OpenAFS
Purpose
This howto is just a beginning, but it ultimately aims to provide a complete guide on how to properly set up the current versions of OpenAFS with MIT KerberosV (and who knows, maybe I'll figure out how to set up Kerberos to behave nicely with OpenLDAP too... someday).
Requirements
You will need a Gentoo system. Other distributions may (and often do) place some files in different places so you would have to look elsewhere.
You will have to set your hostname to something that resolves to your external IP (i.e. something other than 127.0.0.1 or the IPv6 equivalent, if this works with IPv6 at all). Note that X requires that your hostname never change during an X session, because it is embedded in its magic cookies (which are needed to open new connections, i.e. to start new clients).
Ideally you would set up a dedicated machine and register it properly in DNS to run an AFS server. For testing purposes, setting up an entry in /etc/hosts should be good enough.
It is necessary to reserve a partition for AFS (unlike Samba, the filesystem is only accessible through the server and uses a special on-disk format). For testing, a file (at least several GB in size) that can be mounted as a loop device should suffice.
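A small pre-flight check for the hostname requirement above. This is an added example, not part of the original wiki page: it resolves the hostname with getent and refuses loopback addresses, which is exactly the situation the requirement warns about. The only system call is getent; the helper functions are pure text checks, so they can be tried on any address string.

```shell
#!/bin/sh
# Added example (not from the original wiki page): a pre-flight check that the
# hostname resolves to something other than a loopback address, as the
# requirements above demand. getent is the only thing touching the real
# system; the helper functions are pure text checks.

# is_loopback ADDR: succeed if ADDR is in 127.0.0.0/8 or is ::1
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# first_address NAME: first address the resolver returns for NAME, empty if none
first_address() {
    getent hosts "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# check_hostname NAME: print the address and succeed when NAME resolves to a
# non-loopback address; otherwise explain on stderr and fail
check_hostname() {
    addr=$(first_address "$1")
    if [ -z "$addr" ]; then
        echo "$1 does not resolve; add it to DNS or /etc/hosts" >&2
        return 1
    fi
    if is_loopback "$addr"; then
        echo "$1 resolves to loopback address $addr; AFS needs the external IP" >&2
        return 1
    fi
    echo "$addr"
}

# Run the check for this machine's own hostname.
check_hostname "$(hostname)" && echo "hostname check passed"
```

Run it on the machine that will become the AFS server; if it complains about a loopback address, fix /etc/hosts or DNS before starting bosserver, since the cell configuration records the address the name resolves to.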
Same old, same old... emerge
If you are here, then you are probably using Gentoo; at least, that's what I'm going to assume from this point on. As the good Gentooer that you are, you know what the next lines are going to be, but that's no reason for me not to say it anyway.
First we tune up our USE flags. For this, as always, I recommend using flagedit (emerge flagedit). Here we need to add the kerberos and afs USE flags.
flagedit +afs +kerberos +ssl +ldap
Now we emerge all that we need. (If someone tries these steps and finds out that I missed something, please let me know, or better, edit this wiki, as I already had working SSL and Kerberos setups at the time of this writing.)
emerge openafs mit-krb5 openssl
Now get yourself a coffee, go take a shower, watch TV, sleep, eat, sleep again, go to the toilet to empty your colon, and it should be almost over... seriously, except X11 and KDE, gnome and openoffice, very few things take that long to compile.
Now you should have OpenAFS, MIT KerberosV (Heimdal lovers, please feel free to complete this guide) and even OpenSSL.
FIXME: ...for the time being, I'll skip Kerberos setup (hopefully I'll come back to it later) and assume from here that you have a working Kerberos realm...
Some more planning
Now you should have everything to start an afs server.
You can name the cell anything you like (it only has to be lowercase), and the realm anything you like in uppercase.
For the purpose of shortening the examples I will use the cell name "acell" and the realm name "ACELL".
Kerberos comes with nice documentation that should get you started.
Be sure you got the Kerberos setup right. You should be able to authenticate using kinit and see a ticket with klist. If your administrative user is admin you can test like this:
kinit admin@ACELL
klist
However, the default is typically root/admin or yourusername/admin instead of just admin.
Setting up basic OpenAFS
Let's start with some theory. OpenAFS is the result of IBM branching its distributed file system and making it open source. It was previously developed by Transarc, which was later bought by IBM, and is now used in the Tivoli server systems suite.
The OpenAFS software suite has a neat modular approach. It is comprised of the following services:
- The Authentication Server (the kaserver process) maintains the Authentication Database
- The Backup Server (the buserver process) maintains the Backup Database
- The Protection Server (the ptserver process) maintains the Protection Database
- The Volume Location (VL) Server (the vlserver process) maintains the Volume Location Database (VLDB)
This is a great feature, since most users/admins will not want to use the integrated authentication server, but rather an already existing KerberosV setup.
You might have noticed that there is also an article about OpenAFS in the Gentoo Handbook. I felt the need to create this one because the official article is getting old. Since it was written, the official Gentoo OpenAFS package structure has changed and the files, paths and configuration settings specified are mostly outdated and it doesn't accurately explain how to integrate OpenAFS with KerberosV.
First we need to start the Basic OverSeer (BOS) Server, which monitors and controls the other AFS server processes on the server machine. The -noauth setting is used for the initial setup since we haven't had the chance to set up authentication and authorization yet. The official documentation states this: "Disabling authorization checking gravely compromises cell security. You must complete all subsequent steps in one uninterrupted pass and must not leave the machine unattended until you restart the BOS Server with authorization checking enabled". All I can say is... good luck with the one-pass thing... and I beg you to do the initial steps offline, or at least on a screened subnet, if this system is to be used seriously/securely (I'll even add, just for the record, that I'd recommend trying this extensively on a development system before moving on to production; now don't say I didn't warn you!).
Now on with the command lines to start our basic services. Remember that we do not start kaserver, the authentication server, since we want to replace it with our own MIT KerberosV server.
First, let bosserver do the initial setup job (creating directories, services, cell config and such). From this point, I will be using <machine name> and <cell name>, <machine name> being the hostname of the AFS server machine, and <cell name> being... well... the cell name you want to create.
bosserver -noauth
bos setcellname <machine name> <cell name> -noauth
Next, we need the buserver, ptserver and vlserver services. To do so, we need to tell the bos server where to find the required services. That's one place where the official OpenAFS documentation and the Gentoo documentation don't quite match the actual Gentoo package structure. Our service binaries were installed in the /usr/libexec/openafs directory by the emerge compile process. Now let's create those services within our current bosserver session.
bos create <machine name> buserver simple /usr/libexec/openafs/buserver -cell <cell name> -noauth
bos create <machine name> ptserver simple /usr/libexec/openafs/ptserver -cell <cell name> -noauth
bos create <machine name> vlserver simple /usr/libexec/openafs/vlserver -cell <cell name> -noauth
Now that you have created the services you can check they are running.
# bos status <server name> -noauth
Instance buserver, currently running normally.
Instance ptserver, currently running normally.
Instance vlserver, currently running normally.
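Since the whole point of this setup is to run without kaserver, it is worth checking the bos status output for two things at once: that the three instances we created are running normally, and that no kaserver instance exists. The script below is an added example, not part of the original page or of OpenAFS; it parses bos status output in the format shown above, and the two sample outputs it ships with are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original wiki page): check the output of
# `bos status <server name> -noauth` for the instances this guide expects.
# The sample outputs below are constructed in the format shown on the page.

# Instances this guide creates; kaserver is deliberately not in the list,
# because MIT KerberosV takes its place.
WANTED="buserver ptserver vlserver"

# Read bos status output on stdin and print the name of every instance that
# reports "currently running normally".
running_instances() {
    awk '/^Instance .*, currently running normally\.$/ { sub(/,$/, "", $2); print $2 }'
}

# check_bos_status STATUS_TEXT: succeed only if every wanted instance is running
# and no kaserver instance exists at all.
check_bos_status() {
    status="$1"
    running=$(printf '%s\n' "$status" | running_instances)
    for inst in $WANTED; do
        if ! printf '%s\n' "$running" | grep -qx "$inst"; then
            echo "instance $inst is not running normally" >&2
            return 1
        fi
    done
    if printf '%s\n' "$status" | grep -q '^Instance kaserver,'; then
        echo "kaserver is configured; this setup replaces it with MIT KerberosV" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the healthy state from the page.
SAMPLE_OK='Instance buserver, currently running normally.
Instance ptserver, currently running normally.
Instance vlserver, currently running normally.'

# Constructed sample: ptserver down and a stray kaserver instance.
SAMPLE_BAD='Instance buserver, currently running normally.
Instance ptserver, temporarily disabled, currently shutdown.
Instance kaserver, currently running normally.'

# On a real server you would pass the live output instead:
#   check_bos_status "$(bos status <server name> -noauth)"
check_bos_status "$SAMPLE_OK" && echo "sample OK: all required instances running"
check_bos_status "$SAMPLE_BAD" || echo "sample BAD: problem detected as expected"
```

The kaserver check is the security-relevant half: if an instance by that name ever shows up, someone created it, and it would be accepting AFS-native authentication next to your Kerberos realm.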
To restart in noauth mode, run bosserver -noauth again.
To start with authentication, use /etc/init.d/openafs-server start, and later /etc/init.d/openafs-server stop to stop the server.
Even if you set up the authentication incorrectly, you can still stop the server this way.
Setting up OpenAFS to communicate securely with MIT KerberosV
It is necessary to create a user in the AFS protection database. The steps, as listed at http://www.gentoo.org/doc/en/openafs.xml#doc_chap5_sect5:
# bos adduser <server name> admin -cell <cell name> -noauth
# pts createuser -name admin -cell <cell name> [-id <AFS UID>] -noauth
# pts adduser admin system:administrators -cell <cell name> -noauth
# pts membership admin -cell <cell name> -noauth
Groups admin (id: 1) is a member of:
  system:administrators
Now add a principal for the AFS server into Kerberos (lines starting with the kadmin: prompt are the commands you type; everything else is output):
kadmin -r ACELL -p admin
Password for admin@ACELL:
kadmin: addprinc -randkey afs/acell
NOTICE: no policy specified for afs/acell@ACELL; assigning "default"
Principal "afs/acell@ACELL" created.
kadmin: ktadd -k /etc/afs.keytab -e "des-cbc-crc:normal" afs/acell
Entry for principal afs/acell with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/afs.keytab.
kadmin: getprinc afs/acell
Principal: afs/acell@ACELL
Expiration date: [never]
Last password change: ...
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: ... (admin@ACELL)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 3, DES cbc mode with CRC-32, no salt
Attributes:
Policy: default
Use asetkey to add the key to AFS (this has to be done on the server machine itself, since it needs direct access to the files storing the keys). Note the kvno (3 in the kadmin output above), which has to be copied from the kadmin output.
asetkey add 3 /etc/afs.keytab afs/acell
# asetkey list
kvno 3: key is: ...
All done.
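Because the kvno is copied by hand from the kadmin output into the asetkey command, the two can drift apart (for example after a second ktadd bumps the kvno in the keytab while the AFS KeyFile still holds the old one), and aklog then fails in the next step. The script below is an added example, not from the original page or from OpenAFS: it parses the "Entry for principal ..." line kadmin prints and the asetkey list output, both in the formats shown above, and reports whether they agree. Its sample outputs are constructed, and the key hex in them is a placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not part of the original wiki page): confirm that the kvno
# kadmin wrote to /etc/afs.keytab is the kvno asetkey loaded into AFS.
# A mismatch here is the classic reason aklog fails in the next step.
# The sample outputs are constructed in the formats shown on the page; the
# key hex in them is a placeholder, not a real key.

# Read kadmin's ktadd output on stdin, print "principal kvno" for each entry.
kvno_from_ktadd() {
    sed -n 's/^Entry for principal \([^ ]*\) with kvno \([0-9][0-9]*\),.*/\1 \2/p'
}

# Read `asetkey list` output on stdin, print every kvno it lists.
kvnos_from_asetkey() {
    sed -n 's/^kvno \([0-9][0-9]*\): key is:.*/\1/p'
}

# keys_consistent PRINCIPAL KTADD_OUTPUT ASETKEY_OUTPUT
# Print the kvno and succeed when the keytab entry for PRINCIPAL has a matching
# kvno in the AFS KeyFile; otherwise explain on stderr and fail.
keys_consistent() {
    princ="$1"; ktadd_out="$2"; asetkey_out="$3"
    want=$(printf '%s\n' "$ktadd_out" | kvno_from_ktadd | awk -v p="$princ" '$1 == p { print $2 }')
    if [ -z "$want" ]; then
        echo "no keytab entry for $princ in the ktadd output" >&2
        return 1
    fi
    if ! printf '%s\n' "$asetkey_out" | kvnos_from_asetkey | grep -qx "$want"; then
        echo "kvno $want for $princ is in the keytab but not in the AFS KeyFile; rerun asetkey add $want" >&2
        return 1
    fi
    echo "$want"
}

# Constructed samples in the page's output formats.
KTADD_OUT='Entry for principal afs/acell with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/afs.keytab.'
ASETKEY_OK='kvno 3: key is: 0123456789abcdef
All done.'
ASETKEY_STALE='kvno 2: key is: fedcba9876543210
All done.'

# On the server, pass the "Entry for principal ..." line you got from kadmin
# and "$(asetkey list)" instead of the samples.
keys_consistent afs/acell "$KTADD_OUT" "$ASETKEY_OK" && echo "keytab and KeyFile agree"
keys_consistent afs/acell "$KTADD_OUT" "$ASETKEY_STALE" || echo "stale KeyFile detected as expected"
```

If the check fails after a repeated ktadd, the keytab now holds a newer kvno than the KeyFile; run asetkey add again with the kvno the script reports.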
Now restart the bos server with authentication and get a ticket for admin with kinit. You should then be able to authenticate to AFS with aklog.
# aklog -cell acell -k ACELL -d
Authenticating to cell acell (server <hostname>).
We were told to authenticate to realm ACELL.
Getting tickets: afs/acell@ACELL
Using Kerberos V5 ticket natively
About to resolve name admin to id in cell acell.
Id 1
Set username to AFS ID 1
Setting tokens. AFS ID 1 / @ ACELL
Storing data in the filesystem
Refer to http://www.gentoo.org/doc/en/openafs.xml#doc_chap5_sect6 for information on starting the fileserver services.
If you start openafs-client as well and log in with aklog, you should be able to access /afs.
# ls -A /afs
acell .acell
# fs lsmount /afs/.acell /afs/acell
'/afs/.acell' is a mount point for volume '%acell:root.cell'
'/afs/acell' is a mount point for volume '#acell:root.cell'
As you can see, there is a volume root.cell mounted at /afs/acell. However, the volume does not exist yet.
# ls /afs/acell/
ls: cannot open directory /afs/acell/: No such device
To create the volume you will need the dedicated partition mentioned in the requirements.
# vos create `hostname` <partition mountpoint> root.cell
Volume ... created on partition <partition mountpoint> of <hostname>
Test with touch /afs/acell/test
# ls /afs/acell/
ls: cannot open directory /afs/acell/: Permission denied
