
I'm having trouble setting up openafs on debian bookworm.

I've imported kerberos keys into openafs via akeyconvert -all:

sudo asetkey list
rxkad_krb5      kvno    4 enctype 17; key is: ????????????????????????????????
rxkad_krb5      kvno    4 enctype 18; key is: ????????????????????????????????????????????????????????????????
All done.

I'm now trying to use the bos command line, but this fails:

$ sudo bos listkeys -server asus.erjoalgo.com
bos: unable to build security class (configuring connection security)

I have tried building bos from source to better understand the context of the error message. I've only narrowed it down to:

function afsconf_ClientAuthToken in auth/authcon.c:
    code = ktc_GetTokenEx(info->name, &tokenSet);

function ktc_GetTokenEx in auth/ktc.c:
    code = PIOCTL(0, VIOC_GETTOK2, &iob, 0);

This returns a non-zero code, causing the command line to fail.

What could be the reason that the PIOCTL call is failing? Is there any way to get more information?

I've tried rebuilding the kernel module as suggested here:

sudo dpkg-reconfigure openafs-modules-dkms

And restarting the openafs-client service, but this does not change anything.

I only noticed some benign-looking warnings in dmesg:

[   20.377862] systemd-fstab-generator[637]: Checking was requested for "/var/cache/openafs.img", but it is not a device.
[   20.676946] systemd[1]: /lib/systemd/system/openafs-client.service:22: Unit uses KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update the service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
[   49.217272] openafs: loading out-of-tree module taints kernel.
[   49.217278] openafs: module license 'http://www.openafs.org/dl/license10.html' taints kernel.
[   49.217987] openafs: module verification failed: signature and/or required key missing - tainting kernel

I don't see anything interesting in the openafs-client service logs or in syslog:

$ sudo journalctl -feu openafs-client
May 28 09:03:43 asus systemd[1]: Starting openafs-client.service - OpenAFS client...
May 28 09:03:50 asus afsd[1823]: afsd: All AFS daemons started.
May 28 09:03:50 asus afsd[1787]: afsd: All AFS daemons started.
May 28 09:03:50 asus systemd[1]: Started openafs-client.service - OpenAFS client.
May 28 09:03:52 asus fs[1827]: Usage: /usr/bin/fs sysname [-newsys <new sysname>+] [-help]
May 28 21:11:53 asus systemd[1]: Stopping openafs-client.service - OpenAFS client...
May 28 21:11:54 asus systemd[1]: openafs-client.service: Deactivated successfully.
May 28 21:11:54 asus systemd[1]: Stopped openafs-client.service - OpenAFS client.
May 28 21:11:54 asus systemd[1]: openafs-client.service: Consumed 2.957s CPU time.
May 28 21:11:54 asus systemd[1]: Starting openafs-client.service - OpenAFS client...
May 28 21:11:56 asus afsd[275229]: afsd: All AFS daemons started.
May 28 21:11:56 asus afsd[275250]: afsd: All AFS daemons started.
May 28 21:11:56 asus fs[275253]: Usage: /usr/bin/fs sysname [-newsys <new sysname>+] [-help]
May 28 21:11:56 asus systemd[1]: Started openafs-client.service - OpenAFS client.

How can I further debug this bos error?

openafs 1.8.9-1-debian

$ sudo lsmod | grep openafs
openafs 2863104 2
$ bos: unable to build security class (configuring connection security)


The bos command works over the network, so it expects the user to have credentials available in order to authenticate to the server.

That is, you're supposed to run aklog and get AFS tokens first (using your Kerberos tickets, so you also need to kinit before that). Use tokens to check what tokens you currently have.

$ bos listkeys -server ember
bos: unable to build security class (configuring connection security)

$ aklog [-d]

$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 2001) rxkad tokens for nullroute.lt [Expires Jun 21 22:01]
   --End of list--

$ bos listkeys -server ember
All done.

The AFS kernel module must be loaded even for bos/pts/etc., because OpenAFS stores your tokens directly in the kernel (even if you don't have /afs mounted yet).

If you're only using bos to configure the local server, you can use the -localauth option to have the program directly read the service keyfile and craft a ticket for itself:

$ unlog
# sudo bos listkeys -localauth -server localhost
All done.

(There is no output because bos listkeys can only list DES keys, which this cell does not have. There are no bos commands for working with KeyFileExt.)
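As an added example that is not part of the question or the answer above, the following script turns the answer's reasoning into a pre-flight check: it parses the `tokens` output format shown in the answer and reports whether a plain `bos` will work, whether `kinit && aklog` is needed first, or whether the kernel module is missing (in which case `-localauth` on the server is the remaining option). The sample `tokens` output and the cell name `example.cell` are constructed; `afs_module_loaded` assumes `lsmod` output like the asker's.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Pre-flight check mirroring the answer: bos needs AFS tokens held by the
# kernel (so the openafs module must be loaded), or -localauth on the server.

# afs_module_loaded: prints 1 if the openafs kernel module is loaded, else 0.
# Assumes lsmod output shaped like the asker's "openafs 2863104 2" line.
afs_module_loaded() {
    if lsmod 2>/dev/null | grep -q '^openafs '; then echo 1; else echo 0; fi
}

# afs_tokens_for_cell CELL   (reads `tokens` output on stdin)
# Prints the matching token line and returns 0 if the Cache Manager holds
# rxkad tokens for CELL; returns 1 otherwise. Assumes the line format shown
# in the answer: "User's (AFS ID N) rxkad tokens for CELL [Expires ...]".
afs_tokens_for_cell() {
    awk -v cell="$1" '
        /rxkad tokens for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "for" && $(i + 1) == cell) { found = 1; print; exit }
        }
        END { exit found ? 0 : 1 }'
}

# bos_auth_mode CELL MODULE_LOADED   (reads `tokens` output on stdin)
# Prints one word saying what to do before running bos against CELL:
#   module    - kernel module not loaded, so tokens cannot be stored at all
#   tokens    - tokens for CELL are present, a plain bos call will work
#   localauth - no tokens: run kinit && aklog, or use -localauth on the server
bos_auth_mode() {
    cell="$1"; loaded="$2"
    if [ "$loaded" -ne 1 ]; then echo module; return 0; fi
    if afs_tokens_for_cell "$cell" >/dev/null; then echo tokens; return 0; fi
    echo localauth
}

# Constructed sample of `tokens` output, shaped like the one in the answer.
SAMPLE_TOKENS="Tokens held by the Cache Manager:
User's (AFS ID 2001) rxkad tokens for nullroute.lt [Expires Jun 21 22:01]
   --End of list--"

# Demo: a cell we hold tokens for versus a placeholder cell we do not.
printf '%s\n' "$SAMPLE_TOKENS" | bos_auth_mode nullroute.lt 1      # tokens
printf '%s\n' "$SAMPLE_TOKENS" | bos_auth_mode example.cell 1      # localauth
printf '%s\n' "$SAMPLE_TOKENS" | bos_auth_mode nullroute.lt 0      # module
```

On a live host, replace the sample with `tokens | bos_auth_mode <cell> "$(afs_module_loaded)"`.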
