Re: [OpenAFS] Access Denied with OA 1.7 and Win XP SP3
Hi,

On Mon, Dec 02, 2013 at 02:26:14PM -0500, Jeffrey Altman wrote:
> On 12/2/2013 3:33 AM, Frank Burkhardt wrote:
>> Hello Jeffrey,
>> On Thu, Nov 28, 2013 at 02:49:39PM -0500, Jeffrey Altman wrote:
>>> Frank,
>>> A quick test from an XP SP3 system upgraded from 1.6.1 to 1.7.28. Using a Limited user local account I am able to access AFS from cmd.exe using both UNC paths and NET USE mapped drive letters. Your description of the problem is quite lacking in details so it is impossible for me to determine whether or not I have an appropriate test case.
> [snip]
> Domain User or Local User?

Both. It doesn't work as long as they are not administrators.

> If domain user, does the user have persistent drive letter mappings to \\AFS via the Microsoft Network in the user's profile?

No. A single drive mapping to afs is created for domain users via a logon script:

net use f: \\afs\cbs.mpg.de

However, accessing AFS via UNC doesn't work either.

Best,
Frank Burkhardt

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Access Denied with OA 1.7 and Win XP SP3
Hello Jeffrey,

On Thu, Nov 28, 2013 at 02:49:39PM -0500, Jeffrey Altman wrote:
> Frank,
> A quick test from an XP SP3 system upgraded from 1.6.1 to 1.7.28. Using a Limited user local account I am able to access AFS from cmd.exe using both UNC paths and NET USE mapped drive letters. Your description of the problem is quite lacking in details so it is impossible for me to determine whether or not I have an appropriate test case.

I'm sorry to not have more information on this but I just tested it again on a regular (German) Windows XP installation incl. SP3 with just Openafs 1.7.2800 and KFW 3.2.2. The admin user is fine but a user which is only in the Users group gets Access denied in AFS.

Which additional information would be of use?

Best,
Frank Burkhardt
[OpenAFS] Access Denied with OA 1.7 and Win XP SP3
Hi everyone,

we've got several Windows XP machines (I know, we'll have to replace them eventually) which we upgraded to SP3 recently. After that we tried to upgrade from Openafs 1.5 to Openafs 1.7.2700, however:

With Windows XP SP3 and OA 1.7 it is impossible to access the AFS as a regular user. The cmd.exe error message when cding into AFS space is "Zugriff verweigert" (which is German for "Access Denied" or maybe "Permission Denied"). Administrators can access the AFS via UNC or a substed drive perfectly fine but regular users can't. With SP2 it's working fine.

Does anyone have an explanation for this?

Thank you for any hint,
Frank Burkhardt
[OpenAFS] Not enough disk space
Hi everybody,

most of our file servers exceed the magical limit of 2TiB per partition. When I try to save a file via MS Word 2010 on a volume there, an error is shown:

There is not enough disk space. Free enough disk space, and the try again.

It seems to be related to the free disk blocks on the partition exceeding 2^31 . I'm not quite sure if my users started using MS Word for files on those partitions recently or if the Windows AFS Client's behaviour changed during an upgrade. I'm using 1.7.1700 here.

Depending on the Fileserver's AFS version, doing 'fs exa' on a directory in an affected volume shows different kinds of values for the partition's free space:

# openafs 1.4.12.1
$ fs exa my/folder
[...]
The partition has 1385923784 blocks available out of -1290650952
# Wrong: 5.2TiB is available

# openafs 1.6.1:
[...]
The partition has -1 blocks available out of -1
# Wrong: 5.4TiB is available

Writing those Word files works fine as long as version[fileserver] == 1.4.12 and (bytesfree[partition] mod 2^42) 2^41 .

Is there a solution to that problem?

Best Regards,
Frank Burkhardt
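
The negative block counts in the 'fs exa' output above are what a count of 1 KiB blocks looks like once it has passed through a signed 32-bit field. The C sketch below is an added example, not part of the original post and not OpenAFS code; it assumes 1 KiB blocks and signed 32-bit fields, and the number of 2^32 wraparounds is an assumption chosen to match the 5.2TiB the post reports as free.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption (not from the post): sizes travel as counts of 1 KiB blocks
 * in signed 32-bit fields, so only the low 32 bits survive. */
#define BLOCKS_PER_TIB (1ULL << 30)   /* 2^30 KiB = 1 TiB */

/* Value a signed 32-bit field shows for a true block count. */
int32_t wrap_blocks(uint64_t true_blocks)
{
    uint64_t low = true_blocks & 0xFFFFFFFFULL;
    if (low >= 0x80000000ULL)                      /* bit 31 set: reads as negative */
        return (int32_t)((int64_t)low - 0x100000000LL);
    return (int32_t)low;
}

/* True block count for a reported value, given how many times the count
 * passed 2^32. The wrap count cannot be recovered from the value itself. */
uint64_t unwrap_blocks(int32_t reported, unsigned wraps)
{
    return (uint64_t)(uint32_t)reported + ((uint64_t)wraps << 32);
}

/* A caller that compares the signed free count against a request size. */
int has_room(int32_t reported_free, int32_t needed_blocks)
{
    return reported_free >= needed_blocks;
}

/* Saturate instead of wrapping: the result is never negative and never
 * smaller than the true value unless the true value exceeds INT32_MAX. */
int32_t clamp_blocks(uint64_t true_blocks)
{
    return true_blocks > (uint64_t)INT32_MAX ? INT32_MAX : (int32_t)true_blocks;
}

int main(void)
{
    /* Values printed by the 1.4.12.1 server in the post. */
    int32_t free_rep = 1385923784;
    int32_t total_rep = -1290650952;
    /* One wraparound each is an assumption, see lead-in. */
    uint64_t free_true = unwrap_blocks(free_rep, 1);
    uint64_t total_true = unwrap_blocks(total_rep, 1);
    /* Constructed sample: 3 TiB free sets bit 31 of the block count. */
    uint64_t three_tib = 3 * BLOCKS_PER_TIB;

    printf("free : %" PRId32 " -> %" PRIu64 " blocks (%.2f TiB)\n",
           free_rep, free_true, (double)free_true / BLOCKS_PER_TIB);
    printf("total: %" PRId32 " -> %" PRIu64 " blocks (%.2f TiB)\n",
           total_rep, total_true, (double)total_true / BLOCKS_PER_TIB);
    printf("3 TiB free wraps to %" PRId32 ", room for 1 MiB: %d\n",
           wrap_blocks(three_tib), has_room(wrap_blocks(three_tib), 1024));
    printf("3 TiB free clamps to %" PRId32 ", room for 1 MiB: %d\n",
           clamp_blocks(three_tib), has_room(clamp_blocks(three_tib), 1024));
    return 0;
}
```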
[OpenAFS] VL server preferences
Hi Everyone,

I'm currently doing a testrun with Ubuntu Natty + openafs 1.6.0 (Russ Allbery's Debian package version 1.6.0-1). When I do

root@myhost fs setserver -vl someserver 1000

I get this message:

This cache manager does not support VL server preferences.

This was working in 1.4.x . Is this a permanent change? Is there an alternative to change VL-Server priority? Maybe via DNS (I'm using -afsdb)?

Regards,
Frank Burkhardt
[OpenAFS] Low load on multi core fileserver
Hi AFS-Fans,

is the openafs-fileserver supposed to take advantage of multiple cpu cores? I got a new big server which I tried to use as an afs-fileserver (just for fun - the server will be dedicated to something else later). However, 7 of its 8 cores seem to idle all the time - even when 7 afs-clients are writing data into volumes on harddisks attached to the server.

BTW: There's one harddisc per volume. The network seems not to be a bottleneck - performance varies between 10 and 20 MB/s on a 1GBit-Link.

I admit to have a rather old Openafs version (1.4.10). Is there a chance to increase utilisation of this server? Will upgrading to 1.4.12 fix this?

The server runs Debian Lenny without further modifications - kernel is 2.6.26 (x86_64).

Thank you for any help.

Regards,
Frank
Re: [OpenAFS] Modifying the output of vos commands to include server UUIDs
Hi,

On Wed, Apr 14, 2010 at 11:23:17AM -0400, Jeffrey Altman wrote:
> [snip]
> I'm a long-time fan of having a switch that causes tools to dump their data in an easy-to-machine-parse format. That isn't always doable, but when it is, it's a big win.
> [snip]
> Anyone want a -xml option?

print Yes - me. x $very_often;

Especially for listvol it would be very helpful.

Best,
Frank
Re: [OpenAFS] Cache size limit?
Hi,

On Mon, Mar 22, 2010 at 02:38:50PM +, Stephen Quinney wrote:
> I was wondering if there are set limits on the AFS cache size for a client? Or are there any limiting factors which mean it is not worth going beyond a certain point? In this case, this is on a 32bit Linux machine but I am also interested in getting an answer for the same question for x64_64 Linux. The machine is being used by multiple users simultaneously to do big (i.e. large memory cpu usage, lots of filesystem access, long running) computation jobs so I am trying to work out the best way to optimise the AFS access.

I've got about 100 linux hosts (x86_64,Debian Lenny,OA 1.4.10) here using a 30GB disk cache. However, I would be interested in some information about cache limits, too.

One of my users is very disappointed about our AFS' performance. So I put an additional 200GB HDD into his computer, set the cache to 175GB ... and it just didn't work. I do not know exactly what the symptoms were but if anyone is interested, I can do it again and post what happens.

OK - back to the most interesting question: What are the theoretical and practical limits of the cache size on linux? How do the practical limits vary between machines accessing lots of small files and hosts accessing some large files?

Thank you in advance for any information.

Regards,
Frank
Re: [OpenAFS] Specify size reported by 'df' ?
Hi,

On Fri, Apr 02, 2010 at 04:17:25PM -0400, Richard Brittain wrote:
> Hi, I'm wondering if anyone has tried to customize the (fake) size reported by 'df', and specifically if anyone has looked into how hard it might be to make that configurable per-client, with something like a root-only 'fs setdfsize' ? We occasionally run into problems with the 900 k value when some tool wants to start dumping 10GB into AFS and decides to check first.

I've got a similar problem here. For MacOSX, I've to compile AFS myself - changing the free-space-constant before that. Otherwise, our beloved Finder refuses to copy largish data sets (which I have to move around a lot) into AFS.

However, another fs subcommand might not be necessary - just increasing the reported free space to 2TiB-1Block should be sufficient since most volumes' quota is considerably smaller than that.

Are there any programs known to break when reported free space is that high?

Regards,
Frank
Re: [OpenAFS] open/free imbalance
Hi,

On Mon, Nov 23, 2009 at 02:29:35PM +, Simon Wilkinson wrote:
> On 23 Nov 2009, at 08:52, Frank Burkhardt wrote:
>> Does anyone know, what it means?
> It means that we're not informing the IMA audit layer when we open a disk cache file for writing. Unfortunately for us, the kernel is telling it when that file gets closed, and so you get an imbalance between opens and closes.
> Normally, it would be simple to fix this, but sadly the IMA API can only be called from GPL'd code. So, at present, all we can say is that the OpenAFS cache manager is incompatible with kernels built with IMA support.
> Fortunately, as you're building your own kernel, there is a simple solution - just disable IMA when you configure your kernel build.

I'll do so. My main concern was that those messages could mean "Warning: Data is being shredded."

Thank you for the explanation.

Regards,
Frank
[OpenAFS] open/free imbalance
Hello everyone,

to prevent security issues, I upgraded to a more recent kernel. It's 2.6.31.6 - without any patches from kernel.org. Since I'm using that kernel with openafs 1.4.11 (actually it's Russ Allbery's Debian package, version 1.4.11+dfsg-5), my kernel prints out lots of lines like this:

ima_file_free: V9356 open/free imbalance (r:0 w:-21 o:-21 f:0)

and sometimes bugs like that:

Pid: 5626, comm: afs_cachetrim Tainted: P 2.6.31.6-f4c #1
Call Trace:
[c11af2d8] ima_file_free+0x83/0xdb
[c10ab6d9] __fput+0xd1/0x172
[c10ab793] fput+0x19/0x1b
[c10a8f14] filp_close+0x51/0x5b
[f880d472] osi_UFSClose+0x25/0x31 [openafs]
[f87d35ef] afs_FreeDiscardedDCache+0x16a/0x206 [openafs]
[f87d7bbc] afs_CacheTruncateDaemon+0x217/0x386 [openafs]
[f8816bce] afsd_thread+0x34b/0x5c9 [openafs]
[f8816883] ? afsd_thread+0x0/0x5c9 [openafs]
[c1009097] kernel_thread_helper+0x7/0x10

All the numbers (except for the zeros) vary. Since V... seem to be files of the AFS cache manager, I was wondering if this has to do with the AFS kernel module.

Does anyone know what it means?

Regards,
Frank
Re: [OpenAFS] Re: PAGs in Ubuntu Karmic
Hi,

On Thu, Nov 05, 2009 at 02:12:01PM -0600, Andrew Deason wrote:
> On Thu, 5 Nov 2009 20:55:51 +0100 Frank Burkhardt f...@gmx.net wrote:
>> $ aklog -setpag
> Do you need to use -setpag to obtain a new PAG? From the shell, using 'pagsh' is a much more reliable way of getting a PAG, but gives you a PAG in a new shell, not your calling process.

I hadn't used pagsh since aklog did the job (until now). However, I do not really need a given process to get a new pag - a subprocess is fine. pagsh works perfectly for me.

Thank you very much,
Frank
Re: [OpenAFS] PAGs in Ubuntu Karmic
Hi,

On Thu, Nov 05, 2009 at 08:12:35AM +, Simon Wilkinson wrote:
> On 5 Nov 2009, at 06:20, Russ Allbery wrote:
>> I suspect that what you're seeing is that AFS uses keyrings with current kernels instead of GID-based PAGs to accomplish the same purposes. The AFS part works the way it always has, but the supplemental groups may not show up as GIDs.
> Currently, we always push the supplemental groups in the users additional group list - so even when keyring based PAGs are in use, you should see the additional entries.
>> But it's hard to be sure without more details on what you mean by not working any more.

I meant "Explicitly opening a new PAG as user".

> Indeed. One option (and this is a shot in the dark) is that it's a PAM issue. If Ubuntu have started using pam_keyinit, then it's vital that this is run before any AFS PAM module. Otherwise, pam_keyinit will happily replace AFS's keyring with its own.

Keyring's fine, I think. There's a session wide PAG in place:

$ keyctl show
Session Keyring
-3 --alswrv 0 65534 keyring: _ses.2711
52561941 s--v 0 0 \_ afs_pag: _pag

Here's an example:

$ kinit frank
Password for fr...@alpha:
$ aklog
$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 1000) tokens for a...@alpha [Expires Nov 6 22:35]
--End of list--
$ bash
$ kinit afstest
Password for afst...@alpha:
$ aklog -setpag
Tokens held by the Cache Manager:
User's (AFS ID 1097) tokens for a...@alpha [Expires Nov 6 22:36]
--End of list--
$ exit
$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 1097) tokens for a...@alpha [Expires Nov 6 22:36]
--End of list--

I expected to be in a different PAG when the second tokens is executed. But I'm not. When the subshell is left, I end up with the token of the subshell.

Since I use non-default PAM-files (the same I'm using on my debian machines), I don't think it's a PAM issue but a kernel or aklog one.

Best,
Frank
Re: [OpenAFS] Strange kernel messages from yesterday...
Hi,

On Mon, Nov 02, 2009 at 12:30:10PM +0100, Anders Magnusson wrote:
> Harald Barth wrote:
>> Ext3 works too (server or client), but slower.
> Hm, is ext3 slower if used on server? In that case, anyone checked why?

After some benchmarking a while ago - see here:

http://fbo.no-ip.org/cgi-bin/twiki/view/Instantafs/WhichFs

I decided to use ext3 since most people I asked hadn't been happy with reiser3's stability. However, hardware configuration mentioned on the benchmark page is no longer in use here (Core2Quad instead of Xeon, RAID6/Areca instead of RAID5/3Ware). Maybe some of the filesystems' properties changed, too.

I'm currently 95% happy with ext3. There is just one problem. Sometimes (esp. when my nightly debian mirror script runs), removing a directory takes forever (up to 10 seconds per rmdir() according to strace) while there's no other load on either the server or the client.

Regards,
Frank
Re: [OpenAFS] Fileserver doesn't recognise host-principals
Hi,

On Wed, Sep 03, 2008 at 10:34:18AM -0700, Russ Allbery wrote:
> Frank Burkhardt [EMAIL PROTECTED] writes:
>> I've got a strange problem here. Some of my AFS-client-machines must put some stuff into AFS on a regular basis. Since all of them have a host/...-Keytab, I wanted to use it as AFS-identity:
>> [EMAIL PROTECTED] $ pts create host.somehost.cbs.mpg.de
>> User host.somehost.cbs.mpg.de has id 200044
> AFS uses K4 principal naming, so the PTS ID has to be rcmd.somehost. AFS will map host/somehost.your.domain to rcmd.somehost internally before checking ACLs.

Thank you - that was the problem. Is there any reason for this anomaly? Is it possible to disable it?

Regards,
Frank
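
The mapping Russ Allbery describes, from a Kerberos 5 host principal to the Kerberos 4 style name that has to exist in PTS, sketched in C. This is an added example, not part of the original thread and not OpenAFS source; the function names and the EXAMPLE.ORG realm are made up, and it goes slightly beyond the host case by also handling plain and name/instance principals.

```c
#include <stdio.h>
#include <string.h>

/*
 * Map "name[/instance][@REALM]" to the Kerberos 4 style "name[.instance]".
 * The special case from the thread: host/<fqdn> becomes rcmd.<short hostname>.
 * Returns 0 on success, -1 if the principal cannot be mapped.
 * Hypothetical helper written for this example.
 */
int krb5_to_pts_name(const char *princ, char *out, size_t outlen)
{
    char buf[256];
    char *realm, *inst, *dot;
    const char *name;
    size_t len;
    int n;

    if (princ == NULL || out == NULL || outlen == 0)
        return -1;
    len = strlen(princ);
    if (len >= sizeof(buf))
        return -1;
    memcpy(buf, princ, len + 1);

    realm = strrchr(buf, '@');          /* drop the realm, if any */
    if (realm != NULL)
        *realm = '\0';

    inst = strchr(buf, '/');            /* split name and instance */
    if (inst != NULL) {
        *inst++ = '\0';
        if (strchr(inst, '/') != NULL)  /* K4 names have at most one instance */
            return -1;
    }
    name = buf;

    /* A dot inside the first component would be indistinguishable from
     * name.instance after mapping ("frank.admin" vs "frank/admin"), so
     * this sketch rejects it instead of guessing. */
    if (*name == '\0' || strchr(name, '.') != NULL)
        return -1;

    if (inst != NULL && strcmp(name, "host") == 0) {
        dot = strchr(inst, '.');        /* keep only the short hostname */
        if (dot != NULL)
            *dot = '\0';
        name = "rcmd";
    }
    if (inst != NULL && *inst == '\0')
        return -1;

    n = (inst != NULL) ? snprintf(out, outlen, "%s.%s", name, inst)
                       : snprintf(out, outlen, "%s", name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 if the PTS entry is the one the server would look up for princ. */
int pts_entry_matches(const char *princ, const char *pts_name)
{
    char mapped[256];

    if (krb5_to_pts_name(princ, mapped, sizeof(mapped)) != 0)
        return 0;
    return strcmp(mapped, pts_name) == 0;
}

int main(void)
{
    /* Hostname from the post; the realm is a constructed placeholder. */
    const char *princ = "host/somehost.cbs.mpg.de@EXAMPLE.ORG";
    char mapped[256];

    if (krb5_to_pts_name(princ, mapped, sizeof(mapped)) == 0)
        printf("%s -> %s\n", princ, mapped);
    printf("PTS entry host.somehost.cbs.mpg.de matches: %d\n",
           pts_entry_matches(princ, "host.somehost.cbs.mpg.de"));
    printf("PTS entry rcmd.somehost matches: %d\n",
           pts_entry_matches(princ, "rcmd.somehost"));
    return 0;
}
```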
[OpenAFS] Fileserver doesn't recognise host-principals
Hi,

I've got a strange problem here. Some of my AFS-client-machines must put some stuff into AFS on a regular basis. Since all of them have a host/...-Keytab, I wanted to use it as AFS-identity:

[EMAIL PROTECTED] $ pts create host.somehost.cbs.mpg.de
User host.somehost.cbs.mpg.de has id 200044
[EMAIL PROTECTED] # kinit -k -t /etc/krb5.keytab
[EMAIL PROTECTED] # klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/[EMAIL PROTECTED]

Valid starting Expires Service principal
08/26/08 16:22:11 08/27/08 18:22:11 krbtgt/[EMAIL PROTECTED]
Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
08/26/08 16:22:49 08/27/08 18:22:11 [EMAIL PROTECTED]
Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] # aklog
[EMAIL PROTECTED] # tokens
Tokens held by the Cache Manager:
User's (AFS ID 200044) tokens for [EMAIL PROTECTED] [Expires Aug 27 18:22]
--End of list--

However, when I try to create a file in AFS, I'm recognised as anonymous:

[EMAIL PROTECTED] # cd /afs/cbs.mpg.de/tmp/leipzig;rm -f xxx
[EMAIL PROTECTED] # touch xxx
[EMAIL PROTECTED] # ls -la xxx
-rw-r--r-- 1 anonymous root 0 Aug 26 16:25 xxx

There's nothing suspicious in the AFS-client's dmesg or in the fileserver's FileLog.

Does anyone have an idea, what might cause this problem? I use keytabs+AFS all the time. The problem just affects host-keytabs - on at least 3 of my machines.

Thank you for any hints.

Regards,
Frank
Re: [OpenAFS] Bug? No space left on device
Hi,

On Thu, Apr 24, 2008 at 08:40:56PM -0400, Jason Edgecombe wrote:
> [snip]
> Yes, there is a 2TB limit on volumes and vice partitions for AFS versions, but I think it has been fixed in the last release of 1.5.x or the next 1.5.x release. The fix was very recent and only addresses the vice partition limitation. volumes are still limited to 2TB.

If you're using debian or ubuntu, you might want to have a look at

ftp://instantafs.cbs.mpg.de/instantafs/debian

The most recent openafs-packages (1.4.7 ...) there are patched to support 2GB partitions.

Regards,
Frank
Re: [OpenAFS] speed of OpenAFS fileserver
Hi,

On Sat, Feb 23, 2008 at 02:18:23PM +0100, Lars Schimmer wrote:
> [snip]
> Is there any limit built in? Has anyone reached more than 10 MB/sec from debian fileserver package?

Yes - we have :-) :

Reading a single large file: 55.5 MiB/s
Writing a single large file: 63.5 MiB/s

This is the configuration:

* G33-DS3R mainboard
* Intel Core2Quad Q6600 , 2.4GHz
* 2GB of RAM
* 1GBit/s ethernet
* 10x 750 GB in a RAID-6 on an Areca 1231 controller
* ext3 as /vicepa
* Debian Etch + latest updates
* Kernel is vanilla 2.6.23.8, results are nearly the same for 2.6.24.0

The given performance values were measured between two of those servers which were connected via a single low-cost GE-switch.

Regards,
Frank
Re: [OpenAFS] Strange group behaviour.
Hi,

On Fri, Jan 25, 2008 at 11:01:52AM +0100, Anders Magnusson wrote:
> Hi,
> I have just encountered a non-working behavior of group membership, and I cannot see what I'm doing wrong. Environment: Redhat, OpenAFS 1.4.5 on both server and client.
> I have a user:
> % pts examine afs-backup
> Name: afs-backup, id: 99942, owner: system:administrators, creator: afs-fiddler, membership: 3, flags: S, group quota: 20.
> % pts membership afs-backup
> Groups afs-backup (id: 99942) is a member of:
> system:backup
> system:ptsviewers
> But, this user cannot access directories where system:backup has rl as permissions, which it should. Adding afs-backup directly with rl to the directory works fine. I really don't understand why this does not work, other users membership in other groups works just fine.
> Any hints? I think this is a really trivial problem, but I cannot understand what's wrong :-)

Did you get a new token for afs-backup after adding it to system:backup?

Regards,
Frank
Re: [OpenAFS] AFS + Citrix = ?
Hi,

Sorry for the long delay...

On Tue, Dec 11, 2007 at 07:09:27AM -0500, Jeffrey Altman wrote:
> [snip]
>> Oh - one more thing: We don't have Active directory here. Does anyone have experience with Citrix + AFS or have an idea what to try?
>> Regards, Frank
> Citrix and OpenAFS have worked together for years with integrated logon as part of an Active Directory domain. Citrix is not your problem.

Problem is, although we've got a domain (Samba based), we do *not* have an Active directory. So the question is:

Is there anyone who ever got Citrix to work with integrated AFS-logon but without Active Directory?

Regards,
Frank Burkhardt
Re: [OpenAFS] AFS + Citrix = ?
Hi,

On Fri, Jan 11, 2008 at 12:35:30PM -0500, Jeffrey Altman wrote:
> David Bear wrote:
>> being completely citrix ignorant here, I wonder why integrated logon would fail regardless of what the domain logon provider was.
> AFS Integrated Logon looks up the location of the user's profile to determine if it is in AFS or not.

Our users' profiles are not in AFS but on a Samba share. However, they can successfully (=they get tokens) logon to a non-citrix windows workstation.

Regards,
Frank

--
Frank Burkhardt [EMAIL PROTECTED]
phone: +49 341 9940-142
Max Planck Institute for Human Cognitive and Brain Sciences, Leipzig, Germany
ASCII Ribbon Campaign against HTML Mail
GPG: 6DCA A8BA 4DBD 14EE 7D4C 3F0C A015 6284 7146 EC5F
[OpenAFS] AFS + Citrix = ?
Hi,

we've got an AFS cell here which contains our users' unix homedirectories. Users are able to successfully login using MIT 5 kerberos on linux workstations. User-to-homedir-mapping is provided via an openldap server.

Some of our users have local windows machines which they are able to login at using a windows profile served by a samba PDC which uses our openldap server. When they're logged in, their unix- (afs-) homedirectory volume is assigned a drive letter and they are able to access it correctly (using a token).

Unfortunately we've some applications that are using node locked licenses. They are served via 5 Citrix Presentation server windows servers. Until now, we've not been able to configure such a server to accept logins the way a local windows computer does. Citrix somehow hooks into the login process and users don't have authenticated AFS access in their sessions after login.

Oh - one more thing: We don't have Active directory here.

Does anyone have experience with Citrix + AFS or have an idea what to try?

Regards,
Frank
Re: [OpenAFS] Strategy for disaster recover of an AFS fileserver
Hi,

On Thu, Oct 25, 2007 at 09:09:11PM +0200, Lars Schimmer wrote:
> Jose Calhariz wrote:
>> In recent past I had lost a /vicepa partition with half of the volumes of my cell and found that my backup procedure is not fast enough for recovering so many volumes and data. I am using amanda without afs patch.
>> What plans do you have for quick recovering from massive loss of data on an AFS cell?
> first: no loss of data ;-)
> second: an extra server with HD space and a RO copy of ALL volumes
> third: 2-4 RO copies of all RW volumes spread over 4 fileservers
> fourth: vos convertRotoRW

You forgot three-dot-fifth: Put RO- and RW-servers as far as possible away from each other. This is worth more than a fire insurance.

Regards,
Frank
Re: [OpenAFS] Automatic move of volumes
On Wed, Oct 24, 2007 at 01:34:51PM +0200, Jacob Volstrup wrote:
> Hi,
> For quite some time I've been searching for something to help me move some volumes from a constantly failing /vicepa raid to my new /vicepb. The reason for not doing this manually is partly that I'm lazy and Further, I would like to have this fully automated if I would like to move them back in the future (perhaps when the disks for /vicepa are replaced).

If you can afford some downtime, the most efficient way is to simply copy the files from /vicepa to /vicepb on the server's filesystem:

cd /vicepa;cp -a . /vicepb

Make sure /vicepb is empty before that.

Warning: This worked for me lots of times but be careful anyway.

Regards,
Frank
Re: [OpenAFS] Automatic move of volumes
Hi,

On Wed, Oct 24, 2007 at 09:31:55AM -0400, Steve Devine wrote:
> [snip]
>> If you can afford some downtime, the most efficient way is to simply copy the files from /vicepa to /vicepb on the server's filesystem:
>> cd /vicepa;cp -a . /vicepb
>> Make sure /vicepb is empty before that.
>> Warning: This worked for me lots of times but be careful anyway.
>> Regards, Frank
> Wow this seems like a recipe for disaster. Do you then sync the vldb or rename the partition to vicepa

Sorry - I forgot. Of course the data partition name has to be the same after the copy process. I tried it once using syncvldb and ended up having multiple RW instances of the same volume on the server.

I mostly use cp for simple harddisk upgrades (on small machines). For Multi-TB-servers vos move to a different server is the better choice mainly because of the low uptime.

Regards,
Frank
Re: [OpenAFS] Strange access problems on one client
Hi,

On Mon, Sep 24, 2007 at 10:31:35PM -0700, Russ Allbery wrote:
> [snip]
> It looks like this is Linux kernel breakage. According to a Debian bug reporter with the same problem, it appears to reliably trigger on x86 with 2.6.22.6, and reliably not trigger with 2.6.22.5.

I tested with 2.6.22.5 (+ xen-patches) and the problem is the same.

Regards,
Frank
[OpenAFS] Nested groups
Hi afs-fans,

I asked the same question some years ago - maybe something changed since then:

Is there some way to find out which groups a given group is member of? 'pts membership' always shows just the members of a group and not which groups it is member of. Maybe there's some undocumented switch?

Regards,
Frank
Re: [OpenAFS] Strange regular afs failure
Hi,

On Mon, Sep 24, 2007 at 08:54:58AM -0400, Derrick Brashear wrote:
> The afs server threads servicing that client blocked and there was a race caught when the client tried making more of the same RPC while the previous one was still being serviced.

I don't fully understand that. Does this mean, my network duplicates packets?

Regards,
Frank
[OpenAFS] Strange regular afs failure
Hi,

an afs client of mine does some cron job on a regular basis (once per 5 minutes) which involves reading from and writing to a single afs volume. Every Monday morning ~ 7:30 the job fails with IO errors. Client logs show several

kernel: afs: failed to store file (5)

messages, FileLog on the volume's Fileserver shows this:

Mon Sep 24 07:33:30 2007 FindClient: stillborn client 8221900(1ef6f034); conn 823f0d0 (host 10.0.54.228:7001) had client 8221c48(1ef6f034)
Mon Sep 24 07:33:30 2007 FindClient: stillborn client 82215b8(1ef6f03c); conn 823fd80 (host 10.0.54.228:7001) had client 8221900(1ef6f03c)
Mon Sep 24 07:33:30 2007 FindClient: stillborn client 8220fd0(1ef6f028); conn 823d0f0 (host 10.0.54.228:7001) had client 82215b8(1ef6f028)

The fileserver is set to automatic restart at 01:45 the same day which means, the job ran several times successfully before it failed after the restart. Restart times of my DB-servers are set to Sunday morning.

I checked the network - client and server are connected via a single switch which is managed and doesn't show any log entry for at least 1 hour around the event. I can also rule out other cron jobs on client and server - none of them runs near 07:30 .

The only timely related event is one of our NFS-server's restart which is done on a regular basis. The NFS server returned seconds before the afs-failure:

Sep 24 06:09:06 hagen kernel: nfs: server helena not responding, still trying
[...]
Sep 24 07:33:27 hagen kernel: nfs: server helena OK
Sep 24 07:33:33 hagen kernel: afs: failed to store file (5)

What do the logentries on the AFS server mean? Does anyone have an idea, where to look for the cause of the problem?

Regards,
Frank
Re: [OpenAFS] Strange access problems on one client
Hi,

On Mon, Sep 24, 2007 at 06:41:31AM +0200, Harald Barth wrote:
> [EMAIL PROTECTED] ~ % LANG= ll /afs/grand.central.org/
> ls: cannot access /afs/grand.central.org/local: No such file or directory
> ls: cannot access /afs/grand.central.org/software: No such file or directory
> total 14K
> drwxrwxrwx 3 root root 2.0K Jun 17 2004 archive/
> drwxrwxrwx 2 root root 2.0K May 7 2006 cvs/
> drwxrwxrwx 3 root root 2.0K Mar 21 2003 doc/
> ?? ? ?? ?? local
> drwxrwxrwx 2 root root 2.0K Jun 17 2005 project/
> drwxrwxrwx 5 root root 2.0K Jan 30 2007 service/
> ?? ? ?? ?? software
> drwxrwxrwx 2 root root 2.0K Aug 25 00:15 user/
> drwxrwxrwx 5 root root 2.0K Aug 24 20:10 www/
> That is really strange because I can't see why doc should differ from software. Both are mountpoints with similar ACL and permissions.

I'd like to point out that on my machine not only mountpoints are affected but directories and files as well. Is this the same on yours, Dirk?

Regards,
Frank
Re: [OpenAFS] Strange access problems on one client
Hi,

I'm having a similar problem.

On Sun, Sep 23, 2007 at 09:54:31AM +0200, Dirk Heinrichs wrote:
> Hello,
> since I got a mail from another person who had this same problem, I would like to follow up on this. Here's what I wrote back in august:
> [snip]
> [EMAIL PROTECTED] ~ % LANG= ll /afs/altum.de
> ls: cannot access /afs/altum.de/music: No such file or directory
> ls: cannot access /afs/altum.de/cells: No such file or directory
> total 4.0K
> d? ? ? ??? cells/
> drwx-- 2 heini users 2.0K Jun 29 20:10 data/
> drwx-- 2 root root 2.0K Sep 1 2006 home/
> d? ? ? ??? music/

Same here: some directories _and files_ are un-stat()-able although they're listed by readdir() - I can't see a pattern. It's not a permission problem: the problem includes files and directories with system:anyuser=rl .

I had a similar problem some years ago when I used XFS as cache-partition but this time it's ext2 - I swear.

This is what I use:

* Debian Unstable (Sid)
* in a Xen domain (domU)
* Openafs 1.4.4 (exact debian version is 1.4.4.dfsg1-7) (*1)
* Vanilla kernel 2.6.22.7 + Xen Patch (*2)
* afsd options automatically chosen

(*1) The debian-openafs-package afaik contains several patches but it runs fine on a non-xenified (vanilla) kernel 2.6.22.2.

(*2) The xen patch was stolen from ubuntu gutsy's linux-kernel-2.6.22 package. It's available at ftp://fbo.no-ip.org/t/xen-2.6.22.diff.gz .

I had the same problem with kernel 2.6.18 which was downloaded and patched automatically during the xen-3.1 build process.

First I thought of xen as the guilty piece of software, until I read Dirk's post. Does anyone have a clue, what this might be? How can I help debugging this?

Regards,
Frank

--
Frank Burkhardt [EMAIL PROTECTED]
phone: +49 341 9940-142
Max Planck Institute for Human Cognitive and Brain Sciences, Leipzig, Germany
ASCII Ribbon Campaign against HTML Mail
GPG: 6DCA A8BA 4DBD 14EE 7D4C 3F0C A015 6284 7146 EC5F
Re: [OpenAFS] Removing a backup volume
Hi,

On Fri, Jul 20, 2007 at 06:17:43PM +0200, [EMAIL PROTECTED] wrote:
> Hi,
>
> On Fri, 20 Jul 2007, Frank Burkhardt wrote:
> > Hi, I did some benchmarks to find out, which filesystem is best: http://fbo.no-ip.org/cgi-bin/twiki/view/Instantafs/WhichFs
>
> thanks for sharing this. Are you reading linux-ide-arrays? There was a thread this week where someone pointed out that it's important to set the sunit and swidth parameters according to your RAID setup when creating XFS filesystems. Was your filesystem tuned this way?

Hi, thank you for pointing me in that direction. But ... I tried using sunit/swidth and did the whole benchmark again - there was no difference regarding performance :-( .

Regards,
Frank
Re: [OpenAFS] OpenAFS not able to support large files?
Hi,

On Mon, Jul 23, 2007 at 09:01:11AM -0400, Jesse W. Asher wrote:
> I ran across the below paragraph in an IBM document at http://www.redbooks.ibm.com/redbooks/pdfs/sg246657.pdf (page 7). When talking about NFSv4, they said:
>
> *NFS has evolved into a powerful enterprise file system that enables it to take advantage of today's more powerful servers and storage. Earlier enterprise file systems such as AFS and DFS have architectural limitations that limit their ability to process large files and take advantage of the increased memory and multiprocessor support available in modern servers.*
>
> I know that AFS is used extensively at large companies like Intel and IBM. I was wondering how true the above really was??

AFS is able to handle large (> 2G) files. It is a configure option which is (at least in the openafs debian package) on by default.

Regards,
Frank
Re: [OpenAFS] Removing a backup volume
Hi,

I did some benchmarks to find out which filesystem is best: http://fbo.no-ip.org/cgi-bin/twiki/view/Instantafs/WhichFs

Now my boss wants me to use ext3, I would prefer reiser3 - difficult decision :-) .

Regards,
Frank
Re: [OpenAFS] ACL for system:administrators
Hi,

On Mon, Jul 16, 2007 at 04:57:04PM +0200, El Barto wrote:
> Hi,
>
> I have a little problem with acl and the system:administrators group. I removed the right for system:administrators on my afs volume:
>
> ([EMAIL PROTECTED] 105)fs la
> Access list for . is
> Normal rights:
> vadot_e rlidwka
> ([EMAIL PROTECTED] 106)
>
> Now I can't list or re-define acl for this volume (it seems logical) but I want to. How can I do that?

Members of system:administrators have implicit 'l' and 'a' everywhere. You should be able to set ACLs as admin.

Regards,
Frank
[OpenAFS] Which file system is the best for AFS data partitions?
Hi,

On Mon, Jun 25, 2007 at 04:46:29PM -0400, Steven Jenkins wrote:
> * What is the underlying filesystem? what features do you have enabled? ( e.g., the output of dumpe2fs -h or equivalent on your system)

Ok ... I replaced my beloved XFS by reiserfs (3), created a volume containing 19 files. Removing its backup clone took 54s which is more than 500 times faster (considered, the time needed by the operation depends on the # of files only) than on XFS.

I'll take the chance to ask everyone about their filesystem preferences for (namei-) AFS data partitions. I'm especially interested in things like "I used XYfs but moved to YZfs because of XX". Please write about non-linux servers' filesystem preferences, too.

Thank you in advance,
Frank
Re: [OpenAFS] [vos] listvldb
Hi,

On Mon, Jul 02, 2007 at 12:14:22PM -0400, Derrick Brashear wrote:
> On 7/2/07, Alessio Rocchi [EMAIL PROTECTED] wrote:
> > Hi everybody. I'm writing to ask you for the meaning of New release -- old release and old release -- old release configurations, appearing while issuing the vos listvldb command. Reading the documentation didn't help me :(
>
> a vos release was done, and didn't complete to the sites listed old release

I don't think Alessio meant that. Sometimes a volume instance's state is New release -- old release and not just Old release. I would be interested in an explanation, too.

Regards,
Frank
Re: [OpenAFS] Removing a backup volume
Hi, On Mon, Jun 25, 2007 at 04:46:29PM -0400, Steven Jenkins wrote: On 6/25/07, Derrick Brashear [EMAIL PROTECTED] wrote: On 6/25/07, Steven Jenkins [EMAIL PROTECTED] wrote:... The root problem here is the underlying filesystem presumably offers poor performance for deleting files, and the way to fix it is to use a filesystem that doesn't. Deleting a volume is really deleting a tree of files and directories, and it won't run any faster for OpenAFS than it does for anything else. I'm just trying a different filesystem on one of my servers (Reiserfs). Maybe XFS is a poor choice for AFS. Frank, let me ask some additional questions: * What OS are you on? (including distribution, release, etc) * What is the underlying filesystem? what features do you have enabled? ( Filesystem is XFS (no options used for mkfs.xfs). OS information can be found in my first mail (digest: OS=Debian Etch 4.0, Kernel=2.6.21.0 (vanilla;self-compiled), Openafs=1.4.4). With that information, we might be able to help explain things more clearly and completely. Thank you, Frank
Re: [OpenAFS] Having trouble releasing volumes to newsite
Hi,

On Thu, Jun 21, 2007 at 08:56:02AM -0400, David Sonenberg wrote:
> I have a newly created file and database server, that I am first trying to add replicas to.

I had a problem which looked exactly like yours some days ago. It was caused by a badly configured firewall. Make sure UDP/7005 is allowed in both directions.

Regards,
Frank
[OpenAFS] Removing a backup volume
Hi,

I'm currently removing a backup clone which belongs to a volume containing ~ 55 GB in ~ 102000 files. 'vos status' shows a DeleteVolume transaction which has been running for 63 min now. Is it supposed to take that long?

I've seen this on all of our file servers - especially when performing clone operations (e.g. vos backup, vos release). However: cpus are ~99.5% idle (cpu load is always ~1.0 ). The fileserver removes the clone exclusively - no one else accesses content from the volume's volumegroup and it's the only volume on the server.

Is there a way to speed things up?

Here are some data about the machine:
* 2x Xeon 2.66GHz
* OS: Debian Etch 4.0
* Vanilla Linux kernel (2.6.21.0), SMP, no patches
* Openafs 1.4.4 (Sam Hartman's package backported from Debian Sid)
* Data partition resides on a SATA-RAID connected via a PCI-X-3Ware-Controller

Thank you for any hint,
Frank
[OpenAFS] Salvaging an RO-Volume
Hi,

a broken RO-volume resides on one of my fileservers:

  $ vos listvol [fileserver] a
  [...]
  Could not attach volume 536877628
  Total volumes onLine 352 ; Total volumes offLine 1 ; Total busy 0

I don't need it, so I want to remove it:

  # vos remove [heilbutt] a 536877628
  Transaction on volume 536877628 failed
  Volume needs to be salvaged
  Volume needs to be salvaged
  Error in vos remove command.
  Volume needs to be salvaged

Ok - let's salvage it:

  # bos salvage [fileserver] a 536877628 -showlog
  Starting salvage.
  bos: salvage completed
  SalvageLog:
  @(#) OpenAFS 1.4.4 built 2007-04-23
  06/13/2007 09:10:23 STARTING AFS SALVAGER 2.4 (/usr/lib/openafs/salvager /vicepa 536877628)
  06/13/2007 09:10:23 536877628 is a read-only volume; not salvaged

That doesn't work :-( . What is the best way to handle this?

Regards,
Frank
Re: [OpenAFS] Salvaging an RO-Volume
Hi,

On Wed, Jun 13, 2007 at 09:41:08AM +0200, Hartmut Reuter wrote:
> You need to specify the RW-volumeId for salvage even if there is no RW volume in the partition!

Thank you, that solved the problem :-) .

Regards,
Frank
Re: [OpenAFS] eliminating non-ptserver authorization (was: vos dump authorization based on bos adduser)
Hi,

On Fri, Jun 08, 2007 at 03:23:48PM -0500, Christopher D. Clausen wrote: Adam Megacz [EMAIL PROTECTED] wrote: Christopher D. Clausen [EMAIL PROTECTED] writes: So how would I issue bos shutdown for an entire cell, and then bos startup? I guess that's the only case where this is a problem. But how often does somebody without login access to any of the fileservers shut down an entire cell (for that matter, how often does anybody ever shut down an entire cell)? Logon to one of the AFS servers so that I have access to the KeyFile? This isn't ideal in certain situations. If you are on the UserList, can't you (ab)use bos exec to steal the KeyFile anyways? There is a --enable-bos-restricted-mode configure option. I'm pretty sure that it disables bos -exec. Maybe someone can specify what exactly bos restricted mode enables or disables?

I found this (German) page about that topic: http://archiv.tu-chemnitz.de/pub/2001/0097/data/bosserver1.html

It basically says:
- restricted mode disables bos (exec|create|delete|install|uninstall)
- restricted mode rejects bos getlog-requests for filenames starting with / (hopefully this mode will check for '..'s in the path ;-) )
- to enable restricted mode either start bos with '-restricted' option or use 'bos setrestricted'
- to disable restricted mode use 'killall -FPE bosserver'

Regards,
Frank
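The message above says restricted mode rejects getlog file names starting with / and hopes that '..' is checked as well. The following is an added illustration, not part of the original post and not bosserver's code, of a name check that covers both cases; the function name log_name_allowed and the 256-byte limit are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not taken from OpenAFS: decide whether a file name
 * sent in a log-fetch request may be opened relative to the server's log
 * directory. Returns 1 if the name is acceptable, 0 if it is rejected. */
int log_name_allowed(const char *name)
{
    const char *p;

    if (name == NULL || name[0] == '\0')
        return 0;                   /* nothing to open */
    if (name[0] == '/')
        return 0;                   /* absolute path: the case named in the post */
    if (strlen(name) >= 256)
        return 0;                   /* constructed length limit for this example */

    /* Walk the name one path component at a time. */
    p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 0)
            return 0;               /* empty component: "a//b" or a trailing '/' */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;               /* ".." climbs out of the log directory */
        if (len == 1 && p[0] == '.')
            return 0;               /* "." is never needed in a log name */
        if (end == NULL)
            return 1;               /* last component checked, name is clean */
        p = end + 1;
    }
}

int main(void)
{
    /* Constructed sample requests, not taken from any real log. */
    const char *samples[] = {
        "FileLog", "/etc/passwd", "../secret",
        "old/../../secret", "..FileLog", "a//b"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               log_name_allowed(samples[i]) ? "allowed" : "rejected");
    return 0;
}
```

The check is purely lexical: a symbolic link inside the log directory would still be followed, so a server would also have to control what that directory contains.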
Re: [OpenAFS] speed of vos dump on linux gbit ethernet
Hi,

On Thu, Jun 01, 2006 at 02:02:15PM +0200, Sven Oehme wrote:
> ok, what are the normal debian-startup.. i am running SUSE or Redhat servers ..

There's nothing special about the debian startup. Usually file-/volserver are run without parameters but the admin is free to modify BosConfig. I think Lars was referring to the content of afs.conf.client which contains client startup options (afsdb, dynroot, fakeroot, ...) only. They are not used for afs-servers.

Regards,
Frank
Re: [OpenAFS] OpenAFS implementation questions.
Hi,

On Thu, May 25, 2006 at 12:23:01PM -0700, Brady Catherman wrote:
> I am currently considering moving our environment to OpenAFS but before I can switch I need to make sure a few things are going to keep working.. We have users that use our systems for months on end without logging off and I am concerned that the kerberos ticket they are being issued will expire. Having them log back into kerberos/openafs isn't really a good option for us (I am having a hard enough time selling even the basic conversion, let alone anything that requires user action!)

Use some kind of reauthentication. On one of my AFS-clients there are 4 processes running *always* (they start when the computer boots up, they terminate only when the computer is going to reboot). I'm using a self-written tool tokenmgr which knows how to execute kinit, aklog and some other programs in the right way to ensure that a valid token is always available. In most cases, I'm using keytabs to provide the necessary Kerberos credentials.

A different method can be used for interactive or semi-interactive sessions. When someone logs in by ssh, he would just type 'tokenmgr -R' (and enter his password twice) to get an arbitrary number of virtual terminals (using the almighty 'screen' command). All programs run in those terminals will always have a valid token.

Regards,
Frank
Re: [OpenAFS] OpenAfs and MS Office: Delayed Write Failed
Hi,

On Mon, May 22, 2006 at 09:31:04AM -0400, Jeffrey Altman wrote:
> Please generate the logs again and this time make sure that Clock Time and Show Milliseconds are selected in both DbgView and FileMon prior to capturing the log data. This will allow the events in one log to be synchronized with the data in the other log.

Here they are:
http://fbo.no-ip.org/mail-temp/crash-debug-23052006.log
http://fbo.no-ip.org/mail-temp/crash-filemon-23052006.log

Regards,
Frank
Re: [OpenAFS] OpenAfs and MS Office: Delayed Write Failed
Hi,

On Tue, May 16, 2006 at 10:06:38AM -0400, Jeffrey Altman wrote:
> [snip] You are going to have to follow the directions in the release notes to configure OpenAFS to export debugging data and then capture it using SysInternals' File Monitor and Debug Viewer. This will provide me the necessary data to determine what is failing.

I finally managed to get those two log files. They can be downloaded here:
http://fbo.no-ip.org/m/crash-debug.log
http://fbo.no-ip.org/m/crash-filemon.log

The log files were recorded while trying to save a 4MB Word document.

Regards,
Frank
[OpenAFS] OpenAfs and MS Office: Delayed Write Failed
Hi,

we are currently trying to get MS Office to work with files within AFS. Unfortunately we failed to successfully save files > 4MB. The OpenAFS clients crashed, giving only this error message

  Windows - Delayed Write Failed
  Windows was unable to save all the data for the file \\brandis-afs\auto1\tmp\leipzig\nebel\~WRD0003.tmp. The data has been lost. This error may be caused by a failure of your computer hardware or the network connection. Please try to save this file elsewhere.

, requiring a reboot to regain access to AFS.

Some information about the software we use:
- Client:
  - Windows XP SP2
  - OpenAFS for Windows 1.4.1
  - MS Office 2003 SP2
- Server:
  - Debian GNU/Linux Sarge, Vanilla Kernel 2.6.13
  - OpenAFS 1.4.0

We do not have any firewall between client and server - the Windows firewall is disabled. None of our (~300) linux clients has any problems.

Regards,
Frank
Re: [OpenAFS] OpenAfs and MS Office: Delayed Write Failed
Hi,

On Tue, May 16, 2006 at 08:58:01AM -0400, Jeffrey Altman wrote:
> By any chance are you using McAfee as your anti-virus software?

No. The only software installed on the computer is
* Windows
* OpenAFS
* Mozilla

We eventually want to set up some firewall/antivirus software - most likely from Symantec.

Maybe it's important:
* I chose to get DB-servers from DNS
* Freelance mode is off
* No loopback device is installed

Regards,
Frank
Re: [OpenAFS] finding change rate of volumes
Hi,

On Wed, May 10, 2006 at 01:35:23AM +0200, Lars Wilke wrote:
> Hi, out of curiosity. Is it possible to get the change rate of the data stored inside a volume on a daily (or other time frame) basis? I am looking for a way to find out how many bytes were changed since day XY. I am using openafs 1.4.0 btw.

If your volumes are small, you could try this:

  vos dump [volume] -time [current time minus e.g. one day] | wc -c

Of course you shouldn't do this with multi-TB-volumes.

Regards,
Frank
[OpenAFS] SSO with AFS and Windows without ActiveDirectory
Hi,

we're currently setting up some Metaframe servers (Windows terminal servers) which should be able to access AFS. Problem is the authentication against (MIT) Kerberos. Users have to enter their password twice (Windows-Login, Kerberos-Login). Is there any chance to use the Windows-Login-Password to get AFS tokens without using MS-Kerberos and AD? Is anyone actually doing this?

Thank you for any hints,
Frank
Re: [OpenAFS] SSO with AFS and Windows without ActiveDirectory
Hi,

On Thu, Apr 27, 2006 at 06:48:56AM -0400, Jeffrey Altman wrote:
> Frank Burkhardt wrote:
> > [snip] Problem is the authentication against (MIT) Kerberos. Users have to enter their password twice (Windows-Login, Kerberos-Login). Is there any chance to use the Windows-Login-Password to get AFS tokens without using MS-Kerberos and AD?
>
> There are a variety of ways to do this. [snip]

Thank you but I would like not to use AD. Is there no way to do this without Active Directory?

Regards,
Frank
Re: [OpenAFS] AFS Cell Name change
Hi,

On Thu, Apr 06, 2006 at 04:49:38PM +0100, Nuno Miguel da Cruz Neves wrote:
> Hello. I maintain an AFS cell whose domain registration just got lost... :( Now, I am trying to get the domain back, but it seems hard to do (unresponsive address on the other side). So, I would like to know what is involved in changing the AFS domain name. For instance, If I change the ThisCell on every server and client and the afs.root mappings, will it work? Will it maintain the entire structure below?

Yes - as long as you do not use target cell names in your volume mountpoints under /afs/[yourcell] which is very unlikely. But you have to do some more than just changing ThisCell. You have to change the server-CellServDB on any DB-server (Debian-Linux places it at /etc/openafs/server/CellServDB).

The most interesting thing will be the Kerberos database. I don't know if you are using kaserver - I don't. My kerberos database contains an explicit realm name on each principal plus the password hashes are salted using the realm name. I would have to either get all my users to reset their passwords or give up my 'realm=uc(cellname)' rule which would cause other problems.

> What steps should I take to ensure everything keeps working?

I think it's impossible to actually keep everything working during a cell name change. You will suffer some downtime.

BTW: How many servers/users do you have?

Regards,
Frank
Re: [OpenAFS] ticket/token forwarding debian - info
Hi,

On Fri, Mar 31, 2006 at 11:38:50AM +0200, Lars Schimmer wrote:
> [snip] After some time with krb5 and pam working but with no ticket forwarding I want to set that up. Anyone got krb5-ticket forwarding with automatic token generation on remote debian pc running and has tips for me to set this up?

I'm using a modified version of ssh that executes aklog after authentication. Feel free to download it @ ftp://instantafs.cbs.mpg.de/instantafs/debian/sarge/openssh+afs/4.2p1-5+2afs

There are some hints (in German) on how to use it in this document: ftp://instantafs.cbs.mpg.de/instantafs/doc/admin-guid.pdb (8.11.1 In einer SSH-Shell...)

> And does this work from winxp krb5 to debian krb5, too?

I don't know.

Regards,
Frank
Re: [OpenAFS] FAM and OpenAFS
Hi,

On Tue, Feb 21, 2006 at 09:48:26AM +0100, Lars Schimmer wrote:
> [snip] Here on Debian the famd consumes up to 100% load from time to time, I just restart the famd and everything is back normal. All I got from the mailinglist is: take another monitor daemon, famd is well known for this problem.

Here on Debian we just removed famd after having some problems. We are using KDE 3.0 .. 3.5.

OT: What is famd needed for?

Regards,
Frank
Re: [OpenAFS] Understanding questions backup volume
Hi,

On Thu, Feb 09, 2006 at 11:43:45AM +0100, Lars Schimmer wrote:
> Hi! I start using backup volumes ;-) It is fairly easy to create one and mount them. But: Where is the difference between RO copies and a backup volume? I know, backup volumes should be used for backup, RO for distributing data all over the cell.

Backup volume instances are explicitly disk space efficiently stored plus they can be referred by a volume mount point. Hint: additional volume instances (clones) of a RW instance can be created using 'vos clone' but it's not easy to mount them.

> A backup should be made of the backup volumes, because this doesn't lock the RW volumes for a long time.

Yes. Especially if you use the backup volume for different backup strategies (see below).

> And if I vos dump the backup volumes to a backup server (amanda-afs or just plain dump) I could rebuild the backup volumes. Does this help me in case of a lost RW volume?

If you use 'vos dump', a backup volume is not necessary. Using 'vos dump -clone' clones the RW instance first, dumps this clone and removes it after the dump.

> At least a RO copy could be converted to a RW volume in nearly NO time, but a backup volume?

A backup volume can't because it's stored as a diff against the RW which means it's damaged when the RW is.

> Our cell is designed to have a RO copy of every RW volume. And if one RO copy of a RW volume resides on a file server housed in a datacenter far away I've got a quick and easy 1-day-backup in case of big error here. With the ROtoRW convert the cell is back up very fast. So why use backup volumes?

I'm using 3 backup strategies here:
* Backup volumes are created - any user can restore yesterday's data (covering 95% of all cases of lost data)
* ROs are stored on a server differing from the RW one (for disaster recovery) and are updated regularly (Actually I never needed those ROs but it's a good feeling to have them :-) )
* the afs backup system uses the backup volumes to write full and incremental backups to hard disk giving a user with a deleted file ~ 3 months.

> Are backup volumes built incremental?

They are not built. Backup volumes are updated to reflect the current state of the RW instance. They are *stored* differentially to the RW instance.

hth

Regards,
Frank
Re: [OpenAFS] OpenAFS Help!
Hi,

On Wed, Feb 01, 2006 at 11:12:21AM -0500, Pierre Ancelot wrote:
> If someone of openafs project read this I agree with amir about the openafs documentation, it sounds messy... Any project to re-organise it someday ?

I wrote an AFS-documentation for beginners covering all the administrative stuff around AFS. Unfortunately it's in German but have a look if you like:

Homepage: http://instantafs.cbs.mpg.de
Documentation: https://wiki.cbs.mpg.de/bin/viewfile/Openafs/DokuMentation?rev=1.9;filename=admin-guide.pdf

Regards,
Frank
Re: [OpenAFS] bets practices on WAN
Hi,

On Wed, Feb 01, 2006 at 11:52:56AM -0500, Wes Chow wrote:
> Our site has machines in three geographically distant areas. Right now, we have one kdc and openafs vldb server in each location, the rationale being that in case of network disconnections, each location would still be able to access its local services. Does this seem like reasonable setup? Do clients prefer using vldbs that are on the same subnet, like how they prefer RO volumes? Every client has entries for every vldb in the CellServDB file.. sometimes, when there's a short period of network disconnect with the remote vldbs, it seems like clients hang while trying to access those servers, despite the local vldb still being available. Is this possible? If so, is it recommended to remove remote vldbs from client CellServDB files?

Use 'fs setserverprefs -vlservers ...' to make each client prefer the local VLDB (lower the pref-value on the local VLDB below all others). From this time on, the client will only ask the local VLDB with fallback to remote ones (when the local VLDB becomes unavailable).

Regards,
Frank
Re: [OpenAFS] OpenAfs for Mac OSX 10.4
On Fri, Jan 27, 2006 at 09:50:04AM +, [EMAIL PROTECTED] wrote:
> Hi, I should first explain that I am just starting off with OpenAfs and so don't really understand much, ...

Welcome to AFS :-)

Everything I'm writing is related to 1.4.1rc4 - didn't have time to make a rc5 package, yet.

> 1) When I installed OpenAFS 1.4.1 Release Candidate 5, it says that one has to select your cell from the ThisCell file. My problem is that this file contains only one entry, openafs.org. Should I put the cellname that I want to connect to above this or is there something else ?

Just put your cellname into this file ( /var/db/openafs/etc/ThisCell ).

> 2) I went into /Library/StartupItems/OpenAFS to find out why OpenAfs was not running and get this message when I try to start it:
>
> Starting OpenAFS
> Loading AFS kernel extensions
> kextload: extension /var/db/openafs/etc/afs.kext is already loaded
> Starting afsd
> afsd: some file missing or bad in /var/db/openafs/etc
> afssettings: sysctl 3.20.1.0.1 = 0: Operation not supported on socket

Hmm ... don't know this problem. Maybe CellServDB is missing? Do you use AFSDB-DNS-records? If yes, you still need the CellServDB file but you probably want it to be empty:

  echo -n > /var/db/openafs/etc/CellServDB

Regards,
Frank
Re: [OpenAFS] pts group restore?
Hi,

On Mon, Jan 23, 2006 at 08:12:55AM -0500, Steve Devine wrote:
> Over the weekend one of our admins deleted a pts group. Is there any easy way to restore just one pts group with its member ids? IE .. we have backups of the pts database but to put it in place we will lose pts data changes since the last backup.

Use this command to get an ascii-list of groups and their members from a PT-database file:

  pt_util -members prdb.DB0

A small perl script should do the rest.

Regards,
Frank
[OpenAFS] How to change afs-key
Hi,

how often should I change the afs cell key and what is the exact algorithm (e.g. fileservers first, database servers later, ...). Is this documented somewhere?

Regards,
Frank
Re: [OpenAFS] NetRestrict - change existing openafs server to use a single network interface
On Tue, Jan 17, 2006 at 12:36:07PM +, Vladimir Konrad wrote:
> hello, we have an openafs server (configured before i turned up) with two ethernet network interfaces (one for normal network activity, one for backup access). this is a production server. the operating system is Debian Woody, openafs 1.2.11... [snip] what is the correct method to remove use of a network interface on openafs fileserver with existing volumes?

Create a file NetInfo and put all IPs you want to use inside (one per line). I had to put the file in /etc/openafs/server-local but I think the woody-version of openafs expects it in /var/lib/openafs .

Regards,
Frank
Re: [OpenAFS] Bogus volumes
Hi,

On Tue, Jan 10, 2006 at 11:44:20AM +0100, Erland Fristedt X3M (KI/GIS) wrote:
> Hi, I have a problem with bogus volumes on a Redhat ES3 AFS server with OpenAFS 1.2.13
>
> bogus.536870915 536870915 RW 0 K Off-line
> bogus.536871424 536871424 RW 0 K Off-line
> ...
>
> It's possible to remove the volumes with vos remove ... but after a bos salvage .. the volumes reappear again.

Sometimes such volume instances are on my fileservers, too. I simply ignored them until I found out that the size information is incorrect. So I removed the AFSIDat-subdirectories associated to the volume ids.

Use this at your own Risk!

Read /vicep*/AFSIDat/README first! For a linux namei-server those names are:

  536870915 : AFSIDat/1/1+++U
  536871424 : AFSIDat/+/+6++U

Think twice before 'rm -rf'ing anything!

/Use this at your own Risk!

Regards,
Frank
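The two directory names in the message above follow from the volume IDs by a fixed encoding, so a name can be computed and compared before anything on the partition is touched. This is an added example, not part of the original post and not OpenAFS source: the digit alphabet and the use of the ID's low byte for the first directory level are assumptions, chosen because they reproduce both names quoted in the post, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Digit alphabet assumed for this example: 64 characters, value 0 is '+'.
 * It reproduces both names quoted in the post. */
static const char B64_DIGITS[] =
    "+=0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Write v as base-64 digits, least significant digit first.
 * Zero is written as the single digit "+". out needs at least 7 bytes. */
static void flip_base64(uint32_t v, char *out, size_t outlen)
{
    size_t i = 0;

    if (outlen == 0)
        return;
    if (v == 0 && outlen > 1)
        out[i++] = B64_DIGITS[0];
    while (v != 0 && i + 1 < outlen) {
        out[i++] = B64_DIGITS[v & 0x3f];
        v >>= 6;
    }
    out[i] = '\0';
}

/* Build "AFSIDat/<low byte of id>/<id>" for a volume ID.
 * Returns buf, or NULL if buf is too small. */
const char *namei_volume_dir(uint32_t volume_id, char *buf, size_t buflen)
{
    char low[8], full[8];
    int n;

    flip_base64(volume_id & 0xff, low, sizeof low);  /* first level (assumed) */
    flip_base64(volume_id, full, sizeof full);       /* second level */
    n = snprintf(buf, buflen, "AFSIDat/%s/%s", low, full);
    if (n < 0 || (size_t)n >= buflen)
        return NULL;
    return buf;
}

int main(void)
{
    /* The two volume IDs from the post. */
    const uint32_t ids[] = { 536870915u, 536871424u };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof ids / sizeof ids[0]; i++)
        printf("%lu : %s\n", (unsigned long)ids[i],
               namei_volume_dir(ids[i], buf, sizeof buf));
    return 0;
}
```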
Re: [OpenAFS] PAGs - where can I use them?
Hi,

On Wed, Jan 04, 2006 at 01:30:02PM -0500, Derrick J Brashear wrote:
> [snip] And MacOS supports them but because of how the login window stuff works they aren't used.

Thank you - MacOSX is the OS I was most interested in.

Regards,
Frank
Re: [OpenAFS] AFS-Backup-Limits
Hi,

On Mon, Dec 26, 2005 at 06:05:10PM +0100, Frank Burkhardt wrote:
> Hi, are there any known limits to OpenAFS' backup database? I'm most interested in:
> * max number of volume sets
> * max number of tapes
> * max number of dumps

Thank you for sharing your experience on that. But where can I find information about theoretical limits? My primary concern is some arbitrary limit caused i.e. by the data types being used - maybe something like max[tapes]=65536 .

Regards,
Frank
[OpenAFS] PAGs - where can I use them?
Hi,

which platforms/OSs are PAGs supported on? Is it linux only?

Regards,
Frank
Re: [OpenAFS] AFS-Backup-Limits
Hi,

On Mon, Dec 26, 2005 at 02:31:34PM -0600, Tracy Di Marco White wrote:
> [snip] We stopped using the AFS backup system two weeks ago.

What were the reasons?
[OpenAFS] AFS-Backup-Limits
Hi,

are there any known limits to OpenAFS' backup database? I'm most interested in:
* max number of volume sets
* max number of tapes
* max number of dumps

Regards,
Frank
Re: [OpenAFS] Anyone experienced these probs with 1.4 ?
Hi,

On Mon, Dec 19, 2005 at 04:19:01PM -0500, Jeffrey Altman wrote:
> Lars Schimmer wrote:
> > Hi! Today I had a strange problem. 1.4 server, 1.4 clients on win and linux. A user could go down a path to a directory and there were just 0 byte files in it.
>
> a directory listing with 0 byte files is a side-effect of not being able to obtain stat data either because the user does not have appropriate tokens or because all servers registered for that volume are marked as being down. Use the tokens and fs checkservers commands on the

I was curious and tried to reproduce this situation. I found a strange (- inconsistent) behaviour of the (linux-)openafs-client.

This is what I did:

  [EMAIL PROTECTED] mkdir test;cd test;fs sa -clear joe .;echo test > test
  [EMAIL PROTECTED] cd test;ls -la
  total 12
  drwxrwxr-x 2 daemon root 2048 2005-12-20 11:00 ./
  drwxr-xr-x 97 root users 10240 2005-12-20 10:57 ../
  ?- ? ? ? ?? test

And here is what I didn't expect:

  [EMAIL PROTECTED] cd test;ls -la
  total 15
  drwxrwxr-x2 daemon root 2048 Dec 20 11:00 ./
  drwxr-xr-x 97 root users 10240 Dec 20 10:57 ../
  -rw-r--r--1 daemon root5 Dec 20 10:52 test

My guess: The openafs-client doesn't seem to enforce the r-permission correctly when the stat-data of the examined file is cached. Is this wrong, wanted or unavoidable behaviour?

Regards,
Frank
Re: [OpenAFS] Homedir Backup Strategies
Hi,

On Tue, Dec 13, 2005 at 05:21:03PM -0800, [EMAIL PROTECTED] wrote:

Does it work to:

1. Have homedirs be forced-r/w mountpoints, use vos addsite / vos release for backups and do 'vos convertROtoRW' as recovery?

I can't see why this one wouldn't work.

2. Do a 'vos copy' to another fileserver and then 'vos rename' the copy back to the original name for a restore? I'm concerned that the numeric ID of the volume would change and that cache managers might wind up confused?

I'm trying to get fast on-line/near-line recovery in the event of a failed shelf or otherwise corrupt fileserver, without going through 'vos restore' for every volume. The 'vos backup[sys]' command doesn't get me what I want because in the event of a shelf failure the clone is gone as well.

What about this solution:

 1. Homedirs are RW-mountpoints (they always should be...), volumes are on fileserver f1.
 2. There's RO-copy of all homedir-volumes on a different fileserver (f2), updated on a regular basis (vos release).
 3. When f1 crashes, you do this:

    for v in [all homedir volumes]; do \
      vos convertROtoRW -server f2 -partition a -id $v; \
    done; \
    bos salvage -server f2

 4. Make sure f1 stays down!

There should be no change in volume ids but maybe other side effects that are unavoidable in such a situation. Example: ~/.Xauthority is not up-to-date - users will have to relogin into their X-sessions.

Regards,
Frank
Re: [OpenAFS] minor bug: -afsdb does not understand CNAME
Hi,

On Sun, Dec 11, 2005 at 10:50:34PM -0800, Adam Megacz wrote:

Apparently if the host listed in an AFSDB entry is a CNAME record, afsd will not chase the reference. I take it that afsd doesn't use the usual gethostbyname() to resolve the hostname it gets after pulling an AFSDB record... is there a reason why this is the case?

$ host -t AFSDB -l cbs.mpg.de
cbs.mpg.de. AFSDB 1 afsdb1.cbs.mpg.de.
cbs.mpg.de. AFSDB 1 afsdb2.cbs.mpg.de.
cbs.mpg.de. AFSDB 1 afsdb3.cbs.mpg.de.
cbs.mpg.de. AFSDB 1 afsdb4.cbs.mpg.de.
cbs.mpg.de. AFSDB 1 afsdb5.cbs.mpg.de.
$ host afsdb1
afsdb1.cbs.mpg.de CNAME dresden.cbs.mpg.de
dresden.cbs.mpg.de A 10.0.181.11

It's working here - all AFSDBs are CNAMEs. are you using a single-component-cellname (foobar) and not a multi-component one (foo.bar) ? There's a bug in recent glibc which makes using AFSDB-DNS-records impossible for dotless cells - at least without a patch applied to the openafs-source.

Regards,
Frank
Re: [OpenAFS] Perl Modules for OpenAFS 1.4
Hi,

On Wed, Dec 07, 2005 at 12:35:40PM -0800, Mike Polek wrote:

In case anyone else uses the Perl modules for OpenAFS and needs them working with OpenAFS 1.4 before the AFS-2.2.4 version of the Perl code comes out, the following patch appears to fix up some minor problems with the upgrade to 1.4.

Cool :-) Unfortunately the patch doesn't apply to libafs-perl-2.2.3 .

$ tar -xzf AFS-2.2.3.tar.gz
$ patch -p0 patch.txt
patching file AFS-2.2.3/src/Makefile.PL
Hunk #1 FAILED at 140.
1 out of 1 hunk FAILED -- saving rejects to file AFS-2.2.3/src/Makefile.PL.rej
patching file AFS-2.2.3/src/AFS.xs
Hunk #1 FAILED at 2012.
Hunk #2 FAILED at 2053.
Hunk #3 FAILED at 3663.
3 out of 3 hunks FAILED -- saving rejects to file AFS-2.2.3/src/AFS.xs.rej

Could you post (or send in private) the modified sources or a diff that applies to the libafs-perl-sources from CPAN?

Regards,
Frank
Re: [OpenAFS] 1.4.1-rc2 Mac File Oddities
Hi,

On Fri, Dec 02, 2005 at 03:07:54PM -0700, Mike Bydalek wrote:

[snip]

Is it possible, that your Mac is behind a firewall or somehow not able to get the callbacks? It would completely fit what you're describing.

No, this is all on the same subnet - so nothing is interfering between the Mac client and the Server.

Maybe the packet filter of MacOSX itself is the problem. Try to disable it in control center/Sharing (Don't know, if this application's is correct because I own just a german MacOS).

Regards,
Frank
[OpenAFS] AFS-Kerberos-Plugin for MacOSX 10.4
Hi,

is anyone using the Kerberos-aklog-Plugin with MacOSX 10.4? This plugin is used to automagically get AFS-Tokens whenever i.e. kinit is executed.

The binary (got it from http://www.acm.uiuc.edu/admin/afs/aklog-1.0.dmg) worked for me in 10.3 but it's not working in 10.4 :-( . I think http://rescomp.stanford.edu/~akosut/macosx/kfm_aklog.tar.gz is the source of that plugin but there's no make file or configure script.

Does anyone have a working Kerberos-LoginLogout-Plugin for MacOSX 10.4? Does anyone have a tip, how to compile kfm_aklog.tar.gz?

Regards,
Frank
Re: [OpenAFS] Mac OS Tiger, 1.4.1RC2 and aklog problem
Hi,

On Thu, Dec 01, 2005 at 10:20:22AM -0500, Derrick J Brashear wrote:

That looks like either an old aklog or no cache manager running.

11862788 (ktc).4 = a pioctl failed

What's ktrace tell you? (No, we don't need the whole output, just the failure)

I've got the same problem so I post my ktrace-dump:

616 aklog CALL poll(0x14,0,0x800c5603)
616 aklog RET poll -1 errno 22 Invalid argument
616 aklog CALL write(0x2,0x32550,0x5e)
616 aklog GIO fd 2 wrote 94 bytes
aklog: unable to obtain tokens for cell cbs.mpg.de (status: AFS kernel pioctl doesn't exist).

Regards,
Frank
Re: [OpenAFS] Mac OS Tiger, 1.4.1RC2 and aklog problem
Hi,

On Thu, Dec 01, 2005 at 12:38:35PM -0500, Ken Hornstein wrote:

I've got the same problem so I post my ktrace-dump:

616 aklog CALL poll(0x14,0,0x800c5603)
616 aklog RET poll -1 errno 22 Invalid argument
616 aklog CALL write(0x2,0x32550,0x5e)
616 aklog GIO fd 2 wrote 94 bytes
aklog: unable to obtain tokens for cell cbs.mpg.de (status: AFS kernel pioctl doesn't exist).

That sure looks like an old aklog/no cache manager running to me. Are you sure you're running the aklog that comes with RC2?

No, I wasn't. I mistakenly used aklog of rc1 that was overwritten by the rc2 package which was built without krb5. It's working now.

Regards,
Frank
[OpenAFS] Re: aklogin plugin request...
Hi,

On Wed, Nov 30, 2005 at 10:14:49AM -0500, Everette Allen wrote:

Frank, I noticed you said:

I'm using a 'aklog-kerberos-plugin' to get a token using a krb5-TGT.

in a recent post to OpenAFS Info. Does this plugin work for 10.4 and if so would you share the src and/or binary with me?

Yes, I will. Have a look @ ftp://instantafs.cbs.mpg.de/instantafs-collection

This is my collection of useful AFS-related stuff. Look into the url.txt files for information about the origin of the collected files.

I don't know, if this plugin works on 10.4 . I wasn't able to build OpenAFS for Tiger, yet.

Regards,
Frank
[OpenAFS] Building OpenAFS on MacOSX
Hi,

as a linux admin with ~ 0 knowledge about MacOSX I've got a little problem. I need AFS on some MacOSX machines. I know how to compile software packages on linux but I don't have a clue, even where to start on MacOSX.

Is there a howto (what packages to install, what traps to watch for, how to build a MacOSX-Package) for building OpenAFS on MacOS?

Yes, I could use the prebuilt packages from openafs.org but Finder isn't able to handle big files in AFS correctly which is why I want to change some details in the OpenAFS sources.

Regards,
Frank
Re: [OpenAFS] perl CPAN AFS modules for debian
Hi,

On Tue, Nov 29, 2005 at 03:58:03PM +0100, Lars Schimmer wrote:

Hi! At the openafs-workshop in Paderborn I get known to a nice perlscript. To get this script run, I need 2 CPAN perl module installed here on my debian box. AFS::VLDB and AFS::VOS But everytime I try to install them via perl-shell, I get:

/usr/bin/ld: cannot find -lubik
collect2: ld returned 1 exit status
ERROR from evaluation of /root/.cpan/build/AFS-2.2.3/src/Makefile.PL: Could not compile test code to retrieve the version of AFS system libraries...

I installed the debian-package-source of openafs and told perl that directory. Has anyone a tip or maybe two debs for me?

Got debs :-) : ftp://instantafs.cbs.mpg.de/instantafs/sarge/libafs-perl/

and a tip: apt-get install libopenafs-dev

and another one: AFS::VOS doesn't work with either kernel-2.6+ or openafs-1.3+ - I'm not sure which one it was...

Regards,
Frank
Re: [OpenAFS] Building OpenAFS on MacOSX
Hi,

On Tue, Nov 29, 2005 at 10:11:13AM -0600, Douglas E. Engert wrote:

[snip]

I too am not a real Mac person. You may need the MacOS xcode code development packaged, I had it installed before I looked at OpenAFS. Actually I found it rather easy to build OpenAFS on MacOS 10.4, as it is based on unix based.

./configure \
  --enable-largefile-fileserver \
  --with-krb5-conf=/usr/bin/krb5-config
make all
make dest
make packages

After removing --enable-largefile-fileserver (I just need the client so this doesn't matter) it compiled. I fixed the finder-problem and it works like a charm :-) .

Thank you,
Frank

PS: What about this --with-krb5-conf ? There's no /usr/bin/krb5-config on my MacOS (10.3).
Re: [OpenAFS] Building OpenAFS on MacOSX
Hi,

On Tue, Nov 29, 2005 at 02:41:20PM -0700, Mike Bydalek wrote:

PS: What about this --with-krb5-conf ? There's no /usr/bin/krb5-config on my MacOS (10.3).

You need to set KRB5LIBS and KRB5CFLAGS when doing a ./configure. Here's what I used for 10.3:

KRB5LIBS=-L/usr/lib -Wl,-search_paths_first -lkrb5 -lk5crypto -lcom_err -lresolv
KRB5CFLAGS=-I/usr/include

Hmm... './configure --with-afs-sysname=ppc_darwin_70' worked for me - configure didn't complain about missing krb5-options. The resulting package behaves like the original one from openafs.org. I'm using a 'aklog-kerberos-plugin' to get a token using a krb5-TGT.

Is there any improvement that can be achieved by using krb5-options for compiling the openafs package?

Regards,
Frank
Re: [OpenAFS] Log Filtering
Hi,

On Tue, Nov 22, 2005 at 09:01:41AM -0500, Jeffrey Altman wrote:

[snip]

The 1.4 series supports the ability to write debug and audit logs from the various servers to named pipes instead of files. You can implement filtering by deploying a process that reads from a named pipe and outputs the desired entries where you would like them to go.

Is there a documentation or some hint on how to use this feature? Regards, Frank

I'm not sure I understand the question. From a technical perspective all that was done was to remove a restriction that the file name which is opened for the purpose of writing log data must be a physical file on disk. Now it can also be a pipe. Are you looking for documentation on how to use UNIX pipes or something else?

No, I just thought, there'd be some kind of undocumented cmdline parameter for fileserver, volserver, ... - something like '-debug_to_pipe [filename]'. Thanks for clarifying.

Regards,
Frank
Re: [OpenAFS] ip based ACLs
Hi,

On Mon, Nov 21, 2005 at 05:47:33PM -0600, Christopher D. Clausen wrote:

[snip]

what do you mean there are, i haven't seen anything like this in the openafs documentation. Or is it a sysadmin hack?

resulting in a PC with a special IP possessing a legal token as the user.

sounds interesting..could you elaborate more on that?

http://www.duke.edu/~jhv/answers/afs-ip-acls.html

There's one important hint missing in the documentation: Using IP based ACLs means that there's no token involved which means that your AFS-traffic is neither signed nor encrypted when travelling over the network. It's up to you to decide if that's a problem or not. It's one for me which is why I never use IP-ACLs.

I believe that it is even documented in the IBM docs on openafs.org

You're right - i.e. here: http://www.openafs.org/pages/doc/AdminReference/auarf211.htm

Regards,
Frank
Re: [OpenAFS] Log Filtering
Hi,

On Sat, Nov 19, 2005 at 12:05:34PM -0500, Jeffrey Altman wrote:

David Sonenberg wrote:

I read in the release announcement that 1.4.0 includes a facility for setting up log filtering. I would like to set up my server so that a separate log file is created for each user. Would this be possible with the new facility and if so how?

The 1.4 series supports the ability to write debug and audit logs from the various servers to named pipes instead of files. You can implement filtering by deploying a process that reads from a named pipe and outputs the desired entries where you would like them to go.

Is there a documentation or some hint on how to use this feature?

Regards,
Frank
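The filtering process described in the two Log Filtering messages above, as an added example (not code from OpenAFS or from this thread): a reader on the named pipe that writes one log file per user, as asked in the original question. The `NAME <user>` field, the sample lines and all file names are assumptions constructed for illustration; the thread does not show the log layout.

```python
import os
import re
import stat
import tempfile
import threading

# ASSUMPTION: each log line names the acting user as "NAME <user>".
# The thread does not show the real layout; adjust the pattern to your logs.
NAME_FIELD = re.compile(r"\bNAME (\S+)")
# File names derived from log content are limited to this alphabet.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
FALLBACK = "_unattributed.log"

# Constructed sample lines (not real server output).
SAMPLE_LINES = [
    "EVENT FetchData CODE 0 NAME alice HOST 192.0.2.10\n",
    "EVENT StoreData CODE 0 NAME bob HOST 192.0.2.11\n",
    "EVENT FetchData CODE 13 NAME alice HOST 192.0.2.10\n",
    "EVENT FetchData CODE 0 NAME ../../tmp/x HOST 192.0.2.12\n",
    "EVENT Probe CODE 0 HOST 192.0.2.13\n",
]


def log_name_for(line):
    """Return the per-user file name for one log line (a name, never a path)."""
    match = NAME_FIELD.search(line)
    user = match.group(1) if match else ""
    # The user field is untrusted log content: "../x" or "a/b" must not pick the path.
    if not SAFE_NAME.fullmatch(user):
        return FALLBACK
    return user + ".log"


def filter_pipe(pipe_path, out_dir):
    """Copy lines from the FIFO into per-user files until the writer closes it."""
    if not stat.S_ISFIFO(os.stat(pipe_path).st_mode):
        raise ValueError(pipe_path + " is not a named pipe")
    counts, handles = {}, {}
    try:
        # open() blocks here until the writing side (the server) opens the pipe.
        with open(pipe_path, "r", encoding="utf-8", errors="replace") as pipe:
            for line in pipe:
                name = log_name_for(line)
                if name not in handles:
                    # Owner-only files; refuse to write through a symlink.
                    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
                    fd = os.open(os.path.join(out_dir, name), flags, 0o600)
                    handles[name] = os.fdopen(fd, "a", encoding="utf-8")
                handles[name].write(line)
                counts[name] = counts.get(name, 0) + 1
    finally:
        for handle in handles.values():
            handle.close()
    return counts


def demo():
    """Run the filter against a thread that stands in for the log-writing server."""
    with tempfile.TemporaryDirectory() as tmp:
        pipe_path = os.path.join(tmp, "audit.pipe")
        out_dir = os.path.join(tmp, "per-user")
        os.mkdir(out_dir, 0o700)
        os.mkfifo(pipe_path, 0o600)

        def writer():
            with open(pipe_path, "w", encoding="utf-8") as pipe:
                pipe.writelines(SAMPLE_LINES)

        thread = threading.Thread(target=writer)
        thread.start()
        counts = filter_pipe(pipe_path, out_dir)
        thread.join()
        return counts, sorted(os.listdir(out_dir))


if __name__ == "__main__":
    print(demo())
```

A process that opens a FIFO for writing normally blocks until a reader has it open, so the filter should be running before the server is pointed at the pipe.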
Re: [OpenAFS] loging into afs: ssh vs gdm
Hi,

On Mon, Oct 31, 2005 at 11:05:34AM -0500, Ron Croonenberg wrote:

[snip]

Now .. I cannot login with gdm/xdm, it looks like I get logged in but the session terminates immediately. I see the same entry in /var/log/messages as above and this one:

Oct 31 10:56:49 oort gdm(pam_unix)[67775]: session opened for user cowboy by (uid=0)

and that's not correct, uid should be 1219

Any ideas about what is going on here ? (local drug store is already wondering what I need that much advil for)

Just a guess: Maybe you should have a look @ the last lines of ~cowboy/.xsession-errors . I once had a problem that looked like yours. I blamed AFS/Kerberos/NSA but it was just a syntax error in /etc/X11/XSession.d/somefile which prevented the session itself from starting.

Regards,
Frank
[OpenAFS] AFS on MacOSX: Finder doesn't like big files
Hi,

when I try to copy a 16.2GB-file (I bet the magic limit is 1600kB) from a local disk into AFS, the finder fails with an Out of space error (I don't know the exact error message in english - it's a german MacOSX 10.3).

Yes - I know, it's the finder's fault and the mail should better be sent to [EMAIL PROTECTED] But is there any chance to solve the problem - i.e. by increasing the fake free-space value of /afs ?

BTW: Why is this fake-value 16GB only and not i.e. 2048GB?

Regards,
Frank
Re: [OpenAFS] AFS on MacOSX: Finder doesn't like big files
On Mon, Oct 24, 2005 at 08:47:20AM -0400, Derrick J Brashear wrote:

On Mon, 24 Oct 2005, Frank Burkhardt wrote:

Hi, when I try to copy a 16.2GB-file (I bet the magic limit is 1600kB) from a local disk into AFS, the finder fails with an Out of space error (I don't know the exact error message in english - it's a german MacOSX 10.3).

And I suppose you'd like us to guess what OpenAFS version?

No I don't - sorry. It's 1.3.82 - the latest one I found precompiled for MacOSX.

Regards,
Frank
Re: [OpenAFS] Re: Pauses in vos dump commands
Hi,

On Fri, Oct 14, 2005 at 08:47:37AM -0500, E. Chris Garrison wrote:

[snip]

Another person on the list named Steve suggested I try to substitute cat /dev/null for the archive command and run strace on the vos dump and archive. Well, when I use the cat /dev/null, it pauses in the exact same way. Good test though, at least it helps make the case that it's the vos dump not the archive command that's the problem. The strace hangs at this point:

rt_sigprocmask(SIG_BLOCK, [INT CHLD], [CHLD], 8) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7ff2708) = 28554
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
close(3) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [CHLD], 8) = 0
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [CHLD], 8) = 0
rt_sigaction(SIGINT, {0x807603b, [], SA_RESTORER, 0x587a48}, {SIG_DFL}, 8) = 0
waitpid(-1,

Not that I know what all the code means, but it's odd that it pauses in the middle of printing out the command like that.

It's not. It means, that waitpid() is called, which blocks the program until a child process terminates. If you want to see, what's going on within the child processes, use 'strace -f' instead of 'strace' to (f)ollow child processes spawned by the straced process.

A guess of mine: Maybe one of your DB-Servers or one of your DNS-Servers is down? This is a problem, I have in one of my cells although I have to wait ~ 30s instead of 10min.

Regards,
Frank
[OpenAFS] Group memberships
Hi,

how can I get the list of (super)groups, a group is member of? This seems to be possible for users only (pts m [user]) but not for groups.

Regards,
Frank
Re: [OpenAFS] Changing reserved block on ext3 with fs running
Hi,

On Wed, Oct 05, 2005 at 01:20:32PM +0200, Stephan Wonczak wrote:

[snip]

We can't do much about the number of inodes, but we are still sitting with the 5% reserved blocks. Over all partitions this adds to a lot of wasted space (~500GB). Now, obviously we would rather use this space :-)

[snip]

Now the question: Are there any repercussions when changing the number of reserved blocks in this way, or are there any subtle side effects on the fileserver?

AFAIK there should be no problem using 'tune2fs -r' or 'tune2fs -m' on a mounted filesystem (I just tried it). But you most probably needn't do that. The reserved blocks are only accessible to a given user (see 'tune2fs -l /dev/ice | grep uid') when the limit is reached. But this given user is root by default and AFS-Fileservers are running as root. Reserved blocks simply don't matter in this case.

Regards,
Frank
Re: [OpenAFS] database server hardware requirements?
Hi,

On Mon, Oct 03, 2005 at 05:32:35PM -0400, Jiann-Ming Su wrote:

What are minimal hardware requirements (drive size, memory, etc) for a database only server for OpenAFS?

The smallest one I've ever had in production was a Pentium-I 120 with 64MB RAM and a 340MB IDE-Drive but I bet it could be even smaller :-)

It depends on the size of your cell but if it's really only a Database server, you should just make sure that the Database fits into the disk cache (my current database is ~ 8MB for 5 fileservers, 1300 volumes and 500 users). You should add some CPU power if the server is a Kerberos-KDC, too.

Regards,
Frank
Re: [OpenAFS] changing administrative principal?
Hi,

On Tue, Oct 04, 2005 at 12:30:13PM -0400, Jiann-Ming Su wrote:

How do I change the administrative principal of my cell? And is it necessary to have the my_afs_princ/admin notation if my_afs_princ is dedicated specifically for being the admin principal for my OpenAFS cell?

Remove the current admin principal from the system:administrators group, add the new one to this group (pts add ..., pts remove ...).

Remove the current admin from the userlists of *all* afs-servers of your cell and add the new one to userlist of *all* afs-servers (bos removeuser ..., bos adduser ...).

Frank
Re: [OpenAFS] OpenAFS docs in AFS?
Hi,

On Thu, Sep 22, 2005 at 07:43:41PM -0700, Coy Hile wrote:

Are the OpenAFS docs (the IBM manuals) available under http://www.openafs/doc/ available in AFS somewhere? That would be a lot easier than grabbing the whole directory via wget to archive a local copy.

I don't know about an AFS source but debian offers a compressed archive containing the html docs:

http://ftp.debian.org/debian/pool/main/o/openafs-doc/openafs-doc_1.4rc3.orig.tar.gz

(This link might become invalid when new openafs-versions are put into the debian repository)

Regards,
Frank
Re: [OpenAFS] OpenAFS and Xen
Hi,

On Tue, Sep 20, 2005 at 05:51:50PM +0200, Sven Oehme wrote:

i used 1.3.84 , but all 1.4-rc* should work too

It's working like a charm :-) - Thank you (Kernel 2.6.13, OA 1.4rc1, Debian 3.1)

Regards,
Frank
[OpenAFS] OpenAFS and Xen
Hi,

is it possible to use the OpenAFS-Client under Linux running in a Xen-Domain?

Regards,
Frank
Re: [OpenAFS] OpenAFS and Xen
Hi,

On Tue, Sep 20, 2005 at 04:50:01PM +0200, Sven Oehme wrote:

it just works. compile the kernel module with ARCH=xen and it works .

Sounds good :-) . Which OpenAFS-version did you use? Is 1.4rc1 sufficient?

Regards,
Frank
Re: [OpenAFS] To read a file from a directory whose ACL is r-l (read permission but no lookup permission)
Hi,

On Tue, Sep 13, 2005 at 04:10:35PM +0300, acemi wrote:

Hello, I want that users can't browse the directory's content (files list) but they can open/read a file if they know the name of the file. To do that I set r-l (read permission but no lookup permission) as ACL, but user can't read the file in this case.

AFAIK this is not possible but why would you want to do that? It's Security through Obscurity (aka The Windows Way ;-) ).

The l-Permission is more an Enter the directory- than a List the directory's content-permission.

You could create separate directories for all the files you want to protect and change the ACLs of those directories as you like.

Regards,
Frank
Re: [OpenAFS] debian, login, pam.d, home on afs and aklog
Hi,

On Fri, Sep 09, 2005 at 12:16:12PM +0200, Lars Schimmer wrote:

[snip]

So: where is the magic knob on debian to execute aklog for every login?

There's a pam-plugin for debian which does the job (package libpam-openafs-session). You need a pam configuration file like this for any service that should get a token:

auth required pam_krb5.so
auth required pam_openafs_session.so

Have a look at http://fbo.no-ip.org/m/common-auth-afs for a more complex example.

And: has anyone ticket forwarding running on debian sarge and has a small guide for it?

I do. Knowing that you're a german speaker, I would suggest you to read Anhang A - SSH-Login-Varianten of the InstantAFS-admin-guide which can be downloaded here:

https://wiki.cbs.mpg.de/twiki/pub/Openafs/DokuMentation/admin-guide.pdf

There are packages available for sarge. Look here for further information:

https://wiki.cbs.mpg.de/cgi-bin/twiki//view/Openafs/DebianPakete

Regards,
Frank
Re: [OpenAFS] multi-homed issue
Hi,

On Thu, Sep 08, 2005 at 12:45:09PM -0700, Pucky Loucks wrote:

Hi everyone, is there a way to make a fileserver start and choose the ipaddress that it binds to.

No.

i.e. I have 3 ips and I only want to use 1.

... but it's possible to register only given addresses in the VLDB:

http://www.openafs.org/pages/doc/AdminReference/auarf025.htm

Addresses that are not registered will not be used by AFS-clients.

Regards,
Frank
Re: [OpenAFS] Debian - openafs -noauth problems
On Tue, Aug 09, 2005 at 10:01:01PM -0400, Madhusudan Singh wrote:

Hi I was wondering if I could ask a few questions regarding AFS setup on Debian. I am trying to follow the instructions http://www.gentoo.org/doc/en/openafs.xml?style=printable in a Cell A, Realm B type setup.

# bos setcellname omega.domain.edu omega.domain.edu -noauth
bos: failed to set cell (you are not authorized for this operation)

I am running above as root.

Running it as root doesn't help as long as the bosserver wasn't started with '-noauth'. Try this:

# /etc/init.d/openafs-fileserver stop
# /usr/sbin/bosserver -noauth

What does one do from here ? Even the AFSwiki instructions seem to involve a lot of -noauth setup commands. And if I need to issue pts commands for adding users, what credentials do I use ?

There is a tool called pt_util for initially creating a PTDB-Database-file without any tokens needed (The first space in the 3rd line is important!):

# cat /tmp/initial_ptdb
admin 128/20 1 -204 -204
system:administrators 130/20 -204 -204 -204
 admin 1
# pt_util -p /var/lib/openafs/db/prdb.DB0 -w /tmp/initial_ptdb
#

After you've got the admin-account, you should use it to issue pts-commands.

Regards,
Frank