Re: [OpenAFS] changing just the name of a database server?
On Wed, 20 Dec 2017, Benjamin Kaduk wrote:

> Hi Steve,
>
> On Tue, Dec 19, 2017 at 09:19:36AM -0500, Steve Gaarder wrote:
>> I want to change the name of one of my database servers, while keeping the IP address the same. Besides making the change in the DNS and the machine's hostname, is there anything else I need to do?
>
> You should also notify cellser...@grand.central.org so that the central CellServDB records can be updated. IIRC, at least windows clients use the name after the '#' for address lookups -- it is not just a comment field.

Thanks for that info. Does it matter whether the name is a CNAME or not? I'm thinking that, to ease the transition, I could make the new name a CNAME for the existing name, tell grand.central to change the cellservdb, and later rename the machine.

cheers,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
[OpenAFS] changing just the name of a database server?
I want to change the name of one of my database servers, while keeping the IP address the same. Besides making the change in the DNS and the machine's hostname, is there anything else I need to do?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu
RE: [OpenAFS] AFS in the age of the wild west internet
Yes, of course we do that. My question is whether there is also a way to say that some volumes cannot be accessed from outside our network regardless of credentials. Would it work to put all those volumes on a server with a firewall that blocks access?

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu

On Tue, 3 May 2016, Brandon Allbery wrote:

> fs sa /path/to/whatever system:anyuser none
>
> -----Original Message-----
> From: openafs-info-ad...@openafs.org [mailto:openafs-info-ad...@openafs.org] On Behalf Of Steve Gaarder
> Sent: Friday, March 4, 2016 10:05 AM
> To: openafs-info@openafs.org
> Subject: [OpenAFS] AFS in the age of the wild west internet
>
> While I really like the concept of AFS as a world-wide filesystem, I'm starting to wonder if it's a good idea in the modern age of cyberattacks. How safe is it to leave AFS open to the world? Some of the data we store in AFS does not need to be accessed from outside of our network; is there a good way of blocking access to it from outside while preserving access to other data in the cell?
>
> thanks,
>
> Steve Gaarder
> System Administrator, Dept of Mathematics
> Cornell University, Ithaca, NY, USA
> gaar...@math.cornell.edu
[OpenAFS] AFS in the age of the wild west internet
While I really like the concept of AFS as a world-wide filesystem, I'm starting to wonder if it's a good idea in the modern age of cyberattacks. How safe is it to leave AFS open to the world? Some of the data we store in AFS does not need to be accessed from outside of our network; is there a good way of blocking access to it from outside while preserving access to other data in the cell?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu
Re: [OpenAFS] Openafs vs Red Hat's Netkey
I fired up Wireshark and took a look. I set up IPSEC to use authentication only, so I can still see inside the packets. What I see, on both server and client, is this:

When performance is poor, I see two fetch-data-64 packets from the server followed by an ACK packet from the client. There is about a 4 ms delay between the two fetch-data-64 packets. The sequence numbers are consecutive and I see no sign of any retransmissions.

When performance is good, I see 8 or more fetch-data-64 packets in a row followed by a bunch of ACK packets in return. The time between fetch-data-64 packets is on the order of microseconds.

The 4 ms delay seems responsible, but I haven't figured out what might be causing that.

Andrew pointed me to a link about IPSEC problems under RHEL 6. I do not see the high ksoftirqd usage that the article mentions. I tried changing /proc/sys/net/ipv4/xfrm4_gc_thresh, as they suggest, and got occasional speedups but nothing repeatable.

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu
[OpenAFS] Openafs vs Red Hat's Netkey
I run a network of machines running Scientific Linux 6 (a Red Hat Enterprise clone). We have both AFS and NFS file servers. In an effort to add some security to NFS, we are using IPSEC. I have discovered that IPSEC, specifically Red Hat's NETKEY protocol stack, sends OpenAFS performance through the floor.

To try this on an SL/RHEL/Centos box, install Openswan and set it up on an OpenAFS server and client according to these instructions:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/Host-To-Host_VPN_Using_Openswan.html

Then try copying a large file from AFS to the client's local storage, e.g. with rsync --progress. You will see performance steadily drop to miserable levels. If you switch the client to the KLIPS stack (by using the kernel module that comes with the Openswan source), things run fine. It does not seem to matter which stack is on the server.

Any ideas about what is going on?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu
Re: [OpenAFS] Openafs vs Red Hat's Netkey
On Mon, 9 Dec 2013, Andrew Deason wrote:

> On Mon, 9 Dec 2013 11:24:55 -0500 (EST)
> Steve Gaarder gaard...@math.cornell.edu wrote:
>
>> Then try copying a large file from AFS to the client's local storage, e.g. with rsync --progress. You will see performance steadily drop to miserable levels.
>
> Could you specifically say what the before/after rates are, for what you're seeing? These terms are really subjective; some people would call the normal performance you get already miserable.

By miserable I mean transfers well under 1 MB/sec on a 100 Mbps link. Normal is 6-7 MB/sec.

> A guess would be that something is causing packets to get dropped somewhere along the line. Do you have any idea if you're using jumbograms?

I don't see any config setting in the files that activates jumbograms, and the default is not to do them, so I don't think I'm using them.

> You could also just try testing iperf UDP and see if this seems to impact the results similarly.

Now it gets weird. Iperf shows the same performance with or without IPSEC. But if I run iperf under IPSEC, openafs performance jumps back up to normal and stays there for several minutes. Does this give anyone any ideas?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu
Re: [OpenAFS] False replay error with 1.7 on Win 7 client
I made the change and everything seems to be working fine. Thanks for all your advice and enjoy the holidays!

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu

On Wed, 12 Dec 2012, Brandon Allbery wrote:

> On Wed, Dec 12, 2012 at 8:45 AM, Steve Gaarder gaard...@math.cornell.edu wrote:
>> On Tue, 11 Dec 2012, Harald Barth wrote:
>>>> 1. Create afs/math.cornell@math.cornell.edu
>>>> 2. Store the key in a keytab file
>>>> 3. Use asetkey to add the key to the keyfile on each of the AFS servers
>>>
>>> Methinks between 1. and 3. tokens with the new key may fail.
>>
>> Yes, I think you're right. The time period is short enough, though, that I think I can live with that.
>
> If you script it (kadmin *is* scriptable in recent MIT, with some pain), the time between creating and adding to the first KeyFile can be milliseconds; script pushing that to the other servers and it's still likely to be a few seconds at most. If using Heimdal, you can use 'ktutil get' and do the first one in effectively a single operation (ktutil get -k AFS3KEYFILE:... afs/cell@REALM). Then Kerberos-authenticated parallel ssh to push to the other servers for minimum latency. :)
>
> --
> brandon s allbery kf8nh                               sine nomine associates
> allber...@gmail.com                                ballb...@sinenomine.net
> unix, openafs, kerberos, infrastructure, xmonad       http://sinenomine.net
[OpenAFS] False replay error with 1.7 on Win 7 client (fwd)
I am trying to get Openafs 1.7.21 working on a Windows 7 machine. I followed the directions on http://wiki.openafs.org/WindowsEndUserQuickStartGuide/ and installed Heimdal and the Network Identity Manager from the links on that page. Using the Identity Manager, I am able to get a Kerberos ticket but not an AFS token. If I use aklog from the command line, sometimes I get a token and sometimes I don't. When it does not work, the error is ERR_REPEAT (Request is a replay). A packet trace confirms this, and shows that this is also what happens every time I try it with Identity Manager.

Our KDC is using the principal a...@math.cornell.edu, not afs/math.cornell@math.cornell.edu. According to the packet trace, the client tries afs/math.cornell@math.cornell.edu twice before falling back to a...@math.cornell.edu. The first try is always rejected with PRINCIPAL_UNKNOWN. Sometimes the second try hits the same error, and sometimes it hits ERR_REPEAT, in which case the client gives up. I assume there is a timing issue here, with the requests sometimes having the same timestamp.

So how can we fix this? The KDC is running MIT Kerberos 1.6 on Scientific Linux 5. I read on the net that there have been some replay cache improvements since then, so a KDC upgrade is one option for trying to fix this, but I can't do that right away.

It seems to me that switching to afs/math.cornell@math.cornell.edu is likely to fix the problem, but I am uncertain about how to do that without creating any service disruptions. If I do this:

1. Create afs/math.cornell@math.cornell.edu
2. Store the key in a keytab file
3. Use asetkey to add the key to the keyfile on each of the AFS servers

will it allow existing tokens that authenticated with a...@math.cornell.edu to still work? Any other ideas?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu
Re: [OpenAFS] False replay error with 1.7 on Win 7 client (fwd)
On Tue, 11 Dec 2012, Jeffrey Altman wrote:

> Upgrading your AFS principal from afs@ to afs/math.cornell.edu@ will fix this problem and shorten the time it takes all AFS clients to obtain afs tokens.

Thanks. My next question is: if I do this, will it break existing sessions using tokens obtained via afs@? Here's how I think I should make the change:

1. Create afs/math.cornell@math.cornell.edu
2. Store the key in a keytab file
3. Use asetkey to add the key to the keyfile on each of the AFS servers

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu
[OpenAFS] Aklog at login in MacOS 10.8
I finally figured out how to set up MacOS Mountain Lion so that all users get an automatic kinit and aklog at login, and thus can have home directories in AFS. AFSBackgrounder doesn't do the job because it has to be configured for each user, and needs access to the home directories before it gets the token.

I got Kerberos to get a usable ticket by properly configuring /Library/Preferences/edu.mit.Kerberos and modifying /etc/pam.d/authorization so that the first non-comment line looks like:

    auth sufficient pam_krb5.so use_first_pass default_principal

This creates a credential cache, and gives it a random name, but does not put that name in the environment. So I wrote a Perl script that looks in /tmp for the most recent CC file for the user, puts that path into the environment, and runs aklog. I put a plist file in /Library/LaunchAgents to run it. The source for those is at the end of this message.

We use LDAP for authorization, set up through the directory utility. Since we use plain unauthenticated LDAP, we needed to disable fancy authentication as shown here:

http://blog.smalleycreative.com/administration/fixing-openldap-authentication-on-os-x-lion/

Hope this proves useful for others.

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu

----- Perl Script /usr/local/sbin/afsaklog.pl -----

    #!/usr/bin/perl
    # Find the newest krb5cc* credential cache in /tmp that belongs to the
    # logged-in user, export it as KRB5CCNAME, and run aklog against it.
    $me = $ENV{'LOGNAME'};
    chdir "/tmp";
    $thetime = 0;
    $thefile = "";
    $myuid = getpwnam($me);      # scalar context: numeric uid of the user
    while (<krb5cc*>) {          # glob: each matching name lands in $_
        ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,
         $atime,$mtime,$ctime,$blksize,$blocks) = stat($_);
        # keep the most recently modified cache owned by this user
        if (($uid == $myuid) && ($thetime < $mtime)) {
            $thetime = $mtime;
            $thefile = $_;
        }
    }
    if ($thefile ne "") {
        $ENV{'KRB5CCNAME'} = "/tmp/$thefile";
        system("aklog");
    }

----- /Library/LaunchAgents/edu.cornell.math.loginhook.plist -----

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>edu.cornell.math.loginhook</string>
        <key>Program</key>
        <string>/usr/local/sbin/afsaklog.pl</string>
        <key>RunAtLoad</key>
        <true/>
    </dict>
    </plist>
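The credential-cache lookup the Perl script above performs, re-done as an added Python example (not the poster's script) with the checks a shared /tmp calls for: the candidate must be a regular file rather than a symlink, owned by the calling user, and not readable by group or world, so a stale or foreign cache is never handed to aklog. The directory, the krb5cc prefix and the FILE: cache type are assumptions taken from the post.

```python
"""Pick the newest usable Kerberos credential cache in /tmp and run aklog."""
import os
import stat
import subprocess

CC_DIR = "/tmp"          # assumption: where pam_krb5 drops the cache
CC_PREFIX = "krb5cc"     # assumption: cache file names start with this


def newest_cc_file(directory, uid):
    """Return the path of the newest krb5cc* file in `directory` that is a
    regular file (symlinks rejected), owned by `uid`, and mode 0?00; or None."""
    best_path, best_mtime = None, -1
    try:
        names = os.listdir(directory)
    except OSError:
        return None
    for name in names:
        if not name.startswith(CC_PREFIX):
            continue
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)          # lstat so a planted symlink is seen as one
        except OSError:
            continue                     # vanished between listdir and stat
        if not stat.S_ISREG(st.st_mode):
            continue                     # symlink, fifo, socket: not a cache
        if st.st_uid != uid:
            continue                     # someone else's cache
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            continue                     # group/world accessible: refuse it
        if st.st_mtime > best_mtime:
            best_path, best_mtime = path, st.st_mtime
    return best_path


def run_aklog(cc_path):
    """Run aklog with KRB5CCNAME pointing at cc_path; return its exit status."""
    env = dict(os.environ, KRB5CCNAME="FILE:" + cc_path)
    return subprocess.call(["aklog"], env=env)


def main():
    path = newest_cc_file(CC_DIR, os.getuid())
    if path is None:
        print("no usable credential cache found in %s" % CC_DIR)
        return 1
    return run_aklog(path)


if __name__ == "__main__":
    raise SystemExit(main())
```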
[OpenAFS] Journal abort caused a problem
Early this morning, one of my AFS servers (Red Hat Enterprise Linux 4, Openafs 1.4.0) complained of an aborted ext3 journal on /vicepb (which is an md-mirrored pair). The system declared the filesystem to be read-only, and AFS stopped serving the volumes on that partition. I had to reboot, fsck the partition, and salvage the volumes. Does anyone have any idea why this might have happened, and what can be done to prevent a repetition?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu
[OpenAFS] Can I use Parted to change the size of an AFS partition?
I want to rearrange some of my disk space, including shrinking the size of one of my AFS partitions (/vicepa). Is it safe to use GNU Parted to do this (with the file server shut down, of course)?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu
[OpenAFS] problems with root volumes
A couple weeks ago, one of my AFS servers lost its disks. I recovered the root partition from backup. I did not have a backup of the /vicepa partition; no problem, I thought, since it only contained RO replicas. I just generated a new one. Well, it turns out that it also contained the RW copies of root.afs and root.cell. So now I get some odd behavior, and vos examine says:

    vos examine 536870915
    Could not fetch the information about volume 536870915 from the server
    : No such device
    Volume does not exist on server bernoulli.math.cornell.edu as indicated by the VLDB

Can I regenerate RW copies from the RO ones, or?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
[EMAIL PROTECTED]
[OpenAFS] Re: Upgrade plan - any gotchas?
Christopher D. Clausen wrote:

> What do you mean by Primary? Do you only have one AFS DB server for your cell? Most cells run at least 3 AFS DB servers (just look through the CellServDB file.) When you say second, what do you mean?

I have two DB/PTS/file servers; the primary has IP xx.12, the second server xx.16.

> You probably want at least three VLDB, PTS, (and possibly BackupDB, if you use that) servers total. (So that two are up at any given time.) Ubik (synchronization protocol that AFS uses) grants an extra vote to the server with the lowest IP address, and if the server you take down has the lowest, you might not reach quorum and bad things can happen.

Okay - I will set up a third VLDB/PTS server.

>> 5. Copy /usr/afs/db, /usr/afs/etc/, and /usr/afs/local from the old system partition to the new one. Mount /vicepa same as on the old system.
>
> You should NOT copy /usr/afs/db. These DBs will auto replicate from the other server and there is no need to pre-populate that directory. In fact, doing so may cause problems. And you can have all kinds of issues if you copy the sysid file from another server (this might be better now, but in general copying unique identifiers is NOT a good idea.) Also be aware that different servers may have different NetRestrict or NetAllow files and you don't want to copy them.

In this case, tho, I am not copying from another server but from the old installation of the *same* server. Under those circumstances, don't I want the sysid file to be the same?

From: ted creedon [EMAIL PROTECTED]

> Don't forget that upserver and upclient re-populate the /usr/afs/etc directories automatically.

This machine is the update server, however - will it get repopulated or will it depopulate the others?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
[EMAIL PROTECTED]
[OpenAFS] Upgrade plan - any gotchas?
Here's my plan for upgrading both OS and OpenAFS on my primary AFS server. Please let me know if you see any potential problems, gotchas, etc.

These items I have already done:

1. Set up a second VLDB and file server. Change all the CellServDB files to include both servers. (Authentication is via Krb5; neither AFS server is a KDC)
2. Move all non-replicated volumes to the second server. Have replicas of the others on both servers.

Here is what I plan to do:

3. Shut down the primary server. I can do this during regular hours because the secondary server will carry all the load.
4. Install the new OS (RHEL 4) on a new partition. Install OpenAFS 1.4.0 but don't start it.
5. Copy /usr/afs/db, /usr/afs/etc/, and /usr/afs/local from the old system partition to the new one. Mount /vicepa same as on the old system.
6. Start up AFS and all should be well - or am I missing something?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
[OpenAFS] Upgrading/Migrating to new OpenAFS and host OS versions
I have a server running OpenAFS 1.2.13 on Red Hat Enterprise 3, using Kerberos 5 for authentication (the AFS server is not one of the KDCs). I want to upgrade to OpenAFS 1.4.0 and RH Enterprise 4. It seems to me that the sanest approach may well be to do a fresh install of the OS (on another partition), install 1.4.0 on it, and then copy all the necessary site-specific stuff over to the new OS.

Questions:

- is this indeed the best way to go?
- what files/directories do I need to copy to the new installation?
- any gotchas I should know about?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA