Difference between revisions of "OpenAFS"

OpenAFS is an open-source implementation of the Andrew File System.

OpenAFS Client Installation on Debian

1. Install the prerequisite packages
   • krb5-user
   • krb5-clients
   • openafs-krb5
   • openafs-client
   • module-assistant
   • openafs-modules-dkms
2. Set the cell name (this should be a FQDN, such as ece.vt.edu)
3. Set the Kerberos realm (generally the same as the cell name, but in all caps, e.g. ECE.VT.EDU)
4. Set the Kerberos authentication and admin servers (e.g. auth.ece.vt.edu for the ECE deparment)
5. Obtain the CellServDB files necessary for your cell. If it is a "public cell", its servers should be published in the CellServDB that openafs-client downloads. If not, you'll need to obtain the database server information from your cell's administrator and append it to /etc/openafs/CellServDB
6. Run the module assistant to compile openafs modules for your kernel
   • sudo m-a prepare
   • sudo m-a auto-install openafs
   • sudo modprobe openafs
7. Restart the client by issuing sudo /etc/init.d/openafs-client restart
8. Assuming you chose to use the -dynroot flag during installation (that is the default), all cells should be accessible in /afs

Client Authentication Instructions

OpenAFS relies on Kerberos for authentication in order to access non-public shares. Follow this procedure to obtain Kerberos tokens for AFS:

1. Authenticate to your Kerberos server by issuing kinit username@YOUR.KERBEROS.REALM.COM
2. (optional) View your Kerberos tokens with klist
3. Login to AFS with aklog
4. (optional) View your AFS tokens with tokens

In order to view permissions on a directory, you can issue the fs la /afs/path/to/directory. All users are part of the system:anyuser group, and all users who have authenticated with your Kerberos server are part of the system:authuser group.