[OpenAFS] Changes for Mosaic's AFS cell...

Rodney M Dyer rmdyer@uncc.edu
Thu, 06 Apr 2006 11:22:31 -0400

Thanks to everyone who responded.  I thoroughly appreciate it.

To clarify a few points...

1.  We currently have three cell servers.  We are shutting down one of the 
cell servers and moving it (creating a new one) to/in another building 
under a new name and IP.   I believe the process outlined by Jeffrey 
Hutzelman and Marcus Watts should be sufficient for this change.  Thanks.

2.  I'm curious as to why no one responded to the problem with xlock and 
xscreensavers relating to PAM, K5 tickets, and tokens.  Is this some kind 
of state secret, or are we the only ones with the problem?  To summarize:

      On Linux the xscreensaver runs as the user but appears to be started 
by init.  When the screen is locked, then unlocked, the PAM module 
generates a new Kerberos 5 ticket, but doesn't use the correct ticket 
cache.  It seems to always create a new ticket cache.  Curious as to why 
this was happening, we killed xscreensaver and set the KRB5CCNAME variable, 
then restarted xscreensaver thinking it would then use the correct 
KRB5CCNAME, but again, it generated a new ticket cache.  At this point 
xlock and screensaver are just broken.  Note:  I'm a Windows guy, so I'm 
getting all this from our Linux sysadmin.

3.  At least one of you suggested that version 1.4.xx (pre-rc10) has 
problems and that we should not use it on the cell servers, or for that 
matter the file servers either.  Here I must say that we are in no good 
mood to use any "betas" or "release candidates".  If I had emailed my 
questions a few weeks later, someone may have responded that pre-rc44 
(sarcasm) might have problems too.  It sounds to me like we should just 
stay with 1.2.13 for the immediate future.  Does anyone have any words on 
when "the" true production copy of OpenAFS beyond 1.2.13 will see the light 
of day?

4.  I gather from the responses that we need a "special" AKLOG to remove 
the need for the 5 to 4 daemon in a pure K5 environment.  I'm unsure what 
is meant here by "special".  I mean the OpenAFS Windows client ships with 
AKLOG.  Is it special?  Is the Linux version "special"?  This is cause for 
concern, and leads me to believe that getting rid of the 5 to 4 service is 
literally never going to happen, so using pure K5 tickets is just more or 
less techno-fluff experimentation for now.  The issues seem to be...

      a.  We need a special AKLOG.  Ok, is there one for 
Windows?  Linux?  Solaris?  OSX?  etc.?
      b.  Do all the PAMs for various OSs support this "special" 
feature?  Or do the PAMs just system out to an existing AKLOG?

Thanks again,