Re: [OpenAFS] Moving volumes between different cell and different realm names

2016-10-11 Thread Benjamin Kaduk
On Tue, 11 Oct 2016, Andreas Ladanyi wrote:

> Am 10.10.2016 um 17:24 schrieb Jeffrey Altman:
> >>> And you need to install the keys from Cell B onto the fileserver.
> >> The old afs server doesn't support rxkad, only single DES.
> >> The new afs server works with rxkad.
> >>
> >> Is this a problem ?
> > I believe you meant to say the new afs server uses rxkad-k5+kdf.
> Yes, thank you  :-)
> >
> > If you have deployed non-DES keys to Cell B, then you cannot move the
> > fileserver from Cell A to Cell B unless you first upgrade the fileserver
> > to a version of OpenAFS that supports rxkad-k5+kdf.
> OK, so I have to upgrade the old afs server (now cell A and in future
> cell B, realm A) to at least release 1.6.5 to use the rxkad-k5+kdf
> extension and copy the non-DES keys from the new afs server (cell B,
> realm B) to the old afs server?
>
> Or, I have to switch the new afs server back to single DES key mode and
> copy the key from the old afs server using single DES to the new afs
> server, but only for the vos move process?

You will need to either upgrade the software on the old server or add back
a DES key to cell B.  It should be possible to generate a random DES key
that is not known to Kerberos, and install that key on all the cell B
machines as well as the old server; that key would then be used for
server-to-server communications from the old server to cell B servers but
nothing else.  (The other cell B servers would not be able to authenticate
to the old server, but I believe they do not need to do so for the volume
move operation you wish to undertake.)

-Ben
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
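Ben's bridge-key approach, scripted as an added example (it is not part of the thread and not OpenAFS's own tooling). The cell name, hostnames and kvno are placeholders; it assumes it runs as root on a host that already holds cell B's key, so -localauth works, and that bos addkey / bos removekey are available as in OpenAFS 1.6. The random passphrase stands in for the "random DES key not known to Kerberos": bos addkey turns it into a single-DES KeyFile entry salted with the cell name, so the same passphrase and kvno yield the same key on every server, and nothing about it is ever registered in the KDC.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenAFS: install one shared
# single-DES "bridge" key on the cell B servers (and, via a KeyFile copy, on
# the pre-1.6.5 server being relocated) so that server can talk to cell B's
# servers during the volume moves, then remove it afterwards.
# Assumptions (placeholders): cell name and hostnames; the kvno; that this
# runs as root on a host already holding cell B's key (for -localauth); and
# that bos addkey / bos removekey are present as in OpenAFS 1.6.
# DRY_RUN=1 prints each command instead of executing it.

CELLB=${CELLB:-cellb.example.org}                 # assumption: cell B name
SERVERS=${SERVERS:-"afs-new.example.org"}         # assumption: all cell B servers
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Show the kvnos already in use on each server. KVNO must be higher than all
# of them: a reused kvno silently replaces the key tokens are currently
# being issued under.
show_keys() {
    for s in "$@"; do
        run bos listkeys -server "$s" -cell "$CELLB" -localauth
    done
}

# Install the bridge key with the same kvno and passphrase everywhere.
# Returns non-zero if any server refused it, so a partial install is noticed.
install_bridge_key() {
    kvno=$1; pass=$2; shift 2
    rc=0
    for s in "$@"; do
        run bos addkey -server "$s" -kvno "$kvno" -key "$pass" \
            -cell "$CELLB" -localauth || rc=1
    done
    return $rc
}

# Remove the bridge key from the same servers once the last vos move is done.
remove_bridge_key() {
    kvno=$1; shift
    rc=0
    for s in "$@"; do
        run bos removekey -server "$s" -kvno "$kvno" -cell "$CELLB" -localauth || rc=1
    done
    return $rc
}

if [ $# -gt 0 ]; then
    KVNO=${KVNO:-5}                   # assumption: pick it after running "list"
    case "$1" in
        list)    show_keys $SERVERS ;;
        install) # random passphrase, generated once and never written to disk
                 PASS=$(head -c 24 /dev/urandom | base64 | tr -d '\n')
                 install_bridge_key "$KVNO" "$PASS" $SERVERS ;;
        remove)  remove_bridge_key "$KVNO" $SERVERS ;;
        *)       echo "usage: $0 list | install | remove" >&2; exit 2 ;;
    esac
fi
```

Run "list" first and set KVNO above every kvno shown, then "install" before the volume moves and "remove" after them. The kvno has to be identical on every server, because rxkad selects the key by kvno. When cell B's real keys live in rxkad.keytab (1.6.5 and later), its KeyFile afterwards contains only the bridge key, so copying that KeyFile to the old server is the "install the keys from Cell B" step for a pre-1.6.5 server. Passing -key on the command line exposes the passphrase in the process list on the host you run from; omit -key and bos addkey prompts for it instead, at the cost of typing it once per server.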


Re: [OpenAFS] Moving volumes between different cell and different realm names

2016-10-11 Thread Andreas Ladanyi
Am 10.10.2016 um 17:24 schrieb Jeffrey Altman:
>>> And you need to install the keys from Cell B onto the fileserver.
>> The old afs server doesn't support rxkad, only single DES.
>> The new afs server works with rxkad.
>>
>> Is this a problem ?
> I believe you meant to say the new afs server uses rxkad-k5+kdf.
Yes, thank you  :-)
>
> If you have deployed non-DES keys to Cell B, then you cannot move the
> fileserver from Cell A to Cell B unless you first upgrade the fileserver
> to a version of OpenAFS that supports rxkad-k5+kdf.
OK, so I have to upgrade the old afs server (now cell A and in future
cell B, realm A) to at least release 1.6.5 to use the rxkad-k5+kdf
extension and copy the non-DES keys from the new afs server (cell B,
realm B) to the old afs server?

Or, I have to switch the new afs server back to single DES key mode and
copy the key from the old afs server using single DES to the new afs
server, but only for the vos move process?


>
> Jeffrey Altman
>
Andreas





Re: [OpenAFS] Moving volumes between different cell and different realm names

2016-10-10 Thread Jeffrey Altman
On 10/10/2016 4:51 AM, Andreas Ladanyi wrote:
> Am 07.10.2016 um 22:58 schrieb Jeffrey Altman:
>>
>>>
>>> I read the thread:
>>> https://lists.openafs.org/pipermail/openafs-info/2009-March/031004.html
>>>
>>> So if i understand the thread and man pages correctly i could do the
>>> following steps:
>> Step 0.  Shutdown all of the AFS services on the server you want to
>> relocate to a new cell.
>>
>>> 1. change entries CellServDB / ThisCell on the old OpenAFS server
>>> (current config is Cell A) to Cell B.
>> And you need to install the keys from Cell B onto the fileserver.
> The old afs server doesn't support rxkad, only single DES.
> The new afs server works with rxkad.
> 
> Is this a problem ?

I believe you meant to say the new afs server uses rxkad-k5+kdf.

If you have deployed non-DES keys to Cell B, then you cannot move the
fileserver from Cell A to Cell B unless you first upgrade the fileserver
to a version of OpenAFS that supports rxkad-k5+kdf.

>>
>> AFS servers do not know or care about the realms.   The servers within a
>> cell all must share the same server configuration (ThisCell, CellServDB,
>> and keys).
>>
>> You cannot move a volume between cells with the OpenAFS vos command.
> I know this. This is the reason why I want to relocate the old afs
> server cell name to the new cell name and then move the volumes.
>>
>> With AuriStorFS it is possible to copy volumes between cells.  A volume
>> once copied can be removed from the source if that is desired.
> So this feature won't be implemented in OpenAFS in the future?

There is nothing that prevents someone from implementing this feature in
OpenAFS.

> What's up with the release of OpenAFS 1.8?

The most recent status report on 1.8 was sent to the openafs-devel
mailing list on Sept 15th.


http://lists.openafs.org/pipermail/openafs-devel/2016-September/020355.html

Since then several of the remaining blocking work items have been merged
into the source tree.  There are still several non-blocking items that
require additional review.

Gerrit item https://gerrit.openafs.org/#/c/12393/ will be used for
development of the NEWS file for the first pre-release.

Jeffrey Altman



Re: [OpenAFS] Moving volumes between different cell and different realm names

2016-10-10 Thread Andreas Ladanyi
Am 07.10.2016 um 22:58 schrieb Jeffrey Altman:
>
>>
>> I read the thread:
>> https://lists.openafs.org/pipermail/openafs-info/2009-March/031004.html
>>
>> So if i understand the thread and man pages correctly i could do the
>> following steps:
> Step 0.  Shutdown all of the AFS services on the server you want to
> relocate to a new cell.
>
>> 1. change entries CellServDB / ThisCell on the old OpenAFS server
>> (current config is Cell A) to Cell B.
> And you need to install the keys from Cell B onto the fileserver.
The old afs server doesn't support rxkad, only single DES.
The new afs server works with rxkad.

Is this a problem ?

>
> AFS servers do not know or care about the realms.   The servers within a
> cell all must share the same server configuration (ThisCell, CellServDB,
> and keys).
>
> You cannot move a volume between cells with the OpenAFS vos command.
I know this. This is the reason why I want to relocate the old afs
server cell name to the new cell name and then move the volumes.
>
> With AuriStorFS it is possible to copy volumes between cells.  A volume
> once copied can be removed from the source if that is desired.
So this feature won't be implemented in OpenAFS in the future?

What's up with the release of OpenAFS 1.8?
>
> Jeffrey Altman
>
>
regards,
Andreas





Re: [OpenAFS] Moving volumes between different cell and different realm names

2016-10-07 Thread Jeffrey Altman
On 10/4/2016 10:28 AM, Andreas Ladanyi wrote:
> Hi,
> 
> I have the following situation:
> 
> old server infrastructure:
> 
> 1 Server: MIT Kerberos server REALM A, OpenLDAP server (without
> principals), OpenAFS 1.6 server cell A
> 
> new server infrastructure:
> 
> 1. Server: FreeIPA 4 server REALM B
> 
> 2. Server: OpenAFS 1.6 Server cell B
> 
> old user client system setup:
> 
> Ubuntu 16.04, MIT Kerberos client using REALM A, OpenLDAP client,
> OpenAFS 1.6 client, using cell A
> 
> plan of new user client system infrastructure (the user client hardware
> won't change):
> 
> Ubuntu 16.04, FreeIPA client 4 using REALM B, OpenAFS 1.6 client using
> cell B
> 
> 
> I read the thread:
> https://lists.openafs.org/pipermail/openafs-info/2009-March/031004.html
> 
> So if I understand the thread and man pages correctly I could do the
> following steps:

Step 0.  Shutdown all of the AFS services on the server you want to
relocate to a new cell.

> 1. change entries CellServDB / ThisCell on the old OpenAFS server
> (current config is Cell A) to Cell B.

And you need to install the keys from Cell B onto the fileserver.

> 2. restart OpenAFS bos server on the old server of Cell A.

When the fileserver starts it will (if properly configured) register
itself with the Location Service in Cell B.  You will be able to see it
listed using

  vos listaddrs

This registration will only register the fileserver's UUID and its IPv4
addresses.  It will not register the vice partitions or any of the
volumes that are located on those vice partitions.

To add the volumes to the Location Service you will have to execute the

  vos syncvldb -server 

I suggest you use the -dryrun and -verbose options the first time to
execute it so you can confirm the desired behavior.  Once the volumes
are listed in the Location Service and are visible using

  vos listvldb

you can then move them.

> 3. On the old AFS Server ( now Cell B ), do a:
> 
> vos move -localauth (as super user from the old server) volumename from
> old OpenAFS server (which is now Cell B) to new OpenAFS server (Cell B)
> 
> 
> So i have some questions:
> 
> Why use vos syncvldb like mentioned in the thread 031004? I think
> vos move should change the vldb entries on the old and the new server?

Answered above.

> Whats up with the different REALMs (REALM A and B) on the old and the
> new server ? I know there are two different afs/cell@REALM service
> principals for the bos server to run, on the old server
> afs/cell_a@REALM_A and on the new server afs/cell_b@REALM_B. So could I
> simply move the volumes as root from the old openafs server changed from
> cell A to cell B and realm A  to new server system cell B / realm B ?

AFS servers do not know or care about the realms.   The servers within a
cell all must share the same server configuration (ThisCell, CellServDB,
and keys).

You cannot move a volume between cells with the OpenAFS vos command.

With AuriStorFS it is possible to copy volumes between cells.  A volume
once copied can be removed from the source if that is desired.

Jeffrey Altman
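The relocation steps laid out above (shut everything down, switch ThisCell/CellServDB/keys to cell B, restart, check vos listaddrs, vos syncvldb with -dryrun and -verbose first, vos listvldb, then vos move) collected into one script, as an added example that is not from the thread and not OpenAFS's own code. The hostnames, the cell name, the config directory /etc/openafs/server, the openafs-server init unit and the staging directory for cell B's files are assumptions, marked as such in the comments.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenAFS: relocate one fileserver
# from cell A into cell B and make its volumes movable there.
# Assumptions (placeholders, edit for your site):
#   OLDSRV     server being relocated (must run OpenAFS 1.6.5+ if cell B's
#              keys are an rxkad.keytab rather than a single-DES KeyFile)
#   NEWSRV     an existing cell B fileserver that receives the volumes
#   CONFDIR    server config dir; /etc/openafs/server is the Debian/Ubuntu
#              layout, /usr/afs/etc the traditional one
#   CELLB_CONF directory on OLDSRV where cell B's ThisCell, CellServDB and
#              KeyFile and/or rxkad.keytab have been staged
#   the server processes are managed by an "openafs-server" init unit
# Runs as root on OLDSRV, authenticating with -localauth.
# DRY_RUN=1 prints each command instead of executing it.

OLDSRV=${OLDSRV:-afs-old.example.org}
NEWSRV=${NEWSRV:-afs-new.example.org}
CELLB=${CELLB:-cellb.example.org}
CONFDIR=${CONFDIR:-/etc/openafs/server}
CELLB_CONF=${CELLB_CONF:-/root/cellb-conf}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 0: stop every AFS service on the server before changing its identity
# (this still authenticates with cell A's key, which is still installed).
stop_services() {
    run bos shutdown -server "$OLDSRV" -wait -localauth
}

# Step 1: replace ThisCell, CellServDB and the keys with cell B's. Servers in
# a cell must share all three, and a cell A key left behind would still be
# accepted for -localauth tokens minted from it, so every existing file is
# moved aside, not merely overwritten where cell B supplies a replacement.
install_cellb_config() {
    for f in ThisCell CellServDB; do
        [ -f "$CELLB_CONF/$f" ] || { echo "missing $CELLB_CONF/$f" >&2; return 1; }
    done
    if [ ! -f "$CELLB_CONF/KeyFile" ] && [ ! -f "$CELLB_CONF/rxkad.keytab" ]; then
        echo "no cell B key material (KeyFile or rxkad.keytab) in $CELLB_CONF" >&2
        return 1
    fi
    for f in ThisCell CellServDB KeyFile rxkad.keytab; do
        if [ -f "$CONFDIR/$f" ]; then
            run mv "$CONFDIR/$f" "$CONFDIR/$f.cellA"      # keep cell A's copy
        fi
        if [ -f "$CELLB_CONF/$f" ]; then
            run cp -p "$CELLB_CONF/$f" "$CONFDIR/$f"
        fi
    done
}

# Step 2: restart bosserver so it reads the new cell configuration; on start
# the fileserver registers its UUID and IPv4 addresses with cell B's VLDB.
restart_server() {
    run systemctl restart openafs-server
}

# Confirm the registration: the server should now be listed in cell B.
list_addrs() {
    run vos listaddrs -printuuid -cell "$CELLB" -localauth
}

# Step 3: registration covers only the server, not its partitions or
# volumes. Seed the VLDB from the vice partitions, dry run first.
sync_vldb() {
    case "${1:-dryrun}" in
        dryrun) run vos syncvldb -server "$OLDSRV" -dryrun -verbose -cell "$CELLB" -localauth ;;
        apply)  run vos syncvldb -server "$OLDSRV" -verbose -cell "$CELLB" -localauth &&
                run vos listvldb -server "$OLDSRV" -cell "$CELLB" -localauth ;;
        *)      echo "sync_vldb: dryrun|apply" >&2; return 1 ;;
    esac
}

# Step 4: with the volumes in cell B's VLDB, move them within cell B.
move_volume() {
    vol=$1; frompart=$2; topart=$3
    run vos move -id "$vol" -fromserver "$OLDSRV" -frompartition "$frompart" \
        -toserver "$NEWSRV" -topartition "$topart" -cell "$CELLB" -localauth
}

if [ $# -gt 0 ]; then
    case "$1" in
        prepare) stop_services && install_cellb_config && restart_server && list_addrs ;;
        sync)    sync_vldb "${2:-dryrun}" ;;
        move)    move_volume "$2" "${3:-a}" "${4:-a}" ;;
        *)       echo "usage: $0 prepare | sync [dryrun|apply] | move volume [frompart] [topart]" >&2; exit 2 ;;
    esac
fi
```

Run "prepare", then "sync dryrun" and read what it would change, then "sync apply", then "move" once per volume. The script refuses to proceed when cell B's ThisCell, CellServDB or key material is missing from the staging directory, since a server started with cell B's CellServDB but cell A's keys would register in cell B yet fail every authenticated request. If the staged key material is an rxkad.keytab, the relocated server must already be running 1.6.5 or later, as noted above.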

