pacl update

This morning, the PASS Access Control List (pacl) program, which is the permissions program used by PASS Explorer, was altered to implement the following policy:

  • For each Access Control Entry (ACE) in the NFSv4-level ACL:
    • Set the Read Named Attributes permission to match the Read File permission on files or the List Folder permission on folders.
    • Set the Write Named Attributes permission to match the Write File permission on files; on folders, grant it when either Add File or Add Subfolder is granted.
  • Apply this to every ALLOW ACE in an ACL whenever the ACL is changed for any other reason. DENY ACEs are left untouched.
  • A new -correct switch applies this correction on its own, without any other change to the ACL.
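The rule above, modelled in Python as an added example (this is not the pacl program's own code). ACEs are written in the text form used by nfs4_setfacl/nfs4_getfacl, and the sample ACL is constructed rather than taken from a real PASS space.

```python
"""Model of the pacl named-attribute rule.  Added example, not pacl's own code.

ACEs use the nfs4_setfacl/nfs4_getfacl text form, type:flags:principal:perms,
with the single-letter NFSv4 permission names this rule needs:
    r  read data (files) / list directory (folders)
    w  write data (files) / add file (folders)
    a  append data (files) / add subdirectory (folders)
    n  read named attributes
    N  write named attributes
Other letters (x, d, D, t, T, c, C, o, y) are carried through untouched.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Ace:
    kind: str        # "A" = ALLOW, "D" = DENY
    flags: str       # inheritance flags such as "fd"; may be empty
    principal: str   # OWNER@, GROUP@, EVERYONE@, or a user/group name
    perms: str

    @classmethod
    def parse(cls, text: str) -> Ace:
        kind, flags, principal, perms = text.split(":")
        return cls(kind, flags, principal, perms)

    def __str__(self) -> str:
        return ":".join((self.kind, self.flags, self.principal, self.perms))


def _with_bit(perms: str, letter: str, present: bool) -> str:
    """Return perms with `letter` set or cleared, leaving the other letters alone."""
    if present and letter not in perms:
        return perms + letter
    if not present and letter in perms:
        return perms.replace(letter, "")
    return perms


def correct_ace(ace: Ace, is_dir: bool) -> Ace:
    """Apply the policy to one ACE.  DENY ACEs are returned unchanged."""
    if ace.kind != "A":
        return ace
    perms = ace.perms
    # Read Named Attributes follows Read File (file) / List Folder (folder).
    # Both are the same NFSv4 bit, 'r'.
    perms = _with_bit(perms, "n", "r" in perms)
    # Write Named Attributes follows Write File on a file ('w') and
    # Add File OR Add Subfolder on a folder ('w' or 'a').
    want_write_attrs = ("w" in perms) or (is_dir and "a" in perms)
    perms = _with_bit(perms, "N", want_write_attrs)
    return Ace(ace.kind, ace.flags, ace.principal, perms)


def correct_acl(acl: list[str], is_dir: bool) -> list[str]:
    """The -correct behaviour over a whole ACL given as nfs4_getfacl lines."""
    return [str(correct_ace(Ace.parse(line), is_dir)) for line in acl]


# Constructed sample ACL for a folder (not from a real PASS space).
# The named-attribute bits are absent, as older pacl left them.
FOLDER_ACL = [
    "A:fd:OWNER@:rwaxdDtTcCy",   # full control
    "A:fd:GROUP@:rxtcy",         # list folder + traverse
    "A::EVERYONE@:atcy",         # may add subfolders, cannot list
    "D::EVERYONE@:wa",           # DENY ACE, must be left alone
]

if __name__ == "__main__":
    for before, after in zip(FOLDER_ACL, correct_acl(FOLDER_ACL, is_dir=True)):
        print(f"{before:28} -> {after}")
```

Note that the same ACE gets a different result on a file than on a folder: an EVERYONE@ entry carrying only `a` earns Write Named Attributes on a folder (Add Subfolder) but not on a file, and an ACE that still has `n` after `r` was removed gets `n` cleared again.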

The reasoning for this includes:

  • The Read Named Attributes and Write Named Attributes permissions are not used by GPFS (and therefore not by PASS) to make access control decisions; they are simply stored in the ACL and returned when it is read. Previously, pacl always left them off (cleared).
  • Some clients, Windows 7 in particular, check these permissions and change their behavior based on the setting. When copying a folder from PASS to a local Windows 7 folder without Read Named Attributes granted, a "Folder Access Denied" message appears. Other platforms, including Macintosh, Linux and other versions of Windows (except Windows Server 2008 R2), do not show this behavior. Copying individual files, or copying a folder in the reverse direction, does not hit the issue. With Read Named Attributes set on the folder, copying a folder from PASS to the local computer works.

In addition, other fixes went in this morning, including:

  • Listing folder permissions will now correctly identify when new files created in the folder will have execute permission.

Penn State full-time faculty and staff may read the full technical details of this update on:

Our group may proactively correct ACLs in users' spaces prior to the Fall semester to avoid further complications from the copy-folder-from-PASS issue on Windows 7.

Two configuration changes are due this Thursday:

  • Address issue with Windows 7 and Windows Server 2008 R2 clients mapping \\\pass
  • Address permissions issue with Macintosh clients accessing shared folders

See the announcement for full detail:

Kerberos encryption types augmented

On Wednesday, January 6, 2010, we augmented the list of encryption types supported by the Access Account realm, to support AES (256- and 128-bit keys) and RC4 (128-bit). This is in addition to the pre-existing support for DES (56-bit) and 3DES (168-bit).

More: alert-1350

Full-time faculty/staff may read the technical detail on:

Database behind Blogs (and other things) upgraded today

The upgrade ran without a hitch. Yes, this post is part of the verification. ;-)

Samba server upgrade

Starting October 20th, and ending this morning, we upgraded each of the 6 Samba (SMB/CIFS) PASS Gateways. They now have more CPUs, faster CPUs, more memory, a 64-bit instead of a 32-bit version of the OS, and a slightly newer version of Samba. This should yield better performance for some operations and eliminate some of the performance problems we've seen lately.

Also on the 20th, we switched to a more intelligent load balancer probe. Instead of a simple ping, the load balancer now also performs an HTTP request for a custom CGI program that runs on each gateway server. This CGI performs a number of health checks, including the number of smbd processes (too many or too few?), swap usage, system load, and the implicit question "is there enough user-space CPU time available to answer the probe?", which, if answered yes, implies there is enough time for smbd processes to respond to requests. There was one incident during the trouble described in alert-1213 where this too was a problem.
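A health probe of the kind described, as an added example (not the gateways' actual CGI program, which the post does not reproduce). The thresholds, the Metrics fields and the way the "user-space time" check is measured are assumptions chosen for illustration. The probe answers HTTP 200 only when every check passes and 503 otherwise, so a sick gateway is taken out of rotation rather than left to time out client requests.

```python
"""Load-balancer health probe for an SMB gateway.  Added example, not the
post's CGI; thresholds and metric definitions are assumptions.
"""
from __future__ import annotations

import os
import time
from dataclasses import dataclass


@dataclass
class Metrics:
    smbd_processes: int
    swap_used_fraction: float   # 0.0 .. 1.0
    load_per_cpu: float         # 1-minute load average divided by CPU count
    cpu_slice_seconds: float    # wall time a fixed CPU-bound loop took


# Assumed thresholds, not the gateways' real ones.
MIN_SMBD = 1          # below this smbd is probably dead or not accepting clients
MAX_SMBD = 2000       # above this the box is likely thrashing on connections
MAX_SWAP = 0.50
MAX_LOAD_PER_CPU = 4.0
MAX_CPU_SLICE = 0.5   # a ~50 ms loop needing >0.5 s of wall time means smbd starves too


def evaluate(m: Metrics) -> tuple[bool, list[str]]:
    """Return (healthy, reasons).  Every failing check is reported, not just the first."""
    reasons = []
    if m.smbd_processes < MIN_SMBD:
        reasons.append(f"too few smbd processes: {m.smbd_processes}")
    if m.smbd_processes > MAX_SMBD:
        reasons.append(f"too many smbd processes: {m.smbd_processes}")
    if m.swap_used_fraction > MAX_SWAP:
        reasons.append(f"swap usage {m.swap_used_fraction:.0%} exceeds {MAX_SWAP:.0%}")
    if m.load_per_cpu > MAX_LOAD_PER_CPU:
        reasons.append(f"load per CPU {m.load_per_cpu:.1f} exceeds {MAX_LOAD_PER_CPU}")
    if m.cpu_slice_seconds > MAX_CPU_SLICE:
        reasons.append(f"user-space starvation: probe loop took {m.cpu_slice_seconds:.2f}s")
    return (not reasons, reasons)


def cpu_slice() -> float:
    """Time a small, fixed amount of user-space work.  On an idle box this takes
    tens of milliseconds; if the probe cannot get CPU, neither can smbd."""
    start = time.perf_counter()
    x = 0
    for i in range(300_000):
        x = (x * 31 + i) & 0xFFFFFFFF
    return time.perf_counter() - start


def _comm(pid: str) -> str:
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return ""


def _meminfo(key: str) -> int:
    with open("/proc/meminfo") as f:
        for line in f:
            if line.startswith(key + ":"):
                return int(line.split()[1])
    return 0


def collect() -> Metrics:
    """Gather live numbers (assumption: a Linux /proc layout)."""
    smbd = sum(1 for pid in os.listdir("/proc") if pid.isdigit() and _comm(pid) == "smbd")
    swap_total, swap_free = _meminfo("SwapTotal"), _meminfo("SwapFree")
    swap_frac = 0.0 if swap_total == 0 else 1 - swap_free / swap_total
    load1 = os.getloadavg()[0] / (os.cpu_count() or 1)
    return Metrics(smbd, swap_frac, load1, cpu_slice())


def cgi_response(m: Metrics) -> str:
    """Render the probe result as a CGI response (status header + body)."""
    ok, reasons = evaluate(m)
    status = "200 OK" if ok else "503 Service Unavailable"
    body = "OK\n" if ok else "FAIL\n" + "\n".join(reasons) + "\n"
    return f"Status: {status}\nContent-Type: text/plain\n\n{body}"


if __name__ == "__main__":
    print(cgi_response(collect()), end="")
```

Keeping the decision in `evaluate()` separate from `collect()` lets the thresholds be tested without a live gateway, and reporting every failing check rather than the first saves a round of guessing when the load balancer pulls a node.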

As for alert-1213, we expect that the LDAP upgrade slated for the 15th, as described in alert-1279 will address it with faster LDAP servers.

Departmental PASS ACL Reset

This morning around 5am, we updated the ACL reset function of PASS Explorer's File Access Control Manager to properly handle files in departmental file storage housed under /pass/depts. 

The master UMG given to each space with FULL CONTROL will now remain in the ACL after a reset.  Also, the "everyone" permission is set to default deny mode, so others will need to be granted access by separate permissions after a reset. This should make management of departmental space easier for IT staff.

Inquiries about purchasing departmental file space may be directed to the ITS Computer Accounts office and inquiries about usage may be directed to the ITS Help Desk.

Fall Semester 2009 Changes

Several changes occurred with AIT-provided services in the past few weeks/months, including:

  1. - upgraded Aug 14, now supports bulk add/remove features

  2. - upgraded Aug 17, now supports protected blogs

  3. PASS Personal quota - upgraded today (Aug 24) to support self increases to 10 GB via

  4. - added new "Permissions" button on Aug 22 to replace the "File Sharing" button obsoleted by the 2008 PASS Migration

  5. - security fix added Aug 23; symbolic links are no longer supported

  6. The cost for leased PASS just dropped at the start of this fiscal year.  Effective July 1, 2009, the cost dropped from $0.02 / MB / year to $0.08 / GB / month.
  • Note, there is now a required minimum of 15 GB for new departmental space and all space increase requests.

32 group limitation corrected - PASS CIFS Gateway

As of 6:26 a.m. this morning (2009/July/09), we have fully eradicated the 32 group limitation (documentation to be updated shortly) with the PASS CIFS Gateway service.  The new limit is at least 1,024 groups, well beyond the 128 group limit that affects most other PASS services (NFS, Explorer, SFTP, etc.).

(Update 2009/July/11)
See also IBM GPFS FAQ #5.7:What is the limit on the maximum number of groups a user can be a member of when accessing a GPFS file system?

Custom 404 for you

Since 6 a.m. this morning, any attempts to use a custom 404 File Not Found error for your Penn State Personal Web site for URL requests like:

will now work.  Previous to this change, they would fall through to the server-wide default 404 error page.

In contrast, requests for URLs like:

didn't have a problem and will continue to work.

An example of how to set a custom 404 File Not Found error page is to create the page you want visitors to see at a page like, then add the following line to .htaccess:

ErrorDocument 404 /xyz123/404error.html

The error page filename can be anything you want. Change the userid to match yours.

The problem was that the RewriteRules had to determine whether a file or folder matching the short (trie-less) URL belonged to a userid that matched the pattern. It did this through a "does the file exist?" (-f) test. This prevented mismatches for hits that should be local to the DocumentRoot, such as /users/i/m/images/lion.gif. However, it also precluded a user from using a custom 404 error page for the short URL version of their space, since a request for a non-existent file never matched the rewrite. The new way performs a "does the folder exist?" (-d) RewriteCond test on the user's home folder, allowing that user to claim any URL request for that space (custom 404 or not). Prior to Feb 21, 2006, this was never a problem, since we used to force an external [R] redirect before the 404 condition would be reconciled.
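The decision described above, modelled in Python as an added example. This is not the site's actual RewriteRules, which the post does not reproduce. The directory layout is an assumption inferred from the /users/i/m/images/lion.gif example: a user's web space is taken to live at /users/<c1>/<c2>/<userid>/www under DocumentRoot, with c1 and c2 the first two characters of the userid, and the short URL /<userid>/... is rewritten there. The file system is constructed.

```python
"""Model of the short-URL rewrite decision: -f (old) versus -d (new).
Added example; the layout and file system below are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Short URL: /<userid>/<rest>; userids are assumed to be at least two
# lowercase alphanumerics so the trie prefix can be derived from them.
SHORT_URL = re.compile(r"^/([a-z][a-z0-9]+)/(.*)$")


@dataclass(frozen=True)
class Fs:
    files: frozenset[str]
    dirs: frozenset[str]


def home_of(userid: str) -> str:
    """Assumed mapping from a userid to its web space under DocumentRoot."""
    return f"/users/{userid[0]}/{userid[1]}/{userid}/www"


def resolve(url: str, fs: Fs, cond: str) -> str:
    """Decide who answers `url`.

    cond="-f": the old RewriteCond, the rewritten target file must exist.
    cond="-d": the new RewriteCond, the user's home folder must exist.
    Returns "user" when the request is handed to the user's space (so the
    user's own ErrorDocument 404 applies) or "server" when it stays with the
    DocumentRoot and falls through to the server-wide 404 page.
    """
    m = SHORT_URL.match(url)
    if not m:
        return "server"
    userid, rest = m.groups()
    home = home_of(userid)
    if cond == "-f":
        claimed = f"{home}/{rest}" in fs.files
    elif cond == "-d":
        claimed = home in fs.dirs
    else:
        raise ValueError(f"unknown RewriteCond test {cond!r}")
    return "user" if claimed else "server"


# Constructed file system: one user, xyz123, plus a DocumentRoot-local image.
FS = Fs(
    files=frozenset({
        "/users/x/y/xyz123/www/index.html",
        "/users/x/y/xyz123/www/404error.html",   # ErrorDocument 404 /xyz123/404error.html
        "/users/i/m/images/lion.gif",
    }),
    dirs=frozenset({"/users/x/y/xyz123/www", "/users/i/m/images"}),
)

if __name__ == "__main__":
    for url in ("/xyz123/index.html", "/xyz123/missing.html", "/users/i/m/images/lion.gif"):
        print(f"{url:28} -f: {resolve(url, FS, '-f'):6}  -d: {resolve(url, FS, '-d')}")
```

Running it shows the three cases from the post: an existing page is claimed either way, a missing page under /xyz123/ reaches the user's 404 only with -d, and /users/i/m/images/lion.gif stays with the server under both tests because no userid "users" has a home folder, so the -d test loses nothing on the mismatch guard.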

In retrospect, I am tempted to declare my old RewriteRules sloppy, since there were other inefficiencies corrected this morning, but I guess such judgment comes with experience using them. They certainly are "D*** cool voodoo".

Added Wordle @banner

Yesterday, I learned about from H. Morrow Long of Yale University during his presentation at the Penn State Security Conference 2009.

Today, I applied the lesson on how to add a banner image to a Penn State blog to attach a wordle image generated from the RSS feed of this blog.

Maybe it's a real simple thing, but it feels neat to me.
