[OpenAFS] Changes for Mosaic's AFS cell...
Rodney M Dyer
Thu, 06 Apr 2006 11:22:31 -0400
Thanks to everyone who responded. I thoroughly appreciate it.
To clarify a few points...
1. We currently have three cell servers. We are shutting down one of the
cell servers and moving it (creating a new one) to/in another building
under a new name and IP. I believe the process outlined by Jeffrey
Hutzelman and Marcus Watts should be sufficient for this change. Thanks.
2. I'm curious as to why no one responded to the problem with xlock and
xscreensavers relating to PAM, K5 tickets, and tokens. Is this some kind
of state secret, or are we the only ones with the problem? To summarize:
On Linux the xscreensaver runs as the user but appears to be started
by init. When the screen is locked, then unlocked, the PAM module
generates a new Kerberos 5 ticket, but doesn't use the correct ticket
cache. It seems to always create a new ticket cache. Curious as to why
this was happening, we killed xscreensaver and set the KRB5CCNAME variable,
then restarted xscreensaver thinking it would then use the correct
KRB5CCNAME, but again, it generated a new ticket cache. At this point
xlock and screensaver are just broken. Note: I'm a Windows guy, so I'm
getting all this from our Linux sysadmin.
3. At least one of you suggested that version 1.4.xx (pre-rc10) has
problems and that we should not use it on the cell servers, or for that
matter the file servers either. Here I must say that we are in no good
mood to use any "betas" or "release candidates". If I had emailed my
questions a few weeks later, someone may have responded that pre-rc44
(sarcasm) might have problems too. It sounds to me like we should just
stay with 1.2.13 for the immediate future. Does anyone have any words on
when "the" true production copy of OpenAFS beyond 1.2.13 will see the light
4. I gather from the responses that we need a "special" AKLOG to remove
the need for the 5 to 4 daemon in a pure K5 environment. I'm unsure what
is meant here by "special". I mean the OpenAFS Windows client ships with
AKLOG. Is it special? Is the Linux version "special"? This is cause for
concern, and leads me to believe that getting rid of the 5 to 4 service is
literally never going to happen, so using pure K5 tickets is just more or
less techno-fluff experimentation for now. The issues seem to be...
a. We need a special AKLOG. Ok, is there one for
Windows? Linux? Solaris? OSX? etc.?
b. Do all the PAMs for various OSs support this "special"
feature? Or do the PAMs just system out to an existing AKLOG?