Re: [OpenAFS] Setup a new OpenAFS cell on Debian bullseye v11

2022-05-02 Thread Andreas Ladanyi

Hi Jose,

We rekeyed our cell years ago. Maybe this helps you.

https://www.openafs.org/pages/security/how-to-rekey.txt

https://www.openafs.org/pages/security/install-rxkad-k5-1.6.txt

regards,

Andreas

On 02.05.22 at 16:18, Jose M Calhariz wrote:

I am helping my intern to set up a new OpenAFS Cell on Debian bullseye
(v11), for debug purposes.  We are lost.  Following the Debian
Documentation (README.server) we are stuck in creating a new key for
the cell.  The Kerberos in Debian no longer allows DES keys, but the
commands we are using of OpenAFS 1.8.6-5 need a DES key (asetkey).
Has anyone set up a new OpenAFS cell?  What documentation have you
followed?


Kind regards
Jose M Calhariz



___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Migrating away from single DES

2020-09-14 Thread Andreas Ladanyi

Hi Stefano,

Rekey your AFS Server(s).

Have a look at this document:

https://www.openafs.org/pages/security/how-to-rekey.txt

An interesting discussion about "how-to-rekey.txt":

https://openafs-info.openafs.narkive.com/PVFdhGZD/afs-principal-rekeying-instructions-may-be-incomplete 



regards,

Andreas

On 14.09.20 at 10:32, ProbaNet SRLS wrote:

Hello!

Recent releases of krb5 (> 1.18) no longer support single DES
encryption (the "allow_weak_crypto = yes" option in krb5.conf on the client
side no longer has any effect), so now we get this error with "aklog -d":

---

Kerberos error code returned by get_cred : -1765328370
aklog: Couldn't get X AFS tickets:
aklog: KDC has no support for encryption type while getting AFS tickets

---

How should we proceed?


Stefano
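
The error code in the `aklog -d` output above can be decoded, and a keytab listing can be checked for the single-DES keys this thread is about. This is an added example, not part of the original thread or of OpenAFS: the `klist -ke` listing, keytab path and principal names are constructed, and the status labels are this example's own.

```python
"""Decode a krb5 error code and audit a `klist -ke` listing for single-DES keys."""
import re
from collections import defaultdict

# Base value of the krb5 com_err error table: protocol error N reaches the
# caller as KRB5_ERROR_TABLE_BASE + N.
KRB5_ERROR_TABLE_BASE = -1765328384

# A few RFC 4120 KDC error numbers (subset, enough for this example).
KDC_ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
}

SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# Matches e.g. "   4 afs/example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)".
# Some klist versions prefix weak enctypes with "DEPRECATED:"; it is optional here.
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

# Constructed sample of `klist -ke` output (not taken from the thread).
SAMPLE_KLIST_KE = """\
Keytab name: FILE:/path/to/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afs/example.org@EXAMPLE.ORG (des-cbc-crc)
   4 afs/example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   4 afs/example.org@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
   2 afs/old.example.org@EXAMPLE.ORG (des-cbc-crc)
   2 afs/old.example.org@EXAMPLE.ORG (DEPRECATED:des-cbc-md5)
   1 host/fs1.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
"""


def decode_krb5_error(code):
    """Return (protocol_error_number, name) for a krb5 library error code."""
    number = code - KRB5_ERROR_TABLE_BASE
    return number, KDC_ERROR_NAMES.get(number, "not in this example's table")


def audit_keytab_listing(listing, service="afs"):
    """Classify each afs principal in a `klist -ke` listing by its DES exposure."""
    keys = defaultdict(lambda: defaultdict(set))  # principal -> kvno -> enctypes
    for line in listing.splitlines():
        match = KLIST_ENTRY.match(line)
        if not match:
            continue  # header, separator or blank line
        kvno, principal, enctype = int(match.group(1)), match.group(2), match.group(3)
        if principal.split("@")[0].split("/")[0] != service:
            continue  # only the AFS service principal matters here
        keys[principal][kvno].add(enctype)

    report = {}
    for principal, by_kvno in keys.items():
        newest = max(by_kvno)
        older_des = any(etypes & SINGLE_DES
                        for kvno, etypes in by_kvno.items() if kvno != newest)
        if by_kvno[newest] <= SINGLE_DES:
            report[principal] = "current-kvno-single-des-only"
        elif by_kvno[newest] & SINGLE_DES:
            report[principal] = "current-kvno-mixed"
        elif older_des:
            report[principal] = "older-single-des-kvno-present"
        else:
            report[principal] = "no-single-des"
    return report


if __name__ == "__main__":
    print(decode_krb5_error(-1765328370))
    for principal, status in sorted(audit_keytab_listing(SAMPLE_KLIST_KE).items()):
        print(f"{principal}: {status}")
```
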



Re: [OpenAFS] AFS client hanged

2019-12-18 Thread Andreas Ladanyi
Hi,

>> kernel-2.6.32-696.20.1.el6.x86_64. After we upgrade to the new linux 
>> kernel and install the default openafs client version using yum(the version 
>> we used listed in the following), we have the hang issue. That's why I 
>> suspect the version compatibility.
>>
>> AFS client--sl7 : l.6.23
>>  [root@bws0825 ~]# rpm -qa|grep openafs
>> openafs-1.6-sl-client-1.6.23-289.sl7.x86_64
>> openafs-1.6-sl-authlibs-1.6.23-289.sl7.x86_64
>> openafs-1.6-sl-devel-1.6.23-289.sl7.x86_64
>> openafs-1.6-sl-module-tools-1.6.23-289.sl7.x86_64
>> openafs-1.6-sl-krb5-1.6.23-289.sl7.x86_64
>> openafs-1.6-sl-1.6.23-289.sl7.x86_64
>> openafs-1.6-sl-authlibs-devel-1.6.23-289.sl7.x86_64
>> kmod-openafs-1.6-sl-957-1.6.23-289.sl7.957.x86_64
>>
>> AFS client-SL6: 1.6.23
>> openafs-krb5-1.6.23-289.sl6.x86_64
>> openafs-client-1.6.23-289.sl6.x86_64
>> openafs-1.6.23-289.sl6.x86_64
>> openafs-kpasswd-1.6.23-289.sl6.x86_64
>> openafs-module-tools-1.6.23-289.sl6.x86_64
>> openafs-kernel-source-1.6.23-289.sl6.x86_64
>> openafs-firstboot-1.6-1.sl6.noarch
>> openafs-authlibs-1.6.23-289.sl6.x86_64
>> kmod-openafs-1.6.22.3-1.SL610.el6.noarch
>> openafs-compat-1.6.23-289.sl6.x86_64
>>
What I could see here is a version difference between kmod-openafs
1.6.22 and openafs-client 1.6.23.

Does the issue appear on one client only or on all clients which are upgraded?
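
The version skew pointed out in this reply can be checked mechanically from `rpm -qa` output. This is an added example, not part of the original thread: the function names are hypothetical, the package lines are copied from the quoted listing above, and comparing only the first three version components is an assumption of this example.

```python
"""Flag OpenAFS kernel-module / client package version skew in `rpm -qa` output."""

# Package lines copied from the quoted SL7 and SL6 listings in this message.
SL7_PACKAGES = """\
openafs-1.6-sl-client-1.6.23-289.sl7.x86_64
openafs-1.6-sl-krb5-1.6.23-289.sl7.x86_64
openafs-1.6-sl-1.6.23-289.sl7.x86_64
kmod-openafs-1.6-sl-957-1.6.23-289.sl7.957.x86_64
"""

SL6_PACKAGES = """\
openafs-krb5-1.6.23-289.sl6.x86_64
openafs-client-1.6.23-289.sl6.x86_64
openafs-1.6.23-289.sl6.x86_64
openafs-firstboot-1.6-1.sl6.noarch
kmod-openafs-1.6.22.3-1.SL610.el6.noarch
"""


def split_nvra(package):
    """Split 'name-version-release.arch' into its four parts.

    The name itself may contain hyphens and digits (for example
    'kmod-openafs-1.6-sl-957'), so version and release are taken from the
    right-hand side. Returns None for lines that do not have that shape.
    """
    nvr, dot, arch = package.strip().rpartition(".")
    if not dot or nvr.count("-") < 2:
        return None
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def upstream_version(version, parts=3):
    """First three components, e.g. '1.6.22.3' -> ('1', '6', '22') (assumption)."""
    return tuple(version.split(".")[:parts])


def kmod_client_skew(rpm_output):
    """Return sorted (kmod_version, client_version) pairs that do not match."""
    kmods, clients = [], []
    for line in rpm_output.splitlines():
        parsed = split_nvra(line)
        if parsed is None:
            continue
        name, version = parsed[0], parsed[1]
        if name.startswith("kmod-openafs"):
            kmods.append(version)
        elif name.startswith("openafs") and name.endswith("client"):
            clients.append(version)
    return sorted({(k, c) for k in kmods for c in clients
                   if upstream_version(k) != upstream_version(c)})


if __name__ == "__main__":
    for label, listing in (("SL7", SL7_PACKAGES), ("SL6", SL6_PACKAGES)):
        skew = kmod_client_skew(listing)
        print(label, "skew:", skew if skew else "none")
```
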




Re: [OpenAFS] AFS client hanged

2019-12-16 Thread Andreas Ladanyi
Hi,

> Dear all,
>
> Recently, I'm stuck with some AFS issues.
>
> AFS client hanged with the following log message. In this case,
> the AFS instance blocked and jobs failed to access any files
> located in AFS. I have to reboot the work node to recover service.
>
> Dec  6 15:03:18 bws0825 kernel: INFO: task afs_callback:19124 blocked for 
> more than 120 seconds.
> Dec  6 15:03:18 bws0825 kernel: "echo 0 > 
> /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> Dec  6 15:03:18 bws0825 kernel: afs_callbackD 9860d826e180 0 
> 19124  2 0x
> Dec  6 15:03:18 bws0825 kernel: Call Trace:
> Dec  6 15:03:18 bws0825 kernel: afs_callbackD 9860d826e180 0 
> 19124  2 0x
> Dec  6 15:03:18 bws0825 kernel: Call Trace:
> Dec  6 15:03:18 bws0825 kernel: [] 
> schedule_preempt_disabled+0x29/0x70
> Dec  6 15:03:18 bws0825 kernel: [] 
> __mutex_lock_slowpath+0xc7/0x1d0
> Dec  6 15:03:18 bws0825 kernel: [] mutex_lock+0x1f/0x2f
> Dec  6 15:03:18 bws0825 kernel: [] 
> SRXAFSCB_InitCallBackState+0x34/0x470 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] ? 
> afs_xdr_vector+0x57/0x90 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] 
> SRXAFSCB_InitCallBackState3+0xe/0x10 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] 
> RXAFSCB_ExecuteRequest+0x6f3/0x8a0 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] ? 
> getnstimeofday64+0xe/0x30
> Dec  6 15:03:18 bws0825 kernel: [] ? 
> afs_mutex_exit+0x29/0x40 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] 
> rxi_ServerProc+0xcd/0x1e0 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] ? 
> afs_shutdown_pagecopy+0x20/0x20 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] 
> rx_ServerProc+0x87/0xe0 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] 
> afs_RXCallBackServer+0x3d/0x50 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] 
> afsd_thread+0x1e5/0x730 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] ? 
> afs_shutdown_pagecopy+0x20/0x20 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] kthread+0xd1/0xe0
> Dec  6 15:03:18 bws0825 kernel: [] ? 
> insert_kthread_work+0x40/0x40
> Dec  6 15:03:18 bws0825 kernel: [] 
> ret_from_fork_nospec_begin+0x7/0x21
> Dec  6 15:03:18 bws0825 kernel: [] ? 
> insert_kthread_work+0x40/0x40
> Dec  6 15:03:18 bws0825 kernel: INFO: task afs_rxevent:19127 blocked for 
> more than 120 seconds.
> Dec  6 15:03:18 bws0825 kernel: "echo 0 > 
> /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> Dec  6 15:03:18 bws0825 kernel: afs_rxevent D 9860cbbf6180 0 
> 19127  2 0x
> Dec  6 15:03:18 bws0825 kernel: Call Trace:
> Dec  6 15:03:18 bws0825 kernel: [] ? 
> del_timer_sync+0x52/0x60
> Dec  6 15:03:18 bws0825 kernel: [] 
> schedule_preempt_disabled+0x29/0x70
> Dec  6 15:03:18 bws0825 kernel: [] 
> __mutex_lock_slowpath+0xc7/0x1d0
> Dec  6 15:03:18 bws0825 kernel: [] mutex_lock+0x1f/0x2f
> Dec  6 15:03:18 bws0825 kernel: [] 
> afs_osi_TimedSleep+0x118/0x210 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] ? 
> wake_up_state+0x20/0x20
> Dec  6 15:03:18 bws0825 kernel: [] 
> afs_osi_Wait+0x98/0xd0 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] ? 
> afs_shutdown_pagecopy+0x20/0x20 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] 
> afs_rxevent_daemon+0x95/0x140 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] 
> afsd_thread+0x636/0x730 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] ? 
> afs_shutdown_pagecopy+0x20/0x20 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] kthread+0xd1/0xe0
> Dec  6 15:03:18 bws0825 kernel: [] ? 
> insert_kthread_work+0x40/0x40
> Dec  6 15:03:18 bws0825 kernel: [] 
> ret_from_fork_nospec_begin+0x7/0x21
> Dec  6 15:03:18 bws0825 kernel: [] ? 
> insert_kthread_work+0x40/0x40
> Dec  6 15:03:18 bws0825 kernel: [] 
> ret_from_fork_nospec_begin+0x7/0x21
> Dec  6 15:03:18 bws0825 kernel: [] ? 
> insert_kthread_work+0x40/0x40
> Dec  6 15:03:18 bws0825 kernel: INFO: task afs_checkserver:19870 blocked 
> for more than 120 seconds.
> Dec  6 15:03:18 bws0825 kernel: "echo 0 > 
> /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> Dec  6 15:03:18 bws0825 kernel: afs_checkserver D 9860c7811040 0 
> 19870  2 0x
> Dec  6 15:03:18 bws0825 kernel: Call Trace:
> Dec  6 15:03:18 bws0825 kernel: [] ? 
> del_timer_sync+0x52/0x60
> Dec  6 15:03:18 bws0825 kernel: [] 
> schedule_preempt_disabled+0x29/0x70
> Dec  6 15:03:18 bws0825 kernel: [] 
> __mutex_lock_slowpath+0xc7/0x1d0
> Dec  6 15:03:18 bws0825 kernel: [] mutex_lock+0x1f/0x2f
> Dec  6 15:03:18 bws0825 kernel: [] 
> afs_osi_TimedSleep+0x118/0x210 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] ? 
> wake_up_state+0x20/0x20
> Dec  6 15:03:18 bws0825 kernel: [] 
> afs_osi_Wait+0x98/0xd0 [openafs]
> Dec  6 15:03:18 bws0825 kernel: [] 
> afs_CheckServerDaemon+0x118/0x1a0 

Re: [OpenAFS] Windows 10 Pro and openafs client : cannot obtain token

2019-06-17 Thread Andreas Ladanyi
Hi Laurent,

I had similar problems in the past.

The "best practice" solution was to only install the Auristor package,
which also delivers the Heimdal client.

I didn't install the Network ID Manager.


To avoid the AFS login failed message (if you get one in the
future) after a Windows restart, have a look at this page:

https://www.tenforums.com/tutorials/49963-use-sign-info-auto-finish-after-update-restart-windows-10-a.html


Andreas


> Hi,
>
> I'm facing problems obtaining an AFS token on a Windows 10 Pro computer
> integrated in a Windows Server 2016 domain.
> Configuration :
> Windows 10 Pro 1809,
> Heimdal 7.4.040
> Network Identity Manager 2.5.0.106
> OpenAFS 1.7.3301 from Auristor
>
>
> Network Identity Manager obtains the Kerberos ticket well, but not the AFS one.
>
> aklog -d (in terminal) outputs
>
> Authenticating to cell CELLNAME
> Getting v5 tickets: afs/CELLNAME@REALM
> aklog: Couldn't get afs/CELLNAME@REALM ticket: Matching credential
> (afs/CELLNAME@REALM) not found
>
> Credentials exist
> It works perfectly under Windows 7 with both OpenAFS 1.7.3301 and
> OpenAFS 1.5.99.06 client.
>
> Thanks in advance.
> Laurent
>

-- 

Karlsruher Institut für Technologie (KIT)
Fakultät für Informatik
ATIS – Abteilung Technische Infrastruktur

Dipl.-Ing. Andreas Ladanyi
- System administrator -

Am Fasanengarten 5, Gebäude 50.34, Raum 013
76131 Karlsruhe

Phone: +49 721 608 - 4 3663
Fax: +49 721 608 - 4 6699
E-Mail: andreas.lada...@kit.edu
www.atis.informatik.kit.edu

www.kit.edu

KIT - University of the State of Baden-Württemberg and National Research Center
of the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.



Re: [OpenAFS] AFS 1.8.2, afsd errors on FreeBSD

2019-04-29 Thread Andreas Ladanyi
Hi,

> On Tue, Apr 16, 2019 at 03:02:16PM +0200, Andreas Ladanyi wrote:
>> Hi,
>>
>> afsd -debug tells me:
>>
>> SScall(339, 28, 6601376)=-1 (78, Function not implemented)
>> SScall(339, 28, -18944)=-1 (78, Function not implemented)
>> SScall(339, 28, 1)=-1 (78, Function not implemented)
>> afsd: Forking rx listener daemon.
>> afsd: Forking rx callback listener.
>> SScall(339, 28, 15050)=-1 (78, Function not implemented)
>> afsd: Forking rxevent daemon.
>> SScall(339, 28, 15050)=-1 (78, Function not implemented)
>> afsd: Forking AFSDB lookup handler.
>> SScall(339, 28, 0)=-1 (78, Function not implemented)
>> SScall(339, 28, 1)=-1 (78, Function not implemented)
>> afsd: Error -1 in basic initialization.
> Is the kernel module loaded?

You are right. The module wasn't loaded. I tried to load the kernel
module in my FreeBSD jail:

kldload /boot/modules/libafs.ko

and get the error message:

kldload: can't load /boot/modules/libafs.ko: Operation not permitted


I read that module loading in BSD jails is not possible. So I tried to load it on
the FreeNAS host (which already contains the openafs jail) directly:

kldload /mnt/Pool1/iocage/jails/myjail/root/boot/modules/libafs.ko

The error message is:

kldload: an error occurred while loading the module. Please check
dmesg(8) for more details.

dmesg:

kldload: unexpected relocation type 4
link_elf_obj: symbol in_ifaddrhead undefined
linker_load_file: Unsupported file type


>
> -Ben



[OpenAFS] AFS 1.8.2, afsd errors on FreeBSD

2019-04-16 Thread Andreas Ladanyi
Hi,

afsd -debug tells me:

SScall(339, 28, 6601376)=-1 (78, Function not implemented)
SScall(339, 28, -18944)=-1 (78, Function not implemented)
SScall(339, 28, 1)=-1 (78, Function not implemented)
afsd: Forking rx listener daemon.
afsd: Forking rx callback listener.
SScall(339, 28, 15050)=-1 (78, Function not implemented)
afsd: Forking rxevent daemon.
SScall(339, 28, 15050)=-1 (78, Function not implemented)
afsd: Forking AFSDB lookup handler.
SScall(339, 28, 0)=-1 (78, Function not implemented)
SScall(339, 28, 1)=-1 (78, Function not implemented)
afsd: Error -1 in basic initialization.


regards,

Andreas




Re: [OpenAFS] AFS 1.8.2 , bus error on FreeBSD

2019-04-08 Thread Andreas Ladanyi
I can't see crashes when compiling with gcc. The "bos" binary was built.
But "bus error" occurs when executing the "bos" binary.


If I understand you correctly, the error is in the LWP code. There is a
workaround for this issue only for clang. So if I use clang to compile,
the "bos" binary could start without "bus error"?



On 07.04.19 at 20:44, Benjamin Kaduk wrote:

I don't think that's a requirement, no.
(Were the crashes with a gcc-compiled version?)

-Ben

On Sun, Apr 07, 2019 at 08:17:44PM +0200, Andreas Ladanyi wrote:

OK, so I have to compile OpenAFS 1.8 with clang instead of gcc on FreeBSD?


On 06.04.19 at 04:33, Benjamin Kaduk wrote:

On Fri, Apr 05, 2019 at 08:39:23AM +0200, Andreas Ladanyi wrote:

Hi,

I compiled AFS 1.8.2 on FreeBSD 11.2. When I want to execute the bos command
it shows me a "Bus Error".  If I understand the problem correctly, the
problem is that bos wants to access memory which the CPU physically can't access.

Do I have to set some flags at configure time, before make?

The LWP code ends up with a misaligned stack for the green thread and it's
kind of messy to track down a fix that works on all OS versions and with
all compilers.

The ports collection makefile adds -mstackrealign for clang, to work around
this issue.  The hope is that for OpenAFS 2.0 we'll have LWP entirely gone
and not need to worry about this any more...

-Ben


Re: [OpenAFS] AFS 1.8.2 , bus error on FreeBSD

2019-04-07 Thread Andreas Ladanyi

OK, so I have to compile OpenAFS 1.8 with clang instead of gcc on FreeBSD?


On 06.04.19 at 04:33, Benjamin Kaduk wrote:

On Fri, Apr 05, 2019 at 08:39:23AM +0200, Andreas Ladanyi wrote:

Hi,

I compiled AFS 1.8.2 on FreeBSD 11.2. When I want to execute the bos command
it shows me a "Bus Error".  If I understand the problem correctly, the
problem is that bos wants to access memory which the CPU physically can't access.

Do I have to set some flags at configure time, before make?

The LWP code ends up with a misaligned stack for the green thread and it's
kind of messy to track down a fix that works on all OS versions and with
all compilers.

The ports collection makefile adds -mstackrealign for clang, to work around
this issue.  The hope is that for OpenAFS 2.0 we'll have LWP entirely gone
and not need to worry about this any more...

-Ben


[OpenAFS] AFS 1.8.2 , bus error on FreeBSD

2019-04-05 Thread Andreas Ladanyi

Hi,

I compiled AFS 1.8.2 on FreeBSD 11.2. When I want to execute the bos command
it shows me a "Bus Error".  If I understand the problem correctly, the
problem is that bos wants to access memory which the CPU physically can't access.


Do I have to set some flags at configure time, before make?


regards,

Andreas



Re: [OpenAFS] AFS fails to build on FreeBSD

2019-03-27 Thread Andreas Ladanyi
Hi,
> Hi,
>
>>> I don't have it in front of me right now, but at least on 1.8.x (I haven't 
>>> tried 1.6.x), it's necessary to create that file based on the FreeBSD 11.1 
>>> version and add a systype for 11.2 into some other file(s) (a grep for fbsd 
>>> should help).  It was actually pretty straightforward and it seems stable 
>>> (at least the client; I haven't tried the server).
> For FreeBSD 11.2:
>
> 1.8.2 compiles with the patch
>
> 1.6.x doesn't compile with the patch, I will have a look later

make fails with the error message:

error: unknown type name 'afs_uint32'

I could see afs_uint32 is declared as a typedef in include/afs/stds.h

>
>
> Andreas
>
>
>



Re: [OpenAFS] AFS fails to build on FreeBSD

2019-03-20 Thread Andreas Ladanyi
Hi,

>> I don't have it in front of me right now, but at least on 1.8.x (I haven't 
>> tried 1.6.x), it's necessary to create that file based on the FreeBSD 11.1 
>> version and add a systype for 11.2 into some other file(s) (a grep for fbsd 
>> should help).  It was actually pretty straightforward and it seems stable 
>> (at least the client; I haven't tried the server).

For FreeBSD 11.2:

1.8.2 compiles with the patch

1.6.x doesn't compile with the patch, I will have a look later


Andreas







[OpenAFS] AFS fails to build on FreeBSD

2019-03-15 Thread Andreas Ladanyi
Hi,

AFS 1.6.23 fails to build on FreeBSD 11.2

make tells me:

dont know how to make ./param.amd64_fbsd_112.h. Stop

Could somebody assist me, please ?

thanks,

Andreas



Re: [OpenAFS] AFS Performance / ZFS

2019-03-07 Thread Andreas Ladanyi
Hi Jeffrey,
>> Hi,
>>
>> I am testing a box with FreeNAS (BSD) and ZFS. On this box I use a
>> virtualized bhyve guest as AFS server.
>> [...]
>> Any ideas why AFS speed is only about 25 MByte/s? Maybe I have to
>> adjust another AFS server parameter?
> There are performance bottlenecks in the bhyve network virtualization
> that severely impact RX throughput.  The weaknesses in the OpenAFS RX
> implementation related to flow control, congestion avoidance, and pacing
> exacerbate the throughput limitations.

That's important information.

What's the experience with docker containers (instead of bhyve) and OpenAFS?


Andreas



[OpenAFS] AFS Performance / ZFS

2019-03-07 Thread Andreas Ladanyi
Hi,

I am testing a box with FreeNAS (BSD) and ZFS. On this box I use a
virtualized bhyve guest as AFS server.

The box includes SAS drives (12G/s) on HBA (12G/s). I created some vice
partitions for the AFS server guest and connect them with ahci. If

For ZFS pool which contains the vice partitions:

- atime and  deduplication are off

- lz4 compression is on

The afs server parameters:

- udp size is set to 2MB and 8MB for test

- afs sync is set to "never", zfs sync is enabled

From the AFS client (desktop box, 1GE) to the virtual AFS server guest there is a
1GE ethernet connection. If I test this connection with iperf I get
nearly 1GE test data speed.

If I test on the client side with dd and create a file in the AFS path I
get about 25 MB/s (200 MBit/s) with memcache and disk cache.

If I dd with oflag=direct to the unmounted AFS vicepa partition device
(/dev/sdX) in the AFS server guest system then I get about 1 GByte/s,
which is near the 12 Gbit/s of SAS drive / HBA speed.


Any ideas why AFS speed is only about 25 MByte/s? Maybe I have to
adjust another AFS server parameter?


Andreas



[OpenAFS] rxperf

2019-03-07 Thread Andreas Ladanyi
Hi,

I want to test rx performance with rxperf. Where can I get rxperf?

I can't find it in the openafs packages on ubuntu / centos.

rxdebug is available.

regards,

Andreas




[OpenAFS] server crash / moving volumes without vos move

2018-12-17 Thread Andreas Ladanyi
Hello,

One AFS hardware server doesn't come up.

I have got a second working fileserver and want to mount the partition
from the crashed fileserver to the working fileserver.

crashed fileserver has a /vicepa (from external SAN)

working fileserver has a /vicepa (from external SAN)

So my idea is to mount the vicepa (from external SAN) from the crashed
file server to the working fileserver as /vicepb so I could get the
volumes and register the volumes to the working AFS fileserver.

"vos move" won't work because the second fileserver is off.

Is there a suggestion for another way?

regards,

Andreas






[OpenAFS] cache manager timeout

2018-11-26 Thread Andreas Ladanyi

Hi,

Is it possible to adjust the timeout of the cache manager when asking
the next CellServDB or afsdb entry when a server listed in CellServDB /
afsdb is offline, so that, for example, the users don't get a long wait for
ssh login?


regards,

Andreas



Re: [OpenAFS] automatic replication of ro volumes

2018-11-12 Thread Andreas Ladanyi

Hi Jeffrey,

It is common that an OpenAFS admin has to sync an RO volume after something
is added to the RW volume. This is done by the vos release command. I think
it's the only way. Are there automatic sync functions in the vol / fs server?

The risk of automated volume releases is that the automated system does
not know when the volume contents are in a consistent and quiescent state.


OK, but vos release "knows" them?

Is there something against a crontab script as root with vos lock and
vos release for all volumes (with an RO site)?




Sites often use remctl to grant end users the ability to release their
own volumes.

Automated releases of RO volumes are a poor substitute for replicated RW
volumes.  RW replication is a feature which was never completed for OpenAFS.

Jeffrey Altman


Andreas


[OpenAFS] automatic replication of ro volumes

2018-11-09 Thread Andreas Ladanyi
Hi,

It is common that an OpenAFS admin has to sync an RO volume after something
is added to the RW volume. This is done by the vos release command. I think
it's the only way. Are there automatic sync functions in the vol / fs server?

Andreas



Re: [OpenAFS] disk cache read error in CacheItems

2018-10-23 Thread Andreas Ladanyi
Hi Martin,
>
> Hi !
>
> In the last few days we've observed an increasing number of Nodes,
> which can no longer be reached and have to be rebooted
>
> In the /var/log/messages we see a lot of lines with e.g.
>
> Oct 22 18:48:26 bird858 kernel: afs: disk cache read error in
> CacheItems slot 25254 off 2020340/13880020 code -5/80
> Oct 22 18:48:26 bird858 kernel: afs: disk cache read error in
> CacheItems slot 25253 off 2020260/13880020 code -5/80
> Oct 22 18:48:26 bird858 kernel: afs: disk cache read error in
> CacheItems slot 25252 off 2020180/13880020 code -5/80
> Oct 22 18:48:26 bird858 kernel: afs: disk cache read error in
> CacheItems slot 25251 off 2020100/13880020 code -5/80
>
> till nothing happens anymore ...
>
> The clients are  Centos 7.5 , 3.10.0-862.14.4.el7.x86_64, OpenAFS
> 1.6.23 built 2018-09-12 (289.sl7.862.1...@fnal.gov)
>
> Any hints for the possible reason ?

I have the same constellation with the AFS 1.6.23 client from the jsbillings repo.

I can't see these messages in /var/log/messages yet.


regards,

Andy



Re: [OpenAFS] OpenAFS Security Releases 1.8.2, 1.6.23 available

2018-10-13 Thread Andreas Ladanyi

Hi Brian,


For any other folks using Red Hat – what are you doing for deploying 
OpenAFS?  Are there any repos out there equivalent to the Ubuntu PPA?



https://copr.fedorainfracloud.org/coprs/jsbillings/openafs/packages/

regards,
Andy



Re: [OpenAFS] problems with ubuntu 18.04 client

2018-10-05 Thread Andreas Ladanyi
> You need to update your apparmor policy to allow rw access to
> /var/cache/openafs/**; accesses are performed by the kernel cache manager
> on behalf of all processes and apparmor's view of the credentials do not
> line up.  MIT's configuration does this as of
> https://github.com/mit-athena/apparmor-config/commit/e3b34ce4d455574a235bbb8a512ad99f75155bc7
>
> -Ben

Is the OpenAFS bug which is worked around by the AppArmor config present since
release 1.8, or also in 1.6?

The date of the commit is from February this year. AFS 1.8 was released
in April this year.


Andy



Re: [OpenAFS] problems with ubuntu 18.04 client

2018-10-04 Thread Andreas Ladanyi
Hi,

> if i login into the same Computer, the tree /afs/desy.de/user is also
> missing for me ...
>
Does a reboot solve the issue ?

Did you use ubuntu 18.04 and afs 1.6 before switching to afs 1.8 ?

Are there issues from volumes in the salvager log  ?


regards,

Andy



Re: [OpenAFS] problems with ubuntu 18.04 client

2018-10-04 Thread Andreas Ladanyi
Hi Martin,

>
> Hi, again !
>
> Shortly after I sent this mail to the list, one of the users reported
> back ... same problems as before ... :-(
>
> In an old terminal (where AFS was running well) everything seems to be
> ok (create files, folder, pwd ... etc.) but for every new terminal
> or GUI application the AFS tree /afs/desy.de/user/ is not available
> anymore

Are the volumes from the users online or offline?

If the volumes are offline could you salvage (bos salvage ...) the
volumes which results in the volumes going online and later the volumes go
offline again?

>
> Other directories in /afs/desy.de/ are available ...
>
cheers,

Andy



Re: [OpenAFS] problems with ubuntu 18.04 client

2018-10-02 Thread Andreas Ladanyi


> We were probably just lucky, or the packages from the 1.8 ppa
> http://ppa.launchpad.net/openafs/stable/ubuntu never had the problem.
Did you use 1.8.0 from ppa for the clients in the past or did you start
at 1.8.2 when switching from 1.6 release ?
>
>
> Greetings,
> Gaja Peters
>
cheers,

Andy



Re: [OpenAFS] problems with ubuntu 18.04 client

2018-10-02 Thread Andreas Ladanyi
Hi Martin,

We had the same problems.

We are using the 1.6 release from ppa (
https://launchpad.net/~openafs/%2Barchive/ubuntu/stable ) on server and client
now and there seem to be no problems anymore.

1.8 pre on the client from the default Ubuntu 18.04 repo and, if I remember correctly,
1.8.0 from ppa on the client was a problem.

And yes, after rebooting a 1.8 client the problem was gone.


Andy

>
> Hi !
>
> In the last days we're getting more and more messages from users about
> having problems accessing their home directories or subfolders, or the
> whole user tree /afs/desy.de/user is missing ...
>
> Using ubuntu 18.04 with the regular openafs-client 1.8.0 ~ pre5-1 and
> 4.15.0-34-generic kernel ...
> Server are running with mostly 1.6.22 / 1.6.23 with Centos7 ...
>
> Are any problems known here with this combination ?
>
> Solution seems to be only a reboot of the system ... Unfortunately
> I've got no time to analyze one of these desktops, because the users
> report this problem after the reboot ...
>
> Thanks & Cheers
>
>
>    Martin
>




Re: [OpenAFS] volume could not be attached

2018-09-13 Thread Andreas Ladanyi
I want to report my results:

Salvaging the volume multiple times and switching back to 1.6.22 on the
client and waiting seems to solve the problem for now.

Are there known problems with the cache manager in 1.8.0 ? Maybe which
result in broken cache information which could be synced to the server
which results in a broken volume ?

In the past we had a lot of question mark issues with 1.8.0 clients on
directories which were changed by users before. After rebooting the
clients the question marks were gone. So it sounds like a broken cache or
sync issue to me.

Is the 1.8 client (cache manager) designed to work with an 1.6 server
generally ?


Andreas
> I manually salvaged the volume with bos salvage and the volume goes
> online. The user accessed the cache manager mountpoint on the client and
> the volume goes offline again.
>
> FileLog:
>
> CopyOnWrite corruption prevention: detected zero nlink for volume
> 536875101 inode 5465217102250391 (dest), forcing volume offline
> VRequestSalvage: volume 536875101 online salvaged too many times; forced
> offline.
> VRequestSalvage: volume 536875101 online salvaged too many times; forced
> offline.
> FSYNC_backgroundSalvage: unable to request salvage for volume 536875101
>
>
> I could voldump the volume for testing and don't get an error message.
>
> For info:
>
> I have seen that the client was working with afs 1.8.0. Now its 1.6.22
> back again. (Ubuntu 16.04, kernel 4.4.0-134)
>
> The server is on 1.6.22 (kernel 4.15.0-20, Ubuntu 18.04)
>
>
> Andreas
>
>
>> Hi,
>>
>> One volume could not be attached. This is not a newly created volume.
>>
>> OpenAFS 1.6.22.2 (dafs) / Ubuntu 18.04
>>
>>
>> vos exa user.name:
>>
>>  Volume 536875101 is busy 
>>
>>     RWrite: 536875101 Backup: 536875103
>>     number of sites -> 1
>>    server ... partition /vicepa RW Site
>>
>>
>> vos online / offline:
>>
>> SetVolumeStatus: TransCreate Failed
>> Failed to set volume. Code = 103
>>
>>
>> VolserLog:
>>
>> 1 Volser: GetVolInfo: Could not attach volume 536875101
>> (/vicepa:V0536875101.vol) error=113
>> SYNC_ask: negative response on circuit 'FSSYNC'
>> FSYNC_askfs: FSSYNC request denied for reason=0
>> VAttachVolume: attach of volume 536875101 apparently denied by file server
>> attach2: forcing vol 536875101 to error state (state 0 flags 0x0 ec 103)
>> SYNC_ask: negative response on circuit 'FSSYNC'
>> FSYNC_askfs: FSSYNC request denied for reason=0
>> VAttachVolume: attach of volume 536875101 apparently denied by file server
>> attach2: forcing vol 536875101 to error state (state 0 flags 0x0 ec 103)
>>
>> FileLog:
>>
>> VRequestSalvage: volume 536875101 online salvaged too many times; forced
>> offline.
>> FSYNC_backgroundSalvage: unable to request salvage for volume 536875101
>>
>> SalsrvLog:
>>
>> 09/10/2018 10:12:37 Salvaged user.name (536875101): 160944 files,
>> 11976937 blocks
>> 09/10/2018 10:12:39 dispatching child to salvage volume 536875101...
>> 09/10/2018 10:12:40 2 nVolumesInInodeFile 64
>> 09/10/2018 10:12:40 CHECKING CLONED VOLUME 536875103.
>> 09/10/2018 10:12:40 user.name.backup (536875103) updated 09/08/2018 18:32
>> 09/10/2018 10:12:40 SALVAGING VOLUME 536875101.
>> 09/10/2018 10:12:40 user.name (536875101) updated 09/10/2018 10:12
>> 09/10/2018 10:12:40 totalInodes 160966
>> 09/10/2018 10:12:41 Found 40 orphaned files and directories (approx. 80 KB)
>> 09/10/2018 10:12:41 Salvaged user.name (536875101): 160944 files,
>> 11976937 blocks
>>
>> volinfo:
>>
>> Inode 2305861000965914623: Good magic 78a1b2c5 and version 1
>> Inode 2305861001033023487: Good magic 99776655 and version 1
>> Inode 2305861001100132351: Good magic 88664433 and version 1
>> Inode 2305861001301458943: Good magic 99877712 and version 1
>> Volume header for volume 536875101 (user.name)
>> stamp.magic = 78a1b2c5, stamp.version = 1
>> inUse = 0, inService = 1, blessed = 1, needsSalvaged = 1, dontSalvage = 0
>> type = 0 (read/write), uniquifier = 3587963, needsCallback = 0,
>> destroyMe = 0
>> id = 536875101, parentId = 536875101, cloneId = 0, backupId = 536875103,
>> restoredFromId = 0
>> maxquota = 16777216, minquota = 0, maxfiles = 0, filecount = 160944,
>> diskused = 11976937
>> creationDate = 1366961543 (2013/04/26.09:32:23), copyDate = 1533799185
>> (2018/08/09.09:19:45)
>> backupDate = 1536512433 (2018/09/09.19:00:33), expirationDate = 0
>> (1970/01/01.01:00:00)
>> accessDate = 1536568099 (2018/09/10.10:28:19), updateDate = 153656

Re: [OpenAFS] volume could not be attached

2018-09-11 Thread Andreas Ladanyi
I manually salvaged the volume with bos salvage and the volume goes
online. The user accessed the cache manager mountpoint on the client and
the volume goes offline again.

FileLog:

CopyOnWrite corruption prevention: detected zero nlink for volume
536875101 inode 5465217102250391 (dest), forcing volume offline
VRequestSalvage: volume 536875101 online salvaged too many times; forced
offline.
VRequestSalvage: volume 536875101 online salvaged too many times; forced
offline.
FSYNC_backgroundSalvage: unable to request salvage for volume 536875101


I could voldump the volume for testing and don't get an error message.

For info:

I have seen that the client was working with afs 1.8.0. Now it's 1.6.22
back again. (Ubuntu 16.04, kernel 4.4.0-134)

The server is on 1.6.22 (kernel 4.15.0-20, Ubuntu 18.04)


Andreas




[OpenAFS] volume could not be attached

2018-09-10 Thread Andreas Ladanyi
Hi,

one volume could not be attached. This is not a newly created volume.

OpenAFS 1.6.22.2 (dafs) / Ubuntu 18.04


vos exa user.name:

 Volume 536875101 is busy 

    RWrite: 536875101 Backup: 536875103
    number of sites -> 1
   server ... partition /vicepa RW Site


vos online / offline:

SetVolumeStatus: TransCreate Failed
Failed to set volume. Code = 103


VolserLog:

1 Volser: GetVolInfo: Could not attach volume 536875101
(/vicepa:V0536875101.vol) error=113
SYNC_ask: negative response on circuit 'FSSYNC'
FSYNC_askfs: FSSYNC request denied for reason=0
VAttachVolume: attach of volume 536875101 apparently denied by file server
attach2: forcing vol 536875101 to error state (state 0 flags 0x0 ec 103)
SYNC_ask: negative response on circuit 'FSSYNC'
FSYNC_askfs: FSSYNC request denied for reason=0
VAttachVolume: attach of volume 536875101 apparently denied by file server
attach2: forcing vol 536875101 to error state (state 0 flags 0x0 ec 103)

FileLog:

VRequestSalvage: volume 536875101 online salvaged too many times; forced
offline.
FSYNC_backgroundSalvage: unable to request salvage for volume 536875101

SalsrvLog:

09/10/2018 10:12:37 Salvaged user.name (536875101): 160944 files,
11976937 blocks
09/10/2018 10:12:39 dispatching child to salvage volume 536875101...
09/10/2018 10:12:40 2 nVolumesInInodeFile 64
09/10/2018 10:12:40 CHECKING CLONED VOLUME 536875103.
09/10/2018 10:12:40 user.name.backup (536875103) updated 09/08/2018 18:32
09/10/2018 10:12:40 SALVAGING VOLUME 536875101.
09/10/2018 10:12:40 user.name (536875101) updated 09/10/2018 10:12
09/10/2018 10:12:40 totalInodes 160966
09/10/2018 10:12:41 Found 40 orphaned files and directories (approx. 80 KB)
09/10/2018 10:12:41 Salvaged user.name (536875101): 160944 files,
11976937 blocks

volinfo:

Inode 2305861000965914623: Good magic 78a1b2c5 and version 1
Inode 2305861001033023487: Good magic 99776655 and version 1
Inode 2305861001100132351: Good magic 88664433 and version 1
Inode 2305861001301458943: Good magic 99877712 and version 1
Volume header for volume 536875101 (user.name)
stamp.magic = 78a1b2c5, stamp.version = 1
inUse = 0, inService = 1, blessed = 1, needsSalvaged = 1, dontSalvage = 0
type = 0 (read/write), uniquifier = 3587963, needsCallback = 0,
destroyMe = 0
id = 536875101, parentId = 536875101, cloneId = 0, backupId = 536875103,
restoredFromId = 0
maxquota = 16777216, minquota = 0, maxfiles = 0, filecount = 160944,
diskused = 11976937
creationDate = 1366961543 (2013/04/26.09:32:23), copyDate = 1533799185
(2018/08/09.09:19:45)
backupDate = 1536512433 (2018/09/09.19:00:33), expirationDate = 0
(1970/01/01.01:00:00)
accessDate = 1536568099 (2018/09/10.10:28:19), updateDate = 1536568099
(2018/09/10.10:28:19)
owner = 29724, accountNumber = 0
dayUse = 9473; week = (20149, 14021, 403285, 46815, 88402, 59592,
32594), dayUseDate = 1536530400 (2018/09/10.00:00:00)
volUpdateCounter = 161079


Andreas



Re: [OpenAFS] Obtaining tokens at login on Ubuntu 18.04

2018-08-17 Thread Andreas Ladanyi

Hi,

try to remove the dbus-user-session package and see if it works.

Have a look at https://github.com/systemd/systemd/issues/7261

regards,

Andy


On 17.08.2018 at 02:41, Prasad K. Dharmasena wrote:
I've installed OpenAFS and pam-afs-session on Ubuntu 18.04 (bionic) 
via (a) vendor supplied packages, and (b) building from source 
(1.6.22.3).  On both machines, logging in via gdm doesn't get me a 
token.  SSH in, however, does obtain a token.  For both gdm and ssh 
logins, the auth.log shows the following:


pam_afs_session(gdm-password:session): PAG apparently lost, recreating
pam_afs_session(sshd:session): PAG apparently lost, recreating

Has anyone else seen this on Ubuntu 18.04?  (I've had this working for 
a while now on Ubuntu 16.04 -- building from 1.6.20+ source with 
pam-afs-session 2.6.)


Thanks.


-pkd





[OpenAFS] fs newcell / clients CellServDB / adding new db server

2018-06-26 Thread Andreas Ladanyi
Hi Jeffrey,

I want to give a little feedback.

We finished the job. We bos added and then restarted / started the pt/vl
servers beginning with lowest ip. The new ubik election and syncing
works great.

We distributed the CellServDB to clients and the execution of "fs
newcell" with ansible. This also works great.

Is there a function / service in afs to manage clients' cellservdb? I
understand upclient/upserver are for servers only.

regards,
Andreas


Re: [OpenAFS] fs newcell / clients CellServDB / adding new db server

2018-06-18 Thread Andreas Ladanyi
>
> The ubik clients do not rank servers based upon IP address.  What they
> do is:
ok. Then maybe I misunderstood the documentation
(http://docs.openafs.org/QuickStartUnix/HDRWQ114.html) which tells me
the machine with lowest ip is "usually" elected as the ubik coordinator.

I followed the instructions in this document to add a new db server machine
with lowest ip.
>
> 1. compute the length of the ordered server list
>
>   A B C D
>
> 2. then generate a random number from 0..
>
> 3. use that number as an index into the list to decide which is first
>
> 4. and reorder the list as if it were a circular queue.  So if the
> random number selected was 2, then the list would become
>
>   C D A B
>
> The only time the coordinator must be contacted is for a write
> transaction.  All read transactions are processed by the first server
> contacted.
ok. thanks for explanation.
>
> My conclusion is that there is something about your cell configuration
> that results in a write transaction for each token requested.  For example:
I straced aklog for some tests and could see that aklog sometimes asks the
new db server (which is offline) and then waits for a timeout (hangs
about 15 sec), and sometimes asks the old online db servers from CellServDB
without a timeout (hang).

This seems to cause the ssh login hanging symptom because pam debug
shows me hanging about 15 sec when pam_afs calls aklog.

So in summary it seems to be better to first add the new db server to
all db servers' CellServDB / bos addhost and to bos restart the pt/vl
instances for ubik coordinator election on the servers and then to
update the clients' CellServDB.

The documentation tells to first update clients' CellServDB (when new db
server with lowest ip) and then bring up new db server.
>
>  1. cell name:example.com
no, cellname a.b.c
>
>  2. One of the following is true:
>
> a. realm name:AD.EXAMPLE.COM
no AD

REALM = A.B.C, MIT Kerberos
>
> b. CellServDB's zeroth ubik server host domain:
>
>   subnet.example.com
I don't understand this example.
>
>  3. auto-registration of foreign PTS IDs enabled:
>
> a. pam_afs_session configuration doesn't disable it
>
> b. aklog executed without -noprdb
yes, pam_afs_session calls aklog without -noprdb
>
> If the "realm of cell" guessing algorithm decides that the current login
> is likely to be a foreign cell login, then an attempt to allocate a PTS
> ID for the authentication name will be performed.  This request is a
> write transaction and the ubik client will attempt to contact every ubik
> server in order until the coordinator is determined.
>
> Jeffrey Altman
>
Andi
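
Added example, not part of the original thread: a small model of the ubik client server ordering quoted above, showing why one unreachable CellServDB entry delays write transactions (such as PTS auto-registration) far more often than reads. The server names, the offline host sitting at the end of the list, the choice of coordinator, a uniform random index and the 15-second timeout (taken from the hang reported above) are assumptions.

```python
from fractions import Fraction

# Seconds lost per unreachable server (assumed from the ~15 s hang in the thread).
TIMEOUT = 15


def rotations(servers):
    """All orders a client can end up with: the ordered list treated as a
    circular queue and started at index 0..len(servers)-1."""
    return [servers[i:] + servers[:i] for i in range(len(servers))]


def read_delay(order, offline):
    """Reads are served by the first server contacted; an unreachable
    server costs one timeout before the client moves on to the next."""
    delay = 0
    for server in order:
        if server not in offline:
            return delay
        delay += TIMEOUT
    raise RuntimeError("no reachable server in list")


def write_delay(order, offline, coordinator):
    """Writes walk the list in order until the coordinator is reached."""
    delay = 0
    for server in order:
        if server == coordinator:
            return delay
        if server in offline:
            delay += TIMEOUT
    raise RuntimeError("coordinator not in list")


def summarize(servers, offline, coordinator):
    """Probability and mean delay of a hang, taken over every rotation."""
    if coordinator in offline:
        raise ValueError("an offline server cannot be the coordinator")
    orders = rotations(servers)
    reads = [read_delay(o, offline) for o in orders]
    writes = [write_delay(o, offline, coordinator) for o in orders]
    n = len(orders)
    return {
        "p_read_hang": Fraction(sum(d > 0 for d in reads), n),
        "p_write_hang": Fraction(sum(d > 0 for d in writes), n),
        "mean_read_delay": Fraction(sum(reads), n),
        "mean_write_delay": Fraction(sum(writes), n),
    }


if __name__ == "__main__":
    # Constructed cell: three running db servers plus a new one (D) that is
    # listed last in CellServDB but not yet online; A is the coordinator.
    result = summarize(["A", "B", "C", "D"], offline={"D"}, coordinator="A")
    for key, value in result.items():
        print(f"{key}: {value}")
```

With these assumptions a read hangs in one of four orderings, while a write hangs in three of four, which matches logins stalling only when aklog triggers a write transaction.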


Re: [OpenAFS] fs newcell / clients CellServDB / adding new db server

2018-06-15 Thread Andreas Ladanyi
Hi Jeffrey,
>>> I understand that a change in CellServDB on client has no effect
>>> until reboot.
>> The OpenAFS unix cache manager populates the list of location servers
>> (vlservers) at startup.  The loaded server list can be adjusted via the
>> "fs newcell" command at runtime.
>>
>> This behavior is specific to the OpenAFS unix cache manager.
>>
>> It does not apply to other cache managers nor does it apply to command
>> line tools such as aklog, vos, pts, etc..  Nor does it apply to PAM modules.
ok. So the process of changing CellServDB on db servers and bos restart AND
updating (copying) new CellServDB to clients has to be done in a very
short time to minimize timeout symptoms for users, because db servers
have to be in sync and ubik coordinator has to be elected and the afs
clients with new CellServDB with the new db server (lowest ip) ask the
new db server (ubik coordinator) first.

>>
regards,
Andi


Re: [OpenAFS] Windows 10, KDC not reachable / AFS integrated login failed

2018-06-14 Thread Andreas Ladanyi
Hi Gaja,

you are great. Thank you. It works.

Andi


> Am 30.01.2018 um 14:09 schrieb Andreas Ladanyi:
>
>> Windows 10 Pro , Auristor AFS client package
>>
>> When starting the device and before login screen appears the messages
>> appears: [snip]
>>
>> AFS integrated login failed
>>
>> before it is possible to enter credentials at windows login box (display
>> manager).
>
> This is a rather late answer, but since I just happened to stumble
> again over the solution, I thought I'd post it here in case it is
> still useful for anybody.
>
>> Is it possible to start kerberos client and afs client after entering
>> the credentials at windows 10 ?
>
> Yes, that is possible. The solution is basically what is posted on
> this website:
>
> https://www.tenforums.com/tutorials/49963-use-sign-info-auto-finish-after-update-restart-windows-10-a.html
>
>
> Apparently, Windows 10 since some version is able to "remember"
> login-credentials over a reboot, and will use these internal
> credentials to sign-in to windows even before you enter the password.
> This unfortunately triggers also the "integrated login" to AFS, but
> since there is no password for it to work with, it will fail.
>
> Once this option in Windows is disabled, Windows will not try to do an
> integrated login without password and everything is ok.
>
> Greetings,
> Gaja Peters



[OpenAFS] fs newcell / clients CellServDB / adding new db server

2018-06-14 Thread Andreas Ladanyi
> On 6/13/2018 8:06 AM, Andreas Ladanyi wrote:
>> Hi,
>>
>> by reading
>>
>> http://docs.openafs.org/QuickStartUnix/HDRWQ114.html
>>
>> and
>>
>> http://docs.openafs.org/Reference/1/fs_newcell.html
>>
>> I understand that a change in CellServDB on client has no effect
>> until reboot.
> The OpenAFS unix cache manager populates the list of location servers
> (vlservers) at startup.  The loaded server list can be adjusted via the
> "fs newcell" command at runtime.
>
> This behavior is specific to the OpenAFS unix cache manager.
>
> It does not apply to other cache managers nor does it apply to command
> line tools such as aklog, vos, pts, etc..  Nor does it apply to PAM modules.
>
>> So I copied the CellServDB which contains a new db server (and the old db
>> servers) which isn't online yet to clients and detected that ssh shell logins
>> and sudo tasks take a long time.
>>
>> When I removed the new db server from CellServDB ssh login and sudo
>> work great. I didn't add the new db server on client side with "fs
>> newcell" so kernel list wasn't recreated and shouldn't ask the new db
>> server because it doesn't know about it.
> Questions:
>
> * are DNS SRV records published for your cell?
no, host -t AFSDB domain reports no AFSDB record
>
> if yes, the CellServDB cell entry should contain the name of the cell
>   and an empty server list
>
> * where in the CellServDB cell list did you insert the new server?
The new server with lowest ip is at the end of the CellServDB

Andi


[OpenAFS] fs newcell / clients CellServDB / adding new db server

2018-06-13 Thread Andreas Ladanyi
Hi,

by reading

http://docs.openafs.org/QuickStartUnix/HDRWQ114.html

and

http://docs.openafs.org/Reference/1/fs_newcell.html

I understand that a change in CellServDB on client has no effect
until reboot.

So I copied the CellServDB which contains a new db server (and the old db
servers) which isn't online yet to clients and detected that ssh shell logins
and sudo tasks take a long time.

When I removed the new db server from CellServDB ssh login and sudo
work great. I didn't add the new db server on client side with "fs
newcell" so kernel list wasn't recreated and shouldn't ask the new db
server because it doesn't know about it.

Did I understand something wrong with CellServDB / fs newcell?

regards,
Andi


[OpenAFS] FreeNAS/ZFS and OpenAFS

2018-05-17 Thread Andreas Ladanyi

Hi,

I want to ask you if there is any experience of a setup with FreeNAS/ZFS
storage and OpenAFS. Do I need two server boxes, one FreeNAS storage
box and one for the OpenAFS daemons, and connect them with iscsi?


Is it possible to run the OpenAFS server services in FreeNAS? (maybe
this could be a question for the FreeNAS guys)


Does it make sense / is it a good idea to combine ZFS and OpenAFS?


Andreas







[OpenAFS] Windows 10, KDC not reachable / AFS integrated login failed

2018-01-30 Thread Andreas Ladanyi
Hi,

Windows 10 Pro , Auristor AFS client package

When starting the device, before the login screen appears, these messages
appear:


Integrated login failed - unable to reach any KDC in realm ...

or

AFS integrated login failed


before it is possible to enter credentials at windows login box (display
manager).

So there is no access to afs path after first login.

If login / logout / login then there is access to afs path.


So is the kerberos / afs client starting too early before network
settings are set?

Is it possible to start kerberos client and afs client after entering
the credentials at windows 10?


regards,

Andreas



Re: [OpenAFS] Windows 10, OpenAFS 1.7, heimdal 7.4 kerberos enctype issue

2018-01-22 Thread Andreas Ladanyi
Hi Dirk,

> Am 19.01.2018 um 09:28 schrieb Andreas Ladanyi:
>
>> I try to set up windows 10, heimdal kerberos for windows and network
>> identity manager.
>
> You don't need all this anymore nowadays. The Auristor installer
> <https://www.auristor.com/openafs/client-installer> should contain all
> you need.
I don't know why and what's the difference but after setting up this
package it works.

Thank you.

cheers,
Andreas
>
> HTH...
>
>     Dirk



[OpenAFS] Windows 10, OpenAFS 1.7, heimdal 7.4 kerberos enctype issue

2018-01-19 Thread Andreas Ladanyi
Hi,

I try to set up windows 10, heimdal kerberos for windows and network
identity manager.

The network identity manager log tells me this kerberos error code
-1765328370 which tells me that enctype is not supported.

It seems that I get a kerberos 5 tgt at network identity manager, but I
never get an afs token.

If I try to get a tgt for my principal with kinit and check it with
klist I get a tgt for my user principal.

aklog -d tells me -1765328370 for the afs service principal and so I
don't get an afs token.


allow_weak_crypto = true is set in the ProgramData/Kerberos/krb5.conf

Any ideas ?

cheers,
Andreas







Re: [OpenAFS] Windows 10 Pro and OpenAFS Client

2017-12-11 Thread Andreas Ladanyi
Hi Anders,

I don't know enough about driver signing / driver verification on windows
and I don't know how you tested.

Did you set the system date to some timestamp in the future at 2018 or
later?

Is there some other driver verification magic which we couldn't test for
failing today?


Andreas

> Hello again,
>
> We made this test with secure boot enabled. Could still install the client 
> "in the future".
>
> We tried this on versions 1607, 1703 and 1709.
>
> MVH
> Anders
>
>



Re: [OpenAFS] Windows 10 Pro and OpenAFS Client

2017-12-09 Thread Andreas Ladanyi

Hi,


On 2017-12-08 13:20, Anders Nordin wrote:

Hello,

What does this mean exactly? Will it be possible to install the OpenAFS-client
after 31.12.2017? Is it just an academic problem? We set a computer's BIOS to
the future, installed the OS (non-networked) and then installed the client
(non-networked), and it worked fine.

It is a real issue.
Because Windows 10 compatibility is only signed with secure mode. Also
the new Windows secure settings and anti-malware tools do only work in
secure mode reliably.
Also some companies do have the need to enable secure boot.

And, nevertheless, no one knows what changes MS will do next time
without announcing it.

OpenAFS needs a sustainable big contribution into the MS branch with
getting a MS signature and be a valid kernel driver for the next years.
If I understand it correctly Auristor offers a signed AFS client for
windows? So when using it after 31.12.2017 it will work?


Too bad my group can't do that (20 people only) and so we do migrate away
from the AFS.



regards,
Andreas


Re: [OpenAFS] Windows 10 Pro and OpenAFS Client

2017-12-05 Thread Andreas Ladanyi
Hi,
>
> But take care, depending on the setup of your windows (secure boot,etc.)
> OpenAFS will no more work on windows after 31.12.2017, as the kernel
> module has no more a valid signature (in the def. of MS).
If I understand the facts correctly I have two options:

1. I use the windows client package from auristor which is signed by
microsoft?
2. I use the UEFI boot option without Secure Boot and switch my windows
10 setup into the test signing mode for using the unsigned driver (after
31.12.2017) in the OpenAFS windows client package.


Andreas


Re: [OpenAFS] Windows 10 Pro and OpenAFS Client

2017-11-30 Thread Andreas Ladanyi
Hi Lars,
> On 2017-11-29 17:02, Andreas Ladanyi wrote:
>> Hi,
>>
>> what is your experience with Windows 10 Pro and the latest package
>> OpenAFS for Windows ?
>>
>> Is there anything special that I have to consider at OpenAFS for Windows
>> setup and at daily operating on the client?
> Worked fine over here for years now. Depending on your setup of the cell
> you do/do not need integrated login and some other special options. In
> general you just need to enter your cell name and it works quite well.
>
> But take care, depending on the setup of your windows (secure boot,etc.)
> OpenAFS will no more work on windows after 31.12.2017, as the kernel
> module has no more a valid signature (in the def. of MS).

Ok, so do I have to set up a new Windows 10 on the new system with legacy
boot and turn off driver verification in future setups?

cheers and thanks,
Andreas



>
>> Regards,
>>
>> Andreas
>>
>>
>
> MfG,
> Lars Schimmer



[OpenAFS] Windows 10 Pro and OpenAFS Client

2017-11-29 Thread Andreas Ladanyi
Hi,

what is your experience with Windows 10 Pro and the latest package
OpenAFS for Windows ?

Is there anything special that I have to consider at OpenAFS for Windows
setup and at daily operating on the client?


Regards,

Andreas



Re: [OpenAFS] mod_waklog question

2017-07-24 Thread Andreas Ladanyi
Hi Jason,

I want to give feedback that I found the issue in the past.

The problem was that not all subdirectories were set with the AFS apache
username and rl permission because I was using "fs sa " instead of
"find  -type d -exec fs sa  ".

So now it seems to work :-)

thanks and regards,
Andreas

> Andreas,
>
> Try modifying your systemd unit file to add the "-t" parameter as follows:
>> ExecStart=/usr/bin/k5start -o apache -K30 -t -f /etc/httpd.keytab httpd-principal-name -- /usr/sbin/httpd $OPTIONS -DFOREGROUND
>
> The "-t" option runs the aklog command to grab tokens. I don't use
> this because my AFS folders are granted via IP ACLs and the kerberos
> credentials are only used for accessing kerberized SMB shares.
I already used the -t option.
>
> Sincerely,
> Jason





Re: [OpenAFS] mod_waklog question

2017-07-13 Thread Andreas Ladanyi
Hi Jason,

i tried out your systemd config as below. I have a CentOS 7 box.

k5start and Apache starts.

pstree:


k5start───httpd───10*[httpd───2*[{httpd}]]


less /proc/fs/openafs/unixusers:
===

UID/PAG Refs States  Cell  ViceID Tok Set 
Tok Begin Tok Expire vno  NFS Client UID/PAG Client UID Sysname(s)
 00 0005cellname  0  1499920292 1499920290
1499963490 256
  10000 0005cellname  1  1499930214 1499930215
1499966212 256
10918604580 0005cellname  29787  1499931869 1499931870
1499967869 256



The ViceID 29787 is the afs id of the correct afs username
(afsweb.fqdn_of_the_host) in pts. The keytab which k5start reads
contains the kerberos principal (afsweb/fqdn_of_the_host@REALM).

I set read (rl) permission for the afs username afsweb.fqdn_of_the_host
(29787) on the folder which contains the webfiles and "lookup" permission
on all parent folders of the webfolder. Apache tells me it can't access
the webfolder (DocumentRoot).

Another problem I found is that apache can't open logfiles in the afs path
and can't start:
(13)Permission denied: AH00091: httpd: could not open error log file
/afs/.

sestatus:
=

SELinux status: enabled
SELinuxfs mount:/sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode:   permissive
Mode from config file:  error (Success)
Policy MLS status:  enabled
Policy deny_unknown status: allowed
Max kernel policy version:  28


regards,
Andreas

> Hi Andreas,
>
> Getting systemd, apache, and kstart to play nice took a little bit of
> work. I have included a sanitized copy of my Apache systemd unit file.
> Be sure to modify the ExecStart line to have the correct keytab
> location and principal name.
>
> I have NOT tested this in selinux enforcing mode, so beware.
>
> I think that kstart does create a new PAG, but I'm not certain. Be
> sure to verify that by running bash via kstart, then running "id" to
> see if an extra high-numbered numeric group appears. If no new PAG is
> created, then you might play with the pagsh command.
>
> Sincerely,
> Jason
>
> cut
> [Unit]
> # customized unit file to start apache with a kerberos keytab
> Description=The Apache HTTP Server
> After=network.target remote-fs.target nss-lookup.target
> Documentation=man:httpd(8)
> Documentation=man:apachectl(8)
>
> [Service]
> Type=notify
> EnvironmentFile=/etc/sysconfig/httpd
> ExecStart=/usr/bin/k5start -o apache -K30 -f /etc/httpd.keytab httpd-principal-name -- /usr/sbin/httpd $OPTIONS -DFOREGROUND
> ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
> ExecStop=/bin/kill -WINCH ${MAINPID}
> # We want systemd to give httpd some time to finish gracefully, but still want
> # it to kill httpd after TimeoutStopSec if something went wrong during the
> # graceful stop. Normally, Systemd sends SIGTERM signal right after the
> # ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
> # httpd time to finish.
> KillSignal=SIGCONT
>
> # allow k5start child processes (i.e. apache) to notify system that it's up
> NotifyAccess=all
> PrivateTmp=false
>
> [Install]
> WantedBy=multi-user.target
> cut
>





Re: [OpenAFS] mod_waklog question

2017-07-12 Thread Andreas Ladanyi
Hi Ben,

Now I only enabled the module in Apache without any directory / location
directive which points to the afs filesystem path. For testing.

I had a look at error_log and mod_waklog renews the token sometimes a day.

> I am far from an expert on mod_waklog (mostly, I just sat through a 
> presentation
> or two on it and never used it), but I had the impression that it was
> normally used to get credentials from the remote user, [by some unspecified
> mechanism populate KRB5CCNAME with a krb5 ccache for that user], and then
> aklog to let apache access AFS as the remote user for servicing that given
> request, then clean up/unlog the acquired token.  
yes, this seems to be the main idea of waklog.
> That doesn't really seem
> consistent with what you describe, which is as if apache has a keytab of
> its own and is using *those* kerberos credentials (not those of the remote
> user) to acquire a token.  
Yes, I configured a Kerberos credential and keytab for Apache and told
waklog to use them. As I wrote, waklog renews them sometimes.

> If that's the case, then that a token expires
> is not very surprising, but I could not comment about whether expecting
> automatic renewal is reasonable, since I don't know about that use case
> at all.
>
> -Ben







Re: [OpenAFS] mod_waklog question

2017-07-11 Thread Andreas Ladanyi
Hi Jason,
> Hi Andreas,
>
> Getting systemd, apache, and kstart to play nice took a little bit of
> work. I have included a sanitized copy of my Apache systemd unit file.
> Be sure to modify the ExecStart line to have the correct keytab
> location and principal name.
>
> I have NOT tested this in selinux enforcing mode, so beware.
selinux is in permissive mode.
>
> I think that kstart does create a new PAG, but I'm not certain. Be
> sure to verify that by running bash via kstart, then running "id" to
> see if an extra high-numbered numeric group appears. If no new PAG is
> created, then you might play with the pagsh command.
k5start -t -f keytab principal_for_httpd bash
results in a new bash shell with the same user id and, because of the -t switch,
it creates a new AFS service token. A new /tmp/krb5cc file is created.

How could I verify whether a new PAG is created or not?

Thanks for the systemd snippet.

regards,
Andreas
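
The check suggested in the quoted reply (run "id" and look for an extra high-numbered numeric group) can be scripted. This is an added example, not part of the original thread; it assumes the OpenAFS Linux client's one-group PAG encoding (a gid whose top byte is 0x41), and the function names and sample gid lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a process is in an AFS PAG by looking at its
# supplementary groups, as suggested in the quoted reply ("id" shows an extra
# high-numbered numeric group).
#
# Assumption: the OpenAFS Linux client's one-group PAG encoding, where the PAG
# appears as a gid whose top byte is 0x41 ('A'), i.e. 0x41000000-0x41ffffff.

PAG_MIN=1090519040   # 0x41000000
PAG_MAX=1107296255   # 0x41ffffff

# pag_gids "<output of id -G>": print every gid that falls in the PAG range.
pag_gids() {
    for gid in $1; do
        case $gid in
            ''|*[!0-9]*) continue ;;   # skip anything that is not a number
        esac
        if [ "$gid" -ge "$PAG_MIN" ] && [ "$gid" -le "$PAG_MAX" ]; then
            printf '%s\n' "$gid"
        fi
    done
}

# compare_pag "<parent id -G>" "<child id -G>": report whether the child
# (for example the shell started by k5start) got a PAG of its own.
compare_pag() {
    parent=$(pag_gids "$1" | head -n 1)
    child=$(pag_gids "$2" | head -n 1)
    if [ -z "$child" ]; then
        echo "no-pag"          # tokens would be attached to the uid, not a PAG
    elif [ "$child" = "$parent" ]; then
        echo "inherited-pag"   # same PAG as the parent: tokens are shared
    else
        echo "new-pag"         # the child has its own PAG and its own tokens
    fi
}

# Constructed sample data (not taken from the thread): the group list of a
# login shell, and the group list seen inside a shell that was given a PAG.
SAMPLE_LOGIN="1000 4 24 27 1000"
SAMPLE_K5START="1000 4 24 27 1000 1092616231"

# On a live system, pass the output of "id -G" captured in the login shell
# and the output of "id -G" captured inside the shell started by k5start.
```
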




Re: [OpenAFS] mod_waklog question

2017-07-11 Thread Andreas Ladanyi

> mod_waklog is meant to be used as an .htaccess-style mechanism to
> let users supply credentials via a web browser so that apache can use
> those credentials to access user files. In this case, the apache
> process switches between multiple AFS users and the tokens only need
> to live for the brief life of the http request/session.
>
> Your timeout issues suggest that you are running apache with
> long-running tokens as a single user and those tokens need to be
> automatically renewed. If you're using this "apache needs persistent
> AFS access via a service account" use case, then you need to use
> k5start and a local keytab:
> https://www.eyrie.org/~eagle/software/kstart/k5start.html
> 
OK. So I have to add k5start [options] .. /usr/bin/httpd . in
the default systemd start script from Apache.

Something like:

ExecStart=/usr/bin/k5start -b -t -k /tmp/k5start_httpd -f keytab -K 10 -l 10h principal_from_keytab /usr/sbin/httpd $OPTIONS -DFOREGROUND

If I understand it correctly, k5start will get a new TGT, create a
new PAG and call aklog to get an AFS token, which is put into the PAG of
the parent process.

So I have to play with the flags -b, -K, -t.

Does kinit/k5start or aklog create a new PAG in general? I would say aklog.

>
> k5start is available in EPEL. I think there are debian packages as well.
>
> Jason
>
>
> ---
> Jason Edgecombe | Linux Administrator
> UNC Charlotte | The William States Lee College of Engineering
> 9201 University City Blvd. | Charlotte, NC 28223-0001
> Phone: 704-687-1943 
> jwedg...@uncc.edu  | http://engr.uncc.edu |
> ---





[OpenAFS] mod_waklog question

2017-07-03 Thread Andreas Ladanyi
Hi,

I am testing Apache2 with mod_waklog.

When will waklog auto-renew the ticket/token?

After Apache has been running for some time, I get error messages in the
Apache log that Apache can't write to the AFS path. Maybe this could be
because the ticket/token is invalid.

I would expect that waklog will renew this automatically?!

Or do I have to restart Apache every day or increase the ticket lifetime
to an exorbitant number?

regards,
Andreas









Re: [OpenAFS] 1.6.20 pam_afs_session bug ?

2017-04-10 Thread Andreas Ladanyi
Hi,

just for info.

Dirk's suggestion to work around the problem by removing the
dbus-user-session package removes the issue in a first test.


Andreas
> On Thu, Apr 06, 2017 at 10:05:19AM +0200, Andreas Ladanyi wrote:
>> On 31.03.2017 at 22:18, Benjamin Kaduk wrote:
>>> On Thu, Mar 30, 2017 at 03:53:24PM +0200, Andreas Ladanyi wrote:
>>>> Hi guys,
>>>>
>>>> I tested:
>>>>
>>>> Ubuntu 16.10, Gnome, Kernel 4.8
>>>>
>>>> current OpenAFS 1.6.20 from ppa.
>>>>
>>>> After relogin from the screensaver dialog the Kerberos TGT and AFS service
>>>> ticket are renewed but the AFS token isn't renewed. There is no
>>>> "always_aklog" flag on the pam_afs_session.so line in the pam common-auth file.
>>>>
>>>> If I try this relogin procedure with OpenAFS 1.6.18 from the distro repo
>>>> the AFS token is also renewed.
>>> Hmm, to have a new afs service ticket obtained (after the new TGT)
>>> would indicate that pam_afs_session is still running and doing
>>> something, but presumably failing to actually insert the token into
>>> the appropriate PAG.  Unfortunately, pam_afs_session is mostly
>>> unmaintained these days (I don't believe that Russ found anyone to
>>> take it over), so it seems like the most prudent suggestion would be
>>> to see whether always_aklog helps.
>>>
>>> -Ben
>> Now it seems there is the same problem with 1.6.18 and 1.6.20 on Ubuntu
>> 16.10 (kernel 4.8).
>>
>> In both cases the screensaver calls PAM and the pam_afs_session setcred,
>> and setcred is running aklog for the correct AFS user ID.
>>
>> If I run aklog manually in the terminal because the AFS token time is not
>> updated by pam_afs_session, then the token time is updated.
>>
>> How is it possible to debug the path from PAM calling setcred, which runs
>> aklog, through to the PAG? Could the PAG and its content be printed to
>> the terminal?
>>
>> On Ubuntu 14.04, kernel 4.4, there seems to be no problem with 1.6.20.
> Hmm, this feels more like systemd fallout, the more I think about
> it.  (Ubuntu 16.10 is on systemd now, right?)
> It seems like a useful debugging step would be to determine the
> process hierarchy when the screensaver is calling into
> pam_afs_session, and also what keyring entry is being used to hold
> tokens.  (That could then be compared to the keyring entry holding
> tokens in the interactive user session.)  IIRC we had reports that
> the problem is flipped from what one might expect, namely that the
> user's terminals could be started from systemd and lose the login
> session, and the screensaver properly updating tokens in the login
> session, which just aren't used.  But that's quite a bit of
> speculation, of course.
>
> (No, I don't know how to get the keyring entry used for tokens from
> the context of a pam module, offhand, sorry.)
>
> -Ben






Re: [OpenAFS] 1.6.20 pam_afs_session bug ?

2017-04-10 Thread Andreas Ladanyi
On 07.04.2017 at 05:41, Benjamin Kaduk wrote:
> Hmm, this feels more like systemd fallout, the more I think about
> it.  (Ubuntu 16.10 is on systemd now, right?)
Yes.
> It seems like a useful debugging step would be to determine the
> process hierarchy when the screensaver is calling into
> pam_afs_session,

Are you talking about the PAM debug log output from PAM common-auth?
Output of pstree?

> and also what keyring entry is being used to hold
> tokens.  (That could then be compared to the keyring entry holding
> tokens in the interactive user session.)  
gnome-keyring


Andreas








Re: [OpenAFS] 1.6.20 pam_afs_session bug ?

2017-04-07 Thread Andreas Ladanyi
On 07.04.2017 at 06:26, Dirk Heinrichs wrote:
> On 07.04.2017 05:41, Benjamin Kaduk wrote:
>
>> Hmm, this feels more like systemd fallout, the more I think about
>> it.  (Ubuntu 16.10 is on systemd now, right?)
>
> Now that you mention it: I've also had some problem with lost tokens
> on Debian Stretch a few months ago, where lots of messages about
> unwritable files started popping up in KDE (with user's $HOME in AFS).
> Uninstalling dbus-user-session solved it for me.
I don't know the reason and details yet, but this solution seems to work
in a first test.
>
> Please look up Debian bug #846377 for reference.
OK. Thanks.
>
> HTH...
>
> Dirk
regards,
Andreas




Re: [OpenAFS] 1.6.20 pam_afs_session bug ?

2017-04-06 Thread Andreas Ladanyi
On 31.03.2017 at 22:18, Benjamin Kaduk wrote:
> On Thu, Mar 30, 2017 at 03:53:24PM +0200, Andreas Ladanyi wrote:
>> Hi guys,
>>
>> I tested:
>>
>> Ubuntu 16.10, Gnome, Kernel 4.8
>>
>> current OpenAFS 1.6.20 from ppa.
>>
>> After relogin from the screensaver dialog the Kerberos TGT and AFS service
>> ticket are renewed but the AFS token isn't renewed. There is no
>> "always_aklog" flag on the pam_afs_session.so line in the pam common-auth file.
>>
>> If I try this relogin procedure with OpenAFS 1.6.18 from the distro repo
>> the AFS token is also renewed.
> Hmm, to have a new afs service ticket obtained (after the new TGT)
> would indicate that pam_afs_session is still running and doing
> something, but presumably failing to actually insert the token into
> the appropriate PAG.  Unfortunately, pam_afs_session is mostly
> unmaintained these days (I don't believe that Russ found anyone to
> take it over), so it seems like the most prudent suggestion would be
> to see whether always_aklog helps.
>
> -Ben
Now it seems there is the same problem with 1.6.18 and 1.6.20 on Ubuntu
16.10 (kernel 4.8).

In both cases the screensaver calls PAM and the pam_afs_session setcred,
and setcred is running aklog for the correct AFS user ID.

If I run aklog manually in the terminal because the AFS token time is not
updated by pam_afs_session, then the token time is updated.

How is it possible to debug the path from PAM calling setcred, which runs
aklog, through to the PAG? Could the PAG and its content be printed to
the terminal?

On Ubuntu 14.04, kernel 4.4, there seems to be no problem with 1.6.20.

regards,
Andreas





Re: [OpenAFS] 1.6.20 pam_afs_session bug ?

2017-03-31 Thread Andreas Ladanyi
Hi Dave,
> What does your pam config file for the screensaver look like?
the gnome-screensaver pam config file:

@include common-auth
auth optional pam_gnome_keyring.so

common-auth config file:

auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so debug
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_afs_session.so
auth    optional                        pam_cap.so
# end of pam-auth-update config


pam_afs_session is configured as optional and without always_aklog ...

On Ubuntu 16.04, AFS 1.6.20 from ppa, kernel 4.4, it is fine. Same PAM
config as in this post for Ubuntu 16.10.



>
> On Thu, Mar 30, 2017 at 03:53:24PM +0200, Andreas Ladanyi wrote:
>> Hi guys,
>>
>> I tested:
>>
>> Ubuntu 16.10, Gnome, Kernel 4.8
>>
>> current OpenAFS 1.6.20 from ppa.
>>
>> After relogin from the screensaver dialog the Kerberos TGT and AFS service
>> ticket are renewed but the AFS token isn't renewed. There is no
>> "always_aklog" flag on the pam_afs_session.so line in the pam common-auth file.
>>
>> If I try this relogin procedure with OpenAFS 1.6.18 from the distro repo
>> the AFS token is also renewed.
>>
>>
>> regards,
>>
>> Andreas
>>
>>
>
>







[OpenAFS] 1.6.20 pam_afs_session bug ?

2017-03-30 Thread Andreas Ladanyi
Hi guys,

I tested:

Ubuntu 16.10, Gnome, Kernel 4.8

current OpenAFS 1.6.20 from ppa.

After relogin from the screensaver dialog the Kerberos TGT and AFS service
ticket are renewed but the AFS token isn't renewed. There is no
"always_aklog" flag on the pam_afs_session.so line in the pam common-auth file.

If I try this relogin procedure with OpenAFS 1.6.18 from the distro repo
the AFS token is also renewed.


regards,

Andreas






Re: [OpenAFS] Connection timed out - problem with cache manager?

2016-11-30 Thread Andreas Ladanyi
I am not sure. I don't know your kernel version.

Maybe the reason is the old AFS client module version. There has been a
problem with the splice kernel function since kernel 4.4 and backports.

We are using the OpenAFS ppa repository
(https://launchpad.net/~openafs/+archive/ubuntu/stable) on Ubuntu releases
below 16.10 because this problem is solved in OpenAFS >= 1.6.18, which
isn't part of the Ubuntu repo below 16.10.

I hope this helps you.

regards,
Andreas

> Some users at our site reports problems with downloading files
> directly to AFS (and this problem has existed for years).
>
> I'm now working to try to find the cause. Just to eliminate the
> server, we have moved the user's volume to our YFS server, but we
> experience exactly the same problem.
>
> I can't seem to reproduce it on my own machine (Ubuntu 14.04.1 LTS
> with openafs client 1.6.7-1ubuntu1.1).
>
> However, the machine where I have managed to reproduce the problem is
> a terminal server (with lots of users). It's a Ubuntu 12.04.5 LTS with
> openafs version 1.6.1-1+ubuntu0.7.
>
> The AFS cache is set to:
> > cat /etc/openafs/cacheinfo
> /afs:/cache/openafs:500
>
>
> What happens is this:
> I run a wget (from siemens in this case, but probably not important).
> The wget either aborts at 70% or so, with a "Connection timed out",
> or, as happened for me just now:
>
> HTTP request sent, awaiting response... 200 OK
> Length: 1983588866 (1,8G) [application/zip]
> Saving to: `nx-9.0.3.zip.1'
>
> 100%[>] 1 983 588 866 17,7M/s   in 1m 50s
>
> utime(nx-9.0.3.zip.1): Connection timed out
> 2016-11-30 11:33:39 (17,3 MB/s) - `nx-9.0.3.zip.1' saved [1983588866/1983588866]
>
> So, the file downloaded 100% (to the AFS cache). Then there was a
> delay for some time before the error popped up (while flushing the
> cache, I would guess).
>
> If I look at the resulting file, I see that it's corrupt.
>
> Downloading to local disk first, and then copy to AFS seems to work
> every time.
>
> Does anyone recognize this problem?
>
> /Staffan
>






Re: [OpenAFS] Moving volumes between different cell and different realm names

2016-10-11 Thread Andreas Ladanyi
On 10.10.2016 at 17:24, Jeffrey Altman wrote:
>>> And you need to install the keys from Cell B onto the fileserver.
>> The old AFS server doesn't support rxkad, only single DES.
>> The new AFS server works with rxkad.
>>
>> Is this a problem ?
> I believe you meant to say the new afs server uses rxkad-k5+kdf.
Yes, thank you  :-)
>
> If you have deployed non-DES keys to Cell B, then you cannot move the
> fileserver from Cell A to Cell B unless you first upgrade the fileserver
> to a version of OpenAFS that supports rxkad-k5+kdf.
OK, so I have to upgrade the old AFS server (now cell A and in future
cell B, realm A) to at least release 1.6.5 to use the rxkad-k5+kdf
extension and copy the non-DES keys from the new AFS server (cell B,
realm B) to the old AFS server?

Or do I have to switch the new AFS server back to single DES key mode and
copy the key from the old AFS server using single DES to the new AFS
server, but only for the vos move process?


>
> Jeffrey Altman
>
Andreas





Re: [OpenAFS] Moving volumes between different cell and different realm names

2016-10-10 Thread Andreas Ladanyi
On 07.10.2016 at 22:58, Jeffrey Altman wrote:
>
>>
>> I read the thread:
>> https://lists.openafs.org/pipermail/openafs-info/2009-March/031004.html
>>
>> So if i understand the thread and man pages correctly i could do the
>> following steps:
> Step 0.  Shutdown all of the AFS services on the server you want to
> relocate to a new cell.
>
>> 1. change entries CellServDB / ThisCell on the old OpenAFS server
>> (current config is Cell A) to Cell B.
> And you need to install the keys from Cell B onto the fileserver.
The old AFS server doesn't support rxkad, only single DES.
The new AFS server works with rxkad.

Is this a problem?

>
> AFS servers do not know or care about the realms.   The servers within a
> cell all must share the same server configuration (ThisCell, CellServDB,
> and keys).
>
> You cannot move a volume between cells with the OpenAFS vos command.
I know this. This is the reason why I want to relocate the old AFS
server cell name to the new cell name and then move the volumes.
>
> With AuriStorFS it is possible to copy volumes between cells.  A volume
> once copied can be removed from the source if that is desired.
So this feature won't be implemented in OpenAFS in the future?

What's up with the release of OpenAFS 1.8?
>
> Jeffrey Altman
>
>
regards,
Andreas





Re: [OpenAFS] /afs is empty

2016-10-08 Thread Andreas Ladanyi

On 7 Oct 2016, at 9:48, Andreas Ladanyi wrote:


Hi,

my problem on one afs client is that /afs is empty.

Ubuntu 12.04: 3.2.0-109-generic, OpenAFS 1.6.18.3-1 from PPA

openafs-client restart doesn't help.

ps ax | grep afsd:

 1232 pts/0    S+     0:00 grep afsd
27942 ?        Ss     0:00 /sbin/afsd -afsdb -fakestat
27944 ?        S      0:00 [afsd]

Do you have the correct cell-name in your ThisCell file?
(make sure it's the same as what you have for ThisCell on the
afs-clients where afs is working)


This is correct.

I found out that the AFS client daemon was running with dynroot=false. I
set it to dynroot=true. Maybe there was a change from the old to the
new ppa package.


Now I can see the cell in /afs



Re: [OpenAFS] /afs is empty

2016-10-07 Thread Andreas Ladanyi

Hi,

I rebooted this system and now kernel 3.2.0-110-generic is running. Same
issue.


Andreas


Hi,

my problem on one afs client is that /afs is empty.

Ubuntu 12.04: 3.2.0-109-generic, OpenAFS 1.6.18.3-1 from PPA

openafs-client restart doesn't help.

ps ax | grep afsd:

 1232 pts/0    S+     0:00 grep afsd
27942 ?        Ss     0:00 /sbin/afsd -afsdb -fakestat
27944 ?        S      0:00 [afsd]


lsmod:

Module  Size  Used by
openafs   798728  2


vos listvldb / listvol:

lists the volumes


tokens:

shows me my afs tokens after kinit / aklog:


pts listentries:

shows me the afs users


/var/log/syslog shows messages from the kernel which belong to AFS:

afs: WARM shutting down of: vcaches... BkG... CB... afs... CTrunc... 
AFSDB... RxEvent... UnmaskRxkSignals... RxListener... ALL allocated 
tables... done


enabling dynamically allocated vcaches
 Starting AFS cache scan...found 902 non-empty cache files (11%).

afs: WARM shutting down of: vcaches... BkG... CB... afs... CTrunc... 
AFSDB... RxEvent... UnmaskRxkSignals... RxListener... ALL allocated 
tables... done


enabling dynamically allocated vcaches
Starting AFS cache scan...found 870 non-empty cache files (11%).


ls /var/cache/openafs/:

CacheItems  CellItems  D0  D1  D2  D3  VolumeItems


Any ideas for this mysterious behavior ?


regards,

Andreas





Re: [OpenAFS] /afs is empty

2016-10-07 Thread Andreas Ladanyi

On 07.10.2016 at 15:56, Stephan Wiesand wrote:

On 7 Oct 2016, at 15:48, Andreas Ladanyi <andreas.lada...@kit.edu> wrote:

my problem on one afs client is that /afs is empty.

Is AFS actually mounted on /afs ?

- Stephan

mount:

AFS on /afs type afs (rw)


Re: [OpenAFS] Problem restore / mount volume

2016-06-27 Thread Andreas Ladanyi
Hi,

I want to thank you for the answers and report that restoring and mounting
works on another system: Ubuntu 12.04, kernel 3.2.0, afs-client 1.6.17.

regards,
Andreas






Re: [OpenAFS] Problem restore / mount volume

2016-06-21 Thread Andreas Ladanyi
Hi Kostas,
> Hi,
>
> On my site, such behaviour by ls was the result of client AFSd cache
> being trashed, eg by cache partition running out of space. Maybe worth
> checking it out.
fs getcacheparms
AFS using 1187 of the cache's available 10 1K byte blocks.

Andreas





Re: [OpenAFS] Problem restore / mount volume

2016-06-21 Thread Andreas Ladanyi
Hi,
> By any chance was the mount point created before the "user.test" volume
> was restored or was the volume restored, removed, and restored again?
No.
>
> I'm thinking the client might have cached a volume id for "user.test"
> that is no longer valid.  If that is the case, try
>
>   fs checkvolume
I tried. No success.
>
> The other question that comes to mind is, what are the ACLs on the root
> directory of the user.test volume?   Does the current user have at least
> lookup permission?
Yes, I mounted the restored volume to a folder "user.test" in my user
AFS home path. I also have an admin token. The user admin is in the UserList
of the AFS server. So I should be able to do everything.
>
> Finally, what version of the file server is hosting the volume?
1.6.1 , Solaris 10


Old situation on client:
==

vos examine user.test
user.test 536875364 RW 1828930 K  On-line

vos listvldb user.test
user.test
   RWrite: 536875364
number of sites -> 1
   server xyz partition /vicepa RW Site

New situation on client:
==

fs mkmount doesn't work anymore.

fs mkmount -dir user.test -vol user.test
fs:'user.test': No such device



>
> Jeffrey Altman
>
>
regards,
Andreas





Re: [OpenAFS] Problem restore / mount volume

2016-06-21 Thread Andreas Ladanyi

> What does the log of the afs fileserver tell you, on which the volume
> resides?
On afs server:

FileLog:
fssync: breaking all call backs for volume 536875364

VolserLog:
Volser: CreateVolume: volume 536875364 (user.test) created
> Looks like the user.test volume is not online.
vos examine user.test
user.test 536875364 RW 1828930 K  On-line


regards,
Andreas





Re: [OpenAFS] Problem restore / mount volume

2016-06-21 Thread Andreas Ladanyi

> Try to salvage that volume/partition.
Ok. No change.






[OpenAFS] Problem restore / mount volume

2016-06-21 Thread Andreas Ladanyi
Hi,

vos restore -server xyz -partition a -name user.test  -file
/san/xyz_full_backup_volume

vos listvldb user.test:

user.test
RWrite: 536875364
number of sites -> 1
   server .. partition /vicepa RW Site

"fs mkmount -dir user.test -vol user.test" in my directory in afs rw path.

ls -la in the directory:

d??   ? ? ?  ? ? user.test

ls -la user.test:

ls: Could not access to user.test: No such device

Any ideas ?


Thanks and regards,

Andreas






Re: [OpenAFS] failed to write to cache items off

2016-05-19 Thread Andreas Ladanyi
> What filesystem is used for the disk cache?
We use a disk cache on an ext4 filesystem on an SSD drive.
>
> -Ben
>
> On Wed, 18 May 2016, Andreas Ladanyi wrote:
>
>> Hi,
>>
>> I found this error in syslog of an Ubuntu 14.04.4 client, openafs-client
>> from ppa archive:
>>
>> afs: failed to write to CacheItems off 1997620 code -4/80
>> openafs: assertion failed: afs_WriteDCache(tdc, 1) == 0, file:
>> /var/lib/dkms/openafs/1.6.17/build/src/libafs/MODLOAD-4.2.0-35-generic-SP/afs_dcache.c,
>> line: 1256
>> kernel: [782621.977138] kernel BUG at
>> /var/lib/dkms/openafs/1.6.17/build/src/libafs/MODLOAD-4.2.0-35-generic-SP/afs_dcache.c:1256!
>>
>> []  []
>> afs_GetDownDSlot.constprop.15+0x154/0x180 [openafs]
>> [] afs_UFSGetDSlot+0x48a/0x5d0 [openafs]
>> [] afs_FindDCache+0xdf/0x240 [openafs]
>> [] afs_linux_readpages+0x2b1/0x890 [openafs]
>> [] afs_GetDownDSlot.constprop.15+0x154/0x180 [openafs]
>>
>> Something seems to be wrong when writing to afs cache.
>>
>> regards,
>> Andreas
>>
>>
>>


-- 

Karlsruher Institut für Technologie (KIT)
Fakultät für Informatik
ATIS – Abteilung Technische Infrastruktur

Dipl.-Ing. Andreas Ladanyi
- System administrator -

Am Fasanengarten 5, Gebäude 50.34, Raum 013
76131 Karlsruhe

Phone: +49 721 608 - 4 3663
Fax: +49 721 608 - 4 6699
E-mail: andreas.lada...@kit.edu
www.atis.informatik.kit.edu

www.kit.edu

KIT - University of the State of Baden-Württemberg and National Research Center
of the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.





[OpenAFS] failed to write to cache items off

2016-05-18 Thread Andreas Ladanyi
Hi,

I found this error in syslog of an Ubuntu 14.04.4 client, openafs-client
from ppa archive:

afs: failed to write to CacheItems off 1997620 code -4/80
openafs: assertion failed: afs_WriteDCache(tdc, 1) == 0, file:
/var/lib/dkms/openafs/1.6.17/build/src/libafs/MODLOAD-4.2.0-35-generic-SP/afs_dcache.c,
line: 1256
kernel: [782621.977138] kernel BUG at
/var/lib/dkms/openafs/1.6.17/build/src/libafs/MODLOAD-4.2.0-35-generic-SP/afs_dcache.c:1256!

[]  []
afs_GetDownDSlot.constprop.15+0x154/0x180 [openafs]
[] afs_UFSGetDSlot+0x48a/0x5d0 [openafs]
[] afs_FindDCache+0xdf/0x240 [openafs]
[] afs_linux_readpages+0x2b1/0x890 [openafs]
[] afs_GetDownDSlot.constprop.15+0x154/0x180 [openafs]

Something seems to be wrong when writing to afs cache.

regards,
Andreas






Re: [OpenAFS] Support for Mac OSX 10.10 ( El capitan )

2016-04-11 Thread Andreas Ladanyi
Hi,
> Hi all,
>
> since I cannot find a release of openAFS for El Capitan, even not for
> Yosemite. I was wondering whether OS/X is still supported or is it
> abandoned. 
> Can someone give some more insight in this, since it gives some doubt
> in our present idea of transferring the company file sharing
> infrastructure to AFS.

Auristor is compatible with OpenAFS, so I think the Auristor client for
OS/X could help you. I never tried it myself.

https://www.auristor.com/openafs/client-installer/ -> click on
"available installers".
>
> Regards,
>
> Tim
regards,
Andreas




Re: [OpenAFS] openafs client crashs after ubuntu kernel update

2016-04-07 Thread Andreas Ladanyi
Hi Ben,
> On Tue, 5 Apr 2016, Andreas Ladanyi wrote:
>
>> Hi,
>>
>> openafs client tells me unable to create file / connection timeout
>> messages.
>>
>> It seems that this behavior appears when installing the latest kernel
>> version of Ubuntu 15.10 and 14.04 LTS and maybe soon in 12.04 LTS (which
>> I didn't upgrade yet).
>>
>> This problem occurs, for example, with Ubuntu kernel releases 4.2.0-35,
>> 3.13.0-77, 3.13.0-83
>> This problem does not occur, for example, with Ubuntu kernel releases 4.2.0-27,
>> 3.13.0-24, 3.19.0-25
> (e.g.) linux (4.2.0-28.33) introduces:
>
>   * vfs: Make sendfile(2) killable even better
> - LP: #1536370
>
> which is known to cause issues for openafs.
> https://gerrit.openafs.org/#/c/12228/ is believed to be a workaround; you
> could try the PPA at https://launchpad.net/~openafs/+archive/ubuntu/stable
> to get packages including that change.

Thank you for the advice about the change of the sendfile function in the
latest Ubuntu kernels.

We use the Launchpad packages now.

Short feedback:
The workaround with afs_GenericStoreProc works in the first tests.
Colleagues told me that the workaround with afs_GenericStoreProc seems to
result in slower read/write operations.
>
> -Ben
Andreas





[OpenAFS] openafs client crashs after ubuntu kernel update

2016-04-05 Thread Andreas Ladanyi
Hi,

openafs client tells me unable to create file / connection timeout
messages.

It seems that this behavior appears when installing the latest kernel
version of Ubuntu 15.10 and 14.04 LTS and maybe soon in 12.04 LTS (which
I didn't upgrade yet).

This problem occurs, for example, with Ubuntu kernel releases 4.2.0-35,
3.13.0-77, 3.13.0-83
This problem does not occur, for example, with Ubuntu kernel releases 4.2.0-27,
3.13.0-24, 3.19.0-25


regards,
Andreas





Re: [OpenAFS] Migrating Kerberos/LDAP to Samba DC

2015-11-13 Thread Andreas Ladanyi
Hi Dirk,

You have to install some software packages on Windows to get Windows
working as an AFS client. You should read this webpage. I think this
will answer your questions about Windows and AFS.

http://openafs.org/windows.html

I know that it is possible to get AFS working with an MS AD controller,
so it should be possible to get AFS working with a Samba DC, which works
like an MS AD since release Samba 4.0.

Andreas

> Hi,
>
> I'd need to add some Windows Professional clients to my otherwise Linux
> only setup. So I thought about replacing Kerberos/LDAP with a Samba DC.
> On the Windows clients, would I still need to install a 3rd-party
> Kerberos package to access AFS, or is Windows' own implementation
> sufficient?
>
> Thanks...
>
> Dirk
>






Re: [OpenAFS] Apache2 and OpenAFS

2015-10-12 Thread Andreas Ladanyi
On 10.10.2015 at 02:26, Måns Nilsson wrote:
> Subject: Re: [OpenAFS] Apache2 and OpenAFS Date: Thu, Oct 08, 2015 at 
> 04:49:16PM +0200 Quoting Andreas Ladanyi (andreas.lada...@kit.edu):
>> I found the possibility in Apache 2 to work with the mod_waklog module
>> which does the kinit / aklog magic:
>>
>> http://www.modwaklog.org/
>>
>> Following the instructions on the following blog works:
>>
>> https://blog.inf.ed.ac.uk/toby/2009/02/04/serving-afs-space-using-apache-and-mod_waklog
> Yes, that is one option, and it is really attractive for accessing
> data that needs to carry an ACL that is similar regardless of access
> method. I've been meaning to set it up for myself for ages.
>
> However, when you want the server to have more access than both the
> generic AFS user _and_ the web client, the method outlined by Harald
> works better.
What is the generic AFS user? Are you talking about the AFS user Apache
is running as, like wwwrun?

>
> The best example for this probably is the cgi-bin directory and all those
> places you have to expose PHP code to the world. You want the directory
> to reside in AFS, because files should be in AFS (sortakinda preaching
> to the choir here) but you want to set a fairly restrictive ACL on the
> data, granting only developers, sysadmins and the running web server
> access. 
I am not sure if I understand you correctly. I think it is possible to
set different AFS user / group entries on the ACL of an AFS directory (which
contains web content)? So the web server, developers and sysadmins could
access this directory.
> OTOH, the product of running the code through the web server
> should be accessible to anyone.
You are talking about users who are not in the AFS pts database when
you say "anyone"?
> There of course might be another access
> control system in play, like login in a web app.
>
> Thus, the admittedly much coarser method giving the web server a
> ticket->token context works much better.  The two methods are different
> and have differing uses.
>

regards,
Andreas





Re: [OpenAFS] Apache2 and OpenAFS

2015-10-08 Thread Andreas Ladanyi
I found the possibility in Apache 2 to work with the mod_waklog module
which does the kinit / aklog magic:

http://www.modwaklog.org/

Following the instructions on the following blog works:

https://blog.inf.ed.ac.uk/toby/2009/02/04/serving-afs-space-using-apache-and-mod_waklog

regards,
Andreas

> Hi,
>
> I have OpenAFS volumes / mounts which contain Apache web content.
>
> My question is which is the easiest way to get a TGT/token/PAG for the
> apache user so that Apache can access the web content in the AFS
> volume.
>
> I read that one way is to use pagsh to get an authentication object
> (PAG) without login.
>
>
> regards,
> Andreas
>






Re: [OpenAFS] Apache2 and OpenAFS

2015-10-08 Thread Andreas Ladanyi
Hi Harald,

thank you for your details.

We use MIT Kerberos in FreeIPA. The kinit doesn't have a --afslog option.


> We run our web server authenticated from a keytab. The keytab contains
>
> # /usr/heimdal/sbin/ktutil --keytab=/etc/krb5.keytab.web-daemon list
> Vno  Type Principal
>   0  des3-cbc-sha1web-daemon/scat.pdc.kth...@nada.kth.se
>   0  aes128-cts-hmac-sha1-96  web-daemon/scat.pdc.kth...@nada.kth.se
>   0  arcfour-hmac-md5 web-daemon/scat.pdc.kth...@nada.kth.se
>
> Then the webserver is started with heimdal kinit (which does all the
> pagsh and renew magic) with that keytab:
>
> # ps auxgwww | grep kinit
> root 31751  0.0  0.0  39880  2100 ?SJul04   0:04 
> /usr/heimdal/bin/kinit --no-forward --no-renew 
> --keytab=/etc/krb5.keytab.web-daemon --afslog 
> web-daemon/scat.pdc.kth...@nada.kth.se /usr/sbin/httpd -DNO_DETACH -D 
> DEFAULT_VHOST -D SSL_DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D CACHE -D 
> MEM_CACHE -D DAV -D STATUS -D AUTH_DIGEST -D PROXY -D USERDIR -D REWRITE -k 
> start
>
> The web-daemon/scat.pdc.kth...@nada.kth.se principal maps to this PTS
> identity (due to historical reasons the "/" is replaced with a "." in
> the OpenAFS pts to principal naming mapping, there are folks on this
> list who happen to know exactly why)
>
> $ pts exa web-daemon.scat.pdc.kth.se -c pdc.kth.se
> Name: web-daemon.scat.pdc.kth.se, id: 65531, owner: system:administrators, 
> creator: haba.admin,
>   membership: 4, flags: S, group quota: 20.
>
> Then all web-daemons.x.y.z are member in this group:
>
> $ pts mem web-daemons  -c pdc.kth.se
> Members of web-daemons (id: -32225) are:
>   web-daemon.wrasse.pdc.kth.se
>   web-daemon.schelly.pdc.kth.se
>   web-daemon.scat.pdc.kth.se
>
> Then you give web-daemons the appropriate permissions in the file system.
>
> Harald.






[OpenAFS] Apache2 and OpenAFS

2015-10-07 Thread Andreas Ladanyi
Hi,

I have OpenAFS volumes / mounts which contain Apache web content.

My question is which is the easiest way to get a TGT/token/PAG for the
apache user so that Apache can access the web content in the AFS
volume.

I read that one way is to use pagsh to get an authentication object
(PAG) without login.


regards,
Andreas





Re: [OpenAFS] CellServDB priority of entries

2015-08-12 Thread Andreas Ladanyi
Hi Stephan,
> On 11 Aug 2015, at 09:02, Andreas Ladanyi andreas.lada...@kit.edu wrote:
>
>> I don't know if I remember correctly, but I think I read something about
>> priorities for DB server entries listed in the file CellServDB in the
>> past. I couldn't find anything in the manpage cellservdb. I think the
>> priority is given by the IP address, isn't it?
> Right. See fs_getserverprefs(1)


I had a look at fs_getserverprefs and fs_setserverprefs.

I can't see a text explanation which tells me something about the
relation between the IP address number and ranking / priority.

For example: 192.168.1.10 and 192.168.1.20,  .20  .10 so higher priority.





[OpenAFS] CellServDB priority of entries

2015-08-11 Thread Andreas Ladanyi
Hi,

I don't know if I remember correctly, but I think I read something about
priorities for DB server entries listed in the file CellServDB in the
past. I couldn't find anything in the manpage cellservdb. I think the
priority is given by the IP address, isn't it?

cheers,
Andy






Re: [OpenAFS] afsd: Error calling AFSOP_CACHEINODE: not configured

2015-07-02 Thread Andreas Ladanyi
Hi,

I solved the problem. I removed the -dynroot option for the AFSD in the
config file.

bos restart server -all doesn't help
systemd restart openafs-server script doesn't help

After rebooting my system it works. I don't know why. Is this something
with parameters in the kernel space and the openafs kernel module or the
cache?

Now I could see my cell in /afs and could create volumes and set file
system rights.

Thanks to all,
Andy

> On Thu, 2015-07-02 at 15:42 +0200, Andreas Ladanyi wrote:
>> fs la /afs/
>> fs: Invalid argument; it is possible that /afs/ is not in AFS.
>>
>> fs mkmount /afs/cellname root.cell
>> fs: mount points must be created within the AFS file system
> If you're using dynroot, /afs is indeed not in AFS (it's a fake volume
> that only exists in the local cache manager) and can't be used to
> manually create volumes. See
> http://wiki.openafs.org/SolarisQuickStart/#index7h4 for how to create
> volumes in root.afs with -dynroot.
>
> The -dynroot fake volume should be automatically populated with known
> cells, including dynamic addition of cells as they are accessed via SRV
> or AFSDB DNS records.







[OpenAFS] afsd: Error calling AFSOP_CACHEINODE: not configured

2015-07-01 Thread Andreas Ladanyi
Hi,

openafs 1.6.11.1 / Centos 7
SELinux=permissive
iptables is empty

bos server runs by systemd script.

bos status server:

Instance vlserver, currently running normally.
Instance ptserver, currently running normally.
Instance dafs, currently running normally.
Auxiliary status is: file server running.


systemctl status openafs-client.service
openafs-client.service - OpenAFS Client Service
   Loaded: loaded (/usr/lib/systemd/system/openafs-client.service; disabled)
   Active: failed (Result: exit-code) since Wed 2015-07-01 11:17:34
CEST; 2min 59s ago
  Process: 3377 ExecStart=/usr/vice/etc/afsd $AFSD_ARGS (code=exited,
status=1/FAILURE)
  Process: 3375 ExecStartPre=/sbin/modprobe openafs (code=exited,
status=0/SUCCESS)
  Process: 3373 ExecStartPre=/bin/chmod 0644 /usr/vice/etc/CellServDB
(code=exited, status=0/SUCCESS)
  Process: 3371 ExecStartPre=/bin/sed -n w/usr/vice/etc/CellServDB
/usr/vice/etc/CellServDB.local /usr/vice/etc/CellServDB.dist
(code=exited, status=0/SUCCESS)

Jul 01 11:17:34 i44fs1.info.uni-karlsruhe.de systemd[1]: Starting
OpenAFS Client Service...
Jul 01 11:17:34 i44fs1.info.uni-karlsruhe.de afsd[3377]: afsd: Error
calling AFSOP_CACHEINODE: not configured
Jul 01 11:17:34 i44fs1.info.uni-karlsruhe.de systemd[1]:
openafs-client.service: control process exited, code=exited status=1
Jul 01 11:17:34 i44fs1.info.uni-karlsruhe.de systemd[1]: Failed to start
OpenAFS Client Service.
Jul 01 11:17:34 i44fs1.info.uni-karlsruhe.de systemd[1]: Unit
openafs-client.service entered failed state.

/etc/sysconfig/openafs:
# OpenAFS Client Configuration
#AFSD_ARGS=-dynroot -fakestat -afsdb
AFSD_ARGS=-fakestat -afsdb

# OpenAFS Server Configuration
BOSSERVER_ARGS=

/usr/vice/etc/cacheinfo:
/afs:/usr/vice/cache:10



regards,
Andreas





Re: [OpenAFS] bos server instances doesnt come up

2015-06-29 Thread Andreas Ladanyi

Hi,

OK, the problem isn't gone.

If I start the bos server:

/usr/afs/bin/bosserver -noauth 

bos status tells me the instances are running normally.


If I start the openafs-server with the systemd scripts:
=

openafs-server.service - OpenAFS Server Service
   Loaded: loaded (/usr/lib/systemd/system/openafs-server.service; enabled)
   Active: active (running) since Mon 2015-06-29 18:58:56 CEST; 1min 
37s ago
  Process: 3481 ExecStop=/usr/bin/bos shutdown localhost -wait 
-localauth (code=exited, status=0/SUCCESS)

 Main PID: 3490 (bosserver)
   CGroup: /system.slice/openafs-server.service
   └─3490 /usr/afs/bin/bosserver -nofork

Jun 29 18:58:56 i44fs1.info.uni-karlsruhe.de systemd[1]: Starting 
OpenAFS Server Service...
Jun 29 18:58:56 i44fs1.info.uni-karlsruhe.de systemd[1]: Started OpenAFS 
Server Service.



But bos status tells me:
===

Instance vlserver, temporarily disabled, stopped for too many errors, 
currently starting up.
Instance ptserver, temporarily disabled, stopped for too many errors, 
currently starting up.
Instance dafs, temporarily disabled, stopped for too many errors, 
currently shutdown.

Auxiliary status is: file server shut down.


I get the PtLog and VLLog error messages with the ubik errors:

PtLog:


ptserver: file not found when processing dbase Ubik init failed
ptserver: running unauthenticated


VLLog:
=

vlserver: Ubik init failed: file not found when processing dbase



Andy




Hi Jeffrey,

I use the description in the OpenAFS Quick Start Guide for Unix. At this time
I have done the steps at
http://docs.openafs.org/QuickStartUnix/index.html#HDRWQ52.html

I tried to start the bos server with the systemd script. I think at this
state it wasn't a good idea.

On 6/25/2015 5:02 AM, Andreas Ladanyi wrote:


PtLog:


ptserver: file not found when processing dbase Ubik init failed
ptserver: running unauthenticated

VLLog:
=

vlserver: Ubik init failed: file not found when processing dbase


The database file cannot be created or opened.

How was OpenAFS installed and on which OS/version?

with the openafs srpm package from the openafs website. I built my own
binary rpms from this srpm package and installed it. The OS is centos 7.

Jeffrey Altman









Re: [OpenAFS] bos server instances doesnt come up

2015-06-29 Thread Andreas Ladanyi

> Please answer Jeffrey's questions, and we may be able to help.

I answered Jeffrey's questions:

> How was OpenAFS installed and on which OS/version?

I use the openafs 1.6.11.1 srpm package from the openafs website. I 
built my own binary rpms from this srpm package and installed it. The OS 
is centos 7.

> Alternatively, trust in my intuition and grep my previous mails for SELinux.
I trust you and this problem is solved by setting SELinux=permissive.  
I am crying.



Thanks a lot,
Andy
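
Added example (not part of the original thread): a short Python summariser for BosLog lines in the format posted in this thread. It counts starts and exit codes per instance and flags a restart loop, pointing at the instance's own log (PtLog, VLLog) as the next place to look; the sample lines, PIDs and the `loop_threshold` parameter are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed BosLog excerpt in the format quoted in this thread
# (PIDs and times are made up; one line is mail-wrapped on purpose).
SAMPLE_BOSLOG = """\
Thu Jun 25 10:53:00 2015: ptserver started pid 1001: /usr/afs/bin/ptserver
Thu Jun 25 10:53:00 2015: ptserver exited with code 2
Thu Jun 25 10:53:00 2015: ptserver started pid 1002: /usr/afs/bin/ptserver
Thu Jun 25 10:53:00 2015: ptserver exited with code 2
Thu Jun 25 10:53:00 2015: ptserver started pid 1003: /usr/afs/bin/ptserver
Thu Jun 25 10:53:00 2015: ptserver exited with code 2
Thu Jun 25 10:53:00 2015: BNODE 'ptserver' repeatedly failed to start,
perhaps missing executable.
Thu Jun 25 10:53:00 2015: ptserver will retry start in 60 seconds
Thu Jun 25 10:53:09 2015: buserver started pid 1004: /usr/afs/bin/buserver
Thu Jun 25 10:53:09 2015: buserver exited with code 255
"""

# ctime-style timestamp that prefixes every BosLog record.
STAMP = r"(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): "
STARTED = re.compile(STAMP + r"(?P<name>\S+) started pid \d+: (?P<path>\S+)")
EXITED = re.compile(STAMP + r"(?P<name>\S+) exited with code (?P<code>-?\d+)")
GAVE_UP = re.compile(STAMP + r"BNODE '(?P<name>[^']+)' repeatedly failed to start")
RETRY = re.compile(STAMP + r"(?P<name>\S+) will retry start in (?P<secs>\d+) seconds")

# Per-instance logs named in this thread; other instances get no hint.
INSTANCE_LOG = {"ptserver": "PtLog", "vlserver": "VLLog"}


def summarize_boslog(text, loop_threshold=3):
    """Return {instance: summary}; loop_threshold is an assumed cut-off."""
    stats = defaultdict(lambda: {
        "starts": 0, "per_second": Counter(), "exit_codes": Counter(),
        "gave_up": False, "retry_seconds": None, "binary": None,
    })
    for line in text.splitlines():
        m = STARTED.match(line)
        if m:
            s = stats[m["name"]]
            s["starts"] += 1
            s["per_second"][m["ts"]] += 1
            s["binary"] = m["path"]
            continue
        m = EXITED.match(line)
        if m:
            stats[m["name"]]["exit_codes"][int(m["code"])] += 1
            continue
        m = GAVE_UP.match(line)
        if m:
            stats[m["name"]]["gave_up"] = True
            continue
        m = RETRY.match(line)
        if m:
            stats[m["name"]]["retry_seconds"] = int(m["secs"])
        # Anything else (e.g. the wrapped "perhaps missing executable.") is skipped.

    report = {}
    for name, s in stats.items():
        burst = max(s["per_second"].values(), default=0)
        report[name] = {
            "starts": s["starts"],
            "exit_codes": dict(s["exit_codes"]),
            "max_starts_in_one_second": burst,
            "crash_loop": s["gave_up"] or burst >= loop_threshold,
            "retry_seconds": s["retry_seconds"],
            "binary": s["binary"],
            "check_log": INSTANCE_LOG.get(name),
        }
    return report


if __name__ == "__main__":
    for name, info in summarize_boslog(SAMPLE_BOSLOG).items():
        state = "CRASH LOOP" if info["crash_loop"] else "ok"
        print(f"{name}: {state} starts={info['starts']} "
              f"exit_codes={info['exit_codes']} see={info['check_log']}")
```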


Re: [OpenAFS] Uninstall OpenAFS after make install

2015-06-29 Thread Andreas Ladanyi



On Centos 7:
yum-builddep openafs.spec works.
rpmbuild -ba openafs.spec exits with 0. I got my rpm packages.

On Fedora 20:
I add a yum repository file which points to the 1.6.10 rpm Fedora 20 packages 
at openafs.org

yum install produce the following output with some errors and bad exit:

Once again: 1.6.10 is too old for the latest F20 kernels. It's not going to 
work.

Do what you did on EL7 but use at least 1.6.11 (and preferably 1.6.12 which was 
released last friday).

The problem was solved in the past. All is fine :-)

Thank you,
Andy
  
Best,

Stephan





Re: [OpenAFS] bos server instances doesnt come up

2015-06-25 Thread Andreas Ladanyi
Hi Jeffrey,

I use the description in the OpenAFS Quick Start Guide for Unix. At this time
I have done the steps at
http://docs.openafs.org/QuickStartUnix/index.html#HDRWQ52.html

I tried to start the bos server with the systemd script. I think at this
state it wasn't a good idea.
 On 6/25/2015 5:02 AM, Andreas Ladanyi wrote:

 PtLog:
 

 ptserver: file not found when processing dbase Ubik init failed
 ptserver: running unauthenticated

 VLLog:
 =

 vlserver: Ubik init failed: file not found when processing dbase

 The database file cannot be created or opened.

 How was OpenAFS installed and on which OS/version?
with the openafs srpm package from the openafs website. I built my own
binary rpms from this srpm package and installed it. The OS is centos 7.

 Jeffrey Altman









Re: [OpenAFS] bos server instances doesnt come up

2015-06-25 Thread Andreas Ladanyi
 2015: vlserver exited with code 2
 Thu Jun 25 10:53:09 2015: vlserver started pid 72497: /usr/afs/bin/vlserver
 Thu Jun 25 10:53:09 2015: vlserver exited with code 2
 Thu Jun 25 10:53:09 2015: vlserver started pid 72498: /usr/afs/bin/vlserver
 Thu Jun 25 10:53:09 2015: vlserver exited with code 2
 Thu Jun 25 10:53:09 2015: vlserver started pid 72499: /usr/afs/bin/vlserver
 Thu Jun 25 10:53:09 2015: vlserver exited with code 2
 Thu Jun 25 10:53:09 2015: vlserver started pid 72500: /usr/afs/bin/vlserver
 Thu Jun 25 10:53:09 2015: vlserver exited with code 2
 Thu Jun 25 10:53:09 2015: vlserver started pid 72501: /usr/afs/bin/vlserver
 Thu Jun 25 10:53:09 2015: vlserver exited with code 2
 Thu Jun 25 10:53:09 2015: vlserver started pid 72502: /usr/afs/bin/vlserver
 Thu Jun 25 10:53:09 2015: vlserver exited with code 2
 Thu Jun 25 10:53:09 2015: vlserver started pid 72503: /usr/afs/bin/vlserver
 Thu Jun 25 10:53:09 2015: vlserver exited with code 2
 Thu Jun 25 10:53:09 2015: vlserver started pid 72504: /usr/afs/bin/vlserver
 Thu Jun 25 10:53:09 2015: vlserver exited with code 2
 Thu Jun 25 10:53:09 2015: BNODE 'vlserver' repeatedly failed to start,
 perhaps missing executable.

 PtLog:
 

 ptserver: file not found when processing dbase Ubik init failed
 ptserver: running unauthenticated

 VLLog:
 =

 vlserver: Ubik init failed: file not found when processing dbase


 /usr/afs/etc/CellServDB:
 ==

 cellname #Cell name
 IP of the OpenAFS server#FQDN of the OpenAFS server

 /usr/afs/etc/ThisCell:
 =

 cellname



 Any ideas whats going wrong ?

 regards,
 Andy



-- 

Karlsruher Institut für Technologie (KIT)
Fakultät für Informatik
ATIS – Abteilung Technische Infrastruktur

Dipl.-Ing. Andreas Ladanyi
- System administrator -

Am Fasanengarten 5, Building 50.34, Room 013
76131 Karlsruhe

Phone: +49 721 608 - 4 3663
Fax: +49 721 608 - 4 6699
E-Mail: andreas.lada...@kit.edu
www.atis.informatik.kit.edu

www.kit.edu

KIT - University of the State of Baden-Württemberg and National Research Center 
of the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.






[OpenAFS] bos server instances doesnt come up

2015-06-25 Thread Andreas Ladanyi
Hi,

I installed OpenAFS 1.6.11.1. The pt / vl / bu instances don't come up.

bos status FQDN server -noauth
bos: running unauthenticated
Instance buserver, temporarily disabled, stopped for too many errors,
currently starting up.
Instance ptserver, temporarily disabled, stopped for too many errors,
currently starting up.
Instance vlserver, temporarily disabled, stopped for too many errors,
currently starting up.

Boslog:


The executables which are missed in the filesystem are available.



Thu Jun 25 10:52:36 2015: BNODE 'vlserver' repeatedly failed to start,
perhaps missing executable.
Thu Jun 25 10:52:36 2015: vlserver will retry start in 32 seconds
Thu Jun 25 10:52:40 2015: buserver started pid 72469: /usr/afs/bin/buserver
Thu Jun 25 10:52:40 2015: buserver exited with code 255
Thu Jun 25 10:52:40 2015: buserver started pid 72470: /usr/afs/bin/buserver
Thu Jun 25 10:52:40 2015: buserver exited with code 255
Thu Jun 25 10:52:40 2015: buserver started pid 72471: /usr/afs/bin/buserver
Thu Jun 25 10:52:40 2015: buserver exited with code 255
Thu Jun 25 10:52:40 2015: buserver started pid 72472: /usr/afs/bin/buserver
Thu Jun 25 10:52:40 2015: buserver exited with code 255
Thu Jun 25 10:52:40 2015: buserver started pid 72473: /usr/afs/bin/buserver
Thu Jun 25 10:52:40 2015: buserver exited with code 255
Thu Jun 25 10:52:40 2015: buserver started pid 72474: /usr/afs/bin/buserver
Thu Jun 25 10:52:40 2015: buserver exited with code 255
Thu Jun 25 10:52:40 2015: buserver started pid 72475: /usr/afs/bin/buserver
Thu Jun 25 10:52:40 2015: buserver exited with code 255
Thu Jun 25 10:52:40 2015: buserver started pid 72476: /usr/afs/bin/buserver
Thu Jun 25 10:52:40 2015: buserver exited with code 255
Thu Jun 25 10:52:40 2015: buserver started pid 72477: /usr/afs/bin/buserver
Thu Jun 25 10:52:40 2015: buserver exited with code 255
Thu Jun 25 10:52:40 2015: buserver started pid 72478: /usr/afs/bin/buserver
Thu Jun 25 10:52:40 2015: buserver exited with code 255
Thu Jun 25 10:52:40 2015: buserver started pid 72479: /usr/afs/bin/buserver
Thu Jun 25 10:52:40 2015: buserver exited with code 255
Thu Jun 25 10:52:40 2015: buserver started pid 72480: /usr/afs/bin/buserver
Thu Jun 25 10:52:40 2015: buserver exited with code 255
Thu Jun 25 10:52:40 2015: BNODE 'buserver' repeatedly failed to start,
perhaps missing executable.
Thu Jun 25 10:52:40 2015: buserver will retry start in 60 seconds
Thu Jun 25 10:53:00 2015: ptserver started pid 72481: /usr/afs/bin/ptserver
Thu Jun 25 10:53:00 2015: ptserver exited with code 2
Thu Jun 25 10:53:00 2015: ptserver started pid 72482: /usr/afs/bin/ptserver
Thu Jun 25 10:53:00 2015: ptserver exited with code 2
Thu Jun 25 10:53:00 2015: ptserver started pid 72483: /usr/afs/bin/ptserver
Thu Jun 25 10:53:00 2015: ptserver exited with code 2
Thu Jun 25 10:53:00 2015: ptserver started pid 72484: /usr/afs/bin/ptserver
Thu Jun 25 10:53:00 2015: ptserver exited with code 2
Thu Jun 25 10:53:00 2015: ptserver started pid 72485: /usr/afs/bin/ptserver
Thu Jun 25 10:53:00 2015: ptserver exited with code 2
Thu Jun 25 10:53:00 2015: ptserver started pid 72486: /usr/afs/bin/ptserver
Thu Jun 25 10:53:00 2015: ptserver exited with code 2
Thu Jun 25 10:53:00 2015: ptserver started pid 72487: /usr/afs/bin/ptserver
Thu Jun 25 10:53:00 2015: ptserver exited with code 2
Thu Jun 25 10:53:00 2015: ptserver started pid 72488: /usr/afs/bin/ptserver
Thu Jun 25 10:53:00 2015: ptserver exited with code 2
Thu Jun 25 10:53:00 2015: ptserver started pid 72489: /usr/afs/bin/ptserver
Thu Jun 25 10:53:00 2015: ptserver exited with code 2
Thu Jun 25 10:53:00 2015: ptserver started pid 72490: /usr/afs/bin/ptserver
Thu Jun 25 10:53:00 2015: ptserver exited with code 2
Thu Jun 25 10:53:00 2015: ptserver started pid 72491: /usr/afs/bin/ptserver
Thu Jun 25 10:53:00 2015: ptserver exited with code 2
Thu Jun 25 10:53:00 2015: ptserver started pid 72492: /usr/afs/bin/ptserver
Thu Jun 25 10:53:00 2015: ptserver exited with code 2
Thu Jun 25 10:53:00 2015: BNODE 'ptserver' repeatedly failed to start,
perhaps missing executable.
Thu Jun 25 10:53:00 2015: ptserver will retry start in 60 seconds
Thu Jun 25 10:53:09 2015: vlserver started pid 72493: /usr/afs/bin/vlserver
Thu Jun 25 10:53:09 2015: vlserver exited with code 2
Thu Jun 25 10:53:09 2015: vlserver started pid 72494: /usr/afs/bin/vlserver
Thu Jun 25 10:53:09 2015: vlserver exited with code 2
Thu Jun 25 10:53:09 2015: vlserver started pid 72495: /usr/afs/bin/vlserver
Thu Jun 25 10:53:09 2015: vlserver exited with code 2
Thu Jun 25 10:53:09 2015: vlserver started pid 72496: /usr/afs/bin/vlserver
Thu Jun 25 10:53:09 2015: vlserver exited with code 2
Thu Jun 25 10:53:09 2015: vlserver started pid 72497: /usr/afs/bin/vlserver
Thu Jun 25 10:53:09 2015: vlserver exited with code 2
Thu Jun 25 10:53:09 2015: vlserver started pid 72498: /usr/afs/bin/vlserver
Thu Jun 25 10:53:09 2015: vlserver exited with code 2
Thu Jun 25 10:53:09 2015: vlserver started pid 72499: /usr/afs/bin/vlserver
Thu 

Re: [OpenAFS] Uninstall OpenAFS after make install

2015-06-22 Thread Andreas Ladanyi

 On Fedora 20:
 I add a yum repository file which points to the 1.6.10 rpm Fedora 20 
 packages at openafs.org

 yum install produce the following output with some errors and bad exit:
 1.6.10 is too old for that kernel, you need at least 1.6.11. NB F20 is EOL.
OK. Thank you. I am wondering, because on openafs.org I could download
1.6.10 packages for Fedora 20.


 Best,
   Stephan







Re: [OpenAFS] Uninstall OpenAFS after make install

2015-06-22 Thread Andreas Ladanyi
Hi Ben,
 iam using Centos 7 and openafs 1.6.11.1 from source tarball.
 In general when a packaged version of something is available, it should
 be preferred over a source build, since the packaging system tracks which
 files are installed by the package and should allow for cleaner
 uninstalls.

 http://openafs.org/dl/openafs/1.6.11.1/openafs-1.6.11.1-1.src.rpm is the
 1.6.11 srpm, which ought to be buildable into binary rpms with, e.g.,
 mock.
I used this now, but a yum-builddep of this srpm package tells me that
the package:

kernel-devel-x86_64 = 2.6.18-404.el5 is needed but not found on centos
7. centos 7 is working with 3.10.

I found out that centos 5 is working with kernel 2.6.18.  But it's
interesting to see that for RHEL 7 there are packages on the openafs
website for release 1.6.8.

 -Ben Kaduk

regards,
Andy





[OpenAFS] Uninstall OpenAFS after make install

2015-06-18 Thread Andreas Ladanyi

Hi,

I can't see a make uninstall / remove target to uninstall OpenAFS after 
the make install procedure. Is there a script or some other secret for how 
removing the installed files is possible?


I am using Centos 7 and openafs 1.6.11.1 from source tarball.

Andy


[OpenAFS] vos syncvldb

2015-05-13 Thread Andreas Ladanyi
Hi,

If I call the command on server a (a which isn't the fileserver with the
volumes) as root:

vos syncvldb server b (b which is the fileserver with volumes)

I get the following messages. There are a lot more volumes listed but
the list was too long so I cut the message text:

Could not create a VLDB entry for the volume 536875231
VLDB: no permission access for call
Could not create a VLDB entry for the volume 536875231
VLDB: no permission access for call
Could not create a VLDB entry for the volume 536875228
VLDB: no permission access for call
Could not create a VLDB entry for the volume 536875228
VLDB: no permission access for call
Could not process entries on server server b partition /vicepa
Could not get the highest allocated volume id from the VLDB
VLDB: no permission access for call
Error in vos syncvldb command.
VLDB: no permission access for call

next time i run again:
=

vos syncvldb server b

i get the short message only:

Could not get the highest allocated volume id from the VLDB
VLDB: no permission access for call
Error in vos syncvldb command.
VLDB: no permission access for call


next time i run again:
=

vos syncvldb server b

i get the message:

VLDB synchronized with state of server i44sun1


next time i run again:
=

vos syncvldb server b

i get the message:

Could not get the highest allocated volume id from the VLDB
VLDB: no permission access for call
Error in vos syncvldb command.
VLDB: no permission access for call


Now I am a bit confused. The manpage of vos syncvldb says that I have to
execute syncvldb repeatedly. I don't understand the repeated occurrence of
the error messages. When / how could I be sure that I have a clean vldb?

cheers,
Andy





Re: [OpenAFS] Re: AFS + CrossRealm + FreeIPA + Migration

2014-11-18 Thread Andreas Ladanyi
Hi,

thank you for your efforts.

 In none of the above cases does the afs service ticket work correctly,
 although in the 1st case I have a des-cbc-crc key.
 I can't access my user directory in afs. I get a permission denied error.
 Yes, and that is expected. I suppose I have not been clear; you have two
 different ways to make this work:

 1. Extract a keytab for afs/cell with just DES, and nothing else, just
 like you originally did (and add it to the KeyFile). Then get the
 FreeIPA KDC and your client machine configured to use DES. If you have
 not correctly configured these to let you use DES, then you get the
 error you originally saw (-1765328370). If you've already set
 allow_weak_crypto on the KDC and the client, then you may need to ask
 the FreeIPA people for additional help.
Now especially point 1.) is clear :-)

I am also already talking to the FreeIPA people.

 2. Extract a keytab for afs/cell with non-DES enctypes, and install it
 in rxkad.keytab. Follow the instructions I mentioned in
 http://openafs.org/pages/security/install-rxkad-k5-1.6.txt and
 http://openafs.org/pages/security/how-to-rekey.txt to configure the
 servers to use this keytab. If you have not configured the servers to do
 this, then you will get errors such as permission denied, as you have
 been getting.
In this case we have to update the servers because OpenAFS 1.6.1

 So, follow one of those paths, and you should be able to get
 authentication working. Your current setup I believe is following
 neither of those approaches, and so it doesn't work. I would think
 option 2 is easier, but that's up to you.

Andreas
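
Added example (not part of the original thread): a small Python parser for `klist -ef` output like the listings quoted in this thread. For each afs/ service ticket it reports the session-key and ticket enctypes and which of the two server-side key stores named above (KeyFile with single DES, or rxkad.keytab) has to hold the matching key. The cache contents, realm and cell names are constructed, and the rule that the ticket enctype rather than the session key decides what the server must decrypt is general Kerberos behaviour, not a statement taken from the posters.

```python
import re

# Single-DES enctype names as printed by MIT klist (weak, deprecated crypto).
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# Constructed credential cache listing (placeholder realm and cell names).
# The first Etype line is mail-wrapped, as in the listings quoted in this thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@REALM-B.EXAMPLE

Valid starting       Expires              Service principal
11.11.2014 09:02:45  12.11.2014 09:02:42  krbtgt/REALM-B.EXAMPLE@REALM-B.EXAMPLE
\tFlags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
11.11.2014 09:02:51  12.11.2014 09:02:42  afs/cell.example@REALM-B.EXAMPLE
\tFlags: FAT, Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
"""

# "<start date> <start time>  <end date> <end time>  <principal>"
TICKET_RE = re.compile(r"^\d\S*\s+\S+\s+\d\S*\s+\S+\s+(\S+@\S+)")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")


def parse_klist(text):
    """Return [(principal, session_key_enctype, ticket_enctype), ...]."""
    # Re-join lines that a mailer wrapped after the comma between enctypes.
    text = re.sub(r",[ \t]*\n[ \t]*", ", ", text)
    tickets, current = [], None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group(1)
            continue
        e = ETYPE_RE.search(line)
        if e and current:
            tickets.append((current, e.group(1), e.group(2)))
            current = None
    return tickets


def audit_afs_tickets(text):
    """Classify every afs or afs/<cell> service ticket in a klist -ef listing."""
    findings = []
    for principal, skey, tkt in parse_klist(text):
        name = principal.split("@", 1)[0]
        if name != "afs" and not name.startswith("afs/"):
            continue
        if tkt in SINGLE_DES:
            store = "KeyFile"
            note = "ticket is DES-encrypted; the server needs the DES key in KeyFile"
        else:
            store = "rxkad.keytab"
            note = ("ticket is encrypted with a non-DES service key; a server "
                    "holding only a DES key in KeyFile cannot decrypt it")
        findings.append({
            "principal": principal,
            "skey": skey,
            "tkt": tkt,
            "server_key_store": store,
            "weak_crypto": skey in SINGLE_DES or tkt in SINGLE_DES,
            "note": note,
        })
    return findings


if __name__ == "__main__":
    for f in audit_afs_tickets(SAMPLE_KLIST):
        weak = " [single DES in use]" if f["weak_crypto"] else ""
        print(f"{f['principal']}: skey={f['skey']} tkt={f['tkt']} "
              f"-> {f['server_key_store']}{weak}\n  {f['note']}")
```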





Re: [OpenAFS] Re: AFS + CrossRealm + FreeIPA + Migration

2014-11-17 Thread Andreas Ladanyi
 On Tue, 11 Nov 2014 09:28:35 +0100
 Andreas Ladanyi andreas.lada...@kit.edu wrote:

 No, the token from aklog doesn't work fine. I could only list the user
 directories (name of the users). I could not enter the user directories.
 I couldn't enter my own directory. The AFS ID of the token is ok and
 matches the owner uid of my user directory.
 Okay, that makes more sense; I wouldn't expect that to work, so I was a
 little confused.

 So the reason that aklog works in that situation is because using the
 IPA tool give you an AES key, amongst others. aklog then tries to use
 that AES key, which the KDC allows (since it's not weak crypto since
 it's not DES). But you don't have your cell configured to use AES keys,
 so the token doesn't actually work.


 On Tue, 11 Nov 2014 11:03:51 +0100
 Andreas Ladanyi andreas.lada...@kit.edu wrote:

 Or change what enctype you request like so:

 $ kvno -e des-cbc-crc afs/CELL
 $ kvno -e aes256-hmac-cts afs/cell # this should _not_ work
 kvno -e des-cbc-crc afs/cellname
 kvno: KDC has no support for encryption type while getting credentials
 for afs/cellname@Realm B (the new Realm on FreeIPA)

 kvno -e aes256-cts-hmac-sha1-96  afs/cellname
 afs/cellname@Realm B: kvno = 1
 Yes, so you need to resolve that before this will work with the KeyFile
 with single DES.
I think I solved this issue now:

1.) 
kinit 
kvno -e des-cbc-crc afs/CELL
afs/cellname@REALM: kvno = 1

klist -e for the afs/cellname service ticket:
des-cbc-crc, aes256-cts-hmac-sha1-96

2.)
kinit .
kvno -e aes256-cts afs/CELL results in:
afs/cellname@REALM: kvno = 1

klist -e for the afs/cellname service ticket:
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

3.)
kinit ...
aklog
klist  -e shows me a afs service ticket without des-cbc-crc:
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

In none of the above cases does the afs service ticket work correctly,
although in the 1st case I have a des-cbc-crc key.
I can't access my user directory in afs. I get a permission denied error.


cheers,
Andreas





Re: [OpenAFS] Re: AFS + CrossRealm + FreeIPA + Migration

2014-11-11 Thread Andreas Ladanyi
 On Mon, 10 Nov 2014 10:09:54 +0100
 Andreas Ladanyi andreas.lada...@kit.edu wrote:

 Now aklog works and I can get an AFS token. Why are all these keys
 important for aklog? Or which key exactly the DES key is important?
 That is indeed a bit puzzling; it's possible ipa-getkeytab does
 something else that makes this work, but I don't know enough about the
 details of what that does. I assume the tokens you get with 'aklog' work
 fine?
I also created a principal afs/cellname@REALM B with kadmin.local in
FreeIPA to test it without ipa-getkeytab FreeIPA tool:
ank -randkey -e des-cbc-crc:v4,aes256-cts:special afs/info.uni-karlsruhe.de

The result is:

Key: vno 1, des-cbc-crc, no salt
Key: vno 1, aes256-cts-hmac-sha1-96, no salt

klist -ef:

Valid starting   Expires  Service principal
11.11.2014 09:02:45  12.11.2014 09:02:42  krbtgt/REALM@REALM B (the
FreeIPA Realm on the new kerberos/LDAP server)
Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
11.11.2014 09:02:51  12.11.2014 09:02:42  afs/cellname@REALM B
Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96


No, the token from aklog doesn't work fine. I could only list the user
directories (name of the users). I could not enter the user directories.
I couldn't enter my own directory. The AFS ID of the token is ok and
matches the owner uid of my user directory.

Another thing is:

pts listentries on the Testclient PC:

Name  ID  Owner Creator
pts: ticket contained unknown key version number ; unable to list entries

 What enctype is listed for the afs/cell@REALM principal if you run
 'klist -ef' after you have a token? 
Valid starting   Expires  Service principal
11.11.2014 09:02:45  12.11.2014 09:02:42  krbtgt/REALM@REALM B (the
FreeIPA Realm on the new kerberos/LDAP server)
Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
11.11.2014 09:02:51  12.11.2014 09:02:42  afs/cellname@REALM B
Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96

 What version of openafs is on the
 client where you're running 'aklog'?

Ubuntu 14.04, openafs-client 1.6.7-1

cheers,
Andreas





Re: [OpenAFS] Re: AFS + CrossRealm + FreeIPA + Migration

2014-11-11 Thread Andreas Ladanyi
 old server:
 

 MIT Kerberos 5  - Realm A
 What version?
Version 1.9.2 from OpenCSW

 new server:
 

 FreeIPA 3.3
 I don't suppose you know what version of MIT krb5 this is based on?
Version : 1.11.5
Release : 11.fc20


 Service principals:
 afs/FQDN of the old Server with AFS server daemon@Realm B
 I'm a little confused by this; we only use afs/cell.example.com
 principals with the cell name, which is usually not the FQDN of a
 server. Are you planning to migrate to a new cell name based on the
 old-server FQDN? Or did you mean afs/AFS CELL@REALM B here?
On the old server REALM A the AFS cellname is the same as the FQDN. At
the moment I don't plan to migrate to a new AFS cell name.

 new PC Testclient:
 ===

 Ubuntu 14

 I could login as user, get a shell and a tgt. The afs client is running.
 A TGT for which realm? 
REALM B - the new FreeIPA server system.
 Do you know if the client is also using MIT krb5?
yes it is.

 The clients CellServDB points to the AFS CELL and AFS server on the
 old server system.

 An aklog -d shows the message:

 Authenticating to cell AFS CELL (server THE OLD SERVER).
 Trying to authenticate to user's realm REALM B
 Getting tickets: afs/AFS CELL@REALM B
 Kerberos error code returned by get_cred : -1765328370
 aklog: Couldn't get AFS CELL AFS tickets:
 aklog: unknown RPC error (-1765328370) while getting AFS tickets
 This is a little puzzling, since we're trying to use afs/AFS
 CELL@REALM B, but above, it was mentioned the service princ that exists
 is afs/FQDN of the old Server with AFS server daemon@Realm B, unless
 that was a mistake, or they are the same thing.
On the old server system the AFS cell name and the fqdn are the same.

 Anyway, you can kind of test this without using any AFS components,
 which can maybe make this a bit easier (and makes it easier to ask krb5
 or FreeIPA people about it, if you want). Just run this:
Yes. This is a great option.

 $ kinit # if you haven't already
 $ kvno afs/CELL
 $ klist -ef

 (All three of those commands will have realms, if you want to obfuscate
 them.) You'll probably just get the same error that Brandon told you
 about, but it's good to make sure. You can also try 'kinit'ing with a
 principal from REALM A and see if that changes anything, or requesting
 the afs/CELL princ from REALM A vs REALM B, etc.

 Or change what enctype you request like so:

 $ kvno -e des-cbc-crc afs/CELL
 $ kvno -e aes256-hmac-cts afs/cell # this should _not_ work
kvno -e des-cbc-crc afs/cellname
kvno: KDC has no support for encryption type while getting credentials
for afs/cellname@Realm B (the new Realm on FreeIPA)

kvno -e aes256-cts-hmac-sha1-96  afs/cellname
afs/cellname@Realm B: kvno = 1

I think there is a problem with Kerberos here.

 Can you get any of those variations to work? If you can see which work
 and which fail, it can point to what's causing it to fail.








Re: [OpenAFS] Re: AFS + CrossRealm + FreeIPA + Migration

2014-11-10 Thread Andreas Ladanyi
Hi,
 On Fri, 07 Nov 2014 16:05:11 +0100
 Andreas Ladanyi andreas.lada...@kit.edu wrote:

 Sorry, I didn't tell you that. In FreeIPA you must enable the DES salttype. I
 enabled the des-cbc-crc:normal and des-cbc-crc:v4.
 I'm not too familiar with FreeIPA, but usually you need to enable weak
 enctypes separately from enabling DES specifically. That is, you need
 to turn on those specific enctypes (for the principal, and possibly for
 the whole KDC), but you also need to enable weak crypto in krb5.conf
 like Brandon mentioned.

 Or maybe what you did for this was correct, and something else is the
 problem. I'm sending some other things to try out in a moment.
I solved the problem but I'm not exactly sure why it works now :-)

In the past I first created a principal in FreeIPA Kerberos with the
kadmin.local tool, named afs/cellname@REALM, with one key:

Key: vno 2, des-cbc-crc, no salt

The result was the OpenAFS error message: Kerberos error code returned
by get_cred : -1765328370, KRB5KDC_ERR_ETYPE_NOSUPP

To solve the problem it was enough to use the FreeIPA command
ipa-getkeytab. This command generates 7 new keys for the
afs/cellname@REALM principal. The DES key is also generated because I
enabled it in FreeIPA.

Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, aes128-cts-hmac-sha1-96, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, arcfour-hmac, no salt
Key: vno 2, camellia128-cts-cmac, no salt
Key: vno 2, camellia256-cts-cmac, no salt
Key: vno 2, des-cbc-crc, no salt


Now aklog works and I can get an AFS token. Why are all these keys
important for aklog? Or which key exactly is important, the DES key?

cheers,
Andreas
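
The checks discussed in the two messages above, as an added example that is not part of the original posts: it decodes the get_cred number from `aklog -d` into the Kerberos protocol error and sorts a principal's `Key:` lines by enctype status. The function names are hypothetical, the sample input is copied from the thread, and the enctype groupings follow RFC 6649 and RFC 8429.

```python
import re

# MIT krb5 library error = this com_err table base + RFC 4120 protocol error code.
KRB5_ERROR_TABLE_BASE = -1765328384
PROTOCOL_ERRORS = {  # subset of the RFC 4120 error codes
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",
}
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}  # deprecated by RFC 6649
LEGACY = {"des3-cbc-sha1", "arcfour-hmac"}                  # deprecated by RFC 8429

# Sample input copied from the messages in this thread.
AKLOG_OUTPUT = """\
Getting tickets: afs/AFS CELL@REALM B
Kerberos error code returned by get_cred : -1765328370
aklog: unknown RPC error (-1765328370) while getting AFS tickets
"""
KEY_LISTING = """\
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, aes128-cts-hmac-sha1-96, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, arcfour-hmac, no salt
Key: vno 2, camellia128-cts-cmac, no salt
Key: vno 2, camellia256-cts-cmac, no salt
Key: vno 2, des-cbc-crc, no salt
"""

def decode_get_cred_error(aklog_output):
    """Return (protocol_code, name) for the get_cred error, or None if absent."""
    m = re.search(r"returned by get_cred\s*:\s*(-?\d+)", aklog_output)
    if m is None:
        return None
    code = int(m.group(1)) - KRB5_ERROR_TABLE_BASE
    return code, PROTOCOL_ERRORS.get(code, "unlisted")

def audit_keys(key_listing):
    """Group the enctypes named on 'Key: vno N, <enctype>' lines by status."""
    report = {"single-des": [], "legacy": [], "other": []}
    for enctype in re.findall(r"^Key: vno \d+, ([\w-]+)", key_listing, re.M):
        if enctype in SINGLE_DES:
            bucket = "single-des"
        elif enctype in LEGACY:
            bucket = "legacy"
        else:
            bucket = "other"  # on neither deprecation list
        report[bucket].append(enctype)
    return report

if __name__ == "__main__":
    print(decode_get_cred_error(AKLOG_OUTPUT))
    for status, enctypes in audit_keys(KEY_LISTING).items():
        print(f"{status}: {', '.join(enctypes) or '-'}")
```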







[OpenAFS] AFS + CrossRealm + FreeIPA + Migration

2014-11-07 Thread Andreas Ladanyi
Hi,

I want to migrate my old Server System to a new environment. The Posix
Users+Groups are migrated from the old LDAP system to the new FreeIPA
LDAP system.

I have the following situation:

old server:


MIT Kerberos 5  - Realm A
OpenLDAP without Kerberos schemata
OpenAFS Server 1.6 - with the AFS CELL

Cross Realm krbtgt`s:
krbtgt/RealmA@RealmB
krbtgt/RealmB@RealmA

new server:


FreeIPA 3.3
Realm B

Cross Realm krbtgt`s:
krbtgt/RealmA@RealmB
krbtgt/RealmB@RealmA

Service principals:
afs/FQDN of the old Server with AFS server daemon@Realm B

Host principals:
FQDN new Server with FreeIPA
FQDN new PC Testclient
FQDN old Server with AFS server daemon



new PC Testclient:
===

Ubuntu 14

I could login as user, get a shell and a tgt. The afs client is running.

The client's CellServDB points to the AFS CELL and AFS server on the
old server system.

An aklog -d shows the message:

Authenticating to cell AFS CELL (server THE OLD SERVER).
Trying to authenticate to user's realm REALM B
Getting tickets: afs/AFS CELL@REALM B
Kerberos error code returned by get_cred : -1765328370
aklog: Couldn't get AFS CELL AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets


I can't find any information about the RPC error number. I hope you can
help me.

cheers and thx,
Andreas




