Here is described installation of openafs server and client on SUSE linux.
This text is based on AFS Quick Start Guide. The differences are:
- paths are adapted to SUSE installation
- uses Kerberos 5 authentization
Complete OpenAFS documentation is at http://openafs.org
SERVER SETUP
============
# choose an AFS cell name and a Kerberos realm name, the simplest setup is:
# - AFS cell name equal to DNS domain name
# - Kerberos realm name equal to uppercase AFS cell name
# create a partition for AFS filesystem and mount it under /vicepa
# start bosserver
/usr/sbin/bosserver -noauth &
# setup basic cell information
bos setcellname your.afs.server your.cell.name -noauth
# setup database servers processes
bos create your.afs.server ptserver simple /usr/lib/openafs/ptserver -cell your.cell.name -noauth
bos create your.afs.server buserver simple /usr/lib/openafs/buserver -cell your.cell.name -noauth
bos create your.afs.server vlserver simple /usr/lib/openafs/vlserver -cell your.cell.name -noauth
# If you want to use the old afs authentization (not recommended):
# bos addkey your.afs.server -kvno 0 -cell your.cell.name -noauth
# Authentication against heimdal krb5 server
# Here you can set up kerberos realm if you dont have any,
# see documentation in package krb5-doc
# restart kdc
rckrb5kdc restart
rckrb524d restart
# create afs principal in kerberos database
kadmin.local
add_principal afs@YOUR.KERBEROS.REALM # create afs key, use random password
ktremove -k /etc/krb5.keytab afs all # delete old afs key if any
# export the afs key to external keytab
# note the key version number (kvno), you will need it later for asetkey
ktadd -e des-cbc-crc:v4 afs@YOUR.KERBEROS.REALM
add_principal admin@YOUR.KERBEROS.REALM # create admin principal
quit # end kadmin.local
rm /etc/openafs/server/KeyFile # delete the old afs key file if any
# convert the afs key from /etc/krb5.keytab to /etc/openafs/server/KeyFile
# use <kvno> displayed by ktadd
asetkey add <kvno> /etc/krb5.keytab afs
# give admin the permissions to control bosserver
bos adduser your.afs.server admin -cell your.cell.name -noauth
# add admin to group system:administrators
pts createuser -name admin -id <user id> -cell your.cell.name -noauth
pts adduser admin system:administrators -cell your.cell.name -noauth
# restart bos server
bos restart your.afs.server -all -cell your.cell.name -noauth
# create fileserver processes
bos create your.afs.server fs fs /usr/lib/openafs/fileserver /usr/lib/openafs/volserver /usr/lib/openafs/salvager -cell your.cell.name -noauth
# create root volume
vos create your.afs.server /vicepa root.afs -cell your.cell.name -noauth
# restart bosserver with security enabled
rcopenafs-fileserver restart
CLIENT SETUP
============
IMPORTANT: Unfortunately, openafs client for linux kernel 2.6 has not reached
stable state yet. There may be problems.
edit /etc/sysconfig/openafs-client, set at least
REGENERATE_CELL_INFO="yes"
THIS_CELL="your.cell.name"
THIS_CELL_SERVER="your.afs.server"
If you are configuring first afs server and the volume root.cell does not
exist yet, you have to set also DYNROOT=no. After finishing the server
installaton it is better to change DYNROOT back to 'yes' as the client
behaves better on startup with network outage.
# start afs client
rcopenafs-client start
# login as admin
kinit admin
aklog -d # convert Kerberos 5 ticket to AFS token
To enable transparent login via pam, install package pam_krb5
and add 'call_modules=krb5afs' to /etc/security/pam_unix2.conf
For details look at pam_krb5afs(5), pam_krb5afs(8) and pam_unix2(8) manpages.
Now you have working afs server and client. You can continue with chapter
"Configuring the Top Levels of the AFS Filespace" of AFS Quick Start Guide.
