????????????????????
rxkad_krb5 kvno 9 enctype 17; key is:
????????????????????????????????
rxkad_krb5 kvno 9 enctype 18; key is:
????????????????????????????????????????????????????????????????
All done.
█[asus][openafs-1.8.9][0]$
But according to this guide, which I have been trying to follow:
https://www.halolinux.us/debian-administration/openafs-installation-on-debian.html
the `bos listkeys` command should return the same keys that were added via
asetkey/akeyconvert.
Using strace and adding some debug logs into the `bos.c` source, I noticed
that it makes an RPC call to UDP port 7007, the process listening there is
`bosserver` invoked as:
█[asus][openafs-1.8.9][0]$ pgrep -af bosserver
75323 /usr/sbin/bosserver -nofork
Looking at `man bosserver` tells me that the bosserver log files are in
/var/log/openafs/BosLog. But unfortunately I don't see anything interesting
in the BosLog:
█[asus][git][0]$ sudo tail -f /var/log/openafs/BosLog
Sat Jun 1 12:46:13 2024: Core limits now -1 -1
Sat Jun 1 12:46:13 2024: Listening on 0.0.0.0:7007
Sat Jun 1 13:54:03 2024: Shutdown of BOS server and processes in
response to signal 15
Sat Jun 1 13:54:03 2024: Server directory access is okay
Sat Jun 1 13:54:03 2024: Core limits now -1 -1
Sat Jun 1 13:54:03 2024: Listening on 0.0.0.0:7007
Sat Jun 1 21:24:42 2024: Shutdown of BOS server and processes in
response to signal 15
Sat Jun 1 21:24:42 2024: Server directory access is okay
Sat Jun 1 21:24:42 2024: Core limits now -1 -1
Sat Jun 1 21:24:42 2024: Listening on 0.0.0.0:7007
I tried restarting the openafs-fileserver service to restart bosserver but
nothing changed.
I guess I will next try to compile bosserver and do some debugging to try
to understand which files it is reading and why it is returning an empty
set of keys despite asetkey reporting 4 keys.
Ernesto
On Wed, May 29, 2024 at 12:56 PM Cheyenne Wills <[email protected]>
wrote:
> Ernesto,
>
> Could you try adding -localauth to the command?
>
> sudo bos listkeys -server asus.erjoalgo.com -localauth
>
> The bos command is used to manage the openafs servers and requires that
> the user that is issuing the bos command be authenticated to kerberos
> unless the -localauth option is specified.
>
> The messages you are seeing in dmesg are related to the openafs
> cache manager kernel module which is part of the openafs client. The
> bos command does not use the openafs client (cache manager/kernel
> module) for communication to the servers.
>
> --
> Cheyenne Wills
> [email protected]
>
>
>
> On Tue, 28 May 2024 21:38:01 -0400
> Ernesto Alfonso <[email protected]> wrote:
> > Hello,
> >
> > I'm having trouble setting up openafs on debian bookworm.
> >
> > I've imported kerberos keys into openafs via `akeyconvert -all`:
> >
> > sudo asetkey list
> > rxkad_krb5 kvno 4 enctype 17; key is:
> > ????????????????????????????????
> > rxkad_krb5 kvno 4 enctype 18; key is:
> > ????????????????????????????????????????????????????????????????
> > All done.
> >
> >
> > I'm now try to use the bos command line, but this fails:
> >
> > $ sudo bos listkeys -server asus.erjoalgo.com
> > bos: unable to build security class (configuring connection
> > security)
> >
> > I have tried building `bos` from source to better understand the
> > context of the error message. I've only narrowed it down to:
> >
> > function afsconf_ClientAuthToken in auth/authcon.c
> > code = ktc_GetTokenEx(info->name, &tokenSet);
> >
> > function ktc_GetTokenEx in auth/ktc.c:
> > code = PIOCTL(0, VIOC_GETTOK2, &iob, 0);
> >
> > This returns a non-zero code, causing the command line to fail.
> >
> > What could be the reason that the PIOCTL command is failing? Is there
> > any way to get more information?
> >
> > I've tried rebuilding the kernel module as suggested here
> > <
> https://unix.stackexchange.com/questions/404247/openafs-suddenly-fails-a-pioctl-failed-while-obtaining-tokens
> >
> > :
> >
> > sudo dpkg-reconfigure openafs-modules-dkms
> >
> > And restarting the openafs-client service, but this does not change
> > anything.
> >
> > I only noticed some bening-looking warnings in dmesg:
> >
> > [ 20.377862] systemd-fstab-generator[637]: Checking was
> > requested for "/var/cache/openafs.img", but it is not a device.
> > [ 20.676946] systemd[1]:
> > /lib/systemd/system/openafs-client.service:22: Unit uses
> > KillMode=none. This is unsafe, as it disables systemd's process
> > lifecycle management for the service. Please update the service to
> > use a safer KillMode=, such as 'mixed' or 'control-group'. Support
> > for KillMode=none is deprecated and will eventually be removed.
> > [ 49.217272] openafs: loading out-of-tree module taints kernel.
> > [ 49.217278] openafs: module license '
> > http://www.openafs.org/dl/license10.html' taints kernel.
> > [ 49.217987] openafs: module verification failed: signature
> > and/or required key missing - tainting kernel
> >
> > I don't see anything interesting in the openafs-client service logs
> > or in syslog:
> >
> > $ sudo journalctl -feu openafs-client
> > May 28 09:03:43 asus systemd[1]: Starting openafs-client.service -
> > OpenAFS client...
> > May 28 09:03:50 asus afsd[1823]: afsd: All AFS daemons started.
> > May 28 09:03:50 asus afsd[1787]: afsd: All AFS daemons started.
> > May 28 09:03:50 asus systemd[1]: Started openafs-client.service -
> > OpenAFS client.
> > May 28 09:03:52 asus fs[1827]: Usage: /usr/bin/fs sysname
> > [-newsys <new
> > sysname>+] [-help]
> > May 28 21:11:53 asus systemd[1]: Stopping openafs-client.service -
> > OpenAFS client...
> > May 28 21:11:54 asus systemd[1]: openafs-client.service:
> > Deactivated successfully.
> > May 28 21:11:54 asus systemd[1]: Stopped openafs-client.service -
> > OpenAFS client.
> > May 28 21:11:54 asus systemd[1]: openafs-client.service: Consumed
> > 2.957s CPU time.
> > May 28 21:11:54 asus systemd[1]: Starting openafs-client.service -
> > OpenAFS client...
> > May 28 21:11:56 asus afsd[275229]: afsd: All AFS daemons started.
> > May 28 21:11:56 asus afsd[275250]: afsd: All AFS daemons started.
> > May 28 21:11:56 asus fs[275253]: Usage: /usr/bin/fs sysname
> > [-newsys <new sysname>+] [-help]
> > May 28 21:11:56 asus systemd[1]: Started openafs-client.service -
> > OpenAFS client.
> >
> > How can I further debug this bos error?
> >
> > openafs 1.8.9-1-debian
> >
> > $ sudo lsmod | grep openafs
> > openafs 2863104 2
> > $
> >
> > Ernesto
>
> _______________________________________________
> OpenAFS-info mailing list
> [email protected]
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
