9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] problem logging into a combined auth/cpu/fileserver
@ 2009-09-06 17:24 James Chapman
  2009-09-07 16:35 ` James Chapman
  0 siblings, 1 reply; 7+ messages in thread
From: James Chapman @ 2009-09-06 17:24 UTC (permalink / raw)
  To: 9fans

Hi,

I have set up a combined auth/cpu/fileserver (using fossil) under
parallels.

The hostowner is bootes and I created an ordinary user called james.

I can connect with drawterm with either user.

I can also boot a plan 9 terminal in a parallels instance from the
server. If I do this as bootes I can also:

term% cpu -h (server ip)

from my freshly booted terminal. However if I boot the plan 9 terminal
as james then executing the above command gives the error:

"cpu: can't authenticate: (server ip): auth_proxy rpc write: bootes:
cs: can't translate address: dns: resource does not exist"

If I type:

term% cpu -h (server ip) -u bootes

whilst logged in as james it connects successfully. Which (to me)
implies that the terminal is working properly.

I'm rather baffled by the error. Surely it can't have anything to do
with dns?

James





* Re: [9fans] problem logging into a combined auth/cpu/fileserver
  2009-09-06 17:24 [9fans] problem logging into a combined auth/cpu/fileserver James Chapman
@ 2009-09-07 16:35 ` James Chapman
  2009-09-07 17:52   ` erik quanstrom
  0 siblings, 1 reply; 7+ messages in thread
From: James Chapman @ 2009-09-07 16:35 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

Hi,

I guess my question wasn't very well specified so I'm having another
go. I presume the problem I previously posted was because my network
configuration was broken so now I'm asking how to set it up properly.

The wiki page "Configuring a Standalone CPU Server" gives two simple
possibilities:
1. A simple example for a combined cpu/auth server, the 192.168.1.100
machine, could be:

ipnet=mynet ip=192.168.1.0 ipmask=255.255.255.0
	auth=bouncer
	cpu=cycles
	dns=lookup
	dnsdom=9fans.net

authdom=9fans.net auth=bouncer

ip=192.168.1.100 sys=bouncer dom=bouncer.9fans.net
ip=192.168.1.101 sys=cycles dom=cycles.9fans.net
ip=192.168.1.102 sys=lookup dom=lookup.9fans.net

2. If you're not setting up a whole network and just want drawterm
access to the combined cpu and auth server you're configuring, adding
the single line

authdom=some.domain auth=cycles

to /lib/ndb/local will suffice if you also add the line

sysname=cycles

I would like something in between. I would like the configuration in 1
but without specifying the ip addresses. I want more than just
drawterm; I would like some real plan 9 terminals. I want both the
server (combined cpu/auth/fossil) and the terminals to get ip
addresses from dhcp (from my wireless router). I tried option 2 and
also this:

ipnet=mynet ip=192.168.1.0 ipmask=255.255.255.0
	auth=cycles
	cpu=cycles
	dns=192.168.1.254
	dnsdom=lan

sys=cycles dom=cycles.home.net
sys=bouncer dom=bouncer.home.het

authdom=home.net auth=cycles

with sysname=cycles/bouncer in their respective plan9.inis

But I still get the same problem as before: I can drawterm (as
hostowner or other user) and boot bouncer using the root of cycles (as
hostowner or other user). However having booted the terminal in this
way I can only cpu to bouncer if I booted as bootes (the host owner)
otherwise I get the following error message:
> "cpu: can't authenticate: (server ip): auth_proxy rpc write: bootes:
> cs: can't translate address: dns: resource does not exist"


Firstly, is what I'm trying to do possible or do cpu/auth/file servers
have to have static ips?

Secondly, can anybody suggest what I'm doing wrong? Or can you tell me
where to look to try to fix it.

Or am I barking up the wrong tree completely?

James Chapman






* Re: [9fans] problem logging into a combined auth/cpu/fileserver
  2009-09-07 16:35 ` James Chapman
@ 2009-09-07 17:52   ` erik quanstrom
  2009-09-07 19:46     ` James Chapman
  0 siblings, 1 reply; 7+ messages in thread
From: erik quanstrom @ 2009-09-07 17:52 UTC (permalink / raw)
  To: 9fans

> 1. A simple example for a combined cpu/auth server, the 192.168.1.100
> machine, could be:
>
> ipnet=mynet ip=192.168.1.0 ipmask=255.255.255.0
> 	auth=bouncer
> 	cpu=cycles
> 	dns=lookup
> 	dnsdom=9fans.net
>
> authdom=9fans.net auth=bouncer

assuming that you mean authdom=myauthdom here,
and that "lookup" is actually an ip address, or
you have an entry for lookup like so
sys=lookup dom=lookup ip=ipaddress
i would think that you would also want to add
	authdom=myauthdom
to your ipnet.  this helps ipquery(8) and ndbipinfo(2)
find your auth domain correctly based on ip.

the example on the wiki may need updating.

> hostowner or other user). However having booted the terminal in this
> way I can only cpu to bouncer if I booted as bootes (the host owner)
> otherwise I get the following error message:

are you running auth/factotum (factotum(4))?

- erik




* Re: [9fans] problem logging into a combined auth/cpu/fileserver
  2009-09-07 17:52   ` erik quanstrom
@ 2009-09-07 19:46     ` James Chapman
  2009-09-07 22:13       ` erik quanstrom
  0 siblings, 1 reply; 7+ messages in thread
From: James Chapman @ 2009-09-07 19:46 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

Hi Erik,

Thanks for the reply. I added the authdom and this is what I have now
in /lib/ndb/local:

[snip]

ipnet=mynet ip=192.168.1.0 ipmask=255.255.255.0
	auth=carp
	cpu=carp
	authdom=home.net
	dns=192.168.1.254
	dnsdom=lan

authdom=home.net auth=carp

ip=192.168.1.68 sys=carp dom=carp.lan
#sys=carpet dom=carpet.lan

If I remove the ip address for carp I get the same error as before.

With these settings the terminal (carpet) knows carp's address (which
it didn't before):

term% ndb/csquery
 > net!carp!9fs
/net/tcp/clone 192.168.1.68!564

and I can cpu to carp by:

term% cpu -h carp

or

term% cpu -h 192.168.1.68

If I remove carp's ip from /lib/ndb/local I get the weird error when I
try to

term% cpu -h 192.168.1.68

But I can still do this:

term% cpu -h 192.168.1.68 -u bootes

This works for now, but as carp's ip is from dhcp it might change. I'd
like this to be more robust so that I can use it on other networks
which serve dhcp without changing anything. A bit of zeroconf/
rendezvous would be nice but I'm happy to look up the address on the
cpu server console and then type it in manually on the terminal.

> are you running auth/factotum (factotum(4))?

I think so. ps | grep factotum returns two entries and /mnt/factotum
is populated.

James




* Re: [9fans] problem logging into a combined auth/cpu/fileserver
  2009-09-07 19:46     ` James Chapman
@ 2009-09-07 22:13       ` erik quanstrom
  2009-09-07 22:34         ` James Chapman
  0 siblings, 1 reply; 7+ messages in thread
From: erik quanstrom @ 2009-09-07 22:13 UTC (permalink / raw)
  To: 9fans

> ipnet=mynet ip=192.168.1.0 ipmask=255.255.255.0
> 	auth=carp
> 	cpu=carp
> 	authdom=home.net
> 	dns=192.168.1.254
> 	dnsdom=lan
>
> authdom=home.net auth=carp
>
> ip=192.168.1.68 sys=carp dom=carp.lan
> #sys=carpet dom=carpet.lan
>
> If I remove the ip address for carp I get the same error as before.
>
> With these settings the terminal (carpet) knows carp's address (which
> it didn't before):
>
> term% ndb/csquery
>  > net!carp!9fs
> /net/tcp/clone 192.168.1.68!564

and if you have cpu and auth set to carp.lan?

- erik




* Re: [9fans] problem logging into a combined auth/cpu/fileserver
  2009-09-07 22:13       ` erik quanstrom
@ 2009-09-07 22:34         ` James Chapman
  2009-09-07 22:42           ` erik quanstrom
  0 siblings, 1 reply; 7+ messages in thread
From: James Chapman @ 2009-09-07 22:34 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

On 8 Sep 2009, at 01:13, erik quanstrom wrote:
> and if you have cpu and auth set to carp.lan?

Doesn't seem to change anything.




* Re: [9fans] problem logging into a combined auth/cpu/fileserver
  2009-09-07 22:34         ` James Chapman
@ 2009-09-07 22:42           ` erik quanstrom
  0 siblings, 0 replies; 7+ messages in thread
From: erik quanstrom @ 2009-09-07 22:42 UTC (permalink / raw)
  To: 9fans

On Mon Sep  7 18:37:15 EDT 2009, james@cs.ioc.ee wrote:
> On 8 Sep 2009, at 01:13, erik quanstrom wrote:
> > and if you have cpu and auth set to carp.lan?
>
> Doesn't seem to change anything.

rather than me playing battleship, perhaps it would make sense
for you to start enabling debugging.  i don't think you should
have any trouble with your setup, but i certainly could have
missed something.  for example, i didn't verify if anyone will
insist on a valid tld.  and i think i was sloppy about verifying
the sys= and dom= entries.  you need both for servers with
dns names.  also beware whitespace in your ndb files.  ndb
is not forgiving of spaces around '=', etc.

make sure that you have /sys/log/cs and /sys/log/cs.paranoia.
they should be append-only (chmod +a) and user, group and
other writable.  it also makes sense to enable dns logging.
the man page is ndb(8).

hope this is helpful!

- erik
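
An added example, not part of the thread and not a Plan 9 tool: a small Python lint for a copy of /lib/ndb/local that checks the points raised in the messages above (whitespace next to '=', an ipnet entry without authdom=, and auth=/cpu=/dns= values that are neither an IP address nor the sys=/dom= of an entry carrying ip=). The parsing rules, the "stray token" heuristic and the names `parse_ndb` and `lint` are assumptions of this example, not the behaviour of the real ndb parser; a name it flags may still resolve through DNS.

```python
import ipaddress
import re

TOKEN = re.compile(r'(?:"[^"]*"|\S)+')  # one attr=value tuple; value may be "quoted"

def parse_ndb(text):
    # An unindented line starts an entry; indented lines continue it.
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        toks = TOKEN.findall(raw.split("#", 1)[0])  # simplification: '#' starts a comment
        if toks and raw[:1].isspace() and entries:
            entries[-1][1].extend(toks)
        elif toks:
            entries.append((n, toks))
    return entries

def is_ip(value):
    try:
        return ipaddress.ip_address(value) is not None
    except ValueError:
        return False

def lint(text):
    findings, ipnets, have_ip = [], [], set()
    for n, toks in parse_ndb(text):
        # A token with no attr=value shape usually means a space next to '='.
        findings += [f"line {n}: stray token {t!r}, whitespace around '='?"
                     for t in toks if "=" not in t[1:]]
        pairs = [tuple(t.split("=", 1)) for t in toks if "=" in t[1:]]
        attrs = dict(pairs)
        if "ipnet" in attrs:
            ipnets.append((n, pairs, attrs))
        elif "ip" in attrs:  # names this database ties to an address
            have_ip |= {v for a, v in pairs if a in ("sys", "dom")}
    for n, pairs, attrs in ipnets:
        if "authdom" not in attrs:
            findings.append(f"line {n}: ipnet={attrs['ipnet']} has no authdom=")
        for a, v in pairs:
            if a in ("auth", "cpu", "dns") and not is_ip(v) and v not in have_ip:
                findings.append(f"line {n}: {a}={v} names no entry with ip=")
    return findings

# Constructed from the /lib/ndb/local fragments quoted in the thread.
BROKEN = ("ipnet=mynet ip=192.168.1.0 ipmask=255.255.255.0\n"
          "\tauth=cycles\n\tcpu=cycles\n\tdns=192.168.1.254\n\tdnsdom=lan\n"
          "sys=cycles dom=cycles.home.net\nauthdom=home.net auth=cycles\n")
FIXED = ("ipnet=mynet ip=192.168.1.0 ipmask=255.255.255.0\n"
         "\tauth=carp\n\tcpu=carp\n\tauthdom=home.net\n\tdns=192.168.1.254\n"
         "authdom=home.net auth=carp\nip=192.168.1.68 sys=carp dom=carp.lan\n")
```

`lint(BROKEN)` reports the missing authdom= and the two unresolved server names on the ipnet entry, while `lint(FIXED)` returns an empty list.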



