View
31
Download
0
Category
Preview:
DESCRIPTION
A Retrospective Current Issues Future Directions with Jeff D’Angelo NWOP 2008/08/18. PASS Migration – Update V. PASS Migration – A Retrospective. Need arose: Replace DCE/DFS with Kerberos/LDAP/GPFS Replacement authentication & directory services ran in parallel for years - PowerPoint PPT Presentation
Citation preview
PASS Migration – Update V
A Retrospective
Current Issues
Future Directions
with Jeff D’AngeloNWOP 2008/08/18
PASS Migration – A Retrospective
Need arose: Replace DCE/DFS with Kerberos/LDAP/GPFS
Replacement authentication & directory services ran in parallel for years
PASS Beta launched December 2007
Early migration to new PASS June 2008
Final migration July 3-4 2008
PASS Migration – A Retrospective
What went well: Completed data migration on time Most critical functionality preserved Internal and external communication
processes improved
Not so well: 3rd party software incompatibilities
PASS Migration – A Retrospective
Major Changes: CIFS/NFS require kerberos Quota behavior Permissions (ACLs) NFSv4 based UNIX system changes php.scripts.psu.edu major changes SSH host key changes (sftp / UNIX) Path changes (e.g. /pass) MIT KDCs: Longer Kerberos ticket lifetimes LDAP schema / attribute usage for PASS
http://www.personal.psu.edu/jcd/blogs/NextPass/2008/07/pass-migration-complete.html
PASS Migration – Current Issues
Documentation still in development, e.g.: Mounting NFS Gateway from Mac Known issues KB articles
PASS Migration – Current Issues
PASS Gateway server issues 32 group limit for CIFS
PASS Migration – Current Issues
PASS Gateway client issues Windows AD domain w/ dce.psu.edu trust
Works automatically Windows (w/o AD) requires for Kerberos:
Must specify user User must include domain
PASS Migration – Current Issues
PASS Gateway client issues Mac OS X
Ticket problem while authenticated to AD Leopard’s Finder misinterprets CIFS ACLs Kerberos requirement precludes Tiger NFS NFSv3 requires multiple mounts
PASS Migration – Current Issues
PASS Gateway client issues Linux
mount.cifs has no kerberos support yet NFSv4 performance less than peers Ticket renewal (beyond 14 days) “nfs” service principal required for NFS client
PASS Migration – Current Issues
PASS Gateway client issues Solaris NFSv4
ls / stat() issue AIX NFS
Executable error “Cannot open or remove a file containing a running program”
PASS Migration – Current Issues
Secure Shell / Secure File Transfer Host key changes
sftp.pass.psu.edu, sftp.personal.psul.edu rs6klab.aset.psu.edu Fugu may hang kb.its.psu.edu/psu-all/hd/fuguhangs
PASS Migration – Current Issues
Web services www.courses.psu.edu
now uses SSL for all content, WebAccess for protected content
PHP content no longer automatic Apache 2: Server Side Includes (SSI)
Old MIME type activation no longer supported despite docs
PHP users may need to update/remove default .htaccess
PASS Migration – FIXED Issues
FIXED Issues: PASS Explorer Browse-To list auto groups CIFS READ-ONLY attribute falsely set PHP SQLite2 driver missing Cbs UNIX cluster back after hiatus
PASS Migration – New Directions
Where are we now? Beta / Early migration systems down: today Fixing / Documenting known issues Web permissions tools further development
Add new features to File Permissions Manager
Create Web Services based command line tool
Mac mount PASS tool update for NFS
PASS Migration – New Directions
Where are we going? GPFS data redundancy New quota limit – mid semester DCE/DFS shut down December 2008 Enhanced quota system – expected
summer 2009 Permissions tools integration (web/file) Kerberized sftp/ssh login Self-serve kerberos keytabs UMG updates
PASS Migration TimelineDate Milestone How this is defined Estimated Impact Completed
March 17, 2008 Open Beta period begins
Enrollment for the testing environment is announced for all of Penn State.
All the current functionality in PASS space is available to the testers.
YES
May 30, 2008 Begin Internal ITS Migration
All Production services are operational. The Pre- tag will remain until the Final Cutover.
All ITS Units under /dept/its space
YES
May 30-June 30, 2008Open Penn State Early Migration
We will offer the option to perform a timely migration in advance before the final move on July 4th.
Announcement to ITS staff targeted for mid-May.
YES
July 3, 5 p.m.
Through
July 7, 7 a.m.
Complete Data Migration, PASS goes read-only for the 3 day weekend
DFS is locked into a read-only state. All systems and data remaining in DFS are moved into GPFS. No turning back.
All our dependent systems
YES
December 2008 Decommission DCE/DFS
Shut off existing systems. Repurpose Hardware. Plan for next hardware/power issues.
Hopefully None No
PASS Migration Resources:Kerberos Authentication
For Kerberos auth to the Penn State Kerberos realm (dce.psu.edu) for either Mac, Windows or Linux clients.
Mac OS X: CLC has documented setting up Kerberos auth on OSXhttp://clc.its.psu.edu/Labs/Mac/Resources/authdoc/default.aspx http://clc.its.psu.edu/Labs/Mac/help/privatefilespace/macpass.aspx
LINUX: For discussion of Kerberos auth and SSO see:https://wikispaces.psu.edu/display/access/Kerberos
WINDOWS: For discussion of Kerberos auth and SSO see:https://wikispaces.psu.edu/display/access/Kerberos+on+Windows
Note: The registry key that must be installed on the windows clients is called "psuksetup.reg" and is available here: http://aset.its.psu.edu/docs/windows/active_directory/kdcrecords.html
PASS Migration Resources:Online Learning Materials
Publishing: The Infrastructure at Penn Statehttp://portfolio.psu.edu/files/eportfolio/PASS_blogs_viewlet_swf.html
The Files in Your PASS Space: A Guided Tourhttp://portfolio.psu.edu/files/eportfolio/PASS_tour_viewlet_swf.html
Publishing in your Penn State Web Spacehttp://portfolio.psu.edu/files/eportfolio/Publishing_in_PASS.pdf
PASS Migration Resources:Online Documentation
1. The MIT Kerberos tools for various OShttp://web.mit.edu/Kerberos/dist/index.html
2. New Public Online Documentation for PASS http://its.psu.edu/PASS/
3. Wikispaces – for Penn State affiliated Faculty and Staffhttp://wikispaces.psu.edu/display/PASS
4. Next PASS Blog by Jeff D’Angelo http://www.personal.psu.edu/jcd/blogs/NextPass/
Active Directory Update
ACCESS.PSU.EDU forest Exchange 2007 support introduced
Search Engine Update
Upgrade expected Fall 2008 New hardware
Out: 1 x GB-5005 In: 2 x GB-1001
New software GSA 4.x -> 5.x
Recommended