[OpenAFS] Retirement of grand.central.org AFSDB records

2019-03-05 Thread Jeffrey Hutzelman
TL;DR: AFSDB records for grand.central.org and openafs.org will go away at the end of March. Over the next several months, we'll be making a number of changes and improvements to the infrastructure behind grand.central.org and openafs.org. Much of this work will be mostly or completely transpa

Re: [OpenAFS] afs stalled for large files, openafs 1.6.1, ubuntu 12.04, particular network

2014-04-18 Thread Jeffrey Hutzelman
On Sun, 2014-04-13 at 18:19 +0200, Liza M wrote: > Hello, > > I am having a rather interesting problem with openafs 1.6.1, ubuntu 12.04 : > on one particular network I do not seem to be able to work with files with > size ~> 1.4 kB . > When trying to e.g. copy or open larger files, the afs p

Re: [OpenAFS] Linux OpenAFS & EncFS?

2014-02-17 Thread Jeffrey Hutzelman
On Mon, 2014-02-17 at 13:11 -0600, Troy Benjegerdes wrote: > So $10k for design, and $100k for implementation sufficient to protect a > small business's data worth between $250k, and $1M. No, that's not what Jeff said. What he said was that doing the design and analysis work required to come up

Re: [OpenAFS] Re: DB servers "quorum" and OpenAFS tools

2014-01-24 Thread Jeffrey Hutzelman
On Fri, 2014-01-24 at 08:01 +, Simon Wilkinson wrote: > On 24 Jan 2014, at 07:48, Harald Barth wrote: > > > You are completely right if one must talk to that server. But I think > > that AFS/RX sometimes hangs to loong on waiting for one server > > instead of trying the next one. For exam

Re: [OpenAFS] Re: DB servers "quorum" and OpenAFS tools

2014-01-23 Thread Jeffrey Hutzelman
On Thu, 2014-01-23 at 14:58 +, Peter Grandi wrote: > My real issue was 'server/CellServeDB' because we could not > prepare ahead of time all 3 new servers, but only one at a time. > > The issue is that with 'server/CellServDB' update there is > potentially a DB daemon (PT, VL) restart (even i

Re: [OpenAFS] Re: DB servers "quorum" and OpenAFS tools

2014-01-23 Thread Jeffrey Hutzelman
On Thu, 2014-01-23 at 10:44 -0600, Andrew Deason wrote: > > For example in an ideal world putting more or less DB servers in > > the client 'CellServDB' should not matter, as long as one that > > belongs to the cell is up; again if the logic were for all types > > of client: "scan quickly the lis

Re: [OpenAFS] compilation problem for release 1.7.28

2014-01-20 Thread Jeffrey Hutzelman
On Mon, 2014-01-13 at 16:11 -0800, Wojciech Tadeusz Fedorko wrote: > Hello, > Tried compiling release 1.7.28 on a Ubuntu box: The latest stable OpenAFS release for non-Windows platforms is 1.6.5.2 (though 1.6.6 is due out very soon). 1.7.x releases are for Windows only.

Re: [OpenAFS] Re: DB servers "quorum" and OpenAFS tools

2014-01-17 Thread Jeffrey Hutzelman
On Fri, 2014-01-17 at 14:21 -0600, Andrew Deason wrote: > On Fri, 17 Jan 2014 18:50:13 + > p...@afs.list.sabi.co.uk (Peter Grandi) wrote: > > > Planned to do this incremental by adding a new DB server to the > > 'CellServDB', then starting it up, then removing the an old DB > > server, and so

Re: [OpenAFS] Re: DB servers "quorum" and OpenAFS tools

2014-01-17 Thread Jeffrey Hutzelman
On Fri, 2014-01-17 at 14:12 -0600, Andrew Deason wrote: > time, so presumably if we contact a downed dbserver, the client will not > try to contact that dbserver for quite some time. To elaborate: the cache manager keeps track of every server, and periodically sends a sort of "ping" to each ser

Re: [OpenAFS] Re: Extract files from /vicepa

2014-01-17 Thread Jeffrey Hutzelman
On Fri, 2014-01-17 at 14:41 -0600, Andrew Deason wrote: > On Fri, 17 Jan 2014 19:57:55 +0100 > Stephan Wiesand wrote: > > > In a perfect world, Andrew would now pick up your CVS repository, > > merge the improvements into the github one he mentioned, and start > > submitting the results to gerrit

Re: [OpenAFS] Extract files from /vicepa

2014-01-17 Thread Jeffrey Hutzelman
On Fri, 2014-01-17 at 16:52 +0100, Stephan Wiesand wrote: > On 2014-01-17, at 16:43, Coy Hile wrote: > > > > >> > >> I have a perl script from 2005 that could do this - but only for pure r/w > >> volumes. If there's a backup or readonly clone on the same partition, it > >> will probably fail

Re: [OpenAFS] Re: Ubik trouble

2014-01-14 Thread Jeffrey Hutzelman
On Mon, 2014-01-13 at 23:22 -0600, Andrew Deason wrote: > On Mon, 13 Jan 2014 12:32:12 -0500 > Jeffrey Hutzelman wrote: > > > A worse situation arises when server A makes an RPC to server B, but the > > best route from server B back to the original source address goe

Re: [OpenAFS] Re: Ubik trouble

2014-01-13 Thread Jeffrey Hutzelman
On Tue, 2014-01-14 at 00:55 +0100, Harald Barth wrote: > > The sad truth is that in order to properly support multi-homed hosts, Rx > > needs to be fixed so that it identifies all available interfaces, binds > > a separate socket for each interface, and keeps track of to which > > interface an inc

Re: [OpenAFS] Re: Ubik trouble

2014-01-13 Thread Jeffrey Hutzelman
On Mon, 2014-01-13 at 15:00 +0100, Harald Barth wrote: > (1) I had an old NetInfo file with a wrong IP addr lying around. This > did _not_ prevent the server to start nor to prevent sync completely. > The protection server synced fine and the volume location server > refused. The NetInfo and NetRe

Re: [OpenAFS] About openafs discon mode

2013-12-20 Thread Jeffrey Hutzelman
On Fri, 2013-12-20 at 20:11 +0100, nicolas prochazka wrote: > ok, > so discon mode cannot work ? I didn't say that. However, as it turns out, the cache manager appears to be discarding volume-level information, such as the name-to-id mappings you need to evaluate mount points. What this means is

Re: [OpenAFS] About openafs discon mode

2013-12-20 Thread Jeffrey Hutzelman
On Fri, 2013-12-20 at 18:02 +0100, nicolas prochazka wrote: > I only use afs files in read only , so it should not be a problem, > I cannot find this parameter ( cache entry timeout ) of two hours in code. That's because there is no parameter. As I said, vcache entries become invalid at the callb

Re: [OpenAFS] About openafs discon mode

2013-12-20 Thread Jeffrey Hutzelman
On Fri, 2013-12-20 at 17:30 +0100, nicolas prochazka wrote: > ok, > is it possible to define cache entry timeout by configuration or by > hacking code ? Not if you don't want corrupted files. Callback lifetime is determined by the fileserver, and the protocol requires that clients invalidate cac

Re: [OpenAFS] Question about how to use vos shadow

2013-12-18 Thread Jeffrey Hutzelman
On Fri, 2013-12-13 at 15:51 +0100, Harald Barth wrote: > (and nothing in the VLDB about it). However, when I try to make shadow > readonly vols or shadow vols which are readonly, I'm not as successful: > > # vos shadow H.haba.test.alanine -fromserver beef.stacken.kth.se > -frompartition c -toser

Re: [OpenAFS] Re: How to remove a bogus (127.0.1.1) server entry for readonly?

2013-12-11 Thread Jeffrey Hutzelman
On Tue, 2013-12-10 at 10:15 -0800, Russ Allbery wrote: > Coy Hile writes: > > On 12/10/13, 4:10 AM, "Harald Barth" wrote: > > $ more hosts > 127.0.0.1 localhost > 127.0.1.1 peter.cae.uwm.edu peter > > >>> I know various Linux distributions do > >>> this by def

Re: [OpenAFS] Help rekeying cell when both service principals (afs@REALM and afs/cell@REALM) exist

2013-11-24 Thread Jeffrey Hutzelman
On Thu, 2013-11-21 at 10:34 -0700, Kim Kimball wrote: > I don't have direct access to the ancient Transarc clients for testing. > Always a wrinkle. I've built some tools for the older platforms but > tools for _all_ the ancient *NIX clients are probably not reliably > included in that, nor do

Re: [OpenAFS] Help rekeying cell when both service principals (afs@REALM and afs/cell@REALM) exist

2013-11-21 Thread Jeffrey Hutzelman
On Wed, 2013-11-20 at 18:05 -0500, Jeffrey Altman wrote: > The underlying problem that Kim's cell has is that it is not permitted > (or perhaps even physically possible) to upgrade the clients that issue > the Kerberos afs service ticket request. In this scenario the clients > cannot be updated t

Re: [OpenAFS] Help rekeying cell when both service principals (afs@REALM and afs/cell@REALM) exist

2013-11-20 Thread Jeffrey Hutzelman
On Mon, 2013-11-11 at 08:42 -0700, Kim Kimball wrote: > I've got clients going back as far as Transarc 3.6 -- don't ask > there are clients that cannot be changed/rebooted/updated due to > "extreme sensitivity to change." What software are these ancient clients using to get tokens? klog?

Re: [OpenAFS] Re: aklog error: unknown RPC error (-1765328184) while getting AFS tickets allow_weak_enctypes may be required in the Kerberos configuration

2013-11-11 Thread Jeffrey Hutzelman
On Fri, 2013-11-08 at 10:19 -0600, Andrew Deason wrote: > Part of the protocol that OpenAFS uses for authenticated communication > over the network uses a short-term DES key. Semi-recently, Kerberos > implementations started not allowing DES to be used by default, to > encourage people to not use

Re: [OpenAFS] Windows and Mac auto-update?

2013-10-14 Thread Jeffrey Hutzelman
On Sat, 2013-10-12 at 12:51 -0400, step...@physics.unc.edu wrote: > What's the current thinking (plans?) regarding auto-update functionality > for the Windows and Mac OpenAFS client packages? No thanks. The infrastructure from which these software packages are distributed is operated on a volunt

Re: [OpenAFS] Re: Questions about multihoming servers

2013-10-02 Thread Jeffrey Hutzelman
On Wed, 2013-10-02 at 11:07 -0500, Andrew Deason wrote: > On Wed, 02 Oct 2013 11:43:42 -0400 > Jeffrey Hutzelman wrote: > > > On Wed, 2013-09-25 at 11:42 -0500, Andrew Deason wrote: > > > > > if 15640 still occurs, that's a bug > > > > 15640 w

Re: [OpenAFS] Re: Questions about multihoming servers

2013-10-02 Thread Jeffrey Hutzelman
On Wed, 2013-09-25 at 11:42 -0500, Andrew Deason wrote: > if 15640 still occurs, that's a bug 15640 was not a bug in OpenAFS when it was submitted 9 years ago, and it's still not a bug in OpenAFS. If you want multi-homed dbservers to work, then the primary addresses listed for each server in Ubi

Re: [OpenAFS] Re: Questions about multihoming servers

2013-10-02 Thread Jeffrey Hutzelman
On Wed, 2013-09-25 at 11:33 -0400, Jeffrey Altman wrote: > All that logic does is IP address aliasing for the purpose of elections. > However, it does not permit the use of multiple addresses. UBIK does > not distribute RPCs across all of the DISK_UpdateInterfaceAddr() listed > addresses. It al

Re: [OpenAFS] Re: vos shadow to backup user homes

2013-08-26 Thread Jeffrey Hutzelman
On Mon, 2013-08-26 at 10:28 -0500, Andrew Deason wrote: > On Sun, 25 Aug 2013 21:05:41 +0530 (IST) > Shouri Chatterjee wrote: > > > I wanted to ask about "vos shadow" and whether it is being used as a > > solution on production systems to back-up user home directories. > > I believe it is, but I

Re: [OpenAFS] reading files from problem volume

2013-08-22 Thread Jeffrey Hutzelman
On Thu, 2013-08-22 at 14:24 +, sabah s. salih wrote: > Dear All, > We have the following case. Is there a way where we could recover files > from this volume please. > > > # vos exam 536873829 > vsu_ClientInit: Could not get afs tokens, running unauthenticated. > Could not fetch the inf

Re: [OpenAFS] scan client version

2013-08-01 Thread Jeffrey Hutzelman
On Thu, 2013-08-01 at 12:30 -0400, Jeffrey Altman wrote: > The rxkad-kdf change does not get rid of 1DES. It simply permits the > afs cell key to be a non-1DES key. All wire encryption and the actual > rxkad challenge/response is still performed using 1DES. Actually, that's not strictly true.

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-30 Thread Jeffrey Hutzelman
On Tue, 2013-07-30 at 19:44 -0400, Jeffrey Altman wrote: > On 7/30/2013 7:32 PM, Benjamin Kaduk wrote: > > On Tue, 30 Jul 2013, Jeffrey Altman wrote: > > > >> This is an incorrect description. The explicit problem occurs when the > >> following combination is true: > >> > >> 1. user has one or mo

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-26 Thread Jeffrey Hutzelman
On Fri, 2013-07-26 at 10:57 +0200, Sergio Gelato wrote: > Speaking of which, is anyone known to be working on rxkad-kdf support for > Heimdal's libkafs? I'd like kinit --afslog to do the right thing. It's on my todo list, but I won't complain if someone else gets there first. -- Jeff

Re: [OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

2013-07-25 Thread Jeffrey Hutzelman
On Thu, 2013-07-25 at 11:38 -0500, Andrew Deason wrote: > On Thu, 25 Jul 2013 11:36:52 -0400 (EDT) > Benjamin Kaduk wrote: > > > and in the absence of other information, the KDC should not assume > > that a service supports an enctype for which it has no long-term key. > > After thinking about t

Re: [OpenAFS] Heimdal KDC bug mentioned in rekeying document

2013-07-25 Thread Jeffrey Hutzelman
On Thu, 2013-07-25 at 09:11 -0400, step...@physics.unc.edu wrote: > Hi, > > In the cell rekeying instructions found at > , there is a note for > sites using Heimdal KDCs. It mentions a bug present in "certain versions" > of the Heimdal KDC sof

Re: [OpenAFS] Multi-homed server and NAT-ed client issues

2013-07-17 Thread Jeffrey Hutzelman
On Wed, 2013-07-17 at 17:43 +0300, Ciprian Dorin Craciun wrote: > Hello all! I've encountered quite a blocking issue in my OpenAFS > setup... I hope someone is able to help me... :) > > > The setup is as follows: > * multi-homed server with, say S-IP-1 (i.e. x.x.x.5) and S-IP-2 > (i

[OpenAFS] Re: [AFS3-std] Changing RXAFS_GetVolumeStatus access check to support volume lock down

2012-07-05 Thread Jeffrey Hutzelman
On Wed, 2012-07-04 at 11:14 -0400, Jeffrey Altman wrote: > The RPC that is used to obtain the volume statistics from the file > server is RXAFS_GetVolumeStatus. This RPC returns a subset of the > information displayed by "vos examine " but is intended for use > by AFS clients. Well, not entirely.

[OpenAFS] Consensus Call - AFS3-Standardization Charter

2010-07-07 Thread Jeffrey Hutzelman
IMPORTANT: This has gotten fairly lengthy, but please read through to the end. This message contains important information on the future of AFS protocol standardization work, and a specific request for input from the AFS community (that is, YOUR input) within the next 2 weeks. PLEASE send fo

Re: [OpenAFS-devel] Re: [OpenAFS] Re: 1.6 and post-1.6 OpenAFS branch management and schedule

2010-06-21 Thread Jeffrey Hutzelman
--On Friday, June 18, 2010 04:17:19 PM -0400 Tom Keiser wrote: On Fri, Jun 18, 2010 at 2:56 PM, Chas Williams (CONTRACTOR) wrote: In message <20100618093541.46bc13bc.adea...@sinenomine.net>,Andrew Deason writes: It's pretty easy to make a supergroup if it's turned on; you may not realize it

Re: [OpenAFS] Re: [OpenAFS-devel] 1.6 and post-1.6 OpenAFS branch management and schedule

2010-06-18 Thread Jeffrey Hutzelman
--On Thursday, June 17, 2010 11:38:18 PM +0100 Simon Wilkinson wrote: On 17 Jun 2010, at 21:40, Russ Allbery wrote: There is that. I intend to ship with DAFS enabled for Debian, but the Debian packages have always taken a fairly aggressive approach to enabling features. (They have had sup

Re: [OpenAFS] Re: [OpenAFS-devel] 1.6 and post-1.6 OpenAFS branch management and schedule

2010-06-18 Thread Jeffrey Hutzelman
--On Thursday, June 17, 2010 01:45:14 PM -0500 "Christopher D. Clausen" wrote: I have heard that, but I have never experienced any problems myself in many years of running that way. In general the way I see it is that if the power goes out, my server stays up for a little longer due to its UP

Re: [OpenAFS-devel] Re: [OpenAFS] Re: 1.6 and post-1.6 OpenAFS branch management and schedule

2010-06-18 Thread Jeffrey Hutzelman
--On Thursday, June 17, 2010 04:12:48 PM -0500 Andrew Deason wrote: On Thu, 17 Jun 2010 15:54:25 -0500 Andrew Deason wrote: And as has been mentioned elsewhere in the thread, you need to wait for the VG hierarchy summary scan to complete, no matter how fast salvaging is or how many you do i

Re: [OpenAFS] Re: [OpenAFS-devel] 1.6 and post-1.6 OpenAFS branch management and schedule

2010-06-18 Thread Jeffrey Hutzelman
--On Thursday, June 17, 2010 11:59:29 AM -0700 Russ Allbery wrote: I'm quite sure that, after an unclean crash, your Windows server doesn't remount the file system without doing a consistency check. No operating system treats its file systems that way. MS-DOS did. Of course, that hardly qu

[OpenAFS] Re: [OpenAFS-devel] Re: Thinking about 1.6

2009-12-16 Thread Jeffrey Hutzelman
--On Wednesday, December 16, 2009 11:25:05 PM + Simon Wilkinson wrote: On 16 Dec 2009, at 23:03, Jeffrey Hutzelman wrote: --On Wednesday, December 16, 2009 01:46:04 PM -0500 Derrick Brashear wrote: bos exec still works unless you give the restricted command line switch. if you turn

Re: [OpenAFS] Re: [OpenAFS-devel] Thinking about 1.6

2009-12-16 Thread Jeffrey Hutzelman
--On Wednesday, December 16, 2009 11:24:10 PM + Simon Wilkinson wrote: On 16 Dec 2009, at 23:03, Jeffrey Hutzelman wrote: How do you propose to automate that, given that the existing configuration could provide arbitrary arguments or even use arbitrary binaries for the various fs bnode

Re: [OpenAFS] Re: [OpenAFS-devel] Thinking about 1.6

2009-12-16 Thread Jeffrey Hutzelman
--On Wednesday, December 16, 2009 12:40:18 PM -0800 Russ Allbery wrote: "Buhrmaster, Gary" writes: Many (linux) packaging systems will just replace older versions without a discussion with the installer about what else they need to change (it is actually a pet peeve of mine that there is no

[OpenAFS] Re: [OpenAFS-devel] Thinking about 1.6

2009-12-16 Thread Jeffrey Hutzelman
--On Wednesday, December 16, 2009 06:04:58 PM + Simon Wilkinson wrote: *) Remove the --disable-afsdb switch, and associated #ifdefs, so AFSDB comes as standard. As long as we don't remove the ability to turn it off at runtime. I just had a conversation today with someone who needs to r

Re: [OpenAFS] Re: [OpenAFS-devel] Re: Thinking about 1.6

2009-12-16 Thread Jeffrey Hutzelman
--On Wednesday, December 16, 2009 02:37:32 PM -0500 omall...@msu.edu wrote: Solaris 8/9 hit the darn near unsupported list from Sun. By the time 1.6 reaches production there won't be anyone running it at least on production hardware. HA HA HA you are so funny You must think that people who ru

[OpenAFS] Re: [OpenAFS-devel] Re: Thinking about 1.6

2009-12-16 Thread Jeffrey Hutzelman
--On Wednesday, December 16, 2009 01:46:04 PM -0500 Derrick Brashear wrote: bos exec still works unless you give the restricted command line switch. if you turn on random options without reading what you're doing, you get what you paid for. Perhaps you missed the part where Simon advocated m

[OpenAFS] Re: [OpenAFS-devel] exposing RPC code<->name mappings via rxgen extension, a library, and a new utility

2009-01-15 Thread Jeffrey Hutzelman
--On Thursday, January 15, 2009 02:00:09 PM -0500 Steven Jenkins wrote: I would like to expose RPC code<->name mappings so that other programs within OpenAFS can avoid hard-coding the mappings, as well as be able to export them to the users (who might find them useful in debugging network trac

[OpenAFS] Re: [OpenAFS-devel] interface for vos split

2009-01-09 Thread Jeffrey Hutzelman
--On Thursday, January 08, 2009 12:32:20 PM -0800 Russ Allbery wrote: "Steven Jenkins" writes: fs getfid (like virtually all of the fs subcommands) is implemented by marshalling arguments and then making a PIOCTL call into the kernel. Without a cache manager, you can't get a response to tha

Re: [OpenAFS] Re: Implicit "A" in fileserver

2007-04-13 Thread Jeffrey Hutzelman
On Friday, April 13, 2007 05:14:28 PM -0700 Adam Megacz <[EMAIL PROTECTED]> wrote: Bill Stivers <[EMAIL PROTECTED]> writes: I know that this discussion was beaten 7 ways from Sunday in the recent past, but I thought it worth asking. Did someone ever get around to committing a patch that e

Re: [OpenAFS] Add new fileserver

2007-04-12 Thread Jeffrey Hutzelman
On Thursday, April 12, 2007 10:41:28 AM -0500 "Christopher D. Clausen" <[EMAIL PROTECTED]> wrote: chas williams - CONTRACTOR <[EMAIL PROTECTED]> wrote: In message <[EMAIL PROTECTED]>,Steve Simmons writes: my servers dont start with afs. is this a common thing? Most cells I've seen do t

Re: [OpenAFS] Maximum # of users

2007-04-11 Thread Jeffrey Hutzelman
On Wednesday, April 11, 2007 11:55:18 AM -0400 Dave Botsch <[EMAIL PROTECTED]> wrote: Hmmm... interestingly enough, the group quota for my system:[EMAIL PROTECTED] is set at 7 (I suppose 7 is the default?) yet somehow 23 members have been automatically created in that group. The default is

Re: [OpenAFS] com_err hell (WAS: asetkey: failed to set key, code 70354694)

2007-04-10 Thread Jeffrey Hutzelman
On Tuesday, April 10, 2007 03:56:03 PM -0400 Marcus Watts <[EMAIL PROTECTED]> wrote: Granted, it's not as pretty as it should be, and it would be good for all those groups you named to come to a better consensus as to how this should all work. That is a discussion for comerrers. The quest

Re: [OpenAFS] Maximum # of users

2007-04-10 Thread Jeffrey Hutzelman
On Monday, April 09, 2007 06:51:33 PM -0400 Marcus Watts <[EMAIL PROTECTED]> wrote: Max user id is 851087 and max group id is -19786. It's always fun to watch you demonstrate to someone that they're not really as big as they think they are. It helps the rest of us keep a sense of perspe

RE: [OpenAFS] REMINDER: LAST DAY [AFS & Kerberos Best Practices Workshop 2007: CFP Extended]

2007-04-07 Thread Jeffrey Hutzelman
On Friday, April 06, 2007 08:12:12 PM -0700 ted creedon <[EMAIL PROTECTED]> wrote: Depends who is smart enough.. tedc -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derrick J Brashear Sent: Friday, April 06, 2007 4:41 PM To: 'OpenAFS-info' Subject:

Re: [OpenAFS] uw-imap & tokens

2007-04-04 Thread Jeffrey Hutzelman
On Wednesday, April 04, 2007 08:33:34 PM +0100 David Howells <[EMAIL PROTECTED]> wrote: That'd be my bet too. I suspect that the PAM module (if that's what it is) that issued setpag occurs before the pam_keyinit PAM module also. Oh, hm. That's not good. We may find ourselves back in exa

Re: [OpenAFS] uw-imap & tokens

2007-04-04 Thread Jeffrey Hutzelman
On Wednesday, April 04, 2007 06:07:46 PM +0100 David Howells <[EMAIL PROTECTED]> wrote: How's the afs_pag key getting allocated? Is it by a PAM module? No; it gets allocated by AFS as part of the setpag operation. Of course, the setpag may be being called by a PAM module, but that shoul

Re: [OpenAFS] Re: unix owner/group of files in AFS

2007-03-30 Thread Jeffrey Hutzelman
On Friday, March 30, 2007 01:25:31 PM +0200 FB <[EMAIL PROTECTED]> wrote: I'll bet you also haven't tried it with a fileserver down. Yes. Actually, my test cell has some fileservers and one of 3 db-servers down-by-default. The only impact is a short delay on bootup of the afs-client until pt

Re: [OpenAFS] inspect pid-to-pag mapping? pag-to-tokens-mapping?

2007-03-29 Thread Jeffrey Hutzelman
On Saturday, March 24, 2007 12:41:46 PM -0700 Russ Allbery <[EMAIL PROTECTED]> wrote: Adam Megacz <[EMAIL PROTECTED]> writes: Is it possible to find out what PAG a given PID belongs to (on linux, with local root)? grep Groups /proc//status if the PAG group still exists. They do. In v

Re: [OpenAFS] Streaming windows media?

2007-03-29 Thread Jeffrey Hutzelman
On Friday, March 23, 2007 10:30:42 AM -0400 Jeffrey Altman <[EMAIL PROTECTED]> wrote: Robbie Foust wrote: Hi, Has anyone ever set up a Windows Media Server to point to content in AFS using the windows client? Just wondering how well that would work or how reliable it would be. I know the

Re: [OpenAFS] Problems setting up an initial AFS cell...

2007-03-29 Thread Jeffrey Hutzelman
On Thursday, March 22, 2007 01:45:29 PM -0500 Marcus Watts <[EMAIL PROTECTED]> wrote: The current openafs cvs repository does contain the documentation from ibm - one of the things that needs doing is to update this documentation to reflect whatever we want people to be doing today. There a

Re: [OpenAFS] Re: chown()

2007-03-29 Thread Jeffrey Hutzelman
On Wednesday, March 28, 2007 04:14:18 PM -0700 Adam Megacz <[EMAIL PROTECTED]> wrote: Jeffrey Hutzelman <[EMAIL PROTECTED]> writes: Not true. There are a number of subtle uses of file owners in AFS, particularly with regard to how directories work where you have 'i

Re: [OpenAFS] Re: unix owner/group of files in AFS

2007-03-29 Thread Jeffrey Hutzelman
On Thursday, March 29, 2007 09:45:47 AM +0200 FB <[EMAIL PROTECTED]> wrote: Bear in mind that when you do something like 'ls', your NSS module will be called to do an id-to-name lookup for _every file_. ls is a bad example because it doesn't ask once per file but once per UID (-> coreutils-i

Re: [OpenAFS] Re: chown()

2007-03-28 Thread Jeffrey Hutzelman
On Thursday, March 22, 2007 09:55:22 PM -0700 Adam Megacz <[EMAIL PROTECTED]> wrote: Ryan Underwood <[EMAIL PROTECTED]> writes: Wouldn't it make sense for a user with 'admin' ACL to be able to chown() files, as long as the target ID is his own userid? Even better: let any user who can wr

Re: [OpenAFS] Security Advisory 2007-001: privilege escalation in Unix-based clients

2007-03-28 Thread Jeffrey Hutzelman
On Wednesday, March 28, 2007 04:16:38 PM -0500 "Christopher D. Clausen" <[EMAIL PROTECTED]> wrote: Jeffrey Hutzelman <[EMAIL PROTECTED]> wrote: On Friday, March 23, 2007 10:04:28 AM -0400 Jeffrey Altman <[EMAIL PROTECTED]> wrote: Kim Kimball wrote: I'm

Re: [OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2007-001: privilege escalation in Unix-based clients

2007-03-28 Thread Jeffrey Hutzelman
On Wednesday, March 21, 2007 02:53:50 PM -0400 Jason Edgecombe <[EMAIL PROTECTED]> wrote: Ok, so local access is required for OPENAFS-SA-2007-001 to be exploited? No, but it's a lot easier. Without local access, you not only need to convince the client that some file you can write to is

Re: [OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2007-001: privilege escalation in Unix-based clients

2007-03-28 Thread Jeffrey Hutzelman
On Friday, March 23, 2007 10:04:28 AM -0400 Jeffrey Altman <[EMAIL PROTECTED]> wrote: Kim Kimball wrote: I'm still wondering if a. Removing system:anyuser from ACLs will prevent this privilege escalation b. Removing system:anyuser from ACLs except "system:anyuser l" will prevent the pr

Re: [OpenAFS] Re: unix owner/group of files in AFS

2007-03-28 Thread Jeffrey Hutzelman
On Tuesday, March 20, 2007 08:58:41 PM +0100 FB <[EMAIL PROTECTED]> wrote: No. The nss-plugin actually returns this: ('frank','x',1000,65534,'frank','/afs/alpha/user/frank','/bin/bash') Nobody here uses a shell different from Bash which is why i didn't really cared about make the login shell

Re: [OpenAFS] jafs et al

2007-03-13 Thread Jeffrey Hutzelman
On Tuesday, March 13, 2007 08:07:42 PM -0500 Marcus Watts <[EMAIL PROTECTED]> wrote: user vs kernel mode vs. "user kernel" mode Actually, we don't really have this dimension. No libraries are built for kernel-mode code; any code the kernel module requires from the rest of the tr

RE: [OpenAFS] OpenAFS Client Availability

2007-03-08 Thread Jeffrey Hutzelman
On Thursday, March 08, 2007 12:05:07 PM -0900 ted creedon <[EMAIL PROTECTED]> wrote: This is true, but they are unset and I assume the default values are as noted in the sources. The definitions of ip_ct_udp_timeout and ip_ct_udp_timeout_stream are in seconds so I don't understand the jiffie

Re: [OpenAFS] Quota, Openafs

2007-02-26 Thread Jeffrey Hutzelman
On Monday, February 26, 2007 01:28:10 PM +0100 Alexander Al <[EMAIL PROTECTED]> wrote: Hello, We have here a openAFS 1.4.x system on a FC5 server and the users have a quota of 1GB. But the trick is how do you give the users a signal that they almost through their quota? If you feel a need

Re: [security-discuss] Re: [OpenAFS] Hardware Grants from Sun

2007-02-26 Thread Jeffrey Hutzelman
On Sunday, February 25, 2007 04:21:45 PM -0600 Nicolas Williams <[EMAIL PROTECTED]> wrote: A while back I designed such an API, which I called the generic credential store API (GCS-API) that provides a way to get a handle to the current credential store for a given thread, process, session o

Re: [security-discuss] Re: [OpenAFS] Hardware Grants from Sun

2007-02-26 Thread Jeffrey Hutzelman
On Mon, 26 Feb 2007, Nicolas Williams wrote: > On Sun, Feb 25, 2007 at 06:47:38PM -0800, Henry B. Hotz wrote: > > On Feb 23, 2007, at 10:10 PM, Nicolas Williams wrote: > > >BTW, a PAG facility that's faithful to the AFS notion of PAGs > > >should be > > >relatively easy to specify and implement fo

Re: [OpenAFS] Re: building openafs kernelmodule on FC5

2007-02-24 Thread Jeffrey Hutzelman
On Sat, 24 Feb 2007, Axel Thimm wrote: > On Fri, Feb 23, 2007 at 06:37:06PM -0500, Ron Croonenberg wrote: > > > > I am trying to build the kernel module for openafs-1.4.2, but it seems > > to break. (linux/config.h doesn't seem to exist ??) > > Just comment the includes or get ready to use rpms at

Re: [OpenAFS] Hardware Grants from Sun

2007-02-24 Thread Jeffrey Hutzelman
On Sat, 24 Feb 2007, Nicolas Williams wrote: > I'm not sure how important it is to have per-session network > credentials, but I do sympathize -- if nothing else it's what AFS users > are accustomed to. Issues surrounding how per-user network credentials > are handled are a separate, but related

Re: [OpenAFS] Hardware Grants from Sun

2007-02-23 Thread Jeffrey Hutzelman
On Friday, February 23, 2007 04:22:22 PM -0600 "Douglas E. Engert" <[EMAIL PROTECTED]> wrote: Same here. Symlinks to a .Dotfile directory. Messy but works. (My home directory has been in AFS since 1992.) But until this general problem can be solved on *all* platforms one can not tighten down

Re: [OpenAFS] Hardware Grants from Sun

2007-02-23 Thread Jeffrey Hutzelman
On Friday, February 23, 2007 12:03:58 PM -0600 "Douglas E. Engert" <[EMAIL PROTECTED]> wrote: So to force sshd to use a session based cache we added a "pam_krb5_cache.so.1 cache=/tmp/krb5cc_%u_%p" to set the cache name. Horray for extensibility! Also as you must already know, I have bee

Re: [OpenAFS] Hardware Grants from Sun

2007-02-23 Thread Jeffrey Hutzelman
On Friday, February 23, 2007 09:23:21 AM -0600 "Douglas E. Engert" <[EMAIL PROTECTED]> wrote: So getting 100,000 in equipment is only part of it. If you are willing to state a desire to taget OpenSolaris, Sun should be willing to state a desire to integration of AFS credential handling in th

Re: [OpenAFS] Possible Kernel Memory leak, OpenAFS 1.4.2+, RH3 i686/amd64

2007-02-20 Thread Jeffrey Hutzelman
On Tuesday, February 20, 2007 11:25:56 AM -0500 chas williams - CONTRACTOR <[EMAIL PROTECTED]> wrote: In message <[EMAIL PROTECTED]>,Kevin Hildebrand writes: Eureka... I've found the problem, there is a missing 'crfree' in 'afs_linux_lookup'. I will submit this as a bug report. I'd stil

Re: [OpenAFS] Possible complete brain failure

2007-02-13 Thread Jeffrey Hutzelman
On Thursday, February 08, 2007 08:21:12 PM -0500 Jeff Blaine <[EMAIL PROTECTED]> wrote: Jeff Blaine wrote: jblaine:cairo> fs lq . Volume Name Quota Used %Used Partition u.jblaine 5001855444% 9% jblaine:cairo> So, fixed. Looks

Re: [OpenAFS] Re: unable to login via klog

2007-02-13 Thread Jeffrey Hutzelman
On Thursday, February 08, 2007 05:33:57 PM +0530 Srikanth Bhaskar <[EMAIL PROTECTED]> wrote: [EMAIL PROTECTED] ~]# kas -cell linafs Password for root: kas:interactive: Auth. as root to AuthServer failed: user doesn't exist Proceeding w/o authentication ka> list Password for root: list: Auth.

Re: [OpenAFS] refresh initial tokens

2007-02-02 Thread Jeffrey Hutzelman
On Friday, February 02, 2007 02:16:27 PM +0100 Ronny Blomme <[EMAIL PROTECTED]> wrote: I am setting up openafs-1.4.2 client and server on FC4 with heimdal-0.7.2. I replaced the kas-server with kdc. When I login to this server with ssh, I get tickets/tokens (via /etc/pam.d/sshd). These initia

Re: [OpenAFS] afs_NewVCache errors

2007-02-02 Thread Jeffrey Hutzelman
On Friday, February 02, 2007 01:01:47 PM +0100 Jasper Moeller <[EMAIL PROTECTED]> wrote: Hi, we recently migrated our AFS setup to version 1.4.2. Since then, we have spurious problems on our linux clients (the windows clients are running fine). Specifically, after some time, users only see

Re: [OpenAFS] Problems giving a daemon process permanent access to AFS

2007-02-01 Thread Jeffrey Hutzelman
On Thursday, February 01, 2007 03:57:47 PM -0500 Earl Shannon <[EMAIL PROTECTED]> wrote: Hello, I don't know what all your security considerations are, but I'd suggest you create an IP ACL in the filespace the daemon needs to access. Don't do this. IP-address-based ACL's are not only ver

Re: [OpenAFS] Re: obsolete volumes

2007-02-01 Thread Jeffrey Hutzelman
On Thursday, February 01, 2007 01:55:08 PM -0700 Kim Kimball <[EMAIL PROTECTED]> wrote: Jeffrey Hutzelman wrote: On Wednesday, January 31, 2007 03:44:35 PM -0800 Renata Maria Dart <[EMAIL PROTECTED]> wrote: Hi Jeff, Does -showsuid also imply -nowrite, or can it be used w

Re: [OpenAFS] Re: obsolete volumes

2007-02-01 Thread Jeffrey Hutzelman
On Wednesday, January 31, 2007 03:44:35 PM -0800 Renata Maria Dart <[EMAIL PROTECTED]> wrote: Hi Jeff, Does -showsuid also imply -nowrite, or can it be used with -nowrite to avoid taking the server out? Yes, -showsuid also implies -nowrite. In general, you can always use -nowrite to run t

Re: [OpenAFS] Re: obsolete volumes

2007-01-31 Thread Jeffrey Hutzelman
On Monday, January 29, 2007 10:04:30 AM -0800 Renata Maria Dart <[EMAIL PROTECTED]> wrote: On Mon, 29 Jan 2007, Joe Buehler wrote: Michael Robokoff wrote: Is there a way to list out existing volumes that are not mounted? The salvager has an option to list mount points: salvager -showm

Re: [OpenAFS] How to use the diff patch

2007-01-31 Thread Jeffrey Hutzelman
On Sunday, January 28, 2007 12:43:10 PM +0100 "Jörg P.Pfannmöller" <[EMAIL PROTECTED]> wrote: Hello, I want to compile openafs-1.4.2-src.tar.gz on my system (Ubuntu 6.06 Kernel 2.6.15). Therefore I need to patch the source code with openafs-1.4.2-src.diff.gz. Since this is the openafs-

Re: [OpenAFS] run GNU mailman from AFS?

2007-01-31 Thread Jeffrey Hutzelman
On Friday, January 26, 2007 11:18:18 AM -0600 "Christopher D. Clausen" <[EMAIL PROTECTED]> wrote: Anyone have an hints on running GNU mailman (http://www.list.org/) out of AFS? Are any AFS specific changes required? I attempted to search for such info, but since the openafs lists are mailm

Re: [OpenAFS] Re: fs setacl and permissions

2007-01-31 Thread Jeffrey Hutzelman
On Sunday, January 28, 2007 01:10:11 AM +0200 Juha Jäykkä <[EMAIL PROTECTED]> wrote: So what it really comes down to is this: I claim that, if someone who "owns" a directory (i.e. has "explicit" a privs) defines a subdirectory and restricts someone else to non-a privs there, it is really a s

Re: [OpenAFS] Re: 1.4.2 client on RHEL5 beta 2

2007-01-31 Thread Jeffrey Hutzelman
On Tuesday, January 23, 2007 02:14:55 PM -0500 Derrick J Brashear <[EMAIL PROTECTED]> wrote: On Tue, 23 Jan 2007, Rainer Laatsch wrote: I circumvented the MODPOST issue by patching /usr/src/kernels/2.6.18-1.2747.el5-i686/scripts/mod/modpost.c around line 1103 ; replacing 'fatal' by 'warn'

Re: [OpenAFS] Databases & AFS (revisited)

2007-01-17 Thread Jeffrey Hutzelman
On Saturday, December 23, 2006 06:14:32 PM +0100 Davor Ocelic <[EMAIL PROTECTED]> wrote: Looking at [2], which appears to be CMU's class assignment, the students are supposed to create a Postgres database within their AFS volumes, without a word of problems that might create. A bit delayed

Re: [OpenAFS] 1.4.1 Linux client: callbacks on a directory fail to invalidate status info of files in it

2007-01-17 Thread Jeffrey Hutzelman
On Wed, 17 Jan 2007, Rainer Toebbicke wrote: > When doing an 'rm xxx', the file server does not break callbacks for > "xxx", but only for the directory containing "xxx". Right; if the link count on the file goes to zero (the normal case), then callbacks are not broken, because since there is no n

Re: [OpenAFS-devel] Re: [OpenAFS] Solaris 10 11/06 afs 1.4.2 pam module panic.

2006-12-20 Thread Jeffrey Hutzelman
On Tuesday, December 19, 2006 09:11:44 PM -0500 Dale Ghent <[EMAIL PROTECTED]> wrote: Okay, I looked into this more and a kind soul at Sun pointed me to the new (as of Solaris 10) ddi_cred(9F) man page. This page details public (yet "evolving") interfaces to the otherwise private cred_t st

Re: [OpenAFS] Solaris 10 11/06 afs 1.4.2 pam module panic.

2006-12-19 Thread Jeffrey Hutzelman
On Tuesday, December 19, 2006 03:52:39 PM -0800 Carson Gaspar <[EMAIL PROTECTED]> wrote: > meem wrote: > Is there a reason they're not using crsetugid() (see ddi_cred(9F)) to > do this? Seems like if they had, everything would've worked fine. Well, that interface did not exist prior to S

Re: [OpenAFS] How to replicate files on different machines

2006-12-19 Thread Jeffrey Hutzelman
On Tuesday, December 19, 2006 05:12:43 PM +0530 [EMAIL PROTECTED] wrote: I'm trying to use 'kinit' and 'aklog' to get admin tokens for accessing the cell under /afs on my client machine. Though these are installed on my machine, I'm not able to configure these, since I'm not able to find the

Re: [OpenAFS] How to replicate files on different machines

2006-12-18 Thread Jeffrey Hutzelman
On Friday, December 15, 2006 11:56:07 AM +0530 [EMAIL PROTECTED] wrote: I'm using OpenAFS 1.4.2 on Fedora 5. I want to replicate file(s) on 2 machines (both Fedora 5). How could this be achieved? Do I need to install OpenAFS server on both the machines, and if this is the requirement, how co

Re: [OpenAFS] Undelete support feedback request

2006-12-11 Thread Jeffrey Hutzelman
On Friday, December 08, 2006 01:09:04 PM -0600 "Christopher D. Clausen" <[EMAIL PROTECTED]> wrote: Jason Edgecombe <[EMAIL PROTECTED]> wrote: Being able to have snapshots of a volume or multiple backups of a volume from different times. I think the simplest approach would be to clone a vol

Re: [OpenAFS] Re: Undelete support feedback request

2006-12-07 Thread Jeffrey Hutzelman
On Thursday, December 07, 2006 05:38:07 PM -0500 Marcus Watts <[EMAIL PROTECTED]> wrote: Sidney Cammeresi <[EMAIL PROTECTED]> posted the VMS way. Not that I'm advocating this is the right way (let alone have code that implements this), but here's how the same things could look in Unix: $ l
