Re: [OpenAFS] afsd segfaults
Derek Atkins <[EMAIL PROTECTED]> writes:

> compare the inode init in afs_NewVCache() in src/afs/afs_vcache.c
> with init_once() in linux/fs/inode.c

I can say this: I have no idea what I'm looking for in afs_NewVCache.

init_once in fs/inode.c is:

static void init_once(void * foo, kmem_cache_t * cachep, unsigned long flags)
{
	struct inode * inode = (struct inode *) foo;

	if ((flags & (SLAB_CTOR_VERIFY|SLAB_CTOR_CONSTRUCTOR)) ==
	    SLAB_CTOR_CONSTRUCTOR) {
		memset(inode, 0, sizeof(*inode));
		init_waitqueue_head(&inode->i_wait);
		INIT_LIST_HEAD(&inode->i_hash);
		INIT_LIST_HEAD(&inode->i_data.clean_pages);
		INIT_LIST_HEAD(&inode->i_data.dirty_pages);
		INIT_LIST_HEAD(&inode->i_data.locked_pages);
		INIT_LIST_HEAD(&inode->i_dentry);
		INIT_LIST_HEAD(&inode->i_dirty_buffers);
		INIT_LIST_HEAD(&inode->i_dirty_data_buffers);
		INIT_LIST_HEAD(&inode->i_devices);
		sema_init(&inode->i_sem, 1);
		sema_init(&inode->i_zombie, 1);
		spin_lock_init(&inode->i_data.i_shared_lock);
	}
}

> -derek
>
> Ian D <[EMAIL PROTECTED]> writes:
>
> > Derek Atkins <[EMAIL PROTECTED]> writes:
> >
> > > Have you compared the source files as I asked?  If not, then do it.
> > > Report what you find.  No other report is interesting until you
> > > report on the comparison.
> >
> > Which file in the OpenAFS tree?
> > --
> > /Ian D
> > [EMAIL PROTECTED]
>
> --
> Derek Atkins
> Computer and Internet Security Consultant
> [EMAIL PROTECTED]  www.ihtfp.com

--
/Ian D
[EMAIL PROTECTED]

___
OpenAFS-info mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-info
[OpenAFS] Moving Volumes
If I am moving volumes from server to server, can I expect an outage?
My AFS server currently contains volumes attached to my web site.
Will this cause an outage for my site?

Thanks
Mike
Re: [OpenAFS] Authenticating against krb5-only KDC (active directory)
Jacob Gorm Hansen <[EMAIL PROTECTED]> writes:

> On Thu, Feb 28, 2002 at 10:34:04AM -0500, Derek Atkins wrote:
> > There are a number of ways to do this.  You could just use your M$-KDC
> > as a regular K5 KDC and use krb524 to obtain AFS tokens, or you could
> > have a process similar to the above where the 'v4 AFS key' is separate
> > from the 'M$ key'.
>
> Would that work when clients were on Win2k machines as well?

Sure.  You just need to compile aklog (or the equivalent)

> > Basically, you use 'aklog' to authenticate to the 524 daemon, and that
> > gives you a 'token' which you stuff into your client to authenticate.
>
> Has anyone been successful in running 524d on a windows machine, or do I need
> to run it on linux? It worries me that the linux machine might end up being
> a single point of failure.
>
> > You don't need native k5 in AFS for this to work.
>
> Still, native k5 would be wonderful. But I have no idea how hard that would be
> to accomplish. I recently implemented k5 (by means of GSSAPI) in Intermezzo's
> perl cache manager (which was abandoned just as the work was completed :-(),
> and that was fairly simple.

Native v5 in AFS is going to be a LOT of work.  In particular, it's
going to require a completely new RX security framework.  I don't
expect this to happen any time soon.  The problem is that way too much
of RX/RXKAD depend on 1-DES and v4.

> > -derek
>
> Best,
> Jacob

-derek

--
Derek Atkins
Computer and Internet Security Consultant
[EMAIL PROTECTED]  www.ihtfp.com
Re: [OpenAFS] Authenticating against krb5-only KDC (active directory)
On Thu, Feb 28, 2002 at 10:34:04AM -0500, Derek Atkins wrote:
> There are a number of ways to do this.  You could just use your M$-KDC
> as a regular K5 KDC and use krb524 to obtain AFS tokens, or you could
> have a process similar to the above where the 'v4 AFS key' is separate
> from the 'M$ key'.

Would that work when clients were on Win2k machines as well?

> Basically, you use 'aklog' to authenticate to the 524 daemon, and that
> gives you a 'token' which you stuff into your client to authenticate.

Has anyone been successful in running 524d on a windows machine, or do I need
to run it on linux? It worries me that the linux machine might end up being
a single point of failure.

> You don't need native k5 in AFS for this to work.

Still, native k5 would be wonderful. But I have no idea how hard that would be
to accomplish. I recently implemented k5 (by means of GSSAPI) in Intermezzo's
perl cache manager (which was abandoned just as the work was completed :-(),
and that was fairly simple.

> -derek

Best,
Jacob
Re: [OpenAFS] afsd segfaults
compare the inode init in afs_NewVCache() in src/afs/afs_vcache.c
with init_once() in linux/fs/inode.c

-derek

Ian D <[EMAIL PROTECTED]> writes:

> Derek Atkins <[EMAIL PROTECTED]> writes:
>
> > Have you compared the source files as I asked?  If not, then do it.
> > Report what you find.  No other report is interesting until you
> > report on the comparison.
>
> Which file in the OpenAFS tree?
> --
> /Ian D
> [EMAIL PROTECTED]

--
Derek Atkins
Computer and Internet Security Consultant
[EMAIL PROTECTED]  www.ihtfp.com
Re: [OpenAFS] Automated backups
> The backup script is quite simplistic:
>
> #!/bin/sh
> day=$(date +%A)
> vos backupsys -verbose

Isn't this normally implemented as a bos service?  My bos status has:

Instance backupsys, (type is cron) currently running normally.
    Auxiliary status is: run next at Thu Feb 28 04:00:00 2002.
    Process last started at Wed Feb 27 03:00:35 2002 (3 proc starts)
    Last exit at Wed Feb 27 03:05:25 2002
    Command 1 is '/usr/afs/bin/vos backupsys -localauth'
    Command 2 is '4:00'

> cat backup.$day | sed 's/^/backup dump /' | sh
> backup savedb
>
> [snip]
>
> butc is indeed a problem as well. It seems to need a lot of rights as well,
> and doesn't understand -localauth. As I never need to interact with it (all
> backups are made to file, these files are copied some time later in the night
> to off-site storage), I can probably fire it up just before the backup script
> and kill it when I'm done.

It should.

$ butc -help
Usage: butc [-port <port offset>] [-debuglevel <0 | 1 | 2>] [-cell <cell name>] [-noautoquery] [-localauth] [-help]

When I used to do AFS administration, I'd log in at the console of the
AFS server as root, open two dtterm's, do a butc -localauth in one, and
a backup -localauth in the other.

--
t. charles clancy <> [EMAIL PROTECTED] <> www.uiuc.edu/~tclancy
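The reply above makes a point worth checking mechanically: a backup run as a bos cron instance gets its authority from -localauth (the server's KeyFile), so nothing has to leave an admin token lying around on the server. The following is an added example, not code from the thread or from OpenAFS: a small Python parser for the `bos status -long` text shown above, plus an audit that flags cron instances running vos or backup without -localauth. The sample output is constructed from the lines quoted in the message; the second and third instances (userbackups, fs) are made-up additions for the sake of the check.

```python
"""Added example (not from the thread): parse `bos status -long` output and
check that backup cron instances are healthy and run with -localauth."""
import re

# Constructed sample.  The backupsys block is the one quoted in the thread;
# the other two instances are hypothetical.
SAMPLE_BOS_STATUS = """\
Instance backupsys, (type is cron) currently running normally.
    Auxiliary status is: run next at Thu Feb 28 04:00:00 2002.
    Process last started at Wed Feb 27 03:00:35 2002 (3 proc starts)
    Last exit at Wed Feb 27 03:05:25 2002
    Command 1 is '/usr/afs/bin/vos backupsys -localauth'
    Command 2 is '4:00'
Instance userbackups, (type is cron) currently running normally.
    Auxiliary status is: run next at Thu Feb 28 05:00:00 2002.
    Command 1 is '/usr/afs/bin/vos backupsys -prefix user'
    Command 2 is '5:00'
Instance fs, (type is fs) currently running normally.
    Auxiliary status is: file server running.
    Command 1 is '/usr/afs/bin/fileserver'
    Command 2 is '/usr/afs/bin/volserver'
    Command 3 is '/usr/afs/bin/salvager'
"""

INSTANCE_RE = re.compile(r"^Instance (\S+), \(type is (\w+)\) currently (.*?)\.?$")
COMMAND_RE = re.compile(r"^\s+Command (\d+) is '(.*)'$")
AUX_RE = re.compile(r"^\s+Auxiliary status is: (.*?)\.?$")


def parse_bos_status(text):
    """Return a list of dicts: name, type, state, aux, commands {n: cmdline}."""
    instances = []
    cur = None
    for line in text.splitlines():
        m = INSTANCE_RE.match(line)
        if m:
            cur = {"name": m.group(1), "type": m.group(2), "state": m.group(3),
                   "aux": "", "commands": {}}
            instances.append(cur)
            continue
        if cur is None:
            continue                      # text before the first Instance line
        m = COMMAND_RE.match(line)
        if m:
            cur["commands"][int(m.group(1))] = m.group(2)
            continue
        m = AUX_RE.match(line)
        if m:
            cur["aux"] = m.group(1)
    return instances


def audit_cron_backups(instances):
    """Return (instance, problem) pairs for cron jobs that run vos or backup
    but would run without server-local authority or without a schedule."""
    problems = []
    for inst in instances:
        if inst["type"] != "cron":
            continue
        cmd = inst["commands"].get(1, "")
        prog = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
        if prog not in ("vos", "backup"):
            continue
        if "-localauth" not in cmd.split():
            problems.append((inst["name"], "command does not use -localauth"))
        if inst["state"] != "running normally":
            problems.append((inst["name"], "instance state: " + inst["state"]))
        if 2 not in inst["commands"]:
            problems.append((inst["name"], "no schedule (Command 2) set"))
    return problems


if __name__ == "__main__":
    for name, problem in audit_cron_backups(parse_bos_status(SAMPLE_BOS_STATUS)):
        print("%s: %s" % (name, problem))
```

Feed it the real output of `bos status <server> -long` instead of the constructed sample; a cron instance whose vos command lacks -localauth has no credentials at all when bosserver starts it and will fail, or worse, run unauthenticated against the volume server.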
Re: [OpenAFS] Authenticating against krb5-only KDC (active directory)
There are a number of ways to do this.  You could just use your M$-KDC
as a regular K5 KDC and use krb524 to obtain AFS tokens, or you could
have a process similar to the above where the 'v4 AFS key' is separate
from the 'M$ key'.

Basically, you use 'aklog' to authenticate to the 524 daemon, and that
gives you a 'token' which you stuff into your client to authenticate.

You don't need native k5 in AFS for this to work.

-derek

Jacob Gorm Hansen <[EMAIL PROTECTED]> writes:

> I know Active Directory is not anyone's favorite, not mine either, but I need
> to be able to authenticate against it. Currently, I've got just one AFS server,
> running debian linux.
>
> Does anyone have a recipe for doing so? I read somewhere that krb5 was being
> worked on for OpenAFS, I suppose that would make things easier. What is the
> status of that?
>
> Best,
> Jacob

--
Derek Atkins
Computer and Internet Security Consultant
[EMAIL PROTECTED]  www.ihtfp.com
Re: [OpenAFS] afsd segfaults
Have you compared the source files as I asked?  If not, then do it.
Report what you find.  No other report is interesting until you
report on the comparison.

-derek

Ian D <[EMAIL PROTECTED]> writes:

> Derek Atkins <[EMAIL PROTECTED]> writes:
>
> > Ian D <[EMAIL PROTECTED]> writes:
> >
> > > Derek Atkins <[EMAIL PROTECTED]> writes:
> > >
> > > > Another thing to verify is whether the inode initialization function
> > > > in OpenAFS matches the init_once() in linux/fs/inode.c.  It's
> > > > possible that mandrake has (yet another) weird kernel patch, and
> > > > that could cause problems.
> > >
> > > Actually, my laptop is running a vanilla 2.4.13 kernel, from what I
> > > can tell.  No patches there (The 2.4.8 on my server is a mandrake
> > > kernel, though).
> >
> > As I said, it's probably a strange mandrake patch that OpenAFS doesn't
> > support.  Go perform the comparison I mentioned above.
>
> I tried again, and it segfaulted on my laptop also.
>
> Then again, this whole day has been pretty weird wrt AFS and my
> computer.
> --
> /Ian D
> [EMAIL PROTECTED]

--
Derek Atkins
Computer and Internet Security Consultant
[EMAIL PROTECTED]  www.ihtfp.com
[OpenAFS] Authenticating against krb5-only KDC (active directory)
I know Active Directory is not anyone's favorite, not mine either, but I need
to be able to authenticate against it. Currently, I've got just one AFS server,
running debian linux.

Does anyone have a recipe for doing so? I read somewhere that krb5 was being
worked on for OpenAFS, I suppose that would make things easier. What is the
status of that?

Best,
Jacob
Re: [OpenAFS] afsd segfaults
Derek Atkins <[EMAIL PROTECTED]> writes:

> Ian D <[EMAIL PROTECTED]> writes:
>
> > Derek Atkins <[EMAIL PROTECTED]> writes:
> >
> > > Another thing to verify is whether the inode initialization function
> > > in OpenAFS matches the init_once() in linux/fs/inode.c.  It's
> > > possible that mandrake has (yet another) weird kernel patch, and
> > > that could cause problems.
> >
> > Actually, my laptop is running a vanilla 2.4.13 kernel, from what I
> > can tell.  No patches there (The 2.4.8 on my server is a mandrake
> > kernel, though).
>
> As I said, it's probably a strange mandrake patch that OpenAFS doesn't
> support.  Go perform the comparison I mentioned above.

I tried again, and it segfaulted on my laptop also.

Then again, this whole day has been pretty weird wrt AFS and my
computer.
--
/Ian D
[EMAIL PROTECTED]
[OpenAFS] Re: State of OpenAFS
"Todd M. Lewis" wrote: > > Wout Mertens wrote: > > > > Anything else that is different versus 'regular' unix filesystems? > > * ACLs apply to whole directories > * Only the first 3 bits of a file's permissions are relevant > (which gives you 6 free bits to do with whatever crazy >things you want -- not that I'd ever do such a thing :-) > * A cell-wide switch for support of AFS suid/sgid executables > * volume mount points are just specially formatted symlinks, so > volumes can be mounted almost anywhere any number of times > * @sys macro expansion makes serious architecture magic possible > * PTS cool/weird (groups in groups, IP ACLs, user-defined groups) I left out one that really came as a shocker the first time I encountered it: * AFS does not update/maintain last access times. Cheers, -- ++ / [EMAIL PROTECTED] http://www.unc.edu/~utoddl / /(919) 962-5273 Linux - It's now safe to turn on your computer. / ++ ___ OpenAFS-info mailing list [EMAIL PROTECTED] https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] afsd segfaults
Ian D <[EMAIL PROTECTED]> writes:

> Derek Atkins <[EMAIL PROTECTED]> writes:
>
> > Another thing to verify is whether the inode initialization function
> > in OpenAFS matches the init_once() in linux/fs/inode.c.  It's
> > possible that mandrake has (yet another) weird kernel patch, and
> > that could cause problems.
>
> Actually, my laptop is running a vanilla 2.4.13 kernel, from what I
> can tell.  No patches there (The 2.4.8 on my server is a mandrake
> kernel, though).

As I said, it's probably a strange mandrake patch that OpenAFS doesn't
support.  Go perform the comparison I mentioned above.

> --
> /Ian D
> [EMAIL PROTECTED]

-derek

--
Derek Atkins
Computer and Internet Security Consultant
[EMAIL PROTECTED]  www.ihtfp.com
Re: [OpenAFS] Automatic AFS authentication on more than 1 cell
At 2/28/2002 06:19 AM -0500, you wrote:
>Giovanni Bracco <[EMAIL PROTECTED]> writes:
> > In the implementation it would be better not to modify the pam arguments
> > but to add another file of the same type as "ThisCell" like "OtherCells"
> > containing a list of cells, comma separated. If the file does not exist
> > nothing new is performed. Does it sound reasonable?
>
>It would be better if this were per-user.  If every user in ThisCell
>exists under the same principal name in OtherCells, then why
>have 2 cells?  Chances are, you have some people who are missing,
>and sooner or later, unless your various system administrators coordinate
>things carefully, you'll end up with duplicate names, or people with
>different names in different cells.
>
>Here at the university of michigan, we've tried to support a slightly
>more flexible scheme:
>each user can have a file,
>        .principals
>that specifies additional realms in which to get kerberos tickets.
>The idea is to have one or more lines like this:
>        # this line ignored
>        @ENGIN.UMICH.EDU
>        [EMAIL PROTECTED] &
>        [EMAIL PROTECTED]
>Once authentication is accepted in the primary realm, login (or
>whatever) can then go off & get these additional tickets,
>potentially under a different name, and possibly in the background.

Do you mean that the user must not explicitly provide a password for the
other cells (e.g. in an ssh connection to the main cell), provided that the
password is the same on the different cells/users? If that is the case this
solution also looks great and surely is more flexible. Can it be implemented
in OpenAFS?

Giovanni

Giovanni Bracco
Associazione EURATOM-ENEA sulla Fusione
C.R.E. ENEA Frascati  Via E. Fermi 45  I-00044 Frascati (Roma) Italy
phone 00-39-06-9400-5597  FAX 00-39-06-9400-5735
E-mail [EMAIL PROTECTED]  WWW http://fusfis.frascati.enea.it/~bracco
Re: [OpenAFS] Automatic AFS authentication on more than 1 cell
Giovanni Bracco <[EMAIL PROTECTED]> writes:
> In the implementation it would be better not to modify the pam arguments
> but to add another file of the same type as "ThisCell" like "OtherCells"
> containing a list of cells, comma separated. If the file does not exist
> nothing new is performed. Does it sound reasonable?

It would be better if this were per-user.  If every user in ThisCell
exists under the same principal name in OtherCells, then why
have 2 cells?  Chances are, you have some people who are missing,
and sooner or later, unless your various system administrators coordinate
things carefully, you'll end up with duplicate names, or people with
different names in different cells.

Here at the university of michigan, we've tried to support a slightly
more flexible scheme:
each user can have a file,
        .principals
that specifies additional realms in which to get kerberos tickets.
The idea is to have one or more lines like this:
        # this line ignored
        @ENGIN.UMICH.EDU
        [EMAIL PROTECTED] &
        [EMAIL PROTECTED]
Once authentication is accepted in the primary realm, login (or
whatever) can then go off & get these additional tickets,
potentially under a different name, and possibly in the background.

Here's some sample code to do this (will need some slight fixups to
work with openafs):

/* Headers this function needs; getword() and AFS_sigreturntype come
 * from the surrounding login source and are not shown here. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <signal.h>
#include <unistd.h>
#include <afs/kautils.h>

do_principals(whoami, principals, passwd)
	char *whoami;
	char *principals;
	char *passwd;
{
	int pass;
	char *cp;
	FILE *fp;
	char line[512];
	int passlim;
	char word[512];
	char name[MAXKTCNAMELEN], inst[MAXKTCNAMELEN];
	char cell[MAXKTCREALMLEN], realm[MAXKTCREALMLEN], lrealm[MAXKTCREALMLEN];
	char *reason;
	long password_expires;
	AFS_sigreturntype (*oldsig)();

	*lrealm = 0;
	if (!principals || !passwd) return;
	passlim = 1;
	/* pass 0 handles foreground entries; pass 1, run only in a forked
	 * child, handles entries marked with a trailing '&'. */
	for (pass = 0; pass < passlim; ++pass) {
		fp = fopen(principals, "r");
		if (!*lrealm && ka_ExpandCell((char*)0, lrealm, (int*)0))
			*lrealm = 0;
		if (!fp) break;
		while (fgets(line, sizeof line, fp)) {
			cp = getword(line, word);
			if (*word == '#') continue;		/* comment line */
			while (*cp && isspace(*cp)) ++cp;
			ka_ParseLoginName(word, name, inst, cell);
			if (!*name) strcpy(name, whoami);	/* "@REALM" alone: same user name */
			if (!*cell) strcpy(realm, lrealm);	/* no realm given: local cell
							 * (the posted version left realm unset here) */
			else ka_ExpandCell(cell, realm, (int*)0);
			if (!strcasecmp(realm, lrealm)) continue;	/* already authenticated locally */
			if (pass ^ (*cp == '&')) {		/* entry belongs to the other pass */
				passlim = 2;
				continue;
			}
			if (ka_UserAuthenticateGeneral(
				KA_USERAUTH_VERSION,
				name,		/* kerberos name */
				inst,		/* instance */
				realm,		/* realm */
				passwd,		/* password */
				0,		/* default lifetime */
				&password_expires,
				0,		/* spare 2 */
				&reason		/* error string */
				)) {
				fprintf(stderr, "Cannot authenticate in %s - %s\n",
					realm, reason);
			}
		}
		fclose(fp);
		/* Fork once, after the foreground pass, so the '&' entries are
		 * fetched in the background.  The posted version forked again
		 * after pass 1 as well, which made the child return into login. */
		if (pass == 0 && passlim == 2) {
			oldsig = signal(SIGCHLD, SIG_IGN);
			if (fork()) {
				(void) signal(SIGCHLD, oldsig);
				return;
			}
		}
	}
	if (passlim == 2) _exit(0);
}

				-Marcus Watts
				UM ITCS
				Umich Systems Group
Re: [OpenAFS] Automatic AFS authentication on more than 1 cell
At 2/27/2002 11:21 AM -0600, you wrote:
> > Is it possible to authenticate to both cells at the ssh connection
> > providing the password only once (usernames and passwords are the same
> > on both systems)? Can it be done just by a proper setting of the pam
> > modules for sshd?
>
>It can be done with PAM quite easily, if such a module existed.  The
>current module does not support specifying an alternate cell name.
>However, it could easily be added.  Then a PAM config something like the
>following would work:
>
>auth    sufficient   /lib/security/pam_afs.so ignore_root
>auth    optional     /lib/security/pam_afs.so ignore_root use_first_pass
>                         cell=other.cell refresh_tokens
>auth    required     pam_unix.so
>
>You'd need the "refresh_tokens" to prevent creation of another PAG.  I
>could work on a patch to pam_afs, if there's sufficient interest.
>

It would be very useful really!

In the implementation it would be better not to modify the pam arguments
but to add another file of the same type as "ThisCell" like "OtherCells"
containing a list of cells, comma separated. If the file does not exist
nothing new is performed. Does it sound reasonable?

Giovanni

Giovanni Bracco
Associazione EURATOM-ENEA sulla Fusione
C.R.E. ENEA Frascati  Via E. Fermi 45  I-00044 Frascati (Roma) Italy
phone 00-39-06-9400-5597  FAX 00-39-06-9400-5735
E-mail [EMAIL PROTECTED]  WWW http://fusfis.frascati.enea.it/~bracco
Re: [OpenAFS] Any way to create srvtabs for use with kaserver...
Eric Knudstrup <[EMAIL PROTECTED]> writes:
> Subject: [OpenAFS] Any way to create srvtabs for use with kaserver...
> Date: Thu, 28 Feb 2002 00:55:02 -0800 (PST)
>
> without upgrading to Heimdal or MIT kdc (I have set up a system once like that
> and decided I wanted to stay with the stock kaserver)?

Sure.  A couple of choices:

(1) use some version of ksrvutil that asks for a password, and make sure
    you use the same (hopefully long random) password to make the
    principal using kas.
(2) build a copy of kaserver that understands "getkey", then write an
    application that calls "getkey" and saves the result in a srvtab.
    Note: application must run on kdc, & this only works with empty instances
(3) write something that rummages through the kadatabase directly.
    doable, but messy.
(4) write a variation of "kpasswd" that resets the password to something
    random, then saves it into a file.  Generate the principal using kas,
    then use your utility.  The utility could also create the principal &
    set a random key all in one go.
(5) use kas to set the pw to a known value.  Then use the "stringtokey"
    function in kas to convert that same pw to a key.  Use perl to convert
    the key to a srvtab.

				-Marcus Watts
				UM ITCS
				Umich Systems Group
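Option (5) ends with "convert the key to a srvtab", which is the only part that is pure file formatting. The following is an added example, not code from the thread or from OpenAFS, and it uses Python rather than perl: it serialises entries in the Kerberos v4 srvtab layout (three NUL-terminated strings, one kvno byte, eight key bytes), reads them back, checks that the key has the odd byte parity a DES key is expected to carry, and creates the file mode 0600 from the start. The key must come from `kas stringtokey` run on the same password you set with kas; the eight bytes below are a made-up placeholder (the classic DES test key), not a real key, and the principal and realm are made up too.

```python
"""Added example (not from the thread): build, check and write a Kerberos v4
srvtab from a name/instance/realm/kvno/key tuple."""
import os
import stat
import tempfile


def has_odd_parity(key):
    """True when every byte of the 8-byte DES key has odd parity, as keys
    produced by the AFS string-to-key routine do.  A key copied from
    kas output that fails this was almost certainly transcribed wrong."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def build_srvtab(entries):
    """Serialise (name, instance, realm, kvno, key) tuples.  Each entry is
    name\\0 instance\\0 realm\\0 followed by one kvno byte and 8 key bytes."""
    out = bytearray()
    for name, inst, realm, kvno, key in entries:
        if len(key) != 8:
            raise ValueError("DES key must be exactly 8 bytes")
        if not 0 <= kvno <= 255:
            raise ValueError("kvno must fit in one byte")
        for s in (name, inst, realm):
            if "\0" in s:
                raise ValueError("NUL inside a principal component")
            out += s.encode("ascii") + b"\0"
        out.append(kvno)
        out += key
    return bytes(out)


def parse_srvtab(data):
    """Inverse of build_srvtab; raises on a truncated trailing entry."""
    entries = []
    pos = 0
    while pos < len(data):
        parts = []
        for _ in range(3):
            end = data.index(b"\0", pos)
            parts.append(data[pos:end].decode("ascii"))
            pos = end + 1
        if pos + 9 > len(data):
            raise ValueError("truncated srvtab entry")
        kvno = data[pos]
        key = data[pos + 1:pos + 9]
        pos += 9
        entries.append((parts[0], parts[1], parts[2], kvno, key))
    return entries


def write_srvtab(path, entries):
    """Create the file 0600 and exclusively, so the key is never readable by
    others even for an instant; returns the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(build_srvtab(entries))
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed placeholder entry: made-up principal, realm and key.
EXAMPLE_ENTRIES = [("afs", "", "EXAMPLE.ORG", 3, bytes.fromhex("0123456789abcdef"))]

if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "srvtab")
    print("wrote %s with mode %o" % (path, write_srvtab(path, EXAMPLE_ENTRIES)))
    with open(path, "rb") as f:
        for entry in parse_srvtab(f.read()):
            print(entry[:4], "parity ok" if has_odd_parity(entry[4]) else "BAD PARITY")
```

The kvno you write must match the version kas holds for the principal, otherwise the service will reject tickets encrypted under the new key; bump it in both places together when you re-key.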