Re: [OpenAFS] Re: VLDB and NetInfo
On May 16, 2014, at 10:28 PM, Andrew Deason adea...@sinenomine.net wrote: It is, but the 'vos listvldb' command just only shows one address in its output. We just pick the first address to display; I'm not sure if there's any way to pick which one that is (if there is, I don't think it would be guaranteed to keep working). If you don't want the internal address to appear, don't include it in NetInfo. The 'vos listaddrs' command is also looking in the VLDB; the addresses only come from one place. Thanks. That explains my confusion. For what it’s worth, when I listed the fake entry first, that one now shows up in the vldb output. ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Extract files from /vicepa
I have a perl script from 2005 that could do this - but only for pure r/w volumes. If there's a backup or readonly clone on the same partition, it will probably fail miserably. It's not polished, may have to be adapted to current perl versions etc. And I think it recovered nothing but the file content and the path, not mode/owner/ACLs... Setting up a server is certainly the better option and may well be easier and faster. But if you're desperate enough, let me know. Along not completely dissimilar lines… I’ve currently got a bunch of old data (couple hundred gigs maybe) from vos dump that I’d like to be able to examine to see exactly what’s there anymore. Right now, my personal cell lives on a couple VMs out in various public clouds, and I haven’t got around to standing up a fileserver inside the firewall yet. Is there a tool (preferably stand-alone) that I could run on those old dumps to copy the data out of them into a local directory on, say, my Mac? Then I can copy whatever of it I want to keep back into AFS later. Thanks, -c
Re: [OpenAFS] Re: How to remove a bogus (127.0.1.1) server entry for readonly?
On 12/10/13, 4:10 AM, Harald Barth h...@kth.se wrote: $ more hosts 127.0.0.1 localhost 127.0.1.1 peter.cae.uwm.edu peter I know various Linux distributions do this by default, ... Somewhat off-topic, but am I the only one who thinks that Linux distributions doing this is utterly brain-dead?
RE: [OpenAFS] ZFS-on-Linux on production fileservers?
Along the same lines, is anybody using any of the Illumos distributions? Personally, I'm working on rolling my own SmartOS build that has the AFS kernel module installed so that VMs could be AFS fileservers or clients. (Correct me if I'm wrong, but the AFS kernel module is required only for the clients and the fileservers, right? If a host is only an AFS dbserver, it has no requirement for the kernel module to be loaded, does it?) -c From: openafs-info-ad...@openafs.org on behalf of Måns Nilsson Sent: Saturday, October 5, 2013 6:55 PM To: Jeff Blaine Cc: OpenAFS Subject: Re: [OpenAFS] ZFS-on-Linux on production fileservers? Subject: [OpenAFS] ZFS-on-Linux on production fileservers? Date: Fri, Oct 04, 2013 at 10:31:47AM -0400 Quoting Jeff Blaine (jbla...@kickflop.net): [ For those running ext3/ext4, a question further down for you as ] [ well! ] We're still a 100% Solaris + ZFS file server shop. We're EOLing our Sun SPARC hardware (with tears in our eyes) this year. Before we spend a significant amount of time evaluating this, I figured I'd ask first. Any brief response would be greatly appreciated. The generously longer the better :) * Are you using ZFS-on-Linux in production for file servers? * If not, and you looked into it, what stopped you? * If you are, how is it working out for you? ext3/ext4 people: What is your fsck strategy? I'd second the question about FreeBSD that was asked earlier. My personal cell runs vicep* on ZFS, 4 zmirrored 2TB SATA drives on an old Dell 2950 with 8G RAM. I also iSCSI share a few devices (around a TB, mail spool, backup spool, and scratch partition) from it. I'm very happy. Rock solid; as good as Solaris on X86 but Larry does not even get credit. Performance-wise, perhaps not super hot, but enough. The only important part is that you MUST NOT have a 32-bit kernel. Now, today, that probably is the default. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 I'm RELIGIOUS!! I love a man with a HAIRPIECE!! Equip me with MISSILES!!
[OpenAFS] enctype issues with Heimdal and debian for afs/cell
Hi all,

After some time, I'm finally getting around to putting my personal cell back up (this time on debian with openafs-1.6.4 from wheezy-backports and Heimdal). My afs/cell principal is setup thusly:

    kadmin get afs/coyhile.com
    Principal: afs/coyhile@coyhile.com
    Principal expires: never
    Password expires: never
    Last password change: 2013-07-19 10:00:32 UTC
    Max ticket life: 1 day
    Max renewable life: 1 week
    Kvno: 3
    Mkvno: unknown
    Last successful login: never
    Last failed login: never
    Failed login count: 0
    Last modified: 2013-07-19 10:00:32 UTC
    Modifier: kadmin/ad...@coyhile.com
    Attributes:
    Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[3], des3-cbc-sha1(pw-salt)[3], arcfour-hmac-md5(pw-salt)[3], des-cbc-md5(pw-salt())[3]
    PK-INIT ACL:
    Aliases:
    kadmin ext -k AFSKEYFILE:/etc/openafs/server/KeyFile afs/coyhile.com
    kadmin

and in krb5.conf, I do have allow_weak_crypto = true in libdefaults. All in all, Heimdal is working fine, but aklog is failing to get me tokens:

    chaos:/var/log # kinit admin
    ad...@coyhile.com's Password:
    chaos:/var/log # klist
    Credentials cache: FILE:/tmp/krb5cc_1141449863_q94vTe
    Principal: ad...@coyhile.com
    Issued Expires Principal
    Jul 19 10:07:40 2013 Jul 20 10:07:36 2013 krbtgt/coyhile@coyhile.com
    Jul 19 10:07:40 2013 Jul 20 10:07:36 2013 afs/coyhile@coyhile.com
    chaos:/var/log # aklog -d
    Authenticating to cell coyhile.com (server chaos.coyhile.com).
    Trying to authenticate to user's realm COYHILE.COM.
    Getting tickets: afs/coyhile@coyhile.com
    Kerberos error code returned by get_cred : -1765328370
    aklog: Couldn't get coyhile.com AFS tickets:
    aklog: unknown RPC error (-1765328370) while getting AFS tickets
    chaos:/var/log #

and in the KDC logs, I see this:

    2013-07-19T10:07:40 ENC-TS Pre-authentication succeeded -- ad...@coyhile.com using aes256-cts-hmac-sha1-96
    2013-07-19T10:07:40 ENC-TS pre-authentication succeeded -- ad...@coyhile.com
    2013-07-19T10:07:40 AS-REQ authtime: 2013-07-19T10:07:40 starttime: unset endtime: 2013-07-20T10:07:36 renew till: 2013-07-26T10:07:36
    2013-07-19T10:07:40 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
    2013-07-19T10:07:40 Requested flags: renewable, forwardable
    2013-07-19T10:07:40 sending 738 bytes to IPv4:37.153.98.57
    2013-07-19T10:07:40 TGS-REQ ad...@coyhile.com from IPv4:37.153.98.57 for afs/coyhile@coyhile.com [canonicalize, renewable, forwardable]
    2013-07-19T10:07:40 Server (afs/coyhile@coyhile.com) has no support for etypes
    2013-07-19T10:07:40 Failed building TGS-REP to IPv4:37.153.98.57
    2013-07-19T10:07:40 tgs-req: sending error: -1765328370 to client

Does *everything* need a DES key, or just the afs/cell principal?

-c
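The numeric error in the message above can be decoded and matched against the KDC log mechanically. The following is an added example, not part of the original post or of OpenAFS or Heimdal: it decodes the com_err value, lists the enctypes on a `Keytypes:` line as printed by `kadmin get`, and pairs each failed TGS-REQ with its service principal. The log lines and the example.org principals are constructed in the format of the log quoted in the post.

```python
import re

# com_err base of the krb5 error table; protocol error N is reported as BASE + N.
KRB5_ERROR_BASE = -1765328384
# A few RFC 4120 protocol error numbers, enough for this example.
KDC_ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
}

def decode_krb5_error(code):
    """Return (protocol_error_number, name) for a com_err style krb5 code."""
    number = code - KRB5_ERROR_BASE
    return number, KDC_ERROR_NAMES.get(number, "UNKNOWN")

# enctype(salt)[kvno], as printed on the Keytypes line of Heimdal's 'kadmin get'.
KEYTYPE_RE = re.compile(r"([a-z0-9-]+)\([^\[]*\)\[(\d+)\]")

def parse_keytypes(line):
    """Parse a 'Keytypes:' line into a list of (enctype, kvno) pairs."""
    return [(name, int(kvno)) for name, kvno in KEYTYPE_RE.findall(line)]

def single_des_enctypes(keytypes):
    """Enctypes that are single DES, i.e. the ones gated by allow_weak_crypto."""
    return [name for name, _ in keytypes if name.startswith("des-cbc-")]

TGS_RE = re.compile(r"TGS-REQ (\S+) from (\S+) for (\S+)")
NOSUPP_RE = re.compile(r"Server \((\S+)\) has no support for etypes")
ERR_RE = re.compile(r"sending error: (-?\d+) to client")

def find_etype_failures(log_lines):
    """Pair each 'no support for etypes' line with the TGS-REQ that caused it."""
    failures, request, pending = [], None, None
    for line in log_lines:
        m = TGS_RE.search(line)
        if m:
            request = {"client": m.group(1), "source": m.group(2),
                       "service": m.group(3)}
            pending = None
            continue
        m = NOSUPP_RE.search(line)
        if m and request and m.group(1) == request["service"]:
            pending = dict(request)
            continue
        m = ERR_RE.search(line)
        if m and pending:
            pending["error"] = decode_krb5_error(int(m.group(1)))[1]
            failures.append(pending)
            pending = None
    return failures

# Keytypes line as it appears in the post.
KEYTYPES_LINE = ("Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[3], "
                 "des3-cbc-sha1(pw-salt)[3], arcfour-hmac-md5(pw-salt)[3], "
                 "des-cbc-md5(pw-salt())[3]")

# Constructed sample log: one failing request for the afs service, one that succeeds.
SAMPLE_KDC_LOG = [
    "2013-07-19T10:07:40 TGS-REQ alice@EXAMPLE.ORG from IPv4:192.0.2.10 "
    "for afs/example.org@EXAMPLE.ORG [canonicalize, renewable, forwardable]",
    "2013-07-19T10:07:40 Server (afs/example.org@EXAMPLE.ORG) has no support for etypes",
    "2013-07-19T10:07:40 Failed building TGS-REP to IPv4:192.0.2.10",
    "2013-07-19T10:07:40 tgs-req: sending error: -1765328370 to client",
    "2013-07-19T10:09:02 TGS-REQ alice@EXAMPLE.ORG from IPv4:192.0.2.10 "
    "for host/web.example.org@EXAMPLE.ORG [renewable, forwardable]",
    "2013-07-19T10:09:02 sending 702 bytes to IPv4:192.0.2.10",
]

if __name__ == "__main__":
    print(decode_krb5_error(-1765328370))
    print(single_des_enctypes(parse_keytypes(KEYTYPES_LINE)))
    for failure in find_etype_failures(SAMPLE_KDC_LOG):
        print(failure)
```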
RE: [OpenAFS] enctype issues with Heimdal and debian for afs/cell
-Original Message- Maybe you should remove the non des-cbc ones and couldn't hurt to have a des-cbc-crc one as well before generating the KeyFile I'll give that a shot. and in krb5.conf, I do have allow_weak_crypto = true in libdefaults. On kdc afs servers and client? Both. In this case, the KDC and the (first) OpenAFS dbserver are collocated. -c
RE: [OpenAFS] enctype issues with Heimdal and debian for afs/cell
Maybe you should remove the non des-cbc ones and couldn't hurt to have a des-cbc-crc one as well before generating the KeyFile

That certainly helped. Now I'm getting a different set of errors from aklog;

    chaos:/var/log # aklog -d
    Authenticating to cell coyhile.com (server chaos.coyhile.com).
    Trying to authenticate to user's realm COYHILE.COM.
    Getting tickets: afs/coyhile@coyhile.com
    Using Kerberos V5 ticket natively
    About to resolve name admin to id in cell coyhile.com.
    Id 1
    Set username to AFS ID 1
    Setting tokens. AFS ID 1 @ coyhile.com
    aklog: unknown cell was passed to SetToken while obtaining tokens for cell coyhile.com

Yet the server seems to know its cell:

    chaos:/var/log # bos listhosts chaos -localauth
    Cell name is coyhile.com
    Host 1 is chaos.coyhile.com
    chaos:/var/log #

Am I conflating error messages since I've configured neither the client (besides whatever configuration debconf did on install) nor the (da)fileserver yet?

-c
RE: [OpenAFS] enctype issues with Heimdal and debian for afs/cell
The problem seems to be that the client (even if it is on the same box) needs to know about the dbserver(s). You have two choices: 1. Add them to the /etc/openafs/CellServDB on each client, or 2. set up two SRV records on dns: _afs3-vlserver._udp.coyhile.com _afs3-prserver._udp.coyhile.com for each db servers in your cell. IMHO first method is faster to accomplish with a small number of clients, second is more future proof as new client systems get added to your cell. Thanks Geza. You sorted it out. When I created the records with fs newcell rather than just editing cellservdb, I'm good now. Thanks for your help; it's been a while. -c
RE: [OpenAFS] Windows 8.1, SkyDrive and Roaming Profiles
Wouldn't most organizations disable these defaults via a global GPO? From: openafs-info-ad...@openafs.org on behalf of Jeffrey Altman Sent: Saturday, June 29, 2013 4:09 PM To: OpenAFS Subject: [OpenAFS] Windows 8.1, SkyDrive and Roaming Profiles Last Wednesday Microsoft released the one and only preview release of Windows 8.1 in conjunction with the Microsoft Build conference which I attended. The one big change relating to file systems is the integration of SkyDrive into the Shell and its selection as the primary storage location for end user documents. The SkyDrive integration adds shell recognition for files that are located in the locally sync'd copy of the SkyDrive directory tree but which have not been copied locally. Microsoft now represents these files with a new Reparse Point (Tag: 0x8015) which is a sparse file and an offline file. The file will not be visible to applications that browse the directory from the command line but will be displayed in the Explorer Shell and Modern application views of the SkyDrive directory. The SkyDrive folder tree is stored in the user's profile at \Users\username\SkyDrive. When the profile is on NTFS this works fine. When the roaming profile is stored in AFS this is going to cause problems because at logout an error will be generated when attempts are made to copy this new reparse point to AFS. I urge organizations to begin testing Windows 8.1 Preview immediately and to file bug reports with Microsoft as soon as possible. This is a feature that will not be altered once Windows 8.1 RTM is cut. It is critical that Microsoft hear about issues that will affect their customers while there is time to make adjustments. Jeffrey Altman
[OpenAFS] Windows clients / roaming profiles and OpenAFS
I'm finally getting around to getting my cell set back up (mostly for playing around), and I have something new in the mix that I didn't have last time: Windows clients. What is considered best practice for dealing with Windows profiles and OpenAFS? I see the following possibilities: (1) Make all the profiles local, users have to copy things to AFS by hand (2) Make profiles local (or roaming using MSFT infrastructure) and redirect folders such as My Documents/Music/etc to \\AFS UNC path (3) Store the roaming profile data in AFS directly. What's the Right Way(tm) to do it?
Re: [OpenAFS] Administrators with a slash
The problem is likely related to the fact that you're using both dots *AND* slashes. As I recall, the principal example/admin@YOURREALM would automatically map itself to pts user example.admin, so my WAG is that ptserver is trying to map to 'bobb.crosbie/admin' and coming up with 'bobb.crosbie.admin' or something like that. Others can certainly speak with more definitive voices than I.
Re: [OpenAFS] mixing AFS versions for db servers?
On Sat, Oct 22, 2011 at 12:18 AM, Jeffrey Altman jalt...@secure-endpoints.com wrote: Database servers all must be the same version. You can run 1.4.7 database servers on the 1.6.x fileserver machine but all of the database servers must match. Mixed versions are not supported. Out of curiosity (as I'm sure I'll come across it soon enough after I rebuild my cell), if all dbservers must run the same version, what is the supported process for updating dbservers? Certainly if you did yum upgrade list-of-openafs-packages on all three and rebooted them simultaneously, you'd have an outage -- however short it may be.
[OpenAFS] Why the KfW/Heimdal dependency with OpenAFS for Windows?
I'm almost certainly missing something obvious here, but why do we have the dependency on either KfW or Heimdal for the Windows OpenAFS client? Microsoft already ships Kerberos libraries as part of Active Directory; why can we not link against those directly? thanks, -Coy
Re: [OpenAFS] Deploying OpenAFS on VMs
On Mon, Jun 20, 2011 at 12:56 PM, Hoskins, Matthew matthew.hosk...@njit.edu wrote: · Many fileservers / smaller fileservers: This philosophy has evolved as we have moved more into virtualized fileservers. With physical hardware you are limited by ABILITY TO PURCHASE. Meaning, you can only get “x” number of servers of “n” size. This means if you want highly resilient servers, you can only afford to buy a few of them. This can lead to very fat fileservers. If you go for many cheap fileservers, you might be able to get more distributed but end up suffering more small individual outages. With virtualized fileservers you have full flexibility. On the virtual platform, you get HA by default on every VM. After that you get to design your fileserver layout decisions based on the DATA they will store. For example, in our layout we have the following classes of fileservers: o Infrastructure (INF) Fileservers: Very small fileserver, for highly critical root.*, software, etc. the “bones” of the cell. Replicated of course. o User fileservers (USR): Home volumes, nuff said o Bulk Fileservers (BLK): Almost everything else, projects, web content, research data, yadda yadda o Jumbo Fileservers (JMB): Used for ridiculously large volumes. These fileservers are the only fileserver that has a VARIABLE vicep partition size. Used for archival data and some research projects. Matt, What do you use for vicep* partition sizes? Thanks,
[OpenAFS] 1.6.0pre6 for RHEL
I'm interested in deploying DAFS when I deploy a new test cell. My fileservers will be running CentOS 5 (or 6 if 6 actually becomes sometime between now and when hell freezes over.) Is there any ETA when RHEL5 RPMs will be available? Or, failing that, is there a publicly available spec file that I could use without much trouble to spin up my own such RPMs. Thanks, -c
[OpenAFS] Deploying OpenAFS on VMs
I have a question about deployment of OpenAFS on VMWare. Assume for the sake of argument that one has a requirement to deploy OpenAFS on VMs -- to include deploying his fileservers as VMs. Has anyone actually done that sort of deployment? If so, did you make the vice partitions directly mapped disk LUNs (be they SAN LUNs or iSCSI LUNs), or did you just allocate additional disks as standard vmdk files? Is the additional overhead of using .vmdk files for vice partitions such that it would render the installation unusable? Thanks, -Coy
Re: [OpenAFS] OpenAFS and Windows user account password syncronization
On Thu, May 26, 2011 at 8:16 AM, Claudio Prono claudio.pr...@atpss.net wrote: On 25/05/2011 20.14, Ken Dreyer wrote: On Wed, May 25, 2011 at 7:12 AM, Claudio Prono claudio.pr...@atpss.net wrote: When the Windows Client change his Kerberos password on the OpenAFS server I'm not sure what this means, because OpenAFS servers (besides kaserver) don't store users' passwords. Can you provide more information about your Kerberos environment, specifically, what implementation of Kerberos (kaserver, Heimdal, MIT) you are using to authenticate users to AFS? - Ken I use Mit Kerberos to store users passwords. You shouldn't really have to synchronize anything at all. If you're doing the dummy account dance on the AD side; that is, the user object in AD is mapped to a principal in your MIT realm via alternate security IDs, then the user simply has to change his password in the MIT realm directly. Where I went to school did this; they simply have a webpage where users can change their passwords. -- Coy Hile coy.h...@coyhile.com
[OpenAFS] Automatically Renewing Tokens?
Good morning, all, I know that things exist to automatically renew kerberos tickets up until the maximum renewal lifetime (Russ' k5start and Quest's autorenew capability as part of Quest Authentication Services come to mind) What are the suggested ways to auto-renew users' tokens as well? Think Joe who doesn't logout of his PC and needs access to \\AFS or someone who's running a screen session. Somewhat unrelated, is there the availability to do the following at all: (1) Store %USERPROFILE% for windows users in a subdir of his user volume in AFS (thus making roaming profiles easy)? (2) Install Windows applications in \\AFS so that, for example, I need only install Visual Studio or Office 2010 once and have all windows boxes be able to find it? Thanks, -C
Re: [OpenAFS] Multiple logins
On Sat, Mar 19, 2011 at 1:23 PM, Jaap Winius jwin...@umrk.nl wrote: Quoting Dirk Heinrichs dirk.heinri...@altum.de: ... Is it possible to prevent users from logging in more than once ... No, you can't. ... Couldn't you potentially write a PAM module to do exactly that? At the top of the session stack, have it store the status of the user's session in LDAP somewhere (or potentially in some other database), and then on logout, remove the "Joe has an active session" flag. Then, upon a second or subsequent attempt at login, the PAM module could kick the user out? I don't know the logistics of doing so, unfortunately; potentially Russ could give a better hand-wave solution? -Coy
RE: [OpenAFS] Re: [OpenAFS-Doc] Forwarded documentation rant
I for one find for some things like the sorts of docs that are the admin guide/admin ref/etc, that having printable copies works well. Maybe I'm just a curmudgeon, though. (No need for comments from the peanut gallery on that one :)) From: openafs-info-ad...@openafs.org [openafs-info-ad...@openafs.org] on behalf of Russ Allbery [...@stanford.edu] Sent: Monday, April 19, 2010 3:08 PM To: openafs-info@openafs.org Subject: Re: [OpenAFS] Re: [OpenAFS-Doc] Forwarded documentation rant Chas Williams (CONTRACTOR) c...@cmf.nrl.navy.mil writes: it is still there. btw, you can't reference by page numbers. this is a very strange idea. different media is going to have different page numbers. references inside the admin reference manual were lost though. however, that documents has changed enough that it probably wasn't very correct. POD is capable of including enough information that you could get them back, and most of the high-level references are still there. The low-level references (to specific sections of particular pieces of documentation) would need additional annotations. Some work on the generation scripts to get more of the references to hyperlink properly would be good, as would some investigation of currently available POD formatters to see which ones would give the best cross-referenced printable output. On the other hand, I'm not sure how large the audience is for that work any more. Printing things like this out has I think become a lot less common over the years. That's one of the reasons why our original focus was on turning the reference guide into man pages; on our UNIX-like platforms, that's a far more common documentation access method than printed or printable manuals. -- Russ Allbery (r...@stanford.edu) http://www.eyrie.org/~eagle/
RE: [OpenAFS] Purging the client cache
-Original Message- From: openafs-info-ad...@openafs.org [mailto:openafs-info-ad...@openafs.org] On Behalf Of Russ Allbery Sent: Saturday, January 09, 2010 5:53 PM To: openafs-info@openafs.org Subject: [OpenAFS] Purging the client cache One of the concerns raised by our Information Security Office is that a primary point of this space is to get the data off of people's hard drives and into central storage that can be managed securely. If the data persists in users' caches after they disconnect from the VPN required to access the secure space directly, this would partly defeat this purpose. Do you have the ability to control which clients can access this space? If so, would saying, Thou shalt use memcache (perhaps followed by mandatory reboot) mitigate the issue? -c
RE: [OpenAFS] openafs and tivoli backup client
I'm fairly certain the TSM 5.1 client here has AFS support (as I use it now): ftp://ftp.software.ibm.com/storage/tivoli-storage-management/maintenance/client/v5r1/AIX/AIX32bit/v517/ Oh, I didn't realize they still had the 5.1 client available. Yes, that approach will work for the time being if that comes with the *.afs binary. Note, though, that the current version of Tivoli is 5.5, and I'm fairly sure that later versions no longer include AFS support. We've been told by IBM that they do not support it and eventually it will break. I'd be interested to find out if those binaries still work with TSM 6.1 that came out last week. Officially, only clients at levels 5.3 or newer are supported with 6.1, IIRC, but we all know the difference between supported, and it works. -C
Re: [OpenAFS] Documentation to install openAFS in NokiaN800
On Sat, 15 Mar 2008, Jason Edgecombe wrote: BTW, all of this is for the client. Nobody has tried to run a fileserver on an N8X0...yet. ;) Give Brashear time :) -- Coy Hile [EMAIL PROTECTED] Unarmed combat is what we enter into when we have been foolish enough not to have a weapon; careless enough to lose our weapon, or unlucky enough to have broken our weapon
Re: [OpenAFS] Re: where does volserver deposit its core dumps?
On Sat, 3 Nov 2007, Adam Megacz wrote: Christopher D. Clausen [EMAIL PROTECTED] writes: Could anybody tell me where volserver leaves its core dumps? (the answer is not /var/lib/openafs/cores/) Probably depends on the platform. On sun4x_510, I think cores ended up in /usr/afs/logs Thanks, but no luck. This is linux-sparc64, by the way. Does linux have something akin to coreadm(1M) or syscorepath (on AIX)? If it does, then I think the answer would be where you configured core dumps to be dropped. -- Coy Hile [EMAIL PROTECTED]
[OpenAFS] AFS client causing kernel panics on Solaris 10 Update 4
Hi all, Has anyone else seen issues with the OpenAFS client causing kernel panics on startup on Solaris 10 update 4 (KJP 120011-14) SPARC? I find that the servers start fine, but when /usr/vice/etc/afsd starts I get a panic. If anyone would like, I can try to get a panic. Thanks, -- Coy Hile [EMAIL PROTECTED]
[OpenAFS] config options for openafs.org provided builds
Is there any documentation anywhere which lists with which config options the various binary distributions available on openafs.org are built? I'm currently using the solaris 10 namei builds on the solaris boxes here, but I want to start playing around with --enable-tivoli-tsm to see how that actually works. Is that built-in to the provided builds? (Doug?) Likewise, same question would go for the rs_aix builds. (I don't care about Linux as I wouldn't use a linux box as the backup client to backup AFS space =) Thanks, -- Coy Hile [EMAIL PROTECTED]
Re: [OpenAFS] One of my users has married - what to do?
On 4/27/07, Christopher D. Clausen [EMAIL PROTECTED] wrote: Derrick J Brashear [EMAIL PROTECTED] wrote: On Thu, 19 Apr 2007, Helmut Jarausch wrote: what do I have to do to rename a user. It was easy with pts but how to rename a user with kas. You can't. My old trick was to use a tool which we had hacked up to pull a key from the database, and reinject that key for the new username, then delete the old one. Is it possible to perform a similar trick directly on true Kerberos 5 principals? Interesting idea, but it does beg the question why rename the username at all? Update the GECOS and perhaps mail aliases, but why change the principal?
[OpenAFS] backing up OpenAFS file space
All, What provision do you recommend for backing up AFS volumes? I have access to TSM, but from what I've seen only the binaries for AIX support direct backup of files in AFS unless I'm wrong. TIA. -- Coy Hile [EMAIL PROTECTED]
Re: [OpenAFS] Re: afs vs nfs
On Tue, 22 Nov 2005 [EMAIL PROTECTED] wrote: On Tue, 22 Nov 2005 [EMAIL PROTECTED] wrote: I don't know why the AFS community continues to support this convention which breaks location independence. *shrug*. Okay, support was a bad choice of words, why it's supported should be pretty obvious. It'd still be nice to see some alternatives more widely discussed. I'm new to the game. What alternatives exist? -- Coy Hile [EMAIL PROTECTED]
Re: [OpenAFS] openafs and dce cell
On Tue, 8 Nov 2005, Ken Hornstein wrote: Nope, this is the old aklog from the afs-krb5 migration. The 1.4.1 packages will have the openafs aklog. So, um ... what happened? Was this intentional? I ask because this is probably the second or third person who posted on the list saying, Hey, this damn aklog doesn't work as advertised. For the record the aklog that's built by 1.4.0 and the 1.4.1-RC line works for me on both Solaris and my Mac. -- Coy Hile [EMAIL PROTECTED]
Re: [OpenAFS] Re: Mapping btw. AFS tokens and Kerberos tickets (Heimdal)
On Tue, 8 Nov 2005, Florian Daniel Otel wrote:

After some more digging I narrowed down the problem to aklog. The problem is that apparently aklog does some translation on the Kerberos principal name. In particular, if the Kerberos principal contains a / -- like e.g. florian/admin, aklog actually tries to resolve florian.admin instead (which doesn't exist in the cell) thus resolves it as ID 32766 (i.e. anonymous).

    kdc-hostname:~# kauth florian/admin
    florian/[EMAIL PROTECTED]'s Password:
    kauth: NOTICE: ticket renewable lifetime is 1 week
    kdc-hostname:~# aklog -d -force
    Authenticating to cell domain.com (server kdc-hostname.domain.com).
    We've deduced that we need to authenticate to realm DOMAIN.COM.
    Getting tickets: afs/[EMAIL PROTECTED]
    About to resolve name florian.admin to id in cell domain.com.
    Id 32766
    Set username to florian.admin
    Setting tokens. florian.admin / @ DOMAIN.COM
    kdc-hostname:~# tokens
    Tokens held by the Cache Manager:
    Tokens for [EMAIL PROTECTED] [Expires Nov 9 07:09]
    --End of list--

Create your PTS usernames as florian.admin rather than florian/admin (while retaining the latter as your krb5 account names) and the translations will be done automatically.

-- Coy Hile [EMAIL PROTECTED]
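The slash-to-dot translation described in this message, and the dots-and-slashes ambiguity raised in the earlier "Administrators with a slash" reply, can be audited against a list of principals. The following is an added example, not aklog's or ptserver's code: it assumes the mapping is exactly "drop the realm, replace / with ." as the posts describe, and the principal list and PTS table are constructed.

```python
from collections import defaultdict

ANONYMOUS_ID = 32766  # the ID aklog printed in the post for an unresolved name

def krb5_to_pts_name(principal):
    """Map a krb5 principal to a PTS name as described in the thread.

    Assumption: the realm is dropped (local realm) and every '/' becomes '.'.
    """
    name, _, _realm = principal.rpartition("@")
    if not name:          # principal was given without a realm
        name = principal
    return name.replace("/", ".")

def resolve_pts_id(principal, pts_entries):
    """Return the PTS ID the principal would get, or ANONYMOUS_ID if unmapped."""
    return pts_entries.get(krb5_to_pts_name(principal), ANONYMOUS_ID)

def find_collisions(principals):
    """Return {pts_name: [principals]} where distinct principals share a PTS name."""
    groups = defaultdict(set)
    for principal in principals:
        groups[krb5_to_pts_name(principal)].add(principal)
    return {pts: sorted(ps) for pts, ps in groups.items() if len(ps) > 1}

# Constructed data: principals in a KDC and the names registered in PTS.
SAMPLE_PRINCIPALS = [
    "florian@DOMAIN.COM",
    "florian/admin@DOMAIN.COM",
    "florian.admin@DOMAIN.COM",       # dotted single-component principal
    "bobb.crosbie/admin@DOMAIN.COM",
    "bobb/crosbie.admin@DOMAIN.COM",
]
SAMPLE_PTS = {"florian": 1001, "bobb.crosbie.admin": 1002}

if __name__ == "__main__":
    for p in SAMPLE_PRINCIPALS:
        print(p, "->", krb5_to_pts_name(p), resolve_pts_id(p, SAMPLE_PTS))
    print(find_collisions(SAMPLE_PRINCIPALS))
```

Any name reported by `find_collisions` is one where two different Kerberos identities would receive the same AFS identity, which is worth reviewing before granting that PTS entry administrative rights.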
Re: [OpenAFS] Stopping afsd on Solaris?
On Thu, 27 Oct 2005, E. Chris Garrison wrote:

There seems to be no way to stop and restart the afsd on Solaris.

Try this:

    #cd /
    #umount /afs
    #/usr/vice/etc/afsd -shutdown
    #modunload `modinfo | grep afs`

to shutdown the client. I also use

    # /usr/afs/bin/bos shutdown localhost -localauth
    # kill `pgrep bosserver`

to shutdown the server processes.

-- Coy Hile [EMAIL PROTECTED]
Re: [OpenAFS] Stopping afsd on Solaris?
On Thu, 27 Oct 2005, E. Chris Garrison wrote: Thanks for the suggestions, Coy. It doesn't complain about any of those, but the afsd processes are still running and 'modinfo' still shows the module. I've seen the same thing here on my systems. When the processes are stuck (I think they're waiting for kernel threads or something so they can't be killed), the only recourse I've had is to reboot. But, I've also found that when I shutdown the client first, then the server using the process I listed (though if the machine in question is running both the client and server, don't modunload until the end), the afsd processes shutdown. One caveat though is that if things are trying to access files in AFS on the client while you shutdown the client, the afsd processes won't die. I'm in no way an authority on this; I'm just sharing my experiences. -- Coy Hile [EMAIL PROTECTED]
Re: [OpenAFS] Stopping afsd on Solaris?
On Thu, 27 Oct 2005, John Lockard wrote: How about not running the afs client on the servers. Will cut down on overhead and you won't have that pesky problem. -John Good idea, but doesn't quite work that way in a lot of cases; the machine doing file service may also run services that need access to files stored in AFS. In principle, I agree with you. -- Coy Hile [EMAIL PROTECTED]
[OpenAFS] Solaris 10/SMF
For those of you who work on Solaris 10, what would you recommend as far as writing manifests and methods to migrate OpenAFS to smf(5)? I was thinking of creating services openafs/server and openafs/client with the former doing nothing but starting the bosserver and loading the appropriate and the latter doing basically the client section of afs.rc. I'll submit my manifests and methods to -devel.
As I am also making my local zones pseudo AFS clients (via a lofs mount of /afs from the global zone), I was going to make svc:/system/zones a dependent of svc:/network/afs/client. Does anybody else have any thoughts?
-- Coy Hile [EMAIL PROTECTED]
Re: [OpenAFS] OS 10.4 and Kerberos 5 aklog
On Fri, 14 Oct 2005, Ken Hornstein wrote: (3) The aklog directory is not built on MacOS X because it is part of the login build group and the login build group is not built on MacOS X. Changes to the makefile dependencies will have to be made.
Is this a change? Because OS X (under 10.3) was one of my test platforms for aklog, and it was definitely built by default (once you specified it with the right configure options, of course).
It built for me once I specified --with-krb5 and set KRB5LIBS and KRB5CFLAGS building 1.4.0-RC6 under panther about 3 days ago.
-- Coy Hile [EMAIL PROTECTED]
Re: [OpenAFS] OS 10.4 and Kerberos 5 aklog
On Fri, 14 Oct 2005, Jeffrey Altman wrote: It built for me once I specified --with-krb5 and set KRB5LIBS and KRB5CFLAGS building 1.4.0-RC6 under panther about 3 days ago.
I'm glad to hear it. One less thing to do. The configure script should still be modified to auto-configure Kerberos support on Mac OS X.
I don't speak autoconf particularly well, but I can try to patch this change in if somebody's got a handy beginner's guide to hacking autof00.
-- Coy Hile [EMAIL PROTECTED]
[OpenAFS] idiotic openafs on OS X question
Okay, this is a *really* stupid question, but I cannot think of an answer. I've done a 'sudo make package' when building various releases on OS X to create OpenAFS.pkg then install that using the builtin installer mechanism. My question is this. For those of you running with OS X clients, how do you easily upgrade/uninstall the OS X clients? When an app puts all its stuff in one folder, simply nuking that folder removes it, but the OpenAFS install appears to put things in multiple (at least two that I can find) places on disk. Again, apols for the newbie question.
-- Coy Hile [EMAIL PROTECTED]
Re: [OpenAFS] OpenAFS docs in AFS?
On Fri, 23 Sep 2005, Frank Burkhardt wrote: I don't know about an AFS source but debian offers a compressed archive containing the html docs: http://ftp.debian.org/debian/pool/main/o/openafs-doc/openafs-doc_1.4rc3.orig.tar.gz
Okay, now I feel stupid. What I want is available here: http://dl.openafs.org/dl/openafs/candidate/1.4.0-rc4/openafs-1.4.0-rc4-doc.tar
I guess I need more coffee this morning.
-- Coy Hile [EMAIL PROTECTED]
[OpenAFS] changing underlying filesystem?
Just thinking aloud here, but does this make any sense, or am I totally off my rocker? From what I can glean from the docs, it appears that AFS uses the underlying filesystem on partitions (/vicepxx slices); that is, UFS on Solaris, XFS on SGI, whatever AIX uses on AIX and then stores metadata about acls and volumes. If that is the case, how difficult would it be for Solaris users to use ZFS as the underlying filesystem rather than UFS (once ZFS is available externally)?
-- Coy Hile [EMAIL PROTECTED]
[OpenAFS] OpenAFS docs in AFS?
Are the OpenAFS docs (the IBM manuals) available under http://www.openafs/doc/ available in AFS somewhere? That would be a lot easier than grabbing the whole directory via wget to archive a local copy.
-- Coy Hile [EMAIL PROTECTED]
[OpenAFS] Installing 1.4.0RC4 to use SEAM Krb5
Hello, I'm attempting to install 1.4.0RC4 onto my machines and create a local cell for myself to experiment with OpenAFS. Currently, I have SEAM (Solaris 10 GA) running and working for user authentication. The installation documents that I found state, if you're going to use Kerberos rather than AFS authentication and authorization, contact IBM support to see how to change this installation procedure.
What I'd like to know is whether there are documents that tell me (hopefully in baby steps as I am new to Kerberos as well) what I need to do to integrate OpenAFS with my existing SEAM/krb5 install. Users currently authenticate through the pam_krb5 module that ships with SEAM.
Thanks,
-- Coy Hile [EMAIL PROTECTED]
Re: [OpenAFS] Installing 1.4.0RC4 to use SEAM Krb5
On Mon, 19 Sep 2005, Douglas E. Engert wrote: o The configure was done using:
    KRB5CFLAGS=-I$K5BUILD/$SYS/krb5/include
    KRB5LIBS="/usr/lib/gss/mech_krb5.so -R/usr/lib/gss"
    export KRB5CFLAGS
    export KRB5LIBS
    ./configure --enable-transarc-paths \
        --with-krb5=yes \
        --enable-largefile-fileserver \
        --host=sparc-sun-solaris2.10
Okay Doug, I have another question. You reference $K5BUILD and $SYS in the environment variables above. From that, I gather that you're populating the filesystem with various krb5 headers that (for reasons unknown to us) Sun do not ship. Where in the filesystem do you put those headers? Thanks again, and I apologize for seeming like such a neophyte; Kerberized services are something of a new thing for me.
-- Coy Hile [EMAIL PROTECTED]
Re: [OpenAFS] Installing 1.4.0RC4 to use SEAM Krb5
On Mon, 19 Sep 2005, Douglas E. Engert wrote:
Date: Mon, 19 Sep 2005 15:13:00 -0500
From: Douglas E. Engert [EMAIL PROTECTED]
To: Coy Hile [EMAIL PROTECTED]
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Installing 1.4.0RC4 to use SEAM Krb5
Also as said, I was using gssklog, that uses a standard API that does not have these problems. I build from AFS, and $K5BUILD points into our cell where these were at. $SYS is in effect @sys i.e. sysname of sun4x_510
Let me pose another question. Let's assume that I have my PAM stack setup like you mentioned in your first mail (and end up using gssklog to do the krb5 to OpenAFS token stuff). In initializing the first machine in my cell, what (if any) modifications do I need to make to the instructions given here http://www.openafs.org/pages/doc/QuickStartUnix/auqbg005.htm#HDRWQ50 under the sections Starting the Database server processes, initializing cell security and starting the fileserver, Volume Server and Salvager to ensure that my krb5 installation is used for authentication and authorization? Unless I am misunderstanding setting up the cell security, some non-krb5 password ends up getting used for auth. Apologies for the inane questions, but parts of this take a while to get one's head around the first time.
-- Coy Hile [EMAIL PROTECTED]