Re: [OpenAFS] openafs versus systemd

2023-06-06 Thread Ken Hornstein
>I'm aware this issue has been discussed before on the mailing list and >also on the systemd bug tracker > but I'm still really >unclear on what the community feels is the best solution to this >problem. >From my limited imperfect understanding, it s

Re: [OpenAFS] Kerberos + Windows

2022-08-24 Thread Ken Hornstein
>I then created the service account srvAFS, and extracted a keytab on the >Domain Controller using the following command: So I'm not the expert on how AD works, so I can't speak for what happens if you create a service account called _one_ thing and then have a different principal name. Like, wha

Re: [OpenAFS] Kerberos + Windows

2022-08-24 Thread Ken Hornstein
>The docs do show how to set up using the new scheme but assume >Kerberos, not AD. I've tried a few different things but I can't seem >to get default_tkt_enctypes and default_tks_enctypes set correctly. In the normal course of things you never, ever want to put any entries for default_tkt_enctype

Re: [OpenAFS] Redux: Linux: systemctl --user vs. AFS

2021-08-14 Thread Ken Hornstein
>In general, it is not safe to have ticket caches in a world-writable >location, but KEYRING also had security troubles in the past. Care to elaborate? I have not heard of any security troubles with KEYRING but I would like to understand the pros and cons of all available ticket caches. --Ken __

Re: [OpenAFS] Redux: Linux: systemctl --user vs. AFS

2021-08-13 Thread Ken Hornstein
>Anyway, I checked the krb5 sources, and it is defined in >lib/krb5/ccache/cc_keyring.c: > >/* > * Keyring name prefix and length of random name part > */ >#define KRCC_NAME_PREFIX "krb_ccache_" >#define KRCC_NAME_RAND_CHARS 8 My reading of the code is that random cache name is

Re: [OpenAFS] Redux: Linux: systemctl --user vs. AFS

2021-08-06 Thread Ken Hornstein
>So why is storage in files so much more dangerous than storage in >memory? If one happens to get a process which can read the files in >local /tmp, why could that process not modify any of /proc//mem >on the same computer to get at the ticket cache anyway? A fair question. I mean, conceptually,

Re: [OpenAFS] Redux: Linux: systemctl --user vs. AFS

2021-08-05 Thread Ken Hornstein
>if [ ! $guard-against-system-accounts ]; then >export KRB5CCNAME=/path/to/cache-depending-on-$(id -u) I understand that with newer version of systemd this is becoming more common ... but can I offer up a cautionary tale? We have been using Kerberos for a LONG time; over 20 years. We are by

Re: [OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

2021-03-08 Thread Ken Hornstein
>We at MIT CSAIL stopped using crowdstrike partly because they refused >to fix this despite us providing a patch to falcon-sensor (which is >just a tarred pile of shell scripts). > >The need to exclude /afs from their scans there's several ways to do >this (they use "find" internally). > >We found t

Re: [OpenAFS] check in c (linux) whether a directory entry is a mount point for an AFS volume

2018-08-04 Thread Ken Hornstein
>I'm not sure that the application will have the ability to stat the >mount point object. The OpenAFS cache manager will always provide the >details of the target volume root directory unless the target volume >cannot be located or accessed. I can only say that this technique has worked for sever

Re: [OpenAFS] check in c (linux) whether a directory entry is a mount point for an AFS volume

2018-08-03 Thread Ken Hornstein
>is there an easy way to check in C (under linux) whether a directory >entry is a mount point for an afs volume and maybe also obtain the name >of the volume mounted? Assuming vanilla AFS ... the absolute easiest way to check to see if a directory entry is a mount point is stat() the directory.

Re: [OpenAFS] About the upgrading from Kerberos 4 to Kerberos 5

2018-05-15 Thread Ken Hornstein
>We are working on the upgrading of Openafs Kerberos 4 to KDC 5. We >checked some documents to know we have to use afs2k5db tool to convert >users in K4 to KDC 5. But it's really a pain to compile it with >Openafs-1.4.14-1 and krb5-server-1.10.3-65.el6.x86-64 due to the >incompatible of the higher

Re: [OpenAFS] space and vos zap problem

2016-11-29 Thread Ken Hornstein
>The one concern with -orphans remove when salvaging the entire partition >is if there were orphans that belonged volumes other than the one that >was deleted. If such files existed they are now lost. Yeah, that's certainly something to be aware of. I only suggested that because Gary said he had

Re: [OpenAFS] space and vos zap problem

2016-11-29 Thread Ken Hornstein
>bos salvage -server engr-f-200.eos.ncsu.edu -partition /vicepa -cell >eos.ncsu.edu >This is a demand attach fileserver. Are you sure you want to proceed with >a manual salvage? >must specify -forceDAFS flag in order to proceed. I mean, you said you moved all of the volumes off, right? Should b

Re: [OpenAFS] space and vos zap problem

2016-11-29 Thread Ken Hornstein
>/vicepa/AFSIDat/j/ > >which contains 316G of "something" > >Is it safe to delete this directory to bring the server back into service? >(As opposed to a re-install) Or all the directories under /vicepa/AFSIDat/ ? Did you try salvaging that partition? --Ken ___

Re: [OpenAFS] aklog -1765328189 on MacOSX after "port upgrade outdated"

2012-10-14 Thread Ken Hornstein
>Isn't one of the issues there that Apple pretty well broke Kerberos on Lion >by replacing it with an eviscerated Heimdal missing most of the useful >stuff? That's a completely different problem, but not relevant here. --Ken ___ OpenAFS-info mailing lis

Re: [OpenAFS] aklog -1765328189 on MacOSX after "port upgrade outdated"

2012-10-14 Thread Ken Hornstein
>Apparently when upgrading some macport program, it decided to >install kerberos too, which hadn't been installed (as a macport) before. You should file a bug; one of the macports developers started this whole mess by creating a dependency on Kerberos for cyrus-sasl (even though the macports docum

Re: [OpenAFS] OS X Lion: multiple Kerberos realms ?

2012-07-18 Thread Ken Hornstein
>Heh, yeah. Not knowing it's "not supposed to" work, I tried, and I got >tickets for both realms to show up in the viewer. True, klist will >only show one (whichever was acquired last), but once I have the >tickets, I can map Samba shares and work in AFS simultaneously, >without any apparent proble

Re: [OpenAFS] Re: 1.4.x quorum election process?

2011-10-26 Thread Ken Hornstein
>I thought there was some bug preventing this from working in the >specific case where the lowest IP was a clone. I remember reading a bug >report somewhere about it... but I can't find a ticket matching that >description. Anyone have any idea what I'm talking about, or am I just >making stuff up?

Re: [OpenAFS] 1.4.x quorum election process?

2011-10-26 Thread Ken Hornstein
>I would object. A quorum requirement is that all servers are in >agreement with the server configuration and the quorum algorithm. Any >change to the quorum algorithm needs to be exposed as part of the >negotiation in order for servers to not get into a state where a >misconfigured server or a s

Re: [OpenAFS] 1.4.x quorum election process?

2011-10-26 Thread Ken Hornstein
>The "lowest IP address" favoritism decision is totally arbitrary, no? Absolutely, yes. I think ... looking at the source code, the comparison is done in 3 places in vote.c. You could replace that with anything else. I've always thought that an explicit ordering would make more sense, but I neve

Re: [OpenAFS] 1.4.x quorum election process?

2011-10-26 Thread Ken Hornstein
>Can anyone point me at the docs where quorum election, IP >address numbering as it pertains to election, etc... lives? >I can't find what I am looking for on openafs.org > >I seem to recall that the "highest IP is sync site" (if I >have that right) nonsense was addressed, but again, cannot >find t

[OpenAFS] Poor OpenAFS performance on Lion

2011-10-26 Thread Ken Hornstein
We've recently got some MacOS Lion systems in, and we've noticed that OpenAFS seems to perform rather poorly on then. Specifically, we've noticed this when using nmh on these systems. Here's an example of what I mean. On an older iMac running 10.6.8/OpenAFS 1.4.11: % /usr/bin/time scan +kerbero

Re: [OpenAFS] significant delay for afs user to login as root via su

2010-03-26 Thread Ken Hornstein
>Are you using pam_afs_session? We've just discovered that when that is >enabled in the su stack, becoming root takes a very long time, whether >or not you have set the minimum_uid or not. The simple solution is to >not run pam_afs_session in the 'su' stack. I ran into this a while ago. The

Re: [OpenAFS] significant delay for afs user to login as root via su

2010-03-18 Thread Ken Hornstein
>You are correct in your assumptions. Regarding XAUTHORITY (with pam_xauth >in su): > >logging in at the machine, this is what I find: > >before su: > >[emat...@aerogold ~]$ echo $XAUTHORITY >/var/run/gdm/auth-for-ematlis-s3Q2Bx/database Ah-HA! Okay, that explains it. When you log in locally (I

Re: [OpenAFS] significant delay for afs user to login as root via su

2010-03-18 Thread Ken Hornstein
>No, I do not. So, let me understand you _completely_. When pam_xauth.so is in /etc/pam.d/su, and when you log in on the console: - "tokens" shows AFS tokens _before_ you su. - There is no delay for "su". - "tokens" shows no AFS tokens _after_ you su. When pam_xauth.so is in /etc/pam.d/su, and

Re: [OpenAFS] significant delay for afs user to login as root via su

2010-03-18 Thread Ken Hornstein
>Ok, one other data point- I should have mentioned in the very beginning that >I'm actually logging into the machine in question remotely, then issuing >the su command. This seems to make a difference. While I THOUGHT the >problem occurred either way, now I'm finding that if I actually sit down >

Re: [OpenAFS] significant delay for afs user to login as root via su

2010-03-18 Thread Ken Hornstein
>Just as another data point, when I try to su from a local account, >I experience no delay but /var/log/debug gives exactly the same output. Humor me for a minute. There should be in one of your pam config files a module called "pam_xauth" or something similar. Try commenting it out and see if t

Re: [OpenAFS] Problem getting AFS tokens on debian...

2010-02-09 Thread Ken Hornstein
>In my krb5.conf I have (among others): > >[libdefaults] >default_tgs_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1 des-cbc-md5 >des-cbc-crc >default_tkt_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1 des-cbc-md5 >des-cbc-crc Just some advice (although I don't think it has anything to d

Re: [OpenAFS] advice on troubleshooting blocked cache manager on MacOS?

2010-01-21 Thread Ken Hornstein
>Hi, lately I've been encountering a lot of situations where a process >seems to block for a really long time trying to access something in >/afs; it usually succeeds, but only after several minutes. This seems >to happen only on MacOS (1.4.11, although I saw it with 1.4.10 too). If it matters at

Re: [OpenAFS] AFS lag

2009-05-27 Thread Ken Hornstein
>>I'm no ubik engineer, but as far as I understand it, the protocol >>was not designed for even numbers of participating servers. For best >>results, three or five servers seem to be optimum. > >I hear this frequently, and don't see why it should be true. The tie >breaking mechanism during an elec

Re: [OpenAFS] AFS lag

2009-03-19 Thread Ken Hornstein
>> There is a lot of misinformation about Ubik out there; the voting >> protocol is actually not complicated, it's just not documented well. > >it's actually well-documented, if you find Kazar's paper on Quorum Completion. You know, we should try to find a copy of that and put it somewhere useful.

Re: [OpenAFS] AFS lag

2009-03-18 Thread Ken Hornstein
>I'm no ubik engineer, but as far as I understand it, the protocol was not >designed for even numbers of participating servers. For best results, three >or five servers seem to be optimum. There is a lot of misinformation about Ubik out there; the voting protocol is actually not complicated, it's

Re: [OpenAFS] Hang on shutdown with OSX ?

2009-01-23 Thread Ken Hornstein
>My first reply to Chris was inadvertently private. I suggested if >there's a time he can leave it go for 10 minutes and see if it >completes, he should. But I guess the followon, which I forgot to >mention, is seeing, after that, what's in /var/log/system.log from the >reboot. When it has happene

Re: [OpenAFS] Hang on shutdown with OSX ?

2009-01-23 Thread Ken Hornstein
>I'm running openafs 1.4.8 on OSX 10.5, on a late 2008 MacBookPro >(intel). I'm new to OSX (but familiar with AFS on linux) so please >bear with me. > >After installing AFS, I am experiencing occasional hangs when shutting >down the machine - I have to do a hard reset. > >I have a suspicion t

Re: [OpenAFS] UW IMAP + AFS + Kerberos 5

2008-11-19 Thread Ken Hornstein
>The basic Kerberos/IMAP setup seems to work...as I can authenticate, >and read mail. But IMAP cannot write to the user's AFS based Sent >folder. Nor can the user access any of their other AFS based mail >folders via IMAP. My question to you is ... "how did this work before?" Authentication t

Re: [OpenAFS] 1.4.8, Rx Performance Improvements, and a Small Business Innovative Research grant

2008-10-03 Thread Ken Hornstein
>With those observations... does rx-over-tcp look like a solution? On >the packet-transmission side probably, but the encapsulation very >likely still demands significant processing power. And running a >server with 1 or 2 TCP connections does not sound that obvious >either. Here's wha

Re: [OpenAFS] no quorum elected

2008-06-03 Thread Ken Hornstein
>> This, of course, is wrong in the case of AFS DB-Servers. The master- >> server (usually the one with the lowest IP) has an additional half- >> vote. So no split-brain possible here. > >When did we change this? All of the documentation I ever read said you >needed three so you could have a q

Re: [OpenAFS] host principal and keytab

2008-01-08 Thread Ken Hornstein
>It doesn't have permissions as rcmd.server, either. rcmd.server (like Jeff said) is the correct name. I am wondering ... what are the sequence of steps that you did? For example, did you create rcmd.server _after_ you ran aklog? If so, you might need to run "aklog -force" to get the AFS filese

Re: [OpenAFS] 'afs' principal

2007-10-30 Thread Ken Hornstein
>The concepts. The mechanics I can follow (and have). > >I just think it would be great to have a very clear >description of what those few steps are all about >(for my documentation which I intend to make as clear >as possible for everyone and share). Well ... this gets back into the overlap bet

Re: [OpenAFS] 'afs' principal

2007-10-30 Thread Ken Hornstein
>Something I've never been very clear on as part of the >conversion to Kerberos 5: The whole asetkey and afs >principal operation. > >Could anyone explain what is going on there in detail >for my (and everyone's) understanding/documentation? Are you unclear on the concepts, or the mechanics of wha

Re: [OpenAFS] kaserver.DB0 converted, no success authenticating

2007-10-29 Thread Ken Hornstein
>> Could changing realm names be another possibility? Jeff, are you >> using the same realm name in your KDC as in the kaserver? Just as a side note: that is definitely not the problem here. This is evident by the KDC log message mentioning "DECRYPT_CLIENT_KEY" - that can only occur if the princ

Re: [OpenAFS] kaserver.DB0 converted, no success authenticating

2007-10-29 Thread Ken Hornstein
>Oct 29 12:58:13 silmaril krb5kdc[13245](info): AS_REQ (7 etypes {18 17 >16 23 1 3 2}) xxx.xx.11.213: DECRYPT_CLIENT_KEY: [EMAIL PROTECTED] for >krbtgt/[EMAIL PROTECTED], Decrypt integrity check failed One little thing I always forget about afs2k5db it currently only works if your master key

Re: [OpenAFS] Password transition to krb5 - your methods?

2007-10-25 Thread Ken Hornstein
>The MIT License is compatible with OpenAFS. Someone could simply copy >the necessary routines out of MIT Kerberos and build a package that >doesn't require MIT Kerberos at all. The problem is that since crypto functions are involved, it would require a good chunk of the MIT library (and the db l

Re: [OpenAFS] Password transition to krb5 - your methods?

2007-10-25 Thread Ken Hornstein
>IMO, it should be distributed with it and referenced >in a new README.kaserver (which also should include >the elders EOL statement regarding kaserver). > >It doesn't have to be referenced by the build process. > >I wouldn't surprise me to find that nobody agrees with >me again. Sigh. Jeff, I go

Re: [OpenAFS] AES Support ?

2007-09-27 Thread Ken Hornstein
>Correct me if I am wrong, but if there is to be a smooth transition >then I have to wait until every single afs client worldwide who might >access our cell has upgraded (and how would I even know this). Check your KDC logs? When you stop seeing requests for afs/cell principals, you can get rid o

Re: [OpenAFS] Usernames in pts

2007-08-01 Thread Ken Hornstein
>Perhaps in the meantime we should add a command line switch >--permit-dotted-krb5-names That would be fine with me; people who understood this issue could choose to disable the check. --Ken

Re: [OpenAFS] Usernames in pts

2007-08-01 Thread Ken Hornstein
>become the same string. In order to prevent "joe.admin" from becoming >the administrative identity "joe/admin" we disable support for dots in >Kerberos v5 principal names. And yet somehow this isn't an issue when you use the 524 translator. --Ken ___

Re: [OpenAFS] Fedora Core 6 Kernel Module

2007-06-20 Thread Ken Hornstein
>> I am trying to build a kernel module for a Fedora Core 6 system >> with out >> any luck for the 2.6.20-1.2952.fc6 kernel. > >I know I'm going to regret asking this, but is there a reason you're >not using the pre-built one available from the OpenAFS site? When I tried doing that a few weeks

Re: [OpenAFS] "vos dump" authorization based on "bos adduser"?

2007-06-05 Thread Ken Hornstein
>However, it seems that the volserver bases "vos dump" permission on >whether or not a user's key is in the "bos adduser" list rather than >whether or not they are in system:administrators. Is there a reason >for this? I always assumed that was because the volserver doesn't normally need to talk

Re: [OpenAFS] Need help decoding kaserver debugging info

2007-05-23 Thread Ken Hornstein
>I'm trying to eliminate kaserver here, so I added the -debug flag to the >kaserver process as mentioned in a previous thread on this list. However, >now that I have debugging going, I'm not quite sure I understand the >different messages being written to the log. Unfortunately, the >documentati

Re: [OpenAFS] renaming principals (Was: One of my users has married - what to do? )

2007-04-29 Thread Ken Hornstein
>For us (iastate), they can certainly log into the unix account within a >few minutes, if moira's incrementals aren't sadly swamped. So how do you synchronize with the meatware? (the user who's getting the rename). That was really the point of that paragraph. I'm not considering the case of rena

Re: [OpenAFS] renaming principals

2007-04-29 Thread Ken Hornstein
>On forced id changes, yes. UIUC forced a large number of users with a >hyphen in their netid to change to one that did not have the hyphen. >(Usually dropping the hyphen if that id was available.) They also forced >netid changes where there were conflicts between the 3 campuses (UIC, >UIS, UI

Re: [OpenAFS] renaming principals (Was: One of my users has married - what to do? )

2007-04-29 Thread Ken Hornstein
>The point would be to allow users who may not be able to physically come >in to the help desk and reset a password be able to change their user >id. (Or in some cases, have their user id forcibly change by "powers >that be." Your criteria for a user changing their userid is less stringent the

Re: [OpenAFS] One of my users has married - what to do?

2007-04-29 Thread Ken Hornstein
> Password history is a moot point for us. Should we care > about that at some point, we'll worry about it then. So ... why DO you implement rename_principal, anyway? I had looked at doing that a bunch of years ago, but I came to the conclusion that it was basically equivalent to a delete/ad

Re: [OpenAFS] One of my users has married - what to do?

2007-04-29 Thread Ken Hornstein
>If I recall correctly, our method for handling the salt correctly for >any enctype now involves having the person set a new password >when they change their username. If you're going to do this anyway, and assuming you aren't doing the right magic to preserve the password history correctly (from

Re: [OpenAFS] asetkey: failed to set key, code 70354694

2007-04-09 Thread Ken Hornstein
>> This probably isn't good in the general case, but can't asetkey simply >> exec translate_et itself when an AFS error is encountered? Or is that a >> really bad idea? > >Ask Ken what I think of the exec method. Translation: Derrick will piss and moan about it for a few years, but eventually sto

Re: [OpenAFS] asetkey: failed to set key, code 70354694

2007-04-09 Thread Ken Hornstein
>In this particular case (asetkey), since the interesting thing is to >get ACFG errors out, and it's all on the AFS side of things, getting >the right thing to happen is doable. Sure, _this_ time you want the AFS errors ... what happens next time when you want the Kerberos error out? --Ken __

Re: [OpenAFS] asetkey: failed to set key, code 70354694

2007-04-09 Thread Ken Hornstein
>> >> "com_err sucks" >> >> Well, more precisely "no 2 com_errs are alike" >> > >Ok, so there is the whole com_err mess. But openafs has >its own com_err so that "shouldn't" matter. asetkey is one of those programs that has to link against Kerberos 5 as well as OpenAFS libraries. So, which co

Re: [OpenAFS] asetkey: failed to set key, code 70354694

2007-04-09 Thread Ken Hornstein
>In 1.5, you can use as many Kerberos realms as you want. It's extremely >useful when you want to have multiple local realms that are already >synchronized and should be treated as local rather than as cross-realm >realms. Ah, I see what I missed. There's that extra argument to afs_krb_lrealm().

Re: [OpenAFS] asetkey: failed to set key, code 70354694

2007-04-09 Thread Ken Hornstein
>It's a shame asetkey can't just print the error message directly. Another victim of com_err. Sigh. --Ken

Re: [OpenAFS] asetkey: failed to set key, code 70354694

2007-04-09 Thread Ken Hornstein
>No, this is the /usr/afs/etc/krb.conf trick. I see some stuff under #ifdef AFS_KERBREALM_ENV, but I can't possibly see how it would work like it's supposed to ... afs_krb_get_lrealm() reads the _first_ line of /usr/afs/etc/krb.conf and returns that. There is a loop in afs_is_foreign_ticket_name(

Re: [OpenAFS] asetkey: failed to set key, code 70354694

2007-04-09 Thread Ken Hornstein
>That is assuming you don't have more than X Kerberos realms that you >want to use for an afs service principal. And if you want to change the >afs service principal in all trusted realms, you could end up needing 2X >"slots" in the KeyFile. I think you've got it backwards. You can only use o

Re: [OpenAFS] asetkey: failed to set key, code 70354694

2007-04-09 Thread Ken Hornstein
># ./asetkey add 10 /tmp/afs.tab [EMAIL PROTECTED] >./asetkey: failed to set key, code 70354694. % translate_et 70354694 70354694 (acfg).6 = no more entries Man, I had no _idea_ that was an error. Live and learn. I will echo Derrick's comment: get rid of some of those keys in your KeyFile. At

Re: [OpenAFS] aklog -setpag doesn't get a token

2007-03-22 Thread Ken Hornstein
>One thing that led me astray for a while is that aklog does nothing if >your token hasn't changed, even if it is called with the -setpag option. I've always felt that behavior was dumb (it wasn't in the original aklog I committed, it appeared somewhere along the way in OpenAFS). As far as I can

Re: [OpenAFS] Server encryption keys

2007-03-20 Thread Ken Hornstein
>On a test cell, I've been able to change the encryption key as >follows: I change the afs password using kadmin and export it >to the KeyFile. I then have to kill the bos process and all >server processes on all servers, since my old admin tokens >don't work any more, nor do new ones when I reaut

Re: [OpenAFS] A problem with authentication

2007-03-08 Thread Ken Hornstein
>and I'm not sure why the difference exists, other than that the oldest >haven't changed their passwords since before we moved to heimdal. The short answer is that the plaintext password gets converted via a one-way algorithm to the encryption key used by Kerberos. So if you have an afs3-salted k

Re: [OpenAFS] Kerberos 5 encryption types and AFS

2007-03-06 Thread Ken Hornstein (Contractor)
>I've also found that if I took a client linked with a Kerberos library >that didn't understand AES keys (1.2 era), pointed it at a ticket cache >containing an AES TGT, and asked it to get a service ticket, it would >fail. With an AES TGT, or an AES session key as part of the TGT? The latter woul

Re: [OpenAFS] Kerberos 5 encryption types and AFS

2007-03-06 Thread Ken Hornstein
>In practice, 3DES has no problems here, but AES keys can confuse really >old clients. A slight expansion on this. Clients from the MIT 1.0.x era would reject service tickets if they were encrypted with an enctype they didn't know about (since clients don't decrypt service tickets they shouldn't

Re: [OpenAFS] Re: Windows AFS client / Kerberos V

2007-01-30 Thread Ken Hornstein
>> ank -kvno 2 -randkey -e "des-cbc-crc:normal" [EMAIL PROTECTED] >> >> This has been discussed before AND NOT ENTERED INTO THE DOCUMENTATION. > >I think -randkey causes the salt to be ignored -- I used :afs3 and >a subsequent getprinc says that the principal has no salt. It's a bit more complica

Re: [OpenAFS] asetkey, aklog and weird key/principal

2007-01-09 Thread Ken Hornstein
>ktpass -princ afs/@ -mapuser _afs -pass * -crypto >DES-CBC-MD5 -out c:\temp\unixkeytab I thought this was fixed in some version of OpenAFS ... but generally you should use DES-CBC-CRC instead of DES-CBC-MD5. Also, I think you managed to expose your afs key in the mail you provided. It doesn't s

Re: [OpenAFS] env vars being ignored - 1.4.2 building aklog

2007-01-03 Thread Ken Hornstein
> CC and CPPFLAGS being ignored (I am using GNU make of course) > when building aklog. Also, isn't this supposed to build by > default, what with kaserver's deprecation and all... ? > >You want KRB5CFLAGS and KRB5LIBS. These are options to configure, not to >make. If this isn't documented som

Re: [OpenAFS] AFS rsh token passing

2006-10-30 Thread Ken Hornstein
>What's the best replacement for the old AFS rsh and >Transarc inetd which does token passing? > >I'm using this in a Linux cluster environment so speed is >fairly important - and I'd prefer something as easy to >setup as the old rsh. I use the MIT Kerberos rsh/rshd all of the time. I'm not sure

Re: [OpenAFS] kaserver deprecation, OpenAFS future, etc...

2006-10-19 Thread Ken Hornstein
>I spent weeks poking around at it several months ago. We >*were* well on our way toward a KDC-auth setup in our little >corner. I wouldn't *strongly* recommend it to anyone who >expects users to get tokens automatically when they login. >But usability is of no real concern to security guys. I d

Re: [OpenAFS] kaserver deprecation, OpenAFS future, etc...

2006-10-19 Thread Ken Hornstein
> I guess I'm a little surprised that nobody was > interested enough in "ka5server" to make it > happen -- do most sites not use kaserver? I think a number of people do use it still, but it's definitely shrinking. Having grovelled around in the MIT KDC for too long, I can tell you writing a V5

Re: [OpenAFS] kaserver deprecation, OpenAFS future, etc...

2006-10-18 Thread Ken Hornstein
(Note: I don't have anything to do with making these decisions; I'm just giving you my view on things). > "kaserver is not being actively developed. In fact, > it is considered deprecated and I strongly recommend > that kaserver be replaced with a Kerberos 5 KDC." > >Is there anything else

Re: [OpenAFS] Removing file server preferences...

2006-09-19 Thread Ken Hornstein
>At 02:08 PM 9/19/2006, Ken Hornstein wrote: >>Stupid question #2: is it just a matter of tidying things up that you want >>those prefs removed? > >In our case yes, and to prevent time out failover lag. Okay ... but I thought that you said that all of the volumes had be

Re: [OpenAFS] Removing file server preferences...

2006-09-19 Thread Ken Hornstein
>If the client has a preference set for a server, then there is a server >entry and that server will be probed to determine if it is up or down >on a regular basis. Every ten minutes for UP servers and every three >minutes for DOWN servers. > >You might now want to be producing all of that additio

Re: [OpenAFS] Removing file server preferences...

2006-09-19 Thread Ken Hornstein
>We set the server preferences per building to minimize network traffic. I >believe it helps to know which servers your client will be trying to hit >first for their data. To each his own I suppose. Hey, I was just surprised that someone uses it; It just seemed like a big pain when I tried it

Re: [OpenAFS] Removing file server preferences...

2006-09-19 Thread Ken Hornstein
>Anyone know how to remove file server preferences once they have been >added? We've recently removed some file servers from operation and I can't >find a way to get rid of their preferences with "fs setserverprefs". Dumb question time ... why do you care? I don't think it matters if extra ser

Re: [OpenAFS] That infamous, magnificent bastard, error 19270408.

2006-09-10 Thread Ken Hornstein
>I wonder if this means Joe will have to speed up the pace of the AFS >upgrade, then. I thought someone said it was perfectly ok to run >OpenAFS database servers with Transarc Fileservers? That's a true statement. As you see, your cell still works. But there are some important caveats. One c

Re: [OpenAFS] That infamous, magnificent bastard, error 19270408.

2006-09-10 Thread Ken Hornstein
>Ok. If I understand this right, your past clients are using >"krb524d" to convert tickets -- and are storing a "real" kerberos 4 >ticket. This latter key can *only* be des, because that's the >only encryption mode supported by kerberos 4. >If you have slightly newer code, you may have a version

Re: [OpenAFS] That infamous, magnificent bastard, error 19270408.

2006-09-10 Thread Ken Hornstein
>The key files themselves were compared; I took your, and Christopher >Clausen's advice, and ran "bos listkeys" against each of our AFS >servers from a working client, and the results were identical: >[...] Okay ... this looks correct. But those are just your database servers ... I see that

Re: [OpenAFS] That infamous, magnificent bastard, error 19270408.

2006-09-10 Thread Ken Hornstein
>I've searched the archives pretty hard, but I'm still getting stymied >by your friend and mine, rxkad error 19270408. Our windows clients >are working perfectly, and our Solaris -8- configuration is working >perfectly with its internal k5/k4 bits but our Solaris 9 >configuration against s

Re: [OpenAFS] KeyFile generation issue

2006-09-01 Thread Ken Hornstein
>Unfortunately, I jumped the gun on this. Initial probing looked >fine - get tokens, create/mod/delete files/dirs. Actual AFS actions >like creating volumes, querying members of a group, etc, failed with >the following error: Since you're able to create files, that must mean that authentication s

Re: [OpenAFS] Further TransArc -> OpenAFS musings/planning

2006-08-16 Thread Ken Hornstein
>I don't know of any reason why this wouldn't work, but I have to admit >that I'm really partial to transferring the database over protocol rather >than making the new server read the old disk file format. I know that if >you bring up a new server and let Ubik handle the replication, you don't >ha

Re: [OpenAFS] FC6-T2 openafs

2006-08-10 Thread Ken Hornstein
> #define rx_PortOf(peer) ((peer)->saddr.ss_family == AF_INET ? \
>   ((struct sockaddr_in *) &(peer)->saddr)->sin_port : \
>   ((struct sockaddr_in6 *) &(peer)->saddr)->sin6_port)
>
> you probably don't have struct sockaddr_in6 there.

That's insid
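The macro quoted above reads the port out of a sockaddr_storage by casting on the address family, and treats anything that is not AF_INET as IPv6. The following is an added example, not OpenAFS code, that writes the same logic as a function with the AF_INET6 check made explicit, so a peer with an unexpected family is reported rather than read through a sockaddr_in6 cast. The peer_addr struct, the port_of name and the sample addresses and ports are this example's own assumptions.

```c
/* Added example (not from OpenAFS): a function-form equivalent of the
 * rx_PortOf() macro, with an explicit AF_INET6 branch and an error
 * value for any other family. Assumed names: peer_addr, port_of. */
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Stand-in for the rx peer structure: only the field the macro touches. */
struct peer_addr {
    struct sockaddr_storage saddr;
};

/* Return the peer's port in host byte order, or -1 for a family we do
 * not handle. The macro on the page returns the (network-order)
 * sin6_port for anything that is not AF_INET; that is harmless while
 * only AF_INET and AF_INET6 peers exist, but checking both families is
 * the safer shape. */
int port_of(const struct peer_addr *p)
{
    if (p->saddr.ss_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *)&p->saddr;
        return ntohs(s4->sin_port);
    }
    if (p->saddr.ss_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)&p->saddr;
        return ntohs(s6->sin6_port);
    }
    return -1;
}

/* Constructed sample peers (not captured data) exercising each branch. */
int v4_port_example(void)
{
    struct peer_addr p;
    struct sockaddr_in *s4 = (struct sockaddr_in *)&p.saddr;
    memset(&p, 0, sizeof p);
    s4->sin_family = AF_INET;
    s4->sin_port = htons(7000);               /* assumed sample port */
    inet_pton(AF_INET, "192.0.2.10", &s4->sin_addr);
    return port_of(&p);
}

int v6_port_example(void)
{
    struct peer_addr p;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&p.saddr;
    memset(&p, 0, sizeof p);
    s6->sin6_family = AF_INET6;
    s6->sin6_port = htons(7003);              /* assumed sample port */
    inet_pton(AF_INET6, "2001:db8::1", &s6->sin6_addr);
    return port_of(&p);
}

int unknown_family_example(void)
{
    struct peer_addr p;
    memset(&p, 0, sizeof p);
    p.saddr.ss_family = AF_UNSPEC;             /* neither v4 nor v6 */
    return port_of(&p);
}
```

On a platform whose headers lack struct sockaddr_in6, the AF_INET6 branch would need to be wrapped in a preprocessor guard; the example assumes a modern libc where both families are available.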

Re: [OpenAFS] DB servers seperate from fileservers

2006-08-08 Thread Ken Hornstein
>As it turns out, VIOCCKSERV does not report up/down state for database >servers (though it does probe them, if you asked for probing). However, >the cache manager does maintain preferences for both fileservers and >vlservers, and VIOCGETSPREFS can be used to retrieve either set. Okay, I admit

Re: [OpenAFS] DB servers seperate from fileservers

2006-08-08 Thread Ken Hornstein
> Don't those deal with fileservers? > And isn't the case at hand dealing with DB servers? > > Seems to me that a far simpler method would be for stand-alone > clients to start with a short timeout and circle through the > DB servers quicker. The problem is that this code is embedded de

Re: [OpenAFS] DB servers seperate from fileservers

2006-08-08 Thread Ken Hornstein
>You mean like VIOCCKSERV, which tells you which servers the cache manager >currently thinks are down? Or more like VIOCGETSPREFS, which tells you >what preference order the cache manager has assigned to servers? I think that only works for fileservers, right? And it sort of returns rather inc

Re: [OpenAFS] DB servers seperate from fileservers

2006-08-08 Thread Ken Hornstein
>I was specifically talking about DB servers. Having one of them go >down, provided there are no volumes on that server, should not cause a >problem, right? In theory, no. In practice ... it's annoying. The problem is that AFS clients pick a DB server to talk to at random, and for most cases

Re: [OpenAFS] "VL_RegisterAddrs rpc failed"

2006-07-28 Thread Ken Hornstein
>I was thinking of removing the address that is in there. From what I >remember, the problem is that the vlserver thinks another server is >the one that has that IP address (I never figured out how I got >in that situation; I believe you could probably do it by doing a >"vos changeaddr" to change

Re: [OpenAFS] "VL_RegisterAddrs rpc failed"

2006-07-28 Thread Ken Hornstein
>> Maybe if you shut down the fileserver, then do a >> "vos changeaddr address -remove", then start it up again? (I don't remember >> how I fixed that problem here; there was a weird cycle of things that I >> had to do to fix it). > >Remove what address? There is only one listed in "vos listaddr >

Re: [OpenAFS] "VL_RegisterAddrs rpc failed"

2006-07-28 Thread Ken Hornstein
>> Does "vos changeaddr" help you out at all? > >I'm not sure what to do with it... "vos listaddr -noresolve" shows the >correct IP. > >It would help if there were actual diagnostics in place that the FileLog >error message told me to look! I had the same thing happen to me once. I think I had so

Re: [OpenAFS] "VL_RegisterAddrs rpc failed"

2006-07-28 Thread Ken Hornstein
>In article <[EMAIL PROTECTED]> you write: >> When I restarted the other two servers with a bos restart -all, the >> problem went away. > >I only have one server, and I have done both complete restarts of AFS >on it and rebooted the entire machine, with no change. Does "vos changeaddr" help you ou

Re: [OpenAFS] ka-forwarder -> fakeka malformed (bad password)

2006-06-29 Thread Ken Hornstein
>My Kerberos REALM name and CELL name are DIFFERENT. I need to do this >since our Windows group took over the REALM name that is the same >as the AFS cell name for their Kerberos system. Unfortunately, this puts a bit of a crimp in things. But it may not be your real problem. You need to hav

Re: Re[2]: [OpenAFS] token lifetime

2006-06-29 Thread Ken Hornstein
>I am not using kerberos (yet), so I have to set it with kas. >Can it be set to never expire ? or is the maximum lifetime 720 hours ? Just as a note ... if you set your tickets to never expire (which I don't think is possible with the current code), you're just asking to be 0wned. Just my $0.02.

Re: [OpenAFS] what has happened to the Workshop web site?

2006-06-22 Thread Ken Hornstein
>On Thu, Jun 22, 2006 at 09:07:26AM +0200, Giovanni Bracco wrote: >> The site http://pmw.org/afsbpw06/ is not accessible anymore. What >> has happened? > >Nothing. Try http://www.pmw.org/afsbpw06/. Short answer: the domain expired yesterday. This has been fixed, but depending on the level of cach

Re: [OpenAFS] convertROtoRW safe on inode?

2006-06-20 Thread Ken Hornstein
>|Basically ... a bunch of internal things inside of a volume need to >|be mucked with to make convertROtoRW work. That code was written for >|namei fileservers ... it has not been written for inode fileservers. > >Hello! >Is it planned to do so (write it for inode fileservers) ? Someone has to ge

Re: [OpenAFS] convertROtoRW safe on inode?

2006-06-19 Thread Ken Hornstein
>I was reading through some of the posted talks from the AFS best >practices conference and saw something that mentioned vos convertROtoRW >only working on namei fileservers? Is this true? Does it just not work >on inode? Or do "Bad Things" (TM) happen when its used on inode >fileservers? Y

Re: [OpenAFS] OpenAFS implementation questions.

2006-06-09 Thread Ken Hornstein
>> Well, you should be able to get tickets/tokens through ssh, either via >> kerberos ticket passing or typing in a password. In those cases your >> users can still run re-auth. > >> However for batch processes, well, there's just not much you can do. > >For batch processes, you pretty much have t
