On 6/7/2019 7:20 AM, Måns Nilsson wrote:
> Hi,
>
> I'm a little uncertain how to discuss this, because it is a
> cross-implementation problem, but this problem surely has hit others
> here. I hope.
>
> I have three db servers in my OpenAFS cell. They all have -- for various
> reasons -- v4 and
On 8/7/2019 9:35 PM, xg...@reliancememory.com wrote:
> Hello,
>
> Can someone kindly explain again the possible reasons why Rx is so painfully
> slow for a high latency (~230ms) link?
As Simon Wilkinson said on slide 5 of "RX Performance"
On 8/5/2019 4:37 PM, n...@phobos.ws wrote:
> Hello every1,
>
> a (maybe) minor problem I'm getting with OpenAFS and I'm quite lost, what to
> do. Given are 2 nodes running OpenAFS 1.8.2 on a Linux system.
> [...]
> Doing a "vos release" for "root.vids", I get:
>
> --- SNIP ---
> Failed to
Hi Simon,
response inline ...
On 8/8/2019 2:54 PM, xg...@reliancememory.com wrote:
> To make sure I captured all the explanations correctly, please allow me to
> summarize my understandings:
>
> Flow control over a high-latency, potentially congested link is a fundamental
> challenge that
On 7/25/2019 3:51 PM, Marcio Barbosa wrote:
> Hello,
>
> One of my VMs is running macOS 10.13.6 (including this security update) and
> could not reproduce this problem.
> But I am running the OpenAFS-1.8.2 client with MIT Kerberos.
>
> Best,
> Marcio Barbosa.
10.13.6 is the first version of
On 7/25/2019 5:06 PM, Marcio Barbosa wrote:
>
>> 10.13.6 is the first version of High Sierra to validate notarized kernel
>> extensions.
>
> I believe the first version with this requirement is 10.14.5.
10.14.5 is the first to require notarization to run.
10.13.6 is the first High Sierra
On 2/15/2020 7:55 AM, Måns Nilsson wrote:
> Subject: Re: [OpenAFS] Borderline offtopic: OpenAFS as ~ for Samba AD? Date:
> Mon, Jan 20, 2020 at 04:42:24PM -0500 Quoting Jeffrey E Altman
> (jalt...@auristor.com):
>> No need for cross-realm. Create an afs/cell@SAMBA4.REALM se
AuriStor is proud to once again sponsor the Linux Kernel AFS Hackathon &
BoF and the USENIX Vault '20 conference (co-located with FAST '20 and
NSDI '20). Here are a few schedule highlights
Monday Feb 24th 9:00am to 5:00pm PST
Linux Kernel AFS Hackathon. David Howells, the AuriStor developers,
No need for cross-realm. Create an afs/cell@SAMBA4.REALM service
principal with a kvno
that differs from the afs/cell@HEIMDAL.REALM service principal and add
the key to your
AFS servers as well as adding both realm names to the AFS servers' krb.conf.
On 1/19/2020 4:53 PM, Måns Nilsson wrote:
Hi Giovanni,
The cache manager doesn't know either the contents of the ACL or the PTS
group memberships. The computation of a caller's access rights is
performed entirely by the fileserver. The cache manager makes access
decisions based upon the access rights obtained from the fileserver in
Hi Rainer,
The DES only limitation of the afs/cell@REALM service principal was
removed in the 2013 release of OpenAFS 1.4.15 and 1.6.5. Since those
releases neither the server ticket key nor the session key are
restricted to the des-cbc-crc encryption type. All cells should be
upgraded to
On 10/13/2020 3:05 PM, Giovanni Bracco (giovanni.bra...@enea.it) wrote:
> Thank you for the suggestion, but I have tried to use the command
>
> fs setcrypt -crypt off
>
> on 1.8.x clients
>
> and
>
> fs setcrypt -crypt
>
> on 1.6.x clients
>
> without any effect on performance in both cases,
On 10/13/2020 9:28 AM, Giovanni Bracco (giovanni.bra...@enea.it) wrote:
> I have seen that the first release of OpenAFS 1.9.0 is out and so I
> thought that it was time to try at least 1.8.x and also 1.9 on our
> production Linux x86-64 nodes, where we have used 1.6.x up to now.
>
> Our AFS cell
On 9/8/2020 1:31 PM, Sebby, Brian A. (se...@anl.gov) wrote:
> Hi,
>
> I have a few legacy RHEL 6 servers that are still running an older 1.6.x
> series DKMS client, which were recently patched and rebooted. On a
> couple of them, access to AFS is now just hanging – and I cannot figure
> out why.
This morning at 14 Jan 2021 08:25:36 GMT all restarted or newly started
OpenAFS 1.8 clients and servers began to experience RX communication
failures. The RX Connection ID of all calls initiated by the peer are
the same:
0x8002
Patches to correct the flaw are available from OpenAFS Gerrit
On 1/14/2021 10:55 AM, Jeffrey E Altman (jalt...@auristor.com) wrote:
> This morning at 14 Jan 2021 08:25:36 GMT all restarted or newly started
> OpenAFS 1.8 clients and servers began to experience RX communication
> failures. The RX Connection ID of all calls initiated by the peer are
On 1/14/2021 1:20 PM, Jeffrey E Altman (jalt...@auristor.com) wrote:
> On 1/14/2021 10:55 AM, Jeffrey E Altman (jalt...@auristor.com) wrote:
>> This morning at 14 Jan 2021 08:25:36 GMT all restarted or newly started
>> OpenAFS 1.8 clients and servers began to experience R
On 1/18/2021 11:46 AM, Richard Brittain (richard.britt...@dartmouth.edu)
wrote:
> I'm a bit confused about what versions are affected by this bug. I've got
> mostly 1.8.[56] clients, which I'm upgrading now. My servers are still
> running 1.6.22 and appear to be fine for vos operations
Rainer,
OpenAFS UNIX/Linux clients and server only use the IP addresses in the
CellServDB file. The fully qualified domain names are only used by
OpenAFS Windows clients.
Jeffrey Altman
On 1/29/2021 2:38 PM, RL (rainer.laat...@t-online.de) wrote:
> On the relevant clients, are all three with
Following today's AFS Technology Workshop session many participants met
via Zoom to discuss the proposal to dual-license portions of the OpenAFS
source tree required to build the Linux kernel module under both the IBM
Public License 1.0 and GPLv2. The following preliminary conclusions
were
On 5/9/2021 12:35 PM, Giovanni Bracco (giovanni.bra...@enea.it) wrote:
I have tried to compile openafs-1.6.24 on CentOS 8.3, kernel
4.18.0-240.22.1.el8_3.x86_64.
The build terminates with
fatal error: rpc/types.h: No such file or directory
#include "rpc/types.h"
^
Hi Dan,
Since no one from the OpenAFS community has replied I will chime in.
On 5/25/2021 10:21 AM, Daniel Mezhiborsky
(daniel.mezhibor...@cooper.edu) wrote:
Hello all,
We currently have a relatively small (~250 users, 2TB) AFS cell that I
am planning on retiring soon.
If you are willing
On 6/1/2021 10:24 AM, Giovanni Bracco (giovanni.bra...@enea.it) wrote:
But the real strange thing is that there are 1.8.7 clients that are
sending hundreds of rx ping to this server in less than 30s, messages
like this:
15:50:37.414106 IP cresco4cx021.casaccia.enea.it.afs3-callback >
On 3/29/2021 12:23 AM, Ian Wienand (iwien...@redhat.com) wrote:
A new thing I've noticed after we have upgraded everything to 1.8.6
openstack.org also deployed a new database server and this problem is
most likely due to a failure to synchronize the super-user list onto the
new vlserver. If
On 3/8/2021 7:20 PM, Benjamin Kaduk (ka...@mit.edu) wrote:
On Mon, Mar 08, 2021 at 07:35:19PM +, Martin Kelly wrote:
Below is the LKML LSM thread regarding this. Please let me know if you have any
other questions:
https://www.spinics.net/lists/linux-security-module/msg39081.html
On 9/13/2021 11:35 AM, deb...@lewenberg.com wrote:
> On 9/11/2021 8:44 PM, Jeffrey E Altman wrote:
>> On 9/11/2021 10:57 PM, deb...@lewenberg.com wrote:
>>> buster:
>>> Trying 192.168.225.188 (port 7001):
>>> AFS version: OpenAFS 1.8.2-1+deb10u1-debian 2021-07-
On 9/11/2021 10:57 PM, deb...@lewenberg.com wrote:
> buster:
> Trying 192.168.225.188 (port 7001):
> AFS version: OpenAFS 1.8.2-1+deb10u1-debian 2021-07-21 root@buster-server
This is a totally broken client because of the RX CID bug and it cannot
successfully communicate with any AFS location
On 11/11/2021 7:12 AM, Giovanni Bracco (giovanni.bra...@enea.it) wrote:
> Are all OpenAFS versions 1.6.x and 1.8.x affected by the bug described
> in the enclosed mail?
>
Any version of OpenAFS cache manager configured with a disk cache
running on an impacted el7 kernel is affected. All kernels
On 11/11/2021 9:01 AM, Jeffrey E Altman (jalt...@auristor.com) wrote:
> Any version of OpenAFS cache manager configured with a disk cache
> running on an impacted el7 kernel is affected. All kernels from
> 3.10.0_861.el7 through 3.10.0_1160.42.2.el7 are impacted. When a new
>
On 11/10/2021 3:27 PM, Kendrick Hernandez (kendrick.hernan...@umbc.edu)
wrote:
> Hi all,
>
> We host around 240 departmental and campus web sites (individual afs
> volumes) across 6 virtual web servers on AFS storage. The web servers
> are 4 core, 16G VMs, and the 4 file servers are 4 core 32G
On 12/14/2021 12:51 PM, Kendrick Hernandez (kendrick.hernan...@umbc.edu)
wrote:
>
> On Fri, Dec 10, 2021 at 6:25 PM Jeffrey E Altman
> wrote:
>
> Do you know what the issued DNS queries were for?
>
> We believe they were triggered by requests for /afs/.htaccess, as
>
On 11/29/2021 1:11 PM, Kendrick Hernandez (kendrick.hernan...@umbc.edu)
wrote:
> We were able to narrow the problem down to DNS timeouts from an
> internal DNS server that had reached its limit for NF connection
> tracking. Once that limit was increased, the issue went away.
> Along with some
On 11/24/2021 10:41 PM, Jeffrey E Altman (jalt...@auristor.com) wrote:
> On 11/11/2021 9:01 AM, Jeffrey E Altman (jalt...@auristor.com) wrote:
>> Any version of OpenAFS cache manager configured with a disk cache
>> running on an impacted el7 kernel is affected. All kernels from
On 3/23/2022 11:15 AM, Giovanni Bracco (giovanni.bra...@enea.it) wrote:
> In the documentation for the CellServDB file (both client & server)
> https://docs.openafs.org/Reference/5/CellServDB.html
>
> it is declared that is the "fully qualified hostname"
> that must be provided in the line
On 2/2/2022 6:38 AM, Harald Barth (h...@kth.se) wrote:
> I guess your IP provider lives in the IT world of 2022 where "Internet
> service" consists of mostly TCP/HTTPS and definitely not UDP ;-)
It is unlikely that an ISP is blocking UDP traffic. The most likely
causes are a poorly implemented
On 2/3/2022 2:42 AM, Harald Barth (h...@kth.se) wrote:
> Hi Jeff!
>
>> It is unlikely that an ISP is blocking UDP traffic.
> For some value of "ISP". I have been to Karolinska Institutet who did
> supply Internet through the same "eduroam" cooperation as my home
> university. However, the "AFS
Sounds like the version of pam_krb5 you are attempting to build does not
include support for rxkad-kdf.
https://lists.openafs.org/pipermail/afs3-standardization/2013-July/002738.html
The version of pam_krb5 that supports rxkad-kdf contains a
minikafs_kd_derive() function at minikafs.c line
On 7/7/2022 1:04 PM, Dirk Heinrichs (dirk.heinri...@altum.de) wrote:
Benjamin Kaduk:
Are you aware of pam_afs_session
(https://github.com/rra/pam-afs-session)? Without knowing more about
what you're using pam_krb5 for it's hard to make specific suggestions
about what alternatives might exist.
On 6/27/2022 3:18 PM, Richard Brittain (richard.britt...@dartmouth.edu)
wrote:
> I know this is a long shot, but I've got a no-quota volume of approx
> 6TB, and I'm trying to replicate it. It appears to be going fine
> until the packetRead counter reaches 2^64 and then it stops (doesn't
> abort).
reply inline
On 7/11/2022 4:30 AM, Stephan Wonczak (a0...@rrz.uni-koeln.de) wrote:
Hi Jeffrey,
Thanks for having a look at the problem.
However, I obviously did not do a very good job detailing exactly
what we did ... so here's my next try. Warning: It is going to be
lengthy :-)
First
The virtual 2022 AFS Tech Workshop will take place Tuesday 14 June 2022,
Wednesday 15 June 2022 and Thursday 16 June 2022 from 10am EDT (UTC-4)
until 4pm EDT (UTC-4) each day. Registration is free for speakers and a
nominal US$50.00 otherwise. Proceeds support the OpenAFS Foundation.
This
On 7/15/2022 6:18 PM, Richard Brittain (richard.britt...@dartmouth.edu)
wrote:
On 2022-07-15, 09:04, "Jeffrey E Altman" wrote:
On 7/13/2022 6:07 PM, Richard Brittain (richard.britt...@dartmouth.edu)
wrote:
> I hope that doesn't lead people to expect 'p
The Protection Service groups fall into two categories. Those with
explicit membership lists and those with implicit membership lists.
For example, the "system:anyuser" and "system:authuser" groups are
implicit whereas "system:administrators", "system:ptsviewers", and
On 7/13/2022 6:07 PM, Richard Brittain (richard.britt...@dartmouth.edu)
wrote:
I hope that doesn't lead people to expect 'pts membership system:authuser' to
show all users.
Richard
I'm curious. Why would it be wrong for users to expect 'pts membership
system:authuser' and 'pts membership
et the "pts" command could filter out the existence of
groups -101 and -102. Although I find such options ugly compared to
ensuring that there is no failure when attempting to remove an explicit
user-group membership that is not present.
thanks.
Thank you all for the feedback.
Jeff
On 8/24/2022 12:53 PM, Ben Huntsman (b...@huntsmans.net) wrote:
Here's some configuration info:
Let's say my cell is going to be mydomain.com. My Active Directory
is ad.mydomain.com, and my AFS service account is srvAFS.
When installing Active Directory for a domain "mydomain.com" it
On 8/26/2022 5:13 PM, Ingo van Lil (ing...@gmx.de) wrote:
Hello OpenAFS experts,
is there any way to run an AFS client with both the -dynroot and -afsdb
options, but still limit the /afs mount point to known cells
(specifically: only my home cell)?
There is no explicit support for this
On 8/27/2022 4:34 AM, Harald Barth (h...@kth.se) wrote:
But wait a moment... Can't we assume that all cell names that we
ask in DNS contain at least one dot "." in the middle? I doubt
that there are AFS cells named without dot that we need to
resolve with DNS. What do you think about that?
On 8/23/2022 9:24 PM, Ben Huntsman (b...@huntsmans.net) wrote:
> Hi guys-
> Does anyone have a working krb5.conf that works with Windows 2012
> R2 or newer?
>
> The docs do show how to set up using the new scheme but assume
> Kerberos, not AD. I've tried a few different things but I can't
On 8/28/2022 3:14 AM, jukka.tuomi...@finndesign.fi wrote:
Hi all,
I wonder if anybody has OpenAFS client working with GDM in Ubuntu
22.04 (or 20.04)? That is, allowing users to log into their homedirs
graphically.
The underlying problem is that GDM heavily relies upon processes
launched as
On 9/12/2022 10:10 AM, Jose M Calhariz
(jose.calha...@tecnico.ulisboa.pt) wrote:
Hi,
I have setup a test cell of OpenAFS 1.6.x, Debian 9. For testing the
upgrade to Debian 11. When I do the initial setup of the cell and do
the first aklog I get the following error:
aklog: unknown RPC error
On 9/12/2022 11:49 AM, Jose M Calhariz
(jose.calha...@tecnico.ulisboa.pt) wrote:
To do the setup of the cell I was following the instructions from
Debian 9. So I have done:
kadmin.local
addprinc -randkey -e des-cbc-crc:v4 afs
ktadd -k /root/afs.keytab -e des-cbc-crc:v4 afs
getprinc afs
quit
On 9/14/2022 12:57 PM, Jose M Calhariz
(jose.calha...@tecnico.ulisboa.pt) wrote:
My updated instructions are:
kadmin.local
addprinc -randkey -e aes256-cts-hmac-sha1-96 afs
ktadd -k /root/rxkad.keytab afs
getprinc afs
quit
If your cell name is "your-cell-name.com" then these need to be
On 9/14/2022 2:17 PM, Jose M Calhariz (jose.calha...@tecnico.ulisboa.pt)
wrote:
On Wed, Sep 14, 2022 at 02:00:02PM -0400, Jeffrey E Altman wrote:
If your cell name is "your-cell-name.com" then these need to be
addprinc -randkey -e aes256-cts-hmac-sha1-96 afs/your-cell-name.com
ktad
On 9/20/2022 2:45 PM, Christopher D. Clausen (cclau...@acm.org) wrote:
Back when I ran a cell that people other than me cared about, I had
implemented various checks from:
https://www.eyrie.org/~eagle/software/afs-monitor/
I do not know anything about Zabbix, but I assume it is possible to
On 8/12/2022 12:50 PM, Ben Huntsman (b...@huntsmans.net) wrote:
Hi guys-
So I know IBM released the AFS code to the community at the
beginning and that is what became OpenAFS. But from various release
notes on the IBM site, it would seem that IBM continued (and
continues) to develop its
On 8/12/2022 2:01 PM, Ben Huntsman (b...@huntsmans.net) wrote:
That is about what I thought. I guess I ask because for those of
us who work more with AIX than the other platforms, it would be
interesting and valuable to be able to track the IBM code base as
well, even if that were kept in
On 8/13/2022 1:57 AM, Ben Huntsman (b...@huntsmans.net) wrote:
> After a few tweaks to some of the source files (which I will submit
> later), I have all the code for afs.ext.64 compiling, but it fails to
> link due to a missing symbol .vprintf. The AIX man pages show that
> this is included in
On 8/13/2022 12:20 PM, Ben Huntsman (b...@huntsmans.net) wrote:
Ah, yes, that is what I thought. The problem is that AIX's kernel
doesn't have vprintf. Only printf. However, the change set you
linked indicates that previously, osi_Msg used fprintf, and indeed
that goes all the way back to
On 1/26/2023 10:18 AM, Diogo Castro (diogo.cas...@cern.ch) wrote:
In the next week, CERN will turn off the last two original AFS CERN
VLDB servers (or rather, the machines using their IP addresses). For
reasons related to our network structure and IP allocation, we could
not keep the old IPs
On 7 March Andrew Deason submitted a patch to OpenAFS documenting the
existing behavior of the OpenAFS fileserver when computing Anonymous and
Caller Access Rights if the IPv4 address from which the RXAFS RPC was
received matches a PTS host entry and that PTS entry matches an Access
Control
On 3/22/2023 9:34 AM, Ciprian Craciun (ciprian.crac...@gmail.com) wrote:
On Wed, Mar 22, 2023 at 10:30 AM wrote:
OpenAFS implements its own CoW and using CoW below that again has no benefits and
disturbs the fileservers "free-space" assumptions. It knows when it makes
in-place updates and
On 3/22/2023 3:47 PM, spacefrogg-open...@spacefrogg.net wrote:
OpenAFS does not maintain checksums. Checksums are neither transmitted in
the RXAFS_FetchData and RXAFS_StoreData RPCs messages nor are checksums
stored and compared when reading and writing to the vice partition.
Thanks for
Dear Community,
This year's AFS Technologies Workshop is scheduled for Monday June 12th
to Wednesday June 14th and will be held as a virtual conference
beginning each day at 9:30am EDT (UTC-4) and ending at 3pm EDT (UTC-4).
The deadline for the call for presentations which includes Site
On 3/20/2023 4:21 PM, Jeffrey E Altman (jalt...@auristor.com) wrote:
Proposal:
I propose that OpenAFS treat the current behavior as a bug. The use
of negative rights is discouraged because they are hard to analyze.
It is hoped that their use is rare. If negative rights are not in
use
On 5/2/2023 4:42 PM, Ben Huntsman (b...@huntsmans.net) wrote:
Hi Jeffrey-
Thank you for the quick reply! If I understand you correctly, that
essentially means that there's no way to access the /afs filespace
without setting up some sort of authentication infrastructure, even in
an
On 5/2/2023 12:32 PM, Ben Huntsman (b...@huntsmans.net) wrote:
Hi there!
I'm trying to test a few things without having all the kerberos and
auth stuff in place. I run the following command:
bos setuath off
I'm using Transarc paths, so this creates the NoAuth file in
/usr/afs/local.
On 6/7/2023 5:48 PM, Chad William Seys wrote:
Hi all,
I've been trying to know how to disable PAG, but am having a google
fail. Anyone have pointers.
Thanks!
Chad.
A PAG is something that must be created using pagsh or via a side effect
of a pam module. If you are using pam_afs_session,
On 8/3/2023 9:04 AM, Jan Henrik Sylvester wrote:
... there are now Ubuntu LTS systems without AFS.
Jan,
As a reminder, Ubuntu 22.04 LTS systems include the Linux kernel afs
file system (kafs). As kafs is built as part of the kernel it is always
up-to-date.
To use kafs:
1. apt-get
On 6/16/2023 6:40 AM, Giovanni Bracco wrote:
Dear Tracy, thank you for all the work you have done for this very
interesting workshop!
What about slides and recordings?
As announced at the end of the workshop, the slides and recordings are
available via the Zoom Event Lobby to all attendees
On 6/28/2023 3:54 AM, Jan Henrik Sylvester wrote:
On 6/9/23 13:38, Jan Henrik Sylvester wrote:
- you cannot use snap packaged with a home directory outside /home:
use ppa:mozillateam/ppa for Firefox and Google Chrome instead of
Chromium
Correction: This does not seem to be true anymore.
On 6/28/2023 10:18 AM, Jan Henrik Sylvester wrote:
On 6/28/23 15:02, Jeffrey E Altman wrote:
On 6/28/2023 3:54 AM, Jan Henrik Sylvester wrote:
On 6/9/23 13:38, Jan Henrik Sylvester wrote:
- you cannot use snap packaged with a home directory outside /home:
use ppa:mozillateam/ppa for Firefox
On 5/11/2023 6:20 AM, Richard Feltstykket (rich...@unixboxen.net) wrote:
Hello Everyone,
Perhaps it is widely known already, but I just wanted to share a
process that I have worked out to get a kerberos ticket and an afs
token at login time on MacOS. It seems to work fine for MacOS Ventura
On 5/13/2023 11:44 AM, Jeffrey E Altman (jalt...@auristor.com) wrote:
On 5/11/2023 6:20 AM, Richard Feltstykket (rich...@unixboxen.net) wrote:
Hello Everyone,
Perhaps it is widely known already, but I just wanted to share a
process that I have worked out to get a kerberos ticket and an afs
On 5/3/2023 11:45 AM, Ben Huntsman (b...@huntsmans.net) wrote:
Setting tokens. adUser @ mydomain.com
aklog: a pioctl failed while setting tokens for cell mydomain.com
pioctl issue usually means no cache manager is running
On 1/20/2024 3:49 PM, Sebix wrote:
Hi,
On 1/20/24 21:46, Jeffrey E Altman wrote:
On 1/20/2024 3:32 PM, Sebix wrote:
We already replaced the IP address in /etc/openafs/CellServDB and
restarted the server.
Did you update /etc/openafs/server/CellServDB as well?
yes, the two files
On 1/20/2024 3:32 PM, Sebix wrote:
We already replaced the IP address in /etc/openafs/CellServDB and
restarted the server.
Did you update /etc/openafs/server/CellServDB as well?
Reading the 1.6.24 code more carefully these messages
>Sat Jan 20 16:47:37 2024 ubik: primary address 192.168.1.43 does not
exist
>Sat Jan 20 16:47:37 2024 ubik: No network addresses found, aborting..
are produced from the following actions.
1. 192.168.1.43 is the result of evaluating the