[OpenAFS] NetRestrict
Environment: Volserver is OpenAFS 1.4.2 built 2007-02-19. OS is Suse 10.2. Server has an iSCSI enclosure on a private IP address (192.168.0.9).

I put a NetRestrict file in place in /usr/afs/local/; inside the file I put one line:

    192.168.0.255

hoping to cover the entire subnet. Restart bosserver, move a volume over, and when I run vos listaddr it lists 192.168.0.9.

If I repeat the same experiment, moving the volume off the server and deleting the address from the VLDB, then explicitly declaring only 192.168.0.9, moving the volume back on the server and restarting bosserver, it fails as well.

So does the NetInfo file have to exist as well to fix this?

/sd

--
Steve Devine
Storage Systems
Academic Computing Network Services
Michigan State University
506 Computer Center
East Lansing, MI 48824-1042
1-517-432-7327

Baseball is ninety percent mental; the other half is physical. - Yogi Berra

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] NetRestrict
On Wed, 14 Mar 2007, Steve Devine wrote:

> Environment: Volserver is OpenAFS 1.4.2 built 2007-02-19. OS is Suse 10.2.
> Server has an iSCSI enclosure on a private IP address (192.168.0.9).
>
> I put a NetRestrict file in place in /usr/afs/local/; inside the file I put
> one line, 192.168.0.255, hoping to cover the entire subnet.

It doesn't work that way.

> Restart bosserver, move a volume over, and when I run vos listaddr it lists
> 192.168.0.9.
>
> If I repeat the same experiment, moving the volume off the server and
> deleting the address from the VLDB, then explicitly declaring only
> 192.168.0.9, moving the volume back on the server and restarting bosserver,
> it fails as well.
>
> So does the NetInfo file have to exist as well to fix this?

Possibly, but I thought masking the address was sufficient.

Some relevant fixes are in 1.4.3.
Re: [OpenAFS] NetRestrict
Derrick J Brashear wrote:
> On Wed, 14 Mar 2007, Steve Devine wrote:
>
>> Environment: Volserver is OpenAFS 1.4.2 built 2007-02-19. OS is Suse 10.2.
>> Server has an iSCSI enclosure on a private IP address (192.168.0.9).
>>
>> I put a NetRestrict file in place in /usr/afs/local/; inside the file I
>> put one line, 192.168.0.255, hoping to cover the entire subnet.
>
> It doesn't work that way.

I must have read this wrong then:

    The *NetRestrict* file is in ASCII format. One IP address appears on
    each line, in dotted decimal format. The order of the addresses is not
    significant. The value *255* is a wildcard that represents all possible
    addresses in that field. For example, the value *192.12.105.255*
    indicates that the Cache Manager does not register any of the addresses
    in the *192.12.105* subnet.

>> Restart bosserver, move a volume over, and when I run vos listaddr it
>> lists 192.168.0.9.
>>
>> If I repeat the same experiment, moving the volume off the server and
>> deleting the address from the VLDB, then explicitly declaring only
>> 192.168.0.9, moving the volume back on the server and restarting
>> bosserver, it fails as well.
>>
>> So does the NetInfo file have to exist as well to fix this?
>
> Possibly, but I thought masking the address was sufficient.
>
> Some relevant fixes are in 1.4.3.

/sd
Re: [OpenAFS] NetRestrict
On Wed, 14 Mar 2007, Steve Devine wrote:

> Derrick J Brashear wrote:
>> On Wed, 14 Mar 2007, Steve Devine wrote:
>>
>>> Environment: Volserver is OpenAFS 1.4.2 built 2007-02-19. OS is Suse
>>> 10.2. Server has an iSCSI enclosure on a private IP address
>>> (192.168.0.9).
>>>
>>> I put a NetRestrict file in place in /usr/afs/local/; inside the file I
>>> put one line, 192.168.0.255, hoping to cover the entire subnet.
>>
>> It doesn't work that way.
>
> I must have read this wrong then:
>
>     The *NetRestrict* file is in ASCII format. One IP address appears on
>     each line, in dotted decimal format. The order of the addresses is
>     not significant. The value *255* is a wildcard that represents all
>     possible addresses in that field. For example, the value
>     *192.12.105.255* indicates that the Cache Manager does not register
>     any of the addresses in the *192.12.105* subnet.

I'll reread the code later, but I don't remember that piece of code. I was in that code in the last month, literally, because it turns out the fake IP address support doesn't actually work correctly if you also have a NetRestrict file.
Re: [OpenAFS] Passwordless login through ssh on krb5/afs enabled workstation.
I am using PAM + AFS to authenticate the user. I have given permissions to everybody to read the .ssh directory of the user's home directory, but ssh complains with:

    pam_afs[25129]: AFS Won't use illegal password for user walter

How could I resolve it?

Thanks
Walter

On Thu, 2007-03-08 at 10:20 -0500, Jim Rees wrote:
> Alexander Al wrote:
>
>> I'll tell the user: can't (because he is connecting from outside.)
>
> That's the wrong answer. This should go in a FAQ somewhere.
>
> You just need to make the public key world readable. That's difficult
> because ssh wants to put public and private keys both in the same
> directory, and afs puts the same acls on all files in a directory. But
> with creative use of symlinks it can certainly be done. Here is how I do
> it. It's not the only way, maybe not the best way, but it works for me.
>
>   % cd .ssh
>   % ls -l
>   total 17
>   -rw-r--r--  1 rees  staff   828 Nov 16  2005 authorized_keys
>   -rw-r--r--  1 rees  staff    62 Dec 18 17:08 check-dups
>   lrwxr-xr-x  1 rees  wheel    14 Jan  1  1999 config -> private/config
>   -rw-r--r--  1 rees  staff    52 Jan 10  2006 config-um
>   -rw-r--r--  1 rees  wheel    31 Jan  1  1999 environment
>   lrwxr-xr-x  1 rees  wheel    14 Oct 13  2000 id_dsa -> private/id_dsa
>   -rw-r--r--  1 rees  wheel   604 Oct 13  2000 id_dsa.pub
>   lrwxr-xr-x  1 rees  wheel    14 Jun 30  2003 id_rsa -> private/id_rsa
>   -rw-r--r--  1 rees  staff   224 Jun 30  2003 id_rsa.pub
>   lrwxr-xr-x  1 rees  wheel    16 Mar  7  1997 identity -> private/identity
>   -rw-r--r--  1 rees  wheel   333 Feb  8  1999 identity.pub
>   lrwxr-xr-x  1 rees  wheel    19 Mar  7  1997 known_hosts -> private/known_hosts
>   drwxr-xr-x  2 rees  wheel  2048 Mar  5 12:16 private
>   lrwxr-xr-x  1 rees  wheel    19 Mar  7  1997 random_seed -> private/random_seed
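The split layout Jim Rees shows above, as an added script that is not part of the thread: public material (authorized_keys, *.pub) stays in ~/.ssh, which gets a world-readable AFS ACL so sshd can read it, while private keys, config and known_hosts move into ~/.ssh/private, which gets a restrictive ACL, with relative symlinks keeping the usual paths working. The ACL entries, the list of files treated as private and the `fs setacl` usage are assumptions; the script falls back to plain file modes when the `fs` command is not present.

```shell
#!/bin/sh
# Added example; not code from the mailing-list thread.
# Usage: ./split-ssh.sh <ssh-dir> <afs-user>

setup_split_ssh() {
    sshdir=$1
    owner=$2

    # Create the private subdirectory and lock it down BEFORE moving keys
    # into it: in AFS a new directory inherits its parent's ACL, and a file
    # is protected by the ACL of the directory that currently contains it.
    mkdir -p "$sshdir/private"
    chmod 700 "$sshdir/private"
    if command -v fs >/dev/null 2>&1; then
        # -clear drops inherited entries (e.g. system:anyuser rl) first.
        fs setacl -dir "$sshdir/private" -clear -acl "$owner" all
    else
        echo "fs not found; relying on mode 0700 for $sshdir/private" >&2
    fi

    # Secret or tamper-sensitive files (assumed list, mirroring the listing
    # in the thread): move each one and leave a relative symlink behind.
    for f in identity id_dsa id_rsa config known_hosts random_seed; do
        if [ -f "$sshdir/$f" ] && [ ! -L "$sshdir/$f" ]; then
            mv "$sshdir/$f" "$sshdir/private/$f"
            chmod 600 "$sshdir/private/$f"
            ln -s "private/$f" "$sshdir/$f"
        fi
    done

    # Public half: the directory and the key files sshd reads must be
    # readable by everyone, which in AFS means a system:anyuser rl entry.
    chmod 755 "$sshdir"
    for f in "$sshdir"/*.pub "$sshdir"/authorized_keys "$sshdir"/authorized_keys2; do
        if [ -f "$f" ]; then
            chmod 644 "$f"
        fi
    done
    if command -v fs >/dev/null 2>&1; then
        fs setacl -dir "$sshdir" -acl "$owner" all system:anyuser rl
    fi
}

# Run directly with two arguments; do nothing when sourced.
if [ $# -eq 2 ]; then
    setup_split_ssh "$1" "$2"
fi
```

The order matters: if the private subdirectory were created after ~/.ssh had already been opened to system:anyuser, it would inherit that entry and the private keys would be readable until the ACL was corrected.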
Re: [OpenAFS] Passwordless login through ssh on krb5/afs enabled workstation.
Walter Lamagna [EMAIL PROTECTED] writes:

> I am using PAM + AFS to authenticate the user. I have given permissions to
> everybody to read the .ssh directory of the user's home directory, but ssh
> complains with:
>
>     pam_afs[25129]: AFS Won't use illegal password for user walter
>
> How could I resolve it?

If this is still in the context of password-less login, you can't use the AFS PAM module that comes in the OpenAFS source tree with that.

--
Russ Allbery ([EMAIL PROTECTED])             http://www.eyrie.org/~eagle/
Re: [OpenAFS] Passwordless login through ssh with pam/afs.
Yes, I want to log in to a server through ssh authenticating with a public key, using the authorized_keys2 file located in the user's home directory. I have this directive in sshd_config:

    AuthorizedKeysFile ~/.ssh/authorized_keys2

How can I do this?

Thanks
Walter

On Wed, 2007-03-14 at 08:39 -0700, Russ Allbery wrote:
> Walter Lamagna [EMAIL PROTECTED] writes:
>
>> I am using PAM + AFS to authenticate the user. I have given permissions
>> to everybody to read the .ssh directory of the user's home directory, but
>> ssh complains with:
>>
>>     pam_afs[25129]: AFS Won't use illegal password for user walter
>>
>> How could I resolve it?
>
> If this is still in the context of password-less login, you can't use the
> AFS PAM module that comes in the OpenAFS source tree with that.
Re: [OpenAFS] Passwordless login through ssh with pam/afs.
Walter Lamagna [EMAIL PROTECTED] writes:

> Yes, I want to log in to a server through ssh authenticating with a public
> key, using the authorized_keys2 file located in the user's home directory.
> I have this directive in sshd_config:
>
>     AuthorizedKeysFile ~/.ssh/authorized_keys2
>
> How can I do this?

Like that, with making that directory world-readable.

However, after the person logs in, they won't have AFS tokens, and you can't run the AFS PAM module for those logins since it can't do anything meaningful without a password. (In general, you don't want to be using the pam_afs from the OpenAFS source tree at all unless you're running a Kerberos infrastructure based on AFS kaserver, which you don't want to be doing, so I'll just go back to you don't want to be using that module at all.)

If you want people to be able to log in with ssh public key authentication and also get an AFS token, well, the answer is that you can't do that. There's no way currently to go from ssh public key authentication to an AFS token.

--
Russ Allbery ([EMAIL PROTECTED])             http://www.eyrie.org/~eagle/
Re: [OpenAFS] NetRestrict
Derrick J Brashear wrote:
> On Wed, 14 Mar 2007, Steve Devine wrote:
>
>> Derrick J Brashear wrote:
>>> On Wed, 14 Mar 2007, Steve Devine wrote:
>>>
>>>> Environment: Volserver is OpenAFS 1.4.2 built 2007-02-19. OS is Suse
>>>> 10.2. Server has an iSCSI enclosure on a private IP address
>>>> (192.168.0.9).
>>>>
>>>> I put a NetRestrict file in place in /usr/afs/local/; inside the file
>>>> I put one line, 192.168.0.255, hoping to cover the entire subnet.
>>>
>>> It doesn't work that way.
>>
>> I must have read this wrong then:
>>
>>     The *NetRestrict* file is in ASCII format. One IP address appears
>>     on each line, in dotted decimal format. The order of the addresses
>>     is not significant. The value *255* is a wildcard that represents
>>     all possible addresses in that field. For example, the value
>>     *192.12.105.255* indicates that the Cache Manager does not register
>>     any of the addresses in the *192.12.105* subnet.
>
> I'll reread the code later, but I don't remember that piece of code. I was
> in that code in the last month, literally, because it turns out the fake
> IP address support doesn't actually work correctly if you also have a
> NetRestrict file.

Further developments.

With a NetRestrict file in place you can list IPs to restrict like so:

    192.168.0.7
    192.168.0.8
    192.168.0.9
    192.168.0.10

And this works, which is really all I want. This way I can make one file to go on many servers. The NetInfo file is not required, but it is best to delete the sysid file before starting the bosserver. This ensures that the server you want registered in the VLDB gets registered.

/sd
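Two helpers for the NetRestrict workflow Steve ends up with, as an added example that is not from the thread: one writes the file as literal addresses, one per line, and refuses a 255 "wildcard" line, since the thread reports that the 1.4.2 server does not treat it as a subnet mask (a file that looks restrictive but restricts nothing is the failure mode to avoid); the other predicts which of the server's addresses will still be registered, for comparison with `vos listaddr`. The exact-match behaviour is assumed from the thread; the function names and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example; not code from the mailing-list thread or from OpenAFS.

# Succeed only for a literal dotted quad whose octets are all 0-254.
is_literal_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # junk, empty field, stray dot
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # 255 is the documented wildcard; per the thread the 1.4.2 server
        # does not expand it, so a literal-only file must not contain it.
        [ "$octet" -le 254 ] 2>/dev/null || return 1
    done
    return 0
}

# netrestrict_write <file> <addr>...
# Writes one literal address per line; returns 1 and writes nothing if any
# entry is not a plain address (so a bad file never reaches the server).
netrestrict_write() {
    file=$1; shift
    for a in "$@"; do
        if ! is_literal_ipv4 "$a"; then
            echo "refusing '$a': NetRestrict entries must be literal addresses" >&2
            return 1
        fi
    done
    printf '%s\n' "$@" > "$file"
}

# netrestrict_keep <file> <addr>...
# Prints the addresses NOT listed literally in the file: what you should
# expect vos listaddr to show for this server after a restart.
netrestrict_keep() {
    file=$1; shift
    for a in "$@"; do
        grep -qxF -- "$a" "$file" || echo "$a"
    done
}
```

Typical use is `netrestrict_write /usr/afs/local/NetRestrict 192.168.0.7 192.168.0.8 192.168.0.9 192.168.0.10` on each server, then `netrestrict_keep /usr/afs/local/NetRestrict <all interface addresses>` to see the expected public set before removing sysid and restarting bosserver as Steve describes.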
Re: [OpenAFS] Passwordless login through ssh with pam/afs.
Thanks for your answer. It is acceptable for me not to have the token when I ssh; the ~/.ssh directory in the user's home (which is in AFS) is publicly readable. But I do get this error when I want to ssh to the host:

    pam_afs[26655]: AFS Won't use illegal password for user integra

Does pam_afs restrict the login because I am willing to use a public key with ssh?

Thanks
Walter

On Wed, 2007-03-14 at 08:55 -0700, Russ Allbery wrote:
> Walter Lamagna [EMAIL PROTECTED] writes:
>
>> Yes, I want to log in to a server through ssh authenticating with a
>> public key, using the authorized_keys2 file located in the user's home
>> directory. I have this directive in sshd_config:
>>
>>     AuthorizedKeysFile ~/.ssh/authorized_keys2
>>
>> How can I do this?
>
> Like that, with making that directory world-readable.
>
> However, after the person logs in, they won't have AFS tokens, and you
> can't run the AFS PAM module for those logins since it can't do anything
> meaningful without a password. (In general, you don't want to be using
> the pam_afs from the OpenAFS source tree at all unless you're running a
> Kerberos infrastructure based on AFS kaserver, which you don't want to be
> doing, so I'll just go back to you don't want to be using that module at
> all.)
>
> If you want people to be able to log in with ssh public key
> authentication and also get an AFS token, well, the answer is that you
> can't do that. There's no way currently to go from ssh public key
> authentication to an AFS token.
Re: [OpenAFS] Passwordless login through ssh with pam/afs.
Walter Lamagna [EMAIL PROTECTED] writes:

> Thanks for your answer. It is acceptable for me not to have the token when
> I ssh; the ~/.ssh directory in the user's home (which is in AFS) is
> publicly readable. But I do get this error when I want to ssh to the host:
>
>     pam_afs[26655]: AFS Won't use illegal password for user integra

You can't use pam_afs as a session module if you're using public key authentication because pam_afs doesn't know what to do without a password. You need to change your PAM configuration so that pam_afs is not used in this case or so that its return status is ignored.

> Does pam_afs restrict the login because I am willing to use a public key
> with ssh?

pam_afs is failing because it doesn't have a password, and apparently it's a required module in your PAM stack and therefore is aborting the login.

--
Russ Allbery ([EMAIL PROTECTED])             http://www.eyrie.org/~eagle/
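The PAM change Russ describes, shown as an added illustration rather than configuration from the thread: the first fragment reproduces the failing stack, where pam_afs is "required" and a public-key login (which reaches PAM with no password) is aborted; the second marks it "optional", so its return status is ignored and the login succeeds without an AFS token. Linux-PAM syntax; the file name and the pam_unix lines are assumptions, only the pam_afs control flag is the point.

```conf
# /etc/pam.d/sshd -- failing: pam_afs is required, so when sshd runs the
# session stack for a public-key login there is no password, pam_afs
# returns failure ("AFS Won't use illegal password") and the login aborts.
auth     required   pam_unix.so
account  required   pam_unix.so
session  required   pam_unix.so
session  required   pam_afs.so

# /etc/pam.d/sshd -- corrected: "optional" makes pam_afs's result
# non-fatal. Password logins still get a token; key logins get none.
auth     required   pam_unix.so
account  required   pam_unix.so
session  required   pam_unix.so
session  optional   pam_afs.so
```

If pam_afs also appears in the auth stack, give that line the same treatment; the alternative Russ mentions, not listing pam_afs for sshd at all, removes both lines.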
[OpenAFS] Vista compatibility
I'll be upgrading both hardware and software for our AFS servers next summer. Will OpenAFS 1.4.x on the servers be compatible with the client for MS Vista when it is ready, or will I need to upgrade the server software to 1.5 too?

--
veritatas simplex oratio est -Seneca

Andrew Bacchi
Systems Programmer
Rensselaer Polytechnic Institute
phone: 518.276.6415 fax: 518.276.2809
http://www.rpi.edu/~bacchi/
[OpenAFS] Windows XP SP2, OpenAFS 1.4.3rc3, KfW 2.6.5
I'm having a problem getting OpenAFS 1.4.3 and KfW 2.6.5 working properly. I'm working on Windows XP SP2 joined to a Windows 2003 Active Directory domain. I installed and configured both clients (OpenAFS and KfW). When I log in to the domain with my user account I get AFS tokens and Kerberos V tickets (per the leash32 GUI), but I receive an "Access is Denied" message when attempting to navigate to any AFS directory such as \\afs\nd.edu\.

I'm not sure if this is of any relevance, but our Active Directory domain and our MIT Kerberos V realm are named the same (ND.EDU).

I disabled the use of Kerberos IV because I need to get pure Kerb5 authentication working so we can plan to phase out its use here at Notre Dame.

Any ideas what could be causing this problem?

--James
Univ. of Notre Dame
Systems Engineer
Re: [OpenAFS] Windows XP SP2, OpenAFS 1.4.3rc3, KfW 2.6.5
James Rogers wrote:
> I'm having a problem getting OpenAFS 1.4.3 and KfW 2.6.5 working properly.
> I'm working on Windows XP SP2 joined to a Windows 2003 Active Directory
> domain. I installed and configured both clients (OpenAFS and KfW). When I
> log in to the domain with my user account I get AFS tokens and Kerberos V
> tickets (per the leash32 GUI), but I receive an "Access is Denied" message
> when attempting to navigate to any AFS directory such as \\afs\nd.edu\.
>
> I'm not sure if this is of any relevance, but our Active Directory domain
> and our MIT Kerberos V realm are named the same (ND.EDU).

If the AD domain and the Kerberos realm have the same name (but not the same KDCs) you have a problem. Some code will see [EMAIL PROTECTED] and try to use the KDCs for AD. Some code will try to use your MIT Kerberos V realm. AFS will only be the first of many problems you will have if you try to use the same realm name for both. (For example, the DNS SRV records can only point at one. KfW, if it imports tickets from Windows, then tries to use the TGT against your MIT Kerberos V realm.)

Options:

  Rename one of the realms, and maybe use cross realm between them.

  Just use the AD KDCs for everything.

> I disabled the use of Kerberos IV because I need to get pure Kerb5
> authentication working so we can plan to phase out its use here at Notre
> Dame.
>
> Any ideas what could be causing this problem?
>
> --James
> Univ. of Notre Dame
> Systems Engineer

--
Douglas E. Engert [EMAIL PROTECTED]
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Re: [OpenAFS] Vista compatibility
Andrew Bacchi wrote:
> I'll be upgrading both hardware and software for our AFS servers next
> summer. Will OpenAFS 1.4.x on the servers be compatible with the client
> for MS Vista when it is ready, or will I need to upgrade the server
> software to 1.5 too?

OpenAFS 1.4 on the servers is compatible with OpenAFS 1.5 clients.

Jeffrey Altman
Secure Endpoints Inc.
Re: [OpenAFS] Windows XP SP2, OpenAFS 1.4.3rc3, KfW 2.6.5
James Rogers wrote:
> On Mar 14, 2007, at 2:52 PM, Douglas E. Engert wrote:
>
>> Options:
>>
>>   Rename one of the realms, and maybe use cross realm between them.
>>
>>   Just use the AD KDCs for everything.
>
> Is there some documentation available on how to set up the KfW client to
> use Active Directory KDCs? I'm assuming the 'kdc=' entries in krb5.ini
> will just be the individual names of the domain controllers?

Yes. The Windows AD can act as K5 KDCs. You will then have to register services like afs/[EMAIL PROTECTED] in AD.

Start with Google: site:microsoft.com kerberos

I always like the original article:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx

> --James

--
Douglas E. Engert [EMAIL PROTECTED]
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
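The krb5.ini shape James asks about, as an added illustration that is not from the thread: the realm keeps the name used on the page (ND.EDU) and every `kdc` entry names a domain controller, so KfW and the MIT library talk only to Active Directory and the realm-name ambiguity Doug describes no longer arises. The domain-controller host names in angle brackets are placeholders, and the [domain_realm] mapping is an assumption about the site's DNS names.

```ini
; krb5.ini fragment -- "just use the AD KDCs for everything"
[libdefaults]
    default_realm = ND.EDU

[realms]
    ND.EDU = {
        ; one entry per domain controller; the MIT KDCs are deliberately absent
        kdc = <domain-controller-1>
        kdc = <domain-controller-2>
    }

[domain_realm]
    .nd.edu = ND.EDU
    nd.edu = ND.EDU
```

With this in place the afs/<cell> service principal must exist in AD, as Doug says, or the AFS service ticket request will fail even though the TGT is fine.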
[OpenAFS] umbc's mod_waklog stuff
I just posted this to the mod_waklog developers list, however, I think this stuff might be of interest to the rest of the AFS community, since we all seem to have the same problems ;)

--

Awhile back I posted something regarding some work we had been doing to the umich mod_waklog to make it useful for the multiple-site hosting environment so you could carve up various virtual hosts and subsites in one apache instance to have their work done by different AFS tokens.

We've had it deployed successfully on our production web servers here at UMBC for about the past month, and seem to have the major bugs now worked out and feel ready to share.

You'll find the source distribution housed on our wiki page, along with some instructions and such:

http://www.umbc.edu/oit/iss/syscore/wiki/Mod_waklog

Enjoy...

-rob

Robert Banz
Coordinator, Core Systems
[EMAIL PROTECTED]