Re: [OpenAFS] Moving volumes between different cell and different realm names
On Tue, 11 Oct 2016, Andreas Ladanyi wrote:

> On 10.10.2016 at 17:24, Jeffrey Altman wrote:
> >>> And you need to install the keys from Cell B onto the fileserver.
> >> The old afs server doesn't support rxkad, only single DES.
> >> The new afs server works with rxkad.
> >>
> >> Is this a problem ?
> > I believe you meant to say the new afs server uses rxkad-k5+kdf.
> Yes, thank you :-)
> >
> > If you have deployed non-DES keys to Cell B, then you cannot move the
> > fileserver from Cell A to Cell B unless you first upgrade the fileserver
> > to a version of OpenAFS that supports rxkad-k5+kdf.
> Ok, so I have to upgrade the old afs server (now cell A and in future
> cell B, realm A) to release minimum of 1.6.5 to use the rxkad-k5+kdf
> extension and copy the non-DES keys from the new afs server (cell B,
> realm B) to the old afs server ?
>
> Or, I have to switch the new afs server back to single DES keys mode and
> copy the key from the old afs server using single DES to the new afs
> server, but only for the vos move process ?

You will need to either upgrade the software on the old server or add
back a DES key to cell B. It should be possible to generate a random DES
key that is not known to Kerberos, and install that key on all the cell B
machines as well as the old server; that key would then be used for
server-to-server communications from the old server to cell B servers but
nothing else. (The other cell B servers would not be able to authenticate
to the old server, but I believe they do not need to do so for the volume
move operation you wish to undertake.)

-Ben

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Moving volumes between different cell and different realm names
On 10.10.2016 at 17:24, Jeffrey Altman wrote:
>>> And you need to install the keys from Cell B onto the fileserver.
>> The old afs server doesn't support rxkad, only single DES.
>> The new afs server works with rxkad.
>>
>> Is this a problem ?
> I believe you meant to say the new afs server uses rxkad-k5+kdf.

Yes, thank you :-)

>
> If you have deployed non-DES keys to Cell B, then you cannot move the
> fileserver from Cell A to Cell B unless you first upgrade the fileserver
> to a version of OpenAFS that supports rxkad-k5+kdf.

Ok, so I have to upgrade the old afs server (now cell A and in future
cell B, realm A) to release minimum of 1.6.5 to use the rxkad-k5+kdf
extension and copy the non-DES keys from the new afs server (cell B,
realm B) to the old afs server ?

Or, I have to switch the new afs server back to single DES keys mode and
copy the key from the old afs server using single DES to the new afs
server, but only for the vos move process ?

>
> Jeffrey Altman
>

Andreas
Re: [OpenAFS] Moving volumes between different cell and different realm names
On 10/10/2016 4:51 AM, Andreas Ladanyi wrote:
> On 07.10.2016 at 22:58, Jeffrey Altman wrote:
>>
>>>
>>> I read the thread:
>>> https://lists.openafs.org/pipermail/openafs-info/2009-March/031004.html
>>>
>>> So if I understand the thread and man pages correctly I could do the
>>> following steps:
>> Step 0. Shut down all of the AFS services on the server you want to
>> relocate to a new cell.
>>
>>> 1. change entries CellServDB / ThisCell on the old OpenAFS server
>>> (current config is Cell A) to Cell B.
>> And you need to install the keys from Cell B onto the fileserver.
> The old afs server doesn't support rxkad, only single DES.
> The new afs server works with rxkad.
>
> Is this a problem ?

I believe you meant to say the new afs server uses rxkad-k5+kdf.

If you have deployed non-DES keys to Cell B, then you cannot move the
fileserver from Cell A to Cell B unless you first upgrade the fileserver
to a version of OpenAFS that supports rxkad-k5+kdf.

>>
>> AFS servers do not know or care about the realms. The servers within a
>> cell all must share the same server configuration (ThisCell, CellServDB,
>> and keys).
>>
>> You cannot move a volume between cells with the OpenAFS vos command.
> I know this. This is the reason why I want to relocate the old afs
> server cell name to the new cell name and then move the volumes.
>>
>> With AuriStorFS it is possible to copy volumes between cells. A volume
>> once copied can be removed from the source if that is desired.
> So this feature won't be implemented in OpenAFS in the future ?

There is nothing that prevents someone from implementing this feature in
OpenAFS.

> What's up with the release of OpenAFS 1.8 ?

The most recent status report on 1.8 was sent to the openafs-devel
mailing list on Sept 15th.

http://lists.openafs.org/pipermail/openafs-devel/2016-September/020355.html

Since then several of the remaining blocking work items have been merged
into the source tree.

There are still several non-blocking items that require additional
review.

Gerrit item https://gerrit.openafs.org/#/c/12393/ will be used for
development of the NEWS file for the first pre-release.

Jeffrey Altman
Re: [OpenAFS] Moving volumes between different cell and different realm names
On 07.10.2016 at 22:58, Jeffrey Altman wrote:
>
>>
>> I read the thread:
>> https://lists.openafs.org/pipermail/openafs-info/2009-March/031004.html
>>
>> So if I understand the thread and man pages correctly I could do the
>> following steps:
> Step 0. Shut down all of the AFS services on the server you want to
> relocate to a new cell.
>
>> 1. change entries CellServDB / ThisCell on the old OpenAFS server
>> (current config is Cell A) to Cell B.
> And you need to install the keys from Cell B onto the fileserver.

The old afs server doesn't support rxkad, only single DES.
The new afs server works with rxkad.

Is this a problem ?

>
> AFS servers do not know or care about the realms. The servers within a
> cell all must share the same server configuration (ThisCell, CellServDB,
> and keys).
>
> You cannot move a volume between cells with the OpenAFS vos command.

I know this. This is the reason why I want to relocate the old afs
server cell name to the new cell name and then move the volumes.

>
> With AuriStorFS it is possible to copy volumes between cells. A volume
> once copied can be removed from the source if that is desired.

So this feature won't be implemented in OpenAFS in the future ?

What's up with the release of OpenAFS 1.8 ?

>
> Jeffrey Altman
>

regards,
Andreas
Re: [OpenAFS] Moving volumes between different cell and different realm names
On 10/4/2016 10:28 AM, Andreas Ladanyi wrote:
> Hi,
>
> I have the following situation:
>
> old server infrastructure:
>
> 1 Server: MIT Kerberos server REALM A, OpenLDAP server (without
> principals), OpenAFS 1.6 server cell A
>
> new server infrastructure:
>
> 1. Server: FreeIPA 4 server REALM B
> 2. Server: OpenAFS 1.6 Server cell B
>
> old user client system setup:
>
> Ubuntu 16.04, MIT Kerberos client using REALM A, OpenLDAP client,
> OpenAFS 1.6 client, using cell A
>
> plan of new user client system infrastructure (the user client hardware
> won't change):
>
> Ubuntu 16.04, FreeIPA client 4 using REALM B, OpenAFS 1.6 client using
> cell B
>
> I read the thread:
> https://lists.openafs.org/pipermail/openafs-info/2009-March/031004.html
>
> So if I understand the thread and man pages correctly I could do the
> following steps:

Step 0. Shut down all of the AFS services on the server you want to
relocate to a new cell.

> 1. change entries CellServDB / ThisCell on the old OpenAFS server
> (current config is Cell A) to Cell B.

And you need to install the keys from Cell B onto the fileserver.

> 2. restart OpenAFS bos server on the old server of Cell A.

When the fileserver starts it will (if properly configured) register
itself with the Location Service in Cell B. You will be able to see it
listed using

  vos listaddrs

This registration will only register the fileserver's UUID and its IPv4
addresses. It will not register the vice partitions or any of the volumes
that are located on those vice partitions.

To add the volumes to the Location Service you will have to execute the

  vos syncvldb -server

I suggest you use the -dryrun and -verbose options the first time you
execute it so you can confirm the desired behavior.

Once the volumes are listed in the Location Service and are visible using

  vos listvldb

you can then move them.

> 3. On the old AFS Server ( now Cell B ), do a:
>
> vos move -localauth (as super user from the old server) volumename from
> old OpenAFS server (which is now Cell B) to new OpenAFS server (Cell B)
>
> So I have some questions:
>
> Why to use vos syncvldb like mentioned in the thread 031004 ? I think
> vos move should change the vldb entries on the old and the new server ?

Answered above.

> What's up with the different REALMs (REALM A and B) on the old and the
> new server ? I know there are two different afs/cell@REALM service
> principals for the bos server to run, on the old server
> afs/cell_a@REALM_A and on the new server afs/cell_b@REALM_B. So could I
> simply move the volumes as root from the old openafs server changed from
> cell A to cell B and realm A to new server system cell B / realm B ?

AFS servers do not know or care about the realms. The servers within a
cell all must share the same server configuration (ThisCell, CellServDB,
and keys).

You cannot move a volume between cells with the OpenAFS vos command.

With AuriStorFS it is possible to copy volumes between cells. A volume
once copied can be removed from the source if that is desired.

Jeffrey Altman
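The relocation procedure Jeffrey Altman lays out above (stop services, switch ThisCell/CellServDB and keys to cell B, restart, register with the Location Service, populate the VLDB with a dry run first, then vos move) as a script. This is an added example, not code from the thread or from the OpenAFS project. It assumes a Debian/Ubuntu server configuration directory of /etc/openafs/server (the Transarc layout is /usr/afs/etc), cell B keys delivered as rxkad.keytab (rxkad-k5+kdf, which needs OpenAFS 1.6.5 or later on the relocated server) or as a DES KeyFile, and an init script named openafs-fileserver; none of those names appear in the thread, so adjust them to your installation. The cell name cell-b.example.org and the volume names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): re-home an OpenAFS 1.6 fileserver from
# cell A to cell B following the steps in the thread, with preflight checks and
# a VLDB dry run before any volume is moved.
# Assumptions (not stated in the thread): server config lives under
# /etc/openafs/server, cell B keys arrive as rxkad.keytab (rxkad-k5+kdf,
# OpenAFS >= 1.6.5) or a DES KeyFile, and the bosserver is started and
# stopped by an init script called openafs-fileserver.

AFS_CONF_DIR="${AFS_CONF_DIR:-/etc/openafs/server}"

# Step 1: point the server at cell B. CellServDB must carry cell B's database
# servers, otherwise the fileserver cannot register with the Location Service.
write_cell_config() { # usage: write_cell_config <confdir> <cell> <cellservdb-src>
    confdir=$1; cell=$2; csdb=$3
    [ -f "$csdb" ] || { echo "missing CellServDB source: $csdb" >&2; return 1; }
    grep -q "^>$cell" "$csdb" || { echo "$csdb has no >$cell entry" >&2; return 1; }
    mkdir -p "$confdir"
    printf '%s\n' "$cell" > "$confdir/ThisCell"
    cp "$csdb" "$confdir/CellServDB"
}

# Every server in a cell must share ThisCell, CellServDB and keys; refuse to
# go on until all three are in place for cell B.
preflight() { # usage: preflight <confdir> <cell>
    confdir=$1; cell=$2
    [ "$(cat "$confdir/ThisCell" 2>/dev/null)" = "$cell" ] \
        || { echo "ThisCell is not $cell" >&2; return 1; }
    grep -q "^>$cell" "$confdir/CellServDB" 2>/dev/null \
        || { echo "CellServDB has no >$cell entry" >&2; return 1; }
    [ -s "$confdir/rxkad.keytab" ] || [ -s "$confdir/KeyFile" ] \
        || { echo "no rxkad.keytab or KeyFile for $cell in $confdir" >&2; return 1; }
}

# Steps 0, 2 and 3 as a reviewable command list. Nothing is executed here:
# inspect the output, then pipe it into sh as root on the relocated server
# (-localauth reads the server key from the config directory).
plan() { # usage: plan <old-server> <old-part> <new-server> <new-part> <cell> <volume>...
    old=$1; oldpart=$2; new=$3; newpart=$4; cell=$5; shift 5
    cat <<EOF
# step 0: stop all AFS services on $old while it is still in the old cell
bos shutdown -server $old -localauth -wait
service openafs-fileserver stop
# step 1 (done by write_cell_config + installing cell $cell keys), then
# step 2: start the bosserver; the fileserver registers only its UUID/addresses
service openafs-fileserver start
vos listaddrs -cell $cell -localauth
# add the volumes on $old to the VLDB: dry run first, then for real
vos syncvldb -server $old -cell $cell -localauth -verbose -dryrun
vos syncvldb -server $old -cell $cell -localauth -verbose
vos listvldb -server $old -cell $cell
# step 3: both servers are now in cell $cell, so vos move works
EOF
    for vol in "$@"; do
        echo "vos move -id $vol -fromserver $old -frompartition $oldpart" \
             "-toserver $new -topartition $newpart -cell $cell -localauth"
    done
}
```

Typical use: `write_cell_config "$AFS_CONF_DIR" cell-b.example.org /path/to/cellB.CellServDB`, copy cell B's rxkad.keytab (or KeyFile) into the directory, run `preflight "$AFS_CONF_DIR" cell-b.example.org`, then `plan oldfs a newfs a cell-b.example.org user.andreas | sh`. The plan deliberately prints rather than runs the commands so the dry-run syncvldb output can be read before the real sync rewrites VLDB entries. As the thread notes, if cell B has only non-DES keys, the relocated server must already be running a release with rxkad-k5+kdf support or the preflight key check is satisfied in name only and the server will fail to authenticate to cell B.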