ARMv6 (Pi). Support for further family revisions in NetBSD is controlled
by the presence of src/config/param.armv$_nbsd$$.h to set the CPU family version
and major OS version number.
- Add description to most patches
User-Visible OpenAFS Changes
OpenAFS 1.6.21
All platforms
* Avoid a possible 100ms transmit delay in the RX protocol when a peer's
receive window transitions from closed to open (12627)
* Documentation improvements (12476 12477 12559[RT #133339])
All server platforms
* When bosserver is started with an unknown option, print an error message
and exit with a non-zero value rather than failing silently (12631)
All DB server platforms
* Hold the DB lock while checking for an aborted write transaction (12516)
All file server platforms
* On demand attach fileservers, don't save or restore a client's host
state if CPS ("Current Protection Subdomain") recalculation for it is
in progress, to avoid fileserver thread exhaustion (12568)
* On demand attach fileservers, avoid flooding the log with error messages,
which could happen when the fileserver was restarted while a volume was
offline (12569)
* Update a volume's "Last Update" time when its content is modified by
the salvager, to make the change visible in the output of "vos examine"
and to backup services (12633)
All client platforms
* Corrected the DCentries bucket counts for very large and zero length
files in the output of "fs getcacheparms -excessive" (12604 12605)
* Fixed a bug that prevented users with GID 2748 and 2750 from executing
the "fs sysname" command on clients running afsd with -rmtsys (12607)
* Provide a new -inumcalc switch for afsd to allow enabling the alternative
MD5 method of inode number calculation, which was previously only
possible on Linux and through the sysctl interface (12608 12632)
Linux clients
* Support for mainline kernel 4.12 and distribution kernels with backports
from it (12624 12626)
* Re-added the improved algorithm for freeing unused vcaches to reduce
memory consumption first introduced with the 1.6.18 release, together
with a fix for the issue leading to its removal in 1.6.18.2 (12448..12451)
macOS clients
* Fixed a crash while stopping the client on macOS 10.12 "Sierra" (12602)
Hopefully NetBSD/x86 -current also works.
Should merely be a build fix, but bump PKGREVISION anyway.
This commit allocates sysname numbers that have not yet been submitted
upstream.
User-Visible OpenAFS Changes
OpenAFS 1.6.17 (Security Release)
All server platforms
* Fix for OPENAFS-SA-2016-001: foreign users can create groups as
if they were an administrator (RT #132822) (CVE-2016-2860)
All client platforms
* Fix for OPENAFS-SA-2016-002: information leakage from sending
uninitialized memory over the network. Multiple call sites
were vulnerable, with potential for leaking both kernel and
userland stack data (RT #132847)
* Update to the GCO CellServDB update from 01 January 2016 (12188)
Linux clients
* Fix a crash when the root volume is not found and dynroot is not
in use, a regression introduced in 1.6.14.1 (12166)
* Avoid introducing a dependency on the kernel-devel package corresponding
to the currently running system while building the srpm (12195)
* Create systemd unit files with mode 0644 instead of 0755
(12196) (RT #132662)
OpenAFS 1.6.16
All platforms
* Documentation improvements (11932 12096 12100 12112 12120)
* Improved diagnostics and error messages (11586 11587)
* Distribute the contributor code of conduct with the stable release (12056)
All server platforms
* Create PID files in the right location when bosserver is started with
the "-pidfiles" argument and transarc paths are not being used (12086)
* Several fixes regarding volume dump creation and restore (11433 11553
11825 11826 12082)
* Avoid a reported bosserver crash, and potentially others, by replacing
fixed size buffers with dynamically allocated ones in some user handling
functions (11436) (RT #130719)
* Obey the "-toname" parameter in "vos clone" operations (11434)
* Avoid writing a loopback address into the server CellServDB - search
for a non-loopback one, and fail if none is found (12083 12105)
* Rebuild the vldb free list with "vldb_check -fix" (12084)
* Fixed and improved the "check_sysid" utility (12090)
* Fixed and improved the "prdb_check" utility (12101..04)
All client platforms
* Avoid a potential denial of service issue, by fixing a bug in pioctl
logic that allowed a local user to overrun a kernel buffer with a single
NUL byte (commit 2ef86372) (RT #132256) (CVE-2015-8312)
* Refuse to change multi-homed server entries with "vos changeaddr",
unless "-force" is given, to avoid corruption of those entries (12087)
* Provide a new vos subcommand "remaddrs" for removing server entries, to
replace the slightly confusing "vos changeaddr -remove" (12092 12094)
* Make "fs flushall" actually invalidate all cached data (11894)
* Prevent spurious call aborts due to erroneous idle timeouts (11594)
* Provide a "--disable-gtx" configure switch to avoid building and
installing libgtx and its header files as well as the depending
"scout" and "afsmonitor" applications (12095)
* Fixed building the gtx applications against newer ncurses (12125)
* Allow pioctls to work in environments where the syscall emulation
pseudo file is created in a read-only pseudo filesystem, like in
containers under recent versions of docker (12124)
Linux clients
* In Red Hat packaging, avoid following a symbolic link when writing
the client CellServDB, which could overwrite the server CellServDB,
by removing an existing symlink before writing the file (12081)
* In Red Hat packaging, avoid a conflict of openafs-debuginfo with
krb5-debuginfo by excluding our kpasswd executable from debuginfo
processing (12128) (RT #131771)
Existing SHA1 digests verified, all found to be the same on the
machine holding the existing distfiles (morden). Existing SHA1
digests retained for now as an audit trail.
OpenAFS 1.6.15 (Security Release)
All client and server platforms
* Fix for OPENAFS-SA-2015-007 "Tattletale"
When constructing an Rx acknowledgment (ACK) packet, Andrew-derived
Rx implementations do not initialize three octets of data that are
padding in the C language structure and were inadvertently included
in the wire protocol (CVE-2015-7762). Additionally, OpenAFS Rx in
versions 1.5.75 through 1.5.78, 1.6.0 through 1.6.14, and 1.7.0
through 1.7.32 include a variable-length padding at the end of the
ACK packet, in an attempt to detect the path MTU, but only four octets
of the additional padding are initialized (CVE-2015-7763).
User-Visible OpenAFS Changes
OpenAFS 1.6.10
All platforms
* Don't hide the "version" subcommand in help output (11214)
* Documentation improvements (11126 11216 11222 11223 11225 11226)
* Improved diagnostics and error messages (11154 11246 11247 11249 11181
11182 11183)
* Build system improvements (11158 11221 11224 11225 11227..11241 11282
11342 11350 11353 11242 11367 11392)
* Avoid potentially erratic behaviour under certain error conditions by
either avoiding or at least not ignoring them, in various places (11008
11010..11065 11112 11148 11196 11530)
FreeBSD
* Support releases 9.3 and 10.1 (11368 11369 11402 11403 11404)
* Makes a disk cache more likely to work on FreeBSD, though such
configurations remain not very tested (11448)
All server platforms
* Added volscan(8) (11252..11280 11387 11388)
* Fixed a bug causing subgroups not to function correctly if their
ptdb entry had more than one continuation entry (11352)
* Logging improvements (10946 11153)
* Allow log rotation via copy and truncate (11193)
* Avoid a server crash during startup only observed on a single platform
and when using a 3rd party library under certain circumstances, which is
a collateral effect of the security improvements introduced in OpenAFS
release 1.6.5 (11075) (RT #131852)
All client platforms
* Raised the free space reported for /afs to the maximum possible value of
just under 2 TiB - the old value was 9 GiB on most platforms (10984)
* Reduced the amount of stack space used (11162 11163 11203 11164..11167
11338 11339 11364..11366 11381)
* Sped up a periodic client task which could be problematically slow
on systems with a large number of PAGs and files in use (11307)
* Fixed failure of the up command with large ACLs (11111)
* Avoid a potential crash of aklog (11218)
* Avoid potential crashes of scout and xstat_fs_test (11155)
Linux clients
* Support kernels up to 3.16 (11308 11309)
* Fixed a regression introduced in OpenAFS release 1.6.6 that made
checking for existing write locks incorrectly fail on readonly volumes
(11361)
* Fixed a regression introduced in OpenAFS release 1.6.8 that could
cause VFS cache inconsistencies when a previously-accessed directory
entry was removed and recreated with the same name but pointing to a
different file on another client (11358)
* Use the right path to depmod in Red Hat packaging to avoid dependency
calculation incorrectly failing unless a link /sbin -> /usr/sbin is
present on the system performing it (11171) (RT #131860)
* Do not ignore kernel module build errors (11205)
User-Visible OpenAFS Changes
OpenAFS 1.6.11
All platforms
* Allow aklog to succeed creating native K5 tokens even when mapping
the K5 principal to a K4 one fails (11538)
* Build fixes (11435 11636)
All client platforms
* Avoid a potential kernel panic due to connection reference overcounts
(11645) (RT #131885)
* Avoid potential corruption of files written using memory mapped I/O
when the file is larger than the cache (11656) (RT #131976)
Linux clients
* Support kernels at least up to 3.19 (11549 11550 11569 11570 11595
11658..11662 11694 11752)
Note: By default this excludes kernels 3.17 to 3.17.2, which will leak
an inode reference when an error occurs in d_splice_alias(). The
module will build and work, but leak kernel memory, leading to
performance degradation and eventually system failure due to
memory exhaustion. Since it's impossible to detect this condition
automatically, the switch --enable-linux-d_splice_alias-extra-iput
must be passed to configure when building the module for those
kernels. The same would be necessary for any kernel with backports
of commit 908790fa3b779d37365e6b28e3aa0f6e833020c3 or commit
95ad5c291313b66a98a44dc92b57e0b37c1dd589 but not the fix in commit
51486b900ee92856b977eacfc5bfbe6565028070 in the linux-stable repo
(git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git) or
the corresponding changes on other branches.
* Fixed a regression introduced in OpenAFS release 1.6.10 which could
make the spurious "getcwd: cannot access parent directories" problem
return (11558 11568) (RT #131780)
* Avoid leaking memory when scanning a corrupt directory (11707)
OS X clients
* Support OS X 10.10 "Yosemite" (11571 11572 11611) (RT #131946)
Solaris clients
* Avoid reading random data rather than correct cache content when using
ZFS as the cache file system on Solaris >= 11, and fix potential similar
problems on other platforms (11713 11714)
FreeBSD
* Build fix for releases >= 11.0 (11610)
OpenBSD
* Support release 5.4 (11700)
User-Visible OpenAFS Changes
OpenAFS 1.6.11.1
Linux clients
* Support kernels up to 4.0 (11760 11761)
FreeBSD clients
* Fixed kernel module build on systems with an updated clang which no
longer accepts the -mno-align-long-strings as a no-op (11809)
User-Visible OpenAFS Changes
OpenAFS 1.6.12
All server platforms
* Avoid database corruption if a database server is shut down and then
brought up again quickly with an altered database (11773 11774)
(RT #131997)
All client platforms
* Fixed a potential buffer overflow in aklog (11808)
* Avoid a bogus warning regarding the checkserver daemon, which could be
logged during startup when the cache initialization was very fast (11680)
* Added documentation of the inaccuracy of the 'partition' field in
'fs listquota' output for partitions larger than 2 TiB (11626)
Linux clients
* Support kernels up to 4.1 (11872 11873)
* Avoid spurious EIO errors when writing large chunks of data to
mmapped files (11877)
OS X
* Build fixes required at least on OS X 10.10 Yosemite with the latest
XCode (11859 11876 11842..11845 11863 11878 11879)
User-Visible OpenAFS Changes
OpenAFS 1.6.13
All server platforms
* Fix for CVE-2015-3282: vos leaks stack data onto the wire in the
clear when creating vldb entries
* Workaround for CVE-2015-3283: bos commands can be spoofed, including
some which alter server state
* Disabled searching the VLDB by volume name regular expression to avoid
possible buffer overruns in the volume location server
All client platforms
* Fix for CVE-2015-3284: pioctls leak kernel memory
* Fix for CVE-2015-3285: kernel pioctl support for OSD command passing
can trigger a panic
Solaris clients
* Fix for CVE-2015-3286: Solaris grouplist modifications for PAGs can
panic or overwrite memory
User-Visible OpenAFS Changes
OpenAFS 1.6.14
All server platforms
* Prior to the OpenAFS security release 1.6.13, the Volume Location
Server (vlserver) RPC VL_ListAttributesN2() supported wildcard volume
name lookups via regular expression (regex) pattern matching. This
support was completely disabled in 1.6.13 because it was judged to be
a security risk due to buffer overruns in the implementation, as well
as the possibility of denial of service attacks where certain regular
expressions could cause excessive CPU usage in some regex
implementations.
Unfortunately, after 1.6.13 was released, it was discovered that
the native OpenAFS 'backup' system uses the VL_ListAttributesN2()
regex support to evaluate configured volume sets. If you use the
OpenAFS 'backup' system (or another backup system which relies on it,
such as Tivoli Storage Manager (TSM, aka Tivoli ADSM)), and are using
volume sets which require regular expressions for the volume name,
then those volume sets cannot be resolved by OpenAFS 1.6.13. The next
paragraph provides details on how to identify any affected volume sets.
OpenAFS backup volume sets may be described by fileserver, partition
name, and volume name. The fileserver and partition specifications
never require regular expression support. The volume name specification
always requires regular expression support except for when specifying
_all_ volumes via two special cases: the universal wildcard ".*", or "".
For example, volume name "proj" or "*.backup" or "homevol.*" all
require regex support - even if the specification contains no wildcard
characters and/or exactly matches an existing volume name.
As a result of this issue, OpenAFS 1.6.14 replaces the 1.6.13 changes
to VL_ListAttributesN2. 1.6.14 prevents the buffer overruns and
reenables the regex support, but restricts it to OpenAFS super-users
and -localauth only. This is sufficient to restore the OpenAFS 'backup'
system's ability to work correctly with any previously supported volume
set. The OpenAFS 'backup' commands are already documented to require
super-user authorization, so this restriction is moot for the backup
system.
There are no other direct consumers of the VL_ListAttributesN2() regex
support in the OpenAFS tree. However, the VL_ListAttributesN2 RPC is
publicly accessible and might be used by third party tools directly or
indirectly via OpenAFS's libadmin. Any such tools that issue
VL_ListAttributesN2 RPCs must now be executed using super-user or
-localauth tokens.
None of the other security fixes in OpenAFS 1.6.13 are known to have
any issues, and are still included unchanged in OpenAFS 1.6.14.
If there are any questions concerning the possible impact of OpenAFS
1.6.13 or 1.6.14 at your site, please contact your OpenAFS support
provider or the openafs-info@openafs.org mailing list for further
assistance.
OpenAFS 1.6.9
All server platforms
* Fix for OPENAFS-SA-2014-002
OpenAFS 1.6.8
All platforms
* Documentation improvements (10751 10875 10931 10897 10883 10954 10955)
* Improved diagnostics and error messages (10756 10814 10949)
* Fixed a bug in RX that could make errors during packet reception go
unnoticed. (10733)
* Fixed a bug that made "vos size -dump" display the wrong size for
large volumes. (10933) (RT #131819)
All server platforms
* Change the default fileserver sync behavior from "delayed" to "onclose".
This means that explicit syncing only happens when a volume is detached.
(10809)
* Added the -offline-timeout and -offline-shutdown-timeout options to the
fileserver, to implement interrupting clients accessing volumes we are
trying to take offline. (6266 10799)
Remove unused options bos-new-config, fast-restart, & largefile.
Remove patches fixed upstream.
OpenAFS 1.6.6
All platforms
* As of this release, OpenAFS no longer ships uncompressed source tarballs.
Tarballs are still shipped with both compression formats, gzip and bzip2.
(10131)
* Documentation improvements (10136 10314 10601)
* Improved diagnostics and error messages (9412 10085 10274)
* Avoid redefining "assert" in our public header files, which could
cause failures when building some applications using them. (10096)
* Fixes for parallel builds (10005 10309 10337)
* Added a -s switch to afscp (not installed by default) to help simulate
a slow client. (9416 9417)
* Added a -probe switch to vlclient test program (not installed by default)
to ping all vlservers in a cell in parallel. (9570)
All server platforms
* The fileserver now ignores any vice partitions with a NeverAttach flag
file present in the root directory. (RT #130561) (9470 9471)
* Restrict forcing CPS ("Current Protection Subdomain") recalculation in
the fileserver to administrators. Also fixed a bug that could cause this
operation to be incomplete. (9485 9487)
* Allow non-DAFS fileservers to attach unusable volumes, restoring pre-1.6
behaviour. (RT #131505) (9499)
* Restored the pre-1.6 behaviour when running vos examine for a volume
currently in a transaction, showing the volume as busy again rather than
offline. (9685 9915 9916)
* Reduced the minimum time a bos salvage takes from 5 seconds to 1. (9476)
* Fixed buserver to not segfault when started with the -servers option.
(RT #131706) (10166)
* Salvager fixes, addressing a wide variety of possible problems from
unnecessary salvaging to aborts (9282 9283 9457 9458 9459 9461 9462 9480
9481 10165 10167)
* Fixed a bug that could cause saved state information to be discarded
when restarting a large or busy fileserver, which negatively impacted
performance. (9683)
* Fixed a bug that could have caused undefined behaviour in the vlserver
in rare cases when a fileserver registered its addresses in the VLDB.
(9429)
* Added the -preserve-vol-stats switch to volserver, allowing it to keep
the access statistics across volume restore and reclone operations
instead of resetting them. (9477)
* Inserted an exponential delay between retries when bosserver attempts to
restart a server process. (9571 10199)
* Improved vldb_check (not installed by default) to cope with broken
vlentry names and volids, and provide more output to aid debugging.
(10268)
* Releasing a volume after adding a new RO site no longer touches any of
the existing RO sites, if the RW data hasn't changed since the last
release. (10174)
* Make the copyDate field for RO clones have the same meaning as for
remote RO volumes. Previously, the copyDate field for clones was updated
every time we released. (9451)
* Fixed potentially undefined behaviour in ptserver when too many pts
ids are allocated. (10124)
* Note that the server side NAT pings feature present in the prereleases
was removed before the final release, since no positive feedback
was provided during prerelease testing. (9420 10135)
Linux servers
* Start bosserver with -nofork in the systemd unit file, to allow systemd
to track its state (10093)
All client platforms
* No longer track file locks on read-only volumes. Write locks can't
succeed, read locks always will. Avoids log messages about this kind
of lock. (8910)
* Added the "fs flushall" subcommand, which makes the client discard all
cached data. This was previously available on Windows only. (9065 9388
9389 9390)
* Fixed a bug that could make the client incorrectly believe its cache
is up to date. This change could negatively impact AFS <-> DFS
translators, should those still be running anywhere. (8898)
* Several changes to avoid panicing in certain error conditions.
(9131 9287 10354 10355 10356 10357) (partially addressing RT #131747)
* Added the -rxmaxfrags switch to afsd, allowing to limit the number
of UDP fragments sent or received per RX packet. (9430)
* Build fixes for aklog on several platforms (RT #131716) (9917 10107 10275)
* Require that the AFS mountpoint specified in the cacheinfo file is
an absolute path. Relative paths result in a client that basically
works but is not fully functional. (10253)
* Fixed a bug that could cause one of the afsd threads to enter an infinite
loop (10431 .. 10436)
Linux clients
* Support Linux kernels up to 3.13 (10241)
* Fixed a bug that made readv/writev calls in AFS space fail with Linux
kernels where generic_file_aio_read exists but those operations have
not been switched to using aio_read/aio_write. This was a regression
introduced with release 1.6.3 and affected at least RHEL 5.9 kernels.
(10248)
* Fixed a similar bug making core dumps fail in AFS space, affecting
a much wider range of kernels including the most recent ones.
(RT #131729) (10254)
* Enhanced the keyring code to make PAGs work correctly on kernels with a
distribution specific change to the Linux keyring code. This affected at
least SLES 11 SP3 kernels. (10252)
* Fixed a bug that could make failures during PAG instantiation go
unnoticed. (10255)
* Fixed a bug that made compilation fail for Linux kernels without
keyring support. This affected at least the SLE 10 SDK and an
OEM version of SLES 11 SP1. (10325)
* Fixed build for kernels with user namespace support enabled. Likely
to be required for Ubuntu 14.04 and eventually other distributions.
(10456 10457 10458 10518 10472)
* Support RHEL 6.5 kernels, and possibly others with changes backported
from recent mainline kernels that touch getname/putname, by no longer
using those functions. Previously, the client could cause a kernel
panic when syscall auditing was enabled. (10578)
* Make tmpfs usable as the cache filesystem again. This had been broken
since kernel 3.1 (9950 10193)
* When starting the client fails, clean up the backing device information
created in sysfs, to avoid error messages during a subsequent start
and possible system instability later on (10454)
* Update Red Hat packaging to support Fedora >= 20, RHEL >= 7 and
ELrepo kernels (10597 10619 10622 10703 10704)
OS X Clients
* Support OS X 10.9 "Mavericks" (10519 10541 10542 10543 10548 10549)
AIX clients
* Fixed a bug that caused the 1.6 AIX client to never receive any RX
packets in the kernel. (RT #131725)
FUSE client
* Support Solaris 11 (9454 9455)
* Allow other users to access filesystems mounted by root. (9452)
FreeBSD
* Build tvolser and dvolser on this platform (10122)
* Several fixes to catch up with newer releases (10374 .. 10381)
NetBSD
* Build tsalvaged, tvolser and dvolser on this platform (10121)
* Fixed build on NetBSD 5 and newer. (10138)
Changes since 1.6.2:
OpenAFS 1.6.5
commit 5f5b02a57102af1a85fb9bdaaec31b6094d0c9c4
Author: Michael Meffie <mmeffie@sinenomine.net>
Date: Wed Jul 17 23:10:42 2013 +0100
ubik: Fix encryption selection in ugen
Make sure that we encrypt when requested to by the application
Change-Id: If4c2ba2257bf060d3e9169ccdbcae54f54dfe5d7
commit 0e41558190a5190dee3037c08e8df31e61e5134e
Author: Simon Wilkinson <sxw@your-file-system.com>
Date: Tue Jul 16 19:37:00 2013 +0100
Make OpenAFS 1.6.5
Change-Id: I693297ef6e20358966930cb29116d45b9151811f
commit 9e1c24a583634e6102091388dedc47745efce78a
Author: Ben Kaduk <kaduk@mit.edu>
Date: Sat Jul 13 10:49:27 2013 +0100
Add support for deriving DES keys to klog.krb5
(cherry picked from commit e79102e7918ce5196e870a806879135743ec3abb)
Change-Id: Ia7ebfdd10dcfd6cd164b10275016147630748bac
commit 4b7553600a7659d117df0bde7b1c1dfde031deb8
Author: Andrew Deason <adeason@sinenomine.net>
Date: Wed Jul 10 12:52:28 2013 -0500
Reload rxkad.keytab on CellServDB modification
Make the reloading of rxkad.keytab keys occur in the same way that
KeyFile keys are reloaded. That is, we only try to reload them if the
CellServDB mtime has changed. This is intended to have exactly the
same reloading behavior as KeyFile reloads.
I would have triggered this from afsconf_Check, but that approach
has annoyances. (Calling ticket5_keytab functions directly from
cellconfig pulls in libkrb5 dependencies for everything that uses
cellconfig, and we'd have to trigger an afsconf_Check call by calling
some other cellconfig function.)
9102f49a3bdc67ed74e254349eb55b529472f45c
commit d2024c158e3a879305ff17cf726d3958f20677f4
Author: Andrew Deason <adeason@sinenomine.net>
Date: Mon Jun 10 17:49:12 2013 -0500
Avoid calling afsconf_GetLatestKey directly
Don't call afsconf_GetLatestKey to determine whether we can print our
own local tokens, since we may have keytab 'local' keys, but no DES
keys. Just try to construct them and see if it fails, using
afsconf_PickClientSecObj or afsconf_ClientAuth{,Secure} as
appropriate.
commit d4788f6e283b79a1b974dda1e8fae213efd34930
Author: Andrew Deason <adeason@sinenomine.net>
Date: Mon Jun 10 17:15:27 2013 -0500
auth: Do not always fallback to noauth
Make afsconf_PickClientSecObj error out if we can't construct
localauth tokens (unless the caller explicitly requested rxnull
fallback). afsconf_ClientAuth{,Secure} still falls back, as always.
commit 95d57c74476c5a02ce6d9ca913dcbf88ac5c1143
Author: Ben Kaduk <kaduk@mit.edu>
Date: Tue May 14 19:37:59 2013 -0400
Clean up akimpersonate and use for server-to-server
Since a6d7cacfd, aklog has been able to print a krb5 ticket to
itself for an arbitrary client principal, allowing a user with
access to the cell's krb5 key to get tokens as an arbitrary user.
Now that it is possible to use native krb5 tickets with non-DES
enctypes for authentication, and akimpersonate is available from libauth,
use printed native krb5 tickets for server-to-server communication (as well
as the -localauth versions of the client utilities).
Remove the early call to afsconf_GetLatestKey() in
afsconf_PickClientSecObj() so that we do not end up picking an old DES
key before we try to find a better key to use.
Before doing so, refactor the akimpersonate code to be more usable
and readable, and eliminate some dead code. For example, we always printed
addressless tickets, so that code could be removed. Other code had excessive
stack usage for a library routine, which is eliminated. Use a start time
of 0 instead of 300 so that the printed ticket will always be
detected as infinite-lifetime.
In order to ensure usability on all platforms (in particular Solaris),
provide a couple more compat shims to implement routines which are not
always available from the krb5 library, in particular encode_krb5_ticket
and encode_krb5_enc_tkt_part. Thanks to Andrew Deason for implementing
these compatability routines.
UKERNEL doesn't need this stuff.
commit 15b77552b22e3ff3e7478008673775a45047f600
Author: Alexander Chernyakhovsky <achernya@mit.edu>
Date: Tue May 14 18:12:08 2013 -0400
Move akimpersonate to libauth
Give it its own source file and header, install the header at
depinstall time, and have aklog get the akimpersonate functionality
from libauth.
Keep the linux box copyright from aklog_main.c (but strip the trailing
whitespace), as that block was added with the akimpersonate code.
Remove all calls to afs_com_err() as is fitting for library code,
to let it build. Do not bother removing curly braces which are
no longer needed; a future cleanup commit will catch that.
commit 1c7fa1405940a136a992d65023cc690b1111ab3e
Author: Chaskiel Grundman <cg2v@andrew.cmu.edu>
Date: Sun Mar 17 21:58:47 2013 -0400
Derive DES/fcrypt session key from other key types
If a kerberos 5 ticket has a session key with a non-DES enctype,
use the NIST SP800-108 KDF in counter mode with HMAC_MD5 as the PRF to
construct a DES key to be used by rxkad.
To satisfy the requirements of the KDF, DES3 keys are first compressed into a
168 bit form by reversing the RFC3961 random-to-key algorithm
Change-Id: I4dc8e83a641f9892b31c109fb9025251de3dcb27
commit 33eecea7db14d06c59e1081b970d4caf0af773ca
Author: Chaskiel Grundman <cg2v@andrew.cmu.edu>
Date: Sun Feb 10 13:27:03 2013 -0500
Integrate keytab-based decryption into afsconf_BuildServerSecurityObjects
Now all servers can have it.
authcon.o grows a krb5 dependency and needs to get KRB5_CPPFLAGS.
Change-Id: I95fecb3f88c19b3d5193ea8200fa20c86ec08ad7
commit 14db1a40e5be3b7325951d002885bbf288d570c1
Author: Chaskiel Grundman <cg2v@andrew.cmu.edu>
Date: Sat Feb 9 12:42:20 2013 -0500
New optional rxkad functionality for decypting krb5 tokens
An additional, optional mechanism for decrypting krb5-format tokens
is provided that uses the krb5 api with a key from a keytab
instead of using libdes and the AFS KeyFile.
The AIX compat stub for krb5_c_decrypt is contributed by Andrew Deason.
Change-Id: I97c08122c60482b84d602d6fa6482f1d5deef142
commit 5e0cbc930508a697331bad07cc201c1e1985ff84
Author: Chaskiel Grundman <cg2v@andrew.cmu.edu>
Date: Sat Feb 9 12:01:37 2013 -0500
Add rxkad server hook function to decrypt more types of tokens
Allow tokens to be encrypted with algorithms other than DES.
The security object owner must provide an implementation
by calling rxkad_SetAltDecryptProc.
Make sure plainsiz is initialized before calling the alternate decrypt
proc.
User-Visible OpenAFS Changes
OpenAFS 1.6.4
All platforms
* Obey the jumbo/nojumbo settings for ubik servers (the DB servers)
too. In previous releases, those servers may have used jumbograms
even if they were not configured to do so. This change corrects
the actual behaviour, and will improve performance and reliability
for sites where jumbograms are problematic. It could cause a decrease
in performance for sites where jumbograms work, but those can turn
them back on manually.
* Dozens of fixes for common coding problems like use after free,
use of possibly uninitialised memory, reading or writing past the
end of arrays and potential NULL pointer derefences. Spotted by
code analysis tools or human inspection.
* Documentation improvements.
* Fixes and improvements to the diagnostic or log messages printed by
vos, the fileserver and others.
* Build fixes, making parallel builds more reliable with certain
configuration options and helping various platforms including
recent releases of IRIX, Solaris and several flavours of Linux.
* Avoid sending a small amount of data over the wire unencrypted
under certain conditions, and emit the correct error message in
this case.
All server platforms
* Avoid generating duplicate IDs for readonly and backup volumes,
which could happen under certain conditions.
* Allow the fileserver to return volume data like quota or free space,
which is available publicly elsewhere, without the additional access
check for read permissions on a volume's root directory the fileserver
performed before.
* The fileserver now emits a log message when it ran out of memory for
callbacks.
* Avoid several potential fileserver problems, including memory
corruption and segmentation faults, due to client bookkeeping.
* Avoid known cases of silent data corruption due to background syncs
on the fileserver, especially during Copy on Write.
* Make the fileserver sync behaviour runtime configurable. Up to 1.4.5,
we had synchronous syncs which were safe but really slow. Since 1.4.5,
we've had asynchronous syncs which are much faster but believed to
be the cause of rare data corruption issues, and while all known cases
of these happening are believed to be fixed in the 1.6.3 release, doubts
remain. This change allows choosing between those, and in addition allows
to turn syncs by the fileserver off altogether, thus relying on the vice
partition's backend filesystem and the operating system, or to just
execute them when a volume is detached. The default behaviour is
unchanged from releases since 1.4.5, but it's highly recommended to
consider the additional options this change provides. Future OpenAFS
releases will default to "-sync=none".
* For dbservers, avoid a situation where misinterpreting transient
network errors causes long-term issues with achieving ubik quorum.
All UNIX client platforms
* Improvements to the detection of an aklog-specific krb5 configuration
file, for the purposes of turning on "weak crypto" for aklog.
* Fixed a regression introduced in release 1.6.2 which caused the
supposedly persistent disk cache to be discarded upon client start.
(RT #131655)
Linux clients
* Support Linux kernels up to 3.10
* Fixed two bugs making it impossible to unmount a disk cache filesystem
after it has been used by the client. (RT #131613)
* Fixed a bug that could cause an oops with kernels 3.6 and later
OpenBSD
* Improved support for OpenBSD 4.9 to 5.3
OpenAFS 1.6.3
This release number had to be skipped for technical reasons.
Upstream release notes:
User-Visible OpenAFS Changes
OpenAFS 1.6.2
All platforms
* Fix buffer overflows in fileserver and ptserver.
* Abort an rx connection when given an unknown service (Gerrit 7593).
* "idle dead" behavior improvements.
* Documentation updates.
All server platforms
* Fix rare file corruption during background sync (Gerrit 8796).
* Fix corrupting clients' metadata cache during certain errors (Gerrit
6957).
* Avoid saying a volume doesn't exist when accessed as the volume is
going offline (Gerrit 7488).
* Fix fileservers to properly report >2 TiB partitions.
* Fix stale volume info from vos examine on non-DAFS filservers.
* Fix possible volume corruption with vos convertROtoRW.
* Fix bosserver to preserve all command-line options over restart.
* Fix bosserver to properly kill hung processes during shutdown.
All UNIX client platforms
* Fixes for memcache, especially on Solaris.
* Increase the size of the DNS resolver answer buffer to allow sites
with a long response list to use SRV and AFSDB records.
* Fix a crash when a server appears to run out of addresses (Gerrit
7487).
* Fix cache corruption when reading from a file another client is
simultaneously writing to (Gerrit 7994).
* Improve handling of disk cache disk errors.
Linux
* fix DKMS configuration for DKMS 2.2.
* Avoid generating inode number 0 with md5 inodes (Gerrit 7276).
* Fix a crash when reading /proc/fs/openafs/unixusers (Gerrit 7914).
* Make PAG-less access use the real UID of the calling process
instead of the effective UID, when determining what credentials to
use (Gerrit 7931).
* Fix possible abuse of fs mkmount.
Prior to 1.6.2, users could crash a client by nesting volume mounts.
* Fix fileserver memory corruption on RHEL 6
Prior to 1.6.2, fileservers on RHEL 6 may crash under heavy load.
* Fix client page cache corruption on Linux
When multiple clients read and write to a file, the reading client
may see first page (4096 bytes) of a file as nulls.
* Support Linux kernels up to 3.7.
* Support newer glibc versions.
* Improve client systemd unit file.
* Update Red Hat packaging.
OS X
* Fix crashes on shutdown.
* Prevent unloading the module before shutdown completes.
* Security improvement for the OpenAFS preference pane.
Solaris
* Support newer versions of the Sun Studio compiler software.
* Support compiling on newer versions of Solaris 11 and Solaris 10.
Upstream release notes for 1.6.0 and 1.6.1:
OpenAFS Release Notes - Version 1.6.1
_________________________________________________________________
All server platforms: Critical bugfixes.
All systems: Major bugfixes.
_________________________________________________________________
Sites running 1.6.0 fileserver are urged to update immediately to
avoid data loss.
Sites running 1.6.0 UNIX clients are urged to update immediately to
avoid excess network traffic.
All platforms:
- Updated idle dead handling to avoid issues with retrying
calls which could succeed but error and then error on a retry.
- libafscp updates.
- uafs userspace cache manager updates.
All server platforms:
- A bug which can lose data on a fileserver for volumes which are
replicated or backed up has been fixed. Sites running 1.6.0 are urged to
upgrade immediately! (130295)
- Fix salvaging of volumes with large numeric IDs.
- Further correct tracking of alternate and changed addresses in
the fileserver.
- Do not perform Rx keepalives during disk IO to allow timeouts
to occur in event IO cannot complete.
- Properly associate link tables recreated during salvage with the volume
group ID.
- Demand attach: better error handling during volume attachment.
- Confirm vnode lengths are as expected during fileserver operations.
- Demand attach: better handling of volumes being passed for salvage
and being returned from salvage.
- Conditions which cause a restored volume to immediately need salvage
are now properly tracked.
- Bosserver properly honors rxbind mode.
- Ensure salvager returns volumes to fileserver even when
no applicable vnodes are found.
- DAFS: perform additional verification of data restored about
clients and callbacks.
All UNIX platforms:
- Correct handling of server NAT pings to avoid unnecessary growth of
NAT ping traffic.
- Fix hard mount retry behavior to retry all servers.
- Several lock order inversions which could deadlock fixed.
- Handle issues updating mtab.
- Fix fs setserverprefs to work again for DB servers.
FreeBSD:
- Track kernel API changes for 9.0
Linux:
- Support for kernel versions through 3.4.
- Avoid potential panic due to an error being returned as a positive
number when doing inode operations.
- Fix vcache lock ordering during readdir.
- Updated RPM packaging.
- Updated dkms support.
- Updated systemd support.
MacOS:
- Fix panic at shutdown due to not stopping network listener.
- Updated Kerberos support for additional issues in Lion.
NetBSD:
- Updated support for 5.0 userspace binaries.
- Add support for 6.0.
Solaris:
- Avoid panic on shutdown when mount failed.
- Disable SSE instructions when compiling to avoid panics on non-SSE hosts.
Windows:
- Properly handle VNOSERVICE, which indicates a fileserver has
done an idle timeout of a call.
- Improved tracking of volume groups.
- Do not recycle buffers in the current file if they are in the active chunk
and up to date.
- Support Windows 7 Advanced Firewall.
- Default to maximum 2 CPUs unless registry overrides.
- Failover and retry for VBUSY.
- Properly fetch unix mode when requested.
OpenAFS Release Notes - Version 1.6.0
_________________________________________________________________
All UNIX systems: Security bugfixes.
All systems: Major bugfixes.
_________________________________________________________________
All platforms:
- Rx NAT pings are not enabled until peer has answered.
- Numerous fixes to command argument parsing.
All server platforms:
- Avoid crashing on host table exhaustion. Instead, defer clients.
All UNIX platforms:
- Rx connection reference counting is enabled.
- An Rx connection reference count leak is fixed in bulkstat.
- Handle unparsable directory objects.
- Handle Kerberos cred cache errors in aklog.
Linux:
- Init script properly returns status as exit code.
- RPM packaging fixes (executable libraries, no postinstall message)
- Kill i386 from RPM packaging.
MacOS:
- Fix 32 bit Lion client support.
- Avoid panic when doing FSEvent synthesis.
- Fix bug when using non-dynroot.
- Update Kerberos support in PreferencesPane.
Solaris:
- Avoid panic on shutdown when mount failed.
Windows:
- Add shutdown message to event log.
- Check offline volume status by policy rather than on each daemon thread
run.
- Return error on directory object not found instead of crashing.
- Improve error message output.
- afslogin.dll can start afsd_service if it's not starting or started.
- Optimize away release lock RPCs for deleted files.
- Background Daemon will not perform operations on deleted files.
- Resort recently used directories to the top of the LRU if the directory
is larger than the stat cache.
- Resort deleted objects to the bottom of the LRU.
- Use interlocked operations for state and queue fields to allow safe
bit set and clear on multiprocessor systems.
CHANGES IN 1.6.0PRE7
All platforms:
- Substantial Rx updates to correct erroneous behavior.
- Salvager tries harder to detect linktable issues.
- Additional documentation.
- xstat tools now cope with differing timeval structures between endpoints.
All UNIX platforms:
- New build targets to make distribution tarfiles (make dist) and
srpms (srpm).
Demand Attach Fileserver platforms:
- Don't attach volumes with special status set.
FreeBSD:
- Avoid panic at shutdown due to vcache flushing.
- Support virtual network stacks.
Linux:
- Treat Linux 3.0 as Linux 2.6 for sysname purposes.
- Attempt to properly handle SELinux in packaging.
MacOS:
- MacOS 10.7 support.
Solaris:
- Try harder to avoid deadlocks on file-larger-than-cache operations.
Windows:
- Add support for NTFS symlinks.
- Handle file search requests for virtual syscall ioctl file.
- Process SyncOps properly to enforce ordered operations.
- Avoid recursing during NewServer operations.
- Correct lock acquisition order during SMB locking.
CHANGES IN 1.6.0PRE6
All UNIX platforms:
- Fall back to afs3-vlserver SRV record values when afs3-ptserver SRV
record is not available.
- Avoid holding unneeded locks when probing server capabilties.
- Do not attempt page flushes for directories.
Demand Attach Fileserver platforms:
- Unlink fileserver state file on standalone salvage.
FreeBSD:
- Support for virtual network stacks.
Linux:
- Further corrections to Redhat packaging.
- Avoid showing files larger than one cache chunk size as full of NULLs.
(129880) This bug was in unissued pre5 only, not in pre4.
- Fix lockup in 2.6.38 due to erroneous kernel feature configure test.
MacOS:
- Rework logic for bulk status operations to avoid a potential hang.
Solaris:
- Don't leave dangling function references if kernel extension fails to load.
Windows:
- aklog supports dotted Kerberos v5 principal names.
- afskfw library always attempts afs/cell@USER-REALM
- afskfw library must test return code from
krb5_cc_start_seq_get() or will trigger a null
pointer exception when using Heimdal.
- lock protected fields must be 32-bit in order
to avoid memory overwrite races.
CHANGES IN 1.6.0PRE5
All server platforms:
- Avoid leaking references to hosts during callback break multi-Rx
operations. (129376)
All UNIX platforms:
- Avoid a potential deadlock (which times out) when we need to allocate more
callback returns and must flush some already in use.
- Deal with libcom_err conflicts with other packages using it (e.g. krb5)
(128640)
AIX:
- Fix PAG usage to track by PAG identifier, not group list.
Irix:
- Properly create new vnodes to avoid crashing in the client.
Linux:
- Support 2.6.39.
- Avoid attempting to free stat cache entries when we are below user-specified
number of entries in use.
- Properly track user-specified number of stat cache entries to use as a
desired usage target.
- Don't read pages beyond EOF in the cache. (128452)
MacOS:
- Properly shut down AFS, closing the Rx socket in the upcall handler to
avoid attempting to process data after we can no longer do so.
NetBSD:
- Updates for platform support.
Windows:
- Fix caching of non-existent volumes. The test to
trigger an immediate CM_ERROR_NOSUCHVOLUME in
cm_UpdateVolumeLocation() was backwards.
- Prevent the background daemon from checking the
status of non-existent volumes. cm_CheckOfflineVolumes()
should skip volume groups with the CM_VOLUMEFLAG_NOEXIST
flag set.
- The afskfw library should return an error immediately
if the krb5_32.dll library cannot be loaded. Affects
afslogon.dll and afscreds.exe.
- No longer depend on leashw32.dll in afskfw library.
- NPLogonNotify must provide the user password in all
calls to KFW_AFS_get_cred(). It cannot count on a
credential cache being preserved between calls. Permits
tokens to be acquired for all cells listed in the
TheseCells registry value for a domain.
- Improve the trace logging from NPLogonNotify().
- Avoid a race when writing the cm_scache_t mountPointString
when acquiring mount point or symlink target data via
cm_GetData(). The race could result in bogus target
data being cached.
- Permit the use of des-cbc-md5 and des-cbc-md4 enctypes
as DES keys in asetkey.exe.
CHANGES IN 1.6.0PRE4
All server platforms:
- A file descriptor leak which could result in corrupted files
in the fileserver was fixed. An IMMEDIATE upgrade from previous
1.6 release candidates as well as 1.5 release fileserver is
SUGGESTED!
- Properly support large volume numbers (larger than 2147483647).
All platforms:
- Documentation updates.
Demand Attach Fileserver platforms:
- Allow salvager to be run manually again when DAFS is being used. (129458)
FreeBSD:
- New RC script, updated packaging.
Linux:
- Improve RPM building tools.
- setpag() errors are now properly reported.
MacOS:
- Preferences Pane behavior fixed for 1.6 series (version detection
is used to select default behavior).
- A potential kernel panic during bulkstat operations is fixed. (128511)
- 64-bit MacOS kernel performance is greatly improved. (128934)
Solaris:
- Properly report errors for AFS system call callers.
Windows:
- Properly create new cell mount points in freelance mode.
- Avoid recursive offline volume checks.
CHANGES IN 1.6.0PRE3
All platforms:
- Revert UUID support in vos.
- pt_util fixed to properly create new databases.
- Rx busy call channel error handling improved.
- MTU discovery now properly shut down on call reset.
- FUSE client support fixed for non-/afs mounts.
All server platforms:
- A deleted volume can now be recreated properly.
- Callbacks are again not broken during whole partition salvages.
- Positional vectored IO fixed for largefile (>2GB) capable systems.
- Fileserver per-client thread usage again properly enforced.
- Anonymous dropbox support improved and drawbacks documented.
Demand Attach Fileserver platforms:
- Ensure vnodes are not reallocated while in use due to volume
bitmap errors.
Linux:
- Perform vcache eviction via a fast path before visiting vcaches
where sleep is needed.
MacOS:
- aklog AuthorizationPlugin now provided.
Solaris:
- Corrected Solaris 11 startup script.
- vcache mappings freed on shutdown to avoid panic.
Windows:
- icon tray state now conditionally set (128591)
CHANGES IN 1.6.0PRE2
All platforms:
- Documentation updates.
- Don't stop Rx keepalives after an ackall is received, avoiding
spurious connection timeouts. (128848)
- Don't retry Rx calls on channels returning busy errors. (128671)
- vos will not die with a double free error at command completion.
- Properly enable Rx connection hard timeouts.
- Initialize rx_multi lock before use.
- Avoid spurious crashes when initializing in "backup" client.
All unix platforms:
- Check for /afs existance before starting, unless -nomount is specified.
- Avoid a potential panic when using /afs/.:mount syntax.
- Avoid a panic in memcache mode due to missing CellItems file.
All server platforms:
- Attempt to recovery more quickly from timed out volume release
transactions.
- Auditing now properly byte order swaps IP addresses when printing.
- vos split now has improved error handling.
- Many changes to again support Windows fileservers.
- During volume removal, data removal speed improved.
- Improve CPU utilization during volume attaching by DAFS.
- In salvager check-only mode, avoid potentially fixing a vnode.
- Fix support for large (greater than 2gb) volume special files.
- Salvager will not crash if multiple or bad volume link tables
are encountered.
- Avoid erroneous full dump by remembering which sites were out of date
at the start of the release.
FreeBSD:
- Remove support for "Giant" lock as we no longer need to use it.
- Don't sleep with AFS GLOCK.
- Properly enable 64 bit long long support.
- Restore support for FreeBSD 7 (128612)
- Fix locking issues at shutdown.
Linux:
- support through kernel 2.6.38.
- RedHat packaging now properly supports RHEL6.
- Use rx_Readv in cache bypass to improve performance.
- Properly handle 0-length replies during cache bypass operations.
- Properly handle non-contiguous readpage cache bypass operations.
- Do proper locking when transitioning to or from cache bypass.
- Avoid extra runs of vcache freeing routine. (128756)
MacOS:
- Check for unloaded kernel extensions when decoding AFS panics.
- Properly handle setpag errors. PAGs are not supported.
- Disable "get tokens at login" in prefs pane if AD authentication
plugin is configured.
OpenBSD:
- support through OpenBSD 4.8.
Solaris:
- Fix support for Solaris pre-10.
Windows:
- afs_config will not longer set the Tray Icon State
in the registry if the checkbox is not present in
the dialog. (128591)
- AFS Explorer Shell Extension now works from folder
backgrounds. Overlays for mount points and symlinks
are present in the dll, but are not registered at present
by the installers.
- Do not use RankServerInterval registry value as the value for
PerformanceTuningInterval.
- When the data version of a mountpoint or symlink changes,
the target string in the cm_scache_t object must be cleared.
- "fs checkservers" now includes vldb servers in the output
and only lists multi-homed servers once. A multi-homed
server that has at least one up interface is no longer
considered to be down.
- When asynchronously storing dirty data buffers to the
file server ensure that (a) the cm_scache_t object and
the cm_buf_t object are for the same File ID so that
locking and signalling work properly; and (b) if the
FID no longer exists on the file server, do not panic,
just discard the buffer.
- When processing VNOVOL, VMOVED and VOFFLINE errors perform
server comparisons by UUID or address and not simply by
cm_server_t pointer. Otherwise, server failover may not
succeed.
- Do not preserve status information for cm_scache_t objects
when the issuing server is multi-homed.
- Giving up all callbacks when shutting down or suspending
the machine is now significantly faster due to the use
of an rx_multi implementation. (This functionality is
still off by default and must be activated by a registry
value.)
- Race conditions were possible when updating the state
of the cm_volume_t flags and when moving the volumes
within the least recently used list.
- Ensure that the lanahelper library does not perform a
NCBRESET of each lan adapter when enumerating the
current network bindings. Correcting this permits OpenAFS
to work on Windows 7 when the network adapter settings
change.
- Fix creation of mount points and symlinks as \\AFS\xxxx
PREVIOUS CHANGES:
All platforms:
- vos now properly deals with matching sites when servers are multihomed.
All Unix platforms:
- Servers now marked down when GetCapabilities returns error.
- In-use vcache count is now properly tracked.
All server platforms:
- Fix ptserver supergroups support on 64 bit platforms.
- Demand attach salvaging doesn't use freed volume pointers.
- Properly hold host lock during host enumeration in fileserver.
FreeBSD:
- Fix socket termination on shutdown.
- Support for 7.2, 7.3, 7.4 and 8.2 included.
- References to vcaches are no longer leaked during root or reclaim.
Linux:
- Define llseek handler to avoid ESPIPE error in 2.6.37.
- Mount interface replaces get_sb (new for 2.6.37, not yet required).
- RedHat init script allows deferring for a new binary restart.
- DEFINE_MUTEX replaces DECLARE_MUTEX for 2.6.37.
MacOS:
- Correct return value from setpag syscall.
OpenBSD:
- Bug fixes for issues introduced previously in 1.5 series.
Solaris:
- Switch to ioctl() syscall replacement for Solaris 11 since syscall 65
is not safe.
sevan
jakllsch
agc
gendalia