[OpenAFS] LDAP searches for AFS-services via ancient names

Garance A Drosehn drosih@rpi.edu
Wed, 01 Feb 2017 18:48:54 -0500


Just a trivial observation we noticed here at RPI.  This is just
for your amusement.  There is nothing important about it.

This past weekend we (RPI) had some odd problem pop up.  The problem
itself has no connection to OpenAFS, but while investigating that
problem the guy who runs our LDAP servers noticed ldap queries of:

    (&(objectClass=ipService)(cn=afskauth))
or  (&(objectClass=ipService)(cn=afsprot))

We were often seeing about 30 of those in a second.  It wasn't every
second, but these bursts happened many times per hour.  And on rare
occasions we'd also see a lot of:

   (&(objectClass=ipService)(cn=afsvldb))

Like maybe 60/second for 30-45 minutes, and then none of these afsvldb
searches will show up for days.

None of this is a problem for us or our LDAP servers (and they have
nothing to do with the problem we actually care about), but we got
to wondering where these requests might be coming from.  It turns
out the culprits were two very old linux machines we have, running
a very old (2004!) version of OpenAFS.  And someone on our staff
had an automatic process which monitored those machines by doing
many 'ssh' commands into them. 10-15 different commands, done via
separate 'ssh' connections, and all done at once.  And then repeated
every 5-10 minutes.

Apparently this ancient version of OpenAFS will first search for AFS
services via the original names of afskauth and afsprot, even though
/etc/services on those machines had the newer and official names of
afs3-kaserver and afs3-prserver.  Those ancient names are so old that
I didn't even recognize them!  I eventually found them in listed in:
http://www.mit.edu/afs.new/athena/system/pmax_ul4/srvd/etc/services
along with afscb and afsvol.

And to top it off, these ancient linux machines had /etc/nsswitch.conf
configured so that "services" would be looked up in both "files" and
"ldap".  I have no idea why /etc/nsswitch.conf was set up that way
on these machines.  I deleted "ldap" from that line, rebooted, and it
seems like everything is still working fine.  So openafs must just
look for the new service names after failing on the ancient names.
(note that our LDAP server certainly never had the ancient names!)

And based on https://tools.ietf.org/html/rfc1340 , it looks like the
"new" service names were officially added between 1990 and 1992.

I have no "to-do" request here.  I just thought this was amusing.

And the final irony is that these two ancient linux machines are
already scheduled to be replaced this month, or maybe March at the
latest.  So these LDAP searches have been going on for 13 years
without anyone noticing them, and then they were finally noticed
just weeks before the problem would have disappeared.

I'm hoping that this writeup might help someone in the future who
comes across LDAP queries like these at their own site, and tries to
google for "ipService" and "afskauth" to figure out what is going on!

-- 
Garance Alistair Drosehn                =     drosih@rpi.edu
Senior Systems Programmer               or   gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA