CITI Showcase trip
Things learned at CITI, July 11, 1995
David Lemson
-- General Info
Michigan has 3 campuses: Ann Arbor and satellite campuses at Flint
and Dearborn. Other campuses don't use AFS.
ITD (Information Technology Division) has budget of $72 million, 600
permanent employees. Includes Administrative and academic
computing.
----------------------------------------------------------------------
3 "mainframes" (read: IBM) at Michigan: 1) Hospital (has been a
separate unit), 2) Data systems center - administrative computing,
3) Academic computing for experimental systems on north campus (IFS
used to run there)
32,000 students, 3,000 faculty at Ann Arbor campus. 38 sites, 1400
machines (1050 Mac, 200 Intel, remainder UNIX). 450 applications,
both Mac and PC - 100 are courseware.
Ported AFS to AIX/370, MVS, VM in '90-'92 to create IFS. Connected to
the campus network via BTI channel-ethernet attachments. This, not the
CPU, was the bottleneck.
Now they run AFS on several RS/6000's. During lunch, Michael
Stolarchuk told me that they picked RS/6000 over Suns for specific
reasons. He also told me that AFS clients on Solaris don't handle
multiple processors right - they take a global lock so that only one
AFS process talking to a server can run at a time. On a
multi-processor system with a lot of AFS activity, this may be a real
problem.
AFS translators convert AFS to AFP for Macintoshes - a Desk
Accessory lets a Mac get kerberos credentials. 6 translators serve
student labs/departmental machines. Not too loaded down. Each has
128 MB RAM, models 530 or 560. Bottleneck is the disk because of
cache hits. C10 is just fine.
PC translators: they built one, an NFS-AFS translator. Probably
abandoning it in favor of Locus PC-I.
Novell servers here and there, all separate security domains. No
connection to AFS yet. (See Andy Adamson's paper)
IPX routing? Yes they do it across the whole campus backbone.
How are apps served in site machines? mostly either local disks or
Apple AppleShare servers. Some licensed apps come off of AFS disks
in Engineering.
----------------------------------------------------------------------
-- UMCE - U M Computing Environment. Their push to client-server, away
from mainframe-based logins (MVS). With UMCE they had to say "can't
support less than Windows, 386 machines".
Users' email options:
1) account on login servers - 20 Sparc 20's, some with up to 4
processors. DNS round-robin.
2) Read mail using IMAP clients like Pine or Mailstrom. Both POP
and IMAP supported. People do get confused.
uniqname system - a unique name that stays with the user while at
U-M. Used as an identifier in X.500 white pages service. Have a
mechanism like phquery on the @umich.edu mail server. Also finger
server.
On-line registration with "CRISP" system. Done at a terminal in a
specific place somewhere. Now starting to do by phone system.
Reasoning: not everyone has access to a computer, everyone has
access to a phone.
X.500 clients: UNIX (ud), X, Mac (MAX500), PC (PAX500). Hacked
servers and clients to use kerberos tokens to change entries, much
like Paul has done to ph lately.
No conferencing software on UMCE besides a proprietary line-mode
UNIX one called confer2.
Not much web expertise in CITI/ITD. Most applications that could
have used secure Web applications were written with DCE, because
they had DCE expertise.
----------------------------------------------------------------------
-- IFS Info:
Users subscribe to services on-line. For instance, can request a
larger IFS quota via a web interface. When asked, they did not know
how it was done, as the author had moved to another department.
They were willing to give us all of the code, though.
5 or 10 MB AFS volume per person. This volume is expanded to
provide more space. Presumably this means that there are no quotas,
because each volume is separate. To add space costs $.09/MB/month.
Oldfiles service on AFS allows people to see yesterday's files in
their home dir. Backup requests are about 2 per week.
Departments can buy disks and put them on IFS servers for something
like $3000/yr to manage, backup. (maybe less, he wasn't sure)
IFS servers are RS/6000's, AFS-AFP Translators are RS/6000
530,560,570 with 128 MB RAM.
Backups: 200 GB on-line right now. 500 GB on-line by Sept 1. 6 AFS
servers, each has an Exabyte 10e stacking 8mm tape drive. Each
server does its own backups using the Transarc backup utility. Have
32,000 users, each has one volume + 6,000 groups, each has its own
volume. Twice a week rotate tapes in stackers. Transarc utilities
label the tapes. People email for restores and they're done
manually.
Pointer to IFS info:
IFS Technical Info
IFS Home Page
NetWare was examined as a means to provide this information.
A study was conducted:
NetWare-AFS comparison study.
Remarks by Andy at meeting: No replication possible in NetWare,
users can't add groups, operations took forever in NDS with 50,000
users. Basic design problems in NDS for large # of users.
The clients supported in IFS
----------------------------------------------------------------------
-- AFS Info
The session semantics of AFS seem like a problem at first appearance,
but since UNIX doesn't guarantee the order of writes even on local
disks, application programmers already make sure that 2 programs never
write to the same file at the same time anyway. DFS no longer has
session semantics. It acts somewhat like Sprite: it turns off caching
on writes and makes them take effect immediately.
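To make the difference concrete, here is a toy model (added here, not part of the trip report or any Michigan code) of the two behaviours just described: an AFS-style "session" client that works on a private whole-file copy and stores it back on close, versus a Sprite/DFS-style client whose writes go straight to the server. Two clients append one record each to the same file; under session semantics the second close silently discards the first client's record. Client and server classes, file contents and record names are all constructed for the illustration.

```python
"""Toy model of whole-file session semantics versus write-through writes.

This is an added illustration, not AFS or DFS code. The Server, the two
client classes and the sample records are constructed for the example.
"""


class Server:
    """Holds the single authoritative copy of one file."""

    def __init__(self, content=""):
        self.content = content


class SessionClient:
    """AFS-style: fetch the whole file on open, ship it back on close."""

    def __init__(self, server):
        self.server = server
        self.copy = None  # private cached copy while the file is open

    def open(self):
        self.copy = self.server.content

    def write(self, text):
        self.copy += text  # only the local copy changes

    def close(self):
        self.server.content = self.copy  # last close wins
        self.copy = None


class WriteThroughClient:
    """Sprite/DFS-style: caching is off for writes, each write hits the server."""

    def __init__(self, server):
        self.server = server

    def open(self):
        pass

    def write(self, text):
        self.server.content += text  # takes effect immediately

    def close(self):
        pass


def concurrent_append(client_cls, initial="base;"):
    """Two clients open the same file, each appends one record, both close.
    Returns the final server-side content."""
    srv = Server(initial)
    a, b = client_cls(srv), client_cls(srv)
    a.open()
    b.open()
    a.write("A;")
    b.write("B;")
    a.close()
    b.close()  # under session semantics this overwrites A's stored copy
    return srv.content


def lost_updates(client_cls):
    """Records some client wrote that are missing from the final file."""
    final = concurrent_append(client_cls)
    return [rec for rec in ("A;", "B;") if rec not in final]


if __name__ == "__main__":
    for cls in (SessionClient, WriteThroughClient):
        print(cls.__name__, repr(concurrent_append(cls)), "lost:", lost_updates(cls))
```

Running it shows `SessionClient` ending with `base;B;` and losing `A;`, while `WriteThroughClient` ends with `base;A;B;` and loses nothing. That lost update is exactly why, as the notes say, programs that share a file on AFS have to coordinate so that only one of them writes at a time.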
Have a Desk Accessory for Mac that throws away token when you put an
AFS volume in the trash. Have another DA that lets you modify ACL's
(though we didn't see this).
AFS 3.4 needed to handle large volumes, also important for
translator performance.
AFS advantage over DFS:
- AFS comes from one vendor. DCE comes from different vendors and can
only run at the lowest of all the DCE versions that are running.
Departmental servers in your cell issue:
- To be in the cell, your server must have the cell key. With the
cell key, you can pretend to be a server for the cell to any
client. Therefore, you must trust all servers the same way. You
can't always trust a server that's out in a department, so the
solution is to let departments run their own cells. That raises the
problem of mutual authentication and unique names: you must ensure
that the other cells use the same user names.
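The trust boundary described above can be shown with a small model (added here; it is not AFS protocol code and not anything Michigan wrote). A client accepts a server's claim "I am server S of cell C" only if a MAC over that claim verifies under the key the client trusts for cell C. In a single cell every server holds the cell key, so a departmental machine inside the cell can produce a valid claim for the central home-directory server; once the department runs its own cell with its own key, its key only vouches for servers in that cell. The assertion format, the key values and the cell and server names (`dept.umich.edu`, `homedir-fs1`, `dept-fs1`) are constructed for the illustration; the mutual-authentication and unique-name problem between cells is not modelled.

```python
"""Toy model of why every holder of a cell key must be trusted equally.

Added illustration only: the 'assertion' is an HMAC over (cell, server) under
the cell key, standing in for whatever a real AFS server proves to a client.
Keys, cell names and server names below are constructed for the example.
"""
import hashlib
import hmac
import secrets


def server_assertion(cell_key: bytes, cell: str, server: str) -> bytes:
    """What a server presents to a client: MAC over (cell, server) under the cell key."""
    return hmac.new(cell_key, f"{cell}|{server}".encode(), hashlib.sha256).digest()


def client_accepts(trusted_keys: dict, cell: str, server: str, proof: bytes) -> bool:
    """Client checks the proof with the key it trusts for that cell only."""
    key = trusted_keys.get(cell)
    if key is None:
        return False
    return hmac.compare_digest(server_assertion(key, cell, server), proof)


def single_cell_scenario() -> bool:
    """Departmental server sits inside the central cell, so it holds the cell key.
    Returns True if a proof it produces for the central home-dir server is accepted."""
    central_key = secrets.token_bytes(32)
    client_trust = {"umich.edu": central_key}
    dept_key = central_key  # being in the cell means holding the cell key
    proof = server_assertion(dept_key, "umich.edu", "homedir-fs1")
    return client_accepts(client_trust, "umich.edu", "homedir-fs1", proof)


def separate_cells_scenario() -> tuple:
    """Department runs its own cell with its own key.
    Returns (accepted for its own server, accepted for the central server)."""
    central_key = secrets.token_bytes(32)
    dept_key = secrets.token_bytes(32)
    client_trust = {"umich.edu": central_key, "dept.umich.edu": dept_key}
    own = server_assertion(dept_key, "dept.umich.edu", "dept-fs1")
    central = server_assertion(dept_key, "umich.edu", "homedir-fs1")
    return (
        client_accepts(client_trust, "dept.umich.edu", "dept-fs1", own),
        client_accepts(client_trust, "umich.edu", "homedir-fs1", central),
    )


if __name__ == "__main__":
    print("one shared cell key, dept key vouches for central server:", single_cell_scenario())
    print("separate cells (own server, central server):", separate_cells_scenario())
```

The first scenario returns `True`: inside one cell there is no way for a client to tell a departmental server's claim from the central server's, which is the "trust all servers the same way" point. The second returns `(True, False)`: the departmental key still works for its own cell and nothing else, which is the blast-radius reduction that motivates separate departmental cells.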
No good solution to a user who wants to run procmail. May have to
run it with administrative ability.
----------------------------------------------------------------------
-- PROJECTS:
Mac-based DCE:
- Joint with Gradient to port DCE to Mac (announced at DCE User's
Group 5/30)
- Based on DCE 1.02
- Works on 8 MB PC, needs 32 MB on RS/6000
- Porting threads, authentication layer.
- Current status:
- unauthenticated RPC running
- Gradient will implement into full client and server
implementation for 1996 release
Authenticated PGP:
- Joint with common solutions group
- Make key-signing service - proven by kerberos credentials
- UNIX, Windows, Mac - Mac has minimal kerberos support. Jim Rees
is principal person.
Big 10 Joint Transcripts:
- Demonstration using DCE to share info across Big 10 Schools in
secure fashion.
- Use DCE intercell communications - standard 3rd party
authentication. Each school has a DCE cell.
- Info must reside on DFS to be securely transported.
Wolverine Access
- Allows student Mac and Windows users access to administrative
data.
- Uses: CUSP: proprietary RPC from Cornell, IMS back-end database,
Kerberos
- Status:
- Mac-based version deployed to campus
- Allows access to student records (e.g. change address),
course schedule, registration information
- Next:
- Full DCE implementation (replace CUSP with DCE) with
Kerberos v5 security
- Windows client (Done already using PC DCE)
Kerberos:
- Implemented Kerberized xdm for single IFS/DCE login from RS/6000.
(EWS may want to use this)
----------------------------------------------------------------------
-- PC-I Discussion with Andy
- 8.3 name translation complaint
- The way it sends password from client to PCI translator was not
secure. Andy has kerberized it and the new secure version will go
into the release product.
- PC-I stats all directories from your current one up to /. When it
gets to /afs it can take a minute. Working on fixing that.
- No ACL tools on PC client.
- Why still have Novell servers for applications in sites? They are
faster for serving PC's.
- Andy compiled most of v4 kerberos utilities for DOS. Hacked .cfg
file so it has more info so his klogin can get you both a NetWare
login and a kerberos token.
lemson@uiuc.edu / University Of Illinois