[OpenAFS] What changed with 1.3.74?
Charles McIntyre
mcintyre@ucsc.edu
Fri, 12 Aug 2005 06:33:18 -0700
This is strange, since I'm not using the 524=20
registry entry. I'm not sure how this is functioning at all now...
Charles
At 06:06 AM 8/12/2005, Jeffrey Altman wrote:
>Charles McIntyre wrote:
>
> > Thanks for the response, Jeffrey.
> >
> > I'm mostly concerned with the change between 1.3.73 and 1.3.74 since
> > anything after 1.3.73 breaks in our environment.
> >
> > Our servers are TransArc v3.6 and the admins are too overwhelmed with
> > other priorities to update it, which is very unfortunate. I don't
> > believe it supports K5.
>
>It does not support Kerberos 5. This means that you can't use the
>Kerberos 5 based tokens that OpenAFS 1.3.xx obtains by default. You
>must obtain Kerberos 4 based tokens.
>
> > I've poured through afs-install-notes and have found some gems, but also
> > found some confusing points:
> > "If KFW is installed, the Integrated Logon will use Kerberos 5 to obtain
> > tokens. Otherwise, Kerberos 4 is used."
>
>This is true. When KFW is installed, tokens will be obtained using
>Kerberos 5 and perhaps converted to Kerberos 4 format with the krb524d.
> Kerberos 4 will never be used.
>
> > This is confusing, since our installation uses Integrated Logon and KFW,
> > but I believe we can only get tokens with K4 tickets because of the
> > TransArc server. I did a couple days of testing NOT using Integrated
> > logon because this verbage led me to believe it would be requesting a
> > token with a K5 ticket from our servers. When I finally did install
> > using the Int. Logon option, I was very surprised when 1.3.73 worked.
>
>Are you using the registry entry to use the 524 daemon?
>
> > In terms of what is not working:
> > Any version past 1.3.73 (even on a clean bare XP SP2 box), will hang
> > Explorer when I attempt to map an afs path using the afscreds GUI or cmd
> > line "net use x: //afs/cats.ucsc.edu/users/t/mcintyre". We have a
> > cross-realm authentication scheme, so KFW gets the tickets
> > automatically. I disable AFS tokens within KFW, because I found that it
> > confuses the AFS client (this might have been fixed, dunno). THe
> > workstations are used in general access labs, so we run a script that
> > runs afscreds -a -q, finds their AFS path via LDAP, creates a submount
> > (I know you're against this now), and maps the X: drive to //afs/home.
> > For testing, I've disabled the logon script and ran it all by hand.
> > Everything works like a charm until I actually try to mount an AFS path.
> >
> > 1.3.73 seems to be working well now, but we're very concerned about it
> > and we've put it on "probation". During the summer, we've had about 10%
> > of the lab machines hang at login when the AFS script runs. Since this
> > failure rate is unacceptable, and we're very concerned that some new
> > hotfix will break the version of the AFS client that we're stuck at,
> > we're starting to research other methods of accessing the user's home
> > directory, like Explorer integrated SFTP clients (MKS, Hummingbird, Web
> > Drive, etc). It's currently contentious, since I'm advocating for the
> > SSO aspects of AFS, but others in our group are concerned about
> > stability and reliability... I wish I could wave my magic wand and have
> > our AFS servers updated, but that's not going to happen any time soon.
>
>Can you provide remote access to a machine that is experiencing the=
problem?
>
>Can you provide such a machine with a debug version of 1.3.87 and the
>Microsoft Debugging Tools for Windows?
>
>Jeffrey Altman
>
> > Charles
> >
> >
> >
> >
> > At 02:37 PM 8/10/2005, Jeffrey Altman wrote:
> >
> >> Charles McIntyre wrote:
> >> > We've been able to get OpenAFS 1.3.73 with KfW 2.6.5 to work with our
> >> > cross-realm Kerberos login, but any version after that breaks=
Windows.
> >> >
> >> > What changed from 1.3.73 to 1.3.74 and subsequent versions? I
> >> looked at
> >> > the changes doc, but nothing rang out...
> >> >
> >> > We've even tried installing 1.3.74+ on a base XP Pro SP2 system and=
it
> >> > still hangs explorer. I'm wondering if it has something to do with=
our
> >> > server software.
> >> >
> >> > Any ideas?
> >> >
> >> > Thanks!
> >> > Charles
> >>
> >> Lots of things have changed since 1.3.73.
> >>
> >> What is the version of the servers in your cell? Does it support
> >> Kerberos 5? (aka OpenAFS 1.2.8 or higher?)
> >>
> >> Have you followed the debugging instructions in the
> >> afs-install-notes.txt file?
> >>
> >> What is not working? Integrated Login? Obtaining tokens with the
> >> AFS System Tray tool?
> >>
> >> Jeffrey Altman
> >>
> >
> >
> >
> > =BA=B0`=B0=BA=A4=F8=A4=BA=B0`=B0=BA=A4=F8=F8=A4=BA=B0`=B0=BA=A4=F8=A4=BA=
=B0`=B0=BA=A4=F8=F8=A4=BA=B0`=B0=BA=A4
> >
> > Charles McIntyre
> > PC/UNIX Systems Engineer
> > Instructional Computing
> > Information Technology Services, UCSC
> > ph: 831/459-5746
> > fx: 831/459-2914
> >
> > got a question? see http://ic.ucsc.edu/help
>
=BA=B0`=B0=BA=A4=F8=A4=BA=B0`=B0=BA=A4=F8=F8=A4=BA=B0`=B0=BA=A4=F8=A4=BA=B0`=
=B0=BA=A4=F8=F8=A4=BA=B0`=B0=BA=A4
Charles McIntyre
PC/UNIX Systems Engineer
Instructional Computing
Information Technology Services, UCSC
ph: 831/459-5746
fx: 831/459-2914
got a question? see http://ic.ucsc.edu/help =20