Re: [OpenAFS] changing just the name of a database server?

2017-12-22 Thread Steve Gaarder


On Wed, 20 Dec 2017, Benjamin Kaduk wrote:


Hi Steve,

On Tue, Dec 19, 2017 at 09:19:36AM -0500, Steve Gaarder wrote:

I want to change the name of one of my database servers, while keeping the
IP address the same.  Besides making the change in the DNS and the
machine's hostname, is there anything else I need to do?


You should also notify cellser...@grand.central.org so that the
central CellServDB records can be updated.  IIRC, at least windows
clients use the name after the '#' for address lookups -- it is not
just a comment field.



Thanks for that info.  Does it matter whether the name is a CNAME or not? 
I'm thinking that, to ease the transition, I could make the new name a 
CNAME for the existing name, tell grand.central to change the cellservdb, 
and later rename the machine.


cheers,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


[OpenAFS] changing just the name of a database server?

2017-12-20 Thread Steve Gaarder
I want to change the name of one of my database servers, while keeping the 
IP address the same.  Besides making the change in the DNS and the 
machine's hostname, is there anything else I need to do?


thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu


RE: [OpenAFS] AFS in the age of the wild west internet

2016-05-13 Thread Steve Gaarder
Yes, of course we do that.  My question is whether there is also a way to 
say that some volumes cannot be accessed from outside our network 
regardless of credentials.  Would it work to put all those volumes on a 
server with a firewall that blocks access?


Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu

On Tue, 3 May 2016, Brandon Allbery wrote:


fs sa /path/to/whatever system:anyuser none

-Original Message-
From: openafs-info-ad...@openafs.org [mailto:openafs-info-ad...@openafs.org] On 
Behalf Of Steve Gaarder
Sent: Friday, March 4, 2016 10:05 AM
To: openafs-info@openafs.org
Subject: [OpenAFS] AFS in the age of the wild west internet

While I really like the concept of AFS as a world-wide filesystem, I'm starting 
to wonder if it's a good idea in the modern age of cyberattacks.
How safe is it to leave AFS open to the world?

Some of the data we store in AFS does not need to be accessed from outside of 
our network; is there a good way of blocking access to it from outside while 
preserving access to other data in the cell?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu

[OpenAFS] AFS in the age of the wild west internet

2016-05-03 Thread Steve Gaarder
While I really like the concept of AFS as a world-wide filesystem, I'm 
starting to wonder if it's a good idea in the modern age of cyberattacks.

How safe is it to leave AFS open to the world?

Some of the data we store in AFS does not need to be accessed from outside 
of our network; is there a good way of blocking access to it from 
outside while preserving access to other data in the cell?


thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu


Re: [OpenAFS] Openafs vs Red Hat's Netkey

2013-12-11 Thread Steve Gaarder
I fired up Wireshark and took a look.  I set up IPSEC to use 
authentication only, so I can still see inside the packets.  What I see, 
on both server and client, is this:


When performance is poor, I see two fetch-data-64 packets from the server 
followed by an ACK packet from the client.  There is about a 4 ms delay 
between the two fetch-data-64 packets.  The sequence numbers are 
consecutive and I see no sign of any retransmissions.


When performance is good, I see 8 or more fetch-data-64 packets in a row 
followed by a bunch of ACK packets in return.  The time between 
fetch-data-64 packets is on the order of microseconds.


The 4 ms delay seems responsible, but I haven't figured out what might be 
causing that.


Andrew pointed me to a link about IPSEC problems under RHEL 6.  I do not 
see the high ksoftirqd usage that the article mentions.  I tried changing 
/proc/sys/net/ipv4/xfrm4_gc_thresh, as they suggest, and got occasional 
speedups but nothing repeatable.


thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu

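An added example, not from the thread, that applies the burst-and-gap reading described above to a constructed packet timeline (timestamp, direction, packet type) of the kind one would export from a Wireshark capture; it generalizes the observation to any number of bursts, and the timestamps, field names and the 1 ms / 8-packet thresholds are assumptions:

```python
from dataclasses import dataclass


@dataclass
class Burst:
    packets: int        # fetch-data-64 packets seen before the next client ACK
    max_gap_ms: float   # largest gap between consecutive data packets in the burst


def split_bursts(trace):
    """Group server fetch-data-64 packets into bursts, each closed by a client ACK.

    trace: list of (timestamp_seconds, direction, packet_type), in capture order.
    """
    bursts, current = [], []
    for ts, direction, ptype in trace:
        if direction == "server" and ptype == "fetch-data-64":
            current.append(ts)
        elif direction == "client" and ptype == "ack" and current:
            gaps = [(b - a) * 1000.0 for a, b in zip(current, current[1:])]
            bursts.append(Burst(len(current), max(gaps) if gaps else 0.0))
            current = []
    return bursts


def classify(bursts, stall_ms=1.0, min_burst=8):
    """Flag a transfer as stalled when bursts are short and contain a long gap."""
    for b in bursts:
        if b.packets < min_burst and b.max_gap_ms >= stall_ms:
            return "stalled"
    return "healthy"


# Constructed traces (assumed values, not real captures). In the healthy case
# eight data packets arrive ~10 us apart before a run of ACKs; in the stalled
# case two data packets ~4 ms apart are followed by an ACK, repeatedly.
GOOD_TRACE = [(i * 10e-6, "server", "fetch-data-64") for i in range(8)]
GOOD_TRACE += [(100e-6 + i * 5e-6, "client", "ack") for i in range(4)]

BAD_TRACE = []
for n in range(3):
    base = n * 4.2e-3
    BAD_TRACE += [(base, "server", "fetch-data-64"),
                  (base + 4.0e-3, "server", "fetch-data-64"),
                  (base + 4.1e-3, "client", "ack")]

if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE)):
        bursts = split_bursts(trace)
        print(name, classify(bursts),
              [(b.packets, round(b.max_gap_ms, 3)) for b in bursts])
```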


[OpenAFS] Openafs vs Red Hat's Netkey

2013-12-09 Thread Steve Gaarder
I run a network of machines running Scientific Linux 6 (a Red Hat 
Enterprise clone).  We have both AFS and NFS file servers.  In an effort 
to add some security to NFS, we are using IPSEC.  I have discovered that 
IPSEC, specifically Red Hat's NETKEY protocol stack, sends OpenAFS 
performance through the floor.  To try this on an SL/RHEL/Centos box, 
install Openswan and set it up on an OpenAFS server and client according 
to these instructions:


https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/Host-To-Host_VPN_Using_Openswan.html

Then try copying a large file from AFS to the client's local storage, e.g. with 
rsync --progress.  You will see performance steadily drop to miserable levels.


If you switch the client to the KLIPS stack (by using the kernel module that 
comes with the Openswan source), things run fine.  It does not seem to matter 
which stack is on the server.


Any ideas about what is going on?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu


Re: [OpenAFS] Openafs vs Red Hat's Netkey

2013-12-09 Thread Steve Gaarder

On Mon, 9 Dec 2013, Andrew Deason wrote:


On Mon, 9 Dec 2013 11:24:55 -0500 (EST)
Steve Gaarder gaard...@math.cornell.edu wrote:


Then try copying a large file from AFS to the client's local storage,
e.g. with rsync --progress.  You will see performance steadily drop to
miserable levels.


Could you specifically say what the before/after rates are, for what
you're seeing? These terms are really subjective; some people would call
the normal performance you get already miserable.

By miserable I mean transfers well under 1 MB/sec on a 100 Mbps link. 
Normal is 6-7 MB/sec.



A guess would be that something is causing packets to get dropped
somewhere along the line. Do you have any idea if you're using
jumbograms?

I don't see any config setting in the files that activates jumbograms, and 
the default is not to do them, so I don't think I'm using them.



You could also just try testing iperf UDP and see if this
seems to impact the results similarly.


Now it gets weird.  Iperf shows the same performance with or without 
IPSEC.  But if I run iperf under IPSEC, openafs performance jumps back up 
to normal and stays there for several minutes.  Does this give anyone any 
ideas?


thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu



Re: [OpenAFS] False replay error with 1.7 on Win 7 client

2012-12-13 Thread Steve Gaarder
I made the change and everything seems to be working fine.  Thanks for all 
your advice and enjoy the holidays!


Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu

On Wed, 12 Dec 2012, Brandon Allbery wrote:


On Wed, Dec 12, 2012 at 8:45 AM, Steve Gaarder gaard...@math.cornell.edu
wrote:
  On Tue, 11 Dec 2012, Harald Barth wrote:
1. Create afs/math.cornell@math.cornell.edu
2. Store the key in a keytab file
3. Use asetkey to add the key to the keyfile on
each of the AFS
servers


  Methinks between 1. and 3. tokens with the new key may
  fail.


Yes, I think you're right.  The time period is short enough, though,
that I think I can live with that.


If you script it (kadmin *is* scriptable in recent MIT, with some pain), the
time between creating and adding to the first KeyFile can be milliseconds;
script pushing that to the other servers and it's still likely to be a few
seconds at most.  If using Heimdal, you can use 'ktutil get' and do the first
one in effectively a single operation (ktutil get -k AFS3KEYFILE:...
afs/cell@REALM).  Then Kerberos-authenticated parallel ssh to push to the
other servers for minimum latency.  :)

--
brandon s allbery kf8nh                               sine nomine associates
allber...@gmail.com                                  ballb...@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net




[OpenAFS] False replay error with 1.7 on Win 7 client (fwd)

2012-12-11 Thread Steve Gaarder
I am trying to get Openafs 1.7.21 working on a Windows 7 machine.  I followed 
the directions on http://wiki.openafs.org/WindowsEndUserQuickStartGuide/
and installed Heimdal and the Network Identity Manager from the links on that 
page.


Using the Identity Manager, I am able to get a Kerberos ticket but not an AFS 
token.  If I use aklog from the command line, sometimes I get a token and 
sometimes I don't.  When it does not work, the error is ERR_REPEAT (Request is 
a replay).


A packet trace confirms this, and shows that this is also what happens every 
time I try it with Identity Manager.


Our KDC is using the principal a...@math.cornell.edu, not 
afs/math.cornell@math.cornell.edu.  According to the packet trace, the 
client tries afs/math.cornell@math.cornell.edu twice before falling back to 
a...@math.cornell.edu.  The first try is always rejected with PRINCIPAL_UNKNOWN. 
Sometimes the second try hits the same error, and sometimes it hits ERR_REPEAT, 
in which case the client gives up.  I assume there is a timing issue here, with 
the requests sometimes having the same timestamp.


So how can we fix this?  The KDC is running MIT Kerberos 1.6 on Scientific 
Linux 5.  I read on the net that there have been some replay cache 
improvements since then, so a KDC upgrade is one option for trying to fix 
this, but I can't do that right away.


It seems to me that switching to afs/math.cornell@math.cornell.edu is 
likely to fix the problem, but I am uncertain about how to do that without 
creating any service disruptions.  If I do this:


1. Create afs/math.cornell@math.cornell.edu
2. Store the key in a keytab file
3. Use asetkey to add the key to the keyfile on each of the AFS servers

will it allow existing tokens that authenticated with a...@math.cornell.edu 
to still work?


Any other ideas?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu


Re: [OpenAFS] False replay error with 1.7 on Win 7 client (fwd)

2012-12-11 Thread Steve Gaarder

On Tue, 11 Dec 2012, Jeffrey Altman wrote:


Upgrading your AFS principal from afs@ to afs/math.cornell.edu@ will
fix this problem
and shorten the time it takes all AFS clients to obtain afs tokens.

Thanks. My next question is: if I do this, will it break existing sessions 
using tokens obtained via afs@?  Here's how I think I should make the 
change:


1. Create afs/math.cornell@math.cornell.edu
2. Store the key in a keytab file
3. Use asetkey to add the key to the keyfile on each of the AFS servers

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu


[OpenAFS] Aklog at login in MacOS 10.8

2012-11-14 Thread Steve Gaarder
I finally figured out how to set up MacOS Mountain Lion so that all users 
get an automatic kinit and aklog at login, and thus can have home 
directories in AFS.  AFSBackgrounder doesn't do the job because it has to 
be configured for each user, and needs access to the home directories 
before it gets the token.


I got Kerberos to get a usable ticket by properly configuring 
/Library/Preferences/edu.mit.Kerberos and modifying 
/etc/pam.d/authorization so that the first non-comment line looks like:


auth   sufficient pam_krb5.so use_first_pass default_principal

This creates a credential cache, and gives it a random name, but does not 
put that name in the environment.  So I wrote a Perl script that looks in 
/tmp for the most recent CC file for the user, puts that path into the 
environment, and runs aklog.  I put a plist file in /Library/LaunchAgents 
to run it.  The source for those is at the end of this message.


We use LDAP for authorization, set up through the directory utility. Since 
we use plain unauthenticated LDAP, we needed to disable fancy 
authentication as shown here:


http://blog.smalleycreative.com/administration/fixing-openldap-authentication-on-os-x-lion/

Hope this proves useful for others.

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu

-Perl Script /usr/local/sbin/afsaklog.pl

#!/usr/bin/perl

# Find the most recent Kerberos credential cache in /tmp that belongs to
# the logged-in user, export its path as KRB5CCNAME, and run aklog.
$me = $ENV{'LOGNAME'};
chdir "/tmp";

$thetime = 0;
$thefile = "";
$myuid = getpwnam($me);   # scalar context: the numeric uid

while (<krb5cc*>) {
    ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,$blksize,$blocks)
        = stat($_);
    # keep the newest cache file owned by this user
    if (($uid == $myuid) && ($thetime < $mtime)) {
        $thetime = $mtime;
        $thefile = $_;
    }
}
if ($thefile ne "") {
    $ENV{'KRB5CCNAME'} = "/tmp/$thefile";
    system("aklog");
}

/Library/LaunchAgents/edu.cornell.math.loginhook.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>Label</key>
   <string>edu.cornell.math.loginhook</string>
   <key>Program</key>
   <string>/usr/local/sbin/afsaklog.pl</string>
   <key>RunAtLoad</key>
   <true/>
</dict>
</plist>


[OpenAFS] Journal abort caused a problem

2010-02-09 Thread Steve Gaarder
Early this morning, one of my AFS servers (Red Hat Enterprise Linux 4, 
Openafs 1.4.0) complained of an aborted ext3 journal on /vicepb (which is 
an md-mirrored pair).  The system declared the filesystem to be read-only, 
and AFS stopped serving the volumes on that partition.  I had to reboot, 
fsck the partition, and salvage the volumes.  Does anyone have any idea 
why this might have happened, and what can be done to prevent a 
repetition?


thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu


[OpenAFS] Can I use Parted to change the size of an AFS partition?

2009-06-01 Thread Steve Gaarder
I want to rearrange some of my disk space, including shrinking the size of 
one of my AFS partitions (/vicepa).  Is it safe to use GNU Parted to do
this (with the file server shut down, of course)?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu


[OpenAFS] problems with root volumes

2008-04-03 Thread Steve Gaarder
A couple weeks ago, one of my AFS servers lost its disks.  I recovered the root 
partition from backup.  I did not have a backup of the /vicepa partition, no 
problem, I thought, since it only contained RO replicas.  I just generated a 
new one. Well, it turns out that it also contained the RW copies of root.afs 
and root.cell.  So now I get some odd behavior, and vos examine says:


vos examine 536870915
Could not fetch the information about volume 536870915 from the server
: No such device
Volume does not exist on server bernoulli.math.cornell.edu as indicated by the 
VLDB


Can I regenerate RW copies from the RO ones, or?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
[EMAIL PROTECTED]



[OpenAFS] Re: Upgrade plan - any gotchas?

2005-12-13 Thread Steve Gaarder


Christopher D. Clausen wrote:


What do you mean by Primary?  Do you only have one AFS DB server for
your cell?  Most cells run at least 3 AFS DB servers (just look through
the CellServDB file.)
When you say second, what do you mean?


I have two DB/PTS/file servers; the primary has IP xx.12, the second 
server xx.16.


You probably want at least three VLDB, PTS, (and possibly BackupDB, if
you use that) servers total.  (So that two are up at any given time.)
Ubik (synchronization protocol that AFS uses) grants an extra vote to the
server with the lowest IP address, and if the server you take down has
the lowest, you might not reach quorum and bad things can happen.


Okay - I will set up a third VLDB/PTS server.


5.  Copy /usr/afs/db, /usr/afs/etc/, and /usr/afs/local from the old
system partition to the new one. Mount /vicepa same as on the old
system.


You should NOT copy /usr/afs/db.  These DBs will auto replicate from the
other server and there is no need to pre-populate that directory.  In
fact, doing so may cause problems.  And you can have all kinds of issues
if you copy the sysid file from another server (this might be better
now, but in general copying unique identifiers is NOT a good idea.)
Also be aware that different servers may have different NetRestrict or
NetAllow files and you don't want to copy them.


In this case, tho, I am not copying from another server but from the old 
installation of the *same* server.  Under those circumstances, don't I 
want the sysid file to be the same?



From: ted creedon [EMAIL PROTECTED]

Don't forget that upserver and upclient re-populate the /usr/afs/etc
directories automatically.


This machine is the update server, however - will it get repopulated or 
will it depopulate the others?


thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
[EMAIL PROTECTED]


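An added example, not from the thread, that works out the Ubik vote arithmetic Christopher describes: one vote per database server, an extra half vote for the lowest IP address, and a sync site only with more than half of all votes. The 10.0.0.x addresses are constructed stand-ins for the xx.12 / xx.16 servers in this exchange, and the three-server case shows why a third server makes taking down the primary safe:

```python
import ipaddress


def lowest_ip(servers):
    """The database server Ubik favours: the numerically lowest IP address."""
    return min(servers, key=lambda s: int(ipaddress.ip_address(s)))


def total_votes(servers):
    """One vote per server plus the extra half vote held by the lowest-IP server."""
    return len(servers) + 0.5


def votes_present(servers, up):
    """Votes cast by the servers currently reachable."""
    unknown = set(up) - set(servers)
    if unknown:
        raise ValueError(f"not database servers: {sorted(unknown)}")
    low = lowest_ip(servers)
    return sum(1.5 if s == low else 1.0 for s in set(up))


def has_quorum(servers, up):
    """Ubik elects a sync site only with strictly more than half of all votes."""
    return votes_present(servers, up) > total_votes(servers) / 2


def safe_to_take_down(servers, victim):
    """Will the remaining servers still reach quorum without `victim`?"""
    remaining = [s for s in servers if s != victim]
    return has_quorum(servers, remaining)


# Constructed addresses standing in for the xx.12 / xx.16 servers in the thread,
# plus a hypothetical third server at .20.
TWO_SERVERS = ["10.0.0.12", "10.0.0.16"]
THREE_SERVERS = ["10.0.0.12", "10.0.0.16", "10.0.0.20"]

if __name__ == "__main__":
    for servers in (TWO_SERVERS, THREE_SERVERS):
        for victim in servers:
            verdict = "quorum holds" if safe_to_take_down(servers, victim) else "NO quorum"
            print(len(servers), "servers, take down", victim, "->", verdict)
```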


[OpenAFS] Upgrade plan - any gotchas?

2005-12-12 Thread Steve Gaarder

Here's my plan for upgrading both OS and OpenAFS on my primary AFS server.
Please let me know if you see any potential problems, gotchas, etc.

These items I have already done:

1.  Set up a second VLDB and file server.  Change all the CellServDB files
to include both servers.  (Authentication is via Krb5; neither AFS server
is a KDC)

2.  Move all non-replicated volumes to the second server.  Have replicas
of the others on both servers.

Here is what I plan to do:

3.  Shut down the primary server.  I can do this during regular hours
because the secondary server will carry all the load.

4.  Install the new OS (RHEL 4) on a new partition.  Install OpenAFS 1.4.0
but don't start it.

5.  Copy /usr/afs/db, /usr/afs/etc/, and /usr/afs/local from the old
system partition to the new one. Mount /vicepa same as on the old system.

6.  Start up AFS and all should be well - or am I missing something?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA



[OpenAFS] Upgrading/Migrating to new OpenAFS and host OS versions

2005-11-07 Thread Steve Gaarder
I have a server running OpenAFS 1.2.13 on Red Hat Enterprise 3, using 
Kerberos 5 for authentication (the AFS server is not one of the KDCs).  I 
want to upgrade to OpenAFS 1.4.0 and RH Enterprise 4.  It seems to me that 
the sanest approach may well be to do a fresh install of the OS (on 
another partition), install 1.4.0 on it, and then copy all the necessary 
site-specific stuff over to the new OS.  Questions:


- is this indeed the best way to go?

- what files/directories do I need to copy to the new installation?

- any gotchas I should know about?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA