[OpenAFS] Testing OpenAFS with Windows XP Roaming Profiles....

Claudio Prono claudio.prono@atpss.net
Tue, 28 Sep 2010 17:34:05 +0200



No David, I use the integrated login of OpenAFS for Windows, so I use
Kerberos for authentication on the AFS. LDAP and Samba are needed only
for the domain join of the PC and the "home directory" of the user under the
AFS....

Cordially,

Claudio.


David Bear wrote:
> I'm not understanding the use of openafs on the samba server. Are you
> trying to store windows profiles through a samba share that actually
> is pointing to storage in AFS? This implies that you must pass
> security info clear text to samba in order to get an afs token for the
> user on the windows box, and then doing some kind of pass through
> samba to store the file in afs. This just sounds way too wrong.
>
> On Tue, Sep 28, 2010 at 6:40 AM, Claudio Prono
> <claudio.prono@atpss.net> wrote:
>
>     Ok, my tests are going well.
>
>     But... another problem has come out...
>
>     Now I have an OpenSUSE 11.3 with Samba, LDAP and OpenAFS as domain
>     controller, for the roaming profiles of the users. All seems to
>     work fine but... When I log out from the client, Windows tells me
>     the profile cannot be written.... I have checked the permissions,
>     and they are fine; I have checked the logs of Samba, and no errors....
>     But I don't know why, when I disconnect the user from the client,
>     the profile can't be written... But the access to the AFS is good
>     when the client is logged in....
>
>     BTW, the AFS option "LogoffPreserveTokens" is active.
>
>     Any hint on how to debug that situation?
>
>     Cordially,
>
>     Claudio Prono.
>
>
>     On 2010-09-18 08:16, Gémes Géza wrote:
>>     On 2010-09-17 18:21, Jeffrey Altman wrote:
>>>     On 9/17/2010 11:06 AM, Claudio Prono wrote:
>>>>>>>     Now, the question is: how can I make Windows first write the updated
>>>>>>>     profile, then drop tickets?
>>>>>>>
>>>>>>>     The ACL system:anyuser all for the profile folder is not a good solution...
>>>>>>>
>>>>>>>     Any hint?
>>>>>>     The afslogon.dll has special code in it that has to detect that the
>>>>>>     profile is redirected into AFS.   This is based on the assumption that a
>>>>>>     domain is in use.   The additional case for a non-domain profile in AFS
>>>>>>     would have to be added.
>>>>>>
>>>>>>     Jeffrey Altman
>>>>>>
>>>>>     Just an idea... why not put an option inside the AFS control panel to
>>>>>     override the domain detection? Not all the users using a roaming
>>>>>     profile use a Domain.... Something like "roaming profile active" in the
>>>>>     AFS control panel....
>>>>>
>>>>>     Anyway, now how can I override that detection of the afslogon.dll? Any
>>>>>     trick to cheat the afslogon.dll auto detection?
>>>>>
>>>>>     Cordially,
>>>>>
>>>>>     Claudio Prono.
>>>>>
>>>>     Claudio:
>>>>
>>>>     It would be more work to implement a cheat than to do the correct thing
>>>>     for your configuration.   Someone can write a patch for afslogon and
>>>>     submit it to gerrit.openafs.org.
>>>>
>>>>     What needs to be implemented is the Local Profile in AFS case both for
>>>>     NPLogonNotify() and AFS_Logoff_Event().   If the profile is not remote,
>>>>     then a search for a profile in AFS should not be queried via AD (LDAP)
>>>>     but instead through the GetUserProfileDirectory() API.
>>>>
>>>>     If you read the OpenAFS for Windows Release Notes, you can use the
>>>>     LogoffPreserveTokens registry value to force the AFS tokens to be held
>>>>     after logoff.  However, doing so retains the tokens until they expire.
>>>>
>>>>     Jeffrey Altman
>>>>
>>>     Sorry if that sounds stupid, but do the NPLogonNotify() and
>>>     AFS_Logoff_Event() calls currently query AD via LDAP? If so, I suppose they aren't
>>>     discovering a pre-AD (NT4, Samba3) redirected domain profile either?
>>>     I've just planned to move the user profiles of our Samba3 domain to AFS :-(.
>>>
>>>     Thanks
>>>
>>>     Geza
>>>
>>>
>>>     _______________________________________________
>>>     OpenAFS-info mailing list
>>>     OpenAFS-info@openafs.org
>>>     https://lists.openafs.org/mailman/listinfo/openafs-info
>>
>>     Ok, I did an experiment: created a user, let's call him testuser,
>>     redirected his profile (via the ldap backend of samba) to
>>     \\afs\....\profiles\testuser; for that dir I gave him the rlidwk acl
>>     and l to system:anyuser on the whole path to that dir, and the
>>     profile seems to load and unload perfectly, the profile path
>>     being updated as it should.
>>
>>     Cheers
>>
>>     Geza
>>
>
>     -- 
>     --------------------------------------------------------------------------------
>     Claudio Prono                         OPST
>     System Developer
>                                           Gsm: +39-349-54.33.258
>     @PSS Srl                              Tel: +39-011-32.72.100
>     Via San Bernardino, 17                Fax: +39-011-32.46.497
>     10141 Torino - ITALY                  http://atpss.net/disclaimer
>     --------------------------------------------------------------------------------
>     PGP Key - http://keys.atpss.net/c_prono.asc
>
>
> -- 
> David Bear
> College of Public Programs at ASU
> 602-494-0424

-- 
--------------------------------------------------------------------------------
Claudio Prono                         OPST
System Developer
                                      Gsm: +39-349-54.33.258
@PSS Srl                              Tel: +39-011-32.72.100
Via San Bernardino, 17                Fax: +39-011-32.46.497
10141 Torino - ITALY                  http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
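As an added example (not code from the thread or from OpenAFS), a small checker for the ACL layout Geza reports as working versus the "system:anyuser all" layout Claudio rejected: it parses `fs listacl` output for each directory on the profile path and flags any directory where system:anyuser holds more than lookup, any ancestor where system:anyuser lacks l, and a profile directory where the user lacks rlidwk. The cell name, paths and listacl output below are constructed samples.

```python
import re

# Constructed sample `fs listacl` output for the directories on the path to a
# profile, in the thread's layout: the user gets rlidwk on the profile directory,
# system:anyuser gets only l (lookup) on the directories above it.
SAMPLE_ACLS = {
    "/afs/example.cell/profiles": (
        "Access list for /afs/example.cell/profiles is\n"
        "Normal rights:\n"
        "  system:anyuser l\n"
    ),
    "/afs/example.cell/profiles/testuser": (
        "Access list for /afs/example.cell/profiles/testuser is\n"
        "Normal rights:\n"
        "  system:administrators rlidwka\n"
        "  testuser rlidwk\n"
        "  system:anyuser l\n"
    ),
}

WRITE_RIGHTS = set("idwka")  # rights that let a principal modify or administer


def parse_listacl(text):
    """Return {principal: set(rights)} from the 'Normal rights' section of fs listacl."""
    rights, in_normal = {}, False
    for line in text.splitlines():
        if line.startswith("Normal rights:"):
            in_normal = True
        elif line.startswith("Negative rights:"):
            break  # negative entries are not part of this check
        elif in_normal:
            m = re.match(r"\s+(\S+)\s+([rlidwka]+)\s*$", line)
            if m:
                rights[m.group(1)] = set(m.group(2))
    return rights


def check_profile_acls(acls, profile_dir, user):
    """Return a list of findings; empty means the ACLs match the thread's layout."""
    findings = []
    for d, text in acls.items():
        r = parse_listacl(text)
        anyuser = r.get("system:anyuser", set())
        if anyuser & WRITE_RIGHTS:  # e.g. the rejected 'system:anyuser all'
            findings.append(f"{d}: system:anyuser has {''.join(sorted(anyuser))}, expected only l")
        if d == profile_dir:
            if not set("rlidwk") <= r.get(user, set()):
                findings.append(f"{d}: {user} lacks rlidwk on the profile directory")
        elif "l" not in anyuser:
            findings.append(f"{d}: system:anyuser lacks l, so the path cannot be traversed without a token")
    return findings
```

Feed it the real output of `fs listacl` for each directory from the profile down to the AFS root to confirm the layout before pointing the Samba profile path at it.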




