Test OpenAFS installation

The notes on this page are mainly legacy items. The OpenAFSPilot pages describe how the current DICE OpenAFS pilot service works.

Tiny acorns

AFSInstallationNotes details the steps required to get a minimal OpenAFS service for the inf.ed.ac.uk domain up and running. This is based on the 1.2.11 release from openafs.org, and integrates with our Kerberos V service for user authentication. Note that it requires a running krb524d, which must have access to the AFS server key. With the changes in MIT Kerberos with 1.2.6, this isn't doing 524 conversion, but just helping aklog construct Kerberos tokens.

This is somewhat outdated. As part of the AFS trial effort, we're now running an AFS realm that Craig's installed on symplegades.inf.ed.ac.uk, with duffus.inf.ed.ac.uk as a slave. symplegades is running a release from the 1.3 tree on a vanilla FC3 machine

We currently have two 'useful' AFS realms mounted at the top level, in addition to inf.ed.ac.uk * athena.mit.edu * grand.central.org If anyone would like to see other realms made available, let me know!

The current AFS test machine is duffus.inf.ed.ac.uk. Note that AFS files on dufus are not being backed up. That said, if you'd like an AFS homedirectory please let me know.

AFSUserManagement describes how to create new users in the AFS domain, and how to manage those users.

Notes

• The AFS client needs to be run with the '-nosettime' option on all machines which are already running an NTPd (this is probably all DICE machines). See https://lists.openafs.org/pipermail/openafs-info/2005-February/016780.html for more details.

One step at a time

Next steps:

• Write a component to configure a machine as an AFS client.
• Look at moving the krb524 service local to the AFS server.aklog has been patched to support directly obtaining AFS tokens, without the need for a 524 service.
• Look at adding additional servers.
• Look at opening some firewall holes to duffus, to try AFS from home. duffus (and symplegades) both allow access from outside EdLAN . AFS runs acceptably from home, under both Linux and Windows. Some notes on configuring AFS for windows are available as part of the DiceWindows notes.

Open issues:

• The AFS kernel module appears to not work, or sometimes even build, reliably against later 2.6 kernelsThe 1.3 tree works with 2.6 kernels - symplegades is running AFS under FC3.

Long term questions (if we decided to use AFS in a big way):

• Could AFS account creation be integrated into the Account Management Toolset?
• Could AFS group membership be controlled via LDAP? There's a ptlocal version of the AFS protection server which can use any source that can be listed in nsswitch for protection database information. Note, however, that this won't allow user defined or managed protection groups.

How to BuildOpenAFSKerberosStuff

How to DestroyAFSCell

-- SimonWilkinson - 19 Jul 2004