Re: [OpenAFS] Help setting up openafs on debian bookworm
Ernesto Alfonso:
> Now my problem is still understanding why `bos listkeys` now succeeds but returns an empty set when asetkey does list 4 keys.

Because you deleted the wrong key. The AFS principal should be named "afs/@". Just follow the instructions in https://docs.openafs.org/QuickStartUnix/HDRWQ50.html, under "Generating the Cell's Kerberos V5 Keys", but replace "/usr/afs/etc" with "/etc/openafs/server", which is used on Debian/Ubuntu, and you should be all set.

Also note that if you set up multiple servers, you only need to do the kadmin part once, and copy the resulting rxkad.keytab (and probably KeyFileExt) to all servers, since the kvno needs to be the same on all servers, but exporting the key increases it.

HTH...

Dirk

--
Dirk Heinrichs
Matrix address: @heini:chat.altum.de
GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
Privacy Handbuch: https://www.privacy-handbuch.de
Re: [OpenAFS] Help setting up openafs on debian bookworm
Ernesto Alfonso:
> sudo asetkey list
> rxkad_krb5 kvno 5 enctype 17; key is:
> rxkad_krb5 kvno 5 enctype 18; key is:
> rxkad_krb5 kvno 9 enctype 17; key is:
> rxkad_krb5 kvno 9 enctype 18; key is:

I'm a little bit confused about the key version numbers (kvno). They should IMHO be the same. Are those question marks the same string for the respective enctypes?

You could also check the content of your keytab, by running "ktutil". In ktutil, read your keytab file using "rkt /etc/openafs/server/rxkad.keytab" and then list the keys using the "l" (lowercase "L") command. It should list multiple keys, which all have the same kvno. If not, delete the ones with the lower kvnos, using "delent " and save the file using "wkt /etc/openafs/server/rxkad.keytab".

HTH...

Dirk
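The kvno check described in the message above can also be done offline, without printing key material. This is an added example, not part of the original post: it parses the MIT keytab file layout (version 0x0502) and reports entries whose kvno is lower than the newest one for the same principal. The principal `afs/example.org@EXAMPLE.ORG` and the zero-filled keys are constructed placeholders.

```python
import struct
from collections import defaultdict

PRINCIPAL = "afs/example.org@EXAMPLE.ORG"  # constructed placeholder, not from the thread


def _parse_entry(buf):
    """Return (principal, kvno, enctype); key bytes are skipped and never returned."""
    off = 0

    def take(fmt):
        nonlocal off
        vals = struct.unpack_from(fmt, buf, off)
        off += struct.calcsize(fmt)
        return vals

    def counted():
        nonlocal off
        (n,) = take(">H")
        raw = buf[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated string in keytab entry")
        off += n
        return raw.decode("utf-8", "replace")

    (ncomp,) = take(">H")                      # component count (realm not included)
    realm = counted()
    comps = [counted() for _ in range(ncomp)]
    _name_type, _timestamp, vno8 = take(">IIB")
    enctype, keylen = take(">HH")
    off += keylen                              # skip the key itself
    if off > len(buf):
        raise ValueError("truncated key in keytab entry")
    kvno = vno8
    if len(buf) - off >= 4:                    # optional 32-bit kvno overrides the 8-bit one
        (vno32,) = take(">I")
        if vno32:
            kvno = vno32
    return ("/".join(comps) + "@" + realm, kvno, enctype)


def parse_keytab(data):
    """Parse a keytab image into a list of (principal, kvno, enctype) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                           # hole left behind by a deleted entry
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def stale_entries(entries):
    """Entries whose kvno is below the highest kvno seen for the same principal."""
    newest = defaultdict(int)
    for princ, kvno, _ in entries:
        newest[princ] = max(newest[princ], kvno)
    return [e for e in entries if e[1] < newest[e[0]]]


def _sample_entry(kvno, enctype, keylen):
    """Serialize one constructed entry with an all-zero dummy key."""
    name, realm = PRINCIPAL.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, keylen) + bytes(keylen)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample mirroring the listing in the thread: kvno 5 and 9,
# enctypes 17 and 18, plus one 8-byte hole as left by a deleted entry.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _sample_entry(5, 17, 16) + _sample_entry(5, 18, 32)
    + struct.pack(">i", -8) + bytes(8)
    + _sample_entry(9, 17, 16) + _sample_entry(9, 18, 32)
)

if __name__ == "__main__":
    for princ, kvno, enctype in stale_entries(parse_keytab(SAMPLE_KEYTAB)):
        print(f"stale: {princ} kvno {kvno} enctype {enctype}")
```

To check a real file, pass its bytes to `parse_keytab()`; the same comparison across the copies on each server shows whether they agree on the kvno.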
Re: [OpenAFS] Advice on using BTRFS for vicep partitions on Linux
Ciprian Craciun:
> Well, I base this supposition on my simple observation with OpenAFS's own client which is also out-of-tree and requires custom module builds (via DKMS or equivalent). For example I use OpenSUSE Tumbleweed (rolling release), and sometimes I need to delay my updates until the distribution manages to get the modules ready (with the latest Linux kernel).

Ah, OK, I see. Yeah, I also sometimes see this with the OpenAFS module on Debian *testing*, where it can happen that the kernel is too new so that the module doesn't build until a compatibility fix is released. I usually switch to the in-kernel AFS module temporarily in these cases. However, this never happened on Debian *stable*, neither for OpenAFS, nor for ZFS.

Bye...

Dirk
Re: [OpenAFS] Advice on using BTRFS for vicep partitions on Linux
Ciprian Craciun:
> it's not in-kernel; which means sooner or later one would encounter problems.

Can you please elaborate? I run two ZFS systems @home where one is an OpenAFS fileserver and client, the other one a client only. They both started as Debian Stretch and have been updated to Buster and then Bullseye and I've never had any problems because of ZFS being out-of-tree. The Debian DKMS system does quite a good job.

The OpenAFS client module is out-of-tree too, BTW...

Bye...

Dirk
Re: [OpenAFS] OpenAFS with GDM in Ubuntu 22.04 (or 20.04)?
jukka.tuomi...@finndesign.fi:
> I wonder if anybody has OpenAFS client working with GDM in Ubuntu 22.04 (or 20.04)? That is, allowing users to log into their homedirs graphically.

You can't. Most of the Gnome stuff nowadays heavily depends on systemctl --user which doesn't work when $HOME is in /afs (because systemd starts the systemctl --user separate from the user session and thus it doesn't get a token at login). Unfortunately, systemd folks are not willing to fix this nonsense.

SDDM works fine, though.

HTH...

Dirk
Re: [OpenAFS] Limiting mount point to known cells
Ingo van Lil:
> git tries to access the directory /afs/.git, and I see that afsd sends multiple DNS requests to the loopback address 127.0.0.53. Not sure why it does that, it seems to be somehow related to systemd-resolved in Fedora Linux.

Yes, systemd-resolved provides a local caching DNS server on that address and configures /etc/resolv.conf (by symlinking it to its own file in /run) to use it.

HTH...

Dirk
Re: [OpenAFS] Question for admins regarding pts membership output
Ed Rude:
> I think I prefer the new behavior you are suggesting as the default.

I'd prefer to have the current behavior as default, as to not break current scripts. Admins can then decide to enhance their scripts as needed instead of being forced to change them because they got broken.

Bye...

Dirk
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Dave Botsch:
> Maybe it's not in newer release of openssh?

Nope. Also looked up Debian Stretch's man page for OpenSSH 7.9. Doesn't have it. See https://manpages.debian.org/stretch/openssh-server/sshd_config.5.en.html

Bye...

Dirk
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Dave Botsch:
> KerberosUniqueCCache=yes in sshd.conf

Could you elaborate on what this option is good for? I can't find it in sshd_config(5), neither on a Debian Bookworm system with OpenSSH 9.0, nor in online man-pages of Arch Linux or upstream OpenSSH. Is this some special RH-only thing?

Thanks a lot...

Dirk
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Jeffrey E Altman:
> Red Hat's pam_krb5 is not shipped nor supported for RHEL8 (or later).

Ah, OK. As a non-RH user, I wasn't aware they threw it out. Thanks for clarifying.

> The replacement is sssd which supports Kerberos ticket acquisition but
> not AFS token acquisition. The recommendation for acquiring AFS tokens
> on sssd enabled systems is to use pam_afs_session

Yep, that's what I also do on my sssd-enabled (because of AD) Debian systems.

Bye...

Dirk
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Stephan Wonczak:
> Any advice would be greatly appreciated!

As Benjamin wrote: Try pam_afs_session. Should be added to the "auth" and "session" blocks of your PAM setup.

https://packages.debian.org/bullseye/libpam-afs-session
https://www.eyrie.org/~eagle/software/pam-afs-session

HTH...

Dirk
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Benjamin Kaduk:
> Are you aware of pam_afs_session
> (https://github.com/rra/pam-afs-session)? Without knowing more about
> what you're using pam_krb5 for it's hard to make specific suggestions
> about what alternatives might exist.

BTW: pam_krb5 != pam_krb5. There are two different modules with the same name out there. The one shipped with RedHat family distributions comes with integrated AFS support, while the one shipped with Debian family distributions doesn't. That's the reason why Debian also ships pam_afs_session and RH does not.

Bye...

Dirk
Re: [OpenAFS] Redux: Linux: systemctl --user vs. AFS
Ken Hornstein:
>> Anyway, I checked the krb5 sources, and it is defined in
>> lib/krb5/ccache/cc_keyring.c:
>>
>> /*
>>  * Keyring name prefix and length of random name part
>>  */
>> #define KRCC_NAME_PREFIX "krb_ccache_"
>> #define KRCC_NAME_RAND_CHARS 8
> My reading of the code is that random cache name is only used _if_ you
> call the function krb5_cc_gen_new(), which suggests to me that pam_sss
> or something pam_sss is calling is explicitly doing that (most Kerberos
> programs simply call krb5_cc_default() which should result in it taking
> a compiled-in default or whatever you specify in krb5.conf).

Switched from sssd to winbind and got it to work using the standard FILE cache type. With KEYRING, something(TM) added the ":${UID}" suffix twice...

Bye...

Dirk
Re: [OpenAFS] Redux: Linux: systemctl --user vs. AFS
Markus Köberl:
> ccache and ccache_dir options for pam_krb5 might help.
> Have a look at man pam_krb5.

I'm using pam_sss. Anyway, I checked the krb5 sources, and it is defined in lib/krb5/ccache/cc_keyring.c:

/*
 * Keyring name prefix and length of random name part
 */
#define KRCC_NAME_PREFIX "krb_ccache_"
#define KRCC_NAME_RAND_CHARS 8

Maybe other distributions patch this out and Debian doesn't...

Bye...

Dirk
Re: [OpenAFS] Redux: Linux: systemctl --user vs. AFS
Carson Gaspar:
> On 8/13/2021 11:01 AM, Dirk Heinrichs wrote:
>> Tried the setup right away on Debian, but it doesn't work. Seems Debian
>> adds some random string to the cache name, even if it's set to KEYRING:
>>
>> % LC_ALL=C klist|head -1
>> Ticket cache: KEYRING:persistent:1000:krb_ccache_inOQJ0u
>
> This may be OpenSSH (or at least Debian's patched version). If you log
> in via GSSAPI, sshd generates a unique per-session ccache, whether you
> like it or not.

But this happens with local logins as well. However, I'm using sssd to login via AD (samba).

Bye...

Dirk
Re: [OpenAFS] Redux: Linux: systemctl --user vs. AFS
Jonathan Billings:
> On Fri, Aug 13, 2021 at 05:38:54PM +0200, Dirk Heinrichs wrote:
>> Jonathan Billings:
>>
>>> # Set ccache name
>>> export KRB5CCNAME="KEYRING:persistent:$UID"
>> Am I correct to assume that the "regular" login session also needs to be
>> configured this way?
>>
>> Thanks...
> Yes, I have this in my /etc/krb5.conf:
>
> [libdefaults]
> default_ccache_name = KEYRING:persistent:%{uid}

Tried the setup right away on Debian, but it doesn't work. Seems Debian adds some random string to the cache name, even if it's set to KEYRING:

% LC_ALL=C klist|head -1
Ticket cache: KEYRING:persistent:1000:krb_ccache_inOQJ0u

Of course, this doesn't fit with the KRB5CCNAME as set in the script. Any ideas how I can convince Debian not to add that string to the cache name?

Bye...

Dirk
Re: [OpenAFS] Redux: Linux: systemctl --user vs. AFS
Jonathan Billings:
> Yes, I have this in my /etc/krb5.conf:
>
> [libdefaults]
> default_ccache_name = KEYRING:persistent:%{uid}
>
> By default it is "FILE:/tmp/krb5cc_%{uid}" which isn't particularly
> secure, as mentioned earlier in the thread.

Great, thanks a lot.

Bye...

Dirk
Re: [OpenAFS] Redux: Linux: systemctl --user vs. AFS
Jonathan Billings:
> # Set ccache name
> export KRB5CCNAME="KEYRING:persistent:$UID"

Am I correct to assume that the "regular" login session also needs to be configured this way?

Thanks...

Dirk
Re: [OpenAFS] aklog and AFS DB server timeouts
RL:
> 192.168.*.*
> is a private thingie that never gets resolved with DNS

That's nonsense. They will of course not get resolved by *public* DNS servers, but nothing prevents you from resolving them through a *private* one. My private network is running on 192.168.1.x addresses and they get resolved just fine (through my private, samba based DNS server).

Bye...

Dirk

--
Dirk Heinrichs
GPG Public Key: D01B367761B0F7CE6E6D81AAD5A2E54246986015
Secure Internet communication: http://www.retroshare.org
Privacy Handbuch: https://www.privacy-handbuch.de
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Borderline offtopic: OpenAFS as ~ for Samba AD?
On 19.01.20 at 22:53, Måns Nilsson wrote:
> This means, that I'd like to cross-realm ("AD Trust", but not entirely) between my Heimdal realm (where I run the AFS cell) and the Heimdalish Kerberos that is part of Samba 4.

I went this route a few years ago, in my own home network. However, I didn't see the need to run two directory servers, so I completely replaced my MIT Kerberos/OpenLDAP based setup with Samba 4 AD. No need to set up cross realm trust.

HTH...

Dirk
Re: [OpenAFS] Question regarding vos release and volume
n...@phobos.ws:
> Lately I've resized on of the LVM partitions, resized the filesystem and
> since then "vos release" won't do it anymore.

Could you be more specific? What filesystem type? Grow or shrink? And how did you do it (with two separate commands or by using lvresize -r)?

Bye...

Dirk
Re: [OpenAFS] Administrators with a slash
On 06.03.19 at 16:59, Dave Botsch wrote:
> I'm curious what problems you have run into. We are bouncing Win10
> against MIT Kerberos just fine, so clearly something is different in
> our attempted setups.

Can't really remember, too long ago. Is this Home or Pro?

Bye...

Dirk
Re: [OpenAFS] Administrators with a slash
On 06.03.19 at 14:28, Ciprian Dorin Craciun wrote:
> Indeed this was my experience also, the Kerberos deployment was quite
> trivial (once I've done it);

Please note that if you're ever going to add Windows (Professional) systems to your setup you should use a (Samba-) AD server for Kerberos. Windows has quite some problems talking to standard Kerberos/LDAP servers while Linux is fine talking to AD (using either winbindd or sssd).

Bye...

Dirk
Re: [OpenAFS] Red Hat EL Support Customers - Please open a support case for kafs in RHEL8
On Saturday, 08.12.2018, 14:08 -0500, Jeffrey Altman wrote:
> On 12/8/2018 5:21 AM, Dirk Heinrichs wrote:
> > Dirk Heinrichs:
> >
> > > Did a quick test (on Debian, btw., which already ships kafs) and it
> > > works fine.
> >
> > While getting tokens at login work with this setup, things start to fail
> > once the users $HOME is set to be in /afs. While simple scenarios like
> > pure shell/console logins work, graphical desktop environments have lots
> > of problems. XFCE4 doesn't even start, Plasma works to some degree after
> > presenting lots of error dialogs to the user.
>
> As Harald indicated, "systemd --user" services are a problem not just
> for kafs but for openafs as well.

But that's not the problem here. Both work fine with the OpenAFS client.

> There has been discussions on this
> mailing list of the issues dating back more than a year.

I know. I've been involved ;-)

> In summary,
> "systemd --user" services are incompatible with "session keyrings" which
> are used to represent AFS Process Authentication Groups.

Yes.

> You have no indicated which kernel version you are using nor am I aware
> of the options used to build AF_RXRPC and KAFS on Debian. The Linux
> kernel versions that are recommended are 4.19 with a couple of back port
> patches from the forthcoming 4.20 and the 4.20 release candidate
> series.

Ah, OK. Debian buster is still on 4.18. Will give it another try once 4.20 is out...

> Regardless, it would be useful for you to file bug reports with the
> Linux distribution describing the issues you are experiencing.
>
> Debian: https://wiki.debian.org/reportbug

Yep, know this.

> Fedora: https://fedoraproject.org/wiki/Bugs_and_feature_requests
>
> > Seems there's still some work to do until this becomes an alternative
> > for the standard OpenAFS client.
>
> All software including OpenAFS has work to do.

Sure. But the OpenAFS client is mature and just works (except for the systemd --user thing, which isn't OpenAFS' fault).

> The kafs to-do list of known work items is here:
>
> https://www.infradead.org/~dhowells/kafs/todo.html
>
> > So I wonder why RH customers would want that?
>
> Obviously, no one wants bugs, but at the same time this community
> does want:
>
> 1. A solution to "systemd --user" service compatibility with AFS.

ACK.

> The required changes are going to require Linux distribution
> intervention because systemd is integrated with differences
> to each distribution. At the moment there is no interest among
> the systemd developers to work to fix a behavior they consider
> to be a bug in OpenAFS, an out of tree file system.

So they need to understand it's a problem with an in-tree fs as well? I see...

> 2. The RHEL AFS user community needs an end to the repeated breakage
> of /afs access following each RHEL dot release. How many times
> has getcwd() broken because RHEL kernels updates preserve the API
> between releases but do not preserve the ABI. While this permits
> third party kernel modules to load it does not ensure that they
> will do the right thing. If the community is lucky the symptoms
> are visible. If unlucky, the symptoms are hidden until someone
> reports silent data corruption.

As a Debian user I didn't have these kind of problems in the past *HINT* :-) But, OTOH, mine is just a small home setup.

> The need for an in-tree Linux AFS client extends to all Linux
> distributions not just Red Hat. Any OpenAFS Linux developer can attest
> to the extensive effort that must be expended to maintain compatibility
> with the mainline Linux kernel. Then multiply that effort by all of the
> Linux distributions that ship modified kernels such as RHEL, SuSE,
> Ubuntu, Oracle,

ACK

Bye...

Dirk
Re: [OpenAFS] Red Hat EL Support Customers - Please open a support case for kafs in RHEL8
On Sat, 08 Dec 2018 13:32:08 +0100 (CET), Harald Barth wrote:
> Is this a problem due to AFS or due to the startup of the graphical
> environment which nowadays may involve systemd --user services
> instead of running all processes in the same session?

No, it's not. Both desktop environments work fine with the OpenAFS client. The systemd --user thing is a different story.

Bye...

Dirk
Re: [OpenAFS] Red Hat EL Support Customers - Please open a support case for kafs in RHEL8
Dirk Heinrichs:
> Did a quick test (on Debian, btw., which already ships kafs) and it
> works fine.

While getting tokens at login work with this setup, things start to fail once the users $HOME is set to be in /afs. While simple scenarios like pure shell/console logins work, graphical desktop environments have lots of problems. XFCE4 doesn't even start, Plasma works to some degree after presenting lots of error dialogs to the user.

Seems there's still some work to do until this becomes an alternative for the standard OpenAFS client. So I wonder why RH customers would want that?

Bye...

Dirk
Re: [OpenAFS] Red Hat EL Support Customers - Please open a support case for kafs in RHEL8
Jonathan Billings:
> On my systems, I install the kafs-client package (currently in COPR, but
> eventually to be in Fedora 29) that includes a kafs-aware aklog package,
> and use pam_exec to have it run aklog as part of the PAM stack. Here's the
> source: http://git.infradead.org/users/dhowells/kafs-client.git

Nice. Wasn't aware of this.

> I append this to my PAM config, where I use pam_sss to get kerberos tickets
> for UMICH.EDU.
> session optional pam_exec.so quiet seteuid /usr/bin/aklog umich.edu

Did a quick test (on Debian, btw., which already ships kafs) and it works fine.

> I've not tried getting pam-afs-session to work with the kafs version of
> aklog. It does look like program=/path/to/kafs-aklog would work.

Turns out this module checks for the "traditional" AFS client, so it doesn't work with kafs. Anyway, the pam_exec method makes for a good workaround ;-)

Bye...

Dirk
Re: [OpenAFS] Red Hat EL Support Customers - Please open a support case for kafs in RHEL8
On 07.12.18 at 00:33, Jeffrey Altman wrote:
> 5. Are there features that OpenAFS has that kafs does not?
>
> Yes. kafs does not split horizon caching, it does not have an
> equivalent of cache bypass, it does not implement any of the rxdebug or
> xstat_cm statistics collection. Nor does it provide pioctls and there is
> no fs, vos, pts, bos command suite. kafs does not export afs2nfs.

What about PAM integration? Does pam-afs-session also work with kafs? Or is there any other way for users to get access to their $HOME in /afs?

From the documentation inside the kernel tree I take it that there's currently only a klog program, which needs to be invoked explicitly (so AFTER the user has logged in). Or can it be used by said PAM module by using its "program=path" configuration option (see pam_afs_session(5))?

Bye...

Dirk
Re: [OpenAFS] Obtaining tokens at login on Ubuntu 18.04
On 19.08.2018 at 00:46, Prasad K. Dharmasena wrote:
> So, we must pick our poison? A: live w/o '"systemctl --user" and all
> that stuff' or B: pam_afs_session with 'nopag'

Tried the latter (incl. re-install of dbus-user-session), but still didn't get systemctl --user to work (after re-login of course).

Bye...

Dirk
Re: [OpenAFS] Obtaining tokens at login on Ubuntu 18.04
On 17.08.2018 at 11:38, Gaja Sophie Peters wrote:
> The main problem that we face at the moment is that there are TWO
> sessions opened, and (especially in "Ubuntu"-Session)

With "Ubuntu", you mean Gnome, I guess. KDE doesn't suffer from that problem.

Bye...

Dirk
Re: [OpenAFS] Obtaining tokens at login on Ubuntu 18.04
On 18.08.2018 at 02:44, Prasad K. Dharmasena wrote:
> Thanks for the pointer. I did 'dpkg -r dbus-user-session' and
> rebooted. Now 'pam-afs-session' does the right thing and obtains a
> token.

BTW: That's not pam-afs-session's fault. It did the right thing before uninstalling dbus-user-session. It's gdm's (or better Gnome's) fault, because it meanwhile heavily depends on the systemd/systemctl --user stuff. sddm, for example, doesn't have this problem (AFAIK).

Bye...

Dirk
Re: [OpenAFS] fs newcell / clients CellServDB / adding new db server
On 13.06.2018 at 14:06, Andreas Ladanyi wrote:
> i understand that a change in CellServDB on client does have no effect
> until reboot.

Hmm, is this also true when using DNS SRV records instead of CellServDB?

Bye...

Dirk
Re: [OpenAFS] using Samba to access AFS volume
On 07.05.2018 at 06:49, S P Arif Sahari Wibowo wrote:
> I am looking for configuration for accessing AFS volume using current version of Samba.

Wondering about the use case here. There's an AFS client for Windows as well...

Bye...

Dirk

--
Dirk Heinrichs <dirk.heinri...@altum.de>
GPG Public Key: D01B367761B0F7CE6E6D81AAD5A2E54246986015
Secure Internet communication: http://www.retroshare.org
Privacy Handbuch: https://www.privacy-handbuch.de
Re: [OpenAFS] Linux: systemctl --user vs. AFS
On 08.03.2018 at 18:54, Jeffrey Altman wrote:
>> 2. let AFS use the per-user keyring instead of the per-session one
>> (suggested in the systemd bug discussion)
>>
>> Does the second one sound reasonable?
> Switching to the user keyring is unreasonable. The impact of such a
> change is that all user sessions on a system share the same tokens and
> an effective uid change permits access to those same tokens.
>
> Process Authentication Groups (PAGs) exist explicitly to establish a
> security barrier to prevent such credential leakage.

I understand. However, why not let the user (or better: admin) decide? I assume this is coded in the cache manager, so the module could be enhanced with a parameter that allows to choose between the two variants at module load time. The current behaviour of using the session keyring could still be the default.

Adding my own two cents...

Bye...

Dirk
[OpenAFS] Linux: systemctl --user vs. AFS
Hi,

as some Linux users might already have noticed, there's an incompatibility issue between systemctl --user and users having their $HOME below /afs.

Background: systemctl --user is the per-user equivalent of systemctl, which means starting services on behalf of the current user. For this to work, a corresponding systemd --user process is started upon the user's first login. However, the problem here is that this process is not started from the user's session, but from PID 1, and runs through its own PAM stack (which is non-interactive and therefore doesn't get an AFS token). The result is that any systemctl --user command gets a permission denied, for example:

% systemctl --user enable syncthing
Failed to enable unit: Access denied

because the systemd --user process is denied access to the user's $HOME.

There are discussions about this already in both the Debian and systemd bug trackers (see links below). The outcome of both seems to be that the problem can be solved with a combination of two changes:

1. make sure the PAM stack for systemd --user includes pam_keyinit.so (suggested in the Debian bug discussion)
2. let AFS use the per-user keyring instead of the per-session one (suggested in the systemd bug discussion)

Does the second one sound reasonable?

Bye...

Dirk

1. Debian bug <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846377>
2. systemd bug <https://github.com/systemd/systemd/issues/7261#issuecomment-370509405>
Re: [OpenAFS] connection timed out, how long is the timeout?
On 04.02.2018 at 13:29, Jose M Calhariz wrote:
> The core of my infra-structure are 4 afsdb

Wasn't it so that it's better to have an odd number of DB servers (with a max. of 5)?

Bye...

Dirk
Re: [OpenAFS] Windows 10, OpenAFS 1.7, heimdal 7.4 kerberos enctype issue
On 19.01.2018 at 09:28, Andreas Ladanyi wrote:
> i try to setup windows 10, heimdal kerberos for windows and network
> identity manager.

You don't need all this anymore nowadays. The Auristor installer <https://www.auristor.com/openafs/client-installer> should contain all you need.

HTH...

Dirk
Re: [OpenAFS] 1.6.20 pam_afs_session bug ?
On 07.04.2017 05:41, Benjamin Kaduk wrote:
> Hmm, this feels more like systemd fallout, the more I think about
> it. (Ubuntu 16.10 is on systemd now, right?)

Now that you mention it: I've also had some problem with lost tokens on Debian Stretch a few months ago, where lots of messages about unwritable files started popping up in KDE (with user's $HOME in AFS). Uninstalling dbus-user-session solved it for me. Please look up Debian bug #846377 <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846377> for reference.

HTH...

Dirk
Re: [OpenAFS] Connection timed out on new mount point
On 02.12.2016 at 17:48, Jeffrey Altman wrote:
> The client has cached information for the volume group that indicates
> that no backup volume exists.
>
> fs checkvolumes

That solved it, indeed. Thanks a lot.

Bye...

Dirk
[OpenAFS] Connection timed out on new mount point
Hi,

I'm currently facing a strange problem with connection timeouts after creating a mount point (fs mkm) for a new volume:

# fs mkm tester home.tester.backup
# ll
ls: cannot access 'tester': Connection timed out
total 132K
...
?? ? ? ? ?? tester

The mount point has been created from a client workstation and only becomes available there after reboot or cache manager restart. OTOH, it's accessible immediately on the server (where /afs is usually not accessed):

# ll
total 134K
...
drwx-- 2 1005 1001 2.0K Dec 1 21:49 tester

Both server and client are up-to-date Debian Stretch systems running OpenAFS 1.6.18.3.

Any ideas what could be causing the problem?

Thanks...

Dirk
Re: [OpenAFS] ad+openafs
On 03.05.2016 at 10:39, zhaoxy...@ustc.edu.cn wrote:
> 2 install ad on windows 2008 r2

If you don't already have AD and/or Windows yet, you can also use Linux/Samba.

Bye...

Dirk
Re: [OpenAFS] Start of afsd fails with "afsd: Error -1 in basic initialization."
On 10.02.2016 at 17:05, Karl-Philipp Richter wrote:
> Starting `sudo /usr/local/sbin/afsd` after installing in default
> prefix on Ubuntu 15.10 with Linux 4.3.3 fails with `afsd: Error -1 in
> basic initialization.`. In `config.log` I see that `sysname` is
> `amd64_linux26` and [I
> found](https://lists.openafs.org/pipermail/openafs-info/2004-November/015432.html)
> that if `sysname` is wrongly detected by `configure` similar errors
> might occur. Can you confirm that this is the right `sysname`. In case
> it isn't which one would be the correct one (`configure --help`
> doesn't list possibilities).

Did you consider using Ubuntu's packages (openafs-client, openafs-modules-dkms)? That will usually get you going in a few seconds. Depending on your setup, you might also want to add openafs-krb5 (might be pulled in as dependency anyway) and libpam-afs-session (to get tokens at login).

HTH...

Dirk
Re: [OpenAFS] Cross-platform DFS
On Wednesday, 23 December 2015, 19:10:59, Bruno Andrade wrote:

[Wonder why this post reached me/the list just today, is your date set correctly?]

> Ideally, we wanted to build a pool of storage with 42TB (combining all
> windows and linux servers), but without changing the windows servers to
> linux
>
> Is that possible with OpenAFS?

Without changing the Windows servers to Linux, no. There's no OpenAFS server for Windows, just the client. Unless you also want to use the Windows servers for something else (Domain Controller, ...) it doesn't make much sense to leave them on Windows (IMHO).

Bye...

Dirk
Re: [OpenAFS] Migrating Kerberos/LDAP to Samba DC
On 13.11.2015 at 04:26, Benjamin Kaduk wrote:
> Although in theory one might be able to write a logon provider that can
> obtain a token without an external kerberos implementation, the current
> OpenAFS code appears to require a third-party kerberos installation for
> that functionality.[*] (It's possible that I'm misreading the code,
> though.)

OK, thanks.

> [*] Okay, not if you're using kaserver. But I try to pretend that
> kaserver doesn't exist.

No, I don't. And I pretend the same ;)

Bye...

Dirk
[OpenAFS] Migrating Kerberos/LDAP to Samba DC
Hi,

I'd need to add some Windows Professional clients to my otherwise Linux only setup. So I thought about replacing Kerberos/LDAP with a Samba DC. On the Windows clients, would I still need to install a 3rd-party Kerberos package to access AFS, or is Windows' own implementation sufficient?

Thanks...

Dirk
Re: [OpenAFS] Request for Assistance with OpenAFS
On 18.08.2015 at 15:56, Adem-Deniz Yavuz wrote:
> as I read in some of the comments, it is that a client for Windows 10
> is not offered in the near future.

As far as I understood it, Your Filesystem Inc. will provide ONE version of a W10 capable client, but not more. In fact, you can download it from their site https://www.your-file-system.com/openafs/client-installer-download/ (I am using it @home).

> I need reliable sources that confirm this, because we are just in the
> planning stage with OpenAFS with many Windows 10 clients.

Search archives of this list.

HTH...

Dirk
Re: [OpenAFS] Migrating existing data onto vice partition on the fly
On Tuesday, 30 December 2014, 16:45:27, Levente Peres wrote:
> Hello Jeff,
>
> Thank you for answering. I might have been a little obscure... I'll try
> to clear this up for you.
>
> So... Right NOW I have a partition called /vicepa, which exists right
> now, and has an XFS volume, which is used actively. It has some
> terabytes of data and about 2.5 times of free space as the actual data.

Why did you mount it as /vicepa at all? It's not an AFS partition.

> This data has to be migrated within the same server to AFS.

Why same server? An AFS setup usually consists of several servers, especially if you want to serve terabytes of data. Not to mention the needed kerberos server.

> Unfortunately, I have only this one partition remotely big enough to
> hold the data and/or fast enough to handle in a reasonable amount of
> time.

Fast enough for what? To copy over the data or to serve it afterwards?

> My idea was based on the following: Somewhere I remember reading, that
> it would be OK to have AFS filesystem data and normal files coexist on
> the same partition for a while, if I watched carefully not to run out
> of space. This may or may not be true - it was a long time.

Yes, it could work, but you should definitely test it on a spare machine first.

> So my original concept was that I would create the AFS filesystem on
> top of the existing data on the /vicepa partition, then copy it over to
> the cell's logical mount, then just delete the old data and have a pure
> AFS partition left after.

You should also plan to divide the data into logical chunks that you can store on different AFS volumes (even if you stay on your single server), as it will make backups or migration of your data to other /vicepX partitions (maybe on other AFS servers) easier.

HTH...

Dirk
Re: [OpenAFS] Migrating existing data onto vice partition on the fly
On Tuesday, 30 December 2014, 17:33:44, Levente Peres wrote:
>> Why same server? An AFS setup usually consists of several servers,
>> especially if you want to serve terabytes of data. Not to mention the
>> needed kerberos server.
>
> Same server because I need the transfer to be quick. Once I start - I
> need to do the migration in max 1-2 hrs... tops. I know... I know...

Copy over some terabytes of data in 1-2 hours? That's challenging. AFS is a network filesystem, and your data will need to go through the cache manager anyway. That means you MUST run the AFS client AND server on this same machine while it still serves the data from the old location.

Still, what about the kerberos setup? Do you have one already? If not, you'll have to set it up, too (before setting up AFS).

>>> Unfortunately, I have only this one partition remotely big enough to
>>> hold the data and/or fast enough to handle in a reasonable amount of
>>> time.
>>
>> Fast enough for what? To copy over the data or to serve it afterwards?
>
> Both I guess but that's not the main issue, first problem is migrating
> it in a very short time. So I need to do it the ugly way, within the
> same server... I don't have 8Gb switches or the like and storage fabric
> etc to assist me in this externally... simple work with what you got
> issue...

But you have rsync at your service. You can use it to copy most of the data over in the background. You can even do several iterations and then do the last iterations after ensuring that the data can't be modified anymore.

And that's where you'll get into trouble. You can't mount it ro since it's also your /vicepa partition. If you serve it via NFS currently, you could re-export it ro, though.

Bye...

Dirk
Re: [OpenAFS] k5start and AFS tokens
On Sunday, 28 September 2014, 04:44:07, Jaap Winius wrote:
> Okay, I figured it out.

No, not quite yet, I'm afraid.

> I altered /etc/init.d/zz by adding the following line to the do_start
> function just before the zz daemon is started up:
>
> start-stop-daemon --start --pidfile /run/zz/k5start-zz.pid \
>     --chuid $USER:$GROUP --exec /usr/bin/k5start -- \
>     -b -p /run/zz/k5start-zz.pid \
>     -K 10 -l 24h -k /tmp/krb5cc_107 -o zz \
>     -L -t -U -f /etc/krb5-zz.keytab

You don't let k5start start your zz daemon. IOW: You don't do the start part of k5start, only the k5 part.

Bye...

Dirk
Re: [OpenAFS] k5start and AFS tokens
On Friday, 26 September 2014, 22:49:53, Jaap Winius wrote:
> This creates Kerberos TGT, an AFS service ticket and -- thanks to the
> -t option -- an AFS token. Now, how can I do this for a user other than
> root?

Use su in front of k5start and make sure the user has read access to the keytab.

HTH...

Dirk
[OpenAFS] Getting tokens at login time on FreeBSD
Hi,

while reading about FreeBSD in the "additional OpenAFS 1.6.9 binaries available" thread, the following question came to my mind:

I've set up a FreeBSD 10 test VM some time ago and wanted to run OpenAFS on it. It works, but pam-afs-session doesn't seem to exist for FreeBSD (at least it's not in the ports). What do FreeBSD people use to get AFS tokens at login time (to access their $HOME in /afs)?

Thanks...

Dirk
Re: [OpenAFS] Linux OpenAFS EncFS?
On Monday, 17 February 2014, 14:05:23, Lars Schimmer wrote:
> Or does anyone has another idea on howto encrypt a directory in OpenAFS
> on client system without any further interaction?

What about Truecrypt? Has the advantage of being platform-independent.

Bye...

Dirk
[OpenAFS] Problem integrating Windows 8.1 (Home/64bit)
Hi,

on a Windows 8.1 Home 64bit system with Heimdal, OpenAFS 1.7.28 and Network Identity Manager 2.0 installed, I don't get tickets/tokens at logon. Instead, I need to type the kerberos password into NIM again to obtain credentials.

The same setup works fine on a Win7 Enterprise 64bit. Indeed, it seems I don't need NIM there at all since I get an AFS token without NIM obtaining a kerberos ticket, first. Is this because Win7 Enterprise has Kerberos builtin?

Thanks...

Dirk
Re: [OpenAFS] Problem integrating Windows 8.1 (Home/64bit)
On Sunday, 12 January 2014, 11:37:02, Jeffrey Altman wrote:
> If you are logging in with a domain account then NIM will use your
> domain credentials to acquire an AFS token (if it can).

You're referring to the Win7 case, right? No, I don't use a domain account. It's a local machine account, which has a counterpart in a MIT Kerberos realm.

Bye...

Dirk
Re: [OpenAFS] Trying OpenAFS, and missing
On 01.01.2014 03:31, Kristofer Pettijohn wrote:
> Hello,
>
> I am trying OpenAFS, but it does not seem to be working correctly with
> Kerberos. I am attempting to install an OpenAFS server and client on
> the same machine (Ubuntu 13.10), using Samba4 as an AD controller with
> its built in Kerberos server. The server uses PowerBroker for
> authentication and kerberos. The steps I followed and documented as I
> went (from the Quickstart guide for Linux) are listed below.

On Debian/Ubuntu, you can also run the afs-newcell script after installation.

> No matter what I do, I receive an error about an unknown key version
> number.
>
> root@ueafs1:/etc# bos listkeys ueafs1.ad.domain.com -localauth
> key 6 has cksum 1466094097
> Keys last changed on Tue Dec 31 21:06:31 2013.
> All done.
> root@ueafs1:/etc# bos listkeys ueafs1.ad.domain.com
> bos: ticket contained unknown key version number error encountered while listing keys
> root@ueafs1:/etc#
>
> The keytab appears to be fine, and shows the correct version:
>
> root@ueafs1:/etc# /opt/pbis/bin/klist -k /etc/afs.keytab
> Keytab name: WRFILE:/etc/afs.keytab
> KVNO Principal
> --
> 6 afs/ad.domain@ad.domain.com
>
> What might I be missing? I've spent a solid 8 hours monkeying with this
> and making no progress.

Did you check that the kvno in your OpenAFS keyfile matches the kvno of the key in your KDC? If they don't match, you need to export the key again (each modification changes the kvno).

> # Add OpenAFS repository
> add-apt-repository ppa:openafs/stable
> apt-get update
> # Install OpenAFS packages
> # Set cell name to match Kerberos Realm when prompted
> apt-get install libpam-openafs-kaserver openafs-client openafs-dbserver openafs-fileserver openafs-krb5

You don't want libpam-openafs-kaserver, but libpam-afs-session (but that's not related to your problem).

> # Stop OpenAFS processes and start BOS with -noauth
> /etc/init.d/openafs-fileserver stop
> /usr/sbin/bosserver -noauth
> # Edit /etc/openafs/CellServDB and add realm and server
> bos setcellname servername cellname -noauth
> bos listhosts servername -noauth
> # Ensure that proper IP address is in /etc/openafs/server/CellServDB, and not 127.0.0.1
> bos create ueafs1.ad.domain.com buserver simple /usr/lib/openafs/buserver -noauth
> bos create ueafs1.ad.domain.com ptserver simple /usr/lib/openafs/ptserver -noauth
> bos create ueafs1.ad.domain.com vlserver simple /usr/lib/openafs/vlserver -noauth
> # Create afs user in AD
> samba-tool spn add afs/ad.domain.com afs
> samba-tool domain exportkeytab /tmp/afs --principal=afs/ad.domain.com

Is ad.domain.com your actual cell name, or is it only domain.com?

> # Also tried from Windows using the following and copying the keytab:
> ktpass -princ afs/ad.domain@ad.domain.com -mapuser a...@ad.domain.com -mapOp add -out keytab.afs +rndPass -ptype KRB5_NT_PRINCIPAL +DumpSalt -crypto DES-CBC-CRC
> # Copy /tmp/afs from Samba (or from Windows) to OpenAFS server in /etc/afs.keytab
> /opt/pbis/bin/kinit administra...@ad.domain.com
> /opt/pbis/bin/kvno -k /etc/afs.keytab afs/ad.domain.com
> asetkey add 6 /etc/afs.keytab afs/ad.domain.com

Starting with 1.6.5.1, you don't need to use asetkey anymore. You can export the key to /etc/openafs/server/rxkad.keytab directly and it will be used by OpenAFS just fine. You're also not restricted to DES-CBC-CRC anymore.

> bos adduser ueafs1.ad.domain.com admin -noauth
> bos adduser ueafs1.ad.domain.com kpettijohn -noauth
> bos listkeys ueafs1.ad.domain.com -noauth
> # Kill bos and restart
> pkill bosserver
> /usr/sbin/bosserver -noauth
> # Initialize Protection Database
> pts createuser -name admin -noauth
> pts createuser -name kpettijohn -noauth
> pts adduser admin system:administrators -noauth
> pts adduser kpettijohn system:administrators -noauth
> pts membership admin -noauth
> bos restart ueafs1.ad.domain.com -all -noauth
> # Start file server processes
> bos create ueafs1.ad.domain.com fs fs /usr/lib/openafs/fileserver \
>     /usr/lib/openafs/volserver /usr/lib/openafs/salvager -noauth

You should consider using the new demand attach fileserver (DAFS) instead, gives much better performance.

HTH...

Dirk
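The kvno comparison suggested in the reply above, as an added example (not part of the thread and not OpenAFS code): it extracts the key version numbers from `klist -k`, `bos listkeys` and `kvno` output and reports whether the server holds the version the KDC issues. The function names, the example.com principal, the KDC kvno of 7 and the MIT-style `kvno` output line are assumptions; the `bos listkeys` sample lines are those quoted in the message.

```shell
#!/bin/sh
# Added example: does the server hold the key version (kvno) that the KDC
# currently issues for the afs principal? Enctypes are not compared.
#
# Feeding it real output (commands as used in the thread, Debian paths):
#   klist -k /etc/openafs/server/rxkad.keytab | keytab_kvnos
#   bos listkeys <server> -localauth           | keyfile_kvnos
#   kvno afs/<cell>@<REALM>                    | kdc_kvno

# Distinct kvnos of afs/<cell>@REALM or afs@REALM entries in `klist -k` output.
keytab_kvnos() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ "^afs[/@]" { print $1 }' |
        sort -nu | tr '\n' ' ' | sed 's/ $//'
}

# Distinct kvnos listed by `bos listkeys` ("key 6 has cksum ...").
keyfile_kvnos() {
    awk '$1 == "key" && $3 == "has" && $4 == "cksum" { print $2 }' |
        sort -nu | tr '\n' ' ' | sed 's/ $//'
}

# kvno reported by the KDC ("principal: kvno = 7", assumed MIT kvno format).
kdc_kvno() {
    awk 'NF >= 3 && $(NF-2) == "kvno" && $(NF-1) == "=" { print $NF; exit }'
}

# has_kvno "LIST" WANTED: succeeds if WANTED is one of the numbers in LIST.
has_kvno() {
    for k in $1; do
        [ "$k" = "$2" ] && return 0
    done
    return 1
}

# check_kvnos KDC_KVNO "KEYTAB_KVNOS" "KEYFILE_KVNOS"
# Prints one verdict line. Returns 0 = match, 1 = mismatch, 2 = no KDC kvno.
check_kvnos() {
    kdc=$1; keytab=$2; keyfile=$3
    if [ -z "$kdc" ]; then
        echo "UNKNOWN: no kvno obtained from the KDC"
        return 2
    fi
    if has_kvno "$keytab" "$kdc" || has_kvno "$keyfile" "$kdc"; then
        echo "OK: server holds kvno $kdc"
        return 0
    fi
    echo "MISMATCH: KDC issues kvno $kdc; keytab has [$keytab], KeyFile has [$keyfile]"
    return 1
}

# --- constructed sample input (example.com is a placeholder cell/realm) ---
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------------
   6 afs/example.com@EXAMPLE.COM
   6 afs/example.com@EXAMPLE.COM
   2 host/fs1.example.com@EXAMPLE.COM
EOF
}

sample_listkeys() {
    cat <<'EOF'
key 6 has cksum 1466094097
Keys last changed on Tue Dec 31 21:06:31 2013.
All done.
EOF
}

sample_kvno() {
    echo 'afs/example.com@EXAMPLE.COM: kvno = 7'
}

demo() {
    check_kvnos "$(sample_kvno | kdc_kvno)" \
                "$(sample_klist | keytab_kvnos)" \
                "$(sample_listkeys | keyfile_kvnos)" || true
}

demo
```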
[OpenAFS] Re: [OpenAFS-announce] OpenAFS 1.6.5.1 release available
On Friday, 11 October 2013, 20:32:50, Stephan Wiesand wrote:
> can be built against kernels without keyring support,

What's the impact of this? Isn't keyring support needed for PAGs?

Bye...

Dirk
Re: [OpenAFS] ZFS-on-Linux on production fileservers?
On Saturday, 05 October 2013, 18:16:54, Ken Dreyer wrote:
> The reason I have advocated against ZFS-on-Linux at work for our
> fileservers is that out-of-tree modules on Linux are such a hassle.

Hmm, not on Debian derivatives, thanks to DKMS.

Bye...

Dirk
Re: [OpenAFS] [ Openafs : cache on zfs ]
On Thursday, 03 October 2013, 19:34:27, nicolas prochazka wrote:
> after some tests to use zfs as afs cache, linux kernel tells :
> BUG : soft lockup - CPU0 stuck for 23s ! [ afs_cachetrim:2908]
>
> Any ideas are welcome,

You could put the cache on a normal Linux FS inside a ZVOL. See http://pthree.org/2012/12/21/zfs-administration-part-xiv-zvols/

HTH...

Dirk
Re: [OpenAFS] ZFS-on-Linux on production fileservers?
On Friday, 04 October 2013, 10:31:47, Jeff Blaine wrote:
> We're still a 100% Solaris + ZFS file server shop. We're EOLing our Sun
> SPARC hardware (with tears in our eyes) this year.
>
> Before we spend a significant amount of time evaluating this, I figured
> I'd ask first. Any brief response would be greatly appreciated. The
> generously longer the better :)
>
> * Are you using ZFS-on-Linux in production for file servers?
> * If not, and you looked into it, what stopped you?
> * If you are, how is it working out for you?

A couple of weeks ago, I tried to install a _desktop_ system on ZFSonLinux. Can't remember the exact reason, but I quickly decided to stick with a native Linux FS. OTOH, I run my own small home cell on an Arm box (Guruplug) using btrfs (both vicepXX and client cache).

If it must be ZFS, would FreeBSD be an option?

Bye...

Dirk
Re: [OpenAFS] ZFS-on-Linux on production fileservers?
On Friday, 04 October 2013, 16:51:28, mi...@task.gda.pl wrote:
> See my presentation about it last year.

Link?

Bye...

Dirk
Re: [OpenAFS] ZFS-on-Linux on production fileservers?
On Friday, 04 October 2013, 17:18:24, mi...@task.gda.pl wrote:
> http://conferences.inf.ed.ac.uk/eakc2012/slides/AFS_on_Solaris_ZFS.pdf

Thanks a lot.

Bye...

Dirk
Re: [OpenAFS] Re: git.openafs.org RSS/Atom feeds broken?
On Wednesday, 04 September 2013, 11:56:17, Andrew Deason wrote:
> Oh, or if you want a workaround, information about all of the commits
> are sent to a mailing list. You can get an RSS feed of that list via
> http://rss.gmane.org/messages/excerpts/gmane.comp.file-systems.openafs.scm
> and maybe elsewhere, as well. That's for all branches, though, so I
> don't know if that's helpful for you.

Ah, OK. Thanks a lot to all for clarifying the issue.

Bye...

Dirk
Re: [OpenAFS] getting (re)started on debian
On Friday, 24 May 2013, 16:56:07, Benjamin Kaduk wrote:
> I'm not sure what pam configuration you want, so I can't say more about
> that.

There are two PAM modules needed in OpenAFS/KRB5 context: pam_krb5 (to get tickets) and pam_afs_session (to get AFS tokens). Both are automatically configured correctly during installation thanks to Debian's pam-auth-update.

Speaking of that, Debian is the easiest platform to setup OpenAFS/KerberosV on due to a) its great install time configuration dialogs and b) its automatic kernel module management (DKMS).

Bye...

Dirk
Re: [OpenAFS] getting (re)started on debian
On Friday, 24 May 2013, 22:50:17, Dave Cottlehuber wrote:
> The formal docs look good but I'm thinking of something that cover
> debian startup scripts and setting up pam stuff etc.

This will all be set up automatically on Debian. To (re-)configure PAM one usually uses pam-auth-update on Debian. For service management I install sysv-rc-conf (systemd is also quite usable on Debian).

Todo (by yourself):

* Create afs principal in Kerberos and setup AFS key file (asetkey).
* In /etc/openafs, adapt afs.conf.client cacheinfo server/UserList to your needs
* Create and mount /var/cache/openafs (on clients)
* Create and mount /vicepXX (on servers)
* Setup AFS db-/fileserver processes (on servers)

Don't know how long you didn't use OpenAFS, so you may not be aware of the new DAFS (Demand Attach) file servers introduced with 1.6. I'd recommend using these instead of the old file server (the docs will tell you how to set them up).

Did I forget something?

HTH...

Dirk
Re: [OpenAFS] Upgrading
On Thursday, 04 April 2013, 10:04:16, Ted Creedon wrote:
> then I install the new linux, recompile openafs, install the init
> scripts and everything works fine on 3 servers.

There's no need to do that on Debian, of course.

Bye...

Dirk
Re: [OpenAFS] Upgrading
On Thursday, 04 April 2013, 05:45:27, J wrote:
> Wondering if anyone can offer advice as to how best upgrade OpenAFS on
> Debian 5.0.2. The OpenAFS kernel module package is listed as
> openafs-modules-2.6.26-2-486.
>
> Should I upgrade Linux first, then OpenAFS? Or vice versa? Another
> option would be to build a new server, but I'm wondering which would be
> the less convoluted path.
>
> Any tutorials or information you can point me to is appreciated.

Just follow http://www.debian.org/releases/stable/i386/release-notes/ch-upgrading.html to upgrade from lenny to squeeze. The same procedure should then also work to further update from squeeze to wheezy.

Note that wheezy is the first version to come with OpenAFS 1.6.x. If you want that in squeeze (yes, you do, because of dafs), you can install it from Debian backports.

HTH...

Dirk
Re: [OpenAFS] Guide to upgrading from 1.4 to 1.6?
On Saturday, 16 March 2013, 18:28:56, Jason Edgecombe wrote:
> Are there any guidelines for upgrading from 1.4 to 1.6 on the backend
> servers?

When I did the upgrade of my private cell, I just installed the new packages (Debian) and restarted the server processes.

> How should I change the options that I start the file servers with?

I didn't change anything here. However, a few weeks later I also switched over to dafs, but that's in the docs.

HTH...

Dirk
Re: [OpenAFS] Rsync-ing a vice* partition
On Friday, 11 January 2013, 00:14:21, Derrick Brashear wrote:
> as long as you preserve owner, group and mode you're fine.
>
> -o (owner) -g (group) -p (perms) needed, but -a (archive) implies all
> those. so the usual -auv that people use is fine.

Usual for me is -acv (c = checksum), will take a bit longer, though. And, depending on the filesystem on /vicepx, I'd add --exclude lost+found.

Bye...

Dirk
[OpenAFS] Cache partition choice still limited to ext2 on Linux?
Hello,

if I remember right, somebody wrote a few weeks ago, that with 1.6.x the choices for the cache partition on Linux systems aren't limited to ext2 only anymore. Is this correct? If yes, which filesystems are possible to use (which ones are not)? Does the cache even need its own partition nowadays?

Thanks...

Dirk
Re: [OpenAFS] Cache partition choice still limited to ext2 on Linux?
On Wednesday, 07 November 2012, 09:02:44, Marc Dionne wrote:
> In my (limited) experience with memcache, it doesn't behave very well
> if the system is memory constrained and is under pressure.

Hmm, I wouldn't call a system with 4G memory and not much more running than KDE with a handful of apps (mail, web browser) memory constrained ;)

Thanks a lot. The idea was to setup a btrfs-only VM for testing purposes, and use a subvolume for the cache. Not sure about the loop-mount method in this case, since you also can't put swapfiles on btrfs.

> I have some machines that have used btrfs as a cache for a long time.
> It initially exposed a few bugs in the caching code but I'm not aware
> of any issues in the 1.6 releases.

OK, great. So it shouldn't be a problem to use a btrfs subvolume and (maybe) set some quota.

Bye...

Dirk
Re: [OpenAFS] Re: Transferring data from old server to new server
On Monday, 13 August 2012, 15:07:00, Youssef Eldakar wrote:
> Just want to make sure, to move everything, is it enough to just move the root.afs volume?

No. root.afs just acts as an anchor for all your other volumes. As such, it is more or less empty (it usually only contains the mount points for root.cell, which in turn contains a tree of your data volumes). As others already wrote in this thread, to move data from one server to another, you can either vos move all volumes located on server A to server B (I guess this is the preferred method, as it works w/o downtime) or use rsync to copy your /vicepX partitions from A to B.

HTH... Dirk
___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] HowTo setup OpenAFS cell PDF, german
On 28.03.2012 18:32, Lars Schimmer wrote:
> The workshop at the Chemnitz Linux Tag 2012 is done and today I changed some parts in the script of that workshop. It is now available, I just link here the Chemnitz Linux Tag pages, and it is still in German. But if you follow the commands, you should be able to setup a new cell on your own.

I think I've spotted a small error. The AFS keyfile is named afs.keyfile in your text, but on my (Debian) server it's named Keyfile. Is this one of these annoying little Ubuntu/Debian differences or really a mistake in the text? Oh, and I think the afs3 enctype is not needed anymore nowadays, or am I wrong here? Otherwise great description!

Bye... Dirk
Re: [OpenAFS] Installation of OpenAFS on Ubuntu 11.10
On 28.03.2012 18:28, Lars Schimmer wrote:
> There are quite perfect packages of 1.6.1pre4 in debian available which will work in ubuntu, too.

For ubuntu, there are also two PPAs: openafs/master for development releases and openafs/stable for the stable ones. Add one of them to your sources.list.d via

sudo add-apt-repository ppa:<name of ppa>

Bye... Dirk
Re: [OpenAFS] Windows: Hosts of foreign cells listed
On 26.03.2012 23:19, Jeffrey Altman wrote:
> On 3/26/2012 4:37 PM, Dirk Heinrichs wrote:
>> But now I have a different (albeit minor) problem. I have a volume musik.bo mounted on a mountpoint called B.O..
>
> Not a valid file name on Windows. There is no method by which you can represent the trailing ..

Yeah, already expected this to be one of Windows' braindead features. Thanks for the clarification.

Bye... Dirk
[OpenAFS] Windows: Hosts of foreign cells listed
Hi, I've installed OpenAFS 1.7.8 on a Windows XP virtual machine. Although I've removed all but my own cell from the OpenAFS configuration (AFS Client Configuration - AFS Cells), there are several file and volume location servers listed under AFS Client Configuration - Preferences, which do NOT belong to my local cell, like PENN.CENTRAL.ORG GRAND.MIT.EDU ... Also, in the Windows explorer, when I type \\afs into the url bar, I get openafs.org, .openafs.org and .root. And I get the RO-path of my own cell only after assigning a drive letter to it (via Extras menu). Any hints as to how to fix this? Thanks... Dirk
Re: [OpenAFS] Windows: Hosts of foreign cells listed
On 26.03.2012 20:55, Jeffrey Altman wrote:
> Apparently you installed the client using the default settings so that openafs.org is the workstation cell.

Yes, you're right. Simply forgot to change the default cell name.

But now I have a different (albeit minor) problem. I have a volume musik.bo mounted on a mountpoint called B.O.. I can access this volume from Linux clients, but I have problems accessing it from Windows. I can't change into this directory neither from Windows Explorer nor from command line. Additionally, while I can list its ACL from the command line, the corresponding AFS context menu for ACLs is greyed out (and I also don't see an AFS ACL tab in the properties dialog). If I mount the volume under a different name, which doesn't contain any dot, I can access it just fine (I also have mount points containing blanks or German umlauts, which also work fine). Is this a known issue?

Thanks... Dirk
Re: [OpenAFS] No space left on device?
On 30.12.2011 02:00, TIARA System Man wrote:
> the device still has enough inodes free.
> [root@nuage vicepa]# df -i
> Filesystem Inodes IUsed IFree IUse% Mounted on
> /dev/sdb1 2994978624 12878848 2982099776 1% /vicepa
> the file system type is xfs.

XFS is a journaling filesystem and as such needs some percentage of the device for its journal (or log).

> it looks like that is device problem. not afs problem. however, i can't move any volume to another afs server. because of the /vicepa is not able to add new files. but, i can delete files from afs.

You could try to temporarily remount the filesystem with a different device for the log, which should (in theory) make the space on the main device available so that you can do the needed AFS maintenance operations. Or, you could try to grow the filesystem if the underlying device allows it.

HTH... Dirk
Re: [OpenAFS] Re: Writing allowed where it's not expected
On 19.09.2011 16:39, Andrew Deason wrote:
> Yes, sorry, I read 'below' as 'above'. In this case, perhaps the client still had old vldb information, which did not contain the RO site? The 'vos examine' info for the RO said:
>
> Creation Sat Sep 17 09:41:04 2011
> Copy Sat Sep 17 09:41:04 2011
> Backup Never
> Last Access Sat Sep 17 09:40:59 2011
> Last Update Sat Sep 17 09:40:59 2011
>
> And the original problem was seen around:
>
> % touch sw/foo
> % ll -g -n sw/foo
> -rw--- 1 100 0 2011-09-17 11:14 sw/foo
>
> Which is less than two hours later. If around 9:40 on Saturday was the first time that RO had existed, you need to wait about 2 hours to guarantee all clients will see the new RO (or you can run 'fs checkv' on specific clients, to not need to wait).

Thanks a lot for the clarification. Can this 2 hour delay be configured somewhere?

Bye... Dirk
Re: [OpenAFS] Writing allowed where it's not expected
On 17.09.2011 17:51, Jeffrey Altman wrote:
> And is the sw.readonly volume accessible?

Yes, I think so.

vos examine sw.readonly -cell altum.de
sw.readonly 536871303 RO 3 K On-line
rohan.altum.de /vicepa
RWrite 536871302 ROnly 536871303 Backup 0
MaxQuota 5000 K
Creation Sat Sep 17 09:41:04 2011
Copy Sat Sep 17 09:41:04 2011
Backup Never
Last Access Sat Sep 17 09:40:59 2011
Last Update Sat Sep 17 09:40:59 2011
0 accesses in the past day (i.e., vnode references)
RWrite: 536871302 ROnly: 536871303
number of sites - 2
server rohan.altum.de partition /vicepa RW Site
server rohan.altum.de partition /vicepa RO Site

Is it because both are on the same partition? I guess not...

Bye... Dirk
Re: [OpenAFS] Writing allowed where it's not expected
On 18.09.2011 09:47, Dirk Heinrichs wrote:
> On 17.09.2011 17:51, Jeffrey Altman wrote:
>> And is the sw.readonly volume accessible?
>
> Yes, I think so.
>
> vos examine sw.readonly -cell altum.de
> sw.readonly 536871303 RO 3 K On-line
> rohan.altum.de /vicepa
> RWrite 536871302 ROnly 536871303 Backup 0
> MaxQuota 5000 K
> Creation Sat Sep 17 09:41:04 2011
> Copy Sat Sep 17 09:41:04 2011
> Backup Never
> Last Access Sat Sep 17 09:40:59 2011
> Last Update Sat Sep 17 09:40:59 2011
> 0 accesses in the past day (i.e., vnode references)
> RWrite: 536871302 ROnly: 536871303
> number of sites - 2
> server rohan.altum.de partition /vicepa RW Site
> server rohan.altum.de partition /vicepa RO Site
>
> Is it because both are on the same partition? I guess not...

Hmm, for some reason not entirely clear to me, it now works as expected.

% pwd
/afs/altum.de
% touch sw/foo
touch: cannot touch `sw/foo': Read-only file system
% cd ../.altum.de
% touch sw/foo
% ll -g -n sw/foo
-rw--- 1 100 0 2011-09-18 10:16 sw/foo
% cd -
/afs/altum.de
% ll -g -n sw/foo
ls: cannot access sw/foo: No such file or directory
% vos release sw
Released volume sw successfully
% ll -g -n sw/foo
-rw--- 1 100 0 Sep 18 10:16 sw/foo

The only thing I did was to vos release _another_ volume that was mounted below .../sw and which showed up as not released in the output of vos listvldb. Does this also count as being on a read/write path?

Bye... Dirk
[OpenAFS] Writing allowed where it's not expected
Hi, I currently observe a strange behavior where I can write to a volume although I am on a read-only path, like:

% pwd
/afs
% fs lsm altum.de
'altum.de' is a mount point for volume '#altum.de:root.cell'
% fs lsm .altum.de
'.altum.de' is a mount point for volume '%altum.de:root.cell'
% cd altum.de
% fs lsm sw
'sw' is a mount point for volume '#sw'
% vos listvol rohan a |grep sw
sw 536871302 RW 4 K On-line
sw.readonly 536871303 RO 3 K On-line
% ll sw/foo
zsh: no such file or directory: sw/foo
% touch sw/foo
% ll -g -n sw/foo
-rw--- 1 100 0 2011-09-17 11:14 sw/foo

Shouldn't the write operation be prevented, since I am on a read-only path?

Bye... Dirk
Re: [OpenAFS] Writing allowed where it's not expected
On Saturday, 17.09.2011, 05:32 -0400, Jeffrey Altman wrote: fs exa /afs/altum.de/sw File /afs/altum.de/sw (536871302.1.1) contained in volume 536871302 Volume status for vid = 536871302 named sw Current disk quota is 5000 Current blocks used are 4 The partition has 330552352 blocks available out of 472767424 what version of openafs on what operating system? 1.6.0 (both server and client) on Linux (server is Debian with 2.6.39.4, client is Ubuntu with 3.0.0). Bye... Dirk
Re: [OpenAFS] Windows 7 x64: \\afs\cs.uwm.edu refers to a location that is unavailable
On 01.05.2011 17:40, Jeffrey Altman wrote:
> Either the Microsoft Loopback Adapter is not installed, not enabled in or in conflict with another network adapter on the machine.

Yep, that was indeed the cause for the problem. Took me some time to figure out that the loopback adapter was not installed and how to install it. But now it's working fine.

Thanks a lot... Dirk
Re: [OpenAFS] Broken mount points in user backup volumes
On 01.05.2011 03:59, Jaap Winius wrote:
> In Richard Campbell's Managing AFS: the Andrew File System (Prentice-Hall, 1998), regarding backup volumes it says on page 100 that: User backup volumes can be mounted once in some well-known area, either one set aside for all backups or perhaps inside the home directory itself. The latter appealed to me, so I tried it out,

It's not so appealing as you might think. Consider users searching their home directory for some file, using the find command. It will always need to search through twice the amount of data. If they also combine the find with a grep to search for some content... You get the point. Better mount the backup volumes outside, I use .../home/.backup.

Bye... Dirk
Re: [OpenAFS] Windows 7 x64: \\afs\cs.uwm.edu refers to a location that is unavailable
On 28.04.2011 21:31, Jeffrey Altman wrote:
> Execute the following commands, place the resulting output somewhere in /afs that I can access them, and file a bug report at openafs-b...@openafs.org.

Filed a bug (#129803) and tried to attach the logs as gzipped tarball, but it doesn't show up in RT. Any other place I can upload them to?

Bye... Dirk
Re: [OpenAFS] Windows 7 x64: \\afs\cs.uwm.edu refers to a location that is unavailable
On 28.04.2011 19:20, John Tang Boyland wrote:
> Here is the problem I alluded to earlier: I have a student who bought a new laptop with Windows Version 6.1.7600 and installed NIM and OpenAFS 1.5.9904 and things ALMOST work. They can get tokens and can go to \\afs\openafs.org and \\afs\cs.wisc.edu but not \\afs\cs.uwm.edu When they try, they get the message: \\afs\cs.uwm.edu refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check...

Just integrated my first Windows client into my otherwise Linux only cell and have a similar problem here. System is WinXP SP3 (32bit) with OpenAFS 1.5.99d/KfW 3.22. Everything works fine except UNC path access. I get a message similar to the above (translated from German) when I enter the UNC path into Windows Explorer's address bar: The file \\afs\altum.de was not found. Please check spelling and repeat the action or search for the file by clicking on Start and then on Search.

Bye... Dirk
Re: [OpenAFS] Windows 7 x64: \\afs\cs.uwm.edu refers to a location that is unavailable
On 28.04.2011 21:31, Jeffrey Altman wrote:
> Execute the following commands, place the resulting output somewhere in /afs that I can access them, and file a bug report at openafs-b...@openafs.org.

Unfortunately my cell is not publicly accessible, so it would be nice if you could tell me a warm place for the files (via private mail, of course).

Thanks... Dirk
Re: [OpenAFS] afs: Waiting for busy volume 0
On 27.03.2011 01:42, Russ Allbery wrote:
> Dirk Heinrichs dirk.heinri...@altum.de writes:
>> No. They're both installed as K02* in /etc/rc6.d (default). So I guess it's up to the init system how to order them.
>
> In the openafs-client init script, add openafs-fileserver to the end of the Should-Start configuration line in the header and add a Should-Stop line like:
>
> # Should-Stop: openafs-fileserver
>
> Sorry about that. I'll fix that in the next release.

Found some time today to reboot that box and the problem has disappeared. However, I don't think it's related to init script ordering. IMHO they should be completely independent, since one can run the server on one box and the client on another, or am I completely wrong, here?

Bye... Dirk
[OpenAFS] afs: Waiting for busy volume 0
Hi, On my Debian Squeeze system shutdown became really slow recently because of afs: Waiting for busy volume 0 for several minutes, like:

Stopping OpenAFS services.
Stopping OpenAFS BOS server: bosserver.
Stopping Postfix Mail Transport Agent: postfix.
Stopping AFS services:afs: Lost contact with file server 192.168.1.1 in cell altum.de (all multi-homed ip addresses down for the server)
afs: Lost contact with file server 192.168.1.1 in cell altum.de (all multi-homed ip addresses down for the server)
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
afs: Waiting for busy volume 0
...

OpenAFS is 1.6pre3, kernel 2.6.38.1. Any hints what could be the cause for this?

Thanks... Dirk
Re: [OpenAFS] afs: Waiting for busy volume 0
On 26.03.2011 14:30, Derrick Brashear wrote:
> alt-sysrq-t (assuming logging is still up at that point) would make it much easier to discern what's up.

It's a headless ARM system (GuruPlug), no alt-sysrq. The posted output was captured by connecting via serial console.

Bye... Dirk
Re: [OpenAFS] afs: Waiting for busy volume 0
On 26.03.2011 13:55, Rogier Krieger wrote:
> It's merely a guess, but did your fileserver go into shutdown before your client/cache manager? I imagine you'd prefer things to go the other way around.

According to the output I've posted, yes:

Stopping OpenAFS services.
Stopping OpenAFS BOS server: bosserver.
Stopping Postfix Mail Transport Agent: postfix.
Stopping AFS services:afs: Lost contact with file server 192.168.1.1 in

> Any changes in the order of your start/stop scripts?

No. They're both installed as K02* in /etc/rc6.d (default). So I guess it's up to the init system how to order them.

Bye... Dirk
Re: [OpenAFS] afs: Waiting for busy volume 0
On 26.03.2011 18:07, Derrick Brashear wrote:
> echo t > /proc/sysrq-trigger

Ah, ok. But it seems I first need to recompile the kernel with SYSRQ support enabled :(

Bye... Dirk
Re: [OpenAFS] Multiple logins
On 18.03.2011 22:54, Jaap Winius wrote:
> My site uses OpenAFS and MIT Kerberos with OpenLDAP for user meta data (all running on Debian squeeze). Is it possible to prevent users from logging in more than once, or at least to prevent them from starting up the same desktop environment on multiple hosts with the same account, since this usually leads to problems?

No, you can't. Which desktop env. is it that makes problems? Maybe using another one is an option. OTOH, why can they start it up on the other host at all? There's no need to install one in the first place since users can login using ssh with X11 forwarding and their windows will popup on their local X server display. And then there's VNC.

HTH... Dirk
[OpenAFS] OpenAFS/Krb5/LDAP: No OpenSSH agent forwarding
Hi, don't know whether this fits here or not, but since I don't have this issue in non-afs environments I guess it does. I've got a working Debian/Ubuntu setup with OpenLDAP, MIT Kerberos5 and OpenAFS. Upon login to one machine, an SSH agent is started and my key is added (via keychain). I also get kerberos tickets and an AFS token so I can access my $HOME just fine. However, when I now open an SSH connection to another host, I can login without any password and have immediate access to my $HOME there as well, but the SSH agent connection is not being forwarded, although all relevant options in sshd_config and ssh_config on the local and the remote host are set. That means that keychain jumps in and asks me for my SSH key passphrase again on the remote machine. A second login to the remote machine then works w/o any further passphrase request. Any hints as to what could be wrong? Thanks... Dirk
[OpenAFS] Thank you for your great work!
Hi everybody, I've upgraded to 1.5.78 a couple of weeks ago and was really impressed by the performance improvement I got compared to 1.4.12 (I run a small private cell on a Marvell Guruplug). Yesterday, when 1.6.0pre1 packages hit my machine, I also switched to DAFS. Just wanted to say Thank you! to all OpenAFS developers for this great job. Happy new year and keep on hacking... Dirk
Re: [OpenAFS] Package Management in AFS
Hi everybody, thank you very much for all your replies. Will surely look into all mentioned options. Bye... Dirk
[OpenAFS] Package Management in AFS
Hi, I'm currently thinking about a good way to deploy software packages in (eventually replicated) AFS volumes. One possible way I can think of is to use (x)stow, but that would imply a lot of manual work (download, unpack, compile, install to rw volume, xstow, vos release). Does anyone know of a simpler (more automated) solution, maybe something like Gentoo portage or Nix? Thanks... Dirk
Re: [OpenAFS] Package Management in AFS
On 20.12.2010 19:26, Booker Bense wrote:
> My 2 cents... Outside of a few very specialized apps, putting software in AFS is a losing proposition these days. Since local disk space is growing so fast, there really is little justification for not simply using the package management system of the OS and simply installing locally.

That would again mean that the sw had to be installed over and over again, on every single machine. That may be OK for 2 or 5 machines, but for a larger number this becomes a tedious task. And what about diskless clients?

> AFS is a great place to store rpms, dpkgs, etc... But there is so much sysadmin overhead in deploying apps in AFS, that unless you have a very standardized client base it simply isn't worth it for 99.9% of applications.

I don't get that point. If there was an AFS aware package manager out there (which was my question), then that overhead would drop to (nearly) zero.

Bye... Dirk
Re: [OpenAFS] AFS version of sudo for admin ?
On Friday, 17 December 2010, at 15:29:41, John Tang Boyland wrote:
> Does anyone know of a sudo like command for AFS admin commands?

Errh, what about sudo? You could create a special kerberos principal with a random key (scripts), which is stored in a keytab (/etc/scripts.keytab). Also make it an afs user and put it into system:administrators. Put the following commands at the beginning of your script:

export KRB5CCNAME=/tmp/krb5cc_scripts
kinit -k -t /etc/scripts.keytab scripts
aklog

and these ones at the end:

unlog
kdestroy

The rest is configuring sudo properly so that only selected users can execute the script.

HTH... Dirk
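The wrapper described in the message above, written out as an added example (not part of the original message and not OpenAFS code). The principal `scripts` and the keytab path come from the message; the function names, the private `mktemp` directory for the credential cache in place of a fixed path in /tmp, and the keytab permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: keytab-based AFS admin wrapper, meant to be started via sudo.
# From the message: principal "scripts", keytab /etc/scripts.keytab.
# Assumptions of this example: function names, private cache dir, keytab check.
PRINCIPAL="${PRINCIPAL:-scripts}"
KEYTAB="${KEYTAB:-/etc/scripts.keytab}"

# keytab_is_private FILE
# Succeeds only for a regular file owned by the invoking uid that has no
# group/other permission bits. The key in it belongs to a member of
# system:administrators, so anyone who can read the file can act as one.
keytab_is_private() {
    [ -f "$1" ] || return 1
    # ls -ldn prints e.g. "-rw------- 1 0 0 ..."; field 1 = mode, field 3 = uid
    set -- $(ls -ldn "$1")
    case "$1" in
        ????------*) ;;
        *) return 1 ;;
    esac
    [ "$3" = "$(id -u)" ]
}

# with_afs_admin CMD [ARGS...]
# Runs CMD with tickets and an AFS token for $PRINCIPAL. The body is a
# subshell, so the EXIT trap drops token, tickets and cache on every exit
# path, including a failing CMD or an interrupt.
with_afs_admin() (
    keytab_is_private "$KEYTAB" || {
        echo "refusing $KEYTAB: missing, wrong owner, or group/other access" >&2
        exit 1
    }
    umask 077
    # Unpredictable, mode-0700 directory instead of a fixed name in /tmp
    ccdir=$(mktemp -d "${TMPDIR:-/tmp}/krb5cc_scripts.XXXXXX") || exit 1
    KRB5CCNAME="FILE:$ccdir/cc"
    export KRB5CCNAME
    cleanup() {
        unlog 2>/dev/null || :
        kdestroy 2>/dev/null || :
        rm -rf "$ccdir"
    }
    trap cleanup EXIT
    trap 'exit 1' HUP INT TERM
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || exit 1
    aklog || exit 1
    "$@"
    exit $?
)

# Stand-alone use: ./afs-admin.sh vos release sw   (script name is hypothetical)
[ "$#" -eq 0 ] || with_afs_admin "$@"
```

The sudoers rule should name this script and, where possible, its exact arguments, since whatever it runs executes with system:administrators rights.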
Re: [OpenAFS] Overview? Linux filesystem choices
On 28.09.2010 21:49, Russ Allbery wrote: Jeff Blaine jbla...@kickflop.net writes: What's the tried-and-true production-quality Linux equivalent? Anything? Last I read, nothing. There's nothing really equivalent to ZFS. Barring an equivalent, what Linux setup... a) seems most stable b) is fsck-less Even quick grunt responses are appreciated. We use ext3. It isn't the fastest or the most featureful, but it's the core file system that everyone uses on Linux and for us it's been rock solid. You're the least likely to run into strange problems. Lots of people also use XFS, and it should be reasonably stable. I would avoid ReiserFS and JFS due to lack of developers and widespread use. ext4 is getting to the point that it's mature enough to use, but I'm not sure I'd trust it yet. I run btrfs already, which is (or will be) equivalent to ZFS (somehow). Bye... Dirk