9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] Remote auth server
@ 2014-03-24 13:35 Paul A. Anokhin
  2014-03-24 13:53 ` Ingo Krabbe
  2014-03-24 14:09 ` erik quanstrom
  0 siblings, 2 replies; 7+ messages in thread
From: Paul A. Anokhin @ 2014-03-24 13:35 UTC (permalink / raw)
  To: 9fans

Hi!

I'm trying to set up my first multi-host Plan 9 system.
I was thinking about running file server/auth server on a VPS so that
I can access it from anywhere.

I configured cpu service on my VPS and I can connect to it via
drawterm. But when I try to boot a terminal that is configured to use
it as auth server, the terminal stops with a message:
mount: auth_proxy: authread: auth protocol not finished.

But is it actually possible to have the auth server and terminal not
on the same LAN? Every configuration example I've seen has all the
resources on the same IP address block.

Thanks!

--
   Paul Anokhin




* Re: [9fans] Remote auth server
  2014-03-24 13:35 [9fans] Remote auth server Paul A. Anokhin
@ 2014-03-24 13:53 ` Ingo Krabbe
  2014-03-24 14:11   ` cinap_lenrek
  2014-03-24 14:09 ` erik quanstrom
  1 sibling, 1 reply; 7+ messages in thread
From: Ingo Krabbe @ 2014-03-24 13:53 UTC (permalink / raw)
  To: 9fans

Yes it is possible and useful too. All you should have on a fast lan is a fileserver.
But:
	1. the plan9 terminal must configure the network before it connects to the auth server either through dhcp or through a static configuration in the boot configuration
	2. somewhere in the setup of the terminal or the auth server you have to use a hostname that goes into the nvram, that can be reached at boot time. I can't remember where it was, but it was one of my bigger struggles with the plan9 setup.



> Hi!
>
> I'm trying to set up my first multi-host Plan 9 system.
> I was thinking about running file server/auth server on a VPS so that
> I can access it from anywhere.
>
> I configured cpu service on my VPS and I can connect to it via
> drawterm. But when I try to boot a terminal that is configured to use
> it as auth server, the terminal stops with a message:
> mount: auth_proxy: authread: auth protocol not finished.
>
> But is it actually possible to have the auth server and terminal not
> on the same LAN? Every configuration example I've seen has all the
> resources on the same IP address block.
>
> Thanks!
>
> --
>    Paul Anokhin






* Re: [9fans] Remote auth server
  2014-03-24 13:35 [9fans] Remote auth server Paul A. Anokhin
  2014-03-24 13:53 ` Ingo Krabbe
@ 2014-03-24 14:09 ` erik quanstrom
  2014-03-24 15:41   ` Paul A. Anokhin
  1 sibling, 1 reply; 7+ messages in thread
From: erik quanstrom @ 2014-03-24 14:09 UTC (permalink / raw)
  To: 9fans

> But is it actually possible to have the auth server and terminal not
> on the same LAN? Every configuration example I've seen has all the
> resources on the same IP address block.

yes.  i used to run a single authentication server for 2 sites.
you'll need to make sure the auth server is announcing the
right services on the right ports.  assuming that you're using
net.alt (adjust to /net if not)

	aux/listen -q -t /rc/bin/service.auth -d /rc/bin/service.ext /net.alt/tcp

you'll need tcp567 in that directory.  if you have !tcp567 in that
directory, you can simply rename it.

additionally, it helps to have the following entries in your ndb
files.  here's

authdom=myauthdom auth=myauthserver

if you're using dhcp, it helps to have an entry that looks
like the following.  this will allow cs (through !ipinfo see
ndbipinfo in ndb(2)) to associate the correct auth server
with every machine on this subnet.  (unless overridden in
a specific entry.)

this is an example from 9atom.org

ipnet=labs.9atom.org ip=10.220.0.0 ipmask=/112
	fs=land.9atom.org
	gw=gw.9atom.org
	auth=atta.9atom.org
	dns=10.220.1.10
	dnsdomain=9atom.org
	ipgw=10.220.10.1

- erik
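
The ndb lookup described in the message above, as an added example (not code from the thread or from Plan 9's ndb library): a simplified model that returns the auth= value a host would get, taking it from the host's own entry if present and otherwise from the most specific enclosing ipnet entry. The host entries term1 and term2 and the name other.example are constructed, and reading ipmask=/112 on an IPv4 address as /16 is an assumption about the v4-in-v6 mask notation.

```python
import ipaddress

# Constructed sample modelled on the entries quoted in the thread; the two
# host entries (term1, term2) and other.example are made up for illustration.
SAMPLE_NDB = """\
authdom=myauthdom auth=myauthserver
ipnet=labs.9atom.org ip=10.220.0.0 ipmask=/112
	fs=land.9atom.org
	auth=atta.9atom.org
ip=10.220.3.7 sys=term1
ip=10.220.3.8 sys=term2 auth=other.example
"""

def parse_ndb(text):
    """A line starting in column 0 opens an entry; indented lines continue it."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0]          # drop comments
        if not body.strip():
            continue
        pairs = [tuple(t.split("=", 1)) for t in body.split() if "=" in t]
        if body[0] in " \t" and entries:
            entries[-1].extend(pairs)         # continuation of previous entry
        else:
            entries.append(pairs)
    return entries

def attr(entry, name):
    """First value of attribute `name` in an entry, or None."""
    return next((v for k, v in entry if k == name), None)

def net_of(entry):
    """Network of an ipnet entry. Assumption: on an IPv4 address a /n mask
    with n >= 96 is a v4-in-v6 prefix length, so /112 means /16."""
    ip, mask = attr(entry, "ip"), attr(entry, "ipmask").lstrip("/")
    if mask.isdigit() and ":" not in ip and int(mask) >= 96:
        mask = str(int(mask) - 96)
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def auth_for(entries, host_ip):
    """auth= from the host's own entry, else from the most specific ipnet."""
    for e in entries:
        if not attr(e, "ipnet") and attr(e, "ip") == host_ip and attr(e, "auth"):
            return attr(e, "auth")
    addr = ipaddress.ip_address(host_ip)
    hits = [(net_of(e).prefixlen, attr(e, "auth")) for e in entries
            if all(attr(e, k) for k in ("ipnet", "ip", "ipmask", "auth"))
            and addr in net_of(e)]
    return max(hits)[1] if hits else None
```

Calling `auth_for(parse_ndb(SAMPLE_NDB), "10.220.3.7")` yields the subnet's auth server, while 10.220.3.8 gets its per-host override and an address outside every ipnet gets nothing.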




* Re: [9fans] Remote auth server
  2014-03-24 13:53 ` Ingo Krabbe
@ 2014-03-24 14:11   ` cinap_lenrek
  2014-03-24 14:16     ` erik quanstrom
  0 siblings, 1 reply; 7+ messages in thread
From: cinap_lenrek @ 2014-03-24 14:11 UTC (permalink / raw)
  To: 9fans

authdom isn't a hostname. it's just a string. you can supply auth
server ip address in plan9.ini with auth= or send it to the
terminal using plan9 dhcp server (it's a plan9 specific dhcp
option field). it does not need to be an ip in ndb,
ip/dhcpd will resolve it to an ip address for the client.

--
cinap




* Re: [9fans] Remote auth server
  2014-03-24 14:11   ` cinap_lenrek
@ 2014-03-24 14:16     ` erik quanstrom
  0 siblings, 0 replies; 7+ messages in thread
From: erik quanstrom @ 2014-03-24 14:16 UTC (permalink / raw)
  To: 9fans

On Mon Mar 24 10:12:19 EDT 2014, cinap_lenrek@felloff.net wrote:
> authdom isn't a hostname. it's just a string. you can supply auth
> server ip address in plan9.ini with auth= or send it to the
> terminal using plan9 dhcp server (it's a plan9 specific dhcp
> option field). it does not need to be an ip in ndb,
> ip/dhcpd will resolve it to an ip address for the client.

though, as i think you pointed out recently, a probably useful
confusion has been brought in:

; g p9auth /sys/src/lib*
/sys/src/libauthsrv/authdial.c:24: 	 * if that didn't work, try p9auth.$dom.  this is very helpful if
/sys/src/libauthsrv/authdial.c:28: 		p = smprint("p9auth.%s", dom);

- erik




* Re: [9fans] Remote auth server
  2014-03-24 14:09 ` erik quanstrom
@ 2014-03-24 15:41   ` Paul A. Anokhin
  2014-03-24 16:34     ` erik quanstrom
  0 siblings, 1 reply; 7+ messages in thread
From: Paul A. Anokhin @ 2014-03-24 15:41 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

OK, I checked and found out that the auth server seems to announce all
the needed services. In fact I use a recent 9front and it seems to
have reasonable defaults regarding all this stuff.
When I turn off authentication on the server side, I can mount my auth
server's filesystem via 9fs script from my local standalone Plan9
installation.
However if I turn authentication on, I get
mount failed: phase error protocol phase error: read in state SNeedProto

So I guess that the network configuration is fine, but maybe auth
configuration is not.
I have to be missing something important.

On Mon, Mar 24, 2014 at 6:09 PM, erik quanstrom <quanstro@quanstro.net> wrote:
>> But is it actually possible to have the auth server and terminal not
>> on the same LAN? Every configuration example I've seen has all the
>> resources on the same IP address block.
>
> yes.  i used to run a single authentication server for 2 sites.
> you'll need to make sure the auth server is announcing the
> right services on the right ports.  assuming that you're using
> net.alt (adjust to /net if not)
>
>         aux/listen -q -t /rc/bin/service.auth -d /rc/bin/service.ext /net.alt/tcp
>
> you'll need tcp567 in that directory.  if you have !tcp567 in that
> directory, you can simply rename it.
>
> additionally, it helps to have the following entries in your ndb
> files.  here's
>
> authdom=myauthdom auth=myauthserver
>
> if you're using dhcp, it helps to have an entry that looks
> like the following.  this will allow cs (through !ipinfo see
> ndbipinfo in ndb(2)) to associate the correct auth server
> with every machine on this subnet.  (unless overridden in
> a specific entry.)
>
> this is an example from 9atom.org
>
> ipnet=labs.9atom.org ip=10.220.0.0 ipmask=/112
>         fs=land.9atom.org
>         gw=gw.9atom.org
>         auth=atta.9atom.org
>         dns=10.220.1.10
>         dnsdomain=9atom.org
>         ipgw=10.220.10.1
>
> - erik
>



-- 
   Павел Анохин




* Re: [9fans] Remote auth server
  2014-03-24 15:41   ` Paul A. Anokhin
@ 2014-03-24 16:34     ` erik quanstrom
  0 siblings, 0 replies; 7+ messages in thread
From: erik quanstrom @ 2014-03-24 16:34 UTC (permalink / raw)
  To: 9fans

On Mon Mar 24 11:42:43 EDT 2014, paul7@paul7.net wrote:
> OK, I checked and found out that the auth server seems to announce all
> the needed services. In fact I use a recent 9front and it seems to
> have reasonable defaults regarding all this stuff.
> When I turn off authentication on the server side, I can mount my auth
> server's filesystem via 9fs script from my local standalone Plan9
> installation.
> However if I turn authentication on, I get
> mount failed: phase error protocol phase error: read in state SNeedProto
>
> So I guess that the network configuration is fine, but maybe auth
> configuration is not.
> I have to be missing something important.

try auth/debug.  if your factotum is trying something other than p9sk1,
it won't work.

- erik



