Joining the PASS Beta Test
Download
Report
Transcript Joining the PASS Beta Test
PASS Migration – Update V
A Retrospective
Current Issues
Future Directions
with Jeff D’Angelo
NWOP 2008/08/18
PASS Migration – A Retrospective
Need arose: Replace DCE/DFS with
Kerberos/LDAP/GPFS
Replacement authentication & directory
services ran in parallel for years
PASS Beta launched December 2007
Early migration to new PASS June 2008
Final migration July 3-4 2008
PASS Migration – A Retrospective
What went well:
Completed data migration on time
Most critical functionality preserved
Internal and external communication
processes improved
Not so well:
3rd party software incompatibilities
PASS Migration – A Retrospective
Major Changes:
CIFS/NFS require kerberos
Quota behavior
Permissions (ACLs) NFSv4 based
UNIX system changes
php.scripts.psu.edu major changes
SSH host key changes (sftp / UNIX)
Path changes (e.g. /pass)
MIT KDCs: Longer Kerberos ticket lifetimes
LDAP schema / attribute usage for PASS
http://www.personal.psu.edu/jcd/blogs/NextPass/
2008/07/pass-migration-complete.html
PASS Migration – Current Issues
Documentation still in development, e.g.:
Mounting NFS Gateway from Mac
Known issues KB articles
PASS Migration – Current Issues
PASS Gateway server issues
32 group limit for CIFS
PASS Migration – Current Issues
PASS Gateway client issues
Windows AD domain w/ dce.psu.edu trust
Works automatically
Windows (w/o AD) requires for Kerberos:
Must specify user
User must include domain
PASS Migration – Current Issues
PASS Gateway client issues
Mac OS X
Ticket problem while authenticated to AD
Leopard’s Finder misinterprets CIFS ACLs
Kerberos requirement precludes Tiger NFS
NFSv3 requires multiple mounts
PASS Migration – Current Issues
PASS Gateway client issues
Linux
mount.cifs has no kerberos support yet
NFSv4 performance less than peers
Ticket renewal (beyond 14 days)
“nfs” service principal required for NFS client
PASS Migration – Current Issues
PASS Gateway client issues
Solaris NFSv4
ls / stat() issue
AIX NFS
Executable error “Cannot open or remove a
file containing a running program”
PASS Migration – Current Issues
Secure Shell / Secure File Transfer
Host key changes
sftp.pass.psu.edu, sftp.personal.psul.edu
rs6klab.aset.psu.edu
Fugu may hang kb.its.psu.edu/psu-all/hd/fuguhangs
PASS Migration – Current Issues
Web services
www.courses.psu.edu
now uses SSL for all content, WebAccess for
protected content
PHP content no longer automatic
Apache 2: Server Side Includes (SSI)
Old MIME type activation no longer supported
despite docs
PHP users may need to update/remove
default .htaccess
PASS Migration – FIXED Issues
FIXED Issues:
PASS Explorer Browse-To list auto groups
CIFS READ-ONLY attribute falsely set
PHP SQLite2 driver missing
Cbs UNIX cluster back after hiatus
PASS Migration – New Directions
Where are we now?
Beta / Early migration systems down: today
Fixing / Documenting known issues
Web permissions tools further development
Add new features to File Permissions
Manager
Create Web Services based command line
tool
Mac mount PASS tool update for NFS
PASS Migration – New Directions
Where are we going?
GPFS data redundancy
New quota limit – mid semester
DCE/DFS shut down December 2008
Enhanced quota system – expected
summer 2009
Permissions tools integration (web/file)
Kerberized sftp/ssh login
Self-serve kerberos keytabs
UMG updates
PASS Migration Timeline
Date
Milestone
March 17, 2008
Open Beta period
begins
May 30, 2008
Begin Internal ITS
Migration
May 30-June 30, 2008
Open Penn State Early
Migration
July 3, 5 p.m.
Through
July 7, 7 a.m.
December 2008
How this is defined
Estimated Impact
Completed
Enrollment for the
All the current
testing environment is functionality in PASS
YES
announced for all of
space is available to the
Penn State.
testers.
All Production services
are operational. The Pre- All ITS Units under
YES
tag will remain until the /dept/its space
Final Cutover.
We will offer the option
to perform a timely
Announcement to ITS
migration in advance
staff targeted for mid- YES
before the final move on May.
July 4th.
Complete Data
Migration, PASS goes
read-only for the 3 day
weekend
DFS is locked into a readonly state. All systems
All our dependent
and data remaining in
systems
DFS are moved into
GPFS. No turning back.
YES
Decommission
DCE/DFS
Shut off existing
systems. Repurpose
Hopefully None
Hardware. Plan for next
hardware/power issues.
No
PASS Migration Resources:
Kerberos Authentication
For Kerberos auth to the Penn State Kerberos realm (dce.psu.edu) for
either Mac, Windows or Linux clients.
Mac OS X: CLC has documented setting up Kerberos auth on OSX
http://clc.its.psu.edu/Labs/Mac/Resources/authdoc/default.aspx
http://clc.its.psu.edu/Labs/Mac/help/privatefilespace/macpass.aspx
LINUX: For discussion of Kerberos auth and SSO see:
https://wikispaces.psu.edu/display/access/Kerberos
WINDOWS: For discussion of Kerberos auth and SSO see:
https://wikispaces.psu.edu/display/access/Kerberos+on+Windows
Note: The registry key that must be installed on the windows clients is
called "psuksetup.reg" and is available here:
http://aset.its.psu.edu/docs/windows/active_directory/kdcrecords.html
PASS Migration Resources:
Online Learning Materials
Publishing: The Infrastructure at Penn State
http://portfolio.psu.edu/files/eportfolio/PASS_blogs_viewlet_swf.html
The Files in Your PASS Space: A Guided Tour
http://portfolio.psu.edu/files/eportfolio/PASS_tour_viewlet_swf.html
Publishing in your Penn State Web Space
http://portfolio.psu.edu/files/eportfolio/Publishing_in_PASS.pdf
PASS Migration Resources:
Online Documentation
1.
2.
3.
4.
The MIT Kerberos tools for various OS
http://web.mit.edu/Kerberos/dist/index.html
New Public Online Documentation for PASS
http://its.psu.edu/PASS/
Wikispaces – for Penn State affiliated Faculty and Staff
http://wikispaces.psu.edu/display/PASS
Next PASS Blog by Jeff D’Angelo
http://www.personal.psu.edu/jcd/blogs/NextPass/
Active Directory Update
ACCESS.PSU.EDU forest
Exchange 2007 support introduced
Search Engine Update
Upgrade expected Fall 2008
New hardware
Out: 1 x GB-5005
In: 2 x GB-1001
New software
GSA 4.x -> 5.x