[OpenAFS] Changes for Mosaic's AFS cell...
Rodney M Dyer
Wed, 05 Apr 2006 22:52:04 -0400

We are finally in a position to consider making some changes (very soon
now) to our Mosaic Computing OpenAFS setup here in the College of
Engineering at UNC Charlotte. As some of you may already know, I've been
working with OpenAFS and Kerberos 5 for quite some time so some of the
questions I'm asking below are just for verification that I understand the
whole process as well as to get some "don't forget this" answers from
others. Over time, my memory of some of the issues "degrades" (I hate

1. We need to upgrade our file servers and cell servers to 1.4xx (the version
we use will be determined by what is available at the time we make the
changes). We are currently at 1.2.13.

For issue 1, we've been running a test file server on 1.4.0 for a while
without issues and we are prepared to upgrade the file servers
already. Does it matter whether the cell servers are upgraded
first? Obviously not, since our existing test server already works. I've
never upgraded a cell server myself, and the person who last upgraded our
cell servers has "left the building". Our current back-end systems guy
just wanted some indication about the sequence of events in which things
should take place. Because of issues with the UBIK quorum, if no accounts
or volumes are being added, removed, or replicated during an upgrade, is
the sequence of cell server upgrades important? I mean, our cell is fairly
small, so can we just upgrade each one without worry, right?

2. We need to shut down an older cell server and bring up a new one in
For issue 2, we have set the vlserver prefs on each client so that the
clients won't select the cell server we want to move to another building
(or it will be last in the pref list). Can we just shut down the old cell
server and bring up another (in another building) without much worry about
UBIK issues? This is somewhat similar to issue 1.

3. We'd like to turn off the old KAS from Transarc and rely totally on
Kerb 5 (finally). We are already using Kerb 5 everywhere and none of our
AFS clients use KAS anymore, but we've never actually disabled it.
For issue 3, we are currently already using Kerb5 with AKLOG basically
everywhere, and most of the PAM modules we have work with the exception of
the xscreensaver. We were wondering what others did about xlock and
getting tokens at unlock since the PAM module for the xlock process doesn't
seem to use the KRB5CCNAME variable. E.g., a new ticket cache is created
every time you unlock the workstation... why?

4. We'd like to try real K5 AFS service tickets without using the 5 to 4
For issue 4, I am under the impression (from my conversation at the last
BPW) that we can disable our 5 to 4 daemon that AKLOG uses and AKLOG will
just take the K5 encrypted part and just stuff it into the AFS cred
manager. The only thing we need to do is update our key files on the file
servers, right? Can AKLOG do what it needs to do without having access to a
5 to 4 daemon?

Rodney M. Dyer
Windows Systems Programmer
Mosaic Computing Group
William States Lee College of Engineering
University of North Carolina at Charlotte
Help Desk Line: (704)687-3150
Office: Cameron Applied Research Center, Room 232