AFS

What is AFS? AFS is a distributed networked filesystem (similar to cloud storage) designed for collaboration.

AFS Client Installation

A very nice guide can be found at Cornell https://confluence.cornell.edu/display/CNF/Installing+AFS

Windows

IMPORTANT: Do NOT install Kerberos for Windows version 4.X. It does not work with AFS.

  1. Install the latest version of Network Identity Manager
    1. https://www.secure-endpoints.com/netidmgr/v2/#download
    2. When asked, the Kerberos realm is CS.RU.IS. Note the uppercase letters.
  2. Download the latest OpenAFS version, preferably 1.8 or higher
    1. Auristor (commercial partner) packages them nicely at https://www.auristor.com/openafs/client-installer/
    2. If you wish to get it from OpenAFS, it is IMPORTANT to know: if you install the 64 bit version, you will also need to install the 32 bit tools: http://www.openafs.org/windows.html
    3. The AFS realm is cs.ru.is. Note the lowercase letters and that it is NOT rnd.ru.is.
  3. Then reboot the computer
  4. You will notice after rebooting a new context menu "AFS" when you right click anywhere. This is how you will interact with AFS to get information and change access control.
  5. You will need to get Kerberos tickets from the "Network Identity Manager". It also shows up among the little icons in the bottom right. If you can't find it, you can also run it from the Start menu.
    1. You need to create a new credential. Replace "username" in these instructions with your username
    2. Menubar Credential > New Credentials > Obtain new credentials...
    3. Click on the top bar where it says Kerberos Principal > New Identity
    4. Username: (whatever your username was) and click "Next >"
    5. Realm: CS.RU.IS "Next >"
    6. Keep the default options. Click "Next >"
    7. Make sure "Obtain AFS credentials" is clicked. The Cell should be "cs.ru.is". Note that this must be in lowercase and different than your kerberos realm. Click on "Add/Update" then "Next >"
    8. If you are presented with Kerberos 4 options, disable them. Click "Next >"
    9. You should now type in your password and "Finish"
      1. You will have to get new credentials and type in your password every 8 hours.
    10. If all goes well, you will see that the entry will say you have "Kerberos v5 tickets (s) AFS tokens (1)"
  6. To find AFS, go to "Network" in a Windows Explorer window. There should be an AFS entry, or you can type in "\\AFS\".
    1. Double click on it, then double click on "cs.ru.is"

Linux

Raspberry Pi (Debian)

These instructions are not completely tested.
You will need at least a 4GB card to download all the necessary software and linux kernel

Much of this is taken from http://www.raspberrypi.org/phpBB3/viewtopic.php?f=71&t=17666

Other guides:
  1. Install the latest dist and necessary tools
    sudo bash
    apt-get update
    apt-get -y dist-upgrade
    apt-get -y install gcc make git build-essential dkms
    
  2. Install rpi-update and grab the latest firmware
    cd rpi-update
    apt-get install ca-certificates
    sudo wget http://goo.gl/1BOfJ -O /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update
    
  3. Grab latest kernel
    cd /usr/src
    wget  https://github.com/raspberrypi/linux/tarball/rpi-3.2.27 -O rpi-3.2.27.tgz
    tar xzf rpi-3.2.27.tgz
    
  4. Grab the configs from the kernel
    cd raspberrypi-linux-*
    zcat /proc/config.gz > .config
    make oldconfig
    make modules_prepare
    
  5. Get the
    wget https://github.com/raspberrypi/firmware/raw/master/extra/Module.symvers
  6. Make symlinks for the build system
    KSRC=`pwd`
    pushd /lib/modules/`uname -r`
    ln -s ${KSRC} source
    ln -s ${KSRC} build
    popd
    
    pushd /usr/src
    ln -s ${KSRC} linux-`uname -r`
    ln -s ${KSRC} linux
    popd
  7. Install kerberos packages
    apt-get install krb5-auth-dialog krb5-user krb5-clients libpam-ccreds libpam-krb5
  8. Install the afs client and related modules
    apt-get install  openafs-modules-dkms openafs-{client,krb5}
    1. If it doesn't complete successfully, you can re-run it with:
      dpkg-reconfigure openafs-modules-dkms

Debian/Ubuntu

Note! AFS and Kerberos will mostly autoconfigure on the client side unless RU's DNS is broken. It is very important that you never let the disk that has the AFS cache fill up. If that happens, bad things may occur. See the directions on how to set up a fixed cache if you are concerned about this. In some installations, people put the cache in a separate partition to eliminate the risk.

Kerberos Client

  1. Install packages for Kerberos and AFS
    sudo apt-get install krb5-auth-dialog krb5-user libpam-ccreds libpam-krb5 build-essential dkms linux-headers-`uname -r` libpam-afs-session openafs-modules-dkms openafs-{client,krb5}
  2. The kerberos config will ask you questions, you should answer:
    • realm: RND.RU.IS
    • Kerberos server: ipa2.cs.ru.is
    • Kerberos administrative server: ipa2.cs.ru.is
    • If you need to fix this later, run dpkg-reconfigure krb5-config
  3. Check DNS and hostnames
    • Make sure that the hostname is not listed in /etc/hosts
    • Make sure that the hostname command returns the full hostname e.g. gryla.cs.ru.is
      1. Edit the /etc/krb5.conf
        • search for [domain_realm] and add these lines after
          .cs.ru.is = CS.RU.IS
          cs.ru.is = CS.RU.IS
          
        • After [libdefaults] add
           allow_weak_crypto = true 
      2. if you do not have a Kerberos user name: email csit AT ru.is to give you one
      3. check if it works
        $ kinit YOUR_KERBEROS_USERNAME
        Password for YOUR_KERBEROS_USERNAME@CS.RU.IS:
        $ klist
        Ticket cache: FILE:/tmp/krb5cc_1000
        Default principal: YOUR_KERBEROS_USERNAME@CS.RU.IS
        
        Valid starting     Expires            Service principal
        03/30/12 13:53:15  03/30/12 23:53:15  krbtgt/CS.RU.IS@CS.RU.IS
                renew until 03/31/12 13:53:11
        
      4. if the Kerberos principal and the local username differ
        • create the file ~/.k5login with the content
          MYPRINCIPAL@CS.RU.IS
        • instruct pam-krb5 to read your principal from ~/.k5login by adding the following to /etc/krb5.conf:
          [appdefaults]
                  pam = {
                          search_k5login = true
                  }
          

Now use the Kerberos principal's password when asked for a password on login at your computer and you should automatically get a Kerberos ticket (check with klist after login). If not connected to the Internet, the local password is active/requested again.

AFS Client

  1. Install packages
    sudo apt-get 
    
    1. Cell: cs.ru.is
    2. Cache: 500000 (choose depending on your hard disk space, more cache = less network traffic)
  2. Now setup the cache so it can never overfill (very bad things happen). If you have already setup a partition for the cache then this step is unnecessary.
    cd /var/cache
    sudo dd if=/dev/zero of=openafs-cache.img bs=10M count=55   # (~550 MB partition)
    sudo mkfs.ext4 openafs-cache.img
    sudo sh -c "echo '/var/cache/openafs-cache.img /var/cache/openafs ext4 defaults,loop 0 2' >> /etc/fstab" 
    sudo tune2fs -c 0 -i 0 -m 0 openafs-cache.img
    
  3. test by mounting the cache
    sudo mount /var/cache/openafs
  4. Add entries to /etc/openafs/CellServDB
    1. Note that the AFS cell MUST be lowercase
      >cs.ru.is         # Reykjavik University Computer Science
      130.208.243.205          #ipa1.cs.ru.is
      130.208.243.201             #ipa2.cs.ru.is
      130.208.243.202          #ipa3.cs.ru.is  
      
  5. enable the AFS client (not always needed)
    sudo perl -pi -e's/AFS_CLIENT=false/AFS_CLIENT=true/' /etc/openafs/afs.conf.client
  6. (re-)start the client
    sudo invoke-rc.d openafs-client restart
  7. Get AFS tokens upon login (from pam-afs)
    1. Note that this will only automatically get tokens if you add this line in /etc/pam.d/common-session after the pam_krb5.so line
      session required                        pam_afs_session.so program=/usr/bin/aklog
  8. have fun at /afs/cs.ru.is/
  9. If you want to make it a little simpler, do a symlink from /afs/cs.ru.is/<.,..>/<username> to /home/username
  10. Then you don't have to change /etc/passwd to start using the home directory!
  11. To automatically get Kerberos tickets and AFS tokens, grab this auth-client-config file http://afs.cs.ru.is/project/rndnet/Public/Workstation/etc/auth-client-config/profile.d/rndnet and put it into /etc/auth-client-config. You can also grab them via AFS:
    cp /afs/cs.ru.is/project/rndnet/Public/Workstation/etc/auth-client-config/profile.d/csnet /etc/auth-client-config/profile.d/.
  12. Then run it to set your machine to configure PAM and NSS for kerberos/afs
    sudo auth-client-config -a -p csnet_workstation

Debian 7 on a KVM/Proxmox VM

The VMs need a fix for a module compile problem with struct dentry, which is fixed in openafs 1.6.11, which is sadly not in the stable distribution.

After you follow the main debian instructions, you need to:

  1. Switch to sid (unstable)
    zile /etc/apt/sources.list
    #replace wheezy with sid
    
  2. select 1.6.11
    apt-get update; apt-get install openafs-modules-dkms=1.6.11.1-1
  3. Now the kernel module will build properly.

Redhat Variants

Mageia: https://wiki.mageia.org/en/Installing_OpenAFS_Client

Fedora

OpenAFS has binary builds for up to Fedora 20. Follow the CentOS instructions.

For Fedora 21 (or others) you will need to do a source build. Get the src.rpm and follow these instructions on the wiki
http://wiki.openafs.org/HowToBuildOpenAFSFromSource/
Alternatively use the copr packages from jsbillings

Let's get started

  • Grab the appropriate .repo files and put them into /etc/yum.repos.d
  • Update yum
    yum -y update
  • Prerequisites and the packages
    yum install git-core gcc autoconf automake libtool make flex bison glibc-devel krb5-devel perl-devel ncurses-devel pam-devel kernel-devel-$(uname -r) wget perl-ExtUtils-Embed rpm-build krb5-libs krb5-workstation dkms kernel-headers openafs-client openafs-krb5 dkms-openafs
    
  • Make sure that the /var/cache/openafs got labeled for selinux
    restorecon -r -v /var/cache/openafs
  • Sometimes dkms does not run for newer kernels, check in /var/lib/dkms/openafs. Check which version e.g. 1.6.11-1.fc21 if you need to force it
    dkms --verbose install -m openafs -v 1.6.11-1.fc21
  • Start it up!
    service openafs-client start
  • Update your /etc/krb5.conf. The stock version is missing a lot of entries.

If you have problems, it is most likely that the cache is the wrong size.

Another problem is DKMS refusing to build because you don't have the latest kernel-devel installed, or because an older kernel build is in the way:

dnf -y install kernel-devel-$(uname -r) --allowerasing
dnf reinstall dkms-openafs

Centos

From http://docs.openafs.org/QuickStartUnix/ch02s09.html

  • Install EPEL repos
    • i386 (32 bit)
      rpm -U http://www.fedora.is/epel/6/i386/epel-release-6-8.noarch.rpm
    • x86_64 (64 bit)
      rpm -U http://www.fedora.is/epel/6/x86_64/epel-release-6-8.noarch.rpm
  • Grab the openafs repositories file
    wget http://dl.openafs.org/dl/openafs/1.6.6/openafs-repository-rhel-1.6.1-5.noarch.rpm
  • Install the source repositories
    rpm -U openafs-repository*.rpm
  • Make sure that the source repositories are enabled in /etc/yum.repos.d.
  • Edit /etc/yum.repos.d/openafs-rhel.repo
    • change $basearch to $arch in
      baseurl=http://dl.openafs.org/dl/openafs/1.6.6/rhel$releasever/$arch/
    • set
      gpgcheck=0
      because the rpms are currently not signed (this disables signature checking for packages from this repository)
  • Install kerberos
    sudo yum -y install krb5-libs krb5-workstation
    
  • Install development packages
    sudo yum -y groupinstall "Development Tools"
  • Install the packages
    sudo yum -y install kernel-headers kernel-devel-`uname -r` dkms openafs-client openafs-krb5 dkms-openafs
  • Now go edit /etc/krb5.conf
    [libdefaults]
     default_realm = CS.RU.IS
     dns_lookup_realm = true
     dns_lookup_kdc = true
     allow_weak_crypto = true
    
  • Edit /etc/vice/etc/ThisCell and put cs.ru.is in it
  • Start the services
    sudo service openafs-client start

OSX

Guides:

Install

  1. Install the client at http://openafs.org/macos.html
  2. Install the MIT Kerberos extras http://web.mit.edu/macdev/www/osx-kerberos-extras.html
  3. Reboot

Where is the krb5.conf?

From: http://support.apple.com/kb/TS3265

Kerberos looks for configuration options in these locations (in this order):
  1. ODbundle (magic DNS)
  2. ~/Library/Preferences/edu.mit.Kerberos
  3. /Library/Preferences/edu.mit.Kerberos
  4. /etc/krb5.conf

If you have not installed the MIT Kerberos extras, the files will not exist.

Testing

  1. Notice the lock icon on the top of the Finder window that allows you to start and stop AFS
  2. To get tickets, you need to open a terminal
    1. Use Spotlight and type "Terminal" or go to Applications > Utilities > Terminal
  3. Use kinit to get tickets. Replace user with your username
    1. kinit user@CS.RU.IS
  4. Use aklog to get AFS tokens
    1. aklog cs.ru.is

Useful stuff

The AFS tools are in /Library/OpenAFS/Tools/bin/. You may want to make symlinks in /usr/bin so that you don't have to type the full path every time.

sudo ln -s /Library/OpenAFS/Tools/bin/* /usr/bin/.

Common

At some point in the install, you may need to adjust the Kerberos configuration file. Those instructions will refer you back to here. You don't need to do so until instructed.

On windows systems, this file is c:\Windows\krb5.ini. On OSX and Linux, it is /etc/krb5.conf. See the OSX instructions for alternatives.
You can grab a copy at http://afs.rnd.ru.is/project/rndnet/Public/Workstation/etc/krb5.conf
Make sure it contains these lines. There will be more entries in the file, don't delete them. Also, don't copy the ... lines

[libdefaults]
default_realm = CS.RU.IS
dns_lookup_realm = true
dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
#       ccache_type = 4
        forwardable = true
        proxiable = true
# need this for AFS and MIT
        allow_weak_crypto = yes

#... other stuff ...

[realms]
    CS.RU.IS = {
        kdc = ipa2.cs.ru.is
        kdc = ipa1.cs.ru.is
        kdc = ipa3.cs.ru.is                
        admin_server = ipa2.cs.ru.is
                default_domain = cs.ru.is
    }
#... more stuff ...

[domain_realm]
        .cs.ru.is = CS.RU.IS
        cs.ru.is = CS.RU.IS
        .rnd.ru.is = RND.RU.IS
        rnd.ru.is = RND.RU.IS

#... more stuff ...
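
A check for the lines listed above, as an added example that is not part of the original page or of any Kerberos/OpenAFS tooling. The hypothetical audit_krb5 function confirms the default_realm and [domain_realm] entries this page asks for and reports when allow_weak_crypto is switched on; the sample file is constructed.

```shell
#!/bin/sh
# audit_krb5 FILE: check FILE for the krb5.conf lines this page requires.
# Prints one finding per line; returns 1 if a required line is missing.
# (Hypothetical helper name; realm and domain values are the ones on this page.)
audit_krb5() {
    awk '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }        # comment or blank line
    /^[ \t]*\[/ {                               # [section] header
        gsub(/[ \t]/, ""); section = $0; next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next                       # e.g. the closing "}" of a realm
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        conf[section, key] = val
    }
    function need(sec, key, want) {
        if (conf[sec, key] == want) { print "OK " sec " " key " = " want; return }
        print "MISSING " sec " " key " = " want
        bad = 1
    }
    END {
        need("[libdefaults]", "default_realm", "CS.RU.IS")
        need("[domain_realm]", ".cs.ru.is", "CS.RU.IS")
        need("[domain_realm]", "cs.ru.is", "CS.RU.IS")
        # MIT Kerberos filters out weak enctypes unless this flag is true.
        if (tolower(conf["[libdefaults]", "allow_weak_crypto"]) ~ /^(yes|true|on|1|y|t)$/)
            print "WEAK [libdefaults] allow_weak_crypto is on"
        exit bad
    }' "$1"
}

# Constructed sample (not a real host file): one [domain_realm] line is missing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
        default_realm = CS.RU.IS
        allow_weak_crypto = true
[domain_realm]
        .cs.ru.is = CS.RU.IS
EOF
audit_krb5 "$sample" || echo "krb5.conf is missing required lines"
rm -f "$sample"
```

Run it as audit_krb5 /etc/krb5.conf (or c:\Windows\krb5.ini copied to a Unix host); a WEAK line alone does not change the exit status.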

Debugging problems in windows

http://webchat.freenode.net and connect to channel #openafs

You may need to adjust the Kerberos or CellServDB settings. This is optional and only necessary if you can't see the AFS folders after the above directions.
  • Remember that you need to right-click on your editor first and "Run as administrator" DO NOT OPEN IN NOTEPAD! IT WILL MANGLE THE FILE!!!!
  • CellServDB is in c:\Program Files\OpenAFS\Client
    >rnd.ru.is         # Reykjavik University Computer Science
    130.208.243.205          #ipa1.cs.ru.is
    130.208.243.201             #ipa2.cs.ru.is
    130.208.243.202          #ipa3.cs.ru.is  
    
  • Now edit c:\Windows\krb5.ini. You shouldn't need to do this if DNS is working right. Refer to the Test section above for what should go into that file.

Tools:

Frequently Asked Questions (FAQ)

Lots of issues and suggestions here:

A good place to get help is the #openafs channel at freenode IRC: https://webchat.freenode.net/

How do I calculate the maximum cache size?

See this page: https://wiki.mageia.org/en/Installing_OpenAFS_Client#Check_correct_cache_size_is_defined

Suddenly I can't seem to change the password for local users.

You will need to adjust the minimum UID in the pam settings or it won't let you change the password. In debian, look under /etc/pam.d/common-password

password        [success=2 default=ignore]      pam_krb5.so minimum_uid=2000

Make sure that all of your local (non-kerberos) users have a UID that is lower than the minimum_uid.
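
The two PAM requirements on this page (pam_afs_session.so placed after pam_krb5.so in common-session, and local accounts kept below minimum_uid) can be checked mechanically. This is an added example, not part of the original page; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Hypothetical helper names; the PAM lines checked are the two shown on this page.

# afs_session_after_krb5 FILE: succeed only if FILE (e.g. /etc/pam.d/common-session)
# has a pam_afs_session.so session line after its first pam_krb5.so session line.
afs_session_after_krb5() {
    awk '
    /^[ \t]*#/ { next }
    $1 == "session" && /pam_krb5\.so/ && !krb5 { krb5 = NR }
    $1 == "session" && /pam_afs_session\.so/   { afs = NR }
    END { exit !(krb5 && afs > krb5) }' "$1"
}

# local_users_at_or_above_minimum_uid PAM_FILE PASSWD_FILE: print the accounts in
# PASSWD_FILE whose UID is >= the minimum_uid on the pam_krb5.so password line of
# PAM_FILE. The FAQ above says local accounts must stay below that value.
local_users_at_or_above_minimum_uid() {
    min_uid=$(awk '
        /^[ \t]*#/ { next }
        $1 == "password" && /pam_krb5\.so/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^minimum_uid=[0-9]+$/) { print substr($i, 13); exit }
        }' "$1")
    if [ -z "$min_uid" ]; then
        echo "no minimum_uid on the pam_krb5.so password line of $1" >&2
        return 2
    fi
    # 65534 is the conventional "nobody" account, which never changes a password.
    awk -F: -v min="$min_uid" '$3 + 0 >= min + 0 && $3 != 65534 { print $1 }' "$2"
}

# Constructed sample files (not from a real host).
d=$(mktemp -d)
printf '%s\n' \
    'session optional pam_krb5.so minimum_uid=2000' \
    'session required pam_afs_session.so program=/usr/bin/aklog' > "$d/common-session"
printf '%s\n' \
    'password [success=2 default=ignore] pam_krb5.so minimum_uid=2000' > "$d/common-password"
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'alice:x:1000:1000::/home/alice:/bin/bash' \
    'labuser:x:2500:2500::/home/labuser:/bin/bash' > "$d/passwd"
afs_session_after_krb5 "$d/common-session" && echo "session order OK"
local_users_at_or_above_minimum_uid "$d/common-password" "$d/passwd"   # labuser
rm -rf "$d"
```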

AFS's module loaded but there is nothing in /afs. What went wrong?

You might have a cache size issue or something else stopping the client. The most common problem is that the cache size is bigger than 80% of the free space on the partition where the cache is.

Check the logs. On a systemd/journald system:

systemctl status openafs-client

I can see the AFS cell, but I can't access my files in my home directory/folder

This probably means you are not getting tokens. Make sure you see "AFS tokens(1)" next to your name in the Network Identity Manager.
If you don't:

  1. Menubar: Options > Identities
  2. Click on the entry
  3. Select the AFS tab
  4. Make sure "cs.ru.is" is listed in the table. Make sure that "openafs.org" and "grandcentral.org" are not listed. You can use the "Add/Update" and "Delete" buttons to adjust the list.
  5. Click "Apply"

Another possibility is that AFS has old data in that particular folder. This is where the "flush" commands can be useful. Try these things in this order (it may start working after any of them)

  1. Click on the folder, then right-click AFS > Volume/Partition > Refresh name/ID map
  2. Click on the folder, then right-click AFS > Flush File/Dir
  3. Click on the folder, then right-click AFS > Flush Volume
  4. If that doesn't work, restart AFS through the Control Panel or rebooting

"kinit: KDC has no support for encryption type while getting initial credentials"

This means you need to manually enable weak encryption. This is needed by older AFS in order to get an authentication token. Older Kerberos servers only use the old encryption types. Information at https://bugzilla.redhat.com/show_bug.cgi?id=573968

Solution: Enable weak crypto
  1. Edit /etc/krb5.conf (or equivalent)
    1. Add allow_weak_crypto = yes in the [libdefaults] section

The CS servers use the newer version of AFS (1.8) which supports strong crypto.

While upgrading Kerberos, you are told to restart the Kerberos Cache RPC Server

Solution: Find the Process ID and kill it on the terminal
  1. Start Menu > Run > taskkill /F /PID PID-number

AFS appears to be running (windows) but no \\AFS directory

Oh boy, there are many things that can be wrong here. First run a virus checker to look for rootkits.

A problem that we discovered is TEMP registry entries set to a non-absolute path (e.g. c:\temp is good, foo\bar\temp is bad).

  1. open a cmd.exe as administrator
  2. regedit.exe
  3. Go to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
  4. Change the TMP and TEMP entries to a valid path that everyone can access, particularly SYSTEM
  5. Make sure that these (and windir) are all type REG_EXPAND_SZ

Kerberos complains about a generic error and seeing e-text

Not sure what causes this. Some Google searching implies problems with the directory lookup. The simplest solution is to just delete the user and re-create it.