URL: http://www.secure-endpoints.com/netidmgr/v2/
Secure Endpoints Inc. is proud to announce the public availability of
Network Identity Manager v2 (2.0.0.304). Version 2.0 is the end of a
three year effort to improve the usability and capabilities of
the product.
Improved usability:
* User
On Fri, 5 Mar 2010, Simon Wilkinson wrote:
However, if this was happening correctly, Eric should be seeing his
system load peak and trough. Performance will be good every 10
minutes, and then slowly deteriorate until the next garbage collector
run comes along. From what he's reporting, that doe
On Fri, 5 Mar 2010 13:14:19 -0600
Stephen Joyce wrote:
> I don't see any afsconf_GetKey entry in the filelog. I even bumped
> debugging up to 125 and restarted the fileserver without seeing any
> lines containing that text.
Keeping this on the list (this is a useful datapoint).
You shouldn't ne
On 5 Mar 2010, at 19:12, Andrew Deason wrote:
Okay, but how about signalling something else to do the cleanup, then?
Say, afs_Daemon (if it has nothing better to do) could unlink the marked
unixuser(s) for us. It could just check a list of unixusers to unlink or
something on each iteration,
On Fri, 5 Mar 2010 19:03:19 +
Simon Wilkinson wrote:
> > Could we remove the unixuser from the list in afs_PutUser if the
> > refCount drops to zero (possibly only under the same conditions as
> > the checks in afs_GCUserData)? I'm not sure I get the rationale for
> > having a separate occasi
On 5 Mar 2010, at 18:57, Andrew Deason wrote:
We call afs_pag_destroy when the key goes away, but that only
invalidates the credentials; it doesn't remove it from the appropriate
afs_users chain. So, correct me if I'm wrong, but I think until we
afs_GCUserData, afs_users lists can grow very larg
High number of calls to afs_ComputePAGStats, resulting in system
time being consumed unreasonably, due to it and corresponding
text.lock.spinlock system calls.
I can't see a call to afs_ComputePAGStats in afs_user.c - are you just
commenting out the body of the function, or is there a ca
On Fri, 5 Mar 2010 09:22:04 +
Simon Wilkinson wrote:
> There's obviously something going awry here. In theory, you don't need
> to garbage collect keyring PAGs, because the keyrings are reference
> counted by the kernel, and our destructor is called when the keyring
> goes away.
We cal
On Fri, 5 Mar 2010, Simon Wilkinson wrote:
One thing I'd noticed in RHEL4 tests (systemtap doesn't seem to give
the same result under RHEL5) is that the system time usage
corresponds to high frequencies of calling afs_ComputePAGStats.
Compiling with AFS_NOSTATS defined or commenting out the sect
On 5 Mar 2010, at 18:34, eric.hagb...@morganstanley.com wrote:
This took a little longer to set up than I'd hoped, as 1.5.72
doesn't work under RHEL4 (the platform on which I was doing most of
my tests), due to the lack of zero_user_segments and page_offset in
the compiled kernel module.
On Fri, 5 Mar 2010 12:36:53 -0500 (EST)
Stephen Joyce wrote:
> The new keytab, when installed (and the former removed), shows the
> same results as before: kinit and aklog work, but AFS doesn't accept
> the tickets despite the fact that the key is in the keyfile in the
> correct slot for the kvno
At this point I think a debugger needs to be attached
to a service so that we can determine why rxkad is reporting
a key version number error.
Jeffrey Altman
On 3/5/2010 12:36 PM, Stephen Joyce wrote:
> A lil' bit more testing, but no solution yet.
>
> Extracted a new keytab on 2008R2 per Jeff
On Fri, 5 Mar 2010, Simon Wilkinson wrote:
Things are quite different in 1.5 - keyrings are the authoritative
source of PAG information. If you have time, it would be great if you
could do the same tests with 1.5, and see if you experience similar
problems.
This took a little longer to set up
A lil' bit more testing, but no solution yet.
Extracted a new keytab on 2008R2 per Jeff's suggestion. I omitted the kvno
flag, and repeated extraction until I got a kvno of sufficient value not to
interfere with existing keys.
For ktpass:
-crypto ALL creates a keytab with DES-CBC-CRC, DES-CBC
> There's a version for Solaris, which was last believed to work (I
> don't know of anyone who runs it, though).
Given NFS' lack of any strong authentication, I would have
expected that it always had a limited targeted audience.
> ... There's also a Linux
> version, which is in 1.5.x, but w
knfs still exists. I have no idea if it works, but it's there. And it
doesn't imply a hacked NFS client, from how I'm reading that section.
It's run on the NFS server, and associates NFS client accesses from UID
X to be associated with AFS tokens Y.
There's a version for Solaris, which was l
On Fri, 5 Mar 2010 07:41:22 -0800 (PST)
Booker Bense wrote:
> > The source doesn't appear to have any references to afs2nfs, so
> > probably. However, I don't see 'afs2nfs' in the whole tree, including
> > the documentation; where is this mentioned?
>
> openafs/doc/xml/UserGuide/auusg010.xml
>
On Fri, 5 Mar 2010, Andrew Deason wrote:
On Thu, 4 Mar 2010 13:46:15 -0800 (PST)
Booker Bense wrote:
In the docs, it claims that if you have a token, the afs2nfs
program can use it to allow you afs privileged access via NFS.
This implies a hacked nfs client, does that code still exist and
i
On Fri, 05 Mar 2010 08:41:26 -0500
"John W. Sopko Jr." wrote:
> Thanks for the info. I am going to delete the rest of the non MH
> machines. One more question. Should the vldb database contain only
> file server machines?
Yes.
> One of the MH entries is our Kerberos 5 machine, it is not an AFS
On Thu, 4 Mar 2010 13:46:15 -0800 (PST)
Booker Bense wrote:
>
> In the docs, it claims that if you have a token, the afs2nfs
> program can use it to allow you afs privileged access via NFS.
>
> This implies a hacked nfs client, does that code still exist and
> is it part of the current OpenAFS
Thanks for the info. I am going to delete the
rest of the non MH machines. One more question.
Should the vldb database contain only file server
machines? One of the MH entries is our Kerberos 5
machine, it is not an AFS file or db server.
Does that need to be in the vldb db? The
k5 entry may have g
On 5 Mar 2010, at 01:20, eric.hagb...@morganstanley.com wrote:
I've found that if you run a program to generate tokens and pags
frequently (about once per second), that fairly soon, the cpu system
time on the machine will begin to swallow performance, though it
takes a little while to obse