[OpenAFS] Testing OpenAFS with Windows XP Roaming Profiles....

Claudio Prono claudio.prono@atpss.net
Wed, 29 Sep 2010 11:13:11 +0200



Hi to all,

Because the thread is now a little long, I will try to sum up my
situation:

I have a working domain controller with Samba and LDAP. Now I am trying
to make it write into AFS, with OpenAFS and Kerberos.
I want the profiles and the home directories of the users written into
AFS. The client is a Windows XP machine with OpenAFS and Kerberos installed
and working. I have activated the integrated login, to obtain access to
AFS at login.

So, I have joined the Windows XP machine into the LDAP domain, created a user
(with home in /home/, so not in AFS), and tested the roaming
profile. All works perfectly.

Then I changed the location of the profile in LDAP, and set
it into AFS.

Windows XP starts, creates the .msprofile in AFS, with the right
permissions, and if I write a file into the home dir of the user, it
is written correctly.

But when I log off the user, the profile is not written to AFS, and
the client returns an error like "unable to update the profile on
server".

If you need configuration to analyze the situation better, no problem,
just ask me.

Any help is appreciated; I don't know yet how to debug this situation...

Cordially,

Claudio Prono.



> omalleys@msu.edu wrote:
>
>> I -think- it is stored in the local directory, and it is cached. (iirc
>> there is a command to update the local system cache but I don't know
>> it.) I'm really not a Windows person, you should probably post your
>> results to the list as there are better people at it than I.  I also
>> think there are a number of people who are interested in the topic.
>>
>> Quoting Claudio Prono <claudio.prono@atpss.net>:
>>
>>> Uhm, good guess...
>>>
>>> I have tried to change the home to the normal filesystem (like
>>> /home/claudio). The dir .msprofile was created correctly, and the
>>> profile unloads correctly after the disconnection.
>>>
>>> After that, I changed the entry in LDAP again for the home of
>>> claudio to /afs/mediaservice-test.pri/users/claudio. Rebooted the
>>> Windows client, and... surprise! The home is not changed, and it
>>> continues to use the previous one... (/home/claudio). So, I have
>>> rebooted the server but no changes at all.... The client continues to
>>> use /home/claudio as homedir.... Magic of Microsoft, I think... it
>>> seems like the client has cached a successful profile, and continues
>>> to use it... now I try to delete the profile from the client, unjoin the
>>> machine from the domain, rejoin the domain and login as user Claudio...
>>> dunno what else to do...
>>>
>>> Claudio.
>>>
>>> omalleys@msu.edu wrote:
>>>
>>>> Just out of curiosity, and I haven't been completely following the
>>>> thread, but did you try to just give full write access to the client
>>>> machine to afs or a local samba share?
>>>>
>>>> I am wondering if the profile is written by a different user, if it is
>>>> trying to write to an incorrect directory, or if the network
>>>> connection is dropping before the write somewhere.
>>>>
>>>> Do the client logs say anything?
>>>>
>>>> Quoting Claudio Prono <claudio.prono@atpss.net>:
>>>>
>>>>> Ok, my tests are going well.
>>>>>
>>>>> But... another problem has come up...
>>>>>
>>>>> Now I have an OpenSUSE 11.3 with Samba, LDAP and OpenAFS as domain
>>>>> controller, for the roaming profiles of the users. All seems to work
>>>>> fine but... When I exit from the client, Windows tells me the profile
>>>>> cannot be written.... I have checked the permissions, and they are fine; I
>>>>> have checked the logs of Samba, and no errors.... But I don't know why,
>>>>> when I disconnect the user from the client, the profile can't be
>>>>> written... But the access to AFS is good while the client is logged
>>>>> in....
>>>>>
>>>>> BTW, the AFS option "LogoffPreserveTokens" is active.
>>>>>
>>>>> Any hint on how to debug that situation?
>>>>>
>>>>> Cordially,
>>>>>
>>>>> Claudio Prono.
>>>>>
>>>>> Gémes Géza wrote:
>>>>>
>>>>>> On 2010-09-18 08:16, Gémes Géza wrote:
>>>>>>
>>>>>>> On 2010-09-17 18:21, Jeffrey Altman wrote:
>>>>>>>
>>>>>>>> On 9/17/2010 11:06 AM, Claudio Prono wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>>> Now, the question is: how can I make Windows first write the
>>>>>>>>>>> updated profile, then drop tickets?
>>>>>>>>>>>
>>>>>>>>>>> The ACL system:anyuser all for the profile folder is not a good
>>>>>>>>>>> solution...
>>>>>>>>>>>
>>>>>>>>>>> Any hint?
>>>>>>>>>>>
>>>>>>>>>> The afslogon.dll has special code in it that has to detect
>>>>>>>>>> that the profile is redirected into AFS.  This is based on the
>>>>>>>>>> assumption that a domain is in use.  The additional case for a
>>>>>>>>>> non-domain profile in AFS would have to be added.
>>>>>>>>>>
>>>>>>>>>> Jeffrey Altman
>>>>>>>>>>
>>>>>>>>> Just an idea... why not put an option inside the AFS control
>>>>>>>>> panel to override the domain detection? Not all the users using a
>>>>>>>>> roaming profile use a domain.... Something like "roaming profile
>>>>>>>>> active" in the AFS control panel....
>>>>>>>>>
>>>>>>>>> Anyway, now how can I override that detection of the afslogon.dll?
>>>>>>>>> Any trick to cheat the afslogon.dll auto detection?
>>>>>>>>>
>>>>>>>>> Cordially,
>>>>>>>>>
>>>>>>>>> Claudio Prono.
>>>>>>>>>
>>>>>>>> Claudio:
>>>>>>>>
>>>>>>>> It would be more work to implement a cheat than to do the correct
>>>>>>>> thing for your configuration.  Someone can write a patch for
>>>>>>>> afslogon and submit it to gerrit.openafs.org.
>>>>>>>>
>>>>>>>> What needs to be implemented is the Local Profile in AFS case both
>>>>>>>> for NPLogonNotify() and AFS_Logoff_Event().  If the profile is not
>>>>>>>> remote, then a search for a profile in AFS should not be queried
>>>>>>>> via AD (LDAP) but instead through the GetUserProfileDirectory() API.
>>>>>>>>
>>>>>>>> If you read the OpenAFS for Windows Release Notes, you can use the
>>>>>>>> LogoffPreserveTokens registry value to force the AFS tokens to be
>>>>>>>> held after logoff.  However, doing so retains the tokens until they
>>>>>>>> expire.
>>>>>>>>
>>>>>>>> Jeffrey Altman
>>>>>>>>
>>>>>>> Sorry if that sounds stupid, but do the NPLogonNotify() and
>>>>>>> AFS_Logoff_Event() calls currently query AD via LDAP? If so, I suppose
>>>>>>> they aren't discovering a pre-AD (NT4, Samba3) redirected domain
>>>>>>> profile either?
>>>>>>> I've just planned to move the user profiles of our Samba3 domain to
>>>>>>> AFS :-(.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Geza
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OpenAFS-info mailing list
>>>>>>> OpenAFS-info@openafs.org
>>>>>>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>>>>>>
>>>>>> Ok, I did an experiment: created a user, let's call him testuser,
>>>>>> redirected his profile (via the LDAP backend of Samba) to
>>>>>> \\afs\....\profiles\testuser
>>>>>> for that dir gave him the rlidwk ACL and l to system:anyuser on the
>>>>>> whole path to that dir, and the profile seems to load and unload
>>>>>> perfectly, the profile path being updated as it should.
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> Geza
>>>>>>
>>>>> -- 
>>>>> --------------------------------------------------------------------------------
>>>>>
>>>>> Claudio Prono                         OPST
>>>>> System Developer
>>>>>                                       Gsm: +39-349-54.33.258
>>>>> @PSS Srl                              Tel: +39-011-32.72.100
>>>>> Via San Bernardino, 17                Fax: +39-011-32.46.497
>>>>> 10141 Torino - ITALY                  http://atpss.net/disclaimer
>>>>> --------------------------------------------------------------------------------
>>>>>
>>>>> PGP Key - http://keys.atpss.net/c_prono.asc


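Geza's ACL layout from the thread (rlidwk for the user on the profile directory, l for system:anyuser on every directory of the path, instead of "system:anyuser all" on the profile folder), written up as a reproducible procedure plus an audit of the resulting ACL. This is an added example, not code from the thread or from OpenAFS; it assumes the OpenAFS `fs` tool on PATH, a placeholder cell example.test and user testuser, and AFS paths without whitespace.

```shell
#!/bin/sh
# Added example, not from the thread: lay out AFS ACLs for one roaming profile
# the way Geza described, and audit the result. Assumes the OpenAFS 'fs' tool
# is on PATH and the caller holds a token with 'a' rights on the volume.
# Cell name example.test and user name testuser are placeholders.
#
# Rights used (least privilege, avoiding "system:anyuser all"):
#   profile dir  : <user> rlidwk   (no 'a', so the user cannot widen the ACL)
#   each ancestor: system:anyuser l (lookup only: a client whose token is
#                  already gone, e.g. at logoff, can still traverse to the
#                  profile directory but reads no content on the way)

# Emit the fs commands for one profile directory without running them.
# $1 = AFS path of the profile directory, $2 = AFS user name.
plan_profile_acls() {
    profile=$1
    user=$2
    case $profile in
        /afs/*/*) ;;
        *) echo "expected /afs/<cell>/.../<profile>, got: $profile" >&2; return 1 ;;
    esac
    # Collect the ancestors below the cell root, top-down. The cell root is
    # left alone: fs setacl replaces an entity's rights, and root.cell normally
    # already grants system:anyuser rl, which must not be narrowed.
    dirs=
    dir=$(dirname "$profile")
    while [ "$(dirname "$dir")" != "/afs" ]; do
        dirs="$dir $dirs"
        dir=$(dirname "$dir")
    done
    for d in $dirs; do
        echo "fs setacl -dir $d -acl system:anyuser l"
    done
    # Profile directory: owner rights without 'a'; drop any anyuser entry.
    echo "fs setacl -dir $profile -acl $user rlidwk system:anyuser none"
}

# Apply the plan: run every command the planner prints, stopping on error.
apply_profile_acls() {
    plan_profile_acls "$1" "$2" | sh -e
}

# Audit 'fs listacl <profile dir>' output fed on stdin. Succeeds only if $1
# holds exactly rlidwk and system:anyuser holds nothing beyond 'l'.
audit_profile_acl() {
    awk -v user="$1" '
        /^Negative rights:/ { neg = 1; next }
        neg { next }
        NF == 2 && $1 == user { ok_user = ($2 == "rlidwk") }
        NF == 2 && $1 == "system:anyuser" && $2 != "l" { bad_any = 1 }
        END { if (ok_user && !bad_any) exit 0; exit 1 }'
}
```

Run `plan_profile_acls /afs/example.test/profiles/testuser testuser` first to review the commands, then `apply_profile_acls` with the same arguments, and pipe `fs listacl` of the profile directory into `audit_profile_acl testuser` to confirm the layout.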