Re: [OpenAFS] extreme slowness on windows client
David Bear wrote:
> I have recently noted on two separate windows XP systems (with sp2
> installed and openafs 1.4.xxx current stable release as of yesterday)
> that opening items in afs space is very slow. I googled for this and
> ran across some old notes from around 2003 but didn't think they would
> apply any longer.
>
> The event logged has the following:
> Pkt straddled session startup, took 117125 ms, ncb length 81.
>
> cm_Analyze: HardDeadTime exceeded..

There was a request that took the AFS Cache manager 117 seconds to reply to. In that time, the CIFS client timed out and broke the virtual connection to the AFS CIFS server.

> Google reveals that event 1009 may be a server related error, ie the
> fileserver is too busy. But I've checked with our afs server
> administrator and there were no load issues at all.
>
> The really strange thing is that all I did was convert these systems
> from using static to dynamic ip addresses. They do not go through any
> NAT or other ip mungers (that I am aware of).
>
> Any idea what I might look for?

Follow the instructions in the OpenAFS for Windows release notes. Use the Sysinternals FileMon and DbgView tools to figure out what requests Windows is making and map them to the internal processing in the AFS Cache Manager to figure out why they are taking so long to complete.

Jeffrey Altman
[OpenAFS] extreme slowness on windows client
I have recently noted on two separate windows XP systems (with sp2 installed and openafs 1.4.xxx current stable release as of yesterday) that opening items in afs space is very slow. I googled for this and ran across some old notes from around 2003 but didn't think they would apply any longer.

The event logged has the following:

Event Type:Warning
Event Source:AFS Client
Event Category:None
Event ID:1005
Date:6/26/2006
Time:5:06:33 PM
User:N/A
Computer:PP-CCOFFMAN
Description:
The description for Event ID ( 1005 ) in Source ( AFS Client ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Pkt straddled session startup, took 117125 ms, ncb length 81.

There was also the following event logged as well:

Event Type:Warning
Event Source:AFS Client
Event Category:None
Event ID:1009
Date:6/26/2006
Time:5:06:33 PM
User:N/A
Computer:PP-CCOFFMAN
Description:
The description for Event ID ( 1009 ) in Source ( AFS Client ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: cm_Analyze: HardDeadTime exceeded..

Google reveals that event 1009 may be a server related error, ie the fileserver is too busy. But I've checked with our afs server administrator and there were no load issues at all.

The really strange thing is that all I did was convert these systems from using static to dynamic ip addresses. They do not go through any NAT or other ip mungers (that I am aware of).

Any idea what I might look for?

--
David Bear
phone: 480-965-8257
fax: 480-965-9189
College of Public Programs/ASU
Wilson Hall 232
Tempe, AZ 85287-0803
"Beware the IP portfolio, everyone will be suspect of trespassing"
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Windows AD + openafs integration
On Tue, 27 Jun 2006, Jeffrey Altman wrote:

> AFSIDs will be automatically issued the first time the Windows client
> obtains an AFS token for the user if they have not already been created
> manually. If you want to have the user's home directories

For a local user that's not true, actually. admin powers are needed to create local users in pts, so the Windows client (nor any other) has no ability to autocreate users.

Derrick
Re: [OpenAFS] Windows AD + openafs integration
What you want to do is configure AFS to use Active Directory as the Kerberos 5 server for authentication. There was a talk on this very subject at the AFS & Kerberos Best Practice Workshop given by Derrick Brashear (Thursday at 13:30 second talk)

http://www.pmw.org/afsbpw06/workshop.html#16

AFSIDs will be automatically issued the first time the Windows client obtains an AFS token for the user if they have not already been created manually. If you want to have the user's home directories in AFS, you will have to do so manually. I'm not aware of anyone who has written any scripts/tools for Active Directory to create AFS volumes in response to AD account creation.

Jeffrey Altman

Sean Kennedy wrote:
> List,
>
> First up, forgive me if this is an obvious question; I'm still wrapping
> my head around how afs works.
>
> What I'd like to do is have openafs auth against my AD domain, going so
> far as to dynamically create afs accounts based off of AD accounts. Is
> this possible?
> So in my ideal setup, I wouldn't have to pre-create a user for afs if
> they already exist in my AD tree. Instead, on first log in, the account
> is automatically created. Further, the username/password info would be
> taken directly from the AD tree. This way, when a password changes, it
> doesn't need to be changed in the afs tree as well.
>
> I could get by with having to hand create the accounts in afs if I could
> get auth working against AD.
> Thanks in advance for your help!
Re: [OpenAFS] Windows AD + openafs integration
Sean Kennedy <[EMAIL PROTECTED]> wrote:

> What I'd like to do is have openafs auth against my AD domain, going
> so far as to dynamically create afs accounts based off of AD
> accounts. Is this possible?

If you were to treat AD as a foreign realm, yes, user accounts could be auto-created. I would not recommend this though, as you would have no way to put users into groups before their accounts were created or otherwise add them to ACLs. I.e. users would need to login and obtain AFS tokens before they could be put on ACLs. This would make it very hard to setup user home directories or other file shares, assuming you wanted to rely upon more than just the system:authusers group.

> So in my ideal setup, I wouldn't have to pre-create a user for afs if
> they already exist in my AD tree. Instead, on first log in, the
> account is automatically created. Further, the username/password
> info would be taken directly from the AD tree. This way, when a
> password changes, it doesn't need to be changed in the afs tree as
> well.

It's possible to use AD as Kerberos realm and obtain Kerberos tickets and then AFS tokens from AD. Just create an AFS service principal in AD and use the proper ktadd.exe command to extract a keytab and then asetkey the keytab into the AFS KeyFile.

> I could get by with having to hand create the accounts in afs if I
> could get auth working against AD.

I'd strongly recommend doing this instead. There have been several posts on using AD as a KDC for AFS. Look through the archives.
[OpenAFS] Using volumes for daemons
I'm curious as to whether you can use AFS volumes for the storage locations of services like openldap, mysql and postgresql. All three use database files which are held open for long periods of time and normally would require large amounts of local storage.

I'm not looking for AFS to provide replication of the databases, just an alternative to data being stored locally on quasi-stable disks. We're already moving 'home dir' type data to a set of AFS servers and would like to leverage the pool of reliable, redundant disks we use for this, for some of our services.

If this is possible, are there any restrictions with regard to the local cache size versus the largest file being accessed? I understand the files are stored/transferred in slices/chunks of 64KB or so, does this mean that dirty chunks are sent back to the volume server similarly when the cache fills up? Even if the cache is, say 100M and the file is 1G?

Thanks for all the info/help.

CLD
Re: [darcs-users] Re: [OpenAFS] Re: afs semantics
Jeffrey, Adam,

Thanks a lot for your help.

After reading Jeffrey's reply carefully, I am fairly certain that running darcs over AFS is safe (both in the default, NFS-safe mode and with DARCS_SLOPPY_LOCKS). All operations should either produce the expected result or fail gracefully.

This information is offered in good faith, but with no guarantee. Not even of any kind.

Juliusz
Re: [OpenAFS] How does AFS deal with non-AFS files on its partitions?
2006/6/20, Mathias Feiler <[EMAIL PROTECTED]>:
> Hello,
>
> If I understand You the right way (long answer)
>
> On Fri, 9 Jun 2006, David Geirsson wrote:
>
> |Hi all,
> |
> |I'm preparing to set up OpenAFS for a small network (3-4 users, ~500GB
> |of data to store). The server machine has 4x320GB IDE disks in a RAID5
> |configuration. There is no backup equipment set up, as this is for a
> |personal network and we can't afford it.
> |
> |I've read in the AFS docs (which I admit I'm still reading, so this may
> |be covered better later) that AFS likes to have its own dedicated
> |partitions, and that this is "strongly recommended". I am wondering,
> |however, what would happen? Will OpenAFS trample all the files? Because
> |the easiest solution for me here would be to let OpenAFS use the data
> |partition for its own files,
>
> As long as You use the namei-interface (Linux) there is a way to mount
> /vicep* even if it is not a separate partition. But for now don't ask
> me for the -option .
>
> |and then move files from that partition to
> |the AFS mount.
>
> Nice idea but not the way AFS is designed.
> Imho. the problem steps in on at least two points:
>
> (1) -- Accessmethod to the volumes on a vice partition --
> If You are using the origin inode interface to access the /vicep*
> (as it is common for Solaris and such) You just cannot move data into
> the /vicep* since there is nothing to move it in. The only thing you
> see are 76 Byte files called Vnnn.vol (e.g. V1920534048.vol) which
> represent the volumeheader. All the other things are hidden in a
> strange way. Thus You need a special fsck for such partitions.
> If You use namei for the /vicep* there is a directory structure but
> the names are totally screwed. You wouldn't succeed if You just
> write in.
>
> (2) --- Access control ---
> AFS got acl and volumes. Both of them need to be represented in the
> /vice*
> While You are thinking of moving files into a vice partition by unix mv
> you probably did not consider volumes (rw,clone,ro,backup) and acl
>
> The proper way is, to have an afs client running on the old fileserver
> (as well as on the AFS server for conveniences) and just copy your
> data into the AFS using the afs client.
>
> Example:
>    # Create a volume
>    vos create afsserver vicepa prj.dump
>    # Mount the volume into the AFS-file tree
>    fs mkm /afs/.mySite/projects/dump prj.dump
>    # set the (initial) acl
>    fs sa /afs/.mySite/projects/dump dummy write
>    # Copy the data into the volume
>    cp -R /oldDump/* /afs/.mySite/projects/dump
>    # Eventually define a clone and/or replicate site of the volume
>    vos addsi afsserver vicepa prj.dump
>    vos addsi afsserver2 a prj.dump
>    # Eventually do the replication of the volume
>    vos rel prj.dump
>
> |
> |Anyway, help would be much appreciated.
> |
>
> Well it could be of advantage to join a AFS workshop :
> USA / english : http://www.central.org/workshop/index.html
> Germany / deutsch : http://www.rz.uni-hohenheim.de/afsws06
> This might help to keep You from a few other newcomer-uups as well.
>
> Sincerely,
> Mathias
>
> [snip sigs]

Hi Mathias, thanks for your reply.

I think you misunderstand my problem (I probably wasn't very clear in my original mail)

The problem is that I need to get the files onto the AFS mount once I've created it. At the moment they are on a single linux ext3 filesystem:

/dev/md0 881G 532G 349G 61% /data

/dev/md0 being the RAID5 array. I want to set this array up as an AFS partition at /vicepa, but I have nowhere to store the data while I set up AFS. I want to merge this data into the AFS tree once it is operational.

I was wondering what would happen if I simply mounted the current filesystem, with the files and directories currently on there. I realise that AFS wouldn't recognise the files, and I couldn't use them on the AFS, but if they are left alone, I can then move those files from /vicepa to the /afs mount one file tree at a time, making them part of the AFS tree, all the while without disturbing the filesystem already there.

I hope this made more sense than my previous post.

Thanks for the pointer to the workshops, I'd love to go. I doubt my finances will allow me to attend this year unfortunately, but you never know.

With kind regards,
--
Davíð Steinn Geirsson
Reykjavik, Iceland
[EMAIL PROTECTED]
+354 8696608
Re: [OpenAFS] Choosing Cell Names (was Re: Changing AFS database server names)
On Tuesday, June 27, 2006 09:13:30 AM -0400 "Todd M. Lewis" <[EMAIL PROTECTED]> wrote:

> Somebody made a good decision when our cell was named. They gave it a
> name ("isis") that didn't have anything to do with our current
> organization (except the top levels of course: "unc.edu").

Did it have anything to do with an initiative to provide a campus-wide computing infrastructure? In the early days, those projects tended to have names, and often lent them to the infrastructures they created. That's how we ended up with names like ANDREW.CMU.EDU or ATHENA.MIT.EDU (just to name a couple).

These days, I don't think that phenomenon is so common. Personally, I think the right answer is to give the organizational units fictitious names, like "Larry" or "Bob", instead of descriptive ones. :-)
[OpenAFS] Windows AD + openafs integration
List,

First up, forgive me if this is an obvious question; I'm still wrapping my head around how afs works.

What I'd like to do is have openafs auth against my AD domain, going so far as to dynamically create afs accounts based off of AD accounts. Is this possible?

So in my ideal setup, I wouldn't have to pre-create a user for afs if they already exist in my AD tree. Instead, on first log in, the account is automatically created. Further, the username/password info would be taken directly from the AD tree. This way, when a password changes, it doesn't need to be changed in the afs tree as well.

I could get by with having to hand create the accounts in afs if I could get auth working against AD.

Thanks in advance for your help!
Re: [OpenAFS] Changing AFS database server names
Rodney M Dyer wrote:
> At 09:16 AM 6/27/2006, Jeffrey Altman wrote:
>
>> I should also point out that the Windows client when not using
>> Freelance mode does a very poor job of failing over when the first
>> vlserver found in the CellServDB is not available and Freelance mode
>> is not being used. The Windows client prior to the next set of
>> releases only makes one attempt to load the root.afs volume due to
>> the fact that the HardDeadTimeout for RX is greater than the timeout
>> configured for processing CIFS requests. Depending on the deployed
>> clients moving the vlservers could end up being quite painful.
>
> I have one question related to this. When we were experiencing this
> problem the first vlserver in the list was active, and it had the lowest
> subnet number, which means the service should have started just fine.
> The fact that the other vlservers were not contactable shouldn't have
> prevented the client from finding the root.afs, but that is what
> happened. It appeared (to me) that the client service wasn't starting
> because all the vlservers weren't online. That is a different scenario
> than just saying the first one not contactable caused the service to
> "time out".

vlservers are not sorted by subnet number. They are read from the CellServDB file and randomized. If the first vlserver contacted does not respond when attempting to mount the root.afs volume, the timeout period will be exceeded and afsd_service.exe will terminate.

I have fixed this for future releases.

Jeffrey Altman
Re: [OpenAFS] Changing AFS database server names
At 09:16 AM 6/27/2006, Jeffrey Altman wrote:

> I should also point out that the Windows client when not using
> Freelance mode does a very poor job of failing over when the first
> vlserver found in the CellServDB is not available and Freelance mode
> is not being used. The Windows client prior to the next set of
> releases only makes one attempt to load the root.afs volume due to
> the fact that the HardDeadTimeout for RX is greater than the timeout
> configured for processing CIFS requests. Depending on the deployed
> clients moving the vlservers could end up being quite painful.

I have one question related to this. When we were experiencing this problem the first vlserver in the list was active, and it had the lowest subnet number, which means the service should have started just fine. The fact that the other vlservers were not contactable shouldn't have prevented the client from finding the root.afs, but that is what happened. It appeared (to me) that the client service wasn't starting because all the vlservers weren't online. That is a different scenario than just saying the first one not contactable caused the service to "time out".

Rodney
[OpenAFS] error 56: (Authetication server unavailable)
Hello all,

I am using the OpenAFS windows client 1.4.0101 but when I obtain a new token I get "Error 56: (Authetication server unavailable)".

However, on another machine it just works (and I never have any problems with my Linux machines).

Any ideas?

thanks,

Ron

== 2B OR NOT 2B = FF ==
Ron Croonenberg
Lab Instructor / Technology Coordinator
Department of ComputerScience
DePauw University
275 Julian Science & Math Center
602 South College Ave.
Greencastle, IN 46135
Phone: 1 765 658 4761
Fax: 1 765 658 4732
e-mail : [EMAIL PROTECTED]
http://www.csc.depauw.edu/RonCroonenberg.html
Re: [OpenAFS] Changing AFS database server names
Russ Allbery wrote:
> If you're not using AFSDB records or the kaserver or running a fileserver
> on the DB servers, I don't know that anything in AFS cares about the
> *names* of the machines. Well, upclient, but that's an obvious fix if
> you're using it. CellServDB includes the names but mostly is there to
> provide the IP addresses. If the IP addresses are changing, then yes, you
> have to update everything (or use AFSDB records -- they're a good idea).
> But if you're not changing the IP addresses, I bet nearly everything
> doesn't care and what's left would be happy with CNAMEs.

This is not entirely accurate. At least in the Windows client gethostbyname() is performed on the hostname. The IP address located in the file is used when the gethostbyname() call fails.

I should also point out that the Windows client when not using Freelance mode does a very poor job of failing over when the first vlserver found in the CellServDB is not available and Freelance mode is not being used. The Windows client prior to the next set of releases only makes one attempt to load the root.afs volume due to the fact that the HardDeadTimeout for RX is greater than the timeout configured for processing CIFS requests. Depending on the deployed clients moving the vlservers could end up being quite painful.

Jeffrey Altman
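The lookup order described in the message above (the hostname is resolved first, and the address in the file is used only when resolution fails) can be checked against a CellServDB before database servers are renamed. The following is an added example, not part of the original thread and not OpenAFS code; the sample file, cell name, hostnames, addresses and the stand-in resolver are all constructed.

```python
import socket

# Constructed sample in CellServDB layout; cell, names and addresses are made up.
SAMPLE_CELLSERVDB = """\
>example.edu            #Example University (constructed)
192.0.2.10                      #afsdb1.olddept.example.edu
192.0.2.11                      #afsdb2.olddept.example.edu
192.0.2.12                      #afsdb3.servers.example.edu
"""


def parse_cellservdb(text):
    """Return {cell: [(ip, hostname), ...]} from CellServDB text."""
    cells, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):          # ">cellname   #description"
            current = line[1:].split("#", 1)[0].strip()
            cells[current] = []
        elif current is not None:         # "ip   #hostname"
            ip, _, name = line.partition("#")
            cells[current].append((ip.strip(), name.strip()))
    return cells


def system_resolver(hostname):
    """Resolve a name to its IPv4 addresses; raises OSError on failure."""
    return socket.gethostbyname_ex(hostname)[2]


def audit(cells, resolve=system_resolver):
    """Classify each entry by what a name-first client would end up using.

    ok        name resolves and the answer includes the listed address
    mismatch  name resolves, but not to the listed address (DNS answer is used)
    fallback  name does not resolve (the listed address is used)
    """
    findings = []
    for cell, servers in cells.items():
        for ip, name in servers:
            try:
                resolved = resolve(name) if name else []
            except OSError:               # gaierror and herror are OSError subclasses
                resolved = []
            if not resolved:
                status = "fallback"
            elif ip in resolved:
                status = "ok"
            else:
                status = "mismatch"
            findings.append((cell, name, ip, status, resolved))
    return findings


def constructed_resolver(hostname):
    """Stand-in DNS for the sample: one name removed, one moved to a new address."""
    table = {
        "afsdb1.olddept.example.edu": ["192.0.2.10"],
        "afsdb3.servers.example.edu": ["192.0.2.99"],
    }
    if hostname not in table:
        raise socket.gaierror(f"no such host: {hostname}")
    return table[hostname]


if __name__ == "__main__":
    cells = parse_cellservdb(SAMPLE_CELLSERVDB)
    for cell, name, ip, status, resolved in audit(cells, constructed_resolver):
        print(f"{cell:12} {name:28} file={ip:12} {status:9} dns={resolved}")
```

Calling audit() without a resolver argument uses the system resolver, so the same check can be run against a deployed client's CellServDB.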
[OpenAFS] Choosing Cell Names (was Re: Changing AFS database server names)
Brian Sebby wrote:

> We're going to be upgrading our AFS cell in the coming months, and my
> boss has informed me that he wants to change the names of our AFS
> database servers from their current domain (which is our old department
> name) to our new server subdomain.

This question got me thinking about guidelines for picking cell names. I've cruised the TWiki at http://www.dementia.org/twiki/bin/view/AFSLore (which is back up now, and looks beautiful, btw; I must have blinked when that was announced), but I didn't see any topic that dealt with choosing a name for a new cell. http://openafs.org/pages/doc/AdminGuide/auagd007.htm#HDRWQ34 and http://openafs.org/pages/doc/AdminGuide/auagd007.htm#HDRWQ35 give a little guidance, but miss an important point that was brought to mind by Brian's question.

That point is, names change. Servers get life-cycled, departments get renamed, divisions get reorganized, etc. But the name of an AFS cell tends to find its way into the darkest corners of documentation and code that could take a long time to find and replace whenever one of these transient names transits. Changing a cell's name is not trivial, and is to be avoided if possible. Perhaps the best way to avoid having to change a cell's name is to name it well to start with.

Somebody made a good decision when our cell was named. They gave it a name ("isis") that didn't have anything to do with our current organization (except the top levels of course: "unc.edu"). The cell's name was its own; it didn't reflect who owned it, who ran it, or who used it. The initial reaction to the name was, as I recall, a collective question mark above everybody's heads. But it's been a good name. Besides being short and easy to type, the cell's administering entity has undergone several reorganizations, renamings, and consolidations, and the user base has shifted quite a bit, all without having to consider renaming the cell. Although the crystal ball is rather cloudy at the moment, it appears that the cell's name will endure, largely because it's not heavily intertwingled with the transient names surrounding it.

Would it be worth having some text along these lines in the TWiki? I tend to be a bit wordy; perhaps a good editor could cut it down to about 30 well-chosen words?

--
[EMAIL PROTECTED] 919-445-9302 http://www.unc.edu/~utoddl
"I didn't attend the funeral, but I sent a nice letter
saying I approved of it." - Mark Twain