Re: [OpenAFS] HP-UX file systems on client
On Apr 20, 2005, at 12:24 AM, rogbazan wrote:

> Hi, I'm installing a client on a HP-UX, I knew that the file system type where /usr/vice and /usr/vice/etc will be has to be (and only) hfs, is that correct?

I don't remember anything like that and I'm pretty sure I've done it on some other file system, too. What you refer to might be the restriction on the AFS cache. Try using memcache if you're unsure you have the right file system. I'm using memcache and it works.

> Could I create those dirs on a volume manager FS?

I've done that, too, and the machine didn't bite me :-) but again not for the cache, only for the files to sit around.

BTW, what version of HP-UX? All my statements are true for HP-UX 11.11 and undefined for the rest :-)

Horst

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

Re: [OpenAFS] Debian install problem: ptserver won't start
Scott Fritzinger wrote:
| All,
|
| I'm having a bang your head against a wall problem when installing
| OpenAFS on Debian from the Debian repository.

First - which one? I strongly suggest the experimental sources and version 1.3.81 of OpenAFS.

And to your problem - if the server is multihomed, try the netrestrict file, in which all IPs are listed that OpenAFS shouldn't listen to. More info on the www.openafs.org website documentation. In Debian that file should rest in /etc/openafs/server-local/NetRestrict.

| Thank you for any help in advance!
|
| -Scott

Cya
Lars
--
Technische Universität Braunschweig, Institut für Computergraphik
Tel.: +49 531 391-2109 E-Mail: [EMAIL PROTECTED]
PGP-Key-ID: 0xB87A0E03

[OpenAFS] 1.3.81 under AIX 5.1
Hello,

I further tested the 1.3.81 client under AIX 5.1, single processor, 32-Bit kernel. If root.afs of the workstation's cell is not available the workstation crashes. In this special case root.afs of the cell in question was not yet created. afsd was started without -dynroot. Using -dynroot, the client works well. So this is a minor problem.

Gunther
--
Hans-Gunther Borrmann [EMAIL PROTECTED]
Rechenzentrum der Universitaet Freiburg
Hermann-Herder-Str. 10, D79104 FREIBURG
Tel.: +49 761/203-4652 Fax: +49 761/203-4643

[OpenAFS] 1.3.81 Server under AIX 5.1
Hello,

I tested the 1.3.81 Server under AIX 5.1 ML07, single processor, 32-bit kernel. The salvager coredumps:

[EMAIL PROTECTED]:root]# bos salvage localhost -all
bos: shutting down fs.
Starting salvage.
bos: salvage completed
bos: restarting fs.
[EMAIL PROTECTED]:root]# bos status localhost
Instance fs, currently running normally.
    Auxiliary status is: file server running.
Instance ptserver, currently running normally.
Instance vlserver, currently running normally.
Instance kaserver, currently running normally.
[EMAIL PROTECTED]:root]# vos listvol localhost
Total number of volumes on server localhost partition /vicepa: 3
root.afs                536870962 RW          2 K On-line
root.cell               536870965 RW          3 K On-line
root.cell.readonly      536870966 RO          3 K On-line

Total volumes onLine 3 ; Total volumes offLine 0 ; Total busy 0

Total number of volumes on server localhost partition /vicepb: 1
usr.hgb                 536870968 RW     564128 K On-line

Total volumes onLine 1 ; Total volumes offLine 0 ; Total busy 0

[EMAIL PROTECTED]:root]# bos getlog localhost SalvageLog
Fetching log file 'SalvageLog'...

@(#) OpenAFS 1.3.81 built 2005-04-14
04/20/2005 10:42:12 STARTING AFS SALVAGER 2.4 (/usr/afs/bin/salvager -f)
04/20/2005 10:42:12 Starting salvage of file system partition /vicepa
04/20/2005 10:42:12 Starting salvage of file system partition /vicepb
04/20/2005 10:42:12 SALVAGING FILE SYSTEM PARTITION /vicepa (device=vicepa)
04/20/2005 10:42:12 ***Forced salvage of all volumes on this partition***
04/20/2005 10:42:12 3 nVolumesInInodeFile 84
04/20/2005 10:42:12 SALVAGING VOLUME 536870962.
04/20/2005 10:42:12 root.afs (536870962) not updated (created 04/20/2005 10:16)
04/20/2005 10:42:12 totalInodes 5
04/20/2005 10:42:12 Salvage volume group core dumped!
04/20/2005 10:42:12 CHECKING CLONED VOLUME 536870966.
04/20/2005 10:42:12 root.cell.readonly (536870966) updated 04/20/2005 10:18
04/20/2005 10:42:12 Salvage volume group core dumped!
04/20/2005 10:42:12 SALVAGING OF PARTITION /vicepa COMPLETED
04/20/2005 10:42:12 SALVAGING FILE SYSTEM PARTITION /vicepb (device=vicepb)
04/20/2005 10:42:12 ***Forced salvage of all volumes on this partition***
04/20/2005 10:42:12 1 nVolumesInInodeFile 28
04/20/2005 10:42:12 SALVAGING VOLUME 536870968.
04/20/2005 10:42:12 usr.hgb (536870968) updated 04/20/2005 10:38
04/20/2005 10:42:12 Vnode 60: version inode version; fixed (old status)
04/20/2005 10:42:12 Salvage volume group core dumped!
04/20/2005 10:42:12 SALVAGING OF PARTITION /vicepb COMPLETED

Compilation information:

CC=cc ./configure --enable-namei-fileserver \
    --enable-largefile-fileserver \
    --enable-fast-restart \
    --enable-bitmap-later \
    --enable-tivoli-tsm \
    --enable-transarc-paths \
    --disable-pam

--
Hans-Gunther Borrmann [EMAIL PROTECTED]
Rechenzentrum der Universitaet Freiburg
Hermann-Herder-Str. 10, D79104 FREIBURG
Tel.: +49 761/203-4652 Fax: +49 761/203-4643

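In the report above, bos says "salvage completed" and every instance is "running normally", while the SalvageLog records a crash for each volume group. The following triage script is an added example, not part of the original message or of OpenAFS: it pairs each "core dumped" line with the partition and volume id logged before it. The function names are hypothetical and the sample lines are copied (abridged) from the log in the message.

```shell
#!/bin/sh
# Added example (not from the original post): triage a SalvageLog.

# Lines copied, abridged, from the SalvageLog quoted in the message above.
sample_salvagelog() {
cat <<'EOF'
04/20/2005 10:42:12 SALVAGING FILE SYSTEM PARTITION /vicepa (device=vicepa)
04/20/2005 10:42:12 ***Forced salvage of all volumes on this partition***
04/20/2005 10:42:12 SALVAGING VOLUME 536870962.
04/20/2005 10:42:12 root.afs (536870962) not updated (created 04/20/2005 10:16)
04/20/2005 10:42:12 Salvage volume group core dumped!
04/20/2005 10:42:12 CHECKING CLONED VOLUME 536870966.
04/20/2005 10:42:12 root.cell.readonly (536870966) updated 04/20/2005 10:18
04/20/2005 10:42:12 Salvage volume group core dumped!
04/20/2005 10:42:12 SALVAGING OF PARTITION /vicepa COMPLETED
04/20/2005 10:42:12 SALVAGING FILE SYSTEM PARTITION /vicepb (device=vicepb)
04/20/2005 10:42:12 SALVAGING VOLUME 536870968.
04/20/2005 10:42:12 usr.hgb (536870968) updated 04/20/2005 10:38
04/20/2005 10:42:12 Salvage volume group core dumped!
04/20/2005 10:42:12 SALVAGING OF PARTITION /vicepb COMPLETED
EOF
}

# salvage_crashes: read SalvageLog text on stdin and print
# "<partition> <volume id>" for every "core dumped" line, using the most
# recent partition header and volume line seen before it.
salvage_crashes() {
    awk '
        / SALVAGING FILE SYSTEM PARTITION / { part = $7; vol = "unknown" }
        / (SALVAGING|CHECKING CLONED) VOLUME [0-9]+\.$/ {
            vol = $NF
            sub(/\.$/, "", vol)      # drop the trailing full stop
        }
        / Salvage volume group core dumped!/ { print part, vol }
    '
}

# salvage_is_clean: succeed only if the log on stdin reports no crash.
salvage_is_clean() {
    [ -z "$(salvage_crashes)" ]
}

# Demo on the sample: list the affected volumes, then give a verdict.
sample_salvagelog | salvage_crashes
if sample_salvagelog | salvage_is_clean; then
    echo "salvage clean"
else
    echo "salvager crashed; do not trust the 'salvage completed' message"
fi
```

On a server the input would come from `bos getlog <server> SalvageLog` instead of the embedded sample.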
[OpenAFS] Kerberos 5 in OpenAFS
Hello Everybody,

I've set up an OpenAFS cell, and it works fine. I can create users, user directories and so on. But now I'm trying to implement Kerberos 5 into OpenAFS, I find a lot of information about what goes wrong or what mistakes people make. But I don't know how to start. Some people talk about migration tools like asetkey and aklog, but what do they do?

Is there someone who can help me get on the way implementing Kerberos into OpenAFS???

I'm working with gentoo, and my kernel-version is 2.4.26. The version of OpenAFS is 1.2.11.

THX in advance.

Greetz
Loretto

Re: [OpenAFS] Debian install problem: ptserver won't start
* Lars Schimmer [2005-04-20 10:10:08 +0200]:
> Scott Fritzinger wrote:
> | All,
> |
> | I'm having a bang your head against a wall problem when installing
> | OpenAFS on Debian from the Debian repository.
>
> First - which one? I strongly suggest the experimental sources and version 1.3.81 of OpenAFS.

Very good question. In particular, Debian stable (woody, 3.0r5) still ships with OpenAFS 1.2.3 packages which you most definitely should not use. Get the 1.2.13 packages from openafs.org if you're using woody.

> And to your problem - if the server is multihomed, try the netrestrict file, in which all IPs are listed that OpenAFS shouldn't listen to. More info on the www.openafs.org website documentation. In Debian that file should rest in /etc/openafs/server-local/NetRestrict.

Or in /var/lib/openafs, depending on which build of the .deb's you are using.

I agree that NetRestrict can be desirable for a multihomed server, but I don't think it's the main issue here. Things ought to work, if a little less efficiently, without any explicit NetRestrict configuration.

Re: [OpenAFS] Kerberos 5 in OpenAFS
Hi,

Maybe these could help you, these are the guides I used for installing my AFS cell on Debian sarge:
http://www.debianplanet.org/node.php?id=816
http://www.scode.org/afs/openafs-install.txt

AFAIK asetkey and aklog are 2 programs from the Kerberos Migration kit. asetkey is for converting your afs kerberosV service key to Kerberos4 key so afs can work with it and aklog is for obtaining AFS tokens from your kerberosV ticket.

Hope this helps,
David

[EMAIL PROTECTED] wrote:
> Hello Everybody,
>
> I've set up an OpenAFS cell, and it works fine. I can create users, user directories and so on. But now I'm trying to implement Kerberos 5 into OpenAFS, I find a lot of information about what goes wrong or what mistakes people make. But I don't know how to start. Some people talk about migration tools like asetkey and aklog, but what do they do?
>
> Is there someone who can help me get on the way implementing Kerberos into OpenAFS???
>
> I'm working with gentoo, and my kernel-version is 2.4.26. The version of OpenAFS is 1.2.11.
>
> THX in advance.
>
> Greetz
> Loretto

Re: [OpenAFS] Kerberos 5 in OpenAFS
On Wed, April 20, 2005 5:58 am, David Claessens said:
> Hi,
>
> Maybe these could help you, these are the guides I used for installing my AFS cell on Debian sarge:
> http://www.debianplanet.org/node.php?id=816
> http://www.scode.org/afs/openafs-install.txt
>
> AFAIK asetkey and aklog are 2 programs from the Kerberos Migration kit. asetkey is for converting your afs kerberosV service key to Kerberos4 key so afs can work with it and aklog is for obtaining AFS tokens from your kerberosV ticket.
>
> Hope this helps,
> David
>
> [EMAIL PROTECTED] wrote:
> > Hello Everybody,
> >
> > I've set up an OpenAFS cell, and it works fine. I can create users, user directories and so on. But now I'm trying to implement Kerberos 5 into OpenAFS, I find a lot of information about what goes wrong or what mistakes people make. But I don't know how to start. Some people talk about migration tools like asetkey and aklog, but what do they do?
> >
> > Is there someone who can help me get on the way implementing Kerberos into OpenAFS???
> >
> > I'm working with gentoo, and my kernel-version is 2.4.26. The version of OpenAFS is 1.2.11.
> >
> > THX in advance.
> >
> > Greetz
> > Loretto

It is a bit different if you are moving an existing cell to K5 versus just setting up a cell and then a K5 kdc. If you have existing users and their passwords to worry about you will need afs2k5db to migrate the users. Google afs2k5db.

/sd

Steve Devine
Storage Systems
Academic Computing Network Services
Michigan State University
301 Computer Center
East Lansing, MI 48824-1042
1-517-432-7327

Baseball is ninety percent mental; the other half is physical. - Yogi Berra

Re: [OpenAFS] Kerberos 5 in OpenAFS
> It is a bit different if you are moving an existing cell to K5 versus just setting up a cell and then a K5 kdc. If you have existing users and their passwords to worry about you will need afs2k5db to migrate the users. Google afs2k5db.

OK I understand, but I don't have to worry about users and passwords and user directories. Because this is a test project.

What I think I should do is get the migration tools: asetkey and aklog. Create an afs entry in Kerberos and so on ... But I can't find these migration tools for gentoo. Is there someone who knows where to find them??

ThX

Re: [OpenAFS] HP-UX file systems on client
Horst Birthelmer wrote:
> On Apr 20, 2005, at 12:24 AM, rogbazan wrote:
> > Hi, I'm installing a client on a HP-UX, I knew that the file system type where /usr/vice and /usr/vice/etc will be has to be (and only) hfs, is that correct?
>
> I don't remember anything like that and I'm pretty sure I've done it on some other file system, too. What you refer to might be the restriction on the AFS cache. Try using memcache if you're unsure you have the right file system. I'm using memcache and it works.

The cache should be hfs, for example the fstab entry looks like:

/dev/vg00/lvol9 /usr/vice/cache hfs rw,suid,nolargefiles 0 2

> > Could I create those dirs on a volume manager FS?
>
> I've done that, too, and the machine didn't bite me :-) but again not for the cache, only for the files to sit around.
>
> BTW, what version of HP-UX? All my statements are true for HP-UX 11.11 and undefined for the rest :-)

I have built OpenAFS 1.3.81 for hp_ux110, hp_ux11i, ia64_hpux123 and for hp_ux1123. So far we have only tested the new hp_ux1123. If any of you are interested in testing these, drop me a note.

> Horst

--
Douglas E. Engert [EMAIL PROTECTED]
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

Re: [OpenAFS] HP-UX file systems on client
rogbazan wrote:
> Hi, I'm installing a client on a HP-UX, I knew that the file system type where /usr/vice and /usr/vice/etc will be has to be (and only) hfs, is that correct? Could I create those dirs on a volume manager FS? This is my first time on the issue (HP-UX). I've been trying to find that info on the documentation, but nothing. Please help me. thanx a lot.

http://grand.central.org/twiki/bin/view/AFSLore/SupportedConfigurations is supposed to have all the known-to-work and known-to-fail file system types for both client caches and server /vicepXes. It's probably pretty close to correct, but I see vxfs listed as working for sun4x_5[789] client caches while vxfs (HP-UX, Solaris) is listed under These Don't Work for client caches.

Would somebody who knows the status of vxfs for client cache on Solaris please update the above linked twiki page?

--
[EMAIL PROTECTED] 919-962-5273 http://www.unc.edu/~utoddl
Banning the bra was a big flop.

Re: [OpenAFS] 1.3.81 under AIX 5.1
My very minor problem is not being able to tell the difference between PAG and UID-based tokens. groups no longer lists the special groups. IBM resolved it by changing the output of AIX 5 tokens to indicate PAG or UID based tokens in the output. I'd be willing to do the same if I had a quick here's what to look for.

IBM AFS also introduced a 'curpag' command that tells you which PAG you are in (similar to looking at what special groups you were in). Though not a 'must', this is also quite handy from time to time.

--
Michael Niksch /Zurich/IBM @ IBMCH
IBM Zurich Research Laboratory [EMAIL PROTECTED]
Saeumerstrasse 4 http://www.zurich.ibm.com/~nik/
CH-8803 Rueschlikon / Switzerland
P: +41-44-724-8913 F: +41-44-724-8080

Re: [OpenAFS] can not change a backup or readonly volume
> Have you had a token for an admin user while performing that action?
> Use the command tokens to check that.

Should the tokens command specify admin or is there a symbolic representation?

[EMAIL PROTECTED] klog admin
Password:
[EMAIL PROTECTED] tokens

Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for [EMAIL PROTECTED] [Expires Apr 21 11:07]
   --End of list--
[EMAIL PROTECTED] vos create -server addedserver.edu -partition /vicepe -name addedserver-afs -cell .exp-lab.edu
vsu_ClientInit: Could not get afs tokens, running unauthenticated.
Could not get an Id for volume addedserver-afs
VLDB: no permission access for call
Error in vos create command.
VLDB: no permission access for call
[EMAIL PROTECTED]

Re: [OpenAFS] can not change a backup or readonly volume
[EMAIL PROTECTED] wrote:
|Have you had a token for a admin user while performing that action?
|Use the command tokens to check that.
| Should the tokens command specify admin or is there a symbolic
| representation?
|
| [EMAIL PROTECTED] klog admin
| Password:
| [EMAIL PROTECTED] tokens
|
| Tokens held by the Cache Manager:
|
| User's (AFS ID 1) tokens for [EMAIL PROTECTED] [Expires Apr 21 11:07]
|--End of list--

So far so good. I assume the UserID 1 in your cell is the admin.

| [EMAIL PROTECTED] vos create -server addedserver.edu -partition /vicepe -name addedserver-afs -cell .exp-lab.edu
| vsu_ClientInit: Could not get afs tokens, running unauthenticated.
| Could not get an Id for volume addedserver-afs
| VLDB: no permission access for call
| Error in vos create command.
| VLDB: no permission access for call
| [EMAIL PROTECTED]

That's not good. Try

vos create addeserver vicepe addserver-afs exp-lab.edu

instead, maybe there are typos. At least the dot in front of the cell name could be a showstopper. Do you need the -cell option at least? Mine vos create works without.

Cya
Lars
--
Technische Universität Braunschweig, Institut für Computergraphik
Tel.: +49 531 391-2109 E-Mail: [EMAIL PROTECTED]
PGP-Key-ID: 0xB87A0E03

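A pre-flight check for the situation discussed above, as an added example that is not part of the original thread: AFS tokens are held per cell, so the script parses `tokens` output and confirms there is a token for exactly the cell name the command will be given. The function names are hypothetical, the sample output is constructed, and the cell name exp-lab.edu in it is an assumption, since the token line in the thread is redacted.

```shell
#!/bin/sh
# Added example (not from the original thread): confirm that the Cache Manager
# holds a token for the cell an administrative command is about to name.

# Constructed `tokens` output. The principal in the thread is redacted, so the
# cell exp-lab.edu is an assumption taken from the -cell argument.
sample_tokens() {
cat <<'EOF'

Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@exp-lab.edu [Expires Apr 21 11:07]
   --End of list--
EOF
}

# token_cells: read `tokens` output on stdin and print one cell name for each
# token line that carries an "[Expires ...]" stamp.
token_cells() {
    awk '
        / tokens for afs@/ && /\[Expires / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^afs@/) { sub(/^afs@/, "", $i); print $i }
        }
    '
}

# has_token_for CELL: succeed only if stdin lists a token for exactly CELL.
# -F and -x make this a literal whole-line comparison, so ".exp-lab.edu" and
# "exp-lab.edu" are different names.
has_token_for() {
    token_cells | grep -Fqx -- "$1"
}

# Demo: the cell name as written in the thread's vos command (leading dot)
# and the same name without the dot.
for cell in .exp-lab.edu exp-lab.edu; do
    if sample_tokens | has_token_for "$cell"; then
        echo "$cell: token present"
    else
        echo "$cell: no token for this cell name"
    fi
done
```

In use, pipe the real `tokens` output into `has_token_for` with the same string that will be passed to `-cell`.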
Re: [OpenAFS] Kerberos 5 in OpenAFS
[EMAIL PROTECTED] wrote:
> OK I understand, but I don't have to worry about users and passwords and user directories. Because this is a test project.
>
> What I think I should do is get the migration tools: asetkey and aklog. Create an afs entry in Kerberos and so on ... But I can't find these migration tools for gentoo. Is there someone who knows where to find them??

You can grab them from debian's repository and recompile them. Make sure you modify the make files, because libraries have changed since woody versions.

--
Sensei mailto:[EMAIL PROTECTED] pgp:8998A2DB
The difference between stupidity and genius is that genius has its limits. Albert Einstein

[OpenAFS] AFS client on AIX: is there hope?
Hi, still trying to have my AIX 5.2 get on my cell!

My situation (again). Kerberos KDC, OpenAFS, OpenLDAP on debian stable. Kerberos authenticates, LDAP gives home informations along with GID/UID (*flat* database: uid=username, objectClass=top, objectClass=posixAccount...), at last, I convert the ticket in afs token and the session begins.

What I've succeeded to do? Kerberos can kinit, ktutil and kadmin. OpenAFS mounts my cell correctly, but I can't access to it since I don't have the tokens. Perfect.

Now how do I make this work under AIX? How to convert tickets in tokens? How to use LDAP for user info? I've contacted aix newsgroups but nothing. They use aix just server-side.

Has anyone an AIX machine being a client of afs kerberos?

--
Sensei mailto:[EMAIL PROTECTED] pgp:8998A2DB
The difference between stupidity and genius is that genius has its limits. Albert Einstein

Re: [OpenAFS] Problem with pam on debian with 1.3.81 kernel 2.6.11
On Thu, Apr 14, 2005 at 12:59:13PM +0200, Lars Schimmer wrote:
> Hi!
>
> I setup pam conf on debian sarge like it was written here:
> http://mailman.mit.edu/pipermail/kerberos/2004-October/006601.html
> And tried to login and get my tokens. I can login, but can't get any tickets. I have to call kinit manually to get a ticket and after that aklog to obtain a token. Has anyone a working conf on debian sarge for me?

The following works on my setup, Debian Sarge, Kerberos 5 and OpenAFS.

You need the libpam-openafs-session and libpam-krb5 (MIT Kerberos).

The following is just the Kerberos and AFS part of my PAM configuration, note that there is no common-password, I don't use it, but I suspect that it wouldn't be much different.

/etc/pam.d/common-account:
    account sufficient pam_krb5.so

/etc/pam.d/common-auth:
    auth sufficient pam_krb5.so

/etc/pam.d/common-session:
    session optional pam_krb5.so
    session optional pam_openafs_session.so

The KerberosTgtPassing yes won't work on Sarge, as the Debian package doesn't support that, so you'll need to compile OpenSSH yourself.

Step 2 and 3 in the guide you refer to are redundant if you let PAM handle everything. The downside is that you won't be able to use ssh keys, which brings you back to recompiling SSH yourself. The ssh-krb5 package doesn't really seem to contain as many features as one would like. I might be wrong, but I failed to make it work.

Hope it helps
--
Simon
Do not assume that low-probability, high-impact events will not happen.

[OpenAFS] Integrating AFS and Kerberos V
Hi All,

I know this is AFS mailing list, please forgive me if I post to the wrong place.

Recently I spent some time on OpenAFS and MIT Kerberos V and finally authenticate AFS users through MIT Kerberos V server instead of AFS KA server. During this process, I googled a lot but didn't find too many useful articles regarding this topic (Except Ken Hornstein).

I'd like to share my experience with people, but don't know if anybody is interested. So I send this message and hope to know some new friends.

Jun Li
Sun Certified -- SCSA, SCNA

Re: [OpenAFS] Problem with pam on debian with 1.3.81 kernel 2.6.11
Simon Lyngshede [EMAIL PROTECTED] writes:
> The KerberosTgtPassing yes won't work on Sarge, as the Debian package doesn't support that, so you'll need to compile OpenSSH yourself.

Or install ssh-krb5 and then set GSSAPIDelegateCredentials in ssh_config.

--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/

Re: [OpenAFS] Debian install problem: ptserver won't start
Lars (and others who have responded),

I was using Debian stable, which was, as mentioned, using the 1.2.3 release. I removed all of 1.2.3 and tried the Debian testing branch (which uses 1.3.18). I ran into a problem with bosserver not finding the default cell when it is being shut down. afs-newcell had problems because of this it seems.

So, I removed it all, added the openafs.org repository to my sources lists and installed 1.2.13, which appears to have worked with exception of the kernel modules. I'm currently running 2.6.7 and the openafs-modules-source won't compile because of the changes to sys_call_table apparently in the new kernel. I am moving back down to 2.4.27 (something I've been meaning to do for a while. Can you tell this is the experimental server? :-) and will try again.

I'll write in to give a status update when 2.4.27 is installed and the modules are loaded. Thanks to everyone for replying and providing feedback.

-Scott

Sergio Gelato wrote:
> * Lars Schimmer [2005-04-20 10:10:08 +0200]:
> > Scott Fritzinger wrote:
> > | All,
> > |
> > | I'm having a bang your head against a wall problem when installing
> > | OpenAFS on Debian from the Debian repository.
> >
> > First - which one? I strongly suggest the experimental sources and version 1.3.81 of OpenAFS.
>
> Very good question. In particular, Debian stable (woody, 3.0r5) still ships with OpenAFS 1.2.3 packages which you most definitely should not use. Get the 1.2.13 packages from openafs.org if you're using woody.
>
> > And to your problem - if the server is multihomed, try the netrestrict file, in which all IPs are listed that OpenAFS shouldn't listen to. More info on the www.openafs.org website documentation. In Debian that file should rest in /etc/openafs/server-local/NetRestrict.
>
> Or in /var/lib/openafs, depending on which build of the .deb's you are using.
>
> I agree that NetRestrict can be desirable for a multihomed server, but I don't think it's the main issue here. Things ought to work, if a little less efficiently, without any explicit NetRestrict configuration.

Re: [OpenAFS] AFS client on AIX: is there hope?
From Franco Sensei [EMAIL PROTECTED]
> Hi, still trying to have my AIX 5.2 get on my cell!
>
> My situation (again). Kerberos KDC, OpenAFS, OpenLDAP on debian stable. Kerberos authenticates, LDAP gives home informations along with GID/UID (*flat* database: uid=username, objectClass=top, objectClass=posixAccount...), at last, I convert the ticket in afs token and the session begins.

I'm using Solaris for my servers, two are Solaris 10 running 1.3.80 and one is still Solaris 9 running 1.2.13. I'm using NIS for account information.

> What I've succeeded to do? Kerberos can kinit, ktutil and kadmin. OpenAFS mounts my cell correctly, but I can't access to it since I don't have the tokens. Perfect.

Which Kerberos are you using? I compiled and am using MIT Kerberos 1.3.1 or possibly 1.3.6, not sure exactly. I thought someone had previously mentioned a pure Kerberos 5 aklog available somewhere, but I haven't yet tried to compile it on AIX nor do I remember where it is available from.

> Now how do I make this work under AIX? How to convert tickets in tokens? How to use LDAP for user info? I've contacted aix newsgroups but nothing. They use aix just server-side.

I just downloaded and compiled gssklog on AIX: ftp://achilles.ctd.anl.gov/pub/DEE/

Of course, this requires gssklogd running on your AFS servers, but this was an acceptable alternative for us since we also use gssklog from our Windows 2003 machines.

> Has anyone an AIX machine being a client of afs kerberos?

I have an AIX 5.1 and 5.2 machine with AFS and Kerberos working quite well. Only issue is that users do not automatically acquire tokens at login. They simply run gssklog to obtain tokens. This is acceptable in my environment. You might be able to get a pam_run or similar module to run an aklog or gssklog at login on AIX 5.2. (AIX 5.1 has no real PAM.) Is this the only problem you are having?

There was a recent post about afs_dynamic_kerbauth working in 1.3.80 but I still run 1.2.13 on my AIX machines. Can someone confirm that it does indeed work against a Kerberos 5 KDC? afs_dynamic_kerbauth does NOT appear to work against a Kerberos 5 KDC in the 1.2.13 version, although I will re-test if someone believes it does.

CDC
Christopher D. Clausen [EMAIL PROTECTED] SysAdmin

[OpenAFS] acl's and permissions
Hello,

If my home directory (on Linux) is /home/ron and I have a directory project that I want to give another afs user access to then that user needs to have at least l rights in my home directory, correct?

I mean if him has access to /home/ron/project then his rights need to be rwl AND his rights in /home/ron need to be at least l, right?

I tried giving him access to project by: fs sa him rwl (when in the projects subdir). But he can't get there. Or am I missing something?

thanks,
Ron

=
1879: Thomas Edison gets an idea, and his brother Timmy says, Hey, what's that thing over your head?
=
Ron Croonenberg                | Phone: 1 765 658 4761
Technology Coordinator         | Fax: 1 765 658 4732
                               |
Department of ComputerScience  | e-mail : [EMAIL PROTECTED]
DePauw University              |
Julian Science Math Center     |
602 South College Ave.         |
Greencastle, IN 46135          |
=
http://www.depauw.edu/acad/computer/RonCroonenberg.asp
=

Re: [OpenAFS] Kerberos 5 in OpenAFS
On Wed, Apr 20, 2005 at 11:58:16AM +0200, David Claessens wrote:
> Hi,
>
> Maybe these could help you, these are the guides I used for installing my AFS cell on Debian sarge:
> http://www.debianplanet.org/node.php?id=816
> http://www.scode.org/afs/openafs-install.txt

The debianplanet.org guide isn't all that good, there are mistakes in it, some parts simply wrong... or just out of date. A colleague of mine cleaned it up a bit when we did our installation:

http://web.s-et.aau.dk/edb/guides/afs-server-install.html

It does explain that much, but at least it works.

--
Simon
Assume that every mistake the users can make will be made.

[OpenAFS] MS Access and OpenAFS
Has anyone used an MS Access database from within OpenAFS? Does it work with multiple users? I'd heard some talk about AFS not supporting byte-range locking, and wasn't sure how MS Access fit into this.

Thanks,
Gabe

[OpenAFS] Re: Kerberos 5 in OpenAFS
Franco Sensei wrote:
> [EMAIL PROTECTED] wrote:
> > OK I understand, but I don't have to worry about users and passwords and user directories. Because this is a test project.
> >
> > What I think I should do is get the migration tools: asetkey and aklog. Create an afs entry in Kerberos and so on ... But I can't find these migration tools for gentoo. Is there someone who knows where to find them??
>
> You can grab them from debian's repository and recompile them. Make sure you modify the make files, because libraries have changed since woody versions.

This is where I got a copy:
ftp://ftp.cmf.nrl.navy.mil/pub/kerberos5/afs-krb5-2.0.tar.gz

Re: [OpenAFS] MS Access and OpenAFS
Gabe Castillo wrote:
> Has anyone used an MS Access database from within OpenAFS? Does it work with multiple users? I'd heard some talk about AFS not supporting byte-range locking, and wasn't sure how MS Access fit into this.
>
> Thanks,
> Gabe

You do not want to execute database applications out of AFS. AFS does not support byte range locks. MS Access requires byte range locks to protect records during modification.

Jeffrey Altman

Re: [OpenAFS] AFS client on AIX: is there hope?
From: Franco Sensei [EMAIL PROTECTED] Christopher D. Clausen wrote: We can compile (at least I hope) aklog from sources, but the problem is that I don't see where to attach aklog, which has to be run before a session is opened. Just for the sake of testing it, does http://afs.caspur.it/afs/italia/project/ssh/ work for you, getting tokens at login? I just downloaded and compiled gssklog on AIX: ftp://achilles.ctd.anl.gov/pub/DEE/ Of course, this requires gssklogd running on your AFS servers, but this was an acceptable alternative for us since we also use gssklog from our Windows 2003 machines. Mmmh... another daemon, another port open. We can give it a try anyway. How can you use it on aix? I mean, how do you start gssklog in your config files? Right now I just type in gssklog as the first thing I run after logging on. For instance: Using username cclausen. [EMAIL PROTECTED]:~]% gssklog [EMAIL PROTECTED]:~]% I have my home directory setup to let all my login scripts run fine even if I don't have AFS tokens at login: /afs/acm.uiuc.edu/user/cclausen is system:anyuser l and ~/Public is system:anyuser rl. I have symlinks from ~/ to ~/Public for various files to not depend on tokens for my scripts to run. Depending on the shells you use, you might be able to fake tokens by running gssklog or aklog directly from /etc/profile or whatever global config your shells use or from each user's dotfiles. I can't use LDAP to retrieve user information. And... it's quite bad not having any token at login! :) Do you use ssh or a direct login? This is one of the reasons why we still use NIS. Haven't gotten LDAP to work everywhere yet. I ssh in right now. I have a version of openssh 3.8 that I compiled against MIT Kerberos myself. The version that IBM distributes from their website has Kerberos support, but I wanted to support MIT Kerberos 1.3 so that I could get RC4-HMAC enc_type support, as I'm pretty sure the IBM Kerberos doesn't support it yet. 
There was a recent post about afs_dynamic_kerbauth working in 1.3.80 but I still run 1.2.13 on my AIX machines. Can someone confirm that it does indeed work against a Kerberos 5 KDC? afs_dynamic_kerbauth does NOT appear to work against a Kerberos 5 KDC in the 1.2.13 version, although I will re-test if someone believes it does. I'd be happy staying with the stable branch... If I'm right afs_dynamic_kerbauth works with kerberos 4, not 5... is it so? That is what I think as well. Kerberos 4 only, which is hopefully something everyone is moving away from. Although the IBM docs mention DCE, which doesn't work with Kerberos 4, so it's possible that there is Krb5 support, we just don't know how to use it correctly. The other option is to write your own AIX Auth Module and use it. I am considering doing this myself, but it really isn't worth the trouble for the few machines that we have that run AIX. And newer AIX versions have PAM support, so this is even less useful. If someone has contacts at IBM, it might be possible to obtain an example or the source to IBM's KRB5 or KRB5A LAM and then modify it to also obtain AFS tokens in addition to Kerberos tickets. I have no idea how willing IBM would be to work with someone on doing just that. Have you tried using pam_afs2 on AIX? Doug emailed this list a few weeks ago about it: ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar I have an AIX 5.1 system with no PAM support, so it won't work for me, but you might be able to get it to work. You may be able to use LAM on AIX 5.2 to have SSH obtain AFS tokens using one of the afs PAMs available on the net. I believe I posted this to the AIX newsgroup, but http://www.feep.net/PAM/AIX/ might be of use to others who haven't seen that post. I don't have a dev environment set up on an AIX 5.2 machine right now, but when I get around to it I'll attempt to get PAM and LAM working such that tokens can be obtained at login. 
CDC ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
RE: [OpenAFS] MS Access and OpenAFS
One can reverse engineer the Access database design with Visio Enterprise and have Visio emit new definitions for any number of real databases. AFS is a good place to archive .mdb files. Being a university, one should investigate SQL server for multiuser applications. Its Data Transformation Services work quite well. Of course then you have that to back up.

tedc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Federico Balbi
Sent: Wednesday, April 20, 2005 2:54 PM
To: Gabe Castillo
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] MS Access and OpenAFS

I do not think AFS would be good with concurrent users. AFS is good to share many small files with low concurrency access. If you have a bunch of MDB and low probability to have 2 users or more using it concurrently then it would be fine.

Federico Balbi
Division of Computer Science
University of Texas at San Antonio
6900 N. Loop 1604 West
San Antonio, TX 78249-0667
[EMAIL PROTECTED]
http://www.cs.utsa.edu/~fbalbi

On Wed, 20 Apr 2005, Gabe Castillo wrote:

Has anyone used an MS Access database from within OpenAFS? Does it work with multiple users? I'd heard some talk about AFS not supporting byte-range locking, and wasn't sure how MS Access fit into this.

Thanks,
Gabe
Re: [OpenAFS] openafs fileservers in VMware ESX
Here is some of the strace. It seems that the gettimeofday function is having issues. Would this cause the vos listvol to slow? If this is the case then would I be safe to say it is an OS level issue, not an afs issue? Of course now I have to move all the volumes onto a REDHAT server (we use debian) before I can bug vmware.

Cheers
Matt

gettimeofday({1114053992, 397630}, NULL) = 0
select(4, [3], NULL, NULL, {0, 939534}) = 0 (Timeout)
gettimeofday({1114053993, 336018}, NULL) = 0
select(4, [3], NULL, NULL, {0, 1146}) = 0 (Timeout)
gettimeofday({1114053993, 346133}, NULL) = 0
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={21474834, 33}}) = 0
gettimeofday({1114053993, 346467}, NULL) = 0
select(4, [3], NULL, NULL, {12, 989666}) = 0 (Timeout)
gettimeofday({1114054006, 341534}, NULL) = 0
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={21474821, 34}}) = 0
select(4, [3], NULL, NULL, {0, 0}) = 0 (Timeout)
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={21474821, 34}}) = 0
gettimeofday({1114054006, 342237}, NULL) = 0
select(4, [3], NULL, NULL, {14, 999297}) = 0 (Timeout)
gettimeofday({1114054021, 352019}, NULL) = 0
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={21474806, 34}}) = 0
sendmsg(3, {msg_name(16)={sin_family=AF_INET, sin_port=htons(7005), sin_addr=inet_addr(130.216.35.4)}}, msg_iov(2)=[{Bg\35g\t\220\311t\0\0\0\1\0\0\0\0\0\0\0\2\2#\0\0\0\0\0..., 28}, {\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\26\0\0..., 37}], msg_controllen=0, msg_flags=0}, 0) = 65
select(4, [3], NULL, NULL, {0, 0}) = 0 (Timeout)
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={21474806, 34}}) = 0
gettimeofday({1114054021, 353190}, NULL) = 0
select(4, [3], NULL, NULL, {14, 998829}) = 1 (in [3], left {14, 96})
recvmsg(3, {msg_name(16)={sin_family=AF_INET, sin_port=htons(7005), sin_addr=inet_addr(130.216.35.4)}}, msg_iov(7)=[{Bg\35g\t\220\311t\0\0\0\1\0\0\0\0\0\0\0\2\2 \0\0\307\37..., 28}, {\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\2\7\0\266I\6\0\0\26\0\0..., 1416}, {\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0..., 1416}, {\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0..., 1416}, {\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0..., 1416}, {\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0..., 1416}, {\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0..., 1420}], msg_controllen=0, msg_flags=0}, 0) = 65
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={21474806, 29}}) = 0
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={21474806, 29}}) = 0
gettimeofday({1114054021, 398538}, NULL) = 0
select(4, [3], NULL, NULL, {14, 904652}) = 0 (Timeout)
gettimeofday({1114054036, 315442}, NULL) = 0
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={21474791, 38}}) = 0
select(4, [3], NULL, NULL, {0, 0}) = 0 (Timeout)
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={21474791, 38}}) = 0
gettimeofday({1114054036, 316288}, NULL) = 0
select(4, [3], NULL, NULL, {0, 39154}) = 0 (Timeout)
gettimeofday({1114054036, 355875}, NULL) = 0
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={21474791, 34}}) = 0
gettimeofday({1114054036, 356213}, NULL) = 0
select(4, [3], NULL, NULL, {14, 999662}) = 0 (Timeout)
gettimeofday({1114054051, 367262}, NULL) = 0
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={21474776, 34}}) = 0
sendmsg(3, {msg_name(16)={sin_family=AF_INET, sin_port=htons(7005), sin_addr=inet_addr(130.216.35.4)}}, msg_iov(2)=[{Bg\35g\t\220\311t\0\0\0\1\0\0\0\0\0\0\0\3\2#\0\0\0\0\0..., 28}, {\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\26\0\0..., 37}], msg_controllen=0, msg_flags=0}, 0) = 65
select(4, [3], NULL, NULL, {0, 0}) = 0 (Timeout)
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={21474776, 34}}) = 0
gettimeofday({1114054051, 368232}, NULL) = 0
select(4, [3], NULL, NULL, {14, 999030}) = 1 (in [3], left {14, 98})
recvmsg(3, {msg_name(16)={sin_family=AF_INET, sin_port=htons(7005), sin_addr=inet_addr(130.216.35.4)}}, msg_iov(7)=[{Bg\35g\t\220\311t\0\0\0\1\0\0\0\0\0\0\0\3\2 \0\0\31\354..., 28}, {\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\3\7\0\1\1\1\0\0\26\0\0..., 1416}, {\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0..., 1416}, {\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0..., 1416}, {\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0..., 1416}, {\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0..., 1416}, {\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0..., 1420}], msg_controllen=0, msg_flags=0}, 0) = 65
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={21474776, 32}}) = 0
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={21474776, 32}}) = 0
gettimeofday({1114054051, 389715}, NULL) = 0
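One way to check a trace like the one in the message above for clock or timer trouble is to pair each select() timeout with the gettimeofday() samples around it and compare the requested wait with the observed one. This is an added example, not part of the original post; the trace lines are an excerpt of those quoted above, and the function names are this example's own.

```python
import re

# Excerpt of the strace quoted above; getitimer/sendmsg/recvmsg lines left out.
TRACE = """\
gettimeofday({1114053992, 397630}, NULL) = 0
select(4, [3], NULL, NULL, {0, 939534}) = 0 (Timeout)
gettimeofday({1114053993, 336018}, NULL) = 0
select(4, [3], NULL, NULL, {0, 1146}) = 0 (Timeout)
gettimeofday({1114053993, 346133}, NULL) = 0
gettimeofday({1114053993, 346467}, NULL) = 0
select(4, [3], NULL, NULL, {12, 989666}) = 0 (Timeout)
gettimeofday({1114054006, 341534}, NULL) = 0
gettimeofday({1114054021, 353190}, NULL) = 0
select(4, [3], NULL, NULL, {14, 998829}) = 1 (in [3], left {14, 96})
gettimeofday({1114054021, 398538}, NULL) = 0
"""

GTOD = re.compile(r"^gettimeofday\(\{(\d+), (\d+)\}")
SELECT = re.compile(r"^select\(.*\{(\d+), (\d+)\}\) = (\d+)")

def usec(sec, frac):
    return int(sec) * 1_000_000 + int(frac)

def timed_out_waits(trace):
    """(requested_us, observed_us) per wait made only of select() timeouts."""
    waits, before, requested = [], None, None
    for line in trace.splitlines():
        m = GTOD.match(line)
        if m:
            now = usec(*m.groups())
            if before is not None and requested:
                waits.append((requested, now - before))
            before, requested = now, 0
            continue
        m = SELECT.match(line)
        if m and requested is not None:
            if m.group(3) == "0":      # timed out: add to the requested wait
                requested += usec(m.group(1), m.group(2))
            else:                      # woken by data: wait is not comparable
                requested = None
    return waits

def worst_drift_us(waits):
    """Largest |observed - requested| in microseconds."""
    return max(abs(obs - req) for req, obs in waits)

if __name__ == "__main__":
    for req, obs in timed_out_waits(TRACE):
        print(f"requested {req:>9} us  observed {obs:>9} us  drift {obs - req:+} us")
```

On this excerpt the largest difference between requested and observed wait is 8969 microseconds; the select() that returned 1 is skipped because it was ended by incoming data, not by its timeout.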
Re: [OpenAFS] openafs fileservers in VMware ESX
I've never seen any reason to virtualize an AFS server. Ever. The key is IO bandwidth, which isn't increased by virtualization. You really want separate PHYSICAL servers for AFS servers. Virtualization does not give you any benefits due to hardware failure, power failure, or any other failure. It just adds overhead.

-derek

Quoting Matthew Cocker [EMAIL PROTECTED]:

Hi

We have just invested in a Fibre Channel SANs and several FC attached ESX servers (brilliant product, just love vmotion and virtual center) and are playing with Virtualised Openafs Fileservers. All is working very well except if we put too many volumes on a server at which point vos listvol takes a very long time to return.

If we have say 5000-7000 volumes (about 50Gb) on a vice partition performance is equivalent to hardware server. At 10k volumes to 40k volumes 100-300Gb we have problems with vos listvol. This is not a huge problem for us as we wanted to do more smaller machines any way to take advantage of the VM environment but it does make me wonder why this occurs.

What exactly does vos listvol do? Does it scan the vice partitions and return all the volumes it finds (du -sh /vicepa takes a huge amount of time too so maybe this is a vm issue)? Is any network traffic exchanged with the DBs?

When we start vos listvol on the virtualised server with lots of volumes it just seems to stop working with the cpu usage for the afs process not jumping above 1-2%. An strace (available if anyone interested) shows the vos listvol is doing something (although very slowly). If the virtualised server has less volumes cpu usage jumps up to 30-50% and every thing works. The only thing affected seems to be vos listvol as accessing a volume stored on the server is quick (from user point of view). vos backup stuff all seems to work. Hardware server with same number of volumes works OK. SANS monitoring suggests there is not a data access issue on that side.

Not sure this is an AFS issue but any suggestion to help me understand why vos listvol is affected so badly appreciated.

Cheers
Matt

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
[EMAIL PROTECTED] PGP key available
Re: [OpenAFS] openafs fileservers in VMware ESX
Matthew Cocker wrote:

The question is how much does the overhead of virtualisation (which with afs is not much) actually matter with an AFS fileserver and the client side caching.

That should read

The question is how much does the overhead of virtualisation (which with esx is not much) actually matter with an AFS fileserver and the client side caching.