10. Re: Re: Kerberos V and xscreensaver/xlock (Charles Clancy)
11. Re: Authentication weirdness (Tino Schwarze)
12. Re: Re: Kerberos V and xscreensaver/xlock (Christian Pfaffel)
--__--__--
Message: 1
Date: Tue, 29 Oct 2002 19:32:28 -0500
To: Derrick J Brashear <[EMAIL PROTECTED]>
From: Rodney M Dyer <[EMAIL PROTECTED]>
Subject: Re: [OpenAFS] afsd dying on win2k
Cc: [EMAIL PROTECTED]
At 11:57 AM 10/29/2002 -0500, you wrote:
On Tue, 29 Oct 2002, Rodney M Dyer wrote:
From the looks of it, I don't think anything is going to be done about
the problem since no one on the OpenAFS group cares anything about
Windoz...
I don't think that's clear, but I can tell you I certainly don't have the
time to care.
Just on the side, my colleagues and I think it's funny that you say
this. Are you paid as an OpenAFS help desk person? You seem to have
enough time to respond to just about everything that hits this list. Do
you ever have time for anything else? ;)
I can only hope my sting was "mostly harmless", but it was intended to draw
out comments on just what is going on in the group relative to Windows
support. Yes, I am VERY appreciative of the support I'm getting out of
this list. On at least a couple of occasions I've gotten good help. I'm
sorry if I offended anyone. Believe me, the last time we had to get a very
small problem debugged in the Transarc client, it ended up costing us a few
thousand dollars to get fixed.
I'm glad to hear from Mr. Phil Moore at Morgan Stanley. I'm glad to hear
that someone is pony'ing up for support. But, is the version that Morgan
Stanley is using available as open source? Can anyone get a copy of it? Is
it a forked version of OpenAFS? What is different about it? How much
would it cost us?
We've been in a real push now for over a year to get a single-sign-on
system developed between our Windows/UNIX/Mac machines. Using Kerberos V
as the authentication mechanism and AFS as the filesystem, we've managed to
glue everything together as a working unit. It all works great except now
we are having trouble weaning ourselves away from the kaserver. Seems the
Transarc/OpenAFS "klog.exe" can't be forwarded to the "fakeka"
daemon. This wouldn't be a problem except that it is a real annoyance for
our users to "kinit" then "aklog" at the command line by hand. And, we're
having problems with "aklog" behind a NAT router for some reason I can't
fathom (yes, we've tried addressless tickets).
BTW, for anyone who cares, if you set up cross-realm authentication for an
AD domain to a Kerberos V realm, you may have trouble with AD domain file
share access. This seems to be caused by a bug/feature/design flaw in the
Kerberos V replay packet detection. Microsoft and MIT are currently
working the issue out. We still need AD domain shares because we store
files and databases there that AFS cannot support because it doesn't have
complete record locking capability.
Rodney
I know a couple of people who probably care, but I'm not
going to out them; they're welcome to comment themselves or not, and I
have no idea if they can, or have the time, to look into this.
I don't suppose anyone has an actual recipe for reproducing this, or is
this one of those deals where someone should pray that their network is
the same as yours?
(Yes, now I'm being sarcastic. How about attaching a hub and a machine
with tcpdump next to a dying client and seeing what's going on as close to
when it dies as possible?)
_______________________________________________
OpenAFS-info mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-info
--__--__--
Message: 2
To: [EMAIL PROTECTED]
Subject: Re: [OpenAFS] afsd dying on win2k
Date: Tue, 29 Oct 2002 20:35:49 -0500
From: Ken Hornstein <[EMAIL PROTECTED]>
We've been in a real push now for over a year to get a single-sign-on
system developed between our Windows/UNIX/Mac machines. Using Kerberos V
as the authentication mechanism and AFS as the filesystem, we've managed to
glue everything together as a working unit. It all works great except now
we are having trouble weaning ourselves away from the kaserver. Seems the
Transarc/OpenAFS "klog.exe" can't be forwarded to the "fakeka"
daemon. This wouldn't be a problem except that it is a real annoyance for
our users to "kinit" then "aklog" at the command line by hand.
Rodney, it seems to me like it would be trivial to have kinit call aklog
after it's gotten you a TGT. Didn't you even consider trying that? And
have you heard the phrase, "If you're not part of the solution, you're
part of the problem?"
And, we're
having problems with "aklog" behind a NAT router for some reason I can't
fathom (yes, we've tried addressless tickets).
I suspect the problem is related to the fact that some versions of the
524 library wouldn't accept an addressless v5 TGT.
--Ken
--__--__--
Message: 3
From: Lester Barrows <[EMAIL PROTECTED]>
Organization: Asani Solutions, LLC
To: [EMAIL PROTECTED]
Subject: Re: [OpenAFS] cache performance
Date: Tue, 29 Oct 2002 20:06:33 -0700
Whenever a file is accessed on the client, I believe it contacts the cache
manager to ensure that it hasn't changed. Perhaps the cache manager, rather
than the file server, would be the most authoritative place to collect this
information.
Regards,
Lester Barrows
On Tuesday 29 October 2002 03:08 pm, Nathan Neulinger wrote:
What sort of additional logging are you looking for in the file server?
Also, how do you plan on handling the "if it's already in the cache, the
file server probably won't see a request" issue?
Adding more logging is relatively easy to do, just come up with a list.
-- Nathan
--__--__--
Message: 4
Date: Tue, 29 Oct 2002 22:19:53 -0500 (EST)
From: Derrick J Brashear <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [OpenAFS] afsd dying on win2k
On Tue, 29 Oct 2002, Rodney M Dyer wrote:
I don't think that's clear, but I can tell you I certainly don't have the
time to care.
Just on the side, my colleagues and I think it's funny that you say
this. Are you paid as an OpenAFS help desk person?
I have 2 jobs, some percent of one of them is devoted to OpenAFS issues
and the other is also OpenAFS related.
You seem to have
enough time to respond to just about everything that hits this list. Do
you ever have time for anything else? ;)
Some.
I can only hope my sting was "mostly harmless", but it was intended to draw
out comments on just what is going on in the group relative to Windows
support.
A lot, but not coherently organized. Perhaps that is part of the problem.
that someone is pony'ing up for support. But, is the version that Morgan
Stanley is using available as open source? Can anyone get a copy of it? Is
it a forked version of OpenAFS? What is different about it? How much
would it cost us?
It's not (apparently) forked OpenAFS, we got patches from Morgan Stanley
for the real OpenAFS windows client (the incident is still open in the
openafs-bugs queue)
glue everything together as a working unit. It all works great except now
we are having trouble weaning ourselves away from the kaserver. Seems the
Transarc/OpenAFS "klog.exe" can't be forwarded to the "fakeka"
daemon. This wouldn't be a problem except that it is a real annoyance for
our users to "kinit" then "aklog" at the command line by hand. And, we're
having problems with "aklog" behind a NAT router for some reason I can't
fathom (yes, we've tried addressless tickets).
I suppose replacing kinit with one that does aklog is right out? We
(OpenAFS) are going to have to deal with this in the near future to
support the Kerberos 5 bridge proposal support which is actually expected
to be useful (though not mandatory) in 1.2.8.
--__--__--
Message: 5
Subject: Re: [OpenAFS] cache performance
From: Nathan Neulinger <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Organization: University of Missouri - Rolla
Date: 29 Oct 2002 21:23:15 -0600
The cache manager is part of the client. So, yes, it is contacted.
As long as a callback is still present with the server, there shouldn't
be any communication with the file server.
So, one possible solution would be a cache manager debug set (fs setset)
that had a very minimal amount of logging generated - to where you could
reasonably run fstrace regularly on clients. i.e. not a full bore -
every access, just file opens.
-- Nathan
On Tue, 2002-10-29 at 21:06, Lester Barrows wrote:
Whenever a file is accessed on the client, I believe it contacts the cache
manager to ensure that it hasn't changed. Perhaps the cache manager, rather
than the file server, would be the most authoritative place to collect this
information.
Regards,
Lester Barrows
On Tuesday 29 October 2002 03:08 pm, Nathan Neulinger wrote:
What sort of additional logging are you looking for in the file server?
Also, how do you plan on handling the "if it's already in the cache, the
file server probably won't see a request" issue?
Adding more logging is relatively easy to do, just come up with a list.
-- Nathan