Re: [OpenAFS] controlling access to backup volumes
Adam Megacz [EMAIL PROTECTED] writes:

> If a user removes a file (or restricts access to it by changing an ACL), and the file existed prior to the most recent vos backup, that file will still be accessible via the backup volume.

Correct.

> The backup volume can be mounted beneath a directory with a very restrictive ACL, but it seems that other users in the same cell could circumvent this by simply creating a new mount point for the backup volume somewhere else.

It's not even limited to other users in the same cell. Someone in ANOTHER cell could mount it, too! Granted, they could only gain the rights that they can authenticate to, so generally it's only an issue for system:anyuser (or system:[EMAIL PROTECTED]) acls.

> So, is there any way to make a backup volume less accessible than its rw? If not, then it means that reducing access to any backed-up file always has to wait until the next backup...

Nope, there's not. And your analysis is correct.

-derek

-- Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Another one
On Tue, 13 Mar 2007, Kim Kimball wrote:

> Uh oh ... what happens with vos zap for pre-1.4.2? There was a rock missing in one of the calls and so it left some crap behind;

This is actually only true of -force.
Re: [OpenAFS] jafs et al
On Tue, 13 Mar 2007, Marcus Watts wrote:

> I think for openafs, it would make sense to have an enable-pic configure flag - that could turn on pic mode globally. That could be used to

The CCOBJ rule is designed for just that; you just need the configure glue.
Re: [OpenAFS] controlling access to backup volumes
Derek Atkins [EMAIL PROTECTED] writes:

> Adam Megacz [EMAIL PROTECTED] writes:
>
>> So, is there any way to make a backup volume less accessible than its rw? If not, then it means that reducing access to any backed-up file always has to wait until the next backup...
>
> Nope, there's not. And your analysis is correct.

You can, of course, force a new backup immediately (and even provide a tool for users to do that themselves through something like the remctl AFS interface we use at Stanford).

-- Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
[OpenAFS] Re: [OpenAFS-announce] OpenAFS 1.5.16 release available including 2007 DST fix for Microsoft Windows
On Fri, 2007-03-09 at 00:26 -0500, Jeffrey Altman wrote:

> The OpenAFS Gatekeepers announce the availability of OpenAFS version 1.5.16. Source files and available binaries can be accessed via the web at: http://www.openafs.org/release/openafs-1.5.16.html

When do you plan to release the MacOSX binary?

Thank you, best regards,

-- Nicolas DEFFAYET, NDSoftware, http://www.ndsoftware.com/
Re: [OpenAFS] afs cell migration
Um, I must be missing something, but why doesn't vos move fill the bill? Set up the new server, vos move the volumes from the old server and decommission it. The only catch is that AFS servers can't share vicepxx partitions at the same time.

Jose Angel Herrero wrote:

> Hello everybody,
>
> We have an afs cell (atc.unican.es) installed in a HP ProLiant DL380 G3 and Linux (Debian 3.0 r2) server. The afs partitions (vicepxx) for this cell are located in a HP MSA20 (SATA disk drive storage enclosure with 12 SATA disks with Ultra320 SCSI host connectivity and 6 TB).
>
> Now, we want to migrate this cell (fileserver and dbserver) from this server to another server and we do not want to lose the data of our cell. We want to change the server (hardware), but not the disk library (vicepxx). We want to conserve the data in this disk library. So, we would like to know if there is some mechanism from the afs admin commands suite that allows us to migrate it.
>
> Thanks in advance
>
> Jose Angel Herrero Velasco, Systems Administrator, Grupo de Arquitectura y Tecnología de Computadores, E.T.S.I.I.T. - UNIVERSIDAD DE CANTABRIA, 39005 SANTANDER CANTABRIA (SPAIN), http://www.atc.unican.es
[OpenAFS] Re: A problem with authentication
> Server not found in database: afs/[EMAIL PROTECTED]: No such entry in the database

Just ignore this error, it's the kinit/pam modules trying to do afslog and trying different names for the service. You might have a [EMAIL PROTECTED] if cellname and realmname only differ in casing.

> and at the same time in heimdal-kdc log I find:
>
> AS-REQ [EMAIL PROTECTED] from IPv4:ipaddress for krbtgt/ [EMAIL PROTECTED]
> Using des-cbc-crc/des-cbc-crc
> Requested flags: renewable_ok, proxiable, forwardable
> sending 493 bytes to IPv4:ipaddress
> AS-REQ [EMAIL PROTECTED] from IPv4:ipaddress for krbtgt/ [EMAIL PROTECTED]
> Using des-cbc-crc/des-cbc-crc
> Requested flags: renewable_ok, proxiable, forwardable
> sending 493 bytes to IPv4:ipaddress
>
> To me this looks as though the login ought to have succeeded. Any clarification welcome.

You should check for a TGS req just below it for host/[EMAIL PROTECTED] that the host uses to verify the login.

Love
[OpenAFS] regarding setcellname error
Hi Sir,

I started the bos server successfully, but while executing bos setcellname -server machinename -name cellname it shows: bos:can't open cell database (/usr/local/etc/openafs). Although the /usr/local/etc/openafs file exists and the required symlinks are also there in the file. Please help me.

Thanking you, yours sincerely,
ashish srivastava
[OpenAFS] Big Initial Question about OpenAFS
Network connectivity differs significantly between NFS and Samba. With CIFS/Samba, shares may participate in a DFS tree and appear to the client as a single unified tree. However, when the client actually connects to a resource, he is redirected to the IP address of the server that holds the resource, so he ends up communicating with multiple hosts. With NFS, a server mounts the remote filesystem(s) and the client communicates only with one machine.

Which is OpenAFS more like? I am hoping it is more like NFS because I have to work around firewall limitations. I am hoping that I can communicate solely with the OpenAFS server, and it will in turn communicate with other servers that it has mounted. Is that the way it works?

-- Eric Robinson, Director of Information Technology, Physician Select Management, LLC
Re: [OpenAFS] Re: [OpenAFS-announce] OpenAFS 1.5.16 release available including 2007 DST fix for Microsoft Windows
On Wed, 14 Mar 2007, Nicolas DEFFAYET wrote:

> On Fri, 2007-03-09 at 00:26 -0500, Jeffrey Altman wrote:
>
>> The OpenAFS Gatekeepers announce the availability of OpenAFS version 1.5.16. Source files and available binaries can be accessed via the web at: http://www.openafs.org/release/openafs-1.5.16.html
>
> When did you plan to release the MacOSX binary?

There were no changes since 1.5.15.
Re: [OpenAFS] Big Initial Question about OpenAFS
On Wed, 14 Mar 2007, Robinson, Eric wrote:

> Network connectivity differs significantly between NFS and Samba. With CIFS/Samba, shares may participate in a DFS tree and appear to the client as a single unified tree. However, when the client actually connects to a resource, he is redirected to the IP address of the server that holds the resource, so he ends up communicating with multiple hosts. With NFS, a server mounts the remote filesystem(s) and the client communicates only with one machine.
>
> Which is OpenAFS more like? I am hoping it is more like NFS because I

Well, not really either. There would be a small bounded set of AFS servers but typically more than one.

> have to work around firewall limitations. I am hoping that I can communicate solely with the OpenAFS server, and it will in turn communicate with other servers that it has mounted. Is that the way it works?

AFS servers don't mount other things and re-export. They export their own space.
Re: [OpenAFS] Big Initial Question about OpenAFS
I'm afraid you're going to be disappointed, unless you have only one OpenAFS server. The OpenAFS clients communicate with whichever server(s) house the volumes they are trying to use. Volumes contain what looks like a directory of subtrees with files, directories, and symbolic links, but they can also contain mountpoints (which look like directories) for other volumes in the same or other cells. Those other volumes may well be on other servers (and certainly will be if they are out of the parent volume's cell, as a server can only serve one cell). Yes, this means that a given volume can be mounted (referenced as a subtree really) from multiple places. Try not to make loops, 'kay.

Robinson, Eric wrote:

> Network connectivity differs significantly between NFS and Samba. With CIFS/Samba, shares may participate in a DFS tree and appear to the client as a single unified tree. However, when the client actually connects to a resource, he is redirected to the IP address of the server that holds the resource, so he ends up communicating with multiple hosts. With NFS, a server mounts the remote filesystem(s) and the client communicates only with one machine.
>
> Which is OpenAFS more like? I am hoping it is more like NFS because I have to work around firewall limitations. I am hoping that I can communicate solely with the OpenAFS server, and it will in turn communicate with other servers that it has mounted. Is that the way it works?
>
> -- Eric Robinson, Director of Information Technology, Physician Select Management, LLC

-- [EMAIL PROTECTED] http://www.unc.edu/~utoddl
Re: [OpenAFS] afs cell migration
> Um, I must be missing something, but why doesn't vos move fill the bill.

you must be missing something, indeed.

> [...] We want to change the server (hardware), but no[t] the disk library (vicepxx). [...]

I also think (thanks, kula) that setting up the new machine as a fileserver, moving the disks over to the new machine, then doing the vos syncserv/vos syncvldb dance on all the fileservers will also work. I'm going to try it myself in a couple days.

--david

> Jose Angel Herrero wrote:
>
>> Hello everybody,
>>
>> We have an afs cell (atc.unican.es) installed in a HP ProLiant DL380 G3 and Linux (Debian 3.0 r2) server. The afs partitions (vicepxx) for this cell are located in a HP MSA20 (SATA disk drive storage enclosure with 12 SATA disks with Ultra320 SCSI host connectivity and 6 TB).
>>
>> Now, we want to migrate this cell (fileserver and dbserver) from this server to another server and we do not want to lose the data of our cell. We want to change the server (hardware), but not the disk library (vicepxx). We want to conserve the data in this disk library. So, we would like to know if there is some mechanism from the afs admin commands suite that allows us to migrate it.
>>
>> Thanks in advance
>>
>> Jose Angel Herrero Velasco, Systems Administrator, Grupo de Arquitectura y Tecnología de Computadores, E.T.S.I.I.T. - UNIVERSIDAD DE CANTABRIA, 39005 SANTANDER CANTABRIA (SPAIN), http://www.atc.unican.es
[OpenAFS] unix owner/group of files in AFS
Just wondering... is the Administrator guide's documentation of how AFS uses the mode bits complete and up-to-date?

http://www.openafs.org/pages/doc/AdminGuide/auagd020.htm#HDRWQ580

It doesn't seem to cover:

1. sticky bit - AFS stores this, but does it have any effect?

2. setuid/setgid bits - as of 1.4.4, these are ignored unless fs setcell otherwise

3. any additional meaning given to the unix owner/group of a file
   - For example, the PTS identity which is numerically equal to the owner userid of the root directory of a volume has implicit a rights on the volume.
   - others?

Apparently, chown and chgrp will do the wrong thing if the numeric userids in /etc/passwd do not match those in pts. I'm trying to determine whether or not this really matters in a cell where all clients ignore setuid/setgid and the admins never chown the root directories of any of the volumes (the default owner seems to be uid=0).

Are there any tools out there for automatically updating /etc/passwd using the output from pts listentries or equivalent?

- a

-- PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380
Re: [OpenAFS] unix owner/group of files in AFS
On Mon, 19 Mar 2007, Adam Megacz wrote:

> Just wondering... is the Administrator guide's documentation of how AFS uses the mode bits complete and up-to-date?
>
> http://www.openafs.org/pages/doc/AdminGuide/auagd020.htm#HDRWQ580
>
> It doesn't seem to cover:
>
> 1. sticky bit - AFS stores this, but does it have any effect?

not to afs, hence it not being covered

> 2. setuid/setgid bits - as of 1.4.4, these are ignored unless fs setcell otherwise

if someone contributed an update it will be applied

> 3. any additional meaning given to the unix owner/group of a file
>    - For example, the PTS identity which is numerically equal to the owner userid of the root directory of a volume has implicit a rights on the volume.

whether that id be a user or a group, in fact

>    - others?
>
> Apparently, chown and chgrp will do the wrong thing if the numeric userids in /etc/passwd do not match those in pts. I'm trying to

what's wrong?

> determine whether or not this really matters in a cell where all clients ignore setuid/setgid and the admins never chown the root directories of any of the volumes (the default owner seems to be uid=0).
>
> Are there any tools out there for automatically updating /etc/passwd using the output from pts listentries or equivalent?

someone had nss_pts. that's the right idea.
[OpenAFS] Re: refuse to grant tokens to a process without a PAG?
If I were to add support for this, where would be the best place to put the configuration option (afsd command line flag, perhaps)?

- a

Derrick J Brashear [EMAIL PROTECTED] writes:

> Not currently
>
> On Fri, 16 Mar 2007, Adam Megacz wrote:
>
>> Is there any option for the OpenAFS client that will cause it to refuse to associate tokens with a userid (rather than a PAG)? This is the default behavior when aklog is invoked outside of a PAG -- any tokens get associated with all processes under that userid which do not have a PAG. I'm wondering if there is a way to simply refuse to offer tokens in this case -- force the user to get into a PAG before letting them get tokens.
>>
>> - a
[OpenAFS] Re: unix owner/group of files in AFS
Derrick J Brashear [EMAIL PROTECTED] writes:

> someone had nss_pts. that's the right idea.

http://tarna.oit.unc.edu/~utoddl/nss_pts_0.2.tgz

Hey neat, the output of 'ls' shows pts names.

- a
Re: [OpenAFS] Re: refuse to grant tokens to a process without a PAG?
On Mon, 19 Mar 2007, Adam Megacz wrote:

> If I were to add support for this, where would be the best place to put the configuration option (afsd command line flag, perhaps)?

yet another afsd flag? ick. the generic pioctl (which takes a parameter and a value) and a parameter for this, is the right thing to do, and then if you want to set it, set it after running afsd. of course, there are other things which should work this way.

> This is the default behavior when aklog is invoked outside of a PAG -- any tokens get associated with all processes under that userid which do not have a PAG. I'm wondering if there is a way to simply refuse to offer tokens in this case -- force the user to get into a PAG before letting them get tokens.
Re: [OpenAFS] Re: unix owner/group of files in AFS
On Mon, 19 Mar 2007, Adam Megacz wrote:

> Derrick J Brashear [EMAIL PROTECTED] writes:
>
>> someone had nss_pts. that's the right idea.
>
> http://tarna.oit.unc.edu/~utoddl/nss_pts_0.2.tgz
>
> Hey neat, the output of 'ls' shows pts names.

i actually did this years ago, before there was nss, and let it drop. but, the issue when you have not coordinated local uids and pts ids is when do you do an afs lookup and when do you do a local uid lookup?
Re: [OpenAFS] afs cell migration
> I also think (thanks, kula) that setting up the new machine as a fileserver, moving the disks over to the new machine, then doing the vos syncserv/vos syncvldb dance on all the fileservers will also work. I'm going to try it myself in a couple days.
>
> --david

this worked fine, too, if anyone was curious.

--david

> Jose Angel Herrero wrote:
>
>> Hello everybody,
>>
>> We have an afs cell (atc.unican.es) installed in a HP ProLiant DL380 G3 and Linux (Debian 3.0 r2) server. The afs partitions (vicepxx) for this cell are located in a HP MSA20 (SATA disk drive storage enclosure with 12 SATA disks with Ultra320 SCSI host connectivity and 6 TB).
>>
>> Now, we want to migrate this cell (fileserver and dbserver) from this server to another server and we do not want to lose the data of our cell. We want to change the server (hardware), but not the disk library (vicepxx). We want to conserve the data in this disk library. So, we would like to know if there is some mechanism from the afs admin commands suite that allows us to migrate it.
>>
>> Thanks in advance
>>
>> Jose Angel Herrero Velasco
[OpenAFS] Re: unix owner/group of files in AFS
Derrick J Brashear [EMAIL PROTECTED] writes:

>> Hey neat, the output of 'ls' shows pts names.
>
> i actually did this years ago, before there was nss, and let it drop. but, the issue when you have not coordinated local uids and pts ids is when do you do an afs lookup and when do you do a local uid lookup?

At least for glibc I think you can tell it to try one and if that fails try the other. So I guess you'd just have to make sure there's no overlap.

- a
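Two points in the thread above (Adam's request for a tool that updates /etc/passwd from `pts listentries`, and the exchange about what happens when local uids and pts ids are not coordinated) come down to one reconciliation check. The script below is an added example, not code from the thread's authors or from the OpenAFS project: it parses constructed `pts listentries` output (the Name/ID/Owner/Creator column layout is an assumption about that command's format), compares it with a constructed local passwd file, reports every name or uid that already has a different local mapping, and emits passwd lines only for pts users with no overlap; the `/afs/example.org/user` home prefix is a placeholder.

```python
import re
from collections import namedtuple

# Constructed sample of `pts listentries` output (users only; groups would
# show negative IDs). Column layout assumed: Name, ID, Owner, Creator.
PTS_OUTPUT = """\
Name                          ID  Owner Creator
anonymous                  32766   -204    -204
admin                          1   -204    -204
alice                       1001   -204       1
bob                         1002   -204       1
carol                       1003   -204       1
"""

# Constructed sample of a client's local /etc/passwd.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
dave:x:1002:1002:Dave:/home/dave:/bin/bash
"""

PtsEntry = namedtuple("PtsEntry", "name pts_id owner creator")


def parse_pts_listentries(text):
    """Parse `pts listentries` output, skipping the header and blank lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not re.fullmatch(r"-?\d+", fields[1]):
            continue
        entries.append(PtsEntry(fields[0], int(fields[1]), int(fields[2]), int(fields[3])))
    return entries


def parse_passwd(text):
    """Return {name: uid} for passwd-format text."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3:
            users[parts[0]] = int(parts[2])
    return users


def reconcile(pts_entries, local_users, home_prefix="/afs/example.org/user"):
    """Split pts users into conflicts (name or uid already taken locally with a
    different mapping) and passwd lines for users absent from the local file.
    home_prefix is a placeholder; a real cell substitutes its own path."""
    local_by_uid = {uid: name for name, uid in local_users.items()}
    conflicts, new_lines = [], []
    for e in pts_entries:
        if e.pts_id < 0:
            continue  # pts groups never get passwd entries
        if e.name in local_users:
            if local_users[e.name] != e.pts_id:
                conflicts.append((e.name, e.pts_id, "name is local uid %d" % local_users[e.name]))
        elif e.pts_id in local_by_uid:
            conflicts.append((e.name, e.pts_id, "uid belongs to local user %s" % local_by_uid[e.pts_id]))
        else:
            new_lines.append("%s:x:%d:%d:%s:%s/%s:/bin/sh"
                             % (e.name, e.pts_id, e.pts_id, e.name, home_prefix, e.name))
    return conflicts, new_lines
```

With the samples above, `reconcile(parse_pts_listentries(PTS_OUTPUT), parse_passwd(LOCAL_PASSWD))` flags bob because uid 1002 is already dave locally, and produces lines for anonymous, admin and carol only; the conflict list is what an admin should clear before trusting name-to-id lookups for chown or ls.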