Re: [OpenAFS] Zabbix monitoring AFS health
Back when I ran a cell that people other than me cared about, I had implemented various checks from: https://www.eyrie.org/~eagle/software/afs-monitor/

I do not know anything about Zabbix, but I assume it is possible to take these nagios checks and make them work?

Hello, I started to implement a zabbix server for my OpenAFS cells. For now I am only measuring the standard Linux measures. Is there anyone with more advanced setups? From the community, what OpenAFS measures are important to measure the performance of OpenAFS, that I should monitor with my zabbix server? Kind regards Jose M Calhariz

On Thu, Oct 07, 2021 at 09:56:28AM -0400, Tim Champ wrote: Hello all. Just figured I'd check if anyone out there is using Zabbix to monitor their AFS file servers, etc. If so, we're interested in seeing/hearing about it if you're willing to share any templates or other things you've done in that regard. If not, once we have something, we'll plan to contribute it to anyone it may help. Thanks for your time! Tim

___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Why the KfW/Heimdal dependency with OpenAFS for Windows?
The Microsoft libraries are only useful if one is actually using the Windows Kerberos parts (either through Active Directory or ksetup.exe with a realm.) For your standard home user, they aren't going to be using either and need a way to enter Kerberos credentials from within Windows itself. Think of it as Windows not having a kinit command. Windows can only obtain initial Kerberos credentials from the login screen.

Also, KfW or Heimdal allow one to obtain credentials for different realms/cells outside of the ones the computer is authorized to obtain. E.g. this allows me to authenticate to cells at other organizations just by having a password for their realm and (usually) not requiring me to join my computer to their Active Directory or Kerberos infrastructure.

CDC

Coy Hile coy.h...@coyhile.com wrote: I'm almost certainly missing something obvious here, but why do we have the dependency on either KfW or Heimdal for the Windows OpenAFS client? Microsoft already ships Kerberos libraries as part of Active Directory; why can we not link against those directly?
Re: [OpenAFS] Proposed changes - restricted mode
Michael Meffie mmef...@sinenomine.net wrote: Simon Wilkinson wrote: On 5 Dec 2010, at 02:55, Derrick Brashear sha...@dementia.org wrote: We tell you that you can, and how, to disable this

Perhaps we should ship with it disabled by default?

Yes, I agree, bos exec really should be disabled by default, and only turned on after people understand the implications. (I've used the same trick Derrick mentioned, bos exec/bos getlog. I thought I was being clever.)

Someone correct me if this has changed, but be careful enabling restricted mode by default. This adds a line to BosConfig and backing out newer binaries with this option enabled for older binaries can cause AFS to no longer work as the old binaries do not understand the restrictedmode entry in the BosConfig file and give some kind of cryptic error or something. (Or at least I had something like this happen once and had to remove the offending line from BosConfig by hand to get my old binaries to work again.) This can be somewhat of a problem when backing out upgrades due to whatever problems.

That said, I do think this is a good idea. Random services (especially ones running as root) shouldn't have a default mechanism to run arbitrary binaries on a system. People likely do not realize that adding someone to UserList also effectively gives them root access on the AFS servers which could be running other services as well.

CDC
Re: [OpenAFS] Re: Proposed changes for server log rotation
I was just wondering if anyone thought about these same logging changes on the Windows platform too. I know the servers aren't really supported right now on Windows, but I wouldn't want to go in a direction that makes it extremely hard to share code between platforms for logging... Or does that not really matter so much?

CDC
Re: [OpenAFS] Proposed changes for server log rotation
Russ Allbery r...@stanford.edu wrote: Jeffrey Altman jalt...@secure-endpoints.com writes: My one concern to switching to something like syslog by default is that bos getlog will need to be re-implemented in a different fashion.

Yeah, this is a very good point. I think I've used bos getlog maybe three times in the past fifteen years, so I never think about it, but I suspect others use it more than I do.

I'd say that you could BOTH log to syslog AND keep the current log file method. I'd actually prefer that myself.

CDC
Re: [OpenAFS] pts createuser -name hostname.domain ?
As an FYI, I usually just create a group name that is similar to the hostname, then add the IP user to the group and use the group in ACLs. Of course, if you actually make a lot of DNS changes you'll need to keep these in sync, but it shouldn't be that hard to write a quick script to audit / check groups and IPs.

CDC

Assarsson, Emil emil.assars...@sonyericsson.com wrote: Hi, Thanks for the reply. I think I will be able to work around this problem until then. But the new feature would make things a lot more readable.

On 11/9/2010 4:32 AM, Assarsson, Emil wrote: Hi, I know there is a way to add client machines by their ip address. But is it possible to add them by hostname instead using their Kerberos principalName?

Not at the moment. There are two things that need to be done. Jeffrey Altman
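The "one PTS group per host" pattern above only stays safe while the IP user in each group still matches what DNS says about that host; an address that DNS has moved on from keeps whatever ACL rights the group carries. The audit script below is an added example, not code from the original post or from OpenAFS: it takes `pts membership` output and DNS answers as constructed inline data (both assumptions, so it runs offline), flags stale, missing and non-IP members, and prints the pts commands an admin would review before running.

```python
#!/usr/bin/env python3
"""Audit "one PTS group per host" IP users against DNS.

Added example (not from the original post or the OpenAFS project).
Assumptions, constructed for this example: `pts membership` output and
DNS answers are passed in as text/dicts so the check runs offline, and
host groups are named <prefix>:<short hostname>.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of `pts membership <group>` output
# (a header line, then one member per indented line; assumed format).
SAMPLE_PTS_OUTPUT: Dict[str, str] = {
    "hosts:web1": "Members of hosts:web1 (id: -301) are:\n  192.0.2.10\n",
    "hosts:web2": "Members of hosts:web2 (id: -302) are:\n  192.0.2.20\n  192.0.2.21\n",
    "hosts:db1": "Members of hosts:db1 (id: -303) are:\n  198.51.100.5\n  admin\n",
}

# Constructed sample of what DNS answers for each host today.
SAMPLE_DNS: Dict[str, Set[str]] = {
    "web1.example.org": {"192.0.2.10"},
    "web2.example.org": {"192.0.2.20"},    # 192.0.2.21 was retired
    "db1.example.org": {"198.51.100.6"},   # db1 moved to a new address
}

Finding = Tuple[str, str, str]  # (group, problem, value)


def parse_membership(text: str) -> List[str]:
    """Return member names from `pts membership` output (assumed format)."""
    lines = text.splitlines()
    return [ln.strip() for ln in lines[1:] if ln.strip()]


def is_ip_user(name: str) -> bool:
    """PTS "IP users" are entries whose name is a literal IP address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def audit_host_groups(pts_output: Dict[str, str],
                      dns: Dict[str, Set[str]],
                      domain: str) -> List[Finding]:
    """Compare each host group's IP users with DNS for that host.

    Reports addresses in the group that DNS no longer maps to the host
    (stale rights held by whoever now uses that address), addresses DNS
    has that the group lacks (host locked out), hosts missing from DNS,
    and non-IP members that have crept into a host group.
    """
    findings: List[Finding] = []
    for group, text in pts_output.items():
        short = group.split(":", 1)[-1]
        host = f"{short}.{domain}"
        members = parse_membership(text)
        group_ips = {m for m in members if is_ip_user(m)}
        for m in members:
            if not is_ip_user(m):
                findings.append((group, "non-IP member in host group", m))
        dns_ips = dns.get(host)
        if dns_ips is None:
            findings.append((group, "host not found in DNS", host))
            continue
        for ip in sorted(group_ips - dns_ips):
            findings.append((group, "stale IP in group", ip))
        for ip in sorted(dns_ips - group_ips):
            findings.append((group, "DNS IP missing from group", ip))
    return findings


def remediation_commands(findings: List[Finding]) -> List[str]:
    """Turn findings into pts commands for an admin to review, then run."""
    cmds: List[str] = []
    for group, problem, value in findings:
        if problem == "stale IP in group":
            cmds.append(f"pts removeuser -user {value} -group {group}")
        elif problem == "DNS IP missing from group":
            # The IP user must exist in PTS before it can join a group.
            cmds.append(f"pts createuser -name {value}")
            cmds.append(f"pts adduser -user {value} -group {group}")
    return cmds


if __name__ == "__main__":
    found = audit_host_groups(SAMPLE_PTS_OUTPUT, SAMPLE_DNS, "example.org")
    for group, problem, value in found:
        print(f"{group:<12} {problem:<28} {value}")
    print()
    print("\n".join(remediation_commands(found)))
```

In a real cell the two dicts would be filled from `pts membership` and your resolver, and the output reviewed rather than piped straight into pts.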
Re: [OpenAFS] AlwaysAttach
Russ Allbery r...@stanford.edu wrote: Jason Edgecombe ja...@rampaginggeek.com writes: Would it be terribly difficult to add an informational message to the fileserver to mention this?

I took a look, but the code is structured in a really obnoxious way that makes it hard to do this. It needs substantial restructuring so that it's aware of what partitions have been mounted already because they're separate devices.

I'd prefer to NOT encourage people to use directories and instead have them actually create partitions to avoid problems with system partitions filling up for whatever reason. Having the ability to work around it is one thing, recommending it via a default message is quite another entirely. Someone just setting up AFS should create dedicated partitions. People who absolutely need to use a directory can usually just ask, read the man page, or find this thread in the list archives.

CDC
Re: [OpenAFS] Testing OpenAFS with Windows XP Roaming Profiles....
Claudio Prono claudio.pr...@atpss.net wrote: I am testing a solution like: OpenAFS with kerberos, Windows XP with Integrated logon and roaming profile. OpenAFS works, Kerberos works, integrated logon works... The profile on AFS not. I have manually copied the profile in a directory on AFS like msprofile, edited the windows registry at key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and changed the key ProfileImagePath to \\afs\mediaservice-test.pri\users\claudio\msprofile Deleted the local profile, rebooted the machine, logged in as claudio... and... a new local profile was created!!! If I check the registry key, it is changed again to the default (something like %SystemDrive%\Documents and Settings\claudio.TESTAFS)... What am I doing wrong? What is the best solution?

Are you literally changing the registry? And not doing things the supported way by setting the user profile path within Active Directory?

I'd say the best solution is to NOT edit the registry directly to change a profile location. There are some group policy settings to disable windows trying to change permissions on the profile path. I suspect this might be causing problems as Windows does not know how to set AFS permissions and if this attempt fails, Windows reverts to a local profile.

Also, you might need to set at least system:anyuser l on the folder so that the computer itself (without AFS credentials) can see that the folder exists before trying to use it as a profile path. I am not sure about that though.

CDC
Re: [OpenAFS] Re: [OpenAFS-devel] 1.6 and post-1.6 OpenAFS branch management and schedule
Russ Allbery r...@stanford.edu wrote: Chas Williams (CONTRACTOR) c...@cmf.nrl.navy.mil writes: Russ Allbery writes: I definitely agree that this is where we should go. I don't think we're quite ready to be there right now, unless you feel that we should enable supergroups by default. :) (I can't reasonably turn it off in the Debian packages, where it's been enabled for quite some time, without causing obvious serious problems.)

what would be a good reason for not enabling by default? no one is forcing us to use supergroups even if the support is turned on.

Turning it on and not using it isn't the issue. Turning it off for those of us (like me) who do use it will obviously cause problems and won't encourage people to upgrade to newer versions of OpenAFS.

The code is dire verging on unsupportable and really needs to be rewritten.

If the code is so bad, why was it accepted in the first place? This seems to be a completely different issue than supporting a specific feature. You cannot penalize people who are using what appeared to be a supported feature because someone allowed said bad code in and now it cannot be maintained.

CDC
Re: [OpenAFS] Re: [OpenAFS-devel] 1.6 and post-1.6 OpenAFS branch management and schedule
Rainer Toebbicke r...@pclella.cern.ch wrote: Derrick Brashear wrote: Considering it a showstopper when you admit one graph earlier that you're already running with a patched tree seems a bit overblown, perhaps? The tree is now gold and patches may no longer be applied?

No, of course not. It would be painful to have to put back the '--enable-fast-restart and --enable-bitmap-later' code if you removed them, probably dangerous. My plea is to keep them in as an alternative to the demand-attach file-server: with mandatory salvaging the non-demand-attach case is seriously impaired, hence disabling it is no real alternative. With the ambitious schedule for new releases I see this happening very quickly. I'd like to avoid having to stop at a particular release next year because of a functionality that we manage to live without, and miss others that we're interested in.

I agree with Rainer on this.

At the same time, I'd be happy to start doing more testing of the various DAFS features, although I'm not quite sure what version I should be using for testing, nor am I completely sure how to actually migrate an existing file server to use DAFS or if there is a reverse path to downgrade if I encounter problems.

CDC
Re: [OpenAFS] Re: [OpenAFS-devel] 1.6 and post-1.6 OpenAFS branch management and schedule
Russ Allbery r...@stanford.edu wrote: Chris, to check, are you currently using --enable-fast-restart or --enable-bitmap-later?

Yes, both of them.

Please understand that neither of those options are recommended now, whether you have DAFS enabled or not. I consider --enable-fast-restart in particular to be dangerous and likely to cause or propagate file corruption and would not feel comfortable ever running it in production. I know that some people are using the existing implementation and taking their chances, and if they're expert AFS administrators and know what they're risking, that's fine, but, as I understand it, it's pretty much equivalent to disabling fsck and journaling on your file systems after crashes and just trusting that there won't be any damage or that, if there is, you'll fsck when you notice it.

I have heard that, but I have never experienced any problems myself in many years of running that way. In general the way I see it is that if the power goes out, my server stays up for a little longer due to its UPS but the network dies immediately so the AFS processes are not doing anything when the power finally dies and the server goes down a few minutes later. (This is of course assuming no actual server crashes and luckily I haven't had any of those.)

It's fine to not have it enabled by default, but I can't see why one would remove the functionality from the source tree. If you want to require a --yes-i-know-i-can-corrupt-data configure option, that is also fine, but requiring source code patches sounds like a major annoyance.

I guess I don't understand the particulars of what could happen, but if one is really worried about sending corrupt data, wouldn't the best thing to do be check the data as it is being sent and return errors then and log that something is wrong, not require an ENTIRE VOLUME to be salvaged, leaving all of the files inaccessible for a potentially long period of time? I assume that such a thing is not possible to do?

I mean I occasionally see NTFS errors in the event log on Windows servers. Windows doesn't take the disk offline and run a chkdsk for me to prevent potential errors, it allows me to try and access other data and if it works there are no problems and denies access to specific files or directories if there is corruption.

At the same time, I'd be happy to start doing more testing of the various DAFS features, although I'm not quite sure what version I should be using for testing,

If you want to test DAFS, you need to use a 1.5 series server or (coming soon) a 1.6 release candidate.

Ah, excellent. I will wait for a 1.6 release candidate. Will DAFS be enabled by default in 1.6? Or is that still being determined?

nor am I completely sure how to actually migrate an existing file server to use DAFS or if there is a reverse path to downgrade if I encounter problems.

Migration is documented in the bos_create(8) man page as one of the examples. You can do the inverse procedure to downgrade, although of course you'll also need to replace the server binaries with a version compiled without demand-attach.

Ok, so http://docs.openafs.org/Reference/8/bos_create.html is the only documentation on openafs.org on demand attach? Ah, I see a http://docs.openafs.org/Reference/8/salvageserver.html as well. Perhaps a generic dafs man page is in order for us non-developer types to be up to speed on what DAFS is, what the benefits are, and how to use it correctly?

CDC
Re: [OpenAFS] Re: [OpenAFS-devel] 1.6 and post-1.6 OpenAFS branch management and schedule
Simon Wilkinson s...@inf.ed.ac.uk wrote: On 17 Jun 2010, at 19:45, Christopher D. Clausen wrote: It's fine to not have it enabled by default, but I can't see why one would remove the functionality from the source tree.

Because every different configuration option you have doubles the complexity of testing the code. What actually tends to happen is that stuff that isn't enabled by default never actually gets tested when changes are made, and so ends up rotting. So, these options are dangerous both because we _know_ they can cause data loss now and that's only going to get worse in the future because nobody developing for the fileserver actually tests with them enabled. We have very limited developer effort available. Reducing the breadth of our code significantly improves our ability to add the new features that everyone says they want. My original proposal for both fast-restart and bitmap-later was that we should remove the configuration options but retain the code for one release cycle and then remove the code entirely in the next cycle. That hopefully prevents folk from running them thinking that they're in any way supported, but still allows those brave enough to do so some time to move over to demand attach.

Ah, ok. I thought these options were just being removed because people thought it was dangerous. If it is actually a long-term support issue, I am fine with the code being removed.

CDC
Re: [OpenAFS] forcing coredumpsize in bosserver
Derrick Brashear sha...@gmail.com wrote: Folks, I submitted a patch which would use the fact that bosserver runs as root to override resource limits and always drop a core. The issue it's intended to address is that often people will start bosserver from contaminated environments (where coredumpsize is limited) and then have a crash, and can provide no data... Is anyone deliberately turning off cores with limit? Would a command line switch to bosserver be acceptable to you in lieu of it? (None is provided in this patch yet but it could be if it mattered) http://gerrit.openafs.org/#change,1959

I don't care if core files get generated, but I'd want some way to make sure that the core file doesn't fill the disk partition when it gets written. I'm not sure how large the files can get, but I have had that problem in the past (on other software) with multiple GB core files completely filling a smallish / or /usr partition (as on a file server, I'd want to have as much space as possible go to the vice partitions.) Would it be possible to reserve some space in the vice partition and have the core file written there instead? (I suppose you could argue that could be worse, but in general I have much larger vice partitions than system ones.)

CDC
Re: [OpenAFS] Purging the client cache
Russ Allbery r...@stanford.edu wrote: We're starting a project to provide a set of AFS servers and a file space with additional security restrictions around who can access it so that it's suitable for storing data subject to various regulatory requirements. This space will require using either strong TLS or a VPN to access any files in that space. One of the concerns raised by our Information Security Office is that a primary point of this space is to get the data off of people's hard drives and into central storage that can be managed securely. If the data persists in users' caches after they disconnect from the VPN required to access the secure space directly, this would partly defeat this purpose.

If it were me, I would NOT allow such data to go to end-user systems (and thus avoid having it cached there.) I would set up a few servers within a secure data center and require all work to be done via remote access to these systems (using RDP, SSH, FreeNX, etc.) If the user can view data directly as a filesystem, they can copy it elsewhere and you can no longer control it. If you force them to use a specific set of systems, you can restrict how they could copy data off of the system and even restrict, filter and log outbound network traffic and filter outbound email (if needed.)

In this case I would set up an AFS cell (or maybe just a few file servers in an existing cell) that was only accessible from this secure data center and actually had vice partitions encrypted when on-disk on the file servers, probably taking a performance hit for the additional security (which is hopefully acceptable in this case.) This way the data never leaves the data center and all access to it can be enforced over encrypted channels (you can force high encryption with RDP and do similar things with SSH to disable weaker ciphers.) This should also help with access to non-file data such as SQL and Filemaker Pro databases which don't work so well in AFS.

And correct me if I'm wrong here, but wouldn't you also want to wipe the client's system pagefile or swap area after VPN disconnect as some data could be cached when swapped to disk? (This may actually be true when using RDP and FreeNX as well as screen bitmaps and other data may be in memory after the system disconnects.)

CDC
Re: [OpenAFS] Re: Ideas for finer grain set acl controls
Alf Wachsmann a...@slac.stanford.edu wrote: On Thu, 12 Nov 2009, Russ Allbery wrote: Andrew Deason adea...@sinenomine.net writes: In other words: *** PLEASE SPEAK UP *** if you want to be able to prevent normal users from doing something like fs setacl ${HOME} system:authuser rlidwka even when they have the 'a' bit on ${HOME}. Even if it's just +1, yes, I want that, please say something.

It's not as important as being able to block system:anyuser, but yes, I'd ideally like to be able to block arbitrary PTS groups from being added to ACLs with all or write access.

What he said. I would like that feature.

Me too! Also, I would like separate change acl and add mount point permissions. I often end up granting 'a' just so that users can add mount points as I see mount points as one of the key benefits of AFS. The end user can define their view of the file space and not have to resort to hard-coded things like symlinks or hardlinks. Some users just cannot be trusted to manage their own ACLs though.

CDC
Re: [OpenAFS] The removal of afscreds.exe and afs_config.exe on Windows Vista and Windows 7: Seeking Opinions
David Bear david.b...@asu.edu wrote: The only other thing I miss from afscreds is the version number for afs. I don't see where this is easily available -- elsewhere, not even in the control panel applet.

Just run fs -version from a command prompt (Win+R, cmd, then fs -version):

    C:\>fs -version
    OpenAFS_1.5.6101
    C:\>vos -version
    OpenAFS_1.5.6101
    C:\>bos -version
    OpenAFS_1.5.6101

CDC
Re: [OpenAFS] The removal of afscreds.exe and afs_config.exe on Windows Vista and Windows 7: Seeking Opinions
David Boyes dbo...@sinenomine.net wrote: 1. afscreds simply doesn't work reliably. as a result, its continued use is in my opinion not an option on Vista, 2008 and Windows 7.

Valid point, but it seems a bit precipitous to remove it before a replacement with equivalent function is available.

Clearly it works for *some* people. It also clearly doesn't work for some people. Perhaps just making the installation of afscreds optional would be acceptable?

CDC
Re: [OpenAFS] Openafs on Ubuntu
Jason Edgecombe ja...@rampaginggeek.com wrote: gottoomanyaccounts wrote: I am wondering is there a plan to have an official repository for Ubuntu, like the one we have for Fedora/RHEL? It would be nice to be able to install the openafs client on Ubuntu as easily as on Fedora.

Um... I'm running ubuntu with the openafs client. I just had to run sudo apt-get install openafs-client

I think that depends on the Ubuntu version that one is using.

Is the outdated version the problem?

According to what the developers tell us, yes, the outdated version is a problem. (1.4.6 is current for Ubuntu Hardy 8.04 and it is likely to remain so until 2013 when hardy goes out of support.) And I'm still running 6.06 dapper (previous LTS release) on some machines. Dapper goes out of support in 2011.

I'd like to see newer packages in dapper-backports and hardy-backports, although I have no idea on the process to get them there. Further info at: https://help.ubuntu.com/community/UbuntuBackports

CDC
Re: [OpenAFS] Re: Thinking about a different way to distribute configuration.
Russ Allbery r...@stanford.edu wrote: David Boyes dbo...@sinenomine.net writes: Why? If the data it serves is on a SAN or otherwise connectable storage, why should the physical server handling the information be somehow special if it gets the same address and configuration information? [snip]

I want to use my configuration management system to do configuration management, not my distributed file system. If you want to do large-scale seamless configuration management, use Puppet, don't invent a half-assed version of Puppet and embed it in AFS.

*YOUR* configuration management system is Puppet. Great! Some of us use other products, like say Windows Group Policy. The OpenAFS for Windows client already does support registry settings for nearly everything and I would like to eventually use OpenAFS servers on Windows and as such I think that somehow supporting the Windows registry should be a key feature of OpenAFS servers on Windows. This allows for easy configuration using Group Policy. This same level of control is simply not available when using a config file of any kind. I realize few if any people are running servers on Windows today, but please keep Windows in mind when developing a config file format. Using a config file is NOT the usual Windows way to manage a service and in the few instances where config files exist, there is usually some other process that edits them such that the user never touches them directly.

Which IMHO would argue that there needs to be exactly ONE command line argument -- the location of the config file.

No. This is exactly the behavior that constantly annoys me with Kerberos where many things have to go into krb5.conf and you have to duplicate krb5.conf and set an environment variable to get different behavior. It's understandable for Kerberos where the configuration is for an underlying library and there's no clear way to tie into the command line, but that loss of convenience in AFS where we can easily do better would be a disservice to our users.

This problem already exists with CellServDB files on Windows (and of course the same Kerberos config file problems that you mention.) How do I push a change to a specific cell's servers? Oh, that's right, I have to modify or replace the existing file, which is a terrible process and can end badly. This would be much easier to deal with if this file format was instead represented within the registry where atomic changes can be made on a per-value basis and do not require replacing an entire file.

You could argue that simply having a way to include other config files within a file (include=/path/to/file) would solve a lot of this and I concur with that, although I suspect most people would hate to now manage a CellServDB directory instead of a single file. (But it would allow for a greater level of flexibility for those who wished to use it.)

Here's an example (I realize that the CellServDB file was not the target for this discussion, just using it as an example) that may not be easy to represent in some of the simpler file formats. Consider the case of linked cells within CellServDB. I do not think anyone has linked cells in the public CellServDB file currently. Could these be represented in all file formats suggested?

CDC
Re: [OpenAFS] OpenAFS + Active Directory documentation
Josh Fiske jfi...@clarkson.edu wrote: I've been doing a lot of research recently... We have an old (circa 2003) AFS cell and are looking at replacing those aging servers. For our new implementation, I hope to (read as: have received an edict that we must...) be able to use Active Directory as the authentication source. Initially, I began the new server installation following the Quick Start guide[1], but it still uses kaserver (krb4)... so that was right out. Can anyone point me towards some detailed documentation on the subject? If no documentation exists, might someone be able to help step me through the process? If the latter, I would be happy to create detailed (step-by-step) documentation of the setup to share with the community (perhaps as an update to the Quick Start guide[1]).

Please ask questions in the #openafs IRC channel on freenode.

Basically, you use ktpass.exe to create an afs/celln...@ad.domain (after marking the user account DES only within AD) service principal for use by AFS and then import this keytab into the AFS KeyFile using asetkey. Note that this only uses AD for authentication. You still need to add users to PTS for authorization to AFS.

You can try and look at: https://w3.physics.uiuc.edu/physwiki/doku.php?id=pcs:unix:afs Note that I did not write that, but I do use AD.UIUC.EDU for several AFS cells. I also would not have used ktutil when asetkey works just fine.

CDC
Re: [OpenAFS] Best Filesystem
Jason C. Wells j...@highperformance.net wrote: Dirk Heinrichs wrote: So your server OS is Solaris

No. My server OS is debian. My client OS are FreeBSD, debian, XP. Your assumption that file system suitability is determined purely by OS is limited. ZFS appears to be ready for prime time on BSD and Linux or it will be soon enough for me to start thinking about adopting it.

Your assumption is that just because an OS supports a filesystem, that OpenAFS will support it for a client cache. This is not the case. Support for ZFS caches on Solaris does NOT mean that ZFS on Linux would work. I'd stick with ext2/ext3 caches on Linux if I were you. You are welcome to try it out, but I'm fairly certain you'll run into strange errors using ZFS on Linux as an afs cache partition.

CDC
Re: [OpenAFS] adding a repository for yum on centos
David Bear david.b...@asu.edu wrote: Unless, there is a different file I would use to add the repository. I don't see that these are rpms themselves and thus cannot be added via rpm -Uhv http:... Do these represent configuration added to /etc/yum/repos.d ???

http://www.openafs.org/dl/openafs/1.4.10/openafs-repository-1.4.10-1.noarch.rpm
http://www.openafs.org/dl/openafs/1.4.10/openafs-repository-rhel-1.4.10-1.noarch.rpm

They are in the source code section on the release page, but I suspect that is what you want.

CDC
Re: [OpenAFS] openafs and tivoli backup client
Russ Allbery r...@stanford.edu wrote: Vladimir Konrad v.kon...@lse.ac.uk writes: Do you know a way to persuade IBM Tivoli client to do backup of openafs file-system?

Not any more. Tivoli dropped support for AFS. We have old binaries that we're still using because they've not broken the API (yet), but I don't think we're allowed to give them out, and they're not really a long-term solution for anyone anyway.

I'm fairly certain the TSM 5.1 client here has AFS support (as I use it now): ftp://ftp.software.ibm.com/storage/tivoli-storage-management/maintenance/client/v5r1/AIX/AIX32bit/v517/

AFS file level support only works from the AIX client. (You can force it to install on AIX newer than 5.1, but it isn't easy. I'd recommend installing AIX 5.1, then the AFS tsm client and then upgrade to something newer if you need to.) We have many filesystems defined within TSM (one per volume) on our TSM 5.2 server and I haven't heard any complaints from the TSM admins about it.

CDC
Re: [OpenAFS] openafs and tivoli backup client
Russ Allbery r...@stanford.edu wrote:

Christopher D. Clausen cclau...@acm.org writes:

Russ Allbery r...@stanford.edu wrote: Not any more. Tivoli dropped support for AFS. We have old binaries that we're still using because they've not broken the API (yet), but I don't think we're allowed to give them out, and they're not really a long-term solution for anyone anyway.

I'm fairly certain the TSM 5.1 client here has AFS support (as I use it now): ftp://ftp.software.ibm.com/storage/tivoli-storage-management/maintenance/client/v5r1/AIX/AIX32bit/v517/

Oh, I didn't realize they still had the 5.1 client available. Yes, that approach will work for the time being if that comes with the *.afs binary. Note, though, that the current version of Tivoli is 5.5, and I'm fairly sure that later versions no longer include AFS support. We've been told by IBM that they do not support it and eventually it will break.

I too have heard that, but there are still machines on campus using the 3.x TSM client, so I'm not too worried about 5.1 breaking anytime soon. Additionally, I don't think we're planning on upgrading our TSM server (5.2) anytime soon either.

CDC
Re: [OpenAFS] windows list permission confusion
Sean O'Malley omall...@msu.edu wrote:

Our users are getting confused with the 'list' permission and the Windows client. The Windows afs client -will- show 0k files if you have the list permission, but in the Windows Explorer properties get/show change permissions box thing, they see that the read-only box is checked when in fact it is not read only, it is list only.

Yes, that is what it is supposed to do. Although I don't think the read-only box is actually checked. It's greyed out. It does the same thing on files on the C: drive.

In contrast, if they go through the afs-smb gateway, samba doesn't show the file because they don't have read permissions. (it ignores the list acl.) They either think the smb-gateways do not work, or they lost their files, so we end up with a phone call.

So the samba gateway is broken, not the AFS client?

Can we have the default be list doesn't show any files in the Explorer? Or at least not have the checkbox come back and say they have read-only permissions when in fact they don't. We can potentially make an override advance preference for advanced users. (I am sure there are good reasons to make list permissions list files, however, that is a more advanced topic than some of our users can handle.)

I consider the current functionality working as designed and your suggested changes as broken.

Should I file this as a bug report? I am not sure if this is by design, or if it is a legitimate bug because it is setting the read-only flag for the file.

You should provide the AFS server and client versions though. I'm running OpenAFS_1.5.5711 on Windows 2003 and have 1.4.2 and 1.4.6 servers.

CDC
Re: [OpenAFS] encrypted volumes
Jason Edgecombe ja...@rampaginggeek.com wrote: Why not just use truecrypt to mount a file from an AFS volume as an encrypted volume?

I've found that mounting anything (even ISOs on loopback) out of AFS causes serious system hangs and/or crashes.

CDC
Re: [OpenAFS] some afs clients are unreachable afs servers from time to time.
Derrick Brashear sha...@gmail.com wrote:

On Sat, Jan 17, 2009 at 8:59 PM, TIARA System Man sys...@tiara.sinica.edu.tw wrote: thank you.. : ) but, i have further questions. if you could tell me more, it will be appreciated. there should be the reason afs programmers let server restart at sunday 4am by default. if i turn it off, will server become more unstable? i found previous threads at http://www.openafs.org/pipermail/openafs-info/2001-September/001978.html.

That is from 2001, which was over 7 years ago and a different openafs version. The 1.4.x series seems to have much better stability than the 1.2.x and older versions (the mentioned 3.4a version is from Transarc/IBM and predates openafs.)

do you suggest to turn off auto restart? thanks..

someone else should answer. i leave it on. in 1.4.8 rx doesn't leak like it did in prior versions so even the people who might have needed to before probably don't now.

I have it turned off and have not had problems:

    % bos getrestart localhost
    Server localhost restarts never
    Server localhost restarts for new binaries never
    % uptime
    up 611 days

This is with openafs 1.4.2 and stability likely improved in newer openafs versions.

At a minimum though, you should set each of your different AFS servers to restart at a different time. You do not want them all to restart at once and have your cell go down.

CDC
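The staggering CDC recommends at the end, written out as an added shell example (this is not code from the thread or from OpenAFS itself). It plans one distinct weekly general-restart time per server and prints the matching bos setrestart commands; the hostnames fs1/fs2/fs3 are placeholders, and -localauth assumes the script runs on a server that holds the cell KeyFile.

```shell
#!/bin/sh
# Added example: stagger the weekly general restart across AFS servers so
# they never all go down together.  Hostnames are placeholders (assumed).
# bos setrestart -server HOST -time "sun HH:MM" -general sets the weekly
# general restart; -newbinary would set the new-binary restart instead.

# stagger_restart_plan DAY START_HOUR START_MIN STEP_MIN SERVER...
# Prints one line per server, "HOST DAY H:MM", spacing them STEP_MIN apart.
stagger_restart_plan() {
    day=$1; hour=$2; min=$3; step=$4
    shift 4
    for host in "$@"; do
        printf '%s %s %d:%02d\n' "$host" "$day" "$hour" "$min"
        min=$((min + step))
        while [ "$min" -ge 60 ]; do        # carry minutes into hours
            min=$((min - 60))
            hour=$(( (hour + 1) % 24 ))
        done
    done
}

# plan_to_bos_cmd HOST DAY TIME: the bos command that applies one plan line.
plan_to_bos_cmd() {
    printf 'bos setrestart -server %s -time "%s %s" -general -localauth\n' "$1" "$2" "$3"
}

# apply_restart_plan: read plan lines on stdin and apply them.  With
# DRY_RUN=1 the commands are only printed, which is how to review the
# schedule before touching the servers.
apply_restart_plan() {
    while read -r host day time; do
        cmd=$(plan_to_bos_cmd "$host" "$day" "$time")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            eval "$cmd"
        fi
    done
}

# Typical use (placeholders):  restarts at sun 4:00, 4:30, 5:00
#   DRY_RUN=1; stagger_restart_plan sun 4 0 30 fs1 fs2 fs3 | apply_restart_plan
# Verify afterwards with:  bos getrestart -server fs1 -localauth
```

Run it first with DRY_RUN=1 and compare the printed schedule against bos getrestart on each server; the step should be large enough that one server is fully back (fileserver attached, volumes online) before the next one goes down.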
Re: [OpenAFS] OpenAFS 1.5.56 and Vista Home Premium 64bit SP1
According to the subject, you are on 64-bit Vista and the below refers to the 32-bit installer, which is likely the problem.

CDC

mbn anonymous...@gmail.com wrote: OK thanks a lot. I had to use 7-zip to extract the contents because the cmd line you sent kept giving me errors.

Jeffrey Altman-2 wrote: You can extract the binaries without installing them with the command:

    msiexec /a openafs-en_US-1-5-55.msi
Re: [OpenAFS] Problem with OpenAFS on Vista x86
Paul Accisano shiningmasam...@gmail.com wrote:

Jeffrey Altman wrote:

Paul Accisano wrote: Finally, here's an extremely telling bit of information: not only do I lose access to \\afs when I connect to VPN, but I also lose access to all other computers on my network except the only other one that's running Vista. What's more, I don't regain access even when I disconnect from VPN! Rebooting seems to be the only cure after I've connected to VPN once. Unfortunately, this suggests to me that it's some kind of Vista VPN conflict, which means I'm getting outside of your area of expertise here... Any ideas?

Reconfigure the Cisco VPN entry for NJIT to permit access to the local area network.

No change. I was pretty excited when I saw that check box in the VPN settings, but it doesn't seem to have any effect; I checked it, rebooted, VPN'ed, and the same thing happened. All my non-Vista computers vanish, along with \\afs, and don't come back until I reboot.

What version of the Cisco VPN client are you using? What happens if you wait and start the OpenAFS client service after you are connected to the VPN? (Leave the OpenAFS service in the manual state instead of automatic and then start it after you are connected to the VPN.)

CDC
Re: [OpenAFS] Weird conflict between openafs kernel module and nvidia driver on Ubuntu
Karl M. Davis wrote:

As part of my standard setup, I've been editing /etc/openafs/afs.conf:

    ...
    #OPTIONS=AUTOMATIC
    OPTIONS=-chunksize 20 -memcache -blocks 65536

Is that not legit? Can't recall where I was told to do that, but I'm guessing it was likely someone in the IRC channel.

It was probably me that suggested that. I run several machines that way. Does it not work for you? How much RAM do you have on this machine though? The -blocks 65536 requires 64MB of memory (possibly a continuous chunk.) Or, switch to the on-disk cache and see if the problem goes away.

CDC
Re: [OpenAFS] Fileserver doesn't recognise host-principals
Douglas E. Engert wrote:

Frank Burkhardt wrote: Hi, I've got a strange problem here. Some of my AFS-client-machines must put some stuff into AFS on a regular basis. Since all of them have a host/...-Keytab, I wanted to use it as AFS-identity: [snip] However, when I try to create a file in AFS, I'm recognised as anonymous:

    [EMAIL PROTECTED] # cd /afs/cbs.mpg.de/tmp/leipzig;rm -f xxx
    [EMAIL PROTECTED] # touch xxx
    [EMAIL PROTECTED] # ls -la xxx
    -rw-r--r-- 1 anonymous root 0 Aug 26 16:25 xxx

ls -l uses the host's mapping of UID to names. So was the file written with the anonymous UID? ls -ln should show the UID. What mappings are /etc/passwd, NIS or LDAP?

Doesn't fs examine on a specific file show the actual PTS owner?

CDC
Re: [OpenAFS] OpenAFS in a static kernel build
Russ Allbery wrote: Has anyone built OpenAFS statically into a Linux kernel with a recent code base?

Someone posted code in RT for openafs 1.4.4 that does this for web hosting places that do not allow kernel modules but will allow customers to provide a kernel binary or something like that: http://rt.central.org/rt/Ticket/Display.html?id=61009

Is that what you are talking about?

CDC
Re: [OpenAFS] OpenAFS/Kerberos Windows client
Karen L Eldredge wrote: I'm not real familiar with Windows, because I mostly work on AIX or Linux. AIX and Linux have the tool k5start that can be used to run scheduled (cron) jobs by accessing the principal's password via a keytab file. Is there something similar for Windows?

I use the at command to create scheduled tasks that run as the local SYSTEM user. These tasks automatically have access to the SYSTEM host principal ( [EMAIL PROTECTED] ) in the MSLSA cache for machines joined to Active Directory. You can then just have your script run aklog to obtain tokens (provided you create a PTS entry for the SYSTEM user.) Windows will auto-renew the tickets so you'd just need to periodically obtain new tokens. I don't have jobs that run long enough to need to renew tokens.

If you want to run a job as a particular user, the same thing applies, only you have to actually enter the user's password to create the job. The user's Kerberos credentials are accessible in the same way.

In theory you could write a short script that does the same thing as k5start but I'm not sure what it will gain you. The hard part of renewing tickets / tokens is handled by Windows if you are using Active Directory.

CDC
Re: [OpenAFS] Win2K AFS server, mirror data+config to RHEL4.5 new Server?
Jeffrey Altman wrote:

avison48 wrote: Our KDC is a Windows server managed by someone else who wants to upgrade it, which will probably break krb to the Win2K AFS server.

Why do you believe this to be true?

An upgrade of Active Directory from Windows 2000 to Windows 2003 increments all kvnos and WILL break all non-Windows machines that have had keytabs extracted for them. Yes, this did happen to me when campus upgraded AD. You can of course re-extract the keytabs and fix everything, but it is a real annoyance.

CDC
Re: [OpenAFS] windows download links broken
I think he meant: The installers are all located at /afs/openafs.org/software/openafs/1.5.51/winxp/

The path without the .org did not work for me.

CDC

Jeffrey Altman wrote: The windows.html has been fixed. The 1.5.51 release page was not broken. Fixing the download URL would have been obvious if you had looked at it. s/1-5-50/1-5-51 The installers are all located at /afs/openafs/software/openafs/1.5.51/winxp/

David Bear wrote: It seems the download links to both the msi and exe installers are broken on openafs.org http://openafs.org. At least, for me.. Anyone else able to download the windows client? Can I grab it directly from an afs path? /afs/openafs.or/??? -- David Bear College of Public Programs at ASU 602-464-0424
Re: [OpenAFS] when openafs becomes a windows IFS
Jeffrey Altman wrote: A symlink is not an object that Windows knows how to describe. It is reported to Windows as a directory if it points to a directory and as a file if it points to a file. The behavior you are seeing is the behavior that Windows provides when you delete a directory. It deletes all of the files under the directory and then the directory. To remove a symlink, right click for the context menu, select AFS, select Symlink, select Remove. There is also a symlink.exe command line binary.

Would using mount points instead of symlinks to directories help with this problem?

CDC
Re: [OpenAFS] inode to namei process
anne salemme wrote: if the goal is to make a copy of a quiescent RW volume, you could do a 'vos dump' of the .backup volume, piped to a 'vos restore'. as in 'vos dump volume.whatever.backup' | 'vos restore volume.newname' using appropriate arguments. if the goal is to make a volume unavailable for a short time, you would need to do something else.

How is that different from vos copy ?

CDC
Re: [OpenAFS] Solaris 10 crashing - BAD TRAP ... NULL pointer dereference
Jeff Blaine wrote: We're having this exact same problem that was never replied to publicly in 2006: http://www.openafs.org/pipermail/openafs-devel/2006-July/014073.html OpenAFS 1.4.7 (and older revs too) with libafs64.o under Solaris 10 (old version and also fully patched modern version).

    panic[cpu1]/thread=30003074d00: BAD TRAP: type=31 rp=2a101c9ee30 addr=4 mmu_fsr=0 occurred in module afs due to a NULL pointer dereference

Did you file a bug through the openafs-bugs email address to RT?

Same questions as before apply. Are you using the NFS translator? And if not, why aren't you using the nonfs module?

CDC
[OpenAFS] Re: [OpenAFS-devel] Compiling source in Debian (Ubuntu)
Vishal Powar wrote:

I am having some trouble in compiling the sources of (1.4.7) on ubuntu. I have an existing cell made up of two machines. One acting as the KDC/dbserver 'kerbserver' and the other as a fileserver 'server1'. I have installed this according to the document 'Setting up a Debian OpenAFS Server'. The debian paths are different than the traditional afs paths, as shown in the two columns below; the first column is the traditional path and the second column is the debian path.

    /usr/afs/etc     /etc/openafs/server
    /usr/afs/local   /var/lib/openafs/local
    /usr/afs/db      /var/lib/openafs/db
    /usr/afs/logs    /var/log/openafs
    /usr/afs/bin     /usr/lib/openafs
    /usr/vice/etc    /etc/openafs

I have downloaded the source from the openAFS site and compiled it on 'server1':

    ./configure --enable-transarc-paths --with-krb5-conf=/usr/bin/krb5-config
    make
    make dest

As I understand there is backward compatibility with the previous version and it should run perfectly fine if I do the following:

1) /etc/init.d/openafs-fileserver stop
2) Replace the binaries in /usr/lib/openafs (fileserver, volserver, salvager)
3) bos install (host) fileserver; bos install (host) volserver; bos install (host) salvager
4) /etc/init.d/openafs-fileserver start

Now here is the problem: the compiled binaries do not follow the debian file paths and work with the traditional paths. So the above mentioned steps fail. My question: what do I pass to ./configure to get the binaries to work with debian filepaths? './configure --help' did not help me; is there something else that I need to do/think? Has anybody faced a similar problem and found a working workaround?

This isn't a development question. It should be sent to openafs-info in the future.

Set your apt sources.list to deb-src to Debian unstable. Then:

    apt-get update; apt-get source openafs-fileserver; cd openafs*; dpkg-buildpackage -rfakeroot

The Debian packages require actual source code patches to get the proper paths set for Debian. Just downloading the raw source from openafs.org will not get you what you want. I can help with further questions on #openafs on the Freenode IRC network.

CDC
[OpenAFS] Re: OpenAFS 1.5
Russ Allbery wrote:

Steve Simmons writes: On May 26, 2008, at 3:48 PM, Russ Allbery wrote: . . . Plus, a stable demand-attach is a good milestone for releasing 1.5 . . . That said, do we have a milestone list for 1.5 becoming 1.6?

At this point, I'm fairly sure that the only major thing that's left is testing and fixing the resulting bugs, although Derrick is the best person to give a canonical answer.

I was under the impression that the object storage stuff was going to be added to 1.5.x as well? Am I hoping for too much?

CDC
Re: [OpenAFS] kerberos 5 and afs server
Brandon S. Allbery KF8NH wrote:

On 2008 May 22, at 7:31, Lara Lloret Iglesias wrote: I installed a kerberos server in both machines, but maybe I just have to install it in one of the machines and copy somehow the configuration to the other servers...I don't know what do I have to do actually. Each server on the cell needs its own kerberos server? If not how do I do it?

You only need one Kerberos server, as long as it's named like the cell (but uppercase) and there is a krb5.conf or SRV records for it then AFS will find it.

Each AFS server needs the same copy of the KeyFile. I suspect that you re-extracted a new KeyFile on a new server and broke the existing one. But perhaps not. If you can join #openafs on the Freenode IRC network various smart people can figure out what is going on and help you fix things or answer further questions.

CDC
Re: [OpenAFS] vos listaddr problem?
Lars Schimmer wrote:

Hi! While trying to get the afsss.pl script to run I found a glitch with vos listaddr. As done via help from the #openafs chat I managed to get my cell back to run with vos syncvldb (all fileservers) after a IP change of the servers. Now a vos listaddr shows:

    trinculo.cgv.tu-graz.ac.at
    deimos.cgv.tu-graz.ac.at
    phobos.cgv.tu-graz.ac.at

I get:

    C:\>vos listaddrs -cell cgv.tugraz.at
    trinculo.cgv.tu-graz.ac.at
    deimos.cgv.tu-graz.ac.at
    phobos.cgv.tu-graz.ac.at
    host6968.igd.fhg.de

But a vos listvldb shows two fileservers more (oberon.cgv.tugraz and host6968.igd.fhg.de). Even a vos exa user.schimmer tells the two fileservers are active (and I can access the volumes on those two fileservers). And I can do vos syncvldb host6968.igd.fhg.de and a vos listaddr shows nothing of that fileserver afterwards. Did I miss something?

One of those fileservers isn't accessible on the live internet, right? I wonder if that has something to do with it.

CDC
Re: [OpenAFS] Getting Tickets but not Tokens
Jason C. Wells wrote: I am able to get a krb5 ticket for afs, but for some strange reason aklog won't get a token for me. I use heimdal on FreeBSD 6.3 and openafs 1.2.8 on Redhat 8. I am not running a kaserver. From the command line:

    [EMAIL PROTECTED] stradamotorsports.com]$ kinit
    Password for [EMAIL PROTECTED]:
    [EMAIL PROTECTED] stradamotorsports.com]$ aklog -d
    Authenticating to cell stradamotorsports.com (server s3.stradamotorsports.com).
    We've deduced that we need to authenticate to realm STRADAMOTORSPORTS.COM.
    Getting tickets: afs/[EMAIL PROTECTED]
    Kerberos error code returned by get_cred: -1765328228
    aklog: Couldn't get stradamotorsports.com AFS tickets:
    aklog: Cannot contact any KDC for requested realm while getting AFS tickets

The error indicates a Kerberos problem, not an AFS problem. Where did you get aklog from? openafs 1.2.8 does not have an aklog binary and I suspect your aklog is trying to contact a krb524d process on the KDC (runs on port udp) and is probably failing, thus rendering you unable to obtain tokens. Either upgrade to a newer openafs version or obtain an aklog that has native Kerberos 5 support and does not need a krb524d service running. (You could also enable krb524d on the KDC, but I would not suggest that.)

CDC
Re: [OpenAFS] Newbie Question
Gary Bowling wrote:

Ok, after being side tracked by real work for an hour or so I'm back to looking at this. Here are some answers to a few of the responses.

Lars - Thanks, I had no idea DNS needed anything. I have everything in /etc/hosts right now. Will that work or do I need DNS entries? Time is sync'd already.

I don't think DNS is an issue at this point, although it might be. vos listaddrs -nore output would be handy to see.

Sergio - No real reason to downgrade to single-des, I wasn't even thinking as that set up was just copied from some place I found... If I get it all working I'll go back and change that to 3des. As for -dynroot, I do not have that on the client, the only client option is -fakestat.

Christopher - Thanks for that, at least I can stop looking at those log entries :) Here is the output of vos listvldb -noauth

    VLDB entries for all servers
    root.afs
        RWrite: 536870912
        number of sites -> 1
           server homepc.gbco.us partition /vicepa RW Site
    Total entries: 1

vos create root.cell, wait a few minutes, restart your AFS client, and then try the fs sa command again. Just in case -dynroot is on, this will allow you to at least see something in /afs, assuming you can get tokens with aklog.

The other question is if afsd is even loading properly. Any dmesg output when afsd starts?

CDC
Re: [OpenAFS] Newbie Question
Gary Bowling wrote:

    klog admin
    Password:
    Unable to authenticate to AFS because Authentication Server was unavailable.

I'm pretty sure you aren't using kaserver and as such klog won't work (without a ka-forwarder or another such service running.) You want to use aklog, and aklog -d output may be useful to debug, although I don't think that you are seeing problems with your tokens not working.

CDC
Re: [OpenAFS] Speed difference between OpenAFS 1.4.x on Debian and CentOS
Jeffrey Altman wrote:

Michał Droździewicz wrote: Is AFS_CRYPT really that needed that debian is turning this _ON_ by default?

One of the benefits that AFS provides over other file systems is privacy. For that you need crypt to be on. The Windows client defaults to use of encrypted sessions as well.

I think the better question is why CentOS has it _OFF_ by default. Packages should fail safe by being in the safest operating mode by default.

CDC
Re: [OpenAFS] Speed difference between OpenAFS 1.4.x on Debian and CentOS
Jeffrey Altman wrote:

Christopher D. Clausen wrote: I think the better question is why CentOS has it _OFF_ by default. Packages should fail safe by being in the safest operating mode by default.

Agreed but then you get the folks who install AFS and perform some tests and say NFS is 20 times faster, AFS sucks.

Anyone performing such tests should know about and be able to issue a fs setcrypt off command before running benchmarks. What if OpenSSH left encryption turned off by default so people could benchmark it against FTP?

CDC
Re: [OpenAFS] Speed difference between OpenAFS 1.4.x on Debian and CentOS
Wesley Chow wrote: Does turning crypt off mean data in transit can be read *and* tampered with? Or read, but still safe from tampering? Also, does this imply that a server participating in the public directory is trusting that all clients are using encryption to connect to it? Is there a way for a server to force encryption on any clients accessing its volumes?

Encryption in OpenAFS is a per-client command and only operates when one is using tickets. IP based ACLs and system:anyuser anonymous access cannot be encrypted. There is not currently a way to enforce encryption from the server-side.

CDC
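Since the server cannot enforce crypt, the only place to check it is on each client. The following is an added shell example (not code from the thread or from OpenAFS) that turns the two facts in the reply above into an audit: crypt is a per-client setting read with fs getcrypt, and it only applies to authenticated connections, so a client with no tokens is talking in the clear regardless. The exact wording of fs getcrypt ("Security level is currently crypt." / "... clear.") and of tokens (a line containing "tokens for afs@<cell>" per token) is assumed from the documented output and parsed loosely.

```shell
#!/bin/sh
# Added example: classify how well this client's AFS traffic is protected.
# Assumed output formats (parsed loosely):
#   fs getcrypt -> "Security level is currently crypt." or "... currently clear."
#   tokens      -> one line containing "tokens for afs@<cell>" per held token
# Anonymous (system:anyuser) and IP-ACL access never gets crypt, so "no
# tokens" is reported as its own state rather than folded into "clear".

# crypt_state: reads fs getcrypt output on stdin; prints crypt|clear|unknown
crypt_state() {
    state=unknown
    while read -r line; do
        case $line in
            *"currently crypt"*) state=crypt ;;
            *"currently clear"*) state=clear ;;
        esac
    done
    printf '%s\n' "$state"
}

# has_afs_tokens: reads tokens output on stdin; exit 0 if any AFS token is held
has_afs_tokens() {
    grep -q 'tokens for afs'
}

# session_protection CRYPT_OUTPUT TOKENS_OUTPUT -> prints one of:
#   encrypted        crypt on and tokens held
#   clear            tokens held but crypt off ("fs setcrypt on" fixes it)
#   unauthenticated  no tokens: anonymous access, which is never encrypted
#   unknown          fs getcrypt output not recognised
session_protection() {
    crypt=$(printf '%s\n' "$1" | crypt_state)
    if ! printf '%s\n' "$2" | has_afs_tokens; then
        printf 'unauthenticated\n'
    elif [ "$crypt" = crypt ]; then
        printf 'encrypted\n'
    elif [ "$crypt" = clear ]; then
        printf 'clear\n'
    else
        printf 'unknown\n'
    fi
}

# audit_local: run on a real client; exit status is 0 only when encrypted,
# so it can gate a cron job or a config-management check.  If the result
# is "clear", "fs setcrypt on" is the per-client remedy.
audit_local() {
    result=$(session_protection "$(fs getcrypt 2>/dev/null)" "$(tokens 2>/dev/null)")
    printf 'AFS session protection: %s\n' "$result"
    [ "$result" = encrypted ]
}
```

Call audit_local from whatever runs before a job that writes sensitive data into AFS; a non-zero exit means the data would cross the network unencrypted, either because crypt is off on this client or because the job has no tokens at all.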
Re: [OpenAFS] best practice for salvage
Chas Williams (CONTRACTOR) wrote:

In message Robert Banz writes: What makes you think running salvage is a good thing? I had gotten to the point where I would avoid running it like the plague -- using

running salvage once in a while is a good way to clean up .__afs files.

Would a find command execing rm do the same thing? Or does the salvager actually need to be run for a correct cleanup?

Also, is it not possible to have a volume salvaged during a vos move? (I realize this may not happen in the code now, just if such a thing is indeed possible.)

CDC
Re: [OpenAFS] kstart for windows ?
Hans Melgers wrote: I was wondering if there are ways to make a windows machine get tokens automatically, similar to Russ's kstart utility for *nix? Or am i missing a cool feature in MIT KfW ? I need it for a win server to sync some files to afs every night. Anybody here who has done this before ?

Is the machine joined to a Windows domain? Is the job running as a domain user or the local SYSTEM account? If so, running ms2mit.exe and then aklog.exe should just work. You would of course then need to add the appropriate PTS entry for the system COMPUTERNAME$ or so to PTS.

I have some winscp jobs I run this way with Kerberos credentials for authentication. Should work just as well for direct AFS access, although going through another machine using SSH is always an option. A keytab will work as well.

You probably want to remember to unlog and kdestroy when the job is done though, or the machine itself may be able to continue to write into AFS and that could be bad.

CDC
Re: [OpenAFS] will OpenAFS serve my needs?
F. Even wrote:

On Sun, Mar 30, 2008 at 2:09 PM, Russ Allbery wrote:

F. Even writes: So...I guess another question then (that everyone probably dreads as it's usually meaningless to real support of a product, but it gives companies warm and fuzzies). Are there any commercial products still out there supporting OpenAFS?

Yes -- one example that comes to mind is Teradactyl's backup system.

Ah...you bring up another interesting point. We use TSM for backups. Can the AFS exports be read as normal filesystems and be backed up

Exports is a NFS term. One would not backup the data through the /vicepXX partitions on the fileservers like one can with NFS. You would want to use an AFS client which should work just fine, provided you understand circular mount points and how afs can link to foreign cells and such. And your backup software obviously needs an ACL to read the data.

to TSM...or would this data have to be flushed to a normal filesystem (using up additional space) to make available to TSM for backup purposes?

Some sites actually still use a TSM client for native AFS backups. The older TSM 5.1r17 or 5.1r18 client still supports AFS, but only file level backups. Although you have to run the TSM backups from an AIX client machine.

CDC
Re: [OpenAFS] will OpenAFS serve my needs?
F. Even wrote:

On Sun, Mar 30, 2008 at 4:15 PM, Christopher D. Clausen wrote: Some sites actually still use a TSM client for native AFS backups. The older TSM 5.1r17 or 5.1r18 client still supports AFS, but only file level backups. Although you have to run the TSM backups from an AIX client machine.

That shouldn't be an issue. As of right now all the servers in the environment are AIX which are clients to AIX TSM servers. But yes...some method of reliable and replicatable backup is necessary. Business continuity/disaster recovery needs to be a consideration also.

You might want to read this thread: http://www.openafs.org/pipermail/openafs-info/2005-September/019570.html

Some sites are using AFS backup volumes (BK) for the case when a user deletes a file. These volumes are a Copy-on-Write snapshot of a volume at a certain point in time (usually run at night.) End-users can directly access backup volumes and can generally copy the files out themselves to restore accidentally deleted files. There is only one backup replica per volume though.

There are other methods of doing DR / BC instead of restoring from backups. There are ways to create volume replicas or copies and simply point clients at a different server if something catches on fire and burns to the ground.

In backup industry jargon, what are your Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? http://en.wikipedia.org/wiki/Recovery_Point_Objective http://en.wikipedia.org/wiki/Recovery_Time_Objective

Of course, a more traditional backup method for restoring files that are no longer in the backup volume is probably wise.

CDC
Re: [OpenAFS] OpenAFS and SELinux?
Jason Edgecombe wrote:

Joshua Hutchins wrote:

Harald Barth wrote: I'm concerned that a hacked mail server could lead to compromise of the server key, which would then compromise the entire cluster. I know that there are folks out there which deliver email into AFS and not all of you do it by distributing the server key to the email server, don't you? So how do you do it?

I was doing this by having separate mail.user volumes with an ACL allowing the mail server itself (not an IP ACL, a keytab used by k5start was created) to create, insert, lookup, etc. in specific directories as required by the mail server. The separate volume was needed to NOT grant users 'a', to prevent someone who knows what they were doing from mounting another user's mail volume under their own and reading the contents. It was also done to mount these volumes at a specific location and have the mail server chroot there. This also required disabling exec-ing commands with procmail and .forward files and other precautions to prevent access to other users' data. It also required using the maildir format, as MBOX files don't work so well in AFS.

The IMAP server I was using (dovecot) supported PAM and one could actually have it obtain tokens on behalf of the user in order to read / delete email. This worked for me but it was slow and I do not have a lot of email. This setup has also been taken down as there were very few people who cared about it.

I would highly recommend splitting the mail server from the file server. Use Xen/VMware or something else to make two virtuals if you don't have a spare box. selinux works fine with OpenAFS clients, but I haven't run it on servers before.

I too would recommend NOT running the email server on an AFS fileserver directly. (Or nearly any other service, with the possible exceptions of a KDC or an AFS backup process.)

CDC
[OpenAFS] vos syncserv and vos syncvldb
I was trying to help someone on #openafs yesterday with a hosed vldb due to an AFS server being initially set up on localhost. Once we determined that was indeed the problem (which was not easy in and of itself) and corrected it, attempts were made to fix the vldb by using vos syncvldb and vos syncserv. However, these did not seem to help and I had the user in question simply shut down their AFS servers and manually delete the vldb.DB0 and vldb.DBSYS1. This worked, but I suspect this is not the correct way to solve the problem. Can someone provide the correct steps to make an incorrect (say localhost) entry disappear from the vldb and vos listaddrs, or at least say in what situations vos syncserv and vos syncvldb should be used?

CDC
Re: [OpenAFS] vos syncserv and vos syncvldb
Steven Jenkins [EMAIL PROTECTED] wrote:
> On Sun, Mar 23, 2008 at 1:58 PM, Christopher D. Clausen [EMAIL PROTECTED] wrote:
>> I was trying to help someone on #openafs yesterday with a hosed vldb due to an AFS server being initially set up on localhost. Once we determined that was indeed the problem (which was not easy in and of itself) and corrected it, attempts were made to fix the vldb by using vos syncvldb and vos syncserv. However, these did not seem to help and I had the user in question simply shut down their AFS servers and manually delete the vldb.DB0 and vldb.DBSYS1. This worked, but I suspect this is not the correct way to solve the problem. Can someone provide the correct steps to make an incorrect (say localhost) entry disappear from the vldb and vos listaddrs, or at least say in what situations vos syncserv and vos syncvldb should be used?
>
> Would:
>
> - vos listaddr -noresolve (to make sure 'bad-addr' is indeed 127.0.0.1)

It was indeed bad and we did that, after fixing /etc/hosts to make localhost appear instead of the machine name in there.

> - vos changeaddr bad-addr new-addr'

Was doing vos changeaddr 127.0.0.1 -remove which gave:

Could not remove server localhost from the VLDB

I guess that was not the correct thing to do. Now I know.

CDC
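The thread above is about finding a VLDB server entry that points at 127.0.0.1 before anyone can fix it with vos changeaddr. The script below is an added example (not from the list, not OpenAFS's own code): it scans "vos listaddrs -noresolve" output for loopback or link-local addresses that no client could ever reach. The sample output is constructed to mimic the one-address-per-server-line format; the only assumption is that addresses appear as whitespace-separated fields.

```shell
#!/bin/sh
# Added example: flag VLDB server addresses that clients can never reach
# (127/8 or 169.254/16), the symptom of a server first set up on localhost.
# SAMPLE_LISTADDRS is constructed to resemble "vos listaddrs -noresolve"
# output; a multi-homed server lists several addresses on one line.

SAMPLE_LISTADDRS='192.0.2.10
127.0.0.1
192.0.2.11 192.0.2.12
'

# bad_vldb_addrs: read listaddrs output on stdin, print each unreachable address.
bad_vldb_addrs() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^127\./ || $i ~ /^169\.254\./) print $i
    }'
}

# check_vldb LISTADDRS_OUTPUT: return 1 (and explain) when bad entries exist.
check_vldb() {
    bad=$(printf '%s' "$1" | bad_vldb_addrs)
    if [ -n "$bad" ]; then
        printf 'VLDB entries no client can reach:\n%s\n' "$bad"
        printf 'After fixing /etc/hosts and restarting the server, repair with:\n'
        printf '  vos changeaddr <bad-addr> <new-addr>\n'
        return 1
    fi
    return 0
}

# Run against the live cell when asked and vos is present; otherwise use the sample.
if [ "${1:-}" = "--live" ] && command -v vos >/dev/null 2>&1; then
    check_vldb "$(vos listaddrs -noresolve)" || :
else
    check_vldb "$SAMPLE_LISTADDRS" || :
fi
```

Run with --live on a machine that has vos and a token to check a real cell; without it the constructed sample is used and the 127.0.0.1 entry is reported.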
Re: [OpenAFS] Public Cell as Sandbox
Fred Bartlett [EMAIL PROTECTED] wrote:
> I am new to AFS and just wanted to try using the client without having to setup a full cell. Is there any public cell out there where I can get some type of Guest account just to try it out on? Thanks

You can get a cheap account at http://hcoop.net/ They run an AFS that you will get access to as a member.

Most production cells have network policies that prevent random people from getting accounts.

CDC
Re: [OpenAFS] New to OpenAFS
billbaird3 [EMAIL PROTECTED] wrote:
> I'm new to OpenAFS and was hoping if the community could help me determine if it would be a good fit for my company. We are approx 150 people, with 50 home users and the rest in small offices of about 10-15 people. I would like to have a main file server that everyone can access, but also departmental servers in offices that would allow people to save files quickly (without going over the WAN).

What operating system are these users running? If you are running nearly all Microsoft Windows machines, you probably want to at least look at Microsoft's Distributed FileSystem (Dfs.) It allows for multi-master read-write replicas and a user-defined site topology to optimize replication and allowing clients to find the closest replica. Be aware that Dfs is not encrypted and is not a true WAN filesystem. Microsoft recommends using IPsec to secure connections. There is also no caching by default (one would need to setup Offline Folders functionality to cache files locally on the computer.)

While AFS is very useful in heterogeneous environments, there may be a better choice if only a single operating system is in use.

CDC
Re: [OpenAFS] perpetual Connection timed out
Wesley Chow [EMAIL PROTECTED] wrote:
> Mike Garrison wrote:
>> On Mar 19, 2008, at 12:26 PM, Wesley Chow wrote:
>>> On a few of our clients (running 1.4.1), we sometimes get Connection timed out with a single volume. Other volumes on the same server are
>>
>> 1.4.1 is almost 2 years old. Have you tried upgrading? 1.4.6 is recent.
>
> Yep, I'll do that. I was just hoping there was a bos restart-like command for clients that I could use in the meantime. It's not a common problem anyway, so I'll just upgrade.

fs checks; fs checkv

CDC
Re: [OpenAFS] groups in groups, ptsviewers etc...
Anders Magnusson [EMAIL PROTECTED] wrote:
> Marcus Watts wrote:
>>> Also, for people to be able to see what's in the protection database, they must obviously be members of the (undocumented?) ptsviewers group. Is it safe just to add all people to this group or are there other implications of doing so?
>>
>> Depends on if you ever want private groups or not. If you want everybody in your cell to be able to see group membership by default, you're probably better off running ptserver this way: /usr/afs/bin/ptserver -p 16 -default SOM-- SOM-- probably you will need to remake your ptserver instances in bos to do this.
>
> As a follow-up to this question, is there a way to allow users to list the pts entries in some way? Being in system:ptsviewers doesn't help here, as you have probably figured out.

You could use something like remctl to allow others to run it via delegated access. Or make modifications to the source code.

> % pts listentries -groups seems to require that the user belongs to system:administrators.

I don't think you realize just how many groups there are in some cells. Enumerating all of them is not useful in many cases. Most users are probably fine just checking on their own group membership and using these groups to allow access to files.

pts mem username will list the groups that a user is in. And pts listowned username will list the groups that a particular user owns.

CDC
Re: [OpenAFS] groups in groups, ptsviewers etc...
Anders Magnusson [EMAIL PROTECTED] wrote:
> What I am thinking on is letting people give access to groups that they are not member of. For example to let a teacher give and take rights for courses he gives; we have about 20k of (auto-generated) student groups so it's good to be able to list them to find the right group :-)

I would make the teacher the owner of this group in that case and then pts listowned would show it.

CDC
Re: [OpenAFS] OpenAFS on windows - profile in AFS, who uses it?
Rodney M. Dyer [EMAIL PROTECTED] wrote:
> So the only variable we have left is %username%. How am I supposed to setup folder redirection? I can't use: n:\cell\usr\a\%username%\pc\win_data\Desktop That won't work since the parent folders are different for every user.

I have not tested this (all my user directories are out of a single folder) but can one use the documented set command environment variable display options (set /?) to obtain the first (second, third, etc.) letter of a username?

C:\>echo %USERNAME%
Administrator

C:\>echo %USERNAME:~0,1%
A

C:\>echo %USERNAME:~1,1%
d

CDC

-- Christopher D. Clausen
Re: [OpenAFS] OpenAFS on windows - profile in AFS, who uses it?
Stephen Joyce [EMAIL PROTECTED] wrote:
> On Sun, 10 Feb 2008, Rodney M. Dyer wrote:
>> 2. A users profile has a folder under it called Local Settings. THIS FOLDER DOES NOT ROAM. This folder only exists during your session on the local machine. When you logout, the data in that folder is considered temporary for your session. Microsoft in further grand wisdom decided to store valuable information in that folder that you really need to carry around with you with the profile, but this data is excluded by default. Notable application data includes: Microsoft Outlook email settings and PST files, etc.. Microsoft IE history, etc.. Microsoft Visual Studio .NET option settings, etc.
>
> This is a very good reason to recommend Firefox and Thunderbird. The most annoying thing for my users was that the desktop picture is a Local Setting that doesn't roam. Clever logout and login scripts took care of this though.

Last time I checked, attempting to use an Outlook PST file from ANY network file system was considered unsafe, which is probably why it defaults to a local folder.

CDC
Re: [OpenAFS] can someone point me in the right direction on cleaning up RO volumes?
Kim Kimball [EMAIL PROTECTED] wrote:
> While it's true that putting an RO on the same server and partition as the RW will save some disk space, it doesn't protect against failure of the RW storage device (LUN, drive, whatever.) I therefore put some critical ROs on separate LUNs on the RW server.

I thought the point was to save some time during the vos release process and as such the RO clones MUST be on the same partition as the RW in order for this copy on write benefit to work correctly.

CDC
Re: [OpenAFS] restart times
Russ Allbery [EMAIL PROTECTED] wrote:
> That said, I think the advice to restart the file servers weekly is pretty thoroughly obsolete. We've not done that at Stanford since at least 1995, and I think longer.

Does the default installation still setup an automatic weekly restart at 4:00a on Sunday? If so, perhaps that could be changed?

I have not done periodic restarts either, other than on a normal patch cycle for the server OS.

CDC
Re: [OpenAFS] Puzzler: lack of access to AFS files
Rodney M. Dyer [EMAIL PROTECTED] wrote:
> At 05:26 PM 12/12/2007, Jeffrey Altman wrote:
>> I disagree. We need more resources for testing a broader range of scenarios than we currently have available. The performance improvements must be implemented or you absolutely should go find something else to use. If we can't get to the point where operations are as fast or faster than NFS or CIFS and if we can't support all of the application operations they support and if we can't scale to the number of clients per server and requests per second that they can scale to, you might as well go find something new.
>
> I understand this, however you need to realize where I'm coming from. We support professors who have research projects that run into the millions of dollars.

Perhaps some of these millions of dollars from these research projects can go into testing to provide a better AFS client that is both fast AND reliable.

> Many times these people don't know anything about where their data files are being saved when they choose File-Save from an application. They expect it to work. We need to be in a position to provide the works part.

Are you currently paying to cover any of the development costs for AFS? Do you have a support contract with any company specifically for AFS support?

> If they save a valuable data file from an application one day, then return the next and the application won't load it because of some random network change updated a few bytes here or there when the file was saved, what do we tell them? Oh btw, maybe you should keep a local copy on your USB keychain unless the AFS network fails? Most professors don't spend the extra time to run checksums on their files after the save. This kind of thing doesn't cut it. I'm the type of professional sysadmin who's willing to give up 10 percent of my speed for guaranteed delivery.
>
> I'm not some young post high school geek who's got a job running a smallish home network and constantly

Some of us ARE young post high-school geeks who have jobs running smallish networks. I thought a benefit of AFS is scalability? What is wrong with scaling down? Remember that some of us young post high-school geeks grow up to have jobs as professional sysadmins.

> boasts product x is faster than product y, and that's just uber cool because product y sux'ors!

I find that now is an appropriate time to post this link: http://people.ccmr.cornell.edu/~mitch/afsvsnfs.html

> But seriously, if AFS is at the point where non-professional geeks look at it and say AFS rules! then something has been done right. Right now people just look at it and say its not that bad and then go on and look at other cool alternatives.

Many would-be AFS admins stop by and ask questions in the #openafs IRC channel. Most of them go something like this:

* newuser1 has joined the channel
newuser1: Hi! I heard that AFS can do replication.
afsadmin1: yes, but only for read-only data
afsadmin2: if you want real-time replication, you probably need to look at something else.
newuser1: oh? really? Too bad.
* newuser1 has left the channel

The other conversations involve those already using AFS and post high-school geeks who DO want to setup something cool. The AFS community isn't going to grow if these people are insulted and discouraged from testing various new and cool technologies.

> I am happy with the speed improvements, and I hope we can continue to use AFS. However I need to be able to look at people with a straight face when they ask about how well AFS works. Speed? Check Scale? Check Functionality? Check Reliability? hrm...

I know this isn't a useful data point, but to my knowledge, none of the AFS servers that I maintain have lost important data due to a fault in AFS. Yes, some test data was lost, but that is exactly why a professional sysadmin runs tests in the first place.

Have you actually lost data? Or are you just concerned about truthful warnings posted by the developers? (Of course I realize that there is always the possibility that data is corrupted and one doesn't know yet. Volunteer and help test new builds to help reduce these possibilities or fund development.)

I will also point out that a salesperson for a commercial company isn't as likely to tell you that his/her company's product will not work in your situation. The AFS community IS more likely to tell you the reality of the situation. AFS is not better than filesystem y, at least not yet.

CDC
Re: [OpenAFS] aix 5.3 crash because of afs client 1.4.4
sajid [EMAIL PROTECTED] wrote:
> we are running afs client 1.4.4 on aix 5.3. and its doing core dump and reboot the machine sometime. afs server 1.4.5 is running on Red Hat Enterprise Linux AS release 4 (Nahant Update 5). im getting the following error on the aix server

Did you compile the client yourself from source? Or are you using the provided binaries?

CDC
Re: [OpenAFS] Problem for file system navigation in a backup volume tree
Jason Edgecombe [EMAIL PROTECTED] wrote:
> Jeffrey Altman wrote:
>> And I just added equivalent functionality to the Windows client. If you want to test it, let me know.
>
> Should -backuptree be the default? What might that break? I'm thinking that -backuptree would be the behavior a user expects when they use their ~/BACKUP folder in a traditional AFS config.

No, it should NOT be the default. Bad idea.

CDC
Re: [OpenAFS] Deletion of clones source volumes takes a while with vos move
Jeffrey Altman [EMAIL PROTECTED] wrote:
> Christopher D. Clausen wrote:
>> Apply the no-fsync patch
>
> There is no patch to apply. Just update to 1.4.5.

Hmm... Jason's previous email seemed to indicate that he was already running 1.4.5. I guess we need to know how many files are in the volume and how long the clone actually takes. B/c things should get considerably faster with the included no-fsync patch in 1.4.5.

CDC
Re: [OpenAFS] E212: Can't open file for writing
Ron Croonenberg [EMAIL PROTECTED] wrote:
> Christopher D. Clausen wrote:
>> Ron Croonenberg [EMAIL PROTECTED] wrote:
>>> Uhm... I noticed that after a while (an hour or so) that problem fixed itself? It looks like I copied the files there and it took a long while before it was actually there (even though sftp said it transferred the files)?
>>
>> Writes go to your AFS cache first, and then to the fileserver. You could see a large hang at the end of a transfer as the data is flushed out of the local cache and actually written to the AFS fileserver.
>
> Especially with large files?

Probably, yes. Larger files will take longer to write on the fileserver side. I've found that using a smaller cache size and using -memcache allows the cache to be flushed periodically and lessen these hangs on file close.

CDC
Re: [OpenAFS] E212: Can't open file for writing
Ron Croonenberg [EMAIL PROTECTED] wrote:
> Uhm... I noticed that after a while (an hour or so) that problem fixed itself? It looks like I copied the files there and it took a long while before it was actually there (even though sftp said it transferred the files)?

Writes go to your AFS cache first, and then to the fileserver. You could see a large hang at the end of a transfer as the data is flushed out of the local cache and actually written to the AFS fileserver.

CDC
Re: [OpenAFS] Kerberos5 and afs
Steve Devine [EMAIL PROTECTED] wrote:
> Does the order of the enctypes listed in the kdc affect this? This is my current kdc.conf entry:
>
> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
>
> I'm not sure how to manipulate the kvno on the AD

I currently have the following on a KDC with an AD domain trust:

supported_enctypes = aes256-cts:normal aes128-cts:normal rc4-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal

I suspect that you may want at least the rc4-hmac:normal in that list, as that is one of the enc_types that AD supports.

I remember that I had no luck getting the trust to work when using specific enc_types in the -e option to ktadd. Completely omitting the -e seemed to work though. This could be something odd in my environment though. For instance, my cross-realm TGT has AES enc_types that are not actually supported by Windows:

kadmin.local: getprinc krbtgt/[EMAIL PROTECTED]
Principal: krbtgt/[EMAIL PROTECTED]
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt

You can turn on RC4 for the realm trust using ktpass.exe.

If you join #kerberos on Freenode IRC there are smart people in the channel who can help you with this.

CDC
Re: [OpenAFS] Kerberos5 and afs
Steve Devine [EMAIL PROTECTED] wrote:
> Forgive the slightly off topic post but I think it applies here as well on the kerberos list
>
> Several years ago we moved to MIT kerberos 5. At the time I set the master key in the kdc.conf to: master_key_type = des-cbc-crc I did this to allow transfer of principals from our old kaserver to the new kdc. Now we are trying to get Windows 2003 AD to auth against our Kerberos server and it seems that it will not work with our kdc as it is configured. My question is am I screwed here or just missing something easy? I have tried multiple allowed enctypes and still no luck. If I build a kdc without specifying a master key it seems to work. Have any others done this same thing?

Can you be more specific with what you are attempting? Windows AD can trust an MIT realm. (I have multiple MIT realms trusting AD.UIUC.EDU, one using a des3 master key type and one using des as above.) As far as I can tell, the master key type should not actually matter.

CDC
Re: [OpenAFS] Best practice: inode or namei fileserver?
Jason Edgecombe [EMAIL PROTECTED] wrote:
> We are currently running inode-based fileservers on solaris 9. Does the namei filesystem play nice with logging filesystems?

It seems to.

> Going forward, which format is recommended, inode or namei?

I migrated some Solaris systems to namei simply to use ZFS as there is no inode support for ZFS currently.

CDC
Re: [OpenAFS] trouble running programs out of AFS after imaging
Dean Knape [EMAIL PROTECTED] wrote:
> Christopher D. Clausen wrote:
>> What application? Could you copy the application in question to local disk? (E.g. did you actually have read access to it?)
>
> For testing and example, I've installed perl and an SSH client in AFS. Start - Run - \\afs\uis\platform\local\platform\Perl\bin\perl.exe -V or [EMAIL PROTECTED] Secure Shell\SshClient.exe Both fail with error described above. Logs and detailed description sent to openafs-bugs.

What are the ACLs on the files?

F:\>fs la \\AFS\acm.uiuc.edu\system\sys\local\util\network\SSH.com\
Access list for \\AFS\acm.uiuc.edu\system\sys\local\util\network\SSH.com\ is
Normal rights:
  winadmin rlidwk
  acm.admin rlidwka
  acm.users rlk
  system:administrators rlidwka
  system:anyuser rlk

F:\>fs -version
OpenAFS1.5.2607

I can run \\AFS\acm.uiuc.edu\system\sys\local\util\network\SSH.com\SshClient.exe just fine.

\\AFS\acm.uiuc.edu\system\sys\local\util\Perl\bin\perl.exe -V seems to work from start - run as well.

Try using the above paths yourself.

CDC
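The SELinux/mail thread earlier on this page relies on a volume ACL that gives only the mail server's principal write-class rights, and the reply above pastes an "fs la" listing to check exactly that kind of thing. The script below is an added example (not from the list, not OpenAFS's own code) that audits "fs listacl" output for entries handing w, i, d or a to system:anyuser or system:authuser. The listing it scans is constructed in the same format as the one above; the path and the mail.server principal are made up for the example.

```shell
#!/bin/sh
# Added example: find broad write-class grants in "fs listacl" output.
# SAMPLE_ACL is constructed; the format (header line, "Normal rights:",
# indented "principal rights" pairs, optional "Negative rights:") matches
# what fs la prints, but the path and principals are invented.

SAMPLE_ACL='Access list for /afs/example.org/mail/alice is
Normal rights:
  mail.server rlidwk
  alice rlidwka
  system:anyuser rlidwk
  system:administrators rlidwka
Negative rights:
  system:anyuser w
'

# risky_acl_entries: read fs la output on stdin and print "principal rights"
# for every Normal-rights entry where everyone (system:anyuser) or all
# authenticated users (system:authuser) get w, i, d or a. Negative rights
# only take rights away, so that section is ignored.
risky_acl_entries() {
    awk '
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && NF == 2 {
            if (($1 == "system:anyuser" || $1 == "system:authuser") && $2 ~ /[wida]/)
                print $1, $2
        }'
}

# audit_acl LISTACL_OUTPUT: return 1 and report when broad write access exists.
audit_acl() {
    found=$(printf '%s' "$1" | risky_acl_entries)
    if [ -n "$found" ]; then
        printf 'Broad write access found:\n%s\n' "$found"
        printf 'Tighten with: fs setacl <dir> <principal> <rights>\n'
        return 1
    fi
    return 0
}

# Audit a real directory when one is given and fs is installed; else the sample.
if [ -n "${1:-}" ] && command -v fs >/dev/null 2>&1; then
    audit_acl "$(fs listacl "$1")" || :
else
    audit_acl "$SAMPLE_ACL" || :
fi
```

Pass a directory as the first argument on a host with the AFS client to audit it; with no argument the constructed listing is used and the system:anyuser rlidwk line is reported while the rlk grant in the listing above would pass.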
Re: [OpenAFS] trouble running programs out of AFS after imaging
Dean Knape [EMAIL PROTECTED] wrote:
> Jeffrey Altman wrote:
>> Something to note. You are attempting to run a 32-bit exe from 64-bit Server 2003. I wonder if that is a variable.
>
> I was thinking same but everything runs fine on my base image. It's only after a sysprep that things fall apart.

Hmm... Did you completely DELETE the %TEMP%\AFSCache file before cloning the system? This is specifically mentioned in the release notes and weird things happen if you have multiple systems based off of the same image. The AFS uuid is stored in the cache file and multiple machines can look like the same client if these are not unique.

>> According to your reproduction steps, you need to sysprep the vmware image. Is that really a requirement for reproduction?
>
> This avoids the duplicate SID and AFS UUID problem.

Sysprep by itself does not take care of duplicate UUIDs. You need to delete the AFSCache file. Or run fs uuid -generate

CDC
Re: [OpenAFS] trouble running programs out of AFS after imaging
Dean Knape [EMAIL PROTECTED] wrote:
> No and yes. According to section 3.38 of release notes, if SID is regenerated by sysprep then there is no need to delete the file. However, I did eventually delete the cache file as I was troubleshooting.

Well, this is easy to check. Just run fs uuid from each system and compare the UUIDs.

CDC
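Comparing "fs uuid" output across cloned machines, as suggested above, is tedious by hand once there are more than a few of them. The script below is an added example (not from the list, not OpenAFS's own code): it takes one "hostname uuid" line per machine and reports every UUID shared by two or more hosts. The input format and the UUID values are constructed; how the pairs are gathered (for instance by running fs uuid over ssh on each host and keeping only the UUID) is assumed, since the exact wording fs uuid prints varies by version.

```shell
#!/bin/sh
# Added example: detect AFS client UUIDs shared between cloned systems.
# SAMPLE_UUIDS is constructed: "hostname uuid" per line, as an admin could
# collect from "fs uuid" on each host (only the UUID field is kept here).

SAMPLE_UUIDS='vm-a 4f3e2d1c-0000-4000-8000-000000000001
vm-b 4f3e2d1c-0000-4000-8000-000000000001
vm-c 4f3e2d1c-0000-4000-8000-000000000002
'

# duplicate_uuids: read "host uuid" lines on stdin; print "uuid: host host..."
# for every UUID that appears on more than one host.
duplicate_uuids() {
    awk 'NF == 2 { hosts[$2] = hosts[$2] " " $1; n[$2]++ }
         END { for (u in n) if (n[u] > 1) print u ":" hosts[u] }'
}

# duplicate_count: number of distinct UUIDs that are duplicated.
duplicate_count() {
    duplicate_uuids | wc -l | tr -d ' '
}

# check_uuids UUID_LINES: return 1 and explain when any UUID is shared.
check_uuids() {
    dups=$(printf '%s' "$1" | duplicate_uuids)
    if [ -n "$dups" ]; then
        printf 'Shared AFS client UUIDs (fileservers see these hosts as one client):\n%s\n' "$dups"
        printf 'On each affected host, delete the AFSCache file or run: fs uuid -generate\n'
        return 1
    fi
    return 0
}

# With a file argument, read collected pairs from it; otherwise use the sample.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    check_uuids "$(cat "$1")" || :
else
    check_uuids "$SAMPLE_UUIDS" || :
fi
```

Feed it the collected pairs as a file to check a real fleet; the constructed sample reports the UUID that vm-a and vm-b share and says nothing about vm-c.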
Re: [OpenAFS] Error 11862791 AFS service may not have started
MG [EMAIL PROTECTED] wrote:
> I downloaded and installed 1.5.27 and got the same error. ipconfig /all indicates that AFS is bound to the loopback adapter. The only anomalous setting is that DHCP enabled = NO.

DHCP should not be enabled on the loopback adapter. By default, it has the hardcoded IP address of 10.254.254.253

>> There is extensive debugging information in the Release Notes. Please read them if you have not already done so.
>
> I did not see anything that addresses this persistent error, either in the release notes or in the documentation in general, on http://www.openafs.org/doc

Not your error specifically, but there is information in the release notes on how to debug general problems. For instance, what is in the %SYSTEMROOT%\Temp\afsd_init.log file?

If you join the #openafs IRC channel on Freenode there are useful people who can help you out.

CDC
Re: [OpenAFS] trouble running programs out of AFS after imaging
Dean Knape [EMAIL PROTECTED] wrote:
> I have a W2K3 R2 server VM with OpenAFS 1.5.26 provisioned from a sysprep image. When I try to run a program out of AFS from explorer I get Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.. Running the same programs from a command line works correctly. ACLs are correct. I get the same error with and without token. Refreshing the AFScache file did not help.

What application? Could you copy the application in question to local disk? (E.g. did you actually have read access to it?)

fs checks
fs checkv
fs flusha

and try again.

CDC
Re: [OpenAFS] installing loopback adapter after sysprep
Dean Knape [EMAIL PROTECTED] wrote:
> I have a sysprep'd W2K3 R2 server VM with OpenAFS 1.5.26. I've added the necessary GuiRunOnce entry in the sysprep.inf using the instloop.exe extracted from this version's MSI to have the loopback adapter reinstalled. Instloop does reinstall the loopback adapter but I end up with my previously DHCP enabled local area connection getting a static 10. ... address and my AFS adapter doing DHCP.

I too have seen this happen. Usually happens only when there are multiple NICs in a machine, either real ethernet ones or FireWire. But since you are using a VM, I bet you do not have firewire.

Try this:

Before running sysprep on the image, disable the network adapter at the VM level. Shut down the AFS service.

start - run - cmd
set DEVMGR_SHOW_DETAILS=1
set DEVMGR_SHOW_NONPRESENT_DEVICES=1
%SYSTEMROOT%\system32\devmgmt.msc

View - Show hidden devices

then find and delete all NICs, including the loopback adapter

This should remove pre-configured network adapters from your sysprepped image. Hopefully this will allow newly detected ones to be correctly setup and the loopback adapter install to work as desired.

CDC
Re: [OpenAFS] where does volserver deposit its core dumps?
Adam Megacz [EMAIL PROTECTED] wrote:
> Could anybody tell me where volserver leaves its core dumps? (the answer is not /var/lib/openafs/cores/)
>
> I have to honestly admit I've never debugged a program via core dumps before. Always used printf() or [last resort] gdb. Unfortunately in my current situation, attaching gdb to any of the volserver pids causes volserver to become unresponsive (yes, even after typing continue in gdb). After detaching gdb, volserver remains unresponsive. Kinda frustrating.

Probably depends on the platform. On sun4x_510, I think cores ended up in /usr/afs/logs

CDC
Re: [OpenAFS] openAFS 1.4.4 - ticket contained unknown key version number
Hamish [EMAIL PROTECTED] wrote:
> On Friday 26 October 2007 17:49, Hamish wrote:
>> Thanks. I'd just taken that route when I got your reply. (I think I probably stuffed it up trying to build the second machine rerunning some of the commands that should only have been run once. Joys of trying to adapt a readme I found on the internet that only deals with installing a single machine :). The local machine works fine now. But when I try to run a command remotely (e.g. run bos restart from the first server against the second server I installed) it fails with '(you are not authorised for this operation)' Both work locally though... And if I append -localauth to the command on machine1 to restart machine2 it works...
>
> Whoops... Telling lies... My token was old... I unlog'ed, kdestroyed and tried again (On machine 2)... kinit works no problems, but aklog is hanging after 'About to revolve name admin to is in cell xxx.xx.x.com'

Check your AFS server log files for any errors. I suspect something isn't running correctly. Or, you did not add a PTS account for the user you are trying to obtain tokens for.

If you'd like more interactive help, please join the #openafs channel on the Freenode IRC network.

CDC
Re: [OpenAFS] openAFS 1.4.4 - ticket contained unknown key version number
Hamish [EMAIL PROTECTED] wrote:
> Why the heck do I get an unknown key version when trying to do anything? I've googled till I'm blue in the face and have only found some really really old emails asking questions with no answers... The Wiki seems devoid of any info unless it's using kaserver when it comes to krb at all...

I suspect that your KeyFile contains an entry where the kvno on the KDC does not match. Delete your KeyFile, recreate a keytab and re-run asetkey (using the proper kvno) to generate a good KeyFile. Copy this KeyFile to all of your AFS servers and restart all of them.

CDC
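The "unknown key version number" error above comes from a server whose KeyFile lacks the kvno the KDC is currently using for the afs service principal, and the kdc.conf thread further up on this page touches the same kvno bookkeeping. The script below is an added example (not from the list, not OpenAFS's or MIT's own code) that compares the kvno the KDC issues, as printed by the MIT "kvno" tool, with the kvnos present in the keytab that asetkey would be fed, as printed by "klist -k -e". Both sample outputs are constructed in those tools' formats; the realm, hostname and kvno values are invented.

```shell
#!/bin/sh
# Added example: confirm the keytab handed to asetkey contains the kvno the
# KDC currently issues for the AFS service principal. The sample outputs are
# constructed in the formats of MIT "klist -k -e" and "kvno"; EXAMPLE.ORG,
# fs1 and the kvno numbers are invented for the example.

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 afs/example.org@EXAMPLE.ORG (des-cbc-crc)
   3 host/fs1.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
'
SAMPLE_KVNO='afs/example.org@EXAMPLE.ORG: kvno = 3'

# keytab_kvnos PRINCIPAL: print each kvno for PRINCIPAL in klist -k output on stdin.
keytab_kvnos() {
    awk -v p="$1" '$2 == p { print $1 }'
}

# kdc_kvno: print the kvno from "kvno PRINCIPAL" output on stdin.
kdc_kvno() {
    awk -F'kvno = ' 'NF == 2 { print $2 }'
}

# check_kvno PRINCIPAL KLIST_OUTPUT KVNO_OUTPUT: 0 if the keytab holds the
# KDC's current kvno, 1 (with a diagnosis on stderr) otherwise. A KeyFile
# built from a keytab that fails this check produces the error in the thread.
check_kvno() {
    want=$(printf '%s\n' "$3" | kdc_kvno)
    have=$(printf '%s\n' "$2" | keytab_kvnos "$1")
    for k in $have; do
        [ "$k" = "$want" ] && return 0
    done
    printf 'keytab kvno(s) [%s] for %s do not include KDC kvno [%s]\n' \
        "$(echo $have)" "$1" "$want" >&2
    printf 'Re-extract the keytab, re-run asetkey with kvno %s, and copy the KeyFile to every server.\n' \
        "$want" >&2
    return 1
}

# With a principal argument and the MIT tools present, check the live keytab;
# otherwise run the constructed sample, which demonstrates a stale entry.
if [ -n "${1:-}" ] && command -v klist >/dev/null 2>&1 && command -v kvno >/dev/null 2>&1; then
    check_kvno "$1" "$(klist -k -e)" "$(kvno "$1" 2>&1)" || :
else
    check_kvno afs/example.org@EXAMPLE.ORG "$SAMPLE_KLIST" "$SAMPLE_KVNO" || :
fi
```

Run with the afs service principal as the argument on a host that has a ticket and the keytab readable; the sample data shows the failing case, a keytab still at kvno 2 while the KDC has moved to 3.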
Re: [OpenAFS] openAFS 1.4.4 - ticket contained unknown key version number
Hamish [EMAIL PROTECTED] wrote:
> On Friday 26 October 2007 18:09, Christopher D. Clausen wrote:
>> Hamish [EMAIL PROTECTED] wrote:
>>> On Friday 26 October 2007 17:49, Hamish wrote:
>>>> Thanks. I'd just taken that route when I got your reply. (I think I probably stuffed it up trying to build the second machine rerunning some of the commands that should only have been run once. Joys of trying to adapt a readme I found on the internet that only deals with installing a single machine :). The local machine works fine now. But when I try to run a command remotely (e.g. run bos restart from the first server against the second server I installed) it fails with '(you are not authorised for this operation)' Both work locally though... And if I append -localauth to the command on machine1 to restart machine2 it works...
>>>
>>> Whoops... Telling lies... My token was old... I unlog'ed, kdestroyed and tried again (On machine 2)... kinit works no problems, but aklog is hanging after 'About to revolve name admin to is in cell xxx.xx.x.com'
>>
>> Check your AFS server log files for any errors. I suspect something isn't running correctly. Or, you did not add a PTS account for the user you are trying to obtain tokens for.
>
> Spelling mistake in my CellServDB file... Damnit I hate that... I also just discovered that aklog won't work unless I've started the AFS client... Didn't realise that was mandatory... The user was admin... e.g.

Oh, yeah, need to have AFS client running in order for the store tokens ioctl to work.

> Now it works (getting the tokens), but I'm still not authorised for doing restarts of the second server, vos create etc... Nothing logged as to why.

Are you in that server's UserList? bos listusers to check.

>> If you'd like more interactive help, please join the #openafs channel on the Freenode IRC network.
>
> Hmm... Wonder if I can get there from here (At a client site,

A client? As in someone is paying you to ask me AFS questions on a mailing list?

> firewall might kill me. I may have to work on it over the weekend from home where I can get to things like IRC).

CDC
Re: [OpenAFS] openAFS 1.4.4 - ticket contained unknown key version number
Hamish [EMAIL PROTECTED] wrote: yeah, can't get on at the moment... Quick question... When I kinit as admin give my passwd, I get in klist the default principal 'admin', but the two service principals are krbtgt/... and afs/[EMAIL PROTECTED] Those are Kerberos TICKETS. When I aklog display the tokens, the tokens are AFS ID 1 tokens for [EMAIL PROTECTED] That is an AFS TOKEN. is that right? Or should I get tokens for admin? (Sorry... I've been running AFS on kaserver for a few years with openafs transarc (very old), and only now trying to run up a new cell on krb5... And it's not going well :) The tokens are for admin. I bet if you run pts mem 1 you'll get back admin as the user. The [EMAIL PROTECTED] part just informs you that you have tokens in cell and the AFS ID tells you which user these tokens are for. CDC
Re: [OpenAFS] Strategy for disaster recover of an AFS fileserver
Lars Schimmer [EMAIL PROTECTED] wrote: Jose Calhariz wrote: In recent past I had lost a /vicepa partition with half of the volumes of my cell and found that my backup procedure is not fast enough for recovering so many volumes and data. I am using amanda without afs patch. What plans do you have for quick recovering from massive loss of data on an AFS cell? first: no loss of data ;-) second: an extra server with HD space and a RO copy of ALL volumes third: 2-4 RO copies of all RW volumes spread over 4 fileservers fourth: vos convertRotoRW I specify fs mkm -rw when doing this, otherwise users end up reading the RO version, which is not usually what they want. Also, you need to use the namei fileserver. Vos convertROtoRW does not work with the inode fileserver. CDC
Re: [OpenAFS] Automatic move of volumes
Steven Jenkins [EMAIL PROTECTED] wrote: On 10/24/07, Derrick Brashear [EMAIL PROTECTED] wrote: perl scripts exist to do it and I think have been posted here in the past; they may even deal with the RO already exists case. It would be nice if there were a repository of publicly available contrib stuff like that. I've offered to maintain such a thing if someone would be willing to grant AFS space in some part of a public cell. I can't really host things at UIUC due to various campus network usage policies. And actually, with AFS we can just create a mount point to a world readable volume in any public cell so that the contributor can maintain the most up to date version without involving someone in updating the content. the interesting case is where the RW has unreleased changes and you want to recreate the ROs as they are now. i don't know of distributed tools to do this. I hadn't really thought about people intentionally keeping their RWs and ROs out of sync w/each other. I'm not clear why someone would want to do that -- could you elaborate? Yes, I do this. This isn't easy to work around either as I'm pretty sure that vos dump and vos copy specifically prevent you from doing operations on an RO volume. For instance I may pre-stage content for a website that is to be released next week at 10a on Monday. I can then cron the release and have the data show up exactly at a specific time. However, what usually happens is that some last minute change needs to be made to the current live website and it's not easy to undo the new site, make the change, and then re-release. I generally end up deleting (copying elsewhere first of course) the contents of the RW with rm, copying the RO, making changes and re-releasing. And then putting back the pre-staged content. CDC
Re: [OpenAFS] Automatic move of volumes
Steven Jenkins [EMAIL PROTECTED] wrote: On 10/24/07, Brandon S. Allbery KF8NH [EMAIL PROTECTED] wrote: On Oct 24, 2007, at 10:15 , Steven Jenkins wrote: - the RO handling is not good -- what happens if the _only_ RO is on the old server and the remsite happens? Clients with existing remsite is irrelevant: it just informs the vlserver of where an R/O replica will be stored in the future, it has no impact whatsoever on what R/Os (if any) exist *now*. remsite is _very_ relevant for clients that don't already know about the RO that has been remsite'd -- when they ask the vlserver for the volume, the vlserver will tell them that only the RW exists. That sounds like a misuse of the remsite command, although that is an interesting way to hide RO volumes. I assume that a client that gets rebooted / crashes is going to start reading the RW when it comes back up though, right? CDC
Re: [OpenAFS] AFS Fileserver Won't Start -- Can't Release root.cell or root.afs
Kim Kimball [EMAIL PROTECTED] wrote: You might also try vos remove server partition volumename.readonly #for each readonly instance vos backup volumename vos dump volumename.backup | vos restore server partition volumename -overwrite full Use the same volume name for each instance of volumename This will give you a new volumeID for volumename which will be reflected in the VLDB. Then vos addsite to replace the RO sites. Then vos release I was going to suggest that, but I figured it may not actually clear up the problem and could potentially just waste a lot of time. How does one know that the 127.* IPs really are gone? - When specifying server names, DO NOT use localhost or 127.0.0.1. Use the FQDNs of your servers. - Hmm... would vos delent for each volume, then the vos changeaddr -remove, and then a vos syncvldb do the same thing and not take as much time for the dump / restores? CDC
Re: [OpenAFS] AFS Fileserver Won't Start -- Can't Release root.cell or root.afs
Karl M. Davis [EMAIL PROTECTED] wrote: Well, after rebooting again, things suddenly seem to be working. No idea why... I still have some problems with making RO copies of root.cell and root.afs, though. Running vos release gives me: [EMAIL PROTECTED]:~$ vos release -id root.cell Failed to start a transaction on the RO volume. VOLSER: volume is busy The volume 536870918 could not be released to the following 1 sites: picacho.ridgetop-group.local /vicepa VOLSER: release could not be completed Error in vos release command. VOLSER: release could not be completed [EMAIL PROTECTED]:~$ vos release -id root.afs Failed to start a transaction on the RO volume. VOLSER: volume is busy The volume 536870915 could not be released to the following 1 sites: picacho.ridgetop-group.local /vicepa VOLSER: release could not be completed Error in vos release command. VOLSER: release could not be completed Try vos release -id root.afs -verbose -local as root to get more info and use your KeyFile instead of user tokens. Does vos listaddrs -noresolve print out? And can you vos changeaddr -remove any incorrect IP addresses? (You might need to vos remsite replicas attached to those IPs first.) You might still be having problems related to having your 127.* /etc/hosts line match the actual IP of your AFS server. In theory you can shutdown both AFS servers, delete your VL DB and have it regenerated via vos syncserv and vos syncvldb commands. Of course, this could also make things worse. CDC
Re: [OpenAFS] AFS Fileserver Won't Start -- Can't Release root.cell or root.afs
Karl M. Davis [EMAIL PROTECTED] wrote: I then tried running vos changeaddr -oldaddr 127.0.0.1 -remove, but it looks like some of my volumes are still stuck on the old IP: [EMAIL PROTECTED]:~$ sudo vos changeaddr -oldaddr 127.0.0.1 -remove -localauth -verbose Could not remove server 127.0.0.1 from the VLDB VLDB: volume Id exists in the vldb I'd say to try and get a good vos dump of each volume that you care about so that you can at least restore to a new cell if things go bad from here. Usually I'd fix this by finding the volume that is listed as being on that IP and moving it to another server :-) But it would seem that you have already done that. I guess its possible that the vldb still thinks that 127.0.0.1 is one of the servers somehow. Did you try restarting your file servers? Does vos syncvldb/syncserv do anything useful for you? If not, it should be safe to shutdown the AFS server and delete the VL db files and have them get recreated at server startup. (Might need to delete the sysid file as well.) Or, vos dumping, deleting, and recreating each volume via vos restore may fix it, assuming you have fixed all 127.0.0.1 problems. How would I go about resolving this? By the way, thanks very much for all of your help so far; you've really saved my ass on this. No problem. I'm glad it helped. CDC
Re: [OpenAFS] AFS Fileserver Won't Start
Karl M. Davis [EMAIL PROTECTED] wrote: Hi Karl. I'm going to assume it was you in the #openafs IRC channel. I'd suggest staying logged in if you really want help. You have to wait for people to have time to respond. And more than the 15 minutes that you waited. We do need to do things like eat and sleep. Somewhere towards the end of moving the volumes from the old server to the new server, things got badly goofed. The fs process will no longer start on the new server and I find the following entry in the /var/log/openafs/FileLog file: Wed Oct 3 19:26:59 2007 afs_krb_get_lrealm failed, using ridgetop-group.local. Is the above a correct assumption about your Realm? I would expect you to be using ridgetop-group.com. Wed Oct 3 19:26:59 2007 VL_RegisterAddrs rpc failed; The IP address exists on a different server; repair it Check the /etc/hosts file on all machines and all CellServDB files for incorrect entries. Wed Oct 3 19:26:59 2007 VL_RegisterAddrs rpc failed; See VLLog for details What is in VLLog? Unfortunately, there's nothing helpful in VLLog. Interestingly, vos listaddrs returns nothing on the new server, either. vos listaddrs might not be working b/c of the above errors. Running vos listvldb returns the following: VLDB entries for all servers root.afs RWrite: 536870915 ROnly: 536870916 number of sites - 3 server picacho.ridgetop-group.local partition /vicepa RW Site server picacho.ridgetop-group.local partition /vicepa RO Site server picacho.ridgetop-group.local partition /vicepa RO Site root.cell RWrite: 536870918 ROnly: 536870919 number of sites - 3 server picacho.ridgetop-group.local partition /vicepa RW Site server picacho.ridgetop-group.local partition /vicepa RO Site server picacho.ridgetop-group.local partition /vicepa RO Site I'm unsure why there are duplicate RO entries, but the last thing I was working on was recreating RO volumes for root.cell and root.afs on the new server. Well, it looks like something did not work out right. 
I'm panicking because all of the volumes are now on the new server and non-accessible. Anyone have some clue what I did wrong and how I can fix things? Probably going to need more information about what happened, what you did to try and fix it, and other infrastructure questions, like how many AFS DB servers you actually have, and if any of them are multi-homed. CDC
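The threads above keep coming back to reading `vos listvldb` output by eye: duplicated RO sites for root.afs and root.cell, replicas stuck on 127.0.0.1 that block `vos changeaddr -remove`, and (in the disaster-recovery thread) finding a surviving RO copy to feed to `vos convertROtoRW`. The following is an added example, not code from any poster or from OpenAFS itself: a small parser for the `vos listvldb` listing that runs those checks and prints the `vos` commands one would review before running. The sample listing is constructed, modelled on the one quoted above with an extra loopback site and a second fileserver (`fs2.ridgetop-group.local`) added to exercise the checks; the function names are my own. The commands are emitted as text only, nothing is executed against a cell.

```python
import re
from collections import Counter

# Constructed sample, modelled on the listing quoted in the thread. The
# 127.0.0.1 site and the fs2 server are added here to exercise the checks.
SAMPLE_LISTVLDB = """\
VLDB entries for all servers

root.afs
    RWrite: 536870915     ROnly: 536870916
    number of sites -> 3
       server picacho.ridgetop-group.local partition /vicepa RW Site
       server picacho.ridgetop-group.local partition /vicepa RO Site
       server picacho.ridgetop-group.local partition /vicepa RO Site

root.cell
    RWrite: 536870918     ROnly: 536870919
    number of sites -> 3
       server picacho.ridgetop-group.local partition /vicepa RW Site
       server 127.0.0.1 partition /vicepa RO Site
       server fs2.ridgetop-group.local partition /vicepb RO Site

Total entries: 2
"""

SITE_RE = re.compile(r"^\s+server\s+(\S+)\s+partition\s+(\S+)\s+(RW|RO|BK)\s+Site")
IDS_RE = re.compile(r"(RWrite|ROnly|Backup):\s+(\d+)")


def parse_listvldb(text):
    """Return {volume: {"ids": {kind: id}, "sites": [(server, partition, kind)]}}."""
    volumes, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLDB entries", "Total entries")):
            continue
        if not line[0].isspace():          # an unindented line is a volume name
            current = line.strip()
            volumes[current] = {"ids": {}, "sites": []}
            continue
        if current is None:
            continue
        for kind, vid in IDS_RE.findall(line):
            volumes[current]["ids"][kind] = int(vid)
        m = SITE_RE.match(line)
        if m:
            volumes[current]["sites"].append(m.groups())
    return volumes


def is_loopback(server):
    return server == "localhost" or server.startswith("127.")


def find_problems(volumes):
    """List (volume, description) for the failure modes discussed in the thread."""
    problems = []
    for name, vol in volumes.items():
        kinds = Counter(k for _, _, k in vol["sites"])
        if kinds["RW"] != 1:
            problems.append((name, f"expected exactly one RW site, found {kinds['RW']}"))
        dup = Counter((s, p) for s, p, k in vol["sites"] if k == "RO")
        for (s, p), n in dup.items():
            if n > 1:
                problems.append((name, f"RO site {s} {p} listed {n} times"))
        for s, p, k in vol["sites"]:
            if is_loopback(s):
                problems.append((name, f"{k} site on loopback address {s} {p}"))
    return problems


def repair_commands(volumes):
    """Dry run: detach loopback replicas first, then drop the address. The
    thread shows changeaddr -remove failing while a volume still references
    the address, which is why the remsite commands come first."""
    cmds, bad_addrs = [], set()
    for name, vol in volumes.items():
        for s, p, k in vol["sites"]:
            if is_loopback(s) and k == "RO":
                cmds.append(f"vos remsite -server {s} -partition {p} -id {name}")
                bad_addrs.add(s)
    cmds += [f"vos changeaddr -oldaddr {a} -remove" for a in sorted(bad_addrs)]
    return cmds


def convert_candidates(volumes, dead_server):
    """For volumes whose RW lived on dead_server, suggest convertROtoRW on a
    surviving RO site (namei fileserver only, per the reply above). Mount
    points for converted volumes still need to be remade with fs mkmount -rw."""
    out = []
    for name, vol in volumes.items():
        if [s for s, _, k in vol["sites"] if k == "RW"] != [dead_server]:
            continue
        ro = [(s, p) for s, p, k in vol["sites"]
              if k == "RO" and s != dead_server and not is_loopback(s)]
        if ro:
            s, p = ro[0]
            out.append(f"vos convertROtoRW -server {s} -partition {p} -id {name}")
        else:
            out.append(f"# {name}: no surviving RO site, restore from dump")
    return out


if __name__ == "__main__":
    vols = parse_listvldb(SAMPLE_LISTVLDB)
    for v, msg in find_problems(vols):
        print(f"{v}: {msg}")
    print("\n".join(repair_commands(vols)))
    print("\n".join(convert_candidates(vols, "picacho.ridgetop-group.local")))
```

Feed it real output with `vos listvldb | python3 vldbcheck.py` after replacing the sample with `sys.stdin.read()`; the point of the dry run is that `remsite`, `changeaddr -remove` and `convertROtoRW` all change the VLDB, so the generated lines should be read against `vos listaddrs -noresolve` and the servers' /etc/hosts before any of them is run.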
Re: [OpenAFS] fileserver on etch may crash because ulimit -s 8192
Russ Allbery [EMAIL PROTECTED] wrote: XFS is a lot better than ReiserFS, though, in terms of support and knowledge by the kernel developers, and would probably be fine. It is faster for a lot of usage profiles than ext3. I have had some problems with XFS on a Debian-based AFS fileserver. XFS decided to off-line a volume due to a long timeout in the underlying RAID volume. I would not recommend it without heavy testing. Ok, I have by default ulimit -c 0. I don't depend on core files for so many years I forget about ulimit -c 0. Now I am a sysadm not a programmer. I only program in bash and install gdb for other people to use, not for myself :-) Right. :) I got caught recently the same way, actually. I'll note that someone mentioned a problem with the 8192 stack size in Debian a few months ago in the #openafs IRC channel. They worked around the problem by changing some setting before starting the AFS processes. Unfortunately I do not remember the exact solution or the exact problem, but you are not the only one experiencing it. CDC
Re: [OpenAFS] Howto speedup the restore of a crashed fileserver
Jason Edgecombe [EMAIL PROTECTED] wrote: Jose Calhariz wrote: If you're not already, I recommend restoring into a local directory, then copying into AFS. That will at least make the tape part go faster and reduce wear and tear on the tapes and drive. I am doing that, as I can recover from tapes faster than I can write to AFS. Especially because I use virtual tapes on disks. Do you have multiple AFS servers? If so, are you copying files to different servers simultaneously? Perhaps it's worthwhile to set up a temporary server and then do a vos move of the volumes after everything has settled. What are the settings on the client you are using to restore the files into AFS? I'd suggest maybe using a memcache while doing restores. Should avoid needing to write the data into the AFS cache file. Additionally, is the AFS cache file on the same block device as your vice partitions? Keeping things on separate physical disks should help. CDC
Re: [OpenAFS] performance stats
David Bear [EMAIL PROTECTED] wrote: We are finding that cifs performance is very BAD over a WAN and I'm guessing that the checkpoint vpn software that we MUST run is a contributing factor. We can't trust cifs over the wider internet without vpn. We can trust afs. But there are still some microsoft diehards that just don't think anything else could work. Some VPNs actually compress sent data as well as encrypt, so your performance might actually get worse without the VPN. CDC
Re: [OpenAFS] AES Support ?
Russ Allbery [EMAIL PROTECTED] wrote: John Hascall [EMAIL PROTECTED] writes: The difference here is that somebody else turning something off can be the trigger. Still not seeing your point. This looks pretty much like every other we're going to turn something off transition I've been through in IT. Clear-text telnet, ftp, NFS, DCE, you name it. Exactly. Isn't the whole point of disabling less secure methods so that they cannot be used anymore? CDC
Re: [OpenAFS] AES Support ?
John Hascall [EMAIL PROTECTED] wrote: What makes your cell rxk5 capable is if you have an [EMAIL PROTECTED] service key. That seems icky. Why does it have to have a different name? I suspect that if it had the same name, the enc-types would be confused with AES vs. DES in the current clients. Additionally, using a different service principal ensures that only binaries that are set up to use the new principal will attempt to do so, allowing for current clients and servers to keep working while adding support for rxk5 to your cell, one server / client at a time. I'm assuming that something like afs-k5/[EMAIL PROTECTED] will work, as I already have multiple AFS cells using the same Kerberos realm. CDC
Re: [OpenAFS] multiple kerberos realms support.
Matthew Andrews [EMAIL PROTECTED] wrote: a few questions about the multiple kerberos realms support in the 1.5 series. If you only need support for two realms, I believe that mostly works with the current code. Is there a concise set of patches that I could apply to a 1.4 series release to get the multiple kerberos realms support? Yes. Look in the OpenAFS RT queue: http://rt.central.org/rt/Ticket/Display.html?id=58447 Do these changes affect all of the servers, or only the ptserver? The source code in the patch can probably tell you that. Is anyone currently running with this feature in production? Yes, but only on a very small cell so I wouldn't consider the features completely tested yet. CDC
Re: [OpenAFS] AES Support ?
John Hascall [EMAIL PROTECTED] wrote: The behavior prevents a denial of service attack against the clients. Sorry, meant to say prevents a downgrade attack against the clients. Huh? How exactly would returning a security index not supported error instead of just ignoring the packet result in a downgrade attack? How would you ever know if the security index not supported packet came from a legit server? CDC
Re: [OpenAFS] klog with sites using fakeka against MIT1.6.2 broken?
Just a thought, did you add/change enc_types when you went to 1.6.2? E.g. were you supporting AES256, DES3 and DES under krb5-1.4.3? I've seen issues with certain things not understanding the AES256 type. CDC Mike Dopheide [EMAIL PROTECTED] wrote: We've also found that reverting back to MIT Kerberos 1.4.3 wasn't good enough. Some principals would start working with klog again after another password change, but others needed to be deleted and recreated. Is anyone else using MIT Kerberos 1.6.2 and klog? Mike Dopheide wrote: Number of keys: 5 Key: vno 30, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt Key: vno 30, Triple DES cbc mode with HMAC/sha1, no salt Key: vno 30, DES cbc mode with CRC-32, no salt Key: vno 30, DES cbc mode with CRC-32, Version 4 Key: vno 30, DES cbc mode with CRC-32, AFS version 3 Jeffrey Altman wrote: Matt Elliott wrote: We just discovered a problem with our KDC now running MIT 1.6.2. When a user changes their password (previous keys were created with our old kdc version 1.4.3 still work) with patches and then tries klog it no longer grants tokens. klog returns Unable to authenticate to AFS because password was incorrect. kinit and a subsequent aklog still works. Has anyone else seen this or have a fix?
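The key listing quoted above is the thing to inspect when klog works for some principals and not others after a KDC upgrade: klog authenticates through fakeka with the kaserver protocol, which only works if the principal still holds a DES key derived with the AFS version 3 salt, and a kvno that no longer matches what the KDC holds produces the "ticket contained unknown key version number" class of error from the other thread. The following is an added example, not code from any poster, from MIT Kerberos or from OpenAFS: it parses the `Key:` lines of `kadmin getprinc` output and reports the three things the thread discusses (the AFS-salted DES key, mixed kvnos, and the presence of an AES-256 key, which the reply above says some components do not understand). It does not diagnose the reported MIT 1.6.2 bug. The sample is constructed in the shape of the quoted listing; the principal name and the function names are my own.

```python
import re

# Constructed sample in the shape of the `kadmin getprinc` output quoted above.
SAMPLE_GETPRINC = """\
Principal: someuser@EXAMPLE.ORG
Number of keys: 5
Key: vno 30, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 30, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 30, DES cbc mode with CRC-32, no salt
Key: vno 30, DES cbc mode with CRC-32, Version 4
Key: vno 30, DES cbc mode with CRC-32, AFS version 3
"""

# "Key: vno <n>, <enctype description>, <salt description>"
KEY_RE = re.compile(r"^Key:\s+vno\s+(\d+),\s+(.+?),\s+(.+)$")


def parse_keys(text):
    """Return a list of (kvno, enctype, salt) tuples from getprinc output."""
    keys = []
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            keys.append((int(m.group(1)), m.group(2).strip(), m.group(3).strip()))
    return keys


def has_afs3_des_key(keys):
    """klog via fakeka needs a single-DES key with the AFS version 3 salt;
    a Triple DES key or a DES key with the normal salt does not count."""
    return any(e.startswith("DES cbc") and s == "AFS version 3" for _, e, s in keys)


def check_klog_keys(keys):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    vnos = sorted({v for v, _, _ in keys})
    if len(vnos) > 1:
        # A ticket carries one kvno; keys at several kvnos usually mean a
        # half-finished password change or a stale entry somewhere.
        findings.append(f"mixed kvnos {vnos}")
    if not has_afs3_des_key(keys):
        findings.append("no DES key with AFS version 3 salt (klog/fakeka cannot use this principal)")
    if any(e.startswith("AES-256") for _, e, _ in keys):
        findings.append("AES-256 key present; check that every consumer understands it")
    return findings


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_GETPRINC)
    for kvno, enctype, salt in keys:
        print(f"kvno {kvno:3d}  {enctype:45s} salt={salt}")
    for finding in check_klog_keys(keys) or ["no findings"]:
        print("-", finding)
```

On a live KDC the listing comes from `kadmin.local -q "getprinc <user>"` run as a KDC administrator; pipe its output through `parse_keys` and compare the result for a principal whose klog works against one whose klog fails, since the difference in salts or kvnos between the two is usually the whole story.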
Re: [OpenAFS] bos restricted mode
Jeffrey Altman [EMAIL PROTECTED] wrote: Jason Edgecombe wrote: Are there any objections to enabling pts interactive, sleep, quit, and source for all compiles, not just supergroups? I have no objection to those commands being added to the general build. What about other commands only enabled with specific compile time options such as bos setrestricted? Is there any reason to require the compile time --enable-bos-restricted-mode to enable this functionality in the bos command itself? Or for that matter, is there any reason to not always enable it in the bosserver itself? Restricted mode is not enabled by default, so always having support for it compiled in would not seem to cause any problems. Reference: http://www.openafs.org/pipermail/openafs-info/2007-June/026479.html CDC