Gentoo Forums
HOWTO: OpenAFS fileserver cluster (new ebuilds /kernel 2.6)

@zr@el
n00b

Joined: 11 May 2005
Posts: 4

Posted: Tue Aug 16, 2005 9:18 am

Thanks for the quick answer.

The authentication is done via the pam_krb5 against a Windows 2003 Active Directory Server, because our admins want a centralized user administration with Active Directory Services. So there is no Kerberos on the Linux side. :(
But authentication works and AFS uses the token obtained from the pam_krb5 module to grant the user 'xyz' access to his home directory /afs/cellname/home/xyz. However the user 'root' can't authenticate against AFS, which is ok for security reasons. But the graphical login managers are executed as 'root' and have no permissions to write on the home directory of user 'xyz'.

Quote:

So I emerged it, changed DISPLAYMANAGER in /etc/rc.conf from kdm to wdm and everything worked fine.


Did you try to run KDE or GNOME with wdm?

heini
n00b

Joined: 20 Sep 2002
Posts: 32

Posted: Tue Aug 16, 2005 9:54 am

@zr@el wrote:

The authentication is done via the pam_krb5 against a Windows 2003 Active Directory Server, because our admins want a centralized user administration with Active Directory Services. So there is no Kerberos on the Linux side. :(


Kerberos 5 is Kerberos 5, no matter if served from Windows or Linux (well, sort of :-) ). But that may be the cause of the problem. I also use pam_krb5 module for authentication, but it cannot get afs tokens from krb5 tickets. It still needs krb4 tickets!!!

This is the reason I use pam_openafs_session in addition to pam_krb5.

Quote:
But authentication works and AFS uses the token obtained from the pam_krb5 module to grant the user 'xyz' access to his home directory /afs/cellname/home/xyz.

Did you verify this by logging in on a text console and issuing a "tokens" command right after login?

Quote:
However the user 'root' can't authenticate against AFS, which is ok for security reasons. But the graphical login managers are executed as 'root' and have no permissions to write on the home directory of user 'xyz'.

I doubt that any display manager would write to $HOME as user root. It may run as root, that's correct. But it changes identity to the user who is logging in right after successful authentication.

You can verify this by doing
Code:
find "$HOME" -uid 0

It should find nothing.

Quote:
Quote:

So I emerged it, changed DISPLAYMANAGER in /etc/rc.conf from kdm to wdm and everything worked fine.


Did you try to run KDE or GNOME with wdm?


Yes, with KDE. It works just fine.

Bye...

Dirk
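
The two checks suggested in the post above (run `tokens` right after login, and look for root-owned files in `$HOME`) can be scripted as follows. This is an added example, not part of the original post; the `tokens` output format is an assumption, the sample text is constructed, and `AFS_CELL` is a hypothetical variable.

```shell
#!/bin/sh
# Added example: script the two post-login checks from the post above.
# Assumption: `tokens` prints one line per token, e.g.
#   User's (AFS ID 1234) tokens for afs@cellname [Expires Aug 17 09:18]
# and marks stale tokens with "[>> Expired <<]".

# Constructed sample of `tokens` output (not captured from a real cell).
SAMPLE_TOKENS="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@cellname [Expires Aug 17 09:18]
User's (AFS ID 1234) tokens for afs@old.example [>> Expired <<]
   --End of list--"

# Read `tokens` output on stdin; print each cell that has an unexpired token.
live_token_cells() {
    sed -n '/Expired/!s/.*tokens for afs@\([^ ]*\) \[Expires .*/\1/p'
}

# Succeed only if stdin shows an unexpired token for cell $1.
has_token_for() {
    live_token_cells | grep -Fqx -- "$1"
}

# List everything under directory $2 owned by numeric uid $1.
files_owned_by() {
    find "$2" -uid "$1" 2>/dev/null
}

# On a real client, run right after login. AFS_CELL is a hypothetical
# variable for this example; "cellname" is the placeholder used in the thread.
if command -v tokens >/dev/null 2>&1; then
    if tokens | has_token_for "${AFS_CELL:-cellname}"; then
        echo "unexpired AFS token present"
    else
        echo "no unexpired AFS token for this cell"
    fi
    echo "files owned by uid 0 under \$HOME (expected: none):"
    files_owned_by 0 "$HOME"
fi
```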

heini
n00b

Joined: 20 Sep 2002
Posts: 32

Posted: Tue Aug 23, 2005 7:00 am

A quick update on the pam_krb5 issue:

I tried version 2.1.8 from Fedora and this one seems to work fine in my setup (MIT KerberosV 1.4.1, Krb 4 disabled, users' homedirs in AFS, OpenAFS 1.3.85), which means it gets AFS tokens from the Kerberos V tickets.

I have submitted an ebuild to bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=103406.

This also means I don't need pam_openafs_session anymore and I could switch back from wdm to kdm.

Bye...

Dirk

mr-simon
Guru

Joined: 22 Nov 2002
Posts: 364
Location: Leamington Spa, Warks, UK

Posted: Wed Aug 24, 2005 12:23 pm

There are ebuilds for openafs 1.3.85 in portage. How do these compare to the ones here? I tried to use them but everything turned out very... er... different... and not working.
_________________
"Pokey, are you drunk on love?"
"Yes. Also whiskey. But mostly love... and whiskey."

heini
n00b

Joined: 20 Sep 2002
Posts: 32

Posted: Wed Aug 24, 2005 2:01 pm

mr-simon wrote:
There are ebuilds for openafs 1.3.85 in portage. How do these compare to the ones here? I tried to use them but everything turned out very... er... different... and not working.


They work fine for me. Could you tell us what is not working?

Bye...

Dirk

stefaan
Retired Dev

Joined: 31 Aug 2005
Posts: 35

Posted: Mon Sep 05, 2005 1:32 pm

mr-simon: they are different, but I like thinking it's not a bad thing at all.

The main difference is the adoption of FHS-paths, as is usually done throughout all of Gentoo. The ebuild should normally take care of most of the transition, but it could be there are bugs. Also, the transition code doesn't delete the old files (for safety reasons), so you may want to clean up afterwards (yes, this should be in the documentation, but as the ebuilds are still a moving target, documentation isn't quite underway yet). So from now on everything in /usr/bin, /usr/sbin, /var/lib/openafs, ...
Other changes include splitting the init-script into a client and a server one, not checking whether your cache-fs is on ext2 (for various reasons), not checking whether your /vicepx dirs are ext2-mounted (for like reasons), ...

Let me know how they work out for you, or if you need any help. Every comment brings us one step closer to a stable 1.4-ebuild!!

stefaan


Last edited by stefaan on Tue Oct 04, 2005 1:11 pm; edited 1 time in total

fnjordy
n00b

Joined: 17 Feb 2005
Posts: 13

Posted: Tue Oct 04, 2005 12:12 pm

Needs to be updated for the new path layout, and the ebuild to 1.4.0 rc5. And please split /etc/init.d/afs into two scripts, one for the client, and one for the server, the binaries are different, and nfs is split into two scripts so what's up with afs (apart from upstream issues).

heini
n00b

Joined: 20 Sep 2002
Posts: 32

Posted: Tue Oct 04, 2005 12:30 pm

fnjordy wrote:
Needs to be updated for the new path layout, and the ebuild to 1.4.0 rc5.

RC6, please :-)

Quote:
And please split /etc/init.d/afs into two scripts, one for the client, and one for the server.

Has been done a long time ago.

Bye...

Dirk

stefaan
Retired Dev

Joined: 31 Aug 2005
Posts: 35

Posted: Tue Oct 04, 2005 1:16 pm

I'm waiting to push out a new ebuild, because I'm working on updated documentation. It is really needed, as the upgrade procedure is currently undocumented, and the paths in the old documentation are wrong now. Writing documentation proves to be a difficult task however, and I'm currently on a very constrained time-budget :(

I hope to get something ready soon, in the meantime, you can just bump locally (to rc5 at least, haven't tried rc6 yet).
Cheers all!
Stefaan

stefaan
Retired Dev

Joined: 31 Aug 2005
Posts: 35

Posted: Tue Oct 04, 2005 1:30 pm

I've put a preliminary version of the newer documentation at
http://dev.gentoo.org/~stefaan/prerelease/openafs-guide/guide.html

Only the chapter about upgrading from pre-1.4 is worth considering. It explains different changes in the setup since the old 1.2.10 (though I'm not stating version numbers where the changes occurred, maybe that should be on my todo list). In case you think you may have missed some details about the upgrade, it might be worth reading. Any feedback is appreciated :)

Stefaan

KermitTheFragger
n00b

Joined: 20 Aug 2004
Posts: 41
Location: Netherlands

Posted: Wed Oct 05, 2005 5:13 pm

stefaan wrote:
I've put a preliminary version of the newer documentation at
http://dev.gentoo.org/~stefaan/prerelease/openafs-guide/guide.html

Only the chapter about upgrading from pre-1.4 is worth considering. It explains different changes in the setup since the old 1.2.10 (though I'm not stating version numbers where the changes occurred, maybe that should be on my todo list). In case you think you may have missed some details about the upgrade, it might be worth reading. Any feedback is appreciated :)

Stefaan


Looking good :)

Are you going to include a chapter on how to use Heimdal or MIT Kerberos 5 instead of the krb4 daemon (kaserver) shipping with AFS?

depontius
Advocate

Joined: 05 May 2004
Posts: 3406

Posted: Wed Oct 05, 2005 7:16 pm

stefaan wrote:
I've put a preliminary version of the newer documentation at
http://dev.gentoo.org/~stefaan/prerelease/openafs-guide/guide.html

Only the chapter about upgrading from pre-1.4 is worth considering. It explains different changes in the setup since the old 1.2.10 (though I'm not stating version numbers where the changes occurred, maybe that should be on my todo list). In case you think you may have missed some details about the upgrade, it might be worth reading. Any feedback is appreciated :)

Stefaan


I like it. I wish I'd had it the first time I tried a 1.3.85 install. (Too many years of the Transarc way.)
_________________
.sigs waste space and bandwidth

rwallace
Tux's lil' helper

Joined: 22 May 2003
Posts: 107
Location: Phoenix, AZ US

Posted: Sun Oct 09, 2005 6:27 am

Some documentation on setting it up with mit-krb5 would be absolutely awesome. So here's my vote for that!

fnjordy
n00b

Joined: 17 Feb 2005
Posts: 13

Posted: Thu Oct 13, 2005 9:38 am

I've updated Amanda 2.4.5-r1 and Amanda AFS 0.0.4. I guess need some better docs on them.

brenden
l33t

Joined: 09 Mar 2004
Posts: 710
Location: Calgary, AB

Posted: Sun Oct 23, 2005 12:06 am

Cool. Thanks for this. Should be updated to reflect the new ebuilds in portage however.

stefaan
Retired Dev

Joined: 31 Aug 2005
Posts: 35

Posted: Thu Nov 10, 2005 7:34 am    Post subject: Gentoo OpenAFS documentation for 1.4 now available

The new Gentoo OpenAFS documentation has been put online, not too many changes since my last proposal though (busy busy busy). The 1.4.0-ebuild will follow shortly.

KermitTheFragger wrote:
Are you going to include a chapter on how to use Heimdal or MIT Kerberos 5 instead of the krb4 daemon (kaserver) shipping with AFS?

I would like to. I'll see next week if I can spare some time to do that.

If you see errors in the documentation, please do report. It'd be nice to have the clearest possible manual online when 1.4.0 hits stable on Gentoo.