OpenAFS

This guide is designed to aid the installation of OpenAFS onto Linux systems on the CMU Computer Science Network.

Terms


Steps

  1. Download/Install the OpenAFS distribution - Grab it here. If you can avoid it, do not compile this yourself. If you're on Red Hat, use the RPMs; you will need all of them apart from the source RPMs, the server package, and the devel packages. After installing, use ntsysv to make the afs service start on boot.
  2. Enable AFS in PAM - On Red Hat 9, I replaced /etc/pam.d/system-auth with the following (saving a copy of the old version). You will likely need to find an equivalent for your system:
    auth        required      /lib/security/pam_env.so
    auth        sufficient    /lib/security/pam_unix.so likeauth nullok
    auth        sufficient    /lib/security/pam_krb5.so use_first_pass
    auth        required      /lib/security/pam_deny.so
    
    account     required      /lib/security/pam_unix.so
    account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_krb5.so
    
    password    required      /lib/security/pam_cracklib.so retry=3 type=
    password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password    sufficient    /lib/security/pam_krb5.so use_authtok
    password    required      /lib/security/pam_deny.so
    
    session     required      /lib/security/pam_limits.so
    session     required      /lib/security/pam_unix.so
    session     optional      /lib/security/pam_krb5.so
    
    beneath pam_nologin.so (line 3 on a stock file). You can make additional entries for other PAM services that you want to be Kerberos/AFS-authentication aware.
  3. Set the Cell - Edit /usr/vice/etc/ThisCell, replacing the contents with cs.cmu.edu.
  4. Set up Kerby - Install the following files in /etc: krb.conf and krb5.conf.
  5. Trim the AFS Servers (optional) - Install the following file in /usr/vice/etc: CellServDB. This instructs the AFS client not to mount most of the AFS cells outside CMU/Pitt. Naturally, if you're using these instructions and aren't at CMU or Pitt, you probably won't want to do this.
  6. Set up users - For each user who should be able to access your system, make an entry in /etc/passwd with the same userid and username they have on AFS (use pts examine on them on a facilitized system to get this information). Make an entry for them in /etc/shadow with the password field set to !! (no local password can ever match it, so authentication falls through to Kerberos) and all of the other fields (apart from the username, of course) left at the default. If their home directory is on AFS, set it appropriately in passwd. If there's a reason they'd want to log in locally, use the passwd utility to give them a real password, and they'll be able to log in without the network using username:local. This is, of course, useless if their home directory is on AFS. The afs_allow_user script in the smallbutuseful module might be helpful (if you're in the auton group and have all that set up on another machine).
  7. Reboot. It should just work. If it doesn't, feel free to drop me a mail.
  8. Post-install - Once it's working, make symlinks as appropriate. This is useful if you want to mimic the facilitized environment to any degree (perhaps you want to run Mathematica or Matlab).
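
The user setup in step 6, as an added example that is not the smallbutuseful afs_allow_user script: it builds the passwd and shadow lines from a pts examine record and refuses a uid that is already present in the local passwd file. The pts examine output format, gid = uid, bash as the login shell and the AFS home root passed as the third argument are assumptions of this example; the sample data is constructed.

```sh
#!/bin/sh
# Added example, not the page's afs_allow_user script: produce the /etc/passwd and
# /etc/shadow entries from step 6 for one AFS user, and refuse a uid that is already
# taken locally. Assumed: pts examine output format, gid = uid, bash as the shell,
# and home directories under the AFS root given as the third argument.
set -eu

# Pull "alice 1234" out of the first line pts examine prints:
#   Name: alice, id: 1234, owner: ..., creator: ...,
pts_name_id() {
    printf '%s\n' "$1" | sed -n 's/^Name: \([^,]*\), id: \([0-9]*\),.*$/\1 \2/p'
}

# Succeed only if no entry in the passwd file already carries this uid. A duplicate
# uid would hand the AFS user every file the existing local account owns.
uid_free() {   # uid passwd_file
    ! awk -F: -v u="$1" '$3 == u { found = 1 } END { if (found) exit 0; exit 1 }' "$2"
}

# "x" in the password field sends pam_unix to /etc/shadow for the hash.
passwd_line() {   # user uid home
    printf '%s:x:%s:%s:%s:%s:/bin/bash\n' "$1" "$2" "$2" "$1" "$3"
}

# "!!" is not a valid hash, so pam_unix can never authenticate this user and the
# stack falls through to pam_krb5. The last-change field is left empty so pam_unix's
# account check does not treat the password as expired; the rest are useradd defaults.
shadow_line() {   # user
    printf '%s:!!::0:99999:7:::\n' "$1"
}

# Emit both lines for one pts examine record, or fail on an unparsable record (2)
# or a uid clash (1). Nothing is written to /etc here; redirect as you see fit.
afs_allow_user() {   # pts_output passwd_file afs_home_root
    _rec=$(pts_name_id "$1")
    [ -n "$_rec" ] || { echo "cannot parse pts examine output" >&2; return 2; }
    _user=${_rec% *}; _uid=${_rec#* }
    uid_free "$_uid" "$2" || { echo "uid $_uid already present in $2" >&2; return 1; }
    passwd_line "$_user" "$_uid" "$3/$_user"
    shadow_line "$_user"
}

# Constructed sample input: a pts examine record and two local passwd files.
SAMPLE_PTS='Name: alice, id: 1234, owner: system:administrators, creator: admin,
  membership: 3, flags: S----, group quota: 20.'
SAMPLE_PASSWD_OK=$(mktemp);    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$SAMPLE_PASSWD_OK"
SAMPLE_PASSWD_CLASH=$(mktemp); printf 'root:x:0:0:root:/root:/bin/bash\nbob:x:1234:1234:bob:/home/bob:/bin/bash\n' > "$SAMPLE_PASSWD_CLASH"

afs_allow_user "$SAMPLE_PTS" "$SAMPLE_PASSWD_OK" /afs/cs.cmu.edu/user
afs_allow_user "$SAMPLE_PTS" "$SAMPLE_PASSWD_CLASH" /afs/cs.cmu.edu/user || echo "refused (exit $?)"
```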

Notes

OpenAFS differs slightly from the facilitized AFS/Kerberos suite. There is no kauthd, so you'll need to run klog once a day. "su" does not support alternate principals (such as root), so there's just system root (I'm working on making a usable source bundle and binaries from the facilities "su" sources, but I'm not done yet). Finally, passwords that are too long or that have strange characters will prevent klog from working (but you will be able to log in with them).