[OpenAFS] shut down hangs

2005-03-23 Thread Helmut Jarausch
Hi,

I am using openafs (cvs from today) on Linux 2.6.12-rc1-bk1.
It seems to run well but it won't shut down.
I get

WARM shutting down of: CB... afs... BkG... 
and then I have to hardware reset the machine.

Many thanks for any hints,

Helmut Jarausch

Lehrstuhl fuer Numerische Mathematik
RWTH - Aachen University
D 52056 Aachen, Germany

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] non-kerberos authentication mechanisms for afs?

2005-03-23 Thread Douglas E. Engert
gssklog would only solve part of the problem. The AFS admins still get
involved, deciding which GSS to use and, with X.509, which certificates
and which CAs are trusted. In any case the AFS admins need to define the
mapping from the PKI to the AFS usernames.
How paranoid are your AFS admins?
Derek Atkins wrote:
> Sounds like you want gssklog, where you can convert any GSS credential
> (i.e., X.509 and/or some new PGP-based GSS mech) to obtain AFS tokens.
> -derek
>
> Sergio Gelato <[EMAIL PROTECTED]> writes:
>
>> * Adam Megacz [2005-03-19 00:42:44 -0800]:
>>> My only gripe with Kerberos is that two non-admin users can't set up a
>>> trust/permissions relationship without involving their kerberos admins
>>> (ie adding principals), or having a kerberos server in the first
>>> place.  Sometimes the former just isn't possible (paranoid sysadmins
>>> won't create principals because they think it's a "security risk").
>> I'd call it an "administrative burden" rather than a "security risk".
>>
>>> What I'd like to do is create some ugly hack that allows you to use an
>>> OpenPGP key fingerprint in an ACL.
>> Let's generalise a little bit and talk about PKI-based authentication
>> (not necessarily PGP; other kinds of public keys will do just as well).
>> I'd want to use the full public key rather than the fingerprint.
>>
>>> The goal here is to have a single, worldwide namespace (openpgp
>>> fingerprints) for authentication the same way we have a single,
>>> worldwide namespace for file paths (/afs).
>> Kerberos 5 already provides a single namespace for principals. The trouble
>> (from your point of view) is that trust is a matter of realm policy, with
>> the end user being constrained by administrative fiat. So you're proposing
>> a mechanism for users to (effectively) register their own principals. One
>> way to do it within a Kerberos framework would be to give each user his/her
>> own realm to administer and establish a trust relationship with it. (No,
>> I don't advocate actually doing this, at least not on a large scale;
>> I only mention it as a possibility.)
>>
>>> Clearly this would require a lot of changes on both the client and
>>> server side.
>> Maybe not much more than what is already needed to support GSSAPI in
>> OpenAFS 2.0.
>>
>>> I'm wondering if it's easier to set up a "kerberos to
>>> pgp proxy" that will pretend to have an instance for any keyprint you
>>> choose, and will issue you a tgt if you can prove that you hold the
>>> private key.  Then it would just be a matter of writing this "fake
>>> kerberos server".
>> Hasn't Microsoft been working on something like this? (Not to forget the
>> proponents of tools like gssklog...) Anyway, I think it's clear that the
>> exact same problem would need to be addressed for, say, NFSv4, so it
>> deserves to be solved at the Kerberos/GSSAPI level rather than within
>> AFS itself.



--
 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444


[OpenAFS] magical new servers appear with false / fake ip addresses

2005-03-23 Thread Jordi Haarman
Hi!

I have a small setup with a FreeBSD (10.90.1.96, running 1.3.79) server and a
Windows XP (10.90.1.101, running 1.3.8001) server that also functions as a
client. Sometimes when I start the servermanager it 'finds' a third
(non-existent) machine with the IP addresses 0.1.0.0 and 1.96.127.0, and
says for some entries on the ghost server that it has a VLDB entry but that
it could not find the volume on its partition, and for the existing server
that it has no VLDB entry for the volume.

I also can't seem to start the accountmanager.

Any idea what kind of magic is happening? 

Jordi


[OpenAFS] OpenAFS dup partition to different servers

2005-03-23 Thread Andrew Velikoredchanin
Hi, all!
I cannot find documentation about duplicating data from an OpenAFS partition
to different servers. What part of the documentation do I need to read for this?

Thanks.


[OpenAFS] Testing 1.3.80 under AIX 5.1: klog crashes the client.

2005-03-23 Thread Hans-Gunther Borrmann
Hello,

As with all versions before, klog crashes the client almost immediately. During my
test it was already the second klog. I did not access any files or
directories besides /afs.
-- 

Hans-Gunther Borrmann <[EMAIL PROTECTED]>
Rechenzentrum der Universitaet Freiburg
Hermann-Herder-Str. 10, D79104 FREIBURG
Tel.: +49 761/203-4652
Fax:  +49 761/203-4643



Re: [OpenAFS] Question about append-only directories and ownership of files

2005-03-23 Thread Todd M. Lewis

Derrick J Brashear wrote:
> On Tue, 22 Mar 2005, Bob Cook wrote:
>> On Monday, March 21, 2005, Todd Lewis wrote:
>>> Not quite. The owner of a directory has implied administrator
>>> rights in that directory.
>> [...] although Todd is right about the behavior, Derrick
>> Brashear acknowledged at last year's Best Practices workshop that the
>> behavior is a bug.  The intent was that the owner of the top directory
>> in a volume have implicit admin rights in the volume, but not that the
>> owner of each directory have such rights in "their" directories.
>> (Derrick: Any guess as to when this will be fixed?  It looks like
>> people are getting used to it, which I would claim is a not-good thing!)
> IIRC it's been fixed in 1.3 for months.
Great!  However, people use the list archives as canonical information
(probably because patching docs just isn't as interesting as patching code;
go figure). In
https://lists.openafs.org/pipermail/openafs-info/2001-July/001623.html,
Jeffrey Hutzelman gave a nugget of cleanly distilled information that clearly
deserves to be updated on the list and put into the wiki.  He said:

> FWIW, there are three cases where someone gets implicit 'a' rights:
> - the owner of a directory gets implicit 'a' rights on that directory
> - the owner of a volume (same as the owner of its root directory)
>   gets implicit 'a' rights on every directory in that volume.
> - members of system:administrators get implicit 'a' rights on every
>   directory in every volume
In light of the fixes in 1.3, would somebody be willing to amend this 
information so that (1) the list has the corrected/updated info somewhere in 
its archive and (2) we've got something concise to put into the wiki?  Free 
karma boost for any takers... :-)

Q. Where is this enforced? Specifically, what's different about implicit 'a' 
rights if somebody is running a 1.2 server with a 1.3 client?  How about a 1.3 
server and a 1.2 client?  Mixed servers?  Other relevant factors?
--
   +--+
  / [EMAIL PROTECTED]  919-962-5273  http://www.unc.edu/~utoddl /
 /  If you don't pay your exorcist you get repossessed. /
+--+


Re: [OpenAFS] AFS in a solaris 10 zone? How about Linux/Xen VM?

2005-03-23 Thread Robert Banz

Near as I can tell, the only way to get AFS in a solaris zone is to run
afsd in the global zone.  This is because zones are not full
virtualization, but merely isolation from other processes and the
fair-share scheduler to allocate resources to the zones.  I have not
tried it, but it seems like it should work.
The couple of "caveats" I've found with running AFS in the global zone...

1) UID-associated tokens are associated across all zones (including the
global.)  PAGs work fine, but I've got a couple things that rely on UID
association...
2) To get /afs to appear as /afs in all of the zones, you use a
loopback mount.  However, since this loopback mount doesn't look like
it's in AFS in the zone, PIOCTLs don't work.  Anyone think of a workaround?

-rob


Re: [OpenAFS] CFP: AFS & Kerberos Best Practices Workshop 2005

2005-03-23 Thread Rodney M Dyer
Is there a reason that this year's AFS Best Practices Workshop isn't being
advertised on the OpenAFS web site yet?

Rodney


[OpenAFS] token expiring during vos move

2005-03-23 Thread Wes Chow

I have a lot of pretty large volumes to move.  I was wondering what
might happen if my AFS token expires while I'm performing a vos move
operation?

Thanks,
Wes

-- 
http://www.senortoad.com/~wes/  OpenPGP key = 0xA5CA6644
fingerprint = FDE5 21D8 9D8B 386F 128F  DF52 3F52 D582 A5CA 6644


Re: [OpenAFS] token expiring during vos move

2005-03-23 Thread Ben Staffin
* Wes Chow <[EMAIL PROTECTED]> [2005-03-23 12:56] wibbled:
> I have a lot of pretty large volumes to move.  I was wondering what
> might happen if my AFS token expires while I'm performing a vos move
> operation?

I've had this happen.  Basically it's Not Good(tm), but it's fairly easy
to fix.  You end up having to vos zap the unfinished volume on the
destination partition and make sure that the VLDB knows where the
working volume really is.

- Ben

-- 
/--
| Ben Staffin
  perpetual nerd  |
--/


Re: [OpenAFS] token expiring during vos move

2005-03-23 Thread Steve Devine
Whatever volume you are currently moving will end up locked and still on 
the original server. You can just unlock it. I run my scripts with the 
ampersand, leave the window open  and then the next day I re-klog and it 
extends my tokens.
/sd
Wes Chow wrote:

> I have a lot of pretty large volumes to move.  I was wondering what
> might happen if my AFS token expires while I'm performing a vos move
> operation?
> Thanks,
> Wes

--
Steve Devine
Storage Systems
Academic Computing & Network Services
Michigan State University
301 Computer Center
East Lansing, MI 48824-1042
1-517-432-7327
Baseball is ninety percent mental; the other half is physical.
- Yogi Berra


Re: [OpenAFS] Question about append-only directories and ownership of files

2005-03-23 Thread Jeffrey Hutzelman
On Wednesday, March 23, 2005 08:26:54 AM -0500 "Todd M. Lewis"
<[EMAIL PROTECTED]> wrote:

> Q. Where is this enforced? Specifically, what's different about implicit
> 'a' rights if somebody is running a 1.2 server with a 1.3 client?  How
> about a 1.3 server and a 1.2 client?  Mixed servers?  Other relevant
> factors?

The set of rights you have on any given file or directory is always 
computed by the fileserver.  So, it doesn't matter what client you're 
running.

-- Jeff
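The three implicit-'a' cases Jeff listed in the quoted 2001 post, Derrick's note that the per-directory owner case was a bug fixed in 1.3, and Jeff's point above that only the fileserver computes rights can be put side by side in a small model. The Python below is an added example for this page, not OpenAFS fileserver code and not from any poster; Volume, Directory, effective_rights, can_administer and the drop-box scenario are constructed for the illustration, and the group set passed in stands for the caller's pts membership as the fileserver would see it (system:anyuser included explicitly).

```python
"""Model of implicit 'a' (administer) rights on an AFS directory.

Added illustration, not OpenAFS code. The class and function names and the
sample cell layout are assumptions made for this example; the rules encoded
are the three cases from the thread, with the per-directory owner case
switchable off to show the 1.3 behaviour.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

ADMIN_GROUP = "system:administrators"


@dataclass
class Volume:
    name: str
    owner: str            # owner of the volume's root directory


@dataclass
class Directory:
    path: str
    volume: Volume
    owner: str
    # ACL entries: principal (user or group) -> positive rights, e.g. "rlidwka".
    acl: Dict[str, str] = field(default_factory=dict)


def explicit_rights(d: Directory, user: str, groups: Set[str]) -> Set[str]:
    """Union of the ACL rights granted to the user and to any of the groups.

    `groups` stands in for the caller's group list as the fileserver sees it
    (pts membership); system:anyuser must be included explicitly here.
    """
    rights = set(d.acl.get(user, ""))
    for g in groups:
        rights |= set(d.acl.get(g, ""))
    return rights


def effective_rights(d: Directory, user: str, groups: Set[str],
                     directory_owner_gets_admin: bool = False) -> Set[str]:
    """Rights the fileserver grants, including implicit 'a'.

    directory_owner_gets_admin=True models the pre-1.3 behaviour that the
    thread calls a bug; False models 1.3, where only the volume owner and
    members of system:administrators receive implicit 'a'.
    """
    rights = explicit_rights(d, user, groups)
    if ADMIN_GROUP in groups:
        rights.add("a")                      # case 3: cell administrators
    if user == d.volume.owner:
        rights.add("a")                      # case 2: owner of the volume
    if directory_owner_gets_admin and user == d.owner:
        rights.add("a")                      # case 1: the one removed in 1.3
    return rights


def can_administer(d: Directory, user: str, groups: Set[str],
                   directory_owner_gets_admin: bool = False) -> bool:
    """True if the user could change the ACL of `d` (holds 'a')."""
    return "a" in effective_rights(d, user, groups, directory_owner_gets_admin)


# Constructed scenario: alice's volume holds an append-only drop box whose
# directory ends up owned by bob; the ACL lets anyone list and insert only.
ALICE_VOL = Volume("user.alice", owner="alice")
DROPBOX = Directory("/afs/example.org/user/alice/dropbox", ALICE_VOL, owner="bob",
                    acl={"alice": "rlidwka", "system:anyuser": "li"})

if __name__ == "__main__":
    for label, old_rule in (("pre-1.3", True), ("1.3", False)):
        print(label, "bob can administer dropbox:",
              can_administer(DROPBOX, "bob", {"system:anyuser"}, old_rule))
```

Running it prints whether bob, who owns the drop-box directory but not the volume, can change its ACL under each rule; with the 1.3 rule his rights are exactly what the ACL grants system:anyuser, which is the property an append-only directory depends on.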


Re: [OpenAFS] CFP: AFS & Kerberos Best Practices Workshop 2005

2005-03-23 Thread Jeffrey Hutzelman

On Wednesday, March 23, 2005 01:31:34 PM -0500 Rodney M Dyer
<[EMAIL PROTECTED]> wrote:

> Is there a reason that this year's AFS Best Practices Workshop isn't being
> advertised on the OpenAFS web site yet?

That's a good question.  I don't think we actually advertised the workshops 
at SLAC or Stockholm University on the web site.  We should probably start 
doing something about that...

-- Jeff


Re: [OpenAFS] token expiring during vos move

2005-03-23 Thread Chris Huebsch
On Wed, 23 Mar 2005, Steve Devine wrote:
> I run my scripts with the ampersand, leave the window open and then
> the next day I re-klog and it extends my tokens.

If you have a krb-5 infrastructure, you can renew your tickets without
the need to type your password.
# while [ 1 ]; do sleep 24h; kinit -R; done
Chris
--
Chris Huebsch   www.huebsch-gemacht.de  | TU Chemnitz, Informatik, RNVS
GPG-Encrypted mail welcome! ID:7F2B4DBA |   Str. d. Nationen 62, B204
 Chemnitzer Linux-Tage 2006, 4.-5.Maerz |   D-09107 Chemnitz
http://chemnitzer.linux-tage.de/        |  +49 371 531-1377, Fax -1803
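Chris's loop renews the ticket blindly every 24 hours. A version that reads the expiry time from klist, renews shortly before it, refreshes the AFS token as well, and stops once the KDC will no longer renew is below. It is an added example for this page, not code from Chris or Steve. It assumes MIT-style klist output with the same column layout as the AIX post further down (the sample here is constructed, with a placeholder principal and realm), that klist and kinit are on PATH, and that aklog, the usual tool for turning a Kerberos ticket into an AFS token, is installed; kinit -R renews only the ticket, so without aklog the token held by the cache manager would still expire on its original schedule.

```python
"""Keep a Kerberos TGT and the AFS token alive without retyping a password.

Added example, not code from the original posts. Assumes MIT-style klist
output (see SAMPLE_KLIST, a constructed sample), kinit/klist on PATH and an
installed aklog. The poll interval and the one-hour renewal margin are
choices made for this example.
"""
import re
import subprocess
import sys
import time
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample of klist output; principal and realm are placeholders.
SAMPLE_KLIST = """\
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_10831
Default principal:  username@EXAMPLE.ORG

Valid starting     Expires            Service principal
03/17/05 20:48:47  03/18/05 06:48:47  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
"""

TIME_FMT = "%m/%d/%y %H:%M:%S"
KLIST_ROW = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)",
    re.MULTILINE)


def tgt_expiry(klist_text: str) -> Optional[datetime]:
    """Expiry time of the first krbtgt/ entry in klist output, or None."""
    for m in KLIST_ROW.finditer(klist_text):
        if m.group(3).startswith("krbtgt/"):
            return datetime.strptime(m.group(2), TIME_FMT)
    return None


def renewal_due(expiry: datetime, now: datetime,
                margin: timedelta = timedelta(hours=1)) -> bool:
    """True when the ticket has expired or will expire within `margin`."""
    return expiry - now <= margin


def renew(run=subprocess.run) -> bool:
    """Renew the TGT, then fetch a fresh AFS token. False once renewal fails.

    kinit -R fails when the renewable lifetime granted by the KDC is used up;
    at that point only a real kinit (with the password) helps, so the caller
    should stop instead of retrying silently forever.
    """
    if run(["kinit", "-R"]).returncode != 0:
        return False
    return run(["aklog"]).returncode == 0


def watch(poll: timedelta = timedelta(minutes=30)) -> None:
    """Poll klist and renew shortly before the ticket expires."""
    while True:
        out = subprocess.run(["klist"], capture_output=True, text=True).stdout
        exp = tgt_expiry(out)
        if exp is None or renewal_due(exp, datetime.now()):
            if not renew():
                sys.exit("renewal failed: run kinit and aklog by hand")
        time.sleep(poll.total_seconds())


if __name__ == "__main__":
    watch()
```

Started in the background in the same session (or PAG) that holds the ticket cache, it replaces both the 24-hour sleep and Steve's manual re-klog; the exit on a failed kinit -R is deliberate, since after the renewable lifetime is exhausted the loop could only keep failing.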


[OpenAFS] AIX 5.2 Setup (k5/afs/ldap)

2005-03-23 Thread Franco \"Sensei\"
Hi.
I'm quite new to AIX, so please excuse me... it's probably simple...
I've read the redbook about AIX/Linux, but I cannot figure out whether
I'm doing it right or am missing a step... I'm struggling with AIX 5.2...
my knowledge is more on Linux; AIX seems to have a different way of
interpreting authentication...
First, I configured Kerberos 5 and LDAP. Now I can obtain a ticket from
our KDCs, and LDAP works for queries... I also noticed that LDAP comes
with no GSSAPI!

Now I don't know how to continue, since AFS is running without
kaserver; we have an MIT KDC and OpenLDAP for home directory and UID/GID
mapping... Then... how can I make AIX join the AFS cell as a client?

In simple tasks:
- UID/GID mapping with LDAP entries
- Kerberos Authentication (lsauthent shows K5 and then STD)
- AFS token grabbing (default k5 on aix seems mit-like)
Tell me if my guesses are right:
First, /etc/security/user:
default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        SYSTEM = "KRB5files OR compat"
*       SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"
        registry = DCE
        umask = 022
        expires = 0
        logintimes =
        pwdwarntime = 0
        account_locked = false

Then /usr/lib/security/methods.cfg:
AFS:
        program = /usr/vice/etc/afs_dynamic_auth
KRB5:
        program = /usr/lib/security/KRB5
KRB5files:
        options = db=BUILTIN,auth=KRB5
Finally /usr/vice/etc (ThisCell, CellServDB) and LDAP. Everything seems
to work, but now I need to glue all the pieces... can you tell me if I'm
doing it right?

plmserver:~> ldapsearch "cn=plm"
version: 2
#
# filter: cn=plm
# requesting: ALL
#
# plm
dn: cn=plm
objectClass: top
objectClass: posixGroup
cn: plm
gidNumber: 10002
memberUid: username
description: afs plm group
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
plmserver:~> kinit username
Password for [EMAIL PROTECTED]:
plmserver:~> klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_10831
Default principal:  [EMAIL PROTECTED]
Valid starting ExpiresService principal
03/17/05 20:48:47  03/18/05 06:48:47  krbtgt/[EMAIL PROTECTED]
plmserver:~>
--
Sensei
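The two SYSTEM lines in Franco's stanza differ in when the local (compat) password is consulted, which is the security-relevant choice in this setup. The evaluator below is an added example, not part of the post and not AIX code: it parses the SYSTEM expression grammar as I read it (method names joined by AND and OR, parentheses, and an optional [SUCCESS], [FAILURE], [UNAVAIL] or [NOTFOUND] condition, where a bare name means [SUCCESS]) and evaluates it against a table of per-method results. AND binding tighter than OR, and an unlisted method counting as UNAVAIL, are assumptions of this example, as are the class and function names. Under that reading, "KRB5files OR compat" still accepts a login through the local password after the KDC has rejected it, whereas the commented-out form falls back to compat only when the Kerberos method is unavailable.

```python
"""Evaluator for the AIX /etc/security/user SYSTEM login-policy expression.

Added example, not part of the original post and not AIX code. Grammar as
assumed here: expr := term (OR term)*; term := factor (AND factor)*;
factor := '(' expr ')' | METHOD ['[' RESULT ']']; a bare METHOD means
METHOD[SUCCESS]. A method with no entry in the results table is treated
as UNAVAIL (assumption).
"""
import re
from typing import Dict, List, Optional

RESULTS = {"SUCCESS", "FAILURE", "UNAVAIL", "NOTFOUND"}
TOKEN = re.compile(r"\(|\)|[A-Za-z0-9_]+(?:\[[A-Z]+\])?")


class SystemExpr:
    """Parse a SYSTEM expression once; evaluate it against method results."""

    def __init__(self, text: str):
        self.toks: List[str] = TOKEN.findall(text.strip('"'))
        self.pos = 0

    def _peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self) -> Optional[str]:
        tok = self._peek()
        self.pos += 1
        return tok

    def evaluate(self, results: Dict[str, str]) -> bool:
        """True if the login is accepted given each method's result."""
        self.pos = 0
        value = self._or(results)
        if self._peek() is not None:
            raise ValueError(f"unexpected trailing token {self._peek()!r}")
        return value

    def _or(self, results: Dict[str, str]) -> bool:
        value = self._and(results)
        while self._peek() == "OR":
            self._take()
            # Evaluate the right operand first so its tokens are always consumed.
            value = self._and(results) or value
        return value

    def _and(self, results: Dict[str, str]) -> bool:
        value = self._factor(results)
        while self._peek() == "AND":
            self._take()
            value = self._factor(results) and value
        return value

    def _factor(self, results: Dict[str, str]) -> bool:
        tok = self._take()
        if tok == "(":
            value = self._or(results)
            if self._take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or tok in ("AND", "OR", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        name, _, cond = tok.partition("[")
        cond = cond.rstrip("]") or "SUCCESS"      # bare name == [SUCCESS]
        if cond not in RESULTS:
            raise ValueError(f"unknown result condition {cond!r}")
        return results.get(name, "UNAVAIL") == cond


# The two policies from the stanza above (active line and commented-out line).
PERMISSIVE = SystemExpr('"KRB5files OR compat"')
AFS_FIRST = SystemExpr('"AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"')
# The same restricted shape applied to the Kerberos method.
STRICT = SystemExpr('"KRB5files OR (KRB5files[UNAVAIL] AND compat[SUCCESS])"')

if __name__ == "__main__":
    # Constructed outcome: the KDC rejected the password, the local one matched.
    kdc_rejected = {"KRB5files": "FAILURE", "compat": "SUCCESS"}
    print("KRB5files OR compat           ->", PERMISSIVE.evaluate(kdc_rejected))
    print("KRB5files OR (UNAVAIL AND ..) ->", STRICT.evaluate(kdc_rejected))
```

The last two lines print True and False respectively: with the permissive form, disabling a principal at the KDC does not lock the account out of the AIX host while a local password entry still exists, so the bracketed form (as in the commented-out AFS line) is the one to use when the KDC should be authoritative and compat only a fallback for outages.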


Re: [OpenAFS] CFP: AFS & Kerberos Best Practices Workshop 2005

2005-03-23 Thread Esther Filderman
Only because, at the time you sent that, I hadn't kicked JHutz's behind yet.

:-)

e.



On Wed, 23 Mar 2005 13:31:34 -0500, Rodney M Dyer <[EMAIL PROTECTED]> wrote:
> Is there a reason that this years AFS Best Practices Workshop isn't being
> advertised on the OpenAFS web site yet?
> 
> Rodney
> 


[OpenAFS] 1.3.80 won't make on Gentoo Linux i386 2.6.11-r3

2005-03-23 Thread Kevin
With Jeff Hutzelman's fix to  src/libafs/MakefileProto.LINUX.in for
@TOP_SRCDIR@/libafs/make_kbuild_makefile.pl from openafs-devel,

./configure --prefix=/usr --host=i686-pc-linux-gnu
--mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share
--sysconfdir=/etc --localstatedir=/var/lib --enable-transarc-paths



  CC [M]  /root/oafs/openafs-1.3.80/src/libafs/MODLOAD-2.6.11-gentoo-r3-kf1-SP/afs_util.o
  CC [M]  /root/oafs/openafs-1.3.80/src/libafs/MODLOAD-2.6.11-gentoo-r3-kf1-SP/afs_vcache.o
/root/oafs/openafs-1.3.80/src/libafs/MODLOAD-2.6.11-gentoo-r3-kf1-SP/afs_vcache.c: In function `afs_NewVCache':
/root/oafs/openafs-1.3.80/src/libafs/MODLOAD-2.6.11-gentoo-r3-kf1-SP/afs_vcache.c:961: error: `inode' undeclared (first use in this function)
/root/oafs/openafs-1.3.80/src/libafs/MODLOAD-2.6.11-gentoo-r3-kf1-SP/afs_vcache.c:961: error: (Each undeclared identifier is reported only once
/root/oafs/openafs-1.3.80/src/libafs/MODLOAD-2.6.11-gentoo-r3-kf1-SP/afs_vcache.c:961: error: for each function it appears in.)
make[6]: *** [/root/oafs/openafs-1.3.80/src/libafs/MODLOAD-2.6.11-gentoo-r3-kf1-SP/afs_vcache.o] Error 1
make[5]: *** [_module_/root/oafs/openafs-1.3.80/src/libafs/MODLOAD-2.6.11-gentoo-r3-kf1-SP] Error 2
make[5]: Leaving directory `/usr/src/linux-2.6.11-gentoo-r3'
make[4]: *** [libafs.ko] Error 2
make[4]: Leaving directory `/root/oafs/openafs-1.3.80/src/libafs/MODLOAD-2.6.11-gentoo-r3-kf1-SP'
make[3]: *** [linux_compdirs] Error 2
make[3]: Leaving directory `/root/oafs/openafs-1.3.80/src/libafs'
make[2]: *** [libafs] Error 2
make[2]: Leaving directory `/root/oafs/openafs-1.3.80'
make[1]: *** [build] Error 2
make[1]: Leaving directory `/root/oafs/openafs-1.3.80'
make: *** [all] Error 2


# uname -a
Linux aphrodite 2.6.11-gentoo-r3-kf1 #1 Tue Mar 15 09:16:59 EST 2005
i686 Intel(R) Celeron(R) CPU 2.53GHz GenuineIntel GNU/Linux

I have 1.3.79 installed on this box but it acts up really badly with
Oops and so forth (discussed in previous posts to this list and -devel).


-- 
-Kevin
http://www.gnosys.us



Re: [OpenAFS] 1.3.80 won't make on Gentoo Linux i386 2.6.11-r3

2005-03-23 Thread Derrick J Brashear
On Wed, 23 Mar 2005, Kevin wrote:
> With Jeff Hutzelman's fix to  src/libafs/MakefileProto.LINUX.in for
> @TOP_SRCDIR@/libafs/make_kbuild_makefile.pl from openafs-devel,
> ./configure --prefix=/usr --host=i686-pc-linux-gnu
> --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share
> --sysconfdir=/etc --localstatedir=/var/lib --enable-transarc-paths

Edit src/config/afsconfig.h and undefine STRUCT_INODE_HAS_INOTIFY_LOCK.
I assume the configure test is somehow broken.


Re: [OpenAFS] 1.3.80 won't make on Gentoo Linux i386 2.6.11-r3

2005-03-23 Thread Derrick J Brashear
Oh, no, the problem is I suck.
Change inode to ip on that line and the next line.
On Wed, 23 Mar 2005, Kevin wrote:
> With Jeff Hutzelman's fix to  src/libafs/MakefileProto.LINUX.in for
> @TOP_SRCDIR@/libafs/make_kbuild_makefile.pl from openafs-devel,
> ./configure --prefix=/usr --host=i686-pc-linux-gnu
> --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share
> --sysconfdir=/etc --localstatedir=/var/lib --enable-transarc-paths

>   CC [M]  /root/oafs/openafs-1.3.80/src/libafs/MODLOAD-2.6.11-gentoo-r3-kf1-SP/afs_util.o
>   CC [M]  /root/oafs/openafs-1.3.80/src/libafs/MODLOAD-2.6.11-gentoo-r3-kf1-SP/afs_vcache.o
> /root/oafs/openafs-1.3.80/src/libafs/MODLOAD-2.6.11-gentoo-r3-kf1-SP/afs_vcache.c: In function `afs_NewVCache':
> /root/oafs/openafs-1.3.80/src/libafs/MODLOAD-2.6.11-gentoo-r3-kf1-SP/afs_vcache.c:961: error: `inode' undeclared (first use in this function)
> /root/oafs/openafs-1.3.80/src/libafs/MODLOAD-2.6.11-gentoo-r3-kf1-SP/afs_vcache.c:961: error: (Each undeclared identifier is reported only once
> /root/oafs/openafs-1.3.80/src/libafs/MODLOAD-2.6.11-gentoo-r3-kf1-SP/afs_vcache.c:961: error: for each function it appears in.)