Test OpenAFS installation
The notes on this page are mainly legacy items. The
OpenAFSPilot pages describe how the current DICE OpenAFS
pilot service works.
Tiny acorns
AFSInstallationNotes details the steps required to get a minimal
OpenAFS service for the inf.ed.ac.uk
domain up and running. This is based on the 1.2.11 release from openafs.org, and integrates with our
Kerberos V service for user authentication. Note that it requires a running krb524d, which must have
access to the AFS server key. With the changes in MIT Kerberos with 1.2.6, this isn't doing 524 conversion,
but just helping aklog construct Kerberos tokens.
This is somewhat outdated. As part of the AFS trial effort, we're now running an AFS realm that Craig's installed on symplegades.inf.ed.ac.uk, with duffus.inf.ed.ac.uk as a slave. symplegades is running a release from the 1.3 tree on a vanilla FC3 machine.
We currently have two 'useful' AFS realms mounted at the top level, in addition to inf.ed.ac.uk:
* athena.mit.edu
* grand.central.org
If anyone would like to see other realms made available, let me know!
The current AFS test machine is duffus.inf.ed.ac.uk. Note that AFS files on duffus are not being backed up. That said, if you'd like an AFS home directory please let me know.
AFSUserManagement describes how to create new users in the AFS domain, and how to manage those users.
Notes
One step at a time
Next steps:
- Write a component to configure a machine as an AFS client.
- Look at moving the krb524 service local to the AFS server. aklog has been patched to support directly obtaining AFS tokens, without the need for a 524 service.
- Look at adding additional servers.
- Look at opening some firewall holes to duffus, to try AFS from home. duffus (and symplegades) both allow access from outside EdLAN. AFS runs acceptably from home, under both Linux and Windows. Some notes on configuring AFS for Windows are available as part of the DiceWindows notes.
Open issues:
- The AFS kernel module appears to not work, or sometimes even build, reliably against later 2.6 kernels. The 1.3 tree works with 2.6 kernels - symplegades is running AFS under FC3.
Long term questions (if we decided to use AFS in a big way):
- Could AFS account creation be integrated into the Account Management Toolset?
- Could AFS group membership be controlled via LDAP? There's a ptlocal version of the AFS protection server which can use any source that can be listed in nsswitch for protection database information. Note, however, that this won't allow user defined or managed protection groups.
How to BuildOpenAFSKerberosStuff
How to DestroyAFSCell
-- SimonWilkinson - 19 Jul 2004