[OpenAFS] Changes for Mosaic's AFS cell...

Rodney M Dyer rmdyer@uncc.edu
Wed, 05 Apr 2006 22:52:04 -0400


We are finally in a position to consider making some changes (very soon 
now) to our Mosaic Computing OpenAFS setup here in the College of 
Engineering at UNC Charlotte.  As some of you may already know, I've been 
working with OpenAFS and Kerberos 5 for quite some time so some of the 
questions I'm asking below are just for verification that I understand the 
whole process as well as to get some "don't forget this" answers from 
others.  Over time, my memory of some of the issues "degrades" (I hate 
getting old).

1.  We need to upgrade our file servers, and cell servers to 1.4xx (version 
we use will be determined by what is available at the time we make the 
changes).  We are currently at 1.2.13.

For issue 1, we've been running a test file server on 1.4.0 for a while 
without issues and we are prepared to upgrade the file servers 
already.  Does it matter whether the cell servers are upgraded 
first?  Obviously not, since our existing test server already works.  I've 
never upgraded a cell server myself, and the person who last upgraded our 
cell servers has "left the building".  Our current back-end systems guy 
just wanted some indication about the sequence of events in which things 
should take place.  Because of issues with the UBIK quorum, if no accounts, 
or volumes are being added, removed, or replicated during an upgrade, is 
the sequence of cell server upgrades important?  I mean our cell is fairly 
small so can we just upgrade each one without worry right?

2.  We need to shut down an older cell server and bring up a new one in 
another building.

For issue 2, we have set the vlserver prefs on each client so that the 
clients won't select the cell server we want to move to another building 
(or it will be last in the pref list).  Can we just shut down the old cell 
server and bring up another (in another building) without much worry about 
UBIK issues?  This is somewhat similar to issue 1.

3.  We'd like to turn off the old KAS from Transarc and rely totally on 
Kerb 5 (finally).  We are already using Kerb 5 everywhere and none of our 
AFS clients use KAS anymore, but we've never actually disabled it.

For issue 3, we are currently already using Kerb5 with AKLOG basically 
everywhere, and most of the PAM modules we have work with the exception of 
the xscreensaver.  We were wondering what others did about xlock and 
getting tokens at unlock since the PAM module for the xlock process doesn't 
seem to use the KRB5CCNAME variable.  E.g., a new ticket cache is created 
every time you unlock the workstation...why?

4.  We'd like to try real K5 AFS service tickets without using the 5 to 4 

For issue 4, I am under the impression (from my conversation at the last 
BPW) that we can disable our 5 to 4 daemon that AKLOG uses and AKLOG will 
just take the K5 encrypted part and just stuff it into the AFS cred 
manager.  The only thing we need to do is update our key files on the file 
servers right?  Can AKLOG do what it needs to do without having access to a 
5 to 4 daemon?



Rodney M. Dyer
Windows Systems Programmer
Mosaic Computing Group
William States Lee College of Engineering
University of North Carolina at Charlotte
Email: rmdyer@uncc.edu
Web: http://www.coe.uncc.edu/~rmdyer
Phone: (704)687-3518
Help Desk Line: (704)687-3150
FAX: (704)687-2352
Office:  Cameron Applied Research Center, Room 232