[OpenAFS] Testing OpenAFS with Windows XP Roaming Profiles....

Claudio Prono claudio.prono@atpss.net
Tue, 28 Sep 2010 17:46:36 +0200


Oh well, I have dejoined the domain, logged in as local administrator
and deleted the profile manually. Then rejoined the domain and rejoined
user to domain, and now it uses the right path.

But the problem of the roaming profile not written when I exit is still
here.

So, the problem is really when I log off from the Client, and OpenAFS
can't write on the home dir into the AFS...

But the permissions are right, as u can see...

fs listacl claudio/
Access list for claudio/ is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwka
  claudio rlidwka

fs listacl .msprofile/
Access list for .msprofile/ is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwka
  claudio rlidwka

(now are also more than what it needs, but is for test purpose only....)

If I write a file on the home dir of the user (when I am logged in into
windows), it writes correctly.

But, when I am going to disconnect, the client can't write the
profile.... Now I think it can be a problem of OpenAFS, stopping services
too early and making AFS inaccessible too early... but I don't have an
idea of how to resolve it (if it is the problem)...... I know the
afslogon.dll has special code that can detect if the system is in a
domain or not...  but how can I see if it works also in a samba+ldap
domain?

Mh.... more work to do....

Cordially,

Claudio Prono.



omalleys@msu.edu wrote:
> I -think- it is stored in the local directory, and it is cached. (iirc
> there is a command to update the local system cache but I don't know
> it.) I'm really not a windows person, you should probably post your
> results to the list as there are better people at it than I.  I also
> think there are a number of people who are interested in the topic.
>
>
> Quoting Claudio Prono <claudio.prono@atpss.net>:
>
>> Uhm, good guess...
>>
>> I have tried to change the home to the normal filesystem (like
>> /home/claudio). The dir .msprofile was created correctly, and the
>> profile unloads correctly after the disconnection.
>>
>> After that, I have changed again the entry into the ldap for the home of
>> claudio into /afs/mediaservice-test.pri/users/claudio. Rebooted the
>> windows Client, and...surprise! The home is not changed, and it
>> continues to use the previous one... (/home/claudio). So, I have
>> rebooted the server but no changes at all.... The client continues to
>> use the /home/claudio as homedir.... Magic of microsoft I think... it
>> seems like the client has cached a successful profile, and continues
>> to use it... now I try to delete the profile from the client, dejoin the
>> machine from the domain, rejoin into domain and login as user Claudio...
>> dunno what else to do...
>>
>> Claudio.
>>
>> omalleys@msu.edu wrote:
>>> Just out of curiosity, and I haven't been completely following the
>>> thread, but did you try to just give full write access to the client
>>> machine to afs or a local samba share?
>>>
>>> I am wondering if the profile is written by a different user, if it is
>>> trying to write to an incorrect directory, or if the network
>>> connection is dropping before the write somewhere.
>>>
>>> Do the client logs say anything?
>>>
>>>
>>>
>>>
>>>
>>> Quoting Claudio Prono <claudio.prono@atpss.net>:
>>>
>>>> Ok, my tests are going well.
>>>>
>>>> But...another problem is come out...
>>>>
>>>> Now I have an OpenSUSE 11.3 with Samba, LDAP and OpenAFS as domain
>>>> controller, for the roaming profiles of the users. All seems to work
>>>> fine but... When I exit from the Client, windows says to me the profile
>>>> cannot be written.... I have checked the permissions, and are fine, I
>>>> have checked the logs of samba, and no errors.... But I don't know why
>>>> when I disconnect the user from the client, the profile can't be
>>>> written...But the access to the AFS is good, when the Client is logged
>>>> in....
>>>>
>>>> BTW, the option of AFS "LogoffPreserveTokens" is active.
>>>>
>>>> Any hint to how to debug that situation?
>>>>
>>>> Cordially,
>>>>
>>>> Claudio Prono.
>>>>
>>>>
>>>> Gémes Géza wrote:
>>>>> On 2010-09-18 08:16, Gémes Géza wrote:
>>>>>
>>>>>> On 2010-09-17 18:21, Jeffrey Altman wrote:
>>>>>>
>>>>>>
>>>>>>> On 9/17/2010 11:06 AM, Claudio Prono wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>> Now, the question is: how i can make Windows first write the
>>>>>>>>>> updated
>>>>>>>>>> profile, then drop tickets?
>>>>>>>>>>
>>>>>>>>>> The ACL system:anyuser all for the profile folder is not a good
>>>>>>>>>> solution...
>>>>>>>>>>
>>>>>>>>>> Any hint?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> The afslogon.dll has special code in it that has to detect
>>>>>>>>> that the
>>>>>>>>> profile is redirected into AFS.   This is based on the
>>>>>>>>> assumption that a
>>>>>>>>> domain is in use.   The additional case for a non-domain profile
>>>>>>>>> in AFS
>>>>>>>>> would have to be added.
>>>>>>>>>
>>>>>>>>> Jeffrey Altman
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Just an idea... why don't put an option inside the AFS control
>>>>>>>> panel to
>>>>>>>> override the domain detection ? Not all the users using a roaming
>>>>>>>> profile use a Domain.... Something like "roaming profile active"
>>>>>>>> in the
>>>>>>>> AFS control panel....
>>>>>>>>
>>>>>>>> Anyway, now how i can override that detection of the afslogon.dll
>>>>>>>> ? Any
>>>>>>>> trick to cheat the afslogon.dll auto detection?
>>>>>>>>
>>>>>>>> Cordially,
>>>>>>>>
>>>>>>>> Claudio Prono.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Claudio:
>>>>>>>
>>>>>>> It would be more work to implement a cheat than to do the correct
>>>>>>> thing
>>>>>>> for your configuration.   Someone can write a patch for afslogon
>>>>>>> and
>>>>>>> submit it to gerrit.openafs.org.
>>>>>>>
>>>>>>> What needs to be implemented is the Local Profile in AFS case both
>>>>>>> for
>>>>>>> NPLogonNotify() and AFS_Logoff_Event().   If the profile is not
>>>>>>> remote,
>>>>>>> then a search for a profile in AFS should not be queried via AD
>>>>>>> (LDAP)
>>>>>>> but instead through the GetUserProfileDirectory() API.
>>>>>>>
>>>>>>> If you read the OpenAFS for Windows Release Notes, you can use the
>>>>>>> LogoffPreserveTokens registry value to force the AFS tokens to be
>>>>>>> held
>>>>>>> after logoff.  However, doing so retains the tokens until they
>>>>>>> expire.
>>>>>>>
>>>>>>> Jeffrey Altman
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Sorry if that sounds stupid, but are currently the
>>>>>> NPLogonNotify() and
>>>>>> AFS_Logoff_Event() calls query AD via LDAP? If so I suppose they
>>>>>> aren't
>>>>>> discovering a pre-AD (NT4, Samba3) redirected domain profile either?
>>>>>> I've just planned to move the user profiles of our Samba3 domain to
>>>>>> AFS :-(.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Geza
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OpenAFS-info mailing list
>>>>>> OpenAFS-info@openafs.org
>>>>>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>>>>>
>>>>>>
>>>>> Ok, I did an experiment: created a user, let's call him testuser,
>>>>> redirected his profile (via the ldap backend of samba) to
>>>>> \\afs\....\profiles\testuser
>>>>> for that dir gave him rlidwk acl and, l to system:anyuser to the
>>>>> whole
>>>>> path to that dir, and the profile seems to load and unload perfectly,
>>>>> the profile path being updated as it should.
>>>>>
>>>>> Cheers
>>>>>
>>>>> Geza
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> --------------------------------------------------------------------------------
>>>>
>>>>
>>>> Claudio Prono                         OPST
>>>> System Developer
>>>>                                       Gsm: +39-349-54.33.258
>>>> @PSS Srl                              Tel: +39-011-32.72.100
>>>> Via San Bernardino, 17                Fax: +39-011-32.46.497
>>>> 10141 Torino - ITALY                  http://atpss.net/disclaimer
>>>> --------------------------------------------------------------------------------
>>>>
>>>>
>>>> PGP Key - http://keys.atpss.net/c_prono.asc
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>
>

--
--------------------------------------------------------------------------------
Claudio Prono                         OPST
System Developer
                                      Gsm: +39-349-54.33.258
@PSS Srl                              Tel: +39-011-32.72.100
Via San Bernardino, 17                Fax: +39-011-32.46.497
10141 Torino - ITALY                  http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
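
The listings in this message grant system:anyuser the full rlidwka set, while the setup Géza reports working further down the thread gives system:anyuser only l on the path. As an added example (not part of the original thread and not OpenAFS code), the Python below parses `fs listacl` output and reports broad groups that hold more than lookup; the "l only" baseline, the inclusion of system:authuser, and the constructed profiles/testuser listing are assumptions modelled on the thread.

```python
import re

# AFS directory rights: r=read l=lookup i=insert d=delete w=write k=lock a=administer
RIGHT_ORDER = "rlidwka"
BROAD_GROUPS = {"system:anyuser", "system:authuser"}
ALLOWED_FOR_BROAD = {"l"}  # assumption: baseline taken from Geza's setup in the thread

# First listing is from the message above; the second is constructed.
SAMPLE = """\
Access list for .msprofile/ is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwka
  claudio rlidwka
Access list for profiles/testuser is
Normal rights:
  system:anyuser l
  testuser rlidwk
"""

def parse_listacl(text):
    """Return {directory: {"normal": {who: rights}, "negative": {who: rights}}}."""
    acls, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Access list for (.+) is$", line)
        if header:
            current = acls.setdefault(header.group(1), {"normal": {}, "negative": {}})
            section = None
        elif line in ("Normal rights:", "Negative rights:"):
            section = line.split()[0].lower()
        elif current is not None and section and len(line.split()) == 2:
            who, rights = line.split()
            current[section][who] = set(rights)
    return acls

def broad_grants(acls):
    """List (directory, group, excess rights) where a broad group exceeds lookup."""
    out = []
    for directory, acl in acls.items():
        for who in sorted(BROAD_GROUPS.intersection(acl["normal"])):
            # Negative rights listed for the same group cancel the matching grant.
            effective = acl["normal"][who] - acl["negative"].get(who, set())
            excess = effective - ALLOWED_FOR_BROAD
            if excess:
                out.append((directory, who, "".join(c for c in RIGHT_ORDER if c in excess)))
    return out

if __name__ == "__main__":
    print(broad_grants(parse_listacl(SAMPLE)))
```

Feed it the captured output of `fs listacl` for each directory on the profile path; an empty list means no broad group holds more than lookup there.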