Since the introduction of rxkad-k5 in response to OPENAFS-SA-2013-003,
it is not strictly necessary to configure libkrb5 to allow weak crypto
in order to obtain an AFS token. A sufficient amount of time has passed
since then that it is safe to assume that the default behavior is the
more-secure one, and require opt-in for the insecure behavior.
To indicate that the use of single-DES is quite risky, add the
"-insecure_des" argument to both klog and aklog, to gate the
preexisting calls that enable weak crypto/single-DES.
These calls, and the -insecure_des option, may be removed entirely
in a future commit.
Change-Id: If175d0f95f0ede0f252844086a2a023da5580732
Reviewed-on: https://gerrit.openafs.org/13689
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
Add a new command, 'add-random', to allow the creation of a new key
with random data. This is helpful for certain rxgk keys, which only
need to exist in KeyFileExt and not in any other database (like a krb5
KDC), and so aren't derived from a krb5 keytab.
Change-Id: I1f3b27e074b0931deb8645f7550e0b315d82e249
Reviewed-on: https://gerrit.openafs.org/12768
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
The current 'delete' command from asetkey only lets the user delete
old-style rxkad keys. Add a couple of new variants to allow specifying
the key type and subtype, so the user can delete specific key types
and enctypes if they want.
Change-Id: If0dfaa70ea0b749dadd52a6b7d62fd3ad2b61d18
Reviewed-on: https://gerrit.openafs.org/12767
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
This should fix a build failure reported on the openafs-devel list
today.
Change-Id: I227922f78aaa614b73dd1f5c1c61116168fc0b69
Reviewed-on: https://gerrit.openafs.org/13533
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
The klog.krb5 -lifetime option was copied from earlier versions of log
and klog, which had the ability to set the krb4 token lifetime. However,
the -lifetime option is not feasible the krb5 version, and so is not
implemented in klog.krb5.
Update the klog.krb5 man page to document the -lifetime option has no
effect. Remove the code which unnecessarily checks the unused klog.krb5
-lifetime command line argument.
The unused lifetime variable was discovered by Pat Riehecky using the
clang scan-build static analyzer.
Change-Id: I5f459ec46eaff87a69ccdf7de386a671d0944a5a
Reviewed-on: https://gerrit.openafs.org/13309
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: PatRiehecky <jcpunk@gmail.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
The last valid partition name supported by OpenAFS is /vicepiu, not
/vicepiv. Update the docs and man pages to say so.
Change-Id: I6e1cce775d332d76f605a26f16502c651461994b
Reviewed-on: https://gerrit.openafs.org/13177
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Use the standard routine to pick a client security object, instead of
always assuming rxnull. Respect -localauth as well as being able to
use the current user's tokens, but also provide a -nobutcauth argument
to fall back to the historical rxnull behavior (but only for the connections
to butc; vldb and budb connections are not affected).
Change-Id: Ibf8ebe5521bee8d0f7162527e26bc5541d07910d
The butc -localauth option is available to use the cell-wide key to
authenticate to the vlserver and buserver, which in normal deployments
will require incoming connections to be authenticated as a superuser.
In such cases, the cell-wide key is also available for use in
authenticating incoming connections to the butc, which would otherwise
have been completely unauthenticated.
Because of the security hazards of allowing unauthenticaed inbound
RPCs, especially ones that manipulate backup information and are allowed
to initiate outboud RPCs authenticated as the superuser, default to
not allowing unauthenticated inbound RPCs at all. Provide an opt-out
command-line argument for deployments that require this functionality
and have configured their network environment (firewall/etc.) appropriately.
Change-Id: Ia6349757a4c6d59d1853df1a844e210d32c14feb
Make the actual implementations into helper functions, with the RPC
stubs calling the helpers and doing the auditing on the results, akin
to most other server programs in the tree. This relies on support for
some additional types having been added to the audit framework.
Change-Id: Ic872d6dfc7854fa28bd3dc2277e92c7919d0d0c0
Make a few misc changes to the text for the new -volume-ttl option:
- Minor grammatical/typo fixes
- Emphasize a little more that the default behavior allows for vldb
info to be cached _forever_
- Provide some info on the effects of changing this value
- Provide a suggested "typical" value, to give some clue as to what
should be set here, so a curious user doesn't just set this to the
first value they see (10 minutes)
Change-Id: Ib6b2871b111c392260ea80e26273201b09d4c402
Reviewed-on: https://gerrit.openafs.org/12909
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Andrew Deason <adeason@sinenomine.net>
Commit dfceff1d3a added the
-preserve-vol-stats flag to the volume server. This enabled a change in
the volume server to preserve volume usage statistics during reclone and
restore operations. Otherwise, volume usage counters of read-only
volumes are cleared when volumes are released, making it difficult to
track usage with the volume stats.
Make this feature the default behavior of the volume server and provide
the option -clear-vol-stats to use the old behavior if so desired. This
change makes the -preserve-vol-stats the default, and keeps it as a
hidden flag for sites which may already have that flag set in the
BosConfig.
Since this changes a default behavior of the volume server, this change
is only appropriate on a major or minor release boundary, not in the
middle of a stable series.
Change-Id: I3706ede64b7b18a80b39ebd55f2e1824bb7dbc57
Reviewed-on: https://gerrit.openafs.org/12674
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
What's displayed by fs wscell is not necessarily the current content
of ThisCell, but that at the time of starting the client. Say so.
FIXES 133339
Change-Id: Id3351f1236e5061340eb07041d4ce3e4de69a1a1
Reviewed-on: https://gerrit.openafs.org/12537
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
The unix cache manager caches VLDB information for read-only volumes as
long as a volume callback is held for a read-only volume. The volume
callback may be held as long as files in the read-only volume are being
accessed. The cache manager caches VLDB information for read/write
volumes as long as volume level errors (such as VMOVED) are not returned
by a fileserver while accessing files within the volume.
Add a new option to set the maximum amount of time VLDB information will
be cached, even if a callback is still held for a read-only volume, or
no volume errors have been encounted while accessing files in read/write
volumes.
This avoids situations where the vldb information is cached indefinitely
for read-only and read/write volumes. Instead, the VL servers will be
periodically probed for volume information.
Change-Id: I5f2a57cdaf5cbe7b1bc0440ed6408226cc988fed
Reviewed-on: https://gerrit.openafs.org/11898
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Clone the VLLog man page to create a man page for ptserver log as well.
Fix the spelling of the PtLog file and add a link to the new PtLog man
page in the ptserver man page.
Add the missing PtLog log file name to the bos getlog man page.
Change-Id: I95ad4a2cf380077780160ec78fd1f9bdec132ba7
Reviewed-on: https://gerrit.openafs.org/12294
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Fixes this error:
$ git clean -xdf
$ ./regen.sh -q
$ ./configure
$ make
[…]
make[3]: Entering directory '/…/openafs/doc/man-pages'
rm -f man*/*.noinstall
if [ "no" = "no" ] ; then \
for M in man1/klog.1 man1/knfs.1 […] man8/kpwvalid.8 man1/klog.krb.1; do \
touch $M.noinstall; \
done; \
fi
touch: cannot touch 'man1/klog.1.noinstall': No such file or directory
touch: cannot touch 'man1/knfs.1.noinstall': No such file or directory
[…]
touch: cannot touch 'man8/kpwvalid.8.noinstall': No such file or directory
touch: cannot touch 'man1/klog.krb.1.noinstall': No such file or directory
Makefile:34: recipe for target 'prep-noinstall' failed
make[3]: *** [prep-noinstall] Error 1
make[3]: Leaving directory '/…/openafs/doc/man-pages'
Change-Id: I95098fb2b27f1d87fc9769497b225e9f91f72266
Reviewed-on: https://gerrit.openafs.org/12492
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Mention the vlserver -d option can be used to set the initial logging
level.
Thanks to Mark Vitale for the suggestion.
Change-Id: Ia17a2063432343c2cf78e1b01c5897751625aae8
Reviewed-on: https://gerrit.openafs.org/12324
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Commit f085951d39 introduced an error in
the bos getlog helpfile.
Modify the helpfile to describe the actual restrictions imposed by
-restricted mode.
Change-Id: I8d8fedb558a1bdbd55d80046b2011f3aacc71b3f
Reviewed-on: https://gerrit.openafs.org/12454
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
This commit adds the afsd -inumcalc command line switch to specify the
inode number calculation method in a platform neutral way.
Inode numbers reported for files within the AFS filesystem are generated
by the cache manager using a calculation which derives a number from a
FID. Long ago, a new type of calculation was added which generates inode
numbers using a MD5 message digest of the FID. The MD5 inode number
calculation variant is computationally more expensive but greatly
reduces the chances for inode number collisions.
The MD5 calculation can be enabled on the Linux cache manager using the
Linux sysctl interface. Other than the sysctl method of selecting the
inode calculation type, the MD5 inode number calculation method is not
specific to Linux.
This change introduces a command-line option which accepts a value to
indicate the calculation method, instead of a simple flag to enable MD5
inode numbers. This should allow for new inode calculation methods
in the future without the need for additional afsd command-line flags.
Two values are currently accepted for -inumcalc. The value of 'compat'
specifies the legacy inode number calculation. The value 'md5' indicates
that the new MD5 calculation is to be used.
Change-Id: I0257c68ca1a32a7a4c55ca8174a4926ff78ddea4
Reviewed-on: https://gerrit.openafs.org/11855
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Don't mention it in the man pages.
Change-Id: I8a6d706f055545642116af5a98fa8c04f533b990
Reviewed-on: https://gerrit.openafs.org/11529
Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
The ability to set the size of the volume hash table was added
at the same time that DAFS was introduced, and got caught up
in the same preprocessor conditional. However, -vhashsize can
be useful for the traditional fileserver as well (even though
we recommend DAFS over the traditional fileserver), so let it
be used in that case.
Update the man pages accordingly and fix some grammar while here.
Noted by Mark Vitale.
Change-Id: Ic3282c9d661d60cf36f9ffb197e723a3f71da167
Reviewed-on: https://gerrit.openafs.org/12287
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Add a -s2scrypt option to the volume server, with possible options:
* never -- the existing behavior
* always -- switch to using afsconf_ClientAuthSecure, which uses
rxkad_crypt, for ForwardVolume calls.
* inherit -- encrypt inter-server traffic if the causal client
connection is encrypted. This has the effect of "inheriting" the
"-encrypt" flag given to "vos release", for example.
Thanks to Jeffrey Altman for pointers and to Andrew Deason for noting
the existence of rxkad_GetServerInfo.
[mmeffie@sinenomine.net fix assertion and style update.]
Change-Id: Ia295ba3f29a8494c8250a480fb26594468d2116a
Reviewed-on: https://gerrit.openafs.org/11349
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Thomas Keiser <tkeiser@gmail.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Add the ability to specify a range of addresses in both NetInfo and
NetRestrict.
Change-Id: Iecdcca8587aa2e6e7cd56cbbebb63eb41b5d6f40
Reviewed-on: https://gerrit.openafs.org/11313
Reviewed-by: Daria Phoebe Brashear <shadow@your-file-system.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
A simple utility to help with the 1.6-->1.8 upgrade by
bulk-converting keys, with some sanity checking.
Change-Id: Ibae9a1ea3b7c3bbad5ffbc02410fa7a4ff6c4d7f
Reviewed-on: https://gerrit.openafs.org/11786
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Do not create new server log files when servers are restarted by
default. External log rotation tools may be used to rotate the logs by
renaming log files and then signaling server processes to reopen
log files.
Add the -transarc-logs option to each server to provide backward
compatibility with the traditional Transarc-style logging. When
-transarc-logs is given, log files are renamed to an ".old" file
(overwriting the existing ".old" file) and the previous the log file is
truncated.
Change-Id: I2eeb67e3db32b2f75fe685b68dab1159e62061e9
Reviewed-on: https://gerrit.openafs.org/11731
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
The options -logfile and -config should be enclosed
by angle brackets.
Change-Id: I9e5767b7e43753b37dbc8d86c5346c778f8bab8d
Reviewed-on: https://gerrit.openafs.org/12233
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Update the man page to reflect the current access rights required for fs
examine. Historically, fs examine required read access on the root
vnode of the volume housing the directory or file being examined. This
access check was relaxed in commit d2d591caf2,
since the information returned by the file server is already available
anonymously by other means.
Change-Id: If62b625bce8a260b98fb56a6feec49c674f2de53
Reviewed-on: https://gerrit.openafs.org/12223
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
Update the afsd man page -settime and -nosettime options, which are obsolete
and no longer have any effect. Use the same wording as the other obsolete
options in the afsd man page. Keep the recommendations to use the time keeping
daemons provided by the operating system to maintain the system time.
Change-Id: I08a1bd5ae0b2d6618b3e212ebcbb98f470e33820
Reviewed-on: http://gerrit.openafs.org/12175
Reviewed-by: Michael Laß <lass@mail.uni-paderborn.de>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Remove the salvagerserver option to print log messages to stdout. This
was a carry over from the stand-alone salvager and is not appropriate for
a daemon.
Change-Id: I55b99112278cdabb3e9911948dbda6a628030951
Reviewed-on: http://gerrit.openafs.org/11815
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
These options were copied from the salvager man page and are not implemented by
the salvageserver.
Change-Id: Ib6c5b3fd494f1662b958442863e5fbfc0755a0c2
Reviewed-on: http://gerrit.openafs.org/11817
Reviewed-by: Perry Ruiter <pruiter@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Add the missing -syslog and -syslogfacility options to
the salvageserver man page.
Change-Id: I1cb057a8085c4aeda32bb003cc4cec5035d00407
Reviewed-on: http://gerrit.openafs.org/11816
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Document the built-in version sub-command which displays
the OpenAFS version string. This sub-command is provided
by the cmd library.
Document the switch style -version option provided by the cmd
library for the initcmd based commands: afsmonitor, scout,
xstat_fs_test, and xstat_cm_test.
Change-Id: Id421d2c68a5c49a2b1a5abb2f3e9ca64ea36cd3e
Reviewed-on: http://gerrit.openafs.org/11161
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Supergroup information is explicitly present in -members
Change-Id: I25527c093858bc0b029417cbf2bb07717c50bb32
Reviewed-on: http://gerrit.openafs.org/11681
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Add a manual page for the KeyFileExt file.
Add cross-references from all places which currently reference
KeyFile(5), and update their body text accordingly.
Change-Id: Iab56847fcb59dda0c8a344a626ddb0ff35b98b26
Reviewed-on: http://gerrit.openafs.org/11770
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Prefer KeyFileExt to KeyFile ~everywhere. Make the main documentation
assume a modern cell with KeyFileExt and rxkad-k5, moving the old
rxkad and KeyFile documentation to a new section,
HISTORICAL COMPATIBILITY.
Note that kaserver is deprecated.
Do not mention the Update Server, which is also disrecommended for
new installations.
Add a copyright statement for the new content.
Change-Id: Idcb4940615a00189b655538a9a190cc35153cc89
Reviewed-on: http://gerrit.openafs.org/11769
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Add a client side check to vos changeaddr -oldaddr -newaddr
to refuse to change multihomed server entries, unless -force
is given.
Change-Id: I1428e94f0c2fc19bb6ba3b2c53468f4587283bbc
Reviewed-on: http://gerrit.openafs.org/11638
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
roll back -stayonline support for volume releases for now.
Change-Id: I5b4de15892f975514ea699994cb7c1da17ac83c2
Reviewed-on: http://gerrit.openafs.org/11787
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
Introduce the vos remaddrs sub-command for removing multi-homed server
entries from the vldb. The remaddrs sub-command completes the listaddrs
and setaddrs command suite and allows vos changeaddr to be deprecated
completely.
Change-Id: I98e92e776a153591a617a5b04037c3b6139d4732
Reviewed-on: http://gerrit.openafs.org/11606
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Chas Williams <3chas3@gmail.com>
Reviewed-by: Daria Brashear <shadow@your-file-system.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
While reviewing gerrit 11678 I noticed the -n flag was
duplicated. Remove the duplicate flag.
Change-Id: I4a63a50199e1564a0b0394445e9dc1569bb08a0c
Reviewed-on: http://gerrit.openafs.org/11688
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Remove sunrpc compatibility from rxgen. It's not tested, and
rpcgen is available from other sources. This will allow changes to be
made to rxgen without worrying about their impact on rpcgen compatibility.
Removals consist of the -l, -m, and -s switches, the source files
rpc_clntout.c and rpc_svcout.c, and the scan tokens 'program' and
'version'. The -R switch ('R compatibility') is also removed, as it's
a noop.
Change-Id: I960fac14faf072d221b8cb166e9388ab4accfa26
Reviewed-on: http://gerrit.openafs.org/10258
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
We have previously documented that volumes over 2TB can result in
inaccuracies, but this documentation does not say how the 'partition'
field in "fs listquota" can be inaccurate. It is confusing to see a
usage of 0% for a partition that you know is being used, so try to
briefly explain in what way this field is inaccurate.
The reason we _under_-report the partition usage is that the
fileserver actually gives back PartBlocksAvail and PartMaxBlocks (not
"blocks used" and "blocks total"). So 1TB used and 4TB total is
truncated to 2TB and given back as 2TB free and 2TB total. One we hit
3TB used we'll report it as 1TB free 2TB total (50%) when the actual
usage is 75%.
Change-Id: I0b3de04ef2bd6cd32fdcb1a82cbac58d5d621e5b
Reviewed-on: http://gerrit.openafs.org/11245
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
It can result only in sadness.
Document this restriction alongside UID 0 as a reserved number.
Change-Id: Ibea2d98bc15a730bc85e84477791ca45a40f2d92
Reviewed-on: http://gerrit.openafs.org/10950
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
The krb5_524_conv_principal() function should fail whenever the Kerberos
v5 principal cannot safely be mapped onto a Kerberos v4 principal, and
does fail on some Kerberos v5 principals used in real-world AFS
deployments.
Prior to this patchset a failure was treated as a fatal error that
in turn prevents an AFS token from being generated or set into the
cache manager.
Prior to b1f9b4cb5d the
krb5_524_conv_principal() function wasn't used and a local client
mapping was created. b1f9b4cb5d
replaced the local mapping with the krb5 function because the local
mapping could be wrong and confusing.
The krb5_524_conv_principal() function as applied to AFS tokens is
just a local guess. How the username in the token is interpreted by
the AFS server is up to the server.
krb5_524_conv_principal() is only used for Krb5 native tokens. For Krb4
tokens the krb5_524_convert_creds() function is used to obtain both the
Kerberos v4 ticket and the converted names from the KDC. Many
organizations used the krb524d service to perform name translation. When
the krb524d service is used, the name translation is performed by the KDC,
so there is no local call to krb5_524_conf_principal() which might fail.
As a result, disallowing the use of a native Krb5 token due to a failed
local name translation is a needless loss of functionality; the local name
translation is not an essential part of obtaining a token.
This patchset modifies the behavior such that krb5_524_conv_principal()
errors are non-fatal.
1. If -noprdb is not specified the error message is generated
and a NULL username is used.
2. If the username is NULL the prdb lookup is disabled.
3. If the username is NULL the informational messages do not
include a username.
4. If the username is NULL the username info provided to the
cache manager in the token description is the nul string.
Credit to Ben Kaduk for assistance with the wording of this
commit message.
Change-Id: Ib07131fc0ff4bf5319815213198c3f0adac17b10
Reviewed-on: http://gerrit.openafs.org/11542
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: D Brashear <shadow@your-file-system.com>
Commit 5afe7a882b added a configure
option to disable the installation of the kauth suite, but did not
add any logic to disable the installation of the corresponding man
pages, so those man pages were always installed regardless of the
options to configure.
Add logic to doc/man-pages/Makefile.in to create .noinstall files
for man pages which should not be installed in the current configuration.
Depend on the Makefile (which will be regenerated by configure) in
this target so as to attempt to behave properly if configure is re-run
with different arguments in the same working tree.
Change-Id: I19b77a9f20fe27c49db14f3e800d8c77cda1bb3a
Reviewed-on: http://gerrit.openafs.org/10993
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: D Brashear <shadow@your-file-system.com>
This tool was removed in 2006 in commit
b405868ca0. Also remove mention of
wsadmin, removed at the same time.
Change-Id: I8475b951f576f10ddd2f4b72565354b9fba41d94
Reviewed-on: http://gerrit.openafs.org/11554
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: D Brashear <shadow@your-file-system.com>
It has been unused since the LWP fileserver was removed.
It was used to set the LWP stack size.
Change-Id: I2ffd3a2f02049a307b668a46b62b31dc9bc128a8
Reviewed-on: http://gerrit.openafs.org/11527
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Reviewed-by: D Brashear <shadow@your-file-system.com>
These are new files and new content; fix the copyright notice and
license to reflect.
Change-Id: I8d5f00fb7edaf2e3855e2dc2a1af07bba471c0d6
Reviewed-on: http://gerrit.openafs.org/11362
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
Tested-by: Jeffrey Altman <jaltman@your-file-system.com>
Add a new vos release option called -force-reclone to force the
reclone of the release clone and a release to all of the remote
sites, regardless of the state of the VLDB flags on the remote
sites, but does not force full volume dumps when distributing the
volume.
Provide an alias -f for -force for compatibility with the original
IBM vos, in case scripts were written to use the old '-f' option,
and for users with muscle memory.
Change-Id: I0ebebc5e8099299781e8da57579d91848bb2ad19
Reviewed-on: http://gerrit.openafs.org/9020
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
Reviewed-by: D Brashear <shadow@your-file-system.com>
Make vlserver and volserver suppport a new command line parameter,
"-restricted_query admin". When this is on, the query RPCs that
are not needed for normal cache manager operations are restricted
to administrators listed in UserList. This is off by default.
Change-Id: I2a23a4e99cabd46b19ed491a6520773731a5994e
Reviewed-on: http://gerrit.openafs.org/10927
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Reviewed-by: D Brashear <shadow@your-file-system.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
It is not always clear to users whether BosConfig.new is noticed
during an automatic restart, or if it requires stopping and starting
the bosserver. Slightly reword the relevant text and add a small note
that a "general restart" does cause BosConfig.new to be noticed, so
this is explicitly clear.
Change-Id: Iab3eaff176305b0b2991a6636e70204b5072b1b0
Reviewed-on: http://gerrit.openafs.org/11076
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
