[OpenAFS] afsd dying on win2k
Rodney M Dyer
rmdyer@uncc.edu
Tue, 29 Oct 2002 19:32:28 -0500
At 11:57 AM 10/29/2002 -0500, you wrote:
>On Tue, 29 Oct 2002, Rodney M Dyer wrote:
>
> > From the looks of it, I don't think anything is going to be done about the
> > problem since no one on the OpenAFS group cares anything about
> > Windoz...
>
>I don't think that's clear, but I can tell you I certainly don't have the
>time to care.

Just on the side, my colleagues and I think it's funny that you say
this. Are you paid as an OpenAFS help desk person? You seem to have
enough time to respond to just about everything that hits this list. Do
you ever have time for anything else? ;)

I can only hope my sting was "mostly harmless", but it was intended to draw
out comments on just what is going on in the group relative to Windows
support. Yes, I am VERY appreciative of the support I'm getting out of
this list. On at least a couple of occasions I've gotten good help. I'm
sorry if I offended anyone. Believe me, the last time we had to get a very
small problem debugged in the Transarc client, it ended up costing us a few
thousand dollars to get fixed.

I'm glad to hear from Mr. Phil Moore at Morgan Stanley. I'm glad to hear
that someone is ponying up for support. But, is the version that Morgan
Stanley is using available as open source? Can anyone get a copy of it? Is
it a forked version of OpenAFS? What is different about it? How much
would it cost us?

We've been in a real push now for over a year to get a single-sign-on
system developed between our Windows/UNIX/Mac machines. Using Kerberos V
as the authentication mechanism and AFS as the filesystem, we've managed to
glue everything together as a working unit. It all works great except now
we are having trouble weaning ourselves away from the kaserver. Seems the
Transarc/OpenAFS "klog.exe" can't be forwarded to the "fakeka"
daemon. This wouldn't be a problem except that it is a real annoyance for
our users to "kinit" then "aklog" at the command line by hand. And, we're
having problems with "aklog" behind a NAT router for some reason I can't
fathom (yes, we've tried addressless tickets).

BTW, for anyone who cares, if you set up cross-realm authentication for an
AD domain to a Kerberos V realm, you may have trouble with AD domain file
share access. This seems to be caused by a bug/feature/design flaw in the
Kerberos V replay packet detection. Microsoft and MIT are currently
working the issue out. We still need AD domain shares because we store
files and databases there that AFS cannot support because it doesn't have
complete record locking capability.

Rodney

> I know a couple of people who probably care, but I'm not
>going to out them; They're welcome to comment themselves or not, and I
>have no idea if they can, or have the time, to look into this.
>
>I don't suppose anyone has an actual recipe for reproducing this, or is
>this one of those deals where someone should pray that their network is
>the same as yours?
>
>(Yes, now I'm being sarcastic. How about attaching a hub and a machine
>with tcpdump next to a dying client and seeing what's going on as close to
>when it dies as possible?)
>