[OpenAFS-port-darwin] disktool -r in OpenAFS StartupItems script
Bruce Carter
bcarter@nd.edu
Wed, 23 Apr 2003 09:48:13 -0500
Greetings all,

I've downloaded the documents referenced in this thread and will be
reading through them with interest. We also are using AFS for remote
home directories without the intervention of a Mac OS X server. Our
main issue right now is that whenever anyone with a remote home
directory in AFS tries to mount an AppleShare volume (SMB and WebDAV
work fine) the Finder crashes and reloads at the point where the volume
list would normally appear (after entering your user name and
password). Our Apple SE is working with Apple Engineering on this, and
I've sent them several logs and dumps. Anybody else see anything like
this? It happens on all of our Mac OS X pilot machines. I even
rebuilt one from scratch to see if that would help and it still did it.

We're authenticating remotely (no local accounts except 1 admin for
maintenance and 1 local user for if the network is hosed so people can
still do stuff locally) and pulling the home directory location from an
iPlanet LDAP 3 server, and we are also using the Amazing Alexei's aklog
plug-in. Alexei has also been kind enough to engage in some bonehead
level (on my end) email exchanges to help get us going. We get tickets
and tokens and everything works fairly well (I still have to get the
ByHosts fix into our loginhook script, as well as adding the disktool
trick mentioned here and a few other duct tape issues) except for that
darn Finder crash.

We did build the indexes mentioned below, and that helped greatly with
the login speed. It looks like we may need to increase the default AFS
quota as well since some of the students are starting to hit the wall
with that.

On Tuesday, April 22, 2003, at 06:04 PM, Steve Lidie wrote:
>
> On Tuesday, April 22, 2003, at 05:44 PM, John C. Welch wrote:
>
>> On 04/22/2003 17:37, "Jonathan Z. Simon" <jzsimon@eng.umd.edu> wrote:
>>
>>> Following Alexei Kosut's suggestion (appending disktool -r to the
>>> OpenAFS StartupItems script) has made my world a better place.
>>
>> Just as a follow up for some folks who were asking, and because
>> Alexei's most excellent work made it possible, I have a PDF at:
>>
>> <http://web.mit.edu/jwelch/www/AFS_homedirs_and_Mac_OS_X.pdf>
>>
>> Which is the procedure we've tested at MIT for using AFS home
>> directories as OS X Home directories. It works pretty well for us,
>> and although it's pretty MIT-centric, it should (hopefully) help
>> others along the path.
>>
>> I'm working on OS X Server docs that do a bit more, but that's going
>> to take longer.
>>
>> On a side note, most of the Mac OS X folks at MIT would like to thank
>> Alexei for his aklog plugin, as without it, we wouldn't have been
>> able to do anything with AFS home directories, and Alexei, if you're
>> ever in Boston, let us know, we'll make sure you get at least a
>> couple free beers.
>>
>
> Ditto on the thanks to Alexei. As well, many thanks to Ragnar
> Sundblad for his Kerberos plugin - they've both spent many hours
> helping me debug my Kerberos ticket -> AFS token problem. John,
> thanks for your summary.
>
> I, too, have created a PowerMac OS X 10.2.5 image that uses Kerberos
> authentication and AFS home directories. I've taken a slightly
> different tack and used Directory Services tied to our LDAP (v2)
> server so that a user's home directory is automatically mapped to
> AFS-land - no local account required. That parallels how we've dealt
> with previous AIX and IRIX operating systems, where NIS specifies home
> directories in AFS space. So, at Lehigh, every Unix-based machine does
> krb authentication and uses a consistent home directory.
>
> Does it work very, very well? No ); Does it work well? Yes! The
> biggest problem here at Lehigh is that we use kaserver for
> authentication, and so far neither of the krb plugins can get me an
> AFS token. That's a big problem during login, since Mac OS X wants to
> read/write ~/Library. My current kludge is a Perl/Tk program that
> runs as a LoginHook to re-authenticate (e.g. does a klog). Until a
> token is acquired, login proceeds very slowly (i.e. ~= 60 seconds).
> If a token already exists from a prior login, login happens as fast as
> a login using a local account.
>
> I wasn't aware that anyone else was using AFS as a home directory, so
> I'd like to hear all war stories. I can say that IE's default cache
> size of 10 MB can cause login to fail if you only have a 10 MB quota.
> I can verify that you'd better have indexed your LDAP data or logins
> will do a sequential lookup of uidNumber/gidNumber/NFSHomeDirectory,
> and delay login for a long time (;
>
> Comments welcomed, thanks,
>
> Steve
--
Bruce Carter, ACTC, MacCSE, MCP http://www.nd.edu/~bcarter/
Senior Educational Technologist mailto:bcarter@nd.edu
Information Technology Center 359 AIM:bcarteratnd
University of Notre Dame +1 574 631 9191 Voice
Notre Dame, IN 46556-0539 +1 574 631 8201 FAX