This page describes steps to get connectivity with DICE AFS on a non-DICE Debian (or derivative, e.g. Ubuntu) system.

Super-quick Summary

This should work for most Debian >=5 and Ubuntu >=10.x machines.

Run the following commands in a terminal. You might be prompted for some of the following:

  • Kerberos Servers:
  • AFS Cell:
  • AFS Cache size: whatever you wish. Try 500000 (500Mb) if you are unsure.
  • On the last line, [u/MA] is the first character(s) of your username/matric.

$ sudo -i
# apt-get install krb5-config krb5-user ntp
# apt-get install openafs-client openafs-krb5 openafs-modules-dkms
# echo "" > /etc/openafs/ThisCell
# /etc/init.d/openafs-client start
# exit
$ kinit [DICE username]
$ aklog
$ cd /afs/[u]/[username]/ (for staff)
$ cd /afs/[MA]/sMATRIC/ (for students)

Get required packages

Install at least the following using # apt-get install ...

krb5-config krb5-user ntp
openafs-client openafs-krb5 openafs-modules-dkms

(if you are using Ubuntu you may need to enable the Universe repository for Kerberos packages.)

These packages will likely request configuration. Depending on the distribution this may configure your system correctly, but some distributions do not modify the configuration sufficiently to work with DICE.

Example dpkg prompts:

AFS Cell
AFS Cache size
not too important. Try 200000 - 2000000, or as appropriate for the size of your dedicated AFS partition.
Kerberos Servers (any prompts)

Try filling in any other prompts using information extracted from the config files below, if you wish. Otherwise just replace the files as shown.

Extended Kerberos Configuration

'kinit' may probably work just by setting the kdc as above. If so, you can skip this step.

If it does not, or for more functionality, you may also set up /etc/krb5.conf to the following (and lose dpkg-managed configuration of the file):

  default = FILE:/var/log/krb5libs.log

  default_realm = INF.ED.AC.UK
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 64800
  forwardable = yes

  default_tkt_enctypes = des3-cbc-sha1 des-cbc-crc
  default_tgs_enctypes = des3-cbc-sha1 des-cbc-crc

  INF.ED.AC.UK = {
    admin_server =
    default_domain =

[domain_realm] = INF.ED.AC.UK

  INF.ED.AC.UK = {
  ED.AC.UK = {

  pam = {
    debug = false
    ticket_lifetime = 64800
    renew_lifetime = 64800
    forwardable = true
    krb4_convert = false

If you are using openafs version 1.4.11 on Ubuntu 10.04, or for any other reason also have Kerberos 1.8 installed, you will also need to add the following to the libdefaults section.

allow_weak_crypto = true

From version 1.4.12 onwards this is not necessary as openafs knows how to ask kerberos 1.8 for the correct configuration.

Configure AFS

The dkms package should have built the openafs kernel module for your installed kernel versions. It will continue to do so whenever a new version becomes available.

First, prepare a partition for OpenAFS. This can be your root partition (no configuration required), if it is formatted using ext2 or ext3.

If you did not set your AFS client as belonging to the '' cell at dpkg configuration-time, configure it now:

# echo "" > /etc/openafs/ThisCell

Now start OpenAFS:

# /etc/init.d/openafs-client start

Establish connection

Get your Kerberos credentials: type

$ kinit [DICE username]

and enter your password. Now establish your AFS credentials using

$ aklog

Your AFS home directory can be found in

/afs/[u]/[username]/ or /afs/[MA]/sMATRIC/

where [u/MA] is the first character(s) of your username/matric.

Further Configuration

SSL Certificates

Installing the EUCS root certificates may be useful (though not required). A prepackaged certificate is available at:

install using # dpkg -i ....

Sorry, the certificates packaged here have expired (but are still installable and remain available to demonstrate how the latest certificates might be installed).

SSH (outbound)

To allow AFS access even when connecting onto DICE machines, set your /etc/ssh/ssh_config file to include the following (before the Host * line):

Host *
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

Now you are Kerberised...

Why not add Cosign Single-signon capability to your browsers?


Some Debian packages are compiled with Kerberos / GSSAPI support by default - you might be pleasantly surprised when applications no longer request your password. Other applications may need to be recompiled to take advantage of Kerberos authentication.

-- GrahamDutton - 20 Oct 2008, Feb 2011 -- StephenQuinney - 30 Apr 2010

Edit | Attach | Print version | History: r11 < r10 < r9 < r8 < r7 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r8 - 16 Apr 2012 - 15:02:02 - GrahamDutton
This site is powered by the TWiki collaboration platformCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback
This Wiki uses Cookies