Re: [OpenAFS] k5start and AFS tokens

Quoting Jaap Winius : start-stop-daemon --start --pidfile /run/zz/k5start-zz.pid \ --chuid $USER:$GROUP --exec /usr/bin/k5start -- -b \ -p /run/zz/k5start-zz.pid \ -K 10 -l 24h -k /tmp/krb5cc_107 -o zz \ -L -t -U -f /etc/krb5-zz.keytab \ $($DAEMON $DAEMON_ARGS) || return 2

Re: [OpenAFS] k5start and AFS tokens

Quoting Dirk Heinrichs : You don't let k5start start your zz daemon. IOW: You don't do the "start" part of k5start, only the "k5" part. Okay, how about this? start-stop-daemon --start --pidfile /run/zz/k5start-zz.pid \ --chuid $USER:$GROUP --exec /usr/bin/k5start -- -b \ -p /run/zz

Re: [OpenAFS] k5start and AFS tokens

Quoting Benjamin Kaduk : On Fri, 26 Sep 2014, Jaap Winius wrote: Are you suggesting that I alter the /etc/init.d/ script that starts up the daemon in question, ... That's the general idea, yes. ... Okay, I figured it out. I altered /etc/init.d/zz by adding the following line t

Re: [OpenAFS] k5start and AFS tokens

Quoting Benjamin Kaduk : The k5start mindset is to avoid having to have a separate periodic process that prepares tickets/tokens for some independent process to consume -- instead, the process consuming the tickets/tokens is a child process, wrapped by k5start. ... Are you suggesting that I no

Re: [OpenAFS] k5start and AFS tokens

Quoting Benjamin Kaduk : Passing -t tells k5start to literally run 'aklog' (unless AKLOG is set in the environment), not /path/to/long-running-command, when it gets tickets. Well, that's all I want it to do, in addition to keeping a Kerberos ticket alive. In the mean time, I've actually su

Re: [OpenAFS] k5start and AFS tokens

On 26/09/14 19:34, Brandon Allbery wrote: This is because, if you specify a command, it runs that command and then cleans up and exits. It's specifically intended to run a long-running command or daemon while maintaining Kerberos tickets and optionally AFS tokens for that command. Which leads to

[OpenAFS] k5start and AFS tokens

Hi folks, How should k5start (kstart 4.1-2 on Debian wheezy) be configured for /etc/inittab to maintain a Kerberos ticket *and* an AFS token for an arbitrary server process not running as root? The -t option seems to do nothing for me, while any command option placed at the end of the sta

[OpenAFS] Cross-realm access

Hi folks, After setting up Kerberos cross-realm access and then creating a system:authuser@ group in a foreign cell, it seems that basic rl access to the cell's contents is only possible after that group is given rl access to every single directory that system:authuser has access to. Not

[OpenAFS] X11 logout script

Hi folks, Some of the the sites that I maintain use an elaborate logout script, located in /etc/X11/Xreset.d/, that runs as root and contains many sudo commands to make changes to each user's home directory. It works because these directories are made available via NFSv3 (another story),

[OpenAFS] Fstab options for AFS on SSDs

Hi folks, Recently I've started using SSDs in both servers and workstations and this article -- https://wiki.debian.org/SSDOptimization -- offers some suggestions on which options to use in /etc/fstab, e.g. "discard,noatime,commit=600,defaults" for /boot. But would it be okay to use these

Re: [OpenAFS] Removing stuff from /afs

Quoting Brandon Allbery : If you're using dynroot, that's an autocreated directory which can be used to access any volume directly: try /afs/.:mount/local.cell:root.cell (replacing "local.cell" with the name of the local cell). Well, whaddya know: it's not a mistake, it's a feature! Must be ne

Re: [OpenAFS] Removing stuff from /afs

Quoting Benjamin Kaduk : I assume that you are not using dynroot? Actually, I am using it. In /etc/openafs/afs.conf.client I have: AFS_DYNROOT=true The standard way to do such things is to make an additional mount of the root.afs volume somewhere else in the local cell, and use a read-

[OpenAFS] Removing stuff from /afs

Hi folks, Could someone please remind me how to remove stuff from the /afs directory? I recently discovered an empty directory there, called: /afs/.:mount Obviously it was created there by accident, probably by me. However, when I try to remove it I get: rmdir: failed to remove `/afs

Re: [OpenAFS] Re: byte-range lock errors

Quoting Andrew Deason : That doesn't stop you from trying an experimental version of it or something, though. If you wanted to try it out, I'm sure Matt can help you out. (I don't think I have any of that code, or if I do, I'm sure it's very old.) That doesn't sound like a bad idea. [Somethi

Re: [OpenAFS] Re: byte-range lock errors

Quoting Andrew Deason : Is it possible to enable support for byte-range locks in this version of OpenAFS, Well, they are on, sorta. They're on as much as they can be on, with current OpenAFS. I seem to remember a somwhat woozy Matt Benjamin delivering a presentation about a solution for th

[OpenAFS] byte-range lock errors

Hi folks, Although I upgraded my site's server machine from Debian squeeze to wheezy and from openafs-fileserver 1.4.12.1 to 1.6.1 months ago, I only upgraded my workstation to wheezy with openafs-client 1.6.1 this week. However, since the latter I've been seeing very many of these errors

Re: [OpenAFS] PTS database dump and restore?

Quoting Brandon Allbery : pt_util? Ah! I missed that. It's a pity, though, that the dump file format doesn't include supergroup information. Thanks, Jaap ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/li

[OpenAFS] PTS database dump and restore?

Hi folks, While documenting a very simple AFS backup script, I realized it was not making any backups of the PTS database. A quick search revealed a pts man page for the Arla project that does mention an option for performing a PTS database dump. Unfortunately, the pts man page that comes

Re: [OpenAFS] Re: Performance issues

Quoting Brandon Allbery : It's currently set to 128 MB on all of the workstations. I could increase that, but by how much? I'm under the impression that, not far beyond this point, the returns tend to diminish. That was the old conventional wisdom, but these days people find 1GB caches useful

Re: [OpenAFS] Re: Performance issues

Quoting Brandon Allbery : First: is the cache big enough? The working set of even a lightweight desktop manager is pretty big. It's currently set to 128 MB on all of the workstations. I could increase that, but by how much? I'm under the impression that, not far beyond this point, the re

Re: [OpenAFS] Re: Performance issues

Quoting Andrew Deason : What approximate throughput are you seeing in the two cases? ... I've been monitoring bandwidth usage with Cacti, which shows that even internal throughput does not normally exceed 3 Mbps. The graphs for the main Internet connections are pretty much the same and the

Re: [OpenAFS] Re: Deleted db servers still being queried

Quoting Andrew Deason : What's the source port on these packets from the 'master' dbserver? The source port is usually 7001 with destination port 7003. However, for less than 30 minutes this morning, I saw packets arriving for destination port 7002 from arbitrary unprivileged port numbers.

Re: [OpenAFS] Deleted db servers still being queried

Quoting Chris Hoy Poy : if you still have the old IPs in your control, put an iptables (or some other firewall rule) up to log any traffic to/from the ports. That's how I know where the packets are coming from and where they are going. All of the queries are coming from the current ubik mas

[OpenAFS] Deleted db servers still being queried

Hi folks, My AFS network used to have six hosts: thee db servers and three fs servers. Thinking that I might be able to end some unexplained behavior, I decided to consolidate them and have three hosts. I did this by creating a new db server on each fs server host and then deleting the db

[OpenAFS] Performance issues

Hi folks, Some six months after launching my first AFS project, I've learned some things but would also like to make some improvements. My site has three locations, each with one physical server machine running Debian squeeze, as well as two Internet connections. To avoid Kerberos identit

Re: [OpenAFS] Re: Replication problem

Quoting Andrew Deason : Explain "won't replicate"; Um, that it was taking longer than expected? :-) ... what does "vos release" say when you try? Nothing. It just wasn't giving me my prompt back. trans 3 on volume 536870967 is older than 360 seconds trans 3 on volume 536870967 i

[OpenAFS] Replication problem

Hi folks, Two of my volumes are refusing to replicate. "vos examine" shows that some replicas are flagged as "Old release", but when I try a "vos release", even with the "-force" option they won't replicate. A lot of bandwidth was used in my attempts, but I'm not sure for what. Applying "

Re: [OpenAFS] File server memory requirements

Quoting "Matt W. Benjamin" : ... If you're not already setting a million or so, for rw file service, you might consider increasing that parameter. It looks like it would be possible to increase that parameter by using the "fileserver" command along with, say, the -L option. First I'd delet

RE: [OpenAFS] File server memory requirements

Quoting Chaz Chandler : A memory cache is a client-side thing. So although technically you could have one on a server (if you also had the AFS cache manager, aka client, on there), it would probably not do what you are thinking. Okay, so a memory cache, like a disk cache, is just client st

[OpenAFS] File server memory requirements

Hi folks, Although my OpenAFS file servers will probably never see more than a dozen simultaneous client connections, what would be a good amount of memory to give them? They currently each have only 1 GB of RAM, but I can give them a lot more than that if it would make a difference. Also

Re: [OpenAFS] Deploying OpenAFS on VMs

Quoting Coy Hile : I have a question about deployment of OpenAFS on VMWare. Assume for the sake of argument that one has a requirement to deploy OpenAFS on VMs -- to include deploying his fileservers as VMs. Has anyone actually done that sort of deployment? Well, I have something similar tha

Re: [OpenAFS] Re: UDP timeouts

Quoting Andrew Deason : If you want to look at this further, capturing network traffic to/from an idle client that triggers this would help say why. ... Or, if you turn the fileserver debugging up to at least 2 ... you could see how often you see this message: Checking for dead venii & clie

Re: [OpenAFS] Re: UDP timeouts

Quoting Andrew Deason : That's against the 1.4 head, but it should apply fine to your source as well. You still want a timeout of at least around 20 minutes with that, but try adjusting the tim

Re: [OpenAFS] Re: UDP timeouts

Quoting Andrew Deason : Sorry for the delay. Apply this: That's against the 1.4 head, but it should apply fine to your source as well. You still want a timeout of at least around 20 minutes wi

Re: [OpenAFS] Re: UDP timeouts

Quoting Andrew Deason : The patch for this is simple, though. Jaap, if you want to run with smaller timeouts, we can get you a fileserver patch that should make them workable. (I'm assuming this is a 1.4 fileserver?) That would be welcome! My fileserver version is 1.4.12.1+dfsg-4 (Debian squ

Re: [OpenAFS] UDP timeouts

Quoting Jeffrey Altman : The next question is what do ip_conntrack_udp_timeout and ip_conntrack_udp_timeout_stream actually control? Are those values "timeouts" from the last traffic seen or hard caps on how long a mapping can exist? It sounds like you are experiencing a hard cap. Yesterday

Re: [OpenAFS] UDP timeouts

Quoting Avinesh Kumar : The VMware Player tool comes with a network configuration utility, using which I set up UDP timeout for NAT to "0" that would mean to not timeout... This is working pretty good for me, if you have similar configuation you may try this out. Unfortunately, I have a produ

Re: [OpenAFS] UDP timeouts

Quoting Jeffrey Altman : Which party is behind the NAT? Server or Client? The clients. All of the clients are separated from the servers by a stateful firewall and NAT -- even when the server is local. Cheers, Jaap ___ OpenAFS-info mailing list

Re: [OpenAFS] UDP timeouts

Quoting Jeffrey Altman : 10 to 15 minutes is more than sufficient. Since ip_conntrack_udp_timeout and ip_conntrack_udp_timeout_stream were decreased from 28800 to 900 seconds, I've been seeing lots of dropped packets again. Any explanations? I've now increased both values to 3600. Chee

Re: [OpenAFS] UDP timeouts

Quoting Jeffrey Altman : 10 to 15 minutes is more than sufficient. Ah, that makes me feel much better! Nevertheless, 10-15 minutes is still 20-30x the default value. As an alternative solution, could setting something like... fs checkservers -interval 10 ... on the clients be just as

Re: [OpenAFS] UDP timeouts

Quoting Stanisław Kamiński : Could you share how did you find that they are dropped? Mostly I's see lines like the following in the syslog of the host running the firewall: Apr 30 16:33:16 noord kernel: [181949.998779] DROP IN=br1 OUT= PHYSIN=eth1 MAC=00:16:0a:24:d5:3d:00:25:2e:64:1a:8f:

[OpenAFS] UDP timeouts

est solution in this situation? Is a 28800-second timeout value for UDP connections okay, or can I do with less? Or, would it be an better idea to instead configure all of the workstations with the following command? fs checkservers -interval 10 Thanks, Jaap Winius *) http://www.cs.

[OpenAFS] Broken mount points in user backup volumes

Hi folks, In Richard Campbell's "Managing AFS: the Andrew File System" (Prentice-Hall, 1998), regarding backup volumes it says on page 100 that: "User backup volumes can be mounted once in some well-known area, either one set aside for all backups or perhaps inside the home directo

Re: [OpenAFS] .dmrc file being ignored

Hi folks, After some more work on this issue I seem to have it licked. What's interesting is that all that seems to be necessary is setting the "l" (list) permission bit for system:anyuser for the user home directories. Initially, I also took the trouble to create a separate dmrc volume a

Re: [OpenAFS] .dmrc file being ignored

Quoting Stephan Wiesand : this works fine here on EL <= 6 (EL6 has gdm-2.30). Debian squeeze has gdm 2.20. Are you suggesting that I'm dealing with a gdm bug or a Debian bug? I always liked it that gdm, unlike other *dm, reads the file after acquiring the user's credentials. Unfortunate

[OpenAFS] .dmrc file being ignored

Hi folks, When using gdm (the GNOME Display Manager) on Debian squeeze for login purposes along with multiple locales, if a user selects a language other than the default with which to start their session, they get the following error immediately after entering their password: "User's $HO

Re: [OpenAFS] Multiple logins

Quoting Jason Edgecombe : Is this enforcing a policy decision or just preventing technical problems caused by multiple logins? For my site it is strictly to prevent technical problems. I'm wondering because we us gnome on RHEL5 with AFS home directories and multiple logins on different mac

Re: [OpenAFS] Multiple logins

Quoting Dirk Heinrichs : ... Is it possible to prevent users from logging in more than once ... No, you can't. ... Thought so. A workaround may be to install different desktop environments and applications on some hosts. Which desktop env. is it that makes problems? KDE, although I do

[OpenAFS] Multiple logins

Hi folks, My site uses OpenAFS and MIT Kerberos with OpenLDAP for user meta data (all running on Debian squeeze). Is it possible to prevent users from logging in more than once, or at least to prevent them from starting up the same desktop environment on multiple hosts with the same accou

Re: [OpenAFS] Re: Listing bos cron jobs

Quoting Andrew Deason : bos status srv.example.com -long Ooo, I was so close before I posted this question: ~# bos status -server srv.example.com -long cron bos: Too many values after switch -server ~# _ Thanks also to Neil Davies for coming up with the same answer! Cheers, Jaap _

[OpenAFS] Listing bos cron jobs

Hi folks, Today I succeeded in creating my first bos cron job: ~# bos create -server srv.example.com -instance vrdicomz \ -type cron -cmd "/usr/bin/vos release dicom-z -localauth" 17:37 It works! :-) However, if you make a bunch of these, how do you list them? Thanks, Jaap _

Re: [OpenAFS] Multihomed issues

Quoting Jaap Winius : ... Besides putting the external address in NetInfo and the internal one in NetRestrict, I probably need to make sure that each server's name always refers to its external address, both internally and externally. I do something simple, like make up some new names fo

Re: [OpenAFS] Re: Multihomed issues

Quoting Andrew Deason : If you're giving "vos addsite" a server name that resolves to an internal IP, well, there you go. You can have the fileserver set up completely correctly, but if you tell AFS 'vos addsite 192.168.1.1', it's going to add 192.168.1.1 as a site. "vos" doesn't have a way of k

Re: [OpenAFS] Multihomed issues

Quoting Derrick Brashear : are both addresses reachable internally? Yes. can't do it, alas. if both are reachable, list only the outside, everywhere. otherwise, list only the inside, inside. That's what I thought. Yet, AFS keeps finding and using its internal IP address. then you don'

Re: [OpenAFS] Multihomed issues

Quoting Derrick Brashear : If this is all because of DNS, what should I do? Both AFS servers also run Bind9 with split views -- internal and external. Each AFS server sees an internal view that includes its private IP address. then some systems *need* the internal address to be able to reach t

Re: [OpenAFS] Multihomed issues

Quoting Derrick Brashear : I kind of follow what you're saying here. However: 1) CellServDB is "where are database servers" 2) what's in the VLDB is "where are the volumes" so just because it appeared in 1, well, that has nothing to do with 2. mantra: "solve the real problem" Makes sense. Righ

Re: [OpenAFS] Multihomed issues

Quoting Russ Allbery : Hm, I would have thought that would be enough. If you have NetInfo, that should be all you need. What directory did you create that file in? /var/lib/openafs/local/ I did mean /etc/openafs/server/CellServDB, but, like the original server, this new (second) server is

Re: [OpenAFS] Multihomed issues

Quoting Russ Allbery : The file server is what tells the VLDB that it has those addresses, so I think the same solution should work there. The trick is that you have to create the NetInfo and NetRestrict files before the first time you start the file server. It should then not register them.

[OpenAFS] Multihomed issues

Hi folks, After messing around with a couple of multihomed hosts for a while, I get the impression that AFS, or at least the Debian squeeze install procedure for it, doesn't like to work this way. It's possible to prevent the file server from listening to certain interfaces (addresses) by

Re: [OpenAFS] sysid

Quoting Derrick Brashear : ... when does the system automatically recreate the sysid file, and when does it not do this? What are the requirements and can they be checked? if it's missing it should be recreated when the server registers with the VLserver. what does the FileLog tell you? Oh,

[OpenAFS] sysid

Hi folks, After experimenting with /var/lib/openafs/local/NetInfo on my Debian squeeze servers (OpenAFS v1.4.12.1+dfsg-3), I've noticed that if I rename the sysid file and restart the file server process, the sysid is not automatically recreated. Running "/etc/init.d/openafs-fileserver re

Re: [OpenAFS] Windows client options

Quoting omall...@msu.edu: You might be able to use pgina which is a windows login screen replacement. There was someone working on a kerberos plugin for it. I am not sure how far they got. (I haven't tried the 2.x series) I do know I had openldap (with failover) working with it via a sasl-p

Re: [OpenAFS] Windows client options

Quoting Jeffrey Altman : OpenLDAP is not a replacement for Active Directory. You either need to manage local Windows accounts that are mapped to Kerberos identities for logon or you need to use Active Directory (or an Active Directory equivalent) to manage the accounts for you. In either case,

[OpenAFS] Windows client options

Hi folks, So far, I've been able to get Linux clients to work perfectly with my MIT Kerberos V / OpenLDAP / OpenAFS servers. No need to create any local accounts: anyone with a network account can login to any workstation and none of their personal files are stored locally. I hope I'm wro

Re: [OpenAFS] Re: Redundant Internet links

Quoting Derrick Brashear : ... Each database server should never consider that it has any other IP address except one in particular. The single IP addresses that they each use to reach their remote companions will never change either. Only the routing in between will occasionally change as nee

Re: [OpenAFS] Re: Redundant Internet links

Quoting Derrick Brashear : Yeah, I suspected that would be a problem... despite the fact that the names following the "#" behind the IP addresses would be the same. So, I'll just use one IP address per server in the CellServDB files of the DB/file server machines and let the routing system take

Re: [OpenAFS] Re: Redundant Internet links

Quoting Andrew Deason : ... We don't provide the tools for a split-horizon vldb (yet, anyway). Actually, if we're all going to move to IPv6 anyway, of what use would that be? To be clear, the fileserver does not become readonly; what becomes readonly are the databases that contain volume

Re: [OpenAFS] Re: Redundant Internet links

Quoting Andrew Deason : Is the "internal" address only routable from that site? No. Although each of the three sites will be connected to a small internal network with private IP addresses, the broadband modems will be in bridged mode and the server will also have two public IP addresses

[OpenAFS] Redundant Internet links

Hi folks, It won't be long now before I'll be installing my first OpenAFS cell at a client site! It's exciting. Even though the organization in question is small, employing only a dozen people, the network is interesting: three locations, each with an OpenAFS DB/file server, redundant Int

Re: [OpenAFS] Re: Bash fails to execute on login

Quoting Andrew Deason : Well, as you said, the shell problem was because you were running dash. This suggests the NSS data is just wrong (your login shell is configured to /bin/sh instead of e.g. /bin/bash), which doesn't really have much to do with AFS. True, but at least it's fixed now. Now

Re: [OpenAFS] Re: Bash fails to execute on login

Quoting Jaap Winius : It feels like I'm missing something basic here. And I was. The problem was dash -- the new default system shell for squeeze. ~# dpkg-reconfigure dash Use dash as the default system shell (/bin/sh)? _No_ ~# _ Problem solved. Strange that dash doesn&

Re: [OpenAFS] Re: Bash fails to execute on login

Quoting Andrew Deason : ... upon logging in with ssh, Logging in how? With GSS, using a password, ... ? That's correct. I'm not clear on what exactly you mean by "bash fails to execute", For instance, my color prompt is shown as a long list of escape characters and the bash history does

[OpenAFS] Bash fails to execute on login

Hi folks, Back in June I figured out how to get a Kerberos/OpenLDAP/OpenAFS client working on Debian squeeze. It still runs fine on my main workstation, but now when I install new squeeze test clients (sans xserver), upon logging in with ssh, bash fails to execute (in some cases it won't

Re: [OpenAFS] OpenAFS on ext4?

Quoting Steve Simmons : And now I see later in the other thread there's already one successful case. But if there are others...___ Yeah, I've been running OpenAFS (v1.4.12) with ext4 on my private server (Debian squeeze) since June. Its workload

[OpenAFS] Plans for IPv6

Hi all, In the current version of the OpenAFS Road Map, it seems IPv6 is only mentioned in the title of one subsection -- RX/TCP and IPv6 -- and nowhere else. Would anyone care to comment on what plans there are to support IPv6 and when they may be implemented? Thanks, Jaap _

Re: [OpenAFS] hard link behavior

Quoting Todd Lewis : Sounds like you're thinking about the hardlink-fest that is the heart of BackupPC. ... Yup. I use faubackup and rsync stitched together with one of my own scripts. You're right: OpenAFS isn't a good place to put such storage. What, "period", or just at the moment? I'm

Re: [OpenAFS] hard link behavior

Quoting "Chas Williams (CONTRACTOR)" : this would be fraught with peril to implement safely and isnt reversible. say someone changes their mind about this acl policy. ... You could write a conversion tool, but why bother? The circumstances under which the setting I've suggested would be imp

[OpenAFS] hard link behavior

Hi all, Regarding the way OpenAFS handles hard links, my understanding is that, to prevent ACL conflicts, this is allowed to work between files as long as they are in the same directory. This results in two types of responses: 1.) If a hard linked file is moved to another directory in

[OpenAFS] ext4

Hi folks, How does ext4 currently compare to ext3 and ext2 for reliability when used with an OpenAFS client or file server? Of the people who have tried it, are there any who can say that they are pleased with it, or are most just sorry that they ever tried it? Thanks, Jaap _

Re: [ SPAM? ] [OpenAFS] Read-only replication

Quoting Lars Schimmer : Simple - Load Balancing. Imagine a cell at three countries hold together by small ISDN lines - a RO copy local to each faculty and the have fast access. Yes, but "In an organization where it is only necessary for an administrator to either give users read-write access

[OpenAFS] Read-only replication

Hi folks, Here's a hypothetical question regarding the replication of AFS volumes: In an organization where it is only necessary for an administrator to either give users read-write access to volumes, or no access at all, what would be the advantage of creating any read-only replicas, beyond

Re: [OpenAFS] OpenAFS DB server on a Soekris box?

Quoting Lars Schimmer : As a DB server I guess it would be perfectly fine. Sounds encouraging... I got a Atom330 class computer at home with debian and for a small network it could also handle the OpenAFS fileserver part quite well (not as fast as gigabit, but hey...). MiniITX systems with

[OpenAFS] OpenAFS DB server on a Soekris box?

Hi all, So far, my only experience with OpenAFS has been in a virtual environment, but I'm feeling confident enough now to use it for the next version of my home network in order to gain some more experience. I'd like to use three Debian Linux servers: two file- and database servers and a