Re: [OpenAFS] Samba4 KDC afs service principal?

2011-10-14 Thread Jeffrey Altman
On 10/14/2011 6:29 PM, Gémes Géza wrote:
> Hi,
> 
> In testing for our organization's migration from an
> OpenLDAP/Heimdal/Samba3 based authentication infrastructure to a Samba4
> one, I've set up a domain. Created a user principal called afs (with
> enctypes: des-cbc-crc and des-cbc-md5) and set up an SPN for it:
> afs/cell@REALM (initially was trying with afs@REALM, but from the KDC
> logs saw that client requested afs/cell@REALM so changed it). Exported
> it to a keytab which was successfully built with asetkey into a KeyFile.
> But when I try to do an aklog with a keytab as Administrator@REALM, it
> gives:
> aklog: Couldn't get "cell" AFS tickets:
> aklog: unknown RPC error (-1765328324) while getting AFS tickets
> In theory Samba4 (the KDC part being Heimdal) should obey the setting
> allow_weak_crypto=true from the [kdc] section of krb5.conf. (That
> assumption I'm going to check with the samba-technical mailing list).

-1765328324 =  Generic error (see e-text)

You need to look at the error text returned in the Kerberos response
from the KDC to determine what the actual error is.  Or look in the KDC
logs.

Jeffrey Altman



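The number aklog printed is a com_err code: the high 24 bits encode the name of the error table (six bits per character) and the low 8 bits the entry within it, which is how one gets from -1765328324 to "Generic error" in the krb5 table. The decoder below is an added example for this page, not code from OpenAFS, Heimdal or MIT krb5; its symbol tables are deliberately partial (the krb5 entries are RFC 4120 protocol error numbers, the RXK entries are from OpenAFS' rxkad error table at base 19270400), and any code it cannot name is reported by table and index only.

```python
"""Decode a com_err error code (such as the -1765328324 aklog printed) into
the error table it belongs to and the index of the entry in that table."""

# compile_et packs up to four name characters, 6 bits each, into the high
# 24 bits of a signed 32-bit code; the low 8 bits are the entry index.
COM_ERR_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
BITS_PER_CHAR = 6
ERRCODE_RANGE = 8

# Partial symbol tables, enough for this thread.  "krb5" entries are the
# RFC 4120 protocol error numbers (indices 0..127 of the krb5 table);
# "RXK" entries are from OpenAFS' rxkad error table (base 19270400).
KNOWN_SYMBOLS = {
    "krb5": {
        0: "KRB5KDC_ERR_NONE",
        6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
        7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
        14: "KRB5KDC_ERR_ETYPE_NOSUPP",
        24: "KRB5KDC_ERR_PREAUTH_FAILED",
        25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
        60: "KRB5KRB_ERR_GENERIC",
    },
    "RXK": {
        1: "RXKADINCONSISTENCY",
        8: "RXKADBADTICKET",
        9: "RXKADUNKNOWNKEY",
        10: "RXKADEXPIRED",
    },
}


def table_base(name):
    """Signed 32-bit base of an error table (what ERROR_TABLE_BASE_<name>
    holds in a compile_et-generated header)."""
    if not 1 <= len(name) <= 4:
        raise ValueError("com_err table names are 1 to 4 characters")
    packed = 0
    for ch in name:
        packed = (packed << BITS_PER_CHAR) | (COM_ERR_CHARSET.index(ch) + 1)
    base = (packed << ERRCODE_RANGE) & 0xFFFFFFFF
    # Codes are 32-bit signed in C, so bases above 0x7FFFFFFF print negative.
    return base - (1 << 32) if base & 0x80000000 else base


def table_name(code):
    """Recover the table name from a code (inverse of table_base)."""
    packed = (code & 0xFFFFFFFF) >> ERRCODE_RANGE
    chars = []
    for i in range(3, -1, -1):
        v = (packed >> (BITS_PER_CHAR * i)) & ((1 << BITS_PER_CHAR) - 1)
        if v:  # zero groups are padding for names shorter than 4 chars
            chars.append(COM_ERR_CHARSET[v - 1])
    return "".join(chars)


def decode_com_err(code):
    """Return (table name, index within table)."""
    return table_name(code), code & ((1 << ERRCODE_RANGE) - 1)


def describe(code):
    """Human-readable form; unknown entries are still located by table/index."""
    name, index = decode_com_err(code)
    symbol = KNOWN_SYMBOLS.get(name, {}).get(index, "(not in local table)")
    return f"{name} table, index {index}: {symbol}"


if __name__ == "__main__":
    for code in (-1765328324, 19270410):
        print(code, "->", describe(code))
```

`describe(-1765328324)` gives "krb5 table, index 60: KRB5KRB_ERR_GENERIC". That entry carries no detail of its own; the real reason travels in the e-text of the KRB-ERROR (or sits in the KDC log), so decoding the number only tells you where to look next, as Jeffrey says.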


[OpenAFS] Kernel panic RHEL 5

2011-10-14 Thread Jeff Blaine

This has to be something really dumb on my part, but I can't
make sense of it.

RHEL 5.7 x86_64 2.6.18-274.3.1.el5 SMP on a brand new box.

I've tried both of the following, separately, with the
same result:

1. OpenAFS 1.4.14 binaries built from source 20 days ago, copied
   verbatim from a working RHEL 5.7 x86_64 2.6.18-274.3.1.el5 SMP
   box.

2. Fresh OpenAFS 1.4.14 build from source *on* this box,
   then installed

sh /etc/init.d/afs.rc start => kernel panic

Rebooting to single user, the insmod works fine and shows:

Oct 14 23:36:34 rcf-monitor kernel: libafs: module license 
'http://www.openafs.org/dl/license10.html' taints kernel.
Oct 14 23:36:34 rcf-monitor kernel: Found system call table at 
0x8028ff40 (pattern scan)
Oct 14 23:36:34 rcf-monitor kernel: Using keyrings, rather than hooking 
system calls
Oct 14 23:36:34 rcf-monitor kernel: Found 32-bit system call table at 
0x80291280 (pattern scan)
Oct 14 23:36:34 rcf-monitor kernel: Using keyrings, rather than hooking 
system calls


What I can see of the panic on the console is shown in the
screenshot here:

http://dl.dropbox.com/u/15519230/panic.jpg

If I build 1.4.14.1 from source, it works fine on this box
it seems.

I cannot explain how 1.4.14 is working fine on our other
similar boxes, but not this one.
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


[OpenAFS] Samba4 KDC afs service principal?

2011-10-14 Thread Gémes Géza
Hi,

In testing for our organization's migration from an
OpenLDAP/Heimdal/Samba3 based authentication infrastructure to a Samba4
one, I've set up a domain. Created a user principal called afs (with
enctypes: des-cbc-crc and des-cbc-md5) and set up an SPN for it:
afs/cell@REALM (initially was trying with afs@REALM, but from the KDC
logs saw that client requested afs/cell@REALM so changed it). Exported
it to a keytab which was successfully built with asetkey into a KeyFile.
But when I try to do an aklog with a keytab as Administrator@REALM, it
gives:
aklog: Couldn't get "cell" AFS tickets:
aklog: unknown RPC error (-1765328324) while getting AFS tickets
In theory Samba4 (the KDC part being Heimdal) should obey the setting
allow_weak_crypto=true from the [kdc] section of krb5.conf. (That
assumption I'm going to check with the samba-technical mailing list).

Thanks for any ideas!

Cheers

Geza


[OpenAFS] Re: Clear offlinemsg?

2011-10-14 Thread Andrew Deason
On Thu, 13 Oct 2011 14:35:45 -0400
Jeff Blaine  wrote:

> How does one clear a volume's "offlinemsg" as set by
> 'fs setvol /afs/blah -offlinemsg' ?

There isn't a convenient way. I'm not really sure why this is exposed as
a user-settable thing...

The easiest way I've found to clear it is to get the volume to be
reattached. The easiest way to do that I think is to do

vos size <volume> -dump

Or maybe 'vos offline ; vos online' or something.

-- 
Andrew Deason
adea...@sinenomine.net



[OpenAFS] Re: NFS Translator in 1.14.12

2011-10-14 Thread Andrew Deason
On Fri, 14 Oct 2011 17:19:50 +0200
"Mike Legg"  wrote:

> I did come across an old post suggesting it is not supported in
> 1.4.12. Is this the case?

The Linux NFS xlator was added in the 1.5 series; you may be best trying
it with 1.6.0. The Linux xlator isn't guaranteed to work all that well,
either, since it does not get very much testing, and the Linux kernel
interfaces work against us. I'm actually not sure if anyone's tried it
with 1.6.0, but I do remember someone had gotten it at least minimally
working with 1.5.77. iirc, it will not work at all in kernel 2.6.29 and
beyond, due to certain APIs being made inaccessible.

There is a file in the tree which may be helpful:
doc/txt/README.linux-nfstrans. In order to compile the xlator support at
all, you need to remove or comment out the first line that says:

#define AFS_NONFSTRANS  1

in src/config/param.linux26.h, before you build. When you load the
openafs module, you need to, as mentioned in README.linux-nfstrans:

modprobe sunrpc
authtab=`awk '/[ \t]authtab[ \t]/ { print $1 }' < /proc/kallsyms`
modprobe openafs ${authtab:+authtab_addr=0x$authtab}

After that, I believe basic functionality should work (unless something
is broken). There are other nfs-related configuration knobs, but for
basic support you don't need to do anything further.

-- 
Andrew Deason
adea...@sinenomine.net



[OpenAFS] NFS Translator in 1.14.12

2011-10-14 Thread Mike Legg
Hi,

I am currently testing OpenAFS 1.4.12 on Debian and would like to configure
NFS. From what I can see from the documentation I need to configure an NFS/AFS
translator machine. I am finding the documentation
(http://docs.openafs.org/AdminGuide/apas03.html) confusing. Is there an easy
step by step guide to configuring the NFS translator on Debian with OpenAFS
1.4.12?

I did come across an old post suggesting it is not supported in 1.4.12. Is this
the case?

Kind regards

Mike Legg
IT Support

u-blox UK Ltd, 
Foundation House, 
42-48 London Road, 
Reigate, 
Surrey, 
RH2 9QQ, 
United Kingdom 

Phone: +44 (0)1737 228 457 
Fax: +44 (0)1737 228 464 
www.u-blox.com  




Re: [OpenAFS] Re: klog.krb5 incompatible with Heimdal 1.5.1?

2011-10-14 Thread Andreas Haupt
Hi Jeffrey,

On Fri, 2011-10-14 at 08:02 -0400, Jeffrey Altman wrote:
> Andreas:
> 
> Wireshark cannot show you the type of the session key since that key is
> only visible to parties that are capable of decrypting the encrypted
> portions of the response.  It is the session key that must be des-cbc-*
> and which is instead aes256-cts-hmac-sha1-96 in the 1.5.1 case.

OK, learned something again ...

> klog.krb5 should be setting an explicit request for a des-cbc-crc
> session key.  That is a bug which must be fixed.  It should be reported
> to openafs-b...@openafs.org.

Done.

> Heimdal 1.5.1 should also be restricting the session key to one of the
> encryption types that are known to the a...@ifh.de principal.  That is
> also a bug and should be reported on the heimdal mailing list.

Done, as well.

Cheers,
Andreas
-- 
| Andreas Haupt | E-Mail: andreas.ha...@desy.de
|  DESY Zeuthen | WWW:http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6  | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen  | Fax:+49/33762/7-7216





Re: [OpenAFS] Re: klog.krb5 incompatible with Heimdal 1.5.1?

2011-10-14 Thread Jeffrey Altman
On 10/14/2011 4:10 AM, Andreas Haupt wrote:
> Hi Andrew,
> 
> this looks like a hint. Interestingly it doesn't match my observations
> with wireshark! I've attached the two AS-REP responses with the suffix
> -working & -notworking. The responses are identical (except for the KDC
> ip and the encrypted data) ... 
> 
> 141.34.22.10 is a Heimdal 1.2.1 KDC, 141.34.22.11 is version 1.5.1
> 
> Does this help any further?
> 
> Cheers,
> Andreas

Andreas:

Wireshark cannot show you the type of the session key since that key is
only visible to parties that are capable of decrypting the encrypted
portions of the response.  It is the session key that must be des-cbc-*
and which is instead aes256-cts-hmac-sha1-96 in the 1.5.1 case.
klog.krb5 should be setting an explicit request for a des-cbc-crc
session key.  That is a bug which must be fixed.  It should be reported
to openafs-b...@openafs.org.

Heimdal 1.5.1 should also be restricting the session key to one of the
encryption types that are known to the a...@ifh.de principal.  That is
also a bug and should be reported on the heimdal mailing list.

Jeffrey Altman




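Jeffrey's two points above (a capture cannot show the session key's enctype, and the KDC should choose that enctype from what the service principal can actually use), together with the allow_weak_crypto question in the Samba4 thread earlier on this page, can be seen in a small model of the AS exchange. The Python below is an added example written for this page; it is not Heimdal, MIT krb5 or OpenAFS code. The client preference lists are assumptions, `select_session_etype_unrestricted` is only a model of the behaviour the thread attributes to Heimdal 1.5.1, and the enctype/kvno values are those of the AS-REP capture in this thread (afs key des-cbc-md5 kvno 2, user key aes256-cts-hmac-sha1-96 kvno 39).

```python
# Kerberos encryption-type numbers (RFC 3961 / RFC 3962).
DES_CBC_CRC = 1
DES_CBC_MD4 = 2
DES_CBC_MD5 = 3
DES3_CBC_SHA1 = 16
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18
SINGLE_DES = {DES_CBC_CRC, DES_CBC_MD4, DES_CBC_MD5}

# Assumed preference list of a client that does not ask for DES explicitly;
# the real default depends on the Kerberos library and its krb5.conf.
DEFAULT_CLIENT_ETYPES = [AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96,
                         DES3_CBC_SHA1, DES_CBC_MD5, DES_CBC_CRC]
# What a klog.krb5 with the fix Jeffrey asks for would send instead.
KLOG_FIXED_ETYPES = [DES_CBC_CRC]


def service_supports(etype, service_key_etypes):
    """A service can use a session enctype if it holds a key of that type.
    The single-DES enctypes share one 56-bit key, so a des-cbc-md5 key also
    serves a des-cbc-crc session key (MIT treats them as similar enctypes)."""
    if etype in service_key_etypes:
        return True
    return etype in SINGLE_DES and any(k in SINGLE_DES for k in service_key_etypes)


def select_session_etype(client_etypes, service_key_etypes, allow_weak):
    """RFC 4120 behaviour: the first enctype in the client's preference order
    that the service also supports.  Single DES is skipped unless weak crypto
    is allowed (allow_weak_crypto).  None models KDC_ERR_ETYPE_NOSUPP."""
    for etype in client_etypes:
        if etype in SINGLE_DES and not allow_weak:
            continue
        if service_supports(etype, service_key_etypes):
            return etype
    return None


def select_session_etype_unrestricted(client_etypes, allow_weak):
    """Model of the behaviour the thread attributes to Heimdal 1.5.1 (not
    Heimdal code): the service principal's keys are never consulted, so the
    client's first acceptable preference wins even if the service cannot use it."""
    for etype in client_etypes:
        if etype in SINGLE_DES and not allow_weak:
            continue
        return etype
    return None


def build_as_rep(client_key_etype, client_kvno, service_key_etype, service_kvno,
                 session_etype):
    """Minimal AS-REP model.  Both etype/kvno headers are cleartext; the
    session key and its enctype sit inside the two encrypted parts."""
    return {
        "ticket": {"etype": service_key_etype, "kvno": service_kvno,
                   "encrypted": {"session_key_etype": session_etype}},
        "enc-part": {"etype": client_key_etype, "kvno": client_kvno,
                     "encrypted": {"session_key_etype": session_etype}},
    }


def visible_to_sniffer(as_rep):
    """Everything a passive capture (Wireshark without keys) can dissect."""
    return {"ticket_etype": as_rep["ticket"]["etype"],
            "ticket_kvno": as_rep["ticket"]["kvno"],
            "enc_part_etype": as_rep["enc-part"]["etype"],
            "enc_part_kvno": as_rep["enc-part"]["kvno"]}


def session_etype_with_client_key(as_rep):
    """Only a holder of the client's (or the service's) long-term key can open
    an encrypted part and learn the session enctype."""
    return as_rep["enc-part"]["encrypted"]["session_key_etype"]


def exchange(client_etypes, kdc_checks_service_keys, allow_weak=True):
    """One AS exchange for the afs principal from the capture (only a
    des-cbc-md5 key, kvno 2) by a user whose key is aes256, kvno 39.
    Returns (as_rep or None, session_etype, usable_by_rxkad)."""
    service_keys = {DES_CBC_MD5}
    if kdc_checks_service_keys:
        sess = select_session_etype(client_etypes, service_keys, allow_weak)
    else:
        sess = select_session_etype_unrestricted(client_etypes, allow_weak)
    if sess is None:
        return None, None, False
    rep = build_as_rep(AES256_CTS_HMAC_SHA1_96, 39, DES_CBC_MD5, 2, sess)
    # rxkad only understands single-DES session keys.
    return rep, sess, sess in SINGLE_DES


if __name__ == "__main__":
    cases = [("unfixed klog.krb5, KDC that checks service keys", DEFAULT_CLIENT_ETYPES, True),
             ("unfixed klog.krb5, 1.5.1-like KDC", DEFAULT_CLIENT_ETYPES, False),
             ("fixed klog.krb5, 1.5.1-like KDC", KLOG_FIXED_ETYPES, False)]
    for label, etypes, checks in cases:
        rep, sess, ok = exchange(etypes, checks)
        print(f"{label}: wire {visible_to_sniffer(rep)} session etype {sess} usable {ok}")
```

Two things fall out of running it. The first two cases produce byte-for-byte the same cleartext headers (des-cbc-md5/kvno 2 on the ticket, aes256/kvno 39 on the client part), exactly what the two captures show, while only decrypting the enc-part reveals that one session key is DES and the other AES. And with `allow_weak=False` the correct selector finds no enctype at all, which is the situation a KDC without allow_weak_crypto puts a DES-only afs principal in.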


Re: [OpenAFS] Monitoring performance of fileservers using cacti or munin

2011-10-14 Thread Jose Calhariz
On Thu, Oct 13, 2011 at 12:29:02PM -0400, Jeff Blaine wrote:
>> Am I missing something from the manual pages or OpenAFS documentation?
>
> Aside from scout, afsmonitor and xstat_*_test

Thank you, let me study them.

Is anyone using cacti or munin for monitoring file servers?


 Jose Calhariz

-- 
Renewed friendships require more care than those that were never broken.

--La Rochefoucauld


Re: [OpenAFS] Re: klog.krb5 incompatible with Heimdal 1.5.1?

2011-10-14 Thread Andreas Haupt
Hi Andrew,

this looks like a hint. Interestingly it doesn't match my observations
with wireshark! I've attached the two AS-REP responses with the suffix
-working & -notworking. The responses are identical (except for the KDC
ip and the encrypted data) ... 

141.34.22.10 is a Heimdal 1.2.1 KDC, 141.34.22.11 is version 1.5.1

Does this help any further?

Cheers,
Andreas
-- 
| Andreas Haupt | E-Mail: andreas.ha...@desy.de
|  DESY Zeuthen | WWW:http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6  | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen  | Fax:+49/33762/7-7216

No.   Time        Source        Destination   Protocol  Info
9287  44.161261   141.34.22.10  141.34.2.11   KRB5      AS-REP
NT Status: Unknown error code 0x2e484649

Frame 9287 (673 bytes on wire, 673 bytes captured)
Ethernet II, Src: Cisco_59:2e:80 (a8:b1:d4:59:2e:80), Dst: Dell_8d:ab:78 
(00:18:8b:8d:ab:78)
Internet Protocol, Src: 141.34.22.10 (141.34.22.10), Dst: 141.34.2.11 
(141.34.2.11)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 33676 (33676)
Kerberos AS-REP
Pvno: 5
MSG Type: AS-REP (11)
padata: PA-PW-SALT
Type: PA-PW-SALT (3)
Value: 4946482E4445616861757074
NT Status: Unknown (0x2e484649)
Unknown: 0x68614544
Unknown: 0x74707561
Client Realm: IFH.DE
Client Name (Principal): ahaupt
Name-type: Principal (1)
Name: ahaupt
Ticket
Tkt-vno: 5
Realm: IFH.DE
Server Name (Principal): afs
Name-type: Principal (1)
Name: afs
enc-part des-cbc-md5
Encryption type: des-cbc-md5 (3)
Kvno: 2
enc-part: 6179B1966792CC7239F3985920F0CEF288BAA3B3031B9B4B...
enc-part aes256-cts-hmac-sha1-96
Encryption type: aes256-cts-hmac-sha1-96 (18)
Kvno: 39
enc-part: 44244E2F55FFA9BFCFCB3CD9436911927C34849DB4211EB6...
No.   Time        Source        Destination   Protocol  Info
7142  33.774371   141.34.22.11  141.34.2.11   KRB5      AS-REP
NT Status: Unknown error code 0x2e484649

Frame 7142 (721 bytes on wire, 721 bytes captured)
Ethernet II, Src: Cisco_59:2e:80 (a8:b1:d4:59:2e:80), Dst: Dell_8d:ab:78 
(00:18:8b:8d:ab:78)
Internet Protocol, Src: 141.34.22.11 (141.34.22.11), Dst: 141.34.2.11 
(141.34.2.11)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 49970 (49970)
Kerberos AS-REP
Pvno: 5
MSG Type: AS-REP (11)
padata: PA-PW-SALT
Type: PA-PW-SALT (3)
Value: 4946482E4445616861757074
NT Status: Unknown (0x2e484649)
Unknown: 0x68614544
Unknown: 0x74707561
Client Realm: IFH.DE
Client Name (Principal): ahaupt
Name-type: Principal (1)
Name: ahaupt
Ticket
Tkt-vno: 5
Realm: IFH.DE
Server Name (Principal): afs
Name-type: Principal (1)
Name: afs
enc-part des-cbc-md5
Encryption type: des-cbc-md5 (3)
Kvno: 2
enc-part: 84443A576FDBAE510178FC6ED072427A777EB51BC70A8A79...
enc-part aes256-cts-hmac-sha1-96
Encryption type: aes256-cts-hmac-sha1-96 (18)
Kvno: 39
enc-part: A305225BD2711CF12BF97B5B19975189C81F9976445586BB...