rnatively, you could edit the Makefile, removing the line:
${COMPILE_PART1} pam ${COMPILE_PART2} ;; \
[ t charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]
___
OpenAFS-info mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-info
Hasn't pam_krb5 with built-in AFS support pretty much obsoleted
pam_openafs-session?
On Sat, 7 Jun 2003, Derek Atkins wrote:
> If you find out, let me know.. I'd like to include it in the Red Hat RPMs.
>
> -derek
>
> Richard Wallace <[EMAIL PROTECTED]> writes:
>
> > Hey guys,
> >
> > Does anyone
e Rx vulnerability, as long as you "fs setcrypt on", you'd only
have to worry about a denial of service attack. Of course, you're running
Win98, so an AFS DoS is the least of your worries.
[ t. charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]
rce of my
> > > troubles running aklog.exe to get Kerberos5/AFS tokens.
> > > The "troubles" are that every time I run aklog.exe on Windows 98, it crashes.
> > > Thank you.
> >
> > I'm looking at main() in src/WINNT/afsd/afsd95.c. I see none.
>
On Thu, 5 Jun 2003, Ryan Underwood wrote:
> On Wed, Jun 04, 2003 at 11:12:44PM -0500, Charles Clancy wrote:
> >
> > Best bet: download krb5-win32.exe from ftp.cmf.nrl.navy.mil. It has a
> > krb5 client and a functional aklog.exe. Install Win9x version of the
> > Ope
or your help,
It will not affect any of your data. For that matter, it won't even
affect your existing accounts (you could theoretically have both MIT and
Heimdal running simultaneously). You're *adding* a new key, not
*overwriting* the existing key in this process.
[ t. charles clan
> Do the AFS servers need special
> configuration for encryption to work?
Nope.
[ t. charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]
a
krb5 client and a functional aklog.exe. Install Win9x version of the
OpenAFS client, and be sure to start it with the appropriate command line
argument to disable kaserver authentication. It should all just work.
[ t. charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]
On Mon, 17 Mar 2003, seph wrote:
> Charles Clancy <[EMAIL PROTECTED]> writes:
>
> > On Mon, 17 Mar 2003, Tim C. wrote:
> >
> >>server fs1.afs partition /vicepa RW Site
> >>server fs1.afs partition /vicepa RO Site
> >
> > What p
y in kerberos, you need to create a
ptserver entry in AFS. Try "pts adduser [username]".
[ t charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]
On Wed, 5 Mar 2003, Frank Burkhardt wrote:
> On Tue, Mar 04, 2003 at 09:47:08PM -0600, Charles Clancy wrote:
>
> > Have you considered using pam_krb5afs, rather than pam_krb5 and
> > pam_openafs_session?
>
> Can pam_krbafs be used with mit-krb5 ?
>
The pam_krb5afs
On Tue, 4 Mar 2003, Frank Burkhardt wrote:
> On Sat, Mar 01, 2003 at 11:13:53PM -0600, Charles Clancy wrote:
> > On Sat, 1 Mar 2003, Frank Burkhardt wrote:
> > > On Wed, Feb 26, 2003 at 02:01:49PM -0600, Charles Clancy wrote:
> > >
> > > > Try removing
On Thu, 16 Jan 2003, Chris (Ducky) Chapin wrote:
> Does OpenAFS (or AFS, for that matter) support sparse files? I'm not
> finding any definitive info one way or the other (except for a 'no' for
> pre 3.4 of Transarc AFS). =/
Nope. Use gzip. ;)
[ t charles clan
adow/www/afs/afs-with-kerberos.html
A pretty good FAQ:
http://www.mathematik.uni-karlsruhe.de/~iwrmm/Persons/Schulz/Unix/afs/afs-krb5.html
[ t charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]
che managers (client machines) who have
a cached copy.
There's a complete description in the wiki, AdminFAQ section 3.07:
http://grand.central.org/twiki/bin/view/AFSLore/AdminFAQ#3_07_How_does_AFS_maintain_consi
[ t charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]
to start with the HTML versions and then convert them
to the POD source you suggest.
[ t charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]
What's ~/.AFSSERVER for? I saw it in a recent truss output:
open("/home/tclancy/.AFSSERVER", O_RDONLY) Err#2 ENOENT
open("/.AFSSERVER", O_RDONLY) Err#2 ENOENT
[ t charles clancy ]--[ [EMAIL PROTECTED] ]
"/bin/sh"); }
chown root it, chmod 4755 it, and then can easily get root on any client
machine. I suppose we have to trust our AFS admins. ;)
The fix is of course "fs setcell -nosetuid", but that could possibly cause
other problems, depending on what you're distributing o
s?
I suggest you follow all the steps from scratch in the README for getting
your AFS and Kerberos keys configured. The one I suggested was just for
setting the kvno on your Kerberos principal. There's also the issue of
importing that key into AFS with asetkey. The documentati
From what I recall, it should work if you upgrade
your SSH client.
This code section seems particularly useful:
/* XXX - punt on backward compatibility here. */
...
case SSH_CMSG_HAVE_AFS_TOKEN:
packet_send_debug("AFS token passing disabled before authentication.");
break;
...
[ t cha
s going again.
Interestingly enough, two PowerPoint presentations I saved in AFS space
from the XP client are perfectly readable under Solaris.
Was it a Solaris bug, a Windows bug, or a general bug?
[ t charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]
ut ones not compatible with Solaris?
[ t charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]
he _same_ as the highest kvno in your
AFS KeyFile, e.g.:
% ./asetkey list
kvno3: key is: ...
kvno5: key is: ...
All done.
% kadmin.local -q "modprinc -kvno 5 [EMAIL PROTECTED]"
[ t ch
'asetkey list'. You probably mistyped
something when you did your original asetkey.
[ t charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]
response rather than a
"closed" response, depending on what firewall is being used (if there even
is one).
[ t charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]
On Sun, 3 Nov 2002, Tommy Mann wrote:
>
> Tommy
>
>
> On 3 Nov 2002, Derek Atkins wrote:
>
> >
inly does not involve PAM. The module
pam_afs.so can only do password-based authentication.
[ t charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]
timeouts?
In my experience, I can get one client to work fine from behind a NAT by
using long UDP timeouts. However, despite what others have reported, I've
never been able to get multiple clients to work from behind a NAT (using
both IPF on Solaris and Win2K Server's built-in NAT rou
ct with a verbose client:
$ ssh -v -v -v user@host
Check the massive amounts of debug info for things that look
inappropriate.
I don't recall if you said so earlier -- but does your pam_afs.so work
with other applications? Is your SuSE box running the same version of
sshd?
[ t charles c
ague idea, that this was what one could expect.
Do you have an admin token?
Do "vos remove wallace vicepa root.afs -localauth" from your AFS server.
That avoids authentication and token problems.
[ t charles clancy ]--[ [EMAIL PRO
ll existed (if not expired) by
> typing "tokens" at terminal window.
This is expected. Use "klog -setpag" if you want to create a PAG. I
suggest you read the documentation on klog and pagsh.
[ t charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]
utilities would presumably be run from some sort of
login script or startup shortcut.
Alternatively, there's a utility that combines the functionality of ms2mit
and aklog into a single binary:
http://www.rose-hulman.edu/TSC/software/wake/
[ t charles clancy ]--[ [EMAIL PROTECT
? There has got to be someone who has this available? Someone has got
> to have used krb5 + windows before. How? Am I stuck trying to find a C
> compiler and going from source?
You have all the files; now you just need to get them all to play nicely
together.
[ t charles
n, you'll need the Kerberos 5
client and a copy of aklog.exe. Alternatively, you can try and use
WinXP's built in kerberos support, and use ms2mit.exe with aklog.exe (or
WAKE).
[ t charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]
-based tools for managing
users, resetting passwords, home directory quotas, etc. I'm not aware of
any pre-packaged web interfaces, however.
[ t charles clancy ]-[ [EMAIL PROTECTED] ]-[ uiuc.edu/~tclancy ]
l
http://lists.openafs.org/pipermail/openafs-info/2002-March/003872.html
http://ismene.csl.uiuc.edu/afs-mig/doc/ (Ken Hornstein's docs)
[ t charles clancy ]-[ [EMAIL PROTECTED] ]-[ uiuc.edu/~tclancy ]
is caused by AFS
servers with their system clocks too skewed relative to one another.
It doesn't seem to have much to do with your problem, though.
[ t charles clancy ]-[ [EMAIL PROTECTED] ]-[ uiuc.edu/~tclancy ]
rking because your client isn't
properly started, because the cache is hosed. So, try the "rm -rf"
approach. Perhaps that's not "non-drastic" but rebuilding the cache isn't
a big deal.
[ t charles clancy ]-[ [EMAIL PROTECTED] ]-[ uiuc.edu/~tclancy ]
inux, IRIX, Solaris, and AIX:
http://ismene.csl.uiuc.edu/afs-mig/
[ t charles clancy ]-[ [EMAIL PROTECTED] ]-[ uiuc.edu/~tclancy ]
at the same security hole exists in all the machines
anyway. (Bad argument, I know...)
[ t charles clancy ]-[ [EMAIL PROTECTED] ]-[ uiuc.edu/~tclancy ]
ata.
Wow. Use NFS.
I apologize if my comments are a bit sardonic. If you're going to ignore
our advice, don't ask for it. In my opinion, you are completely missing
the point of AFS. From everything you've said, I strongly suggest you
stick with NFS. It would be more appropriate
instead to get
> the information needed?
People have brought it up before, but it's just not practical. The data
is *mostly* static, and not very redundant. Even in very large
environments, moving to LDAP wouldn't make administration any more or less
difficult.
[ t. charles clancy
'vos remsite?' That would at least let me use my volumes again.
As long as "vos listvol" doesn't show any real volumes in existence, you
should be able to "vos syncvldb" to synchronize apparently confused VLDB
with th
gest trying to
recreate the volume with a "vos backup user". If you have no desire to
keep the volume, then delete it "properly" with a "vos remove papadoc
vicepa user.backup".
[ t charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]
client
> will do useful authentication
Also any FTP server supporting PAM will work too.
[ t charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]
scripts, you should be able to get a
reasonable backup system going.
[ t charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]
00178374C00
> gcc --version
2.95.2
Any suggestions?
Also -- are there any plans for an HP-UX port of OpenAFS?
--
t. charles clancy <> [EMAIL PROTECTED] <> www.uiuc.edu/~tclancy
of the AFS
server as root, open two dtterm's, do a butc -localauth in one, and a
backup -localauth in the other.
--
t. charles clancy <> [EMAIL PROTECTED] <> www.uiuc.edu/~tclancy
rt (MIT and Heimdal) and with AFS
> support.
The point of the original post was to be able to refresh tokens when
unlocking the screensaver. How is that done in a program that natively
supports kerberos and AFS? Can you tell it whether or not it should
"-setpag" when it g
what you want to use.
Incidentally, fetchmail didn't crash on me.
$ fetchmail --version
This is fetchmail release 5.1.0
SunOS ismene 5.8 Generic_108528-12 sun4u sparc
--
t. charles clancy <> [EMAIL PROTECTED] <> www.uiuc.edu/~tclancy
ls'
root.cell's mounted. If you are using '-dynroot', trim your CellServDB to
only include the cells you want to show up.
Out of curiosity, what would happen during an 'ls /afs' if both '-afsdb'
and '-dynroot' were used?
--
t. charles clancy <>
have local /etc/passwd entries
for this information. If you want to use NIS, I'd recommend setting the
password field in the shadow map to "*NP*", so NIS only provides name
service and not authentication. See one of the MANY responses to this
exact question in the mailing l
to log in? If you
want AFS users to log in, you'll want to double check the status of PAM
support, or use Kerberos 5 support (if you are running kerberos 5 in your
cell).
--
t. charles clancy <> [EMAIL PROTECTED] <> www.uiuc.edu/~tclancy
the security problem of NIS!
--
t. charles clancy <> [EMAIL PROTECTED] <> www.uiuc.edu/~tclancy
client UDP
port changes? If so, then the client should continue to work (perhaps not
optimally) without UDP timeout increased.
--
t. charles clancy <> [EMAIL PROTECTED] <> www.uiuc.edu/~tclancy
> Charles Clancy <[EMAIL PROTECTED]> writes:
>
> > Would this possibly fix the problem of multiple AFS clients behind a NAT
> > gateway?
>
> No. You can already have multiple AFS clients behind a NAT -- you
> just need to set the NAT UDP timeouts to be fair
OpenAFS, see:
http://www-106.ibm.com/developerworks/linux/library/os-afs.html
--
t. charles clancy <> [EMAIL PROTECTED] <> www.uiuc.edu/~tclancy
n admin token, even though
root isn't logged in (since I didn't setpag, it's using UID to identify
processes with access to the token). Then, dtlogin running as root is
able to access users' ~/.dt directories. Of course, that only lasts 25
hours, before the token exp
> Can anyone out there tell me if there is any kind of SAMBA - AFS
> bridge?? (apologies to Charles Clancy for the mis-send)
In which direction? Providing access to AFS via SMB, or providing access
to SMB shares via AFS?
For the first case, simply compile Samba with PAM support, and u
o apache can get to the
~/public_html directory and sendmail can get to the ~/Public/.forward
file. Depending on your existing environment, you may decrease overall
security by doing this.
--
t. charles clancy <> [EMAIL PROTECTED] <> www.uiuc.edu/~tclancy
On 31 May 2001, Martin Schulz wrote:
> Charles Clancy <[EMAIL PROTECTED]> writes:
>
> > So, I wrote a simple little PAM module that when used in conjunction with
> > Kerberos PAM will get a TGT and AFS token for users logging in, regardless
> > of what service the
On Fri, 27 Apr 2001, Derrick J Brashear wrote:
> On Fri, 27 Apr 2001, Charles Clancy wrote:
>
> > Is there any [easy] way to migrate accounts from the kaserver to krb5? I
> > figure that since kaserver is basically krb4, there should be some sort of
> > "upgrade
asswords stored
consistently between krb4 and krb5? Could that then be imported? I just
don't to avoid assigning new passwords for all the accounts currently on
the system.
Thanks!
_______
Charles Clancy -- [EMAIL PROTECTED]
Senior UNIX Admini
and file service to NT workstations,
but I couldn't get around the plain-text password requirement of
Samba.
_____
Charles Clancy, [EMAIL PROTECTED]
Senior UNIX Administrator, Rose-Hulman CS
is-ftpd and pro-ftpd via PAM, and it works great.
___
Charles Clancy -- [EMAIL PROTECTED]
Senior UNIX Administrator, Rose-Hulman Computer Science