Re: [OpenAFS] Check free space on AFS share before login
Hmm, it should work in any case. The message can be suppressed with the -noauth option for vos. > On 2 Feb 2017, at 14:42, Richter, Michael wrote: > > OK, did so. But: running "vos examine" in a shell works. If I put the same > line into a script and call this script on the same shell, it doesn't work > and gives me this error: > > vsu_ClientInit: Could not get afs tokens, running unauthenticated. -- Stephan Wiesand DESY -DV- Platanenallee 6 15738 Zeuthen, Germany ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Check free space on AFS share before login
> On 2 Feb 2017, at 12:43, Richter, Michael wrote: > > Actually trying... The message comes to the user in LightDM. But I don't have > access to the AFS share of the user. I assume it's because pam_exec runs > before pam_afs_session: > > -- /etc/pam.d/common-auth > ~~~ > auth[success=3 default=ignore] pam_krb5.so minimum_uid=1000 > auth[success=2 default=ignore] pam_unix.so nullok_secure > try_first_pass > > # auth against two domains via LDAP > auth[success=1 default=ignore] pam_sss.so use_first_pass > > authrequisite pam_deny.so > authrequiredpam_permit.so > > # mount OwnCloud via webdav > authoptionalpam_mount.so > > authoptionalpam_afs_session.so > authoptionalpam_cap.so > > # check free space in AFS > authrequisite pam_exec.so stdout seteuid /opt/check_free.sh > ~~~ > > pam_afs_session is optional because there are users from another domain > without an AFS share. The check_free script checks this by itself. I've set > it to required too. But still the same. The script doesn't have access to the > AFS share. According to the manual of PAM there is no way to set an order. > > Maybe this doesn't work because it's in the PAM process? > > Any hints? First, let me second Jonathan's objection to produce any output in the common pam stack. I'd really really put it into /etc/pam.d/lightdm (right after the @include common-auth). And you don't need read access to the volume root in order to find out. Parsing the output of "vos examine -format" should be simple enough. -- Stephan Wiesand DESY -DV- Platanenallee 6 15738 Zeuthen, Germany ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Check free space on AFS share before login
> On 2 Feb 2017, at 08:37, Richter, Michael wrote: > > And the output will be shown in LightDM? I'll give that a try. Better yet, something like this just works as one would hope: echo WARNING: Your home directory is almost full. echo Hit Enter to try to log in, but it may fail. echo If it does, press Ctrl-Alt-F2, log in on the echo text screen and free some space. Then log out echo and press Alt-F7 to get back here. exit 0 - Stephan > -UrsprĂźngliche Nachricht- > Von: Stephan Wiesand [mailto:stephan.wies...@desy.de] > Gesendet: Mittwoch, 1. Februar 2017 13:08 > An: openafs-info@openafs.org > Cc: Richter, Michael > Betreff: Re: [OpenAFS] Check free space on AFS share before login > > Hi Michael, > >> On 1 Feb 2017, at 11:08, Richter, Michael wrote: >> >> Hi, >> we are using OpenAFS for the home drive. /home/users is a symlink to the >> AFS path with all the home shares. The users home is for example >> /home/users/username. >> >> The users only have 1 GB of space available in that share. It often happens >> that the quota is reached and they are unable to login. Ubuntu doesnât >> give a meaningful error message. I think, Ubuntu doesnât know whatâs the >> problem, because it sees only â/â as mountpoint, which has enough free >> space available. >> >> Is there a way to check the free space of the user on login and give the >> user a good error message if there is not enough free space available in the >> AFS share? > > nice idea... I should probably implement that here. Something like > > auth required pam_exec.so stdout /bin/check_home_space > > should work well enough at least with lightdm. Just make the script print a > short message to stdout and exit 1 in the failure case. > > Hth > Stephan > >> >> I think about using pam-script to run a script that checks it but I canât >> see a way to bring back that message to the user. Also pam-afs-session seems >> not to have some option for that. Is there some other solution? >> >> Greetings >> Michael -- Stephan Wiesand DESY -DV- Platanenallee 6 15738 Zeuthen, Germany ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Check free space on AFS share before login
On 2/1/2017 5:08 AM, Richter, Michael wrote: > Hi, > > we are using OpenAFS for the home drive. /home/users is a symlink to > the AFS path with all the home shares. The users home is for example > /home/users/username. > > The users only have 1 GB of space available in that share. It often > happens that the quota is reached and they are unable to login. Ubuntu > doesn’t give a meaningful error message. I think, Ubuntu doesn’t know > what’s the problem, because it sees only “/” as mountpoint, which has > enough free space available. The OpenAFS Unix cache manager exposes AFS mount points as directories not as symlinks and not as mount points. From the perspective of applications all of /afs is a single device consisting of every AFS volume in the world. In addition, while the file server offers the RXAFS_GetVolumeStatus RPC which returns . the size of the partition . the amount of free space on the partition . the size of the volume quota (if any) . the remaining free volume quota (if any) the OpenAFS Unix cache manager never queries it. As a result, the application only finds out that partition is full or the quota exceeded during the close() system call. If the quota is 2MB and an application opens a file and writes 100MB and then closes the file without checking the error code, the data is lost and the application believes the data was written to the file server successfully. As others have indicated, this is not how the Windows cache manager works. The Windows cache manager is aware of how much free space the volume has and returns an error to the application as soon as the free space reaches zero. In addition, because the Windows cache manager exposes each AFS volume as a separate device, it is possible to: . report some volumes as readonly and others as read/write . return accurate volume size and free space info for each path . report accurate quota information for each path . return out of space and out of quota errors on one path without causing the VFS to report those same errors on other paths David Howell's kafs, the Linux in-tree AFS client, behaves in a manner similar to the Windows client. https://www.infradead.org/~dhowells/kafs/ kafs requires testing, it requires that end user organizations inform their preferred Linux distributions that building and distributing kafs is important. AuriStor, Inc. supports David Howells' development of kafs. Others should as well. Jeffrey Altman <> smime.p7s Description: S/MIME Cryptographic Signature
Re: [OpenAFS] Check free space on AFS share before login
On Feb 1, 2017, at 15:42 , Jonathan Billings wrote: > On Wed, Feb 01, 2017 at 01:07:30PM +0100, Stephan Wiesand wrote: >> nice idea... I should probably implement that here. Something like >> >> auth required pam_exec.so stdout /bin/check_home_space >> >> should work well enough at least with lightdm. Just make the script >> print a short message to stdout and exit 1 in the failure case. > > You really shouldn't have PAM generate standard output for successful > logins. You will break things like SSH's SFTP. I wasn't suggesting that, sorry for being unclear. I think this should be added to the lightdm pam config only (will login through ssh or on a VT even fail if there's no space left in ~ ?). And on success, the check script clearly shouldn't print anything to stdout and exit 0. > We do something like this on our RHEL7 workstations, and we have > zenity pop up with a warning when they log in if their home > directory's quota is greater than 95% full. It runs as an script > launched from a .desktop file in /etc/xdg/autostart/. Makes sense, but I think none of this will work if ~ is already 100% full. You'll just be thrown back to the display manager's login screen w/o a meaningful error message (maybe that "your session was suspiciously short" dialog, but I'm not sure that's still present in EL7). > For console logins, I'd probably use a script in /etc/profile.d/ that > detected that it was a console login and generate all the output to > stderr, just in case. But considering that people don't read the MOTD > I doubt they'd read warnings like that. -- Stephan Wiesand DESY -DV- Platanenenallee 6 15738 Zeuthen, Germany ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Check free space on AFS share before login
On Wed, Feb 01, 2017 at 01:07:30PM +0100, Stephan Wiesand wrote: > nice idea... I should probably implement that here. Something like > > auth required pam_exec.so stdout /bin/check_home_space > > should work well enough at least with lightdm. Just make the script > print a short message to stdout and exit 1 in the failure case. You really shouldn't have PAM generate standard output for successful logins. You will break things like SSH's SFTP. We do something like this on our RHEL7 workstations, and we have zenity pop up with a warning when they log in if their home directory's quota is greater than 95% full. It runs as an script launched from a .desktop file in /etc/xdg/autostart/. For console logins, I'd probably use a script in /etc/profile.d/ that detected that it was a console login and generate all the output to stderr, just in case. But considering that people don't read the MOTD I doubt they'd read warnings like that. -- Jonathan Billings ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Check free space on AFS share before login
> On 1 Feb 2017, at 13:15, Harald Barth wrote: > > I think the problem is well known and what one would need to do is to > make (at every travesal of an AFS mount point) the OS aware of that > the AFS volume in question is a seperate "device". Then make the > statfs syscall on that path return the quota info from AFS. This has > of course to happen dynamically as you make your way through the AFS > space. > > This would make every volume look as a seperate file system. There > are pros and cons in that approach. I think this is what the in-kernel client does. It's probably the only way to make AFS compatible with Linux's firm beliefs regarding filesystems (like that there's only one path to an object in them). > I think noone has written the code (for Unix/Linux) yet, but the Andrew Deason whipped up some proof of concept code a while ago. I have no idea how close this is to something one would consider using, and it wasn't pursued further. But it's still available: https://gerrit.openafs.org/#/q/status:open+project:openafs+branch:openafs-stable-1_6_x+topic:linux-mtpt-bindmount If anyone wants to take off from there... > Windows client might do this, but I'm by no means someone who knows > something about AFS on Windows ;-) > > At our site, so far, is has been cheaper to multiply all quotas by 2 > whenever the problem arose again. -- Stephan Wiesand DESY -DV- Platanenallee 6 15738 Zeuthen, Germany ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Check free space on AFS share before login
I think the problem is well known and what one would need to do is to make (at every travesal of an AFS mount point) the OS aware of that the AFS volume in question is a seperate "device". Then make the statfs syscall on that path return the quota info from AFS. This has of course to happen dynamically as you make your way through the AFS space. This would make every volume look as a seperate file system. There are pros and cons in that approach. I think noone has written the code (for Unix/Linux) yet, but the Windows client might do this, but I'm by no means someone who knows something about AFS on Windows ;-) At our site, so far, is has been cheaper to multiply all quotas by 2 whenever the problem arose again. Und Tschüß, Harald. ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Check free space on AFS share before login
Hi Michael, > On 1 Feb 2017, at 11:08, Richter, Michael wrote: > > Hi, > we are using OpenAFS for the home drive. /home/users is a symlink to the AFS > path with all the home shares. The users home is for example > /home/users/username. > > The users only have 1 GB of space available in that share. It often happens > that the quota is reached and they are unable to login. Ubuntu doesn’t give a > meaningful error message. I think, Ubuntu doesn’t know what’s the problem, > because it sees only “/” as mountpoint, which has enough free space available. > > Is there a way to check the free space of the user on login and give the user > a good error message if there is not enough free space available in the AFS > share? nice idea... I should probably implement that here. Something like auth required pam_exec.so stdout /bin/check_home_space should work well enough at least with lightdm. Just make the script print a short message to stdout and exit 1 in the failure case. Hth Stephan > > I think about using pam-script to run a script that checks it but I can’t see > a way to bring back that message to the user. Also pam-afs-session seems not > to have some option for that. Is there some other solution? > > Greetings > Michael -- Stephan Wiesand DESY -DV- Platanenallee 6 15738 Zeuthen, Germany ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info