Re: [OpenAFS] AFS without Kerberos headache
Georg P. Israel wrote:

> Dear All,
>
> this might be a stupid question, but I still like to post it on this list.
> Can I use OpenAFS without the Kerberos headache???
>
> AFS is almost exactly what I need. Only this damn Kerberos makes my life
> miserable. In fact what I need ideally is a file system like NFS just
> with the added features needed to use it in a Metropolitan Network
> setup, i.e. local caching of files.
>
> AFS seems to do this in a good way, but Kerberos is a constant annoyance
> to it. I do have machines that generate simulation data and have to work
> for weeks. If I like to do this with the current OpenAFS setup, I'll
> have to log in once a day and refresh the damn Kerberos token :-(.
>
> Hence, is there a way to disable this Kerberos time out??
>
> If you know of a solution to this, then please let me know.

It sounds like you want to use IP ACLs as Hartmut suggests.

As an AFS admin, run the following:

    % pts createuser 192.168.1.1
    % pts creategroup foo
    % pts adduser IP_ADDRESS foo
    % fs setacl simulation_folder foo rlidwk

Substitute 192.168.1.1 for your IP address and foo for your group name in the above example. Be careful: 192.168.1.0 and 192.168.0.0 mean the whole subnet and 255 subnets respectively.

You can then use the "foo" group to give access to that particular machine to any folders that you wish.

Sincerely,
Jason

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

Re: [OpenAFS] AFS without Kerberos headache
Harald Barth wrote:

>> In fact what I need ideally is a file system like NFS just with the
>> added features needed to use it in a Metropolitan Network setup, i.e.
>> local caching of files.
>
> As an added feature, I hope you want to have control who wrote a file.
>
>> AFS seems to do this in a good way, but Kerberos is a constant annoyance
>> to it. I do have machines that generate simulation data and have to work
>> for weeks. If I like to do this with the current OpenAFS setup, I'll
>> have to log in once a day and refresh the damn Kerberos token :-(.
>
> You can have longer timed tickets and tokens. You can save tickets in
> keytabs. If your hosts have keytabs, you can use them to generate
> tickets from.
>
> You can have system:anyuser write if you want to mimic NFS ;)

And you can create pts groups based on IP-addresses and give such a group permissions in the ACL. That's less horrible than giving system:anyuser write access. But after you have done this you have to wait quite a while until the fileserver has re-evaluated those IP-groups (typically 2 hours) before they work.

Hartmut

> Harald.

--
Hartmut Reuter                  e-mail reu...@rzg.mpg.de
                                phone  +49-89-3299-1328
                                fax    +49-89-3299-1301
RZG (Rechenzentrum Garching)    web    http://www.rzg.mpg.de/~hwr
Computing Center of the Max-Planck-Gesellschaft (MPG) and the
Institut fuer Plasmaphysik (IPP)

Re: [OpenAFS] AFS without Kerberos headache
On 2008 Dec 21, at 12:13, Georg P. Israel wrote:

> AFS seems to do this in a good way, but Kerberos is a constant annoyance
> to it. I do have machines that generate simulation data and have to work
> for weeks. If I like to do this with the current OpenAFS setup, I'll
> have to log in once a day and refresh the damn Kerberos token :-(.
>
> Hence, is there a way to disable this Kerberos time out??

Strictly speaking, no. You can however use kstart or Heimdal's kinit to start a process whose tickets and tokens will be renewed as needed until the process finishes. For more complicated processes, you can use a backgrounded shell loop to renew tickets periodically from a keytab.

--
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allb...@kf8nh.com
system administrator [openafs,heimdal,too many hats] allb...@ece.cmu.edu
electrical and computer engineering, carnegie mellon university    KF8NH

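A sketch of the backgrounded renewal loop mentioned in the reply above, as an added example that is not part of the original thread or of OpenAFS. The keytab path, principal, interval, script name and job command are assumed placeholders; `kinit -k -t` and `aklog` are the standard Kerberos and OpenAFS client commands.

```shell
#!/bin/sh
# Added example: keep Kerberos tickets and AFS tokens fresh for a long job.
# KEYTAB, PRINCIPAL and RENEW_SECS are placeholder values (assumptions).
KEYTAB=${KEYTAB:-/etc/simjob.keytab}
PRINCIPAL=${PRINCIPAL:-simjob@EXAMPLE.ORG}
RENEW_SECS=${RENEW_SECS:-14400}   # keep this well below the ticket lifetime
KINIT=${KINIT:-kinit}             # overridable so the loop can be dry-run
AKLOG=${AKLOG:-aklog}

# A keytab is a long-term key on disk: reject one that is missing or that
# group/other can read, write or execute.
keytab_ok() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    perms=$(ls -ln "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]
}

# One renewal: new ticket from the keytab, then a new AFS token from it.
renew_once() {
    keytab_ok "$KEYTAB" || { echo "unsafe or missing keytab: $KEYTAB" >&2; return 2; }
    "$KINIT" -k -t "$KEYTAB" "$PRINCIPAL" && "$AKLOG"
}

# Run "$@" with a backgrounded renewal loop; stop the loop when the job ends
# and hand back the job's exit status.
run_with_renewal() {
    renew_once || return $?
    ( while sleep "$RENEW_SECS"; do
          renew_once || echo "renewal failed, retrying next interval" >&2
      done ) &
    loop_pid=$!
    rc=0
    "$@" || rc=$?
    kill "$loop_pid" 2>/dev/null || true
    wait "$loop_pid" 2>/dev/null || true
    return "$rc"
}

# Usage (hypothetical names): ./with-tokens.sh ./run_simulation --weeks 3
if [ "$#" -gt 0 ]; then run_with_renewal "$@"; fi
```

The job is never started if the first renewal fails, so a missing or world-readable keytab shows up immediately rather than as permission errors once the first token expires.
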
Re: [OpenAFS] AFS without Kerberos headache
> In fact what I need ideally is a file system like NFS just with the
> added features needed to use it in a Metropolitan Network setup, i.e.
> local caching of files.

As an added feature, I hope you want to have control who wrote a file.

> AFS seems to do this in a good way, but Kerberos is a constant annoyance
> to it. I do have machines that generate simulation data and have to work
> for weeks. If I like to do this with the current OpenAFS setup, I'll
> have to log in once a day and refresh the damn Kerberos token :-(.

You can have longer timed tickets and tokens. You can save tickets in keytabs. If your hosts have keytabs, you can use them to generate tickets from.

You can have system:anyuser write if you want to mimic NFS ;)

Harald.