Re: [OpenAFS] Check free space on AFS share before login

2017-02-02 Thread Stephan Wiesand
Hmm, it should work in any case. The message can be suppressed with the -noauth 
option for vos.

> On 2 Feb 2017, at 14:42, Richter, Michael  wrote:
> 
> OK, did so. But: running "vos examine" in a shell works. If I put the same 
> line into a script and call this script on the same shell, it doesn't work 
> and gives me this error:
> 
> vsu_ClientInit: Could not get afs tokens, running unauthenticated.

-- 
Stephan Wiesand
DESY -DV-
Platanenallee 6
15738 Zeuthen, Germany



___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Check free space on AFS share before login

2017-02-02 Thread Stephan Wiesand

> On 2 Feb 2017, at 12:43, Richter, Michael  wrote:
> 
> Actually trying... The message comes to the user in LightDM. But I don't have 
> access to the AFS share of the user. I assume it's because pam_exec runs 
> before pam_afs_session:
> 
> -- /etc/pam.d/common-auth
> ~~~
> auth[success=3 default=ignore]  pam_krb5.so minimum_uid=1000
> auth[success=2 default=ignore]  pam_unix.so nullok_secure 
> try_first_pass
> 
> # auth against two domains via LDAP
> auth[success=1 default=ignore]  pam_sss.so use_first_pass 
> 
> authrequisite   pam_deny.so
> authrequiredpam_permit.so
> 
> # mount OwnCloud via webdav
> authoptionalpam_mount.so 
> 
> authoptionalpam_afs_session.so
> authoptionalpam_cap.so
> 
> # check free space in AFS
> authrequisite   pam_exec.so stdout seteuid /opt/check_free.sh
> ~~~
> 
> pam_afs_session is optional because there are users from another domain 
> without an AFS share. The check_free script checks this by itself. I've set 
> it to required too. But still the same. The script doesn't have access to the 
> AFS share. According to the manual of PAM there is no way to set an order.
> 
> Maybe this doesn't work because it's in the PAM process?
> 
> Any hints?

First, let me second Jonathan's objection to produce any output in the common 
pam stack. I'd really really put it into /etc/pam.d/lightdm (right after the 
@include common-auth).

And you don't need read access to the volume root in order to find out. Parsing 
the output of "vos examine -format" should be simple enough.
 
-- 
Stephan Wiesand
DESY -DV-
Platanenallee 6
15738 Zeuthen, Germany



___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Check free space on AFS share before login

2017-02-02 Thread Stephan Wiesand

> On 2 Feb 2017, at 08:37, Richter, Michael  wrote:
> 
> And the output will be shown in LightDM? I'll give that a try.

Better yet, something like this just works as one would hope:

echo WARNING: Your home directory is almost full.
echo Hit Enter to try to log in, but it may fail.
echo If it does, press Ctrl-Alt-F2, log in on the
echo text screen and free some space. Then log out
echo and press Alt-F7 to get back here.
exit 0

- Stephan

> -UrsprĂźngliche Nachricht-
> Von: Stephan Wiesand [mailto:stephan.wies...@desy.de] 
> Gesendet: Mittwoch, 1. Februar 2017 13:08
> An: openafs-info@openafs.org
> Cc: Richter, Michael
> Betreff: Re: [OpenAFS] Check free space on AFS share before login
> 
> Hi Michael,
> 
>> On 1 Feb 2017, at 11:08, Richter, Michael  wrote:
>> 
>> Hi,
>> we are using  OpenAFS for the home drive. /home/users is a symlink to the 
>> AFS path with all the home shares. The users home is for example 
>> /home/users/username.
>> 
>> The users only have 1 GB of space available in that share. It often happens 
>> that the quota is reached and they are unable to login. Ubuntu doesn’t 
>> give a meaningful error message. I think, Ubuntu doesn’t know what’s the 
>> problem, because it sees only “/” as mountpoint, which has enough free 
>> space available.
>> 
>> Is there a way to check the free space of the user on login and give the 
>> user a good error message if there is not enough free space available in the 
>> AFS share?
> 
> nice idea... I should probably implement that here. Something like
> 
> auth required pam_exec.so stdout /bin/check_home_space
> 
> should work well enough at least with lightdm. Just make the script print a 
> short message to stdout and exit 1 in the failure case.
> 
> Hth
>   Stephan
> 
>> 
>> I think about using pam-script to run a script that checks it but I can’t 
>> see a way to bring back that message to the user. Also pam-afs-session seems 
>> not to have some option for that. Is there some other solution?
>> 
>> Greetings
>> Michael

-- 
Stephan Wiesand
DESY -DV-
Platanenallee 6
15738 Zeuthen, Germany



___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Check free space on AFS share before login

2017-02-01 Thread Jeffrey Altman
On 2/1/2017 5:08 AM, Richter, Michael wrote:
> Hi,
> 
> we are using  OpenAFS for the home drive. /home/users is a symlink to
> the AFS path with all the home shares. The users home is for example
> /home/users/username.
> 
> The users only have 1 GB of space available in that share. It often
> happens that the quota is reached and they are unable to login. Ubuntu
> doesn’t give a meaningful error message. I think, Ubuntu doesn’t know
> what’s the problem, because it sees only “/” as mountpoint, which has
> enough free space available.

The OpenAFS Unix cache manager exposes AFS mount points as directories
not as symlinks and not as mount points.  From the perspective of
applications all of /afs is a single device consisting of every AFS
volume in the world.

In addition, while the file server offers the RXAFS_GetVolumeStatus RPC
which returns

 . the size of the partition
 . the amount of free space on the partition
 . the size of the volume quota (if any)
 . the remaining free volume quota (if any)

the OpenAFS Unix cache manager never queries it.  As a result, the
application only finds out that partition is full or the quota exceeded
during the close() system call.  If the quota is 2MB and an application
opens a file and writes 100MB and then closes the file without checking
the error code, the data is lost and the application believes the data
was written to the file server successfully.

As others have indicated, this is not how the Windows cache manager
works.  The Windows cache manager is aware of how much free space the
volume has and returns an error to the application as soon as the free
space reaches zero.  In addition, because the Windows cache manager
exposes each AFS volume as a separate device, it is possible to:

 . report some volumes as readonly and others as read/write
 . return accurate volume size and free space info for each path
 . report accurate quota information for each path
 . return out of space and out of quota errors on one path without
   causing the VFS to report those same errors on other paths

David Howell's kafs, the Linux in-tree AFS client, behaves in a manner
similar to the Windows client.

  https://www.infradead.org/~dhowells/kafs/

kafs requires testing, it requires that end user organizations inform
their preferred Linux distributions that building and distributing kafs
is important.  AuriStor, Inc. supports David Howells' development of
kafs.  Others should as well.

Jeffrey Altman



<>

smime.p7s
Description: S/MIME Cryptographic Signature


Re: [OpenAFS] Check free space on AFS share before login

2017-02-01 Thread Stephan Wiesand

On Feb 1, 2017, at 15:42 , Jonathan Billings wrote:

> On Wed, Feb 01, 2017 at 01:07:30PM +0100, Stephan Wiesand wrote:
>> nice idea... I should probably implement that here. Something like
>> 
>> auth required pam_exec.so stdout /bin/check_home_space
>> 
>> should work well enough at least with lightdm. Just make the script
>> print a short message to stdout and exit 1 in the failure case. 
> 
> You really shouldn't have PAM generate standard output for successful
> logins. You will break things like SSH's SFTP.

I wasn't suggesting that, sorry for being unclear. I think this should
be added to the lightdm pam config only (will login through ssh or on
a VT even fail if there's no space left in ~ ?). And on success, the
check script clearly shouldn't print anything to stdout and exit 0.

> We do something like this on our RHEL7 workstations, and we have
> zenity pop up with a warning when they log in if their home
> directory's quota is greater than 95% full.  It runs as an script
> launched from a .desktop file in /etc/xdg/autostart/.

Makes sense, but I think none of this will work if ~ is already 100% full.
You'll just be thrown back to the display manager's login screen w/o a
meaningful error message (maybe that "your session was suspiciously short"
dialog, but I'm not sure that's still present in EL7).

> For console logins, I'd probably use a script in /etc/profile.d/ that
> detected that it was a console login and generate all the output to
> stderr, just in case.  But considering that people don't read the MOTD
> I doubt they'd read warnings like that.

-- 
Stephan Wiesand
DESY -DV-
Platanenenallee 6
15738 Zeuthen, Germany

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Check free space on AFS share before login

2017-02-01 Thread Jonathan Billings
On Wed, Feb 01, 2017 at 01:07:30PM +0100, Stephan Wiesand wrote:
> nice idea... I should probably implement that here. Something like
> 
> auth required pam_exec.so stdout /bin/check_home_space
> 
> should work well enough at least with lightdm. Just make the script
> print a short message to stdout and exit 1 in the failure case. 

You really shouldn't have PAM generate standard output for successful
logins. You will break things like SSH's SFTP.

We do something like this on our RHEL7 workstations, and we have
zenity pop up with a warning when they log in if their home
directory's quota is greater than 95% full.  It runs as an script
launched from a .desktop file in /etc/xdg/autostart/.

For console logins, I'd probably use a script in /etc/profile.d/ that
detected that it was a console login and generate all the output to
stderr, just in case.  But considering that people don't read the MOTD
I doubt they'd read warnings like that.

-- 
Jonathan Billings 

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Check free space on AFS share before login

2017-02-01 Thread Stephan Wiesand

> On 1 Feb 2017, at 13:15, Harald Barth  wrote:
> 
> I think the problem is well known and what one would need to do is to
> make (at every travesal of an AFS mount point) the OS aware of that
> the AFS volume in question is a seperate "device". Then make the
> statfs syscall on that path return the quota info from AFS. This has
> of course to happen dynamically as you make your way through the AFS
> space.
> 
> This would make every volume look as a seperate file system. There
> are pros and cons in that approach.

I think this is what the in-kernel client does. It's probably the only
way to make AFS compatible with Linux's firm beliefs regarding filesystems
(like that there's only one path to an object in them).

> I think noone has written the code (for Unix/Linux) yet, but the

Andrew Deason whipped up some proof of concept code a while ago. I have
no idea how close this is to something one would consider using, and it
wasn't pursued further. But it's still available:

https://gerrit.openafs.org/#/q/status:open+project:openafs+branch:openafs-stable-1_6_x+topic:linux-mtpt-bindmount

If anyone wants to take off from there...

> Windows client might do this, but I'm by no means someone who knows
> something about AFS on Windows ;-)
> 
> At our site, so far, is has been cheaper to multiply all quotas by 2
> whenever the problem arose again.

-- 
Stephan Wiesand
DESY -DV-
Platanenallee 6
15738 Zeuthen, Germany



___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Check free space on AFS share before login

2017-02-01 Thread Harald Barth


I think the problem is well known and what one would need to do is to
make (at every travesal of an AFS mount point) the OS aware of that
the AFS volume in question is a seperate "device". Then make the
statfs syscall on that path return the quota info from AFS. This has
of course to happen dynamically as you make your way through the AFS
space.

This would make every volume look as a seperate file system. There
are pros and cons in that approach.

I think noone has written the code (for Unix/Linux) yet, but the
Windows client might do this, but I'm by no means someone who knows
something about AFS on Windows ;-)

At our site, so far, is has been cheaper to multiply all quotas by 2
whenever the problem arose again.

Und Tschüß,
Harald.
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Check free space on AFS share before login

2017-02-01 Thread Stephan Wiesand
Hi Michael,

> On 1 Feb 2017, at 11:08, Richter, Michael  wrote:
> 
> Hi,
> we are using  OpenAFS for the home drive. /home/users is a symlink to the AFS 
> path with all the home shares. The users home is for example 
> /home/users/username.
>  
> The users only have 1 GB of space available in that share. It often happens 
> that the quota is reached and they are unable to login. Ubuntu doesn’t give a 
> meaningful error message. I think, Ubuntu doesn’t know what’s the problem, 
> because it sees only “/” as mountpoint, which has enough free space available.
>  
> Is there a way to check the free space of the user on login and give the user 
> a good error message if there is not enough free space available in the AFS 
> share?

nice idea... I should probably implement that here. Something like

auth required pam_exec.so stdout /bin/check_home_space

should work well enough at least with lightdm. Just make the script print a 
short message to stdout and exit 1 in the failure case.

Hth
Stephan

>  
> I think about using pam-script to run a script that checks it but I can’t see 
> a way to bring back that message to the user. Also pam-afs-session seems not 
> to have some option for that. Is there some other solution?
>  
> Greetings
> Michael

-- 
Stephan Wiesand
DESY -DV-
Platanenallee 6
15738 Zeuthen, Germany



___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info