PASS Migration – Update V A Retrospective Current Issues Future Directions with Jeff D’Angelo NWOP 2008/08/18

Page 1: PASS Migration – Update V

PASS Migration – Update V

A Retrospective

Current Issues

Future Directions

with Jeff D’Angelo

NWOP 2008/08/18

PASS Migration – A Retrospective

Need arose: Replace DCE/DFS with Kerberos/LDAP/GPFS

Replacement authentication & directory services ran in parallel for years

PASS Beta launched December 2007

Early migration to new PASS June 2008

Final migration July 3-4 2008

PASS Migration – A Retrospective

What went well:
  • Completed data migration on time
  • Most critical functionality preserved
  • Internal and external communication processes improved

Not so well:
  • 3rd party software incompatibilities

PASS Migration – A Retrospective

Major Changes:
  • CIFS/NFS require Kerberos
  • Quota behavior
  • Permissions (ACLs) NFSv4 based
  • UNIX system changes
  • php.scripts.psu.edu major changes
  • SSH host key changes (sftp / UNIX)
  • Path changes (e.g. /pass)
  • MIT KDCs: Longer Kerberos ticket lifetimes
  • LDAP schema / attribute usage for PASS

http://www.personal.psu.edu/jcd/blogs/NextPass/2008/07/pass-migration-complete.html

PASS Migration – Current Issues

Documentation still in development, e.g.:
  • Mounting NFS Gateway from Mac
  • Known issues
  • KB articles

PASS Migration – Current Issues

PASS Gateway server issues:
  • 32 group limit for CIFS

PASS Migration – Current Issues

PASS Gateway client issues:
  • Windows AD domain w/ dce.psu.edu trust
      • Works automatically
  • Windows (w/o AD) requires for Kerberos:
      • Must specify user
      • User must include domain

PASS Migration – Current Issues

PASS Gateway client issues:
  • Mac OS X
      • Ticket problem while authenticated to AD
      • Leopard’s Finder misinterprets CIFS ACLs
      • Kerberos requirement precludes Tiger NFS
      • NFSv3 requires multiple mounts

PASS Migration – Current Issues

PASS Gateway client issues:
  • Linux
      • mount.cifs has no Kerberos support yet
      • NFSv4 performance less than peers
      • Ticket renewal (beyond 14 days)
      • “nfs” service principal required for NFS client

PASS Migration – Current Issues

PASS Gateway client issues:
  • Solaris NFSv4
      • ls / stat() issue
  • AIX NFS
      • Executable error: “Cannot open or remove a file containing a running program”

PASS Migration – Current Issues

Secure Shell / Secure File Transfer:
  • Host key changes
      • sftp.pass.psu.edu, sftp.personal.psul.edu
      • rs6klab.aset.psu.edu
  • Fugu may hang
      • kb.its.psu.edu/psu-all/hd/fuguhangs

PASS Migration – Current Issues

Web services:
  • www.courses.psu.edu
      • Now uses SSL for all content, WebAccess for protected content
      • PHP content no longer automatic
  • Apache 2: Server Side Includes (SSI)
      • Old MIME type activation no longer supported despite docs
  • PHP users may need to update/remove default .htaccess

PASS Migration – FIXED Issues

FIXED Issues:
  • PASS Explorer Browse-To list auto groups
  • CIFS READ-ONLY attribute falsely set
  • PHP SQLite2 driver missing
  • Cbs UNIX cluster back after hiatus

PASS Migration – New Directions

Where are we now?
  • Beta / Early migration systems down: today
  • Fixing / Documenting known issues
  • Web permissions tools further development
      • Add new features to File Permissions Manager
      • Create Web Services based command line tool
  • Mac mount PASS tool update for NFS

PASS Migration – New Directions

Where are we going?
  • GPFS data redundancy
  • New quota limit – mid semester
  • DCE/DFS shut down December 2008
  • Enhanced quota system – expected summer 2009
  • Permissions tools integration (web/file)
  • Kerberized sftp/ssh login
  • Self-serve Kerberos keytabs
  • UMG updates

PASS Migration Timeline

| Date | Milestone | How this is defined | Estimated Impact | Completed |
|---|---|---|---|---|
| March 17, 2008 | Open Beta period begins | Enrollment for the testing environment is announced for all of Penn State. | All the current functionality in PASS space is available to the testers. | YES |
| May 30, 2008 | Begin Internal ITS Migration | All Production services are operational. The Pre- tag will remain until the Final Cutover. | All ITS Units under /dept/its space | YES |
| May 30-June 30, 2008 | Open Penn State Early Migration | We will offer the option to perform a timely migration in advance before the final move on July 4th. | Announcement to ITS staff targeted for mid-May. | YES |
| July 3, 5 p.m. through July 7, 7 a.m. | Complete Data Migration, PASS goes read-only for the 3 day weekend | DFS is locked into a read-only state. All systems and data remaining in DFS are moved into GPFS. No turning back. | All our dependent systems | YES |
| December 2008 | Decommission DCE/DFS | Shut off existing systems. Repurpose Hardware. Plan for next hardware/power issues. | Hopefully None | No |

PASS Migration Resources: Kerberos Authentication

For Kerberos auth to the Penn State Kerberos realm (dce.psu.edu) for either Mac, Windows or Linux clients.

Mac OS X: CLC has documented setting up Kerberos auth on OSX
  http://clc.its.psu.edu/Labs/Mac/Resources/authdoc/default.aspx
  http://clc.its.psu.edu/Labs/Mac/help/privatefilespace/macpass.aspx

LINUX: For discussion of Kerberos auth and SSO see:
  https://wikispaces.psu.edu/display/access/Kerberos

WINDOWS: For discussion of Kerberos auth and SSO see:
  https://wikispaces.psu.edu/display/access/Kerberos+on+Windows

Note: The registry key that must be installed on the Windows clients is called "psuksetup.reg" and is available here: http://aset.its.psu.edu/docs/windows/active_directory/kdcrecords.html

PASS Migration Resources: Online Learning Materials

Publishing: The Infrastructure at Penn State
  http://portfolio.psu.edu/files/eportfolio/PASS_blogs_viewlet_swf.html

The Files in Your PASS Space: A Guided Tour
  http://portfolio.psu.edu/files/eportfolio/PASS_tour_viewlet_swf.html

Publishing in your Penn State Web Space
  http://portfolio.psu.edu/files/eportfolio/Publishing_in_PASS.pdf

PASS Migration Resources: Online Documentation

1. The MIT Kerberos tools for various OS: http://web.mit.edu/Kerberos/dist/index.html

2. New Public Online Documentation for PASS: http://its.psu.edu/PASS/

3. Wikispaces – for Penn State affiliated Faculty and Staff: http://wikispaces.psu.edu/display/PASS

4. Next PASS Blog by Jeff D’Angelo: http://www.personal.psu.edu/jcd/blogs/NextPass/

Active Directory Update

ACCESS.PSU.EDU forest Exchange 2007 support introduced

Search Engine Update

  • Upgrade expected Fall 2008
  • New hardware
      • Out: 1 x GB-5005
      • In: 2 x GB-1001
  • New software
      • GSA 4.x -> 5.x