Re: [OpenAFS] dynroot question

2009-08-07 Thread Jack Neely
On Wed, Aug 05, 2009 at 10:02:21AM -0400, Derrick Brashear wrote:
> On Wed, Aug 5, 2009 at 10:00 AM, Jack Neely wrote:
> > Folks,
> >
> > I'm having an issue with the dynroot functionality on my web servers.
> > I've straced the httpd process and discovered that it is attempting to
> > stat() /afs/.htaccess which, of course, doesn't exist.  The problem
> > being that AFS takes 10 to 20 seconds or more to return the stat call.
> >
> > The problem comes and goes.  I'm not exactly sure what is triggering it
> > and would like some help figuring that out.
> >
> > We're running 1.4.10 client side and the servers with the web volumes
> > are 1.4.7 and 1.4.10.  We are in the process of moving everything to
> > 1.4.11 but wanted to try to track down this issue.
> 
> tcpdump. i assume you see no afs traffic, but you do see dns traffic.
> yes? what's the round trip time on that?
> 
> fstrace. what do you see?

We did find the cause for this specific problem.  Our DNS servers'
firewall was dropping packets when the ip_conntrack table became full.

Thanks for the help!

Jack

-- 
Jack Neely 
Linux Czar, OIT Campus Linux Services
Office of Information Technology, NC State University
GPG Fingerprint: 1917 5AC1 E828 9337 7AA4  EA6B 213B 765F 3B6A 5B89
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Using the Windows Explorer extension on global drives

2009-08-07 Thread Jeffrey Altman
Drives mapped in the system context are deprecated by Microsoft and
cause numerous problems for the Microsoft SMB redirector and several
anti-virus solutions.  They really need to be avoided.  If there is
a drive letter that you want mapped within each logon session I
recommend developing your own Network Provider that executes a custom
logon script that will perform the desired mapping.

That being said, let me explain the changes to the pioctl interface
post-1.5.35.  For years users of OpenAFS have complained that on some
systems (but not others) the presence of the AFS Explorer Shell
extension has resulted in extremely long delays when attempting to
access the context menu.  During the development work for the AFS
redirector client Peter Scott and I finally identified what the problem
was.  The pioctl interface on Windows is implemented as a transceive
operation on a special file name _._AFS_IOCTL_._.  This file is opened
in the current directory of the explorer shell and if that fails, within
\\\all\.  Opening the file in the current directory permits the
drive mapping context to be transmitted to the AFS SMB server.

What happens if the current directory is not mapped to AFS?  Well,
depending on what the drive letter is mapped to or what the current UNC
path is, it might result in a long timeout waiting for a hardware device
to become available, or a network browsing attempt to complete, or 
This in turn resulted in the very long delays that were being seen which
can be on the order of minutes.  For the affected users, this makes it
impossible to use the AFS Explorer Shell extension but more often
resulted in the user refusing to use OpenAFS.

The only safe way to implement this functionality is to ensure that the
CreateFile on _._AFS_IOCTL_._ only occurs if there is a strong
likelihood that the device is in fact an AFS device.  The pioctl
interface now has a very complicated series of checks that examines the
current path to identify what the real device name is.  It handles
SUBST, NET USE, MAP, and several other combinations.

So what is the problem with global drive letter mappings?  A global
drive letter mapping does not expose any of the details of what the
drive letter is mapped to.  Instead it is reported as a local disk
device.  As a result there is no method by which the pioctl interface
can use the file system APIs to determine that it is in fact an AFS device.

The pioctl interface does attempt to get around this problem by using
the afsd_service configuration.  If the drive mapping is configured
using the ...\TransarcAFSDaemon\Parameters\GlobalAutoMapper
functionality, then the pioctl interface will be able to find the drive
letter and determine that it is in fact mapped to AFS.  Otherwise, as
far as the pioctl interface is concerned, the device is a local disk and
it would be too risky to attempt to open _._AFS_IOCTL_._ on it.

I hope that helps.

Jeffrey Altman


Justin Brinegar wrote:
> After upgrading to version 1.5.60 on Windows XP, the AFS Windows
> Explorer extension no longer functions on drives mapped in the system
> context*.  This symptom was not seen in 1.5.35, and the symptom still
> exists in 1.5.61.
> 
> Is this change by design?  Is there any way to re-enable the functionality?
> 
> We are currently directing our users to type in the full UNC path to the
> mapped system drive that they would like to use the AFS Explorer
> Extension on, which presents the afs path to them in a user context.
> 
> *Note: This is used for folder redirection.  File change operations do
> not work properly (folder refreshing) over UNC paths in Windows XP.
> 
> Thanks,
> Justin



Re: [OpenAFS] dynroot question]

2009-08-07 Thread Derrick Brashear
On Fri, Aug 7, 2009 at 10:43 AM, Jack Neely wrote:
> On Wed, Aug 05, 2009 at 07:08:30PM +0100, Simon Wilkinson wrote:
>>
>> On 5 Aug 2009, at 19:03, Russ Allbery wrote:
>>
>>> Apache recursively ascends the file hierarchy looking for .htaccess files
>>> even if that directory itself is not being served, so it will attempt to
>>> read /afs/.htaccess if you are serving any directory anywhere under /afs.
>>
>> I haven't looked at the code, so we may be already doing this, but it
>> seems to me that we could just bounce requests for /afs/.htaccess
>> immediately. In fact, there's probably a range of things that it makes
>> no sense to do DNS lookups for.
>>
>> S.
>>
>
> I agree here.  Turns out I am sending out DNS queries from each of the
> web servers for the htaccess cell 20 or so times a second.

A hardcoded blacklist would be good, configurable blacklist would be
better, but at the same time, we could stand to cache negative answers
for a bit longer in some manner.



-- 
Derrick
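
The two ideas in the message above (a denylist of names that can never be cells, and caching negative answers for longer), sketched in C as an added example; it is not part of the original post and is not OpenAFS code. `dynroot_lookup`, `fake_dns_lookup`, the 300-second TTL and every denylist entry other than `.htaccess` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define NEG_TTL   300           /* assumed: seconds to remember "no such cell" */
#define NEG_SLOTS 64
#define CELL_MAX  256

/* Constructed denylist; only ".htaccess" comes from the thread. */
static const char *const denylist[] = { ".htaccess", ".htpasswd", NULL };

struct neg_entry { char name[CELL_MAX]; time_t expires; };
static struct neg_entry neg_cache[NEG_SLOTS];
static int dns_queries;         /* how many lookups actually reached DNS */

/* Hypothetical stand-in for the DNS cell query: every name is unknown. */
static int fake_dns_lookup(const char *name) { (void)name; dns_queries++; return -1; }

static unsigned slot_for(const char *s) {
    unsigned h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h % NEG_SLOTS;
}

/* Returns 0 if the name resolves to a cell, -1 if it does not. */
int dynroot_lookup(const char *name, time_t now) {
    struct neg_entry *e = &neg_cache[slot_for(name)];
    for (int i = 0; denylist[i]; i++)
        if (strcmp(name, denylist[i]) == 0) return -1;   /* bounced, no DNS */
    if (strlen(name) >= CELL_MAX) return -1;             /* too long to cache */
    if (e->expires > now && strcmp(e->name, name) == 0)
        return -1;                                       /* cached miss, no DNS */
    if (fake_dns_lookup(name) == 0) return 0;
    strcpy(e->name, name);                               /* length checked above */
    e->expires = now + NEG_TTL;
    return -1;
}

int dns_query_count(void) { return dns_queries; }

int main(void) {
    time_t t0 = 1000;                        /* constructed clock value */
    for (int s = 0; s < 10; s++)             /* 10 s at 20 stat() calls/s */
        for (int i = 0; i < 20; i++) {
            dynroot_lookup(".htaccess", t0 + s);
            dynroot_lookup("favicon.ico", t0 + s);
        }
    printf("DNS queries sent: %d for 400 lookups\n", dns_query_count());
    return 0;
}
```

An explicit denylist is used rather than a leading-dot rule because dynroot also exposes read-write cell mounts under names that begin with a dot.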


Re: [OpenAFS] dynroot question]

2009-08-07 Thread Jack Neely
On Wed, Aug 05, 2009 at 07:08:30PM +0100, Simon Wilkinson wrote:
>
> On 5 Aug 2009, at 19:03, Russ Allbery wrote:
>
>> Apache recursively ascends the file hierarchy looking for .htaccess files
>> even if that directory itself is not being served, so it will attempt to
>> read /afs/.htaccess if you are serving any directory anywhere under /afs.
>
> I haven't looked at the code, so we may be already doing this, but it  
> seems to me that we could just bounce requests for /afs/.htaccess  
> immediately. In fact, there's probably a range of things that it makes  
> no sense to do DNS lookups for.
>
> S.
>

I agree here.  Turns out I am sending out DNS queries from each of the
web servers for the htaccess cell 20 or so times a second.

Jack

-- 
Jack Neely 
Linux Czar, OIT Campus Linux Services
Office of Information Technology, NC State University
GPG Fingerprint: 1917 5AC1 E828 9337 7AA4  EA6B 213B 765F 3B6A 5B89



RE: [OpenAFS] Strange problem with Windows client.

2009-08-07 Thread Anders Hannus
Some further tests.

>Does the 1.5.36 version of afslogon.dll work when installed with 1.5.61?

No. Not with 1.5.59 anyway.

>Were you using the incomplete LOCALHOST and LTU.SE registry keys with 
>1.5.36?

No. The problem is the same.

By incomplete, do you refer to the fact that the key LogonOptions should be
present?
I was under the impression that Integrated Logon is used if this key is not
present.
On the other hand it makes perfect sense to add it for the LOCALHOST.

The "LoginRetryInterval" and "LoginSleepInterval" keys don't seem to work
either. Not in this Domain anyway. With earlier tests in our staff domain
everything seems to work fine. Including this very problem.


Then enabling TraceOption at 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters

From application log:

AFS Logon: The following information is part of the event: NPLogonNotify - LoginId(0,301835).
AFS Logon: The following information is part of the event: In GetDomainLogonOptions for user [anha] in domain [LTU.SE].
Userenv: Windows cannot locate the server copy of your roaming profile...
Userenv: Windows cannot find the local profile and is logging you on with a temporary profile...
Folder Redirection: Failed to perform redirection of folder Desktop
Folder Redirection: Failed to perform redirection of folder My Documents...
Userenv: The Group Policy client-side extension Folder Redirection failed to execute...
AFS Logon: The following information is part of the event: AFS_Logon_Event - Start.
AFS Logon: The following information is part of the event: AFS_Logon_Event Process ID: 720.
AFS Logon: The following information is part of the event: AFS_Logon_Event - pInfo UserName and Domain.
AFS Logon: The following information is part of the event: AFS_Logon_Event - Calling GetDomainLogonOptions.
AFS Logon: The following information is part of the event: In GetDomainLogonOptions for user [anha] in domain [LTU.SE].

And here is when winlogon crashes and the system reboots. This happens when
logging is enabled.
Logging then needs to be disabled remotely.


Strangely enough on at least two computers this problem doesn't show up. Surely 
there is some difference but there should not be much.


/Anders Hannus


-----Original Message-----
From: Jeffrey Altman [mailto:jalt...@secure-endpoints.com] 
Sent: den 6 augusti 2009 22:10
To: Anders Magnusson
Cc: openafs-info@openafs.org; Anders Hannus
Subject: Re: [OpenAFS] Strange problem with Windows client.

Does the 1.5.36 version of afslogon.dll work when installed with 1.5.61?

When you enable afslogon debugging, what are the error codes reported
during token acquisition?

Were you using the incomplete LOCALHOST and LTU.SE registry keys with
1.5.36?

Jeffrey Altman

Anders Magnusson wrote:
> Hi,
> 
> we have encountered a really strange problem when creating images for
> reinstallation of our Windows XP machines in our computer labs. All
> machines have mandatory profiles located on AFS.
> 
> The problem is that when logging in to a newly installed machine it will
> try to fetch the profile and redirect Desktop and My Documents before the
> user has got a token, therefore loading profile and redirecting will fail.
> But when the user is logged in, a token exists and AFS works as expected.
> Setting access to the profile to system:anyuser will allow the profile to
> be loaded.
> 
> This fails with clients 1.5.{59,60,61}, but works with last year's client
> 1.5.36.
> 
> Moreover, after trying to track the bug down, we found that if any of
> these three registry entries is set loading the mandatory profile will
> fail, but it works as it should if none of them are present:
> 
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST]
> 
> "FailLoginsSilently"=dword:0001
> 
>  
> 
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LTU.SE]
> 
> "LoginRetryInterval"=dword:001e
> 
> "LoginSleepInterval"=dword:0005
> 
> 
> 
> The machines tested all run Windows XP SP3 with all the recommended
> hotfixes.
> 
> Any ideas?  We are running out of them...
> 
> -- Ragge



[OpenAFS] Using the Windows Explorer extension on global drives

2009-08-07 Thread Justin Brinegar
After upgrading to version 1.5.60 on Windows XP, the AFS Windows 
Explorer extension no longer functions on drives mapped in the system 
context*.  This symptom was not seen in 1.5.35, and the symptom still 
exists in 1.5.61.


Is this change by design?  Is there any way to re-enable the functionality?

We are currently directing our users to type in the full UNC path to the 
mapped system drive that they would like to use the AFS Explorer 
Extension on, which presents the afs path to them in a user context.


*Note: This is used for folder redirection.  File change operations do 
not work properly (folder refreshing) over UNC paths in Windows XP.


Thanks,
Justin
--
Justin Brinegar
..brine...@physics.unc.edu
..(919) 962 - 6494
..Assistant Windows Administrator
..Physics & Astronomy Networking Infrastructure and Computing
..University of North Carolina at Chapel Hill