Re: [OpenAFS] Re: ktadd -k anywhere afs/[EMAIL PROTECTED] breaks AFS instantly?

2006-02-14 Thread Juha Jäykkä
Keytabs are normally not supposed to be shared between multiple machines, and this approach means that kadmind doesn't need to have the capability of retrieving keys from the KDC, which is an additional separation of capability and an additional level of security. Except that AFS requires a

Re: [OpenAFS] Re: ktadd -k anywhere afs/[EMAIL PROTECTED] breaks AFS instantly?

2006-02-14 Thread John Rudd
On Feb 13, 2006, at 11:42 PM, Russ Allbery wrote: Adam Megacz [EMAIL PROTECTED] writes: Russ Allbery [EMAIL PROTECTED] writes: ktadd changes the key. I am: dumbfounded. Dare I ask if there was a reason for this decision? Other than causing me grief, of course. Keytabs are

Re: [OpenAFS] Re: ktadd -k anywhere afs/[EMAIL PROTECTED] breaks AFS instantly?

2006-02-14 Thread Jeffrey Altman
Juha Jäykkä wrote: Except that AFS requires a shared keytab. Nice. :-) What about (Heimdal's) ktutil, does it have the same problem as ktadd? And how would an AFS cell recover from the unfortunate human error of an admin doing the line in the subject? This sounds like a disaster waiting to

Re: [OpenAFS] /usr/sbin/afsd --impatient

2006-02-14 Thread Jeffrey Altman
Adam Megacz wrote: Are the servers not responding at all? If so, fs checkservers should list them as being down. Or is the response just slower than you would prefer? What operations are failing? What is the connection like? Are the users communicating with campus over a VPN? Do some

Re: [OpenAFS] Re: ktadd -k anywhere afs/[EMAIL PROTECTED] breaks AFS instantly?

2006-02-14 Thread Sergio Gelato
* Juha Jäykkä [2006-02-14 10:27:30 +0200]: Keytabs are normally not supposed to be shared between multiple machines, and this approach means that kadmind doesn't need to have the capability of retrieving keys from the KDC, which is an additional separation of capability and an additional

Re: [OpenAFS] Re: ktadd -k anywhere afs/[EMAIL PROTECTED] breaks AFS instantly?

2006-02-14 Thread Brandon S. Allbery KF8NH
On Feb 14, 2006, at 3:27 , Juha Jäykkä wrote: Keytabs are normally not supposed to be shared between multiple machines, and this approach means that kadmind doesn't need to have the capability of retrieving keys from the KDC, which is an additional separation of capability and an additional

[OpenAFS] newbie question

2006-02-14 Thread Syed Ali Saim
Hi, I am kind of new to AFS installation, trying to install afs-server,client on the same machine. RedHat EL3 rpms installed on my system. I can't find afs.rc. Can anyone guide me to a good place? The Quick beginners guide keeps referring to the AFS CDROM which I don't have at the moment. Thanks

Re: [OpenAFS] Re: ktadd -k anywhere afs/[EMAIL PROTECTED] breaks AFS instantly?

2006-02-14 Thread Juha Jäykkä
Heimdal's kt_extract (kadmin command) extracts a key without generating a new one. (This is generally considered a bad thing; I could see it being limited to kadmin's local mode in the future.) Other mechanisms will indeed create a new key. This last sentence is exactly what I wanted

Re: [OpenAFS] Re: ktadd -k anywhere afs/[EMAIL PROTECTED] breaks AFS instantly?

2006-02-14 Thread Juha Jäykkä
AFS does not require a shared keytab. AFS requires that the contents of a keytab be set into the AFS key file which is done by running 'asetkey'. Ach, my mistake. AFS does not require a shared keytab, it requires a common KeyFile, which is conceptually the same - it's just not called keytab.

Re: [OpenAFS] Re: ktadd -k anywhere afs/[EMAIL PROTECTED] breaks AFS instantly?

2006-02-14 Thread Brandon S. Allbery KF8NH
-Original Message- From: Juha Jäykkä [EMAIL PROTECTED] Date: Tuesday, Feb 14, 2006 9:06 am Subject: Re: [OpenAFS] Re: ktadd -k anywhere afs/[EMAIL PROTECTED] breaks AFS instantly? Or the Heimdal commands like Brandon Allbery noted. Indeed, there is no program

Re: [OpenAFS] Re: ktadd -k anywhere afs/[EMAIL PROTECTED] breaks AFS instantly?

2006-02-14 Thread Derek Atkins
Juha Jäykkä [EMAIL PROTECTED] writes: AFS does not require a shared keytab. AFS requires that the contents of a keytab be set into the AFS key file which is done by running 'asetkey'. Ach, my mistake. AFS does not require a shared keytab, it requires a common KeyFile, which is conceptually

Re: [OpenAFS] Connection timeouts

2006-02-14 Thread Derek Atkins
ted creedon [EMAIL PROTECTED] writes: For a client/server combination each behind a firewall: 1. Why does the Linux client timeout fairly rapidly requiring a client restart? NAT UDP Timeouts. The firewall/NAT gateway loses the UDP mapping between the client and the server.. The server

Re: [OpenAFS] Connection timeouts

2006-02-14 Thread Jim Rees
NAT UDP Timeouts. The firewall/NAT gateway loses the UDP mapping between the client and the server.. The server can no longer talk to the client.. Callbacks fail.. The server marks the client as Bad because it can't talk back to the client. It's not widely known, but the workaround for

[OpenAFS] Fileserver very busy

2006-02-14 Thread Hans-Gunther Borrmann
Hello, I observe that one of my fileservers is very busy over long periods of time, several days or even a week. tcpdump on the fileserver only shows the following traffic: 16:09:12.981900338 server.afs3-fileserver client.afs3-callback: udp 66 16:09:12.982000367 server.afs3-fileserver

Re: [OpenAFS] Re: ktadd -k anywhere afs/[EMAIL PROTECTED] breaks AFS instantly?

2006-02-14 Thread Ken Hornstein
It's not a bad idea to rekey one's services from time to time. It's just temporarily disruptive if one doesn't go through the steps in the right order (which for AFS would be to distribute the new key to the AFS servers *before* the KDC starts issuing tickets with it). I agree in theory you

RE: [OpenAFS] Connection timeouts

2006-02-14 Thread ted creedon
The windows client stays connected more reliably thru 2 NATTED firewalls than the Linux client. If the Linux client were upgraded to do whatever the windows client does the cellname workaround would be acceptable. Connectionless UDP packets are port forwarded to the Class C server. I recall

Re: [OpenAFS] /usr/sbin/afsd --impatient

2006-02-14 Thread Ken Hornstein
Is there any way to make sure that the cache manager never waits for more than (say) 5 seconds for a response? By which I mean that if the server fails to respond after 5 seconds, assume it's never coming back and return EIO to the caller or something like that. In the interests of solving the

Re: [OpenAFS] Connection timeouts

2006-02-14 Thread Jeffrey Altman
The keep-alive pings are sent from the client. Only the client can maintain the NAT's port mapping. Windows clients older than 1.4.1-rc5 ping the servers once every hour; 1.4.1-rc5 and later ping every ten minutes just like the UNIX/Linux clients. Jeffrey Altman ted creedon wrote: The

[OpenAFS] Client install of 1.4.0 on sunx86_510

2006-02-14 Thread David R Boldt
Something has gone awry in my installation, but I'm not sure where to look. % ls -al /afs /afs/.usgs.gov: No such device /afs/usgs.gov: No such device % uname -a SunOS vulcan2 5.10 Generic_118844-26 i86pc i386 i86pc % fs getcacheparms AFS using 2 of the cache's available 10 1K byte blocks.

Re: [OpenAFS] /usr/sbin/afsd --impatient

2006-02-14 Thread Ken Hornstein
If there are things you would like Apple to do in order to make AFS work better on their operating system, find your campus Apple sales representative and tell them. It is the only way that things will get better. Apple won't make changes in Tiger but if you tell them what you need they might

Re: [OpenAFS] /usr/sbin/afsd --impatient

2006-02-14 Thread Jim Rees
I seem to remember a problem where the Mac Finder would not just stat every directory, but open it and look for a .DS_Store file. Is that still true? I also remember there being some command you could run on the Mac that would prevent the finder from creating .DS_Store files, but I don't know if

Re: [OpenAFS] Client install of 1.4.0 on sunx86_510

2006-02-14 Thread Ken Hornstein
Something has gone awry in my installation, but I'm not sure where to look. % ls -al /afs /afs/.usgs.gov: No such device /afs/usgs.gov: No such device What does your messages file (I guess it's probably /var/adm/messages) say? When I've seen this, there was some sort of error in there. --Ken

Re: [OpenAFS] Re: ktadd -k anywhere afs/[EMAIL PROTECTED] breaks AFS instantly?

2006-02-14 Thread Russ Allbery
Derek Atkins [EMAIL PROTECTED] writes: Correct, but you can always just scp (or sneakernet) the KeyFile between your servers. Indeed, you could scp or sneakernet your keytab, too. Or use upserver/upclient, which is the way that you're supposed to distribute a KeyFile between multiple AFS

RE: [OpenAFS] Connection timeouts

2006-02-14 Thread ted creedon
The probe interval in the windows client GUI is set to 30 which may explain the difference between the Linux and Windows clients. However network connections are still lost, so I'll reduce that. The windows probe interval needs to have the cell name added to the GUI... An additional switch

Re: [OpenAFS] /usr/sbin/afsd --impatient

2006-02-14 Thread Jeffrey Altman
Ken Hornstein wrote: If there are things you would like Apple to do in order to make AFS work better on their operating system, find your campus Apple sales representative and tell them. It is the only way that things will get better. Apple won't make changes in Tiger but if you tell them

Re: [OpenAFS] Client install of 1.4.0 on sunx86_510

2006-02-14 Thread David R Boldt
Something has gone awry in my installation, but I'm not sure where to look. % ls -al /afs /afs/.usgs.gov: No such device /afs/usgs.gov: No such device What does your messages file (I guess it's probably /var/adm/messages) say? When I've seen this, there was some sort of error in there.

Re: [OpenAFS] Connection timeouts

2006-02-14 Thread Jim Rees
It's not well documented, but fs checks -interval 0 will return the current interval. Also, I'm not sure this does what I thought it did. There is an interval for down servers and a different one for up servers. It looks like this sets the one for down servers, which probably won't help for

Re: [OpenAFS] /usr/sbin/afsd --impatient

2006-02-14 Thread Ken Hornstein
The gatekeepers have an open channel to Apple on AFS but we really need issues to be filed via the Apple Sales staff. Other organizations have gotten Apple's attention by refusing to order new equipment with Tiger installed until an OpenAFS stable release is available. I'm not suggesting you do

Re: [OpenAFS] Connection timeouts

2006-02-14 Thread Jeffrey Altman
ted creedon wrote: The probe interval in the windows client GUI is set to 30 which may explain the difference between the Linux and Windows clients. However network connections are still lost, so I'll reduce that. The source code reads: void Config_GetProbeInt (ULONG *pcsecProbe) {

Re: [OpenAFS] Re: ktadd -k anywhere afs/[EMAIL PROTECTED] breaks AFS instantly?

2006-02-14 Thread Derek Atkins
Russ Allbery [EMAIL PROTECTED] writes: Derek Atkins [EMAIL PROTECTED] writes: Correct, but you can always just scp (or sneakernet) the KeyFile between your servers. Indeed, you could scp or sneakernet your keytab, too. Or use upserver/upclient, which is the way that you're supposed to

Re: [OpenAFS] /usr/sbin/afsd --impatient

2006-02-14 Thread Jeffrey Altman
Ken Hornstein wrote: The gatekeepers have an open channel to Apple on AFS but we really need issues to be filed via the Apple Sales staff. Other organizations have gotten Apple's attention by refusing to order new equipment with Tiger installed until an OpenAFS stable release is available.

Re: [OpenAFS] Connection timeouts

2006-02-14 Thread Christopher D. Clausen
Jeffrey Altman [EMAIL PROTECTED] wrote: ted creedon wrote: An additional switch added -getinterval to print the current interval would be help. Added to what? the fs checkserver command. There is an fs checkserver -interval command to set the interval, but there isn't one to print the

Re: [OpenAFS] Re: ktadd -k anywhere afs/[EMAIL PROTECTED] breaks AFS instantly?

2006-02-14 Thread Russ Allbery
Derek Atkins [EMAIL PROTECTED] writes: Russ Allbery [EMAIL PROTECTED] writes: Or use upserver/upclient, which is the way that you're supposed to distribute a KeyFile between multiple AFS servers. That doesn't work for the initial KeyFile distribution, only for key changes. True, good

Re: [OpenAFS] Connection timeouts

2006-02-14 Thread Jeffrey Altman
Christopher D. Clausen wrote: Jeffrey Altman [EMAIL PROTECTED] wrote: Added to what? the fs checkserver command. There is an fs checkserver -interval command to set the interval, but there isn't one to print the current interval, which is weird b/c fs checks -interval tells you what the

Re: [OpenAFS] Client install of 1.4.0 on sunx86_510

2006-02-14 Thread Kris Kasner
Are you running 64bit? I had the exact same issue that the clever folks here fixed in 1.4.1rc?? (I'm running rc3 and it works wonderfully in 64bit mode..) You can find details in the archives of the list, I don't remember them offhand.. --Kris Today at 12:32, David R Boldt [EMAIL

Re: [OpenAFS] /usr/sbin/afsd --impatient

2006-02-14 Thread Derrick J Brashear
On Tue, 14 Feb 2006, Jim Rees wrote: I seem to remember a problem where the Mac Finder would not just stat every directory, but open it and look for a .DS_Store file. Is that still true? -fakestat-all is intended to deal with this.

Re: [OpenAFS] Connection timeouts

2006-02-14 Thread Christopher D. Clausen
Jeffrey Altman [EMAIL PROTECTED] wrote: Christopher D. Clausen wrote: Jeffrey Altman [EMAIL PROTECTED] wrote: Added to what? the fs checkserver command. There is an fs checkserver -interval command to set the interval, but there isn't one to print the current interval, which is weird b/c fs

Re: [OpenAFS] Connection timeouts

2006-02-14 Thread Jeffrey Altman
Christopher D. Clausen wrote: Is there a particular reason it is defined at compile time and isn't configurable on the fly? (Other than no one having written it yet, of course.) No one has written the code. The values are hard coded into the daemon thread function. Would it be reasonable

Re: [OpenAFS] /usr/sbin/afsd --impatient

2006-02-14 Thread Ken Hornstein
I have informed Apple campus reps at UIUC that we needed OpenAFS to work before we (being one very small portion of UIUC) could deploy Tiger. They responded and said they were aware of the issues and are actively working on them. So it's not that campus-level requests are being ignored. I am

reply Re: [OpenAFS] /usr/sbin/afsd --impatient

2006-02-14 Thread Ernest Prabhakar
Hi all, This is Ernie Prabhakar, the Open Source Product Manager at Apple. I've just joined this list, but I have been following the thread, and I want to affirm everything Jeffrey said: a) We definitely want to help the AFS gatekeepers succeed, and talk to them on a regular basis b)

Re: [OpenAFS] /usr/sbin/afsd --impatient

2006-02-14 Thread Christopher D. Clausen
Jeffrey Altman [EMAIL PROTECTED] wrote: Notice I asked you to file the ADC bug report number in the openafs RT. The OpenAFS gatekeepers are in contact with Apple on a regular basis and we can make sure things are followed up. However, we really need a broad base of users to tell Apple what they

Re: [OpenAFS] Client install of 1.4.0 on sunx86_510

2006-02-14 Thread Douglas E. Engert
Ken Hornstein wrote: Something has gone awry in my installation, but I'm not sure where to look. % ls -al /afs /afs/.usgs.gov: No such device /afs/usgs.gov: No such device What does your messages file (I guess it's probably /var/adm/messages) say? When I've seen this, there was some sort

Re: [OpenAFS] Re: ktadd -k anywhere afs/[EMAIL PROTECTED] breaks AFS instantly?

2006-02-14 Thread Russ Allbery
Juha Jäykkä [EMAIL PROTECTED] writes: Upserver/-client is wonderful, but it (of course!) suffers from chicken and egg problem: you need to distribute the KeyFile at least once without it since it cannot distribute the KeyFile without a KeyFile. From your comment I gather this is *not* true

[OpenAFS] Re: /usr/sbin/afsd --impatient

2006-02-14 Thread Adam Megacz
Jeffrey Altman [EMAIL PROTECTED] writes: Are the servers not responding at all? If so, fs checkservers should list them as being down. They're definitely up, but I'm not around when these problems happen, so I can't debug them. And it's not my place to tell faculty that they must do some

Re: [OpenAFS] Client install of 1.4.0 on sunx86_510

2006-02-14 Thread David R Boldt
Are you running 64bit? I had the exact same issue that the clever folks here fixed in 1.4.1rc?? (I'm running rc3 and it works wonderfully in 64bit mode..) I set off to compile a newer release . . . alas the configure script did not track the compiler location. % CC=/usr/sfw/bin/gcc

Re: [OpenAFS] Client install of 1.4.0 on sunx86_510

2006-02-14 Thread Ken Hornstein
I set off to compile a newer release . . . alas the configure script did not track the compiler location. I believe the reason it does that is that under Solaris, the kernel module needs to be compiled with the Sun compiler. --Ken

[OpenAFS] Re: /usr/sbin/afsd --impatient

2006-02-14 Thread Adam Megacz
Ken Hornstein [EMAIL PROTECTED] writes: - Using -fakestat or -fakestat-all as an option to afsd Currently in use. - Using -dynroot, Currently in use. using -afsdb Currently in use. and distributing an empty CellServDB and to look up cell info. Ok, but I don't think that this alone

Re: [OpenAFS] Re: /usr/sbin/afsd --impatient

2006-02-14 Thread Christopher D. Clausen
Adam Megacz [EMAIL PROTECTED] wrote: Jeffrey Altman [EMAIL PROTECTED] writes: If there are things you would like Apple to do in order to make AFS work better on their operating system, find your campus Apple sales representative and tell them. It is the only way that things will get better.

Re: [OpenAFS] Re: /usr/sbin/afsd --impatient

2006-02-14 Thread Jeffrey Altman
Adam Megacz wrote: Jeffrey Altman [EMAIL PROTECTED] writes: Are the servers not responding at all? If so, fs checkservers should list them as being down. They're definitely up, but I'm not around when these problems happen, so I can't debug them. And it's not my place to tell faculty

Re: [OpenAFS] Re: /usr/sbin/afsd --impatient

2006-02-14 Thread Jeffrey Altman
Adam Megacz wrote: It does seem to have something to do with disconnecting from the network and reconnecting (possibly with a new IP, elsewhere). That seems to precede more than half of the occurrences of this problem (these are laptops). Then you will want to upgrade to 1.4.1-rc7 when it

Re: [OpenAFS] Re: /usr/sbin/afsd --impatient

2006-02-14 Thread Jeffrey Altman
Christopher D. Clausen wrote: There is no released client for Tiger, so really end users should expect to do some level of debugging when using release candidate software. Thank you for saying this. I can't agree with you more. However, if Adam would give us additional information and in

Re: [OpenAFS] Client install of 1.4.0 on sunx86_510

2006-02-14 Thread Russ Allbery
Ken Hornstein [EMAIL PROTECTED] writes: I set off to compile a newer release . . . alas the configure script did not track the compiler location. I believe the reason it does that is that under Solaris, the kernel module needs to be compiled with the Sun compiler. I don't think this is

Re: [OpenAFS] Re: /usr/sbin/afsd --impatient

2006-02-14 Thread Derrick J Brashear
There is no released client for Tiger, so really end users should expect to do some level of debugging when using release candidate software. Aside from submitting bug reports I expect nothing from the average user. rc7 tonight is actually hopefully what the final release will be.

[OpenAFS] Byte range locking backed by AFS file locks

2006-02-14 Thread Jeffrey Altman
During the first week of December 2005 there was a discussion on this mailing list regarding how Byte Range Locking backed by AFS File Locks would be released in OpenAFS for Windows (and by proxy, AFS clients on UNIX/Linux.) Over the last couple of months the Elders have considered the issues

Re: [OpenAFS] Connection timeouts

2006-02-14 Thread tedc
Jeffrey Altman wrote: ted creedon wrote: The probe interval in the windows client GUI is set to 30 which may explain the difference between the Linux and Windows clients. However network connections are still lost, so I'll reduce that. The source code reads: void Config_GetProbeInt

Re: [OpenAFS] Connection timeouts

2006-02-14 Thread Jeffrey Altman
tedc wrote: Well, if only one server needs this it would eliminate unnecessary traffic to the others. the value determines how often a thread is kicked off. It is not a per server or per cell value. Jeffrey Altman

[OpenAFS] Re: /usr/sbin/afsd --impatient

2006-02-14 Thread Adam Megacz
Christopher D. Clausen [EMAIL PROTECTED] writes: From the perspective of the People Making The Decisions, this is a problem with AFS, not a problem with Mac OS X. You know that's wrong, I know that's wrong, but we cannot change it. You could simply revert to Mac OS 10.3. Or are you on

[OpenAFS] Re: /usr/sbin/afsd --impatient

2006-02-14 Thread Adam Megacz
Jeffrey Altman [EMAIL PROTECTED] writes: However, if Adam would give us additional information You make it sound like I'm hiding something from you! ;) No seriously, the reason why I'm so desperate to hack this away with a kludge is that this particular situation is a debugging nightmare. I

[OpenAFS] Re: /usr/sbin/afsd --impatient

2006-02-14 Thread Adam Megacz
Jeffrey Altman [EMAIL PROTECTED] writes: Then you will want to upgrade to 1.4.1-rc7 when it is available. Ok, cool. BTW, regarding the whole hacking-it-versus-submitting-bugs, under normal circumstances, and wrt future issues, I totally agree with you. This was an unusual situation that had

[OpenAFS] Re: ktadd -k anywhere afs/[EMAIL PROTECTED] breaks AFS instantly?

2006-02-14 Thread Adam Megacz
ktadd changes the key. Dare I ask if there was a reason for this decision? Keytabs are normally not supposed to be shared between multiple machines, Since you shouldn't really have multiple copies of the same keytab out Okay, this makes sense. - a -- PGP/GPG: 5C9F F366 C9CF 2145 E770

Re: [OpenAFS] Re: /usr/sbin/afsd --impatient

2006-02-14 Thread Jeffrey Altman
Adam Megacz wrote: Jeffrey Altman [EMAIL PROTECTED] writes: Then you will want to upgrade to 1.4.1-rc7 when it is available. Ok, cool. BTW, regarding the whole hacking-it-versus-submitting-bugs, under normal circumstances, and wrt future issues, I totally agree with you. This was an

RE: [OpenAFS] Connection timeouts

2006-02-14 Thread ted creedon
Yes, I read that in the docs.. So what provisions are needed to keep packets from being dropped.. Tedc -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Altman Sent: Tuesday, February 14, 2006 6:51 PM To: tedc Cc: openafs-info@openafs.org

[OpenAFS] MacOSX Finder exacerbates even minor problems with network filesystems

2006-02-14 Thread Adam Megacz
Jeffrey Altman [EMAIL PROTECTED] writes: What were you going to do with a private build that was hacked to set the Hard Dead Timeout value to 5 seconds instead of 120 seconds? Were you going to give it to the faculty member to install on her/his machine? In my opinion that would have been a