The OSX installer from OpenAFS.org uses a self-signed certificate to
sign both afsd and the kext.  In the past this has been sufficient to
permit the cache manager to receive traffic from endpoints that it
contacts provided that the firewall option

  Automatically allow signed software to receive
  incoming connections

is checked.

Note that the endpoint is the address and port.  You should not expect
to be able to query the cache manager with cmdebug or rxdebug with the
firewall enabled since the cache manager did not initiate contact with
those endpoints.

It is possible (and I haven't checked this) that Mavericks is no longer
permitting any packets to be received if the kext is legacy and/or
signed by a self-signed certificate.  I have confirmed that the OSX
installers provided by Your File System Inc. to its support customers do
successfully receive callbacks from file servers.  These installers are
Mavericks native (not legacy) and are signed using Apple issued
certificates.

Jeffrey Altman


On 3/6/2014 10:54 AM, Dan van der Ster wrote:
> Hi all,
> Apologies if this has been already documented, but I didn't find anything.
> 
> We have a Mac user complaining about problems with AFS connectivity.
> It appears that his local Mac (Mavericks) firewall is preventing
> callbacks to 7001. When he turns off the Mac firewall, we cmdebug to
> his host.
> 
> Normally, signed executables can have ports opened (evidenced by the
> similarly named checkbox in the system prefs). But since 1.6.6 is not
> signed, I presume its ports are not being opened by Mac OS.
> 
> Is there a workaround for this, other than turning off the firewall 
> completely?
> 
> Best Regards,
> Dan
> 
> -- Dan van der Ster || Data & Storage Services || CERN IT Department --
