[OpenAFS] What changed with 1.3.74?

Jeffrey Altman jaltman@columbia.edu
Fri, 12 Aug 2005 16:06:15 +0300


This is a cryptographically signed message in MIME format.

--------------ms050802060106020002010001
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

Charles McIntyre wrote:

> Thanks for the response, Jeffrey.
> 
> I'm mostly concerned with the change between 1.3.73 and 1.3.74 since
> anything after 1.3.73 breaks in our environment.
> 
> Our servers are TransArc v3.6 and the admins are too overwhelmed with
> other priorities to update it, which is very unfortunate.  I don't
> believe it supports K5.

It does not support Kerberos 5.   This means that you can't use the
Kerberos 5 based tokens that OpenAFS 1.3.xx obtains by default.   You
must obtain Kerberos 4 based tokens.

> I've poured through afs-install-notes and have found some gems, but also
> found some confusing points:
> "If KFW is installed, the Integrated Logon will use Kerberos 5 to obtain
> tokens.  Otherwise, Kerberos 4 is used."

This is true.   When KFW is installed, tokens will be obtained using
Kerberos 5 and perhaps converted to Kerberos 4 format with the krb524d.
  Kerberos 4 will never be used.

> This is confusing, since our installation uses Integrated Logon and KFW,
> but I believe we can only get tokens with K4 tickets because of the
> TransArc server. I did a couple days of testing NOT using Integrated
> logon because this verbage led me to believe it would be requesting a
> token with a K5 ticket from our servers.  When I finally did install
> using the Int. Logon option, I was very surprised when 1.3.73 worked.

Are you using the registry entry to use the 524 daemon?

> In terms of what is not working:
> Any version past 1.3.73 (even on a clean bare XP SP2 box), will hang
> Explorer when I attempt to map an afs path using the afscreds GUI or cmd
> line "net use x: //afs/cats.ucsc.edu/users/t/mcintyre".  We have a
> cross-realm authentication scheme, so KFW gets the tickets
> automatically.  I disable AFS tokens within KFW, because I found that it
> confuses the AFS client (this might have been fixed, dunno).  THe
> workstations are used in general access labs, so we run a script that
> runs afscreds -a -q, finds their AFS path via LDAP, creates a submount
> (I know you're against this now), and maps the X: drive to //afs/home. 
> For testing, I've disabled the logon script and ran it all by hand. 
> Everything works like a charm until I actually try to mount an AFS path.
> 
> 1.3.73 seems to be working well now, but we're very concerned about it
> and we've put it on "probation".  During the summer, we've had about 10%
> of the lab machines hang at login when the AFS script runs.  Since this
> failure rate is unacceptable, and we're very concerned that some new
> hotfix will break the version of the AFS client that we're stuck at,
> we're starting to research other methods of accessing the user's home
> directory, like Explorer integrated SFTP clients (MKS, Hummingbird, Web
> Drive, etc).  It's currently contentious, since I'm advocating for the
> SSO aspects of AFS, but others in our group are concerned about
> stability and reliability...  I wish I could wave my magic wand and have
> our AFS servers updated, but that's not going to happen any time soon.

Can you provide remote access to a machine that is experiencing the problem?

Can you provide such a machine with a debug version of 1.3.87 and the
Microsoft Debugging Tools for Windows?

Jeffrey Altman

> Charles
> 
> 
> 
> 
> At 02:37 PM 8/10/2005, Jeffrey Altman wrote:
> 
>> Charles McIntyre wrote:
>> > We've been able to get OpenAFS 1.3.73 with KfW 2.6.5 to work with our
>> > cross-realm Kerberos login, but any version after that breaks Windows.
>> >
>> > What changed from 1.3.73 to 1.3.74 and subsequent versions?  I
>> looked at
>> > the changes doc, but nothing rang out...
>> >
>> > We've even tried installing 1.3.74+ on a base XP Pro SP2 system and it
>> > still hangs explorer.  I'm wondering if it has something to do with our
>> > server software.
>> >
>> > Any ideas?
>> >
>> > Thanks!
>> > Charles
>>
>> Lots of things have changed since 1.3.73.
>>
>> What is the version of the servers in your cell?   Does it support
>> Kerberos 5?  (aka OpenAFS 1.2.8 or higher?)
>>
>> Have you followed the debugging instructions in the
>> afs-install-notes.txt file?
>>
>> What is not working?   Integrated Login?   Obtaining tokens with the
>> AFS System Tray tool?
>>
>> Jeffrey Altman
>>
> 
> 
> 
> `````
> 
> Charles McIntyre
> PC/UNIX Systems Engineer
> Instructional Computing
> Information Technology Services, UCSC
> ph: 831/459-5746
> fx: 831/459-2914
> 
> got a question? see http://ic.ucsc.edu/help 

--------------ms050802060106020002010001
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJPzCC
AvowggJjoAMCAQICAw7NrDANBgkqhkiG9w0BAQQFADBiMQswCQYDVQQGEwJaQTElMCMGA1UE
ChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNv
bmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwHhcNMDUwNTI3MTc0MjQzWhcNMDYwNTI3MTc0MjQz
WjBrMQ8wDQYDVQQEEwZBbHRtYW4xFTATBgNVBCoTDEplZmZyZXkgRXJpYzEcMBoGA1UEAxMT
SmVmZnJleSBFcmljIEFsdG1hbjEjMCEGCSqGSIb3DQEJARYUamFsdG1hbkBjb2x1bWJpYS5l
ZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+LutDu/YyHreNfoYd+ZtOjXsL
h67F2cmcVuBPBz+ZGDA+WpVEHrqXaZZO8acXBR5uAVfiwA1acE/kvD/CN5kAqx1VJuQ8Pvyk
iGHhUYTd27ZTliBIrptC7C/381gVwkS+a8jQFPJPO+OktZDzAYplGRY/MQCV8dIsvXUjucox
7TwTTdoLAJYRvHtfEcaCc6mO4ph6NeXQw8Grlx3IRAlTrkE5fBGyjH6R4fqnFTXRQAh1/bG+
i8hQvE6mud3mXdL2t7NP1Qxd9wW0/F/pnWY12IFP/luc3zEzIPvAe+nJluLuSEj0LZgP16mF
xBj1p+u9HPWcHRVX6q7+MQ0RWOv1AgMBAAGjMTAvMB8GA1UdEQQYMBaBFGphbHRtYW5AY29s
dW1iaWEuZWR1MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEEBQADgYEAUDUuzxiq8bbI8vq2
swRK513RphZp+fepyKU5mwBI6aF4GcmqITQILtfTG2SXnjSeY99d+bjOdK1DJFvVh9aOy8mh
2NbEnqMnJIZtg5+eEU64DIV5bQdDRpi99H9vA0sRATIquut+3YHba+zArj0VkVof2VI+ToBu
sHdtSrZYo0gwggL6MIICY6ADAgECAgMOzawwDQYJKoZIhvcNAQEEBQAwYjELMAkGA1UEBhMC
WkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1Ro
YXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA1MDUyNzE3NDI0M1oXDTA2
MDUyNzE3NDI0M1owazEPMA0GA1UEBBMGQWx0bWFuMRUwEwYDVQQqEwxKZWZmcmV5IEVyaWMx
HDAaBgNVBAMTE0plZmZyZXkgRXJpYyBBbHRtYW4xIzAhBgkqhkiG9w0BCQEWFGphbHRtYW5A
Y29sdW1iaWEuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvi7rQ7v2Mh63
jX6GHfmbTo17C4euxdnJnFbgTwc/mRgwPlqVRB66l2mWTvGnFwUebgFX4sANWnBP5Lw/wjeZ
AKsdVSbkPD78pIhh4VGE3du2U5YgSK6bQuwv9/NYFcJEvmvI0BTyTzvjpLWQ8wGKZRkWPzEA
lfHSLL11I7nKMe08E03aCwCWEbx7XxHGgnOpjuKYejXl0MPBq5cdyEQJU65BOXwRsox+keH6
pxU10UAIdf2xvovIULxOprnd5l3S9rezT9UMXfcFtPxf6Z1mNdiBT/5bnN8xMyD7wHvpyZbi
7khI9C2YD9ephcQY9afrvRz1nB0VV+qu/jENEVjr9QIDAQABozEwLzAfBgNVHREEGDAWgRRq
YWx0bWFuQGNvbHVtYmlhLmVkdTAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUAA4GBAFA1
Ls8YqvG2yPL6trMESudd0aYWafn3qcilOZsASOmheBnJqiE0CC7X0xtkl540nmPfXfm4znSt
QyRb1YfWjsvJodjWxJ6jJySGbYOfnhFOuAyFeW0HQ0aYvfR/bwNLEQEyKrrrft2B22vswK49
FZFaH9lSPk6AbrB3bUq2WKNIMIIDPzCCAqigAwIBAgIBDTANBgkqhkiG9w0BAQUFADCB0TEL
MAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3du
MRowGAYDVQQKExFUaGF3dGUgQ29uc3VsdGluZzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBT
ZXJ2aWNlcyBEaXZpc2lvbjEkMCIGA1UEAxMbVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIENB
MSswKQYJKoZIhvcNAQkBFhxwZXJzb25hbC1mcmVlbWFpbEB0aGF3dGUuY29tMB4XDTAzMDcx
NzAwMDAwMFoXDTEzMDcxNjIzNTk1OVowYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0
ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVl
bWFpbCBJc3N1aW5nIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEpjxVc1X7TrnK
mVoeaMB1BHCd3+n/ox7svc31W/Iadr1/DDph8r9RzgHU5VAKMNcCY1osiRVwjt3J8CuFWqo/
cVbLrzwLB+fxH5E2JCoTzyvV84J3PQO+K/67GD4Hv0CAAmTXp6a7n2XRxSpUhQ9IBH+nttE8
YQRAHmQZcmC3+wIDAQABo4GUMIGRMBIGA1UdEwEB/wQIMAYBAf8CAQAwQwYDVR0fBDwwOjA4
oDagNIYyaHR0cDovL2NybC50aGF3dGUuY29tL1RoYXd0ZVBlcnNvbmFsRnJlZW1haWxDQS5j
cmwwCwYDVR0PBAQDAgEGMCkGA1UdEQQiMCCkHjAcMRowGAYDVQQDExFQcml2YXRlTGFiZWwy
LTEzODANBgkqhkiG9w0BAQUFAAOBgQBIjNFQg+oLLswNo2asZw9/r6y+whehQ5aUnX9MIbj4
Nh+qLZ82L8D0HFAgk3A8/a3hYWLD2ToZfoSxmRsAxRoLgnSeJVCUYsfbJ3FXJY3dqZw5jowg
T2Vfldr394fWxghOrvbqNOUQGls1TXfjViF4gtwhGTXeJLHTHUb/XV9lTzGCAzswggM3AgEB
MGkwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0
ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBAgMOzaww
CQYFKw4DAhoFAKCCAacwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUx
DxcNMDUwODEyMTMwNjE1WjAjBgkqhkiG9w0BCQQxFgQUFEmUA8x/vu2RkEuuo4YFe1OOFHIw
UgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcN
AwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgweAYJKwYBBAGCNxAEMWswaTBiMQswCQYD
VQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UE
AxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECAw7NrDB6BgsqhkiG9w0B
CRACCzFroGkwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQ
dHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENB
AgMOzawwDQYJKoZIhvcNAQEBBQAEggEAsiChQUXSNW4H0ueh4LOdFktZy9MRgP+dtlYNeerR
i4ZjGHZmS6yhXjvZEGSZ2CqH+E4I54wfVtHrw5LEkBCJaJCGSRLSrhZDO4hXDKKgI5VSvZPN
n/2GEfp4netZ4p9QdQr4jyDgEdJAYd/l0sGChu8D5Bn5kWGo+yhojK5DynoISuM+tuFuwr48
5ID4T62iIwCy2XZlk/x7G6h0168flk6DtnoN34bcGwlCKreqnMBNZBr+lkUsa9m5aX9mDg+A
7Q6nCdn26hIbd7hNDdF/ME176OTP5d7YlBgPMFnDRh9eV31jInguwag4JSnV0aKxblUogYc5
sXFbfzpQUyUp0AAAAAAAAA==
--------------ms050802060106020002010001--