Gentoo Forums
Forum Index > Documentation, Tips & Tricks
AFS with MIT-Kerberos5
Kooky (n00b; joined 10 Sep 2005; posts: 23; location: Mannheim)
Posted: Sat Apr 01, 2006 3:07 pm    Subject: AFS with MIT-Kerberos5

Hi there,
I've written a howto about setting up OpenAFS with MIT-Kerberos5 in German and just want to ask if anyone is interested in a translation?
https://forums.gentoo.org/viewtopic-t-449153.html

Greets Kooky
benster (n00b; joined 30 Nov 2005; posts: 67; location: Funkytown)
Posted: Sat Apr 01, 2006 7:43 pm

I'd say that a translation would be great. If you can spare the time... :-)
Kooky (n00b; joined 10 Sep 2005; posts: 23; location: Mannheim)
Posted: Sat Apr 01, 2006 8:49 pm

No problem, I will write it tomorrow (maybe someone has to review it then)

Greets Kooky
benster (n00b; joined 30 Nov 2005; posts: 67; location: Funkytown)
Posted: Sun Apr 02, 2006 4:04 am

Cool! While I may not be up on all the small details of AFS/Kerberos, I would volunteer to help polish the translation if you like.
Kooky (n00b; joined 10 Sep 2005; posts: 23; location: Mannheim)
Posted: Sun Apr 02, 2006 8:24 am

Installation:

First we need to install the openafs and mit-krb5 packages

emerge -av openafs openafs-kernel mit-krb5

(Please make sure that you enable krb4 support because OpenAFS uses something different from Kerberos 4 tickets)

Configuration:

Kerberos:
Now you have to modify your kdc.conf file (you can find it in /etc/krb5kdc/kdc.conf).
In this howto I use EXAMPLE.COM for my realm (please change that to your domain in uppercase).

Code:

#/etc/krb5kdc/kdc.conf

[kdcdefaults]
kdc_ports = 750,88

[realms]
EXAMPLE.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = /etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 8d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log



Now issue the client configuration
Code:

#/etc/krb5.conf

[libdefaults]
default_realm = EXAMPLE.COM

[realms]
EXAMPLE.COM = {
kdc = krb.example.com:88
admin_server = krb.example.com:749
default_domain = example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[kdc]
profile = /etc/krb5kdc/kdc.conf



Please also change EXAMPLE.COM to your domain and the kdc/admin-server to your server here

Initialisation of your database:
We will now initialize your kerberos database:
Code:

kdb5_util create -s


Now we will add the necessary users to Kerberos (also called principals). We need one user (I will call him afsadmin) who will also be the administrator of our AFS, and one for our AFS (if you don't know how Kerberos works please take a look at the MIT website).

For that we will enter the *interactive* Kerberos console
Code:

kadmin.local


Now we add the users

Code:

kadmin.local: ank afsadmin

kadmin.local: ank -randkey afs


(ank is the short form for addprinc, which is the short form for add_principal; the programmers had too much time I think *g*)

Now that we have our two users we have to give AFS its key

I will now not enter the *interactive* mode and extract the key to the file /etc/krb5.keytab.afs. AFS doesn't understand all keys (please correct me if I'm wrong), so we have to extract just one

Code:

kadmin.local -q "ktadd -e des-cbc-crc:afs3 -k /etc/krb5.keytab.afs afs"


The next command will tell AFS that it should use that key

Code:

kadmin.local -q "getprinc afs"

asetkey add 3 /etc/krb5.keytab.afs afs


The "3" comes from "Key: vno" in the output of the "getprinc afs" command; it can also be a different number, so please check that

OK, now we are finished with Kerberos and can start with the OpenAFS configuration

Please first check if there is already an AFS instance running (ps ax | grep bos); if yes, KILL it!

Configuration:
Set the cellname

Code:

echo "example.com" > /etc/openafs/server/ThisCell


Add the cell to the celldatabase

Code:

echo ">example.com #Example Cell" > /etc/openafs/server/CellServDB
echo "192.168.1.1 #afs.example.com" >> /etc/openafs/server/CellServDB


!! "#" is NOT a comment!!

Starting the bosserver:

Code:

bosserver -noauth


The -noauth flag runs bosserver without authentication. (For security reasons you should cut all network connections)

Code:

bos setcellname afs.example.com example.com -noauth


Checking if we are the first database server:
Code:

bos listhosts afs.example.com -noauth


Starting of all services

Code:

bos create server buserver simple /usr/libexec/openafs/buserver -cell example.com -noauth

bos create server ptserver simple /usr/libexec/openafs/ptserver -cell example.com -noauth

bos create server vlserver simple /usr/libexec/openafs/vlserver -cell example.com -noauth



I also start the backup server and I will explain that later.

But first I will explain the other services. Those who have already read the OpenAFS documentation may miss the kaserver. Yes, I don't start it because we are using MIT Kerberos for that.
The rest are just the volume location server (vlserver), which is responsible for the volumes, and the protection server (ptserver), which is responsible for the access rules.

Creating the administrator:
Code:

pts createuser -name afsadmin -cell example.com -noauth

pts adduser afsadmin system:administrators -cell example.com -noauth

pts membership afsadmin -cell example.com -noauth

bos adduser afs.example.com afsadmin -noauth


This is the user we added above to the Kerberos database. Now he is also in the AFS user database, and we also add him to the group system:administrators.

Now we start the rest of AFS services:

Code:

bos create afs.example.com fs fs /usr/libexec/openafs/fileserver /usr/libexec/openafs/volserver /usr/libexec/openafs/salvager -cell example.com -noauth


And shutdown the bosserver

Code:

bos shutdown afs.example.com -noauth


Now we need one (or more) partitions for AFS. The partition should have ext2; if ext3 works I don't know (never tested).
The partition should be mounted at /vicepa (if you use more please mount them at /vicepb, /vicepc and so on)

If the directory /afs doesn't exist please create it
Code:

mkdir /afs


OK, I hope I didn't miss something and we can make some coffee

Starting the AFS:
Now start the OpenAFS server and client with /etc/init.d/<the name the maintainer gives it today>-server start (same for client)

(Also take care that the kerberos server is running!)

First we have to authenticate to Kerberos (because bosserver is now running without the -noauth flag)

Code:

kinit afsadmin

aklog


Now we will create the directory structure of our afs cell:

Code:

vos create afs.example.com /vicepa root.afs -cell example.com

vos create afs.example.com /vicepa root.cell -cell example.com

vos create afs.example.com /vicepa home -cell example.com


I call my home-volume "home" and also will use that name in later scripts.

Creating mountpoints and replica:

Code:

cd /afs

fs mkm /afs/example.com root.cell

fs mkm /afs/.example.com root.cell -rw

vos addsite afs.example.com /vicepa root.afs

vos release root.afs

vos addsite afs.example.com /vicepa root.cell

fs mkm /afs/.example.com/home home

vos release root.cell

vos addsite afs.example.com /vicepa home

vos release home

fs checkvolumes

fs sa /afs system:anyuser l

fs sa /afs/example.com system:anyuser l

So, what have we done here? We have created a mount point for root.cell in afs and also created one for read-write access. Then we created some read-only replicas and set the access for every user to "l" (list). But you should issue the "fs help" and "vos help" commands to read more about it.

Now you should be able to access /afs/example.com/home.

Adding Users:
To add a user you have to add him to Kerberos and to AFS.

Code:

kadmin.local -q "addprinc <user>"

pts createuser <user> -id <uid>

pts adduser <user> -group <group>

If you don't have a group please create one with "pts creategroup <group>"

!! Notice! Please use the same uid in AFS as you have in your normal system or you will have some problems with access.
Maybe use LDAP for that.

Now we will create the users home directory:
Code:

vos create afs.example.com /vicepa home.<user> -maxquota 0

fs mkm /afs/.example.com/home/<user> home.<user>

fs sa /afs/.example.com/home/<user> <user> all

vos release home

fs checkvolumes

vos backup home.<user>

fs mkm /afs/example.com/home/<user>/.backup home.<user>.backup

Maybe create a bash script for that.
But first I will explain what we have done.
First we created a user volume called home.<user> with maxquota 0 (infinity, or until the disk is full *g*); you can also set an exact value for that. Then we mounted it into home and set the ACL to "all". After that we took over the changes from home into the replica and checked the filesystem. We also created a backup volume for it and mounted it into the directory ~/.backup

To make the backup a little bit automatic I use the following really bad script:

Code:

#!/bin/sh
# List all volumes on the file server, keep the first column (the volume
# name), keep only the home.* volumes and drop the "home" volume itself as
# well as the readonly and backup copies; then make a backup volume of each.
vos listvol afs.example.com -localauth | sed 's/ .*//' | grep -e ^home | grep -v -e home$ -e readonly$ -e backup$ > /root/backupvol
while read -r line
do
    echo "Creating backup of $line"
    vos backup "$line" -localauth
    echo "done"
done < /root/backupvol


And start it every night with a cron job.

Now we will set up the other backup system (you remember the buserver above).
But first we will start the tape controller. Maybe you will now think "what is a tape controller, or even a tape, and do I have something like that?" The answer is maybe "no". But that doesn't matter, because we will not put our backups on tapes; we will use our normal disks.

So please go into the directory /var/lib/openafs, create the directory "backup" there and create the following files:


Code:

/var/lib/openafs/backup/tapeconfig

1GB 0 /dev/FILE 0


The 1GB is the size of your "tape"; maybe it should be a little bit bigger (just use the free size of the disk you want to put your backup on)

Now we create our "tape" (yes, I know we don't have a tape, but that doesn't matter; we just act as if we have one).
As you see above we told the tape controller that it should use the device /dev/FILE,
and here is the configuration for that device:
Code:

/var/lib/openafs/backup/CFG_FILE

FILE YES
MOUNT /root/afsbackup
UNMOUNT /root/afsbackup
NAME_CHECK No
ASK No


In that configuration I say that the device is a file ("FILE YES") and that the controller should execute the script /root/afsbackup when it tries to mount/unmount the tape; I also disable the name check, and I don't want to be asked anything (because I will back up automatically later)

Now what is missing? Yes, the script. I use the one from the OpenAFS documentation:
Code:

/root/afsbackup

#! /bin/csh -f
set devicefile = $1
set operation = $2
set tries = $3
set tapename = $4
set tapeid = $5
set exit_continue = 0
set exit_abort = 1
set exit_interactive = 2
#--------------------------------------------
if (${tries} > 1) then
    echo "Too many tries"
    exit ${exit_interactive}
endif
if (${operation} == "labeltape") then
    echo "Won't label a tape/file"
    exit ${exit_abort}
endif
if ((${operation} == "dump") |\
    (${operation} == "appenddump") |\
    (${operation} == "restore") |\
    (${operation} == "savedb") |\
    (${operation} == "restoredb")) then
    # /path/to/backup is the directory that holds the "tape" files; adjust it
    /bin/rm -f ${devicefile}
    /bin/ln -s /path/to/backup/${tapename}_${tapeid} ${devicefile}
    if (${status} != 0) exit ${exit_abort}
endif

exit ${exit_continue}


Now we can start the tapecontroller:
Code:

butc -localauth


Maybe start it in a new shell, or even use "screen", which should be the best way

After the start, enter the *interactive* backup console
Code:

backup


And create a volumeset
Code:

backup> addvolset -name home
backup> addvolentry -name home -server afs.example.com -partition /vicepa -volumes home..*.backup


Now add the backup server
Code:

backup> addhost -tapehost afs.example.com -portoffset 0


And create a dump level. I just create one; you can create as many as you want:
Code:

backup> adddump -dump /week -expires 6d


Now you can test it:

Code:

backup> dump -volumeset home -dump /week -portoffset 0


If you have any questions please post them here or write me an email: kooky@madkooky.de


It is not allowed to copy or even link this article to another website.
Spelling and grammar mistakes are licensed under the GPL3 and can be used in other documents.
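The asetkey step above depends on two numbers agreeing: the key version the KDC currently holds for the afs principal (ktadd generates a fresh key and bumps the version, which is why getprinc is run after it) and the version stored in the keytab you hand to asetkey. If they differ, the file servers hold a key nobody's tokens were encrypted with and every aklog'd user is treated as anonymous. The following is an added check, not part of Kooky's howto; it parses the output of `getprinc` and `klist -k -e` and prints the asetkey command only when the versions match. The realm EXAMPLE.COM, the keytab path and the sample command output are assumptions taken from the post, and the samples are constructed, not captured from a real KDC.

```sh
#!/bin/sh
# Added example (not from the post): verify that the key version given to
# asetkey is the one the KDC holds for the afs principal. The parsers take
# command output as a string so they can be tried on the constructed samples.

# kdc_afs_kvno GETPRINC_OUTPUT: print the vno of the single DES/afs3-salted
# key from `kadmin.local -q "getprinc afs"`; fail if there is none or several.
kdc_afs_kvno() {
  set -- $(printf '%s\n' "$1" | sed -n 's/^Key: vno \([0-9][0-9]*\),.*AFS version 3.*$/\1/p')
  [ $# -eq 1 ] || { echo "kdc_afs_kvno: expected one afs3 key, found $#" >&2; return 1; }
  echo "$1"
}

# keytab_kvnos KLIST_OUTPUT PRINCIPAL: print every kvno stored for PRINCIPAL
# in the output of `klist -k -e <keytab>` (column 1 = KVNO, column 2 = name).
keytab_kvnos() {
  printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }'
}

# afs_key_check GETPRINC_OUTPUT KLIST_OUTPUT PRINCIPAL KEYTAB: succeed and
# print the asetkey command when the KDC's current afs3 key version is present
# in the keytab; otherwise say which ktadd to rerun and fail.
afs_key_check() {
  db=$(kdc_afs_kvno "$1") || return 1
  for k in $(keytab_kvnos "$2" "$3"); do
    if [ "$k" = "$db" ]; then
      echo "asetkey add $db $4 $3"
      return 0
    fi
  done
  echo "afs_key_check: $4 has no vno $db for $3; rerun: kadmin.local -q \"ktadd -e des-cbc-crc:afs3 -k $4 $3\"" >&2
  return 1
}

# Constructed sample output in MIT krb5 wording (assumed, not captured).
SAMPLE_GETPRINC='Principal: afs@EXAMPLE.COM
Expiration date: [never]
Last password change: Sun Apr 02 08:10:11 CEST 2006
Number of keys: 1
Key: vno 3, DES cbc mode with CRC-32, AFS version 3
Attributes:
Policy: [none]'

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab.afs
KVNO Principal
---- --------------------------------------------------------------------------
   3 afs@EXAMPLE.COM (DES cbc mode with CRC-32)'

# The same keytab written before ktadd was rerun: it only holds the old version.
STALE_KLIST='Keytab name: FILE:/etc/krb5.keytab.afs
KVNO Principal
---- --------------------------------------------------------------------------
   2 afs@EXAMPLE.COM (DES cbc mode with CRC-32)'

# Real use on the KDC, as root:
#   afs_key_check "$(kadmin.local -q 'getprinc afs')" \
#                 "$(klist -k -e /etc/krb5.keytab.afs)" afs@EXAMPLE.COM /etc/krb5.keytab.afs
```

Run against the constructed samples, the first check prints `asetkey add 3 /etc/krb5.keytab.afs afs@EXAMPLE.COM`; the stale keytab is rejected with the ktadd command to rerun. asetkey accepts the full principal name, so the realm is kept rather than relying on the default realm as the post's `afs` argument does.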
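The post suggests a bash script for the Adding Users steps. The one below is an added example, not Kooky's code; it prints the command sequence instead of running it so the plan can be reviewed first, and it refuses a user who has no local account, so the pts id always matches the system uid (the access problem the notice above warns about). Cell example.com, file server afs.example.com, partition /vicepa and the read/write home path /afs/.example.com/home are assumptions taken from the post; the 22-character volume-name limit is OpenAFS's own.

```sh
#!/bin/sh
# Added example (not from the post): generate the Kerberos + AFS commands that
# provision one user, with the checks a practitioner wants before running them.
CELL=${CELL:-example.com}
SERVER=${SERVER:-afs.example.com}
PART=${PART:-/vicepa}
HOME_RW=${HOME_RW:-/afs/.$CELL/home}

# system_uid NAME: print the uid of the local system account, nothing if there
# is none. A function so a test can replace the lookup.
system_uid() { id -u "$1" 2>/dev/null; }

# valid_name NAME: accept only names that are safe as a principal, a pts user
# and a volume-name component. vos create limits names to 22 characters and
# "home." uses 5 of them, so 17 are left for the user.
valid_name() {
  case $1 in
    '' | *[!a-z0-9_-]* | -*) return 1 ;;
  esac
  [ ${#1} -le 17 ]
}

# user_plan NAME [QUOTA_KB] [GROUP]: print, one per line, the commands that
# create the principal, the pts entry with the *same* uid as the system
# account, the volume, the mount point, the ACL and the backup volume.
# Nothing is executed: review the output, then pipe it into sh as afsadmin
# with valid tokens (kinit afsadmin; aklog).
user_plan() {
  name=$1 quota=${2:-0} group=$3
  valid_name "$name" || { echo "user_plan: bad user name '$name'" >&2; return 2; }
  case $quota in
    *[!0-9]* | '') echo "user_plan: quota must be an integer in KB" >&2; return 2 ;;
  esac
  uid=$(system_uid "$name")
  if [ -z "$uid" ]; then
    echo "user_plan: no system account for $name; create it first so the pts id matches" >&2
    return 3
  fi
  echo "kadmin.local -q \"addprinc $name\""
  echo "pts createuser $name -id $uid -cell $CELL"
  [ -n "$group" ] && echo "pts adduser $name -group $group -cell $CELL"
  echo "vos create $SERVER $PART home.$name -maxquota $quota -cell $CELL"
  echo "fs mkm $HOME_RW/$name home.$name"
  echo "fs sa $HOME_RW/$name $name all"
  echo "vos release home -cell $CELL"
  echo "fs checkvolumes"
  echo "vos backup home.$name -cell $CELL"
  echo "fs mkm $HOME_RW/$name/.backup home.$name.backup"
}

# Usage:  user_plan alice 500000 staff        (review)
#         user_plan alice 500000 staff | sh   (apply)
```

The .backup mount point is made through the read/write path of home; since home.<user> itself is never replicated there is no second `vos release` to do. The addprinc line still prompts for the user's initial password when the plan is applied.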
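The nightly backup script in the post selects volumes by name suffix, which quietly drops a user whose name ends in "backup" or "readonly" and keeps "home.foo.home"-style names. The version below is an added example, not the author's script; it selects by the volume type column of `vos listvol` instead, counts failures so cron mail says something useful, and can be dry-run. The server name afs.example.com comes from the post; the `vos listvol` output embedded below is constructed to exercise the filter and was not captured from a real cell.

```sh
#!/bin/sh
# Added example (not Kooky's script): back up every read/write home.* volume,
# chosen by the RW column of `vos listvol` rather than by name pattern.
SERVER=${SERVER:-afs.example.com}

# rw_home_volumes: read `vos listvol SERVER -localauth` output on stdin and
# print the names of RW volumes named home.<something>, one per line. The
# "home" volume itself, its .readonly clone and .backup clones are not RW
# home.* volumes and so are never selected.
rw_home_volumes() {
  awk '$3 == "RW" && $1 ~ /^home\./ { print $1 }'
}

# backup_volumes: run `vos backup` for every volume name on stdin, report the
# count, and fail if any backup failed. Set VOS="echo vos" for a dry run.
backup_volumes() {
  VOS=${VOS:-vos}
  n=0 failed=0
  while read -r vol; do
    [ -n "$vol" ] || continue
    if $VOS backup "$vol" -localauth </dev/null; then
      n=$((n + 1))
    else
      failed=$((failed + 1)); echo "backup of $vol failed" >&2
    fi
  done
  echo "$n backed up, $failed failed" >&2
  [ "$failed" -eq 0 ]
}

# Constructed sample of `vos listvol afs.example.com -localauth` output; the
# user "backup" (volume home.backup) is the case the suffix filter would miss.
SAMPLE_LISTVOL='Total number of volumes on server afs.example.com partition /vicepa: 7 
home                              536870915 RW          2 K  On-line
home.readonly                     536870916 RO          2 K  On-line
home.alice                        536870918 RW         10 K  On-line
home.alice.backup                 536870920 BK         10 K  On-line
home.backup                       536870921 RW          5 K  On-line
root.cell                         536870912 RW          2 K  On-line
root.cell.readonly                536870913 RO          2 K  On-line

Total volumes onLine 7 ; Total volumes offLine 0 ; Total busy 0'

# From cron (root, because -localauth reads the server KeyFile):
#   vos listvol "$SERVER" -localauth | rw_home_volumes | backup_volumes
# Dry run against the sample:
#   printf '%s\n' "$SAMPLE_LISTVOL" | rw_home_volumes | VOS="echo vos" backup_volumes
```

`-localauth` means the job must run on a database/file server as root; keep the script root-owned and not world-writable, since whatever it runs gets a server-key token.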
stillman (Apprentice; joined 07 Dec 2002; posts: 223; location: Vienna, Austria)
Posted: Mon May 22, 2006 9:35 am

Just started installing openafs on my test cluster following your tutorial; thanks for writing it, it helps me a lot.
So far I have little knowledge about AFS & Kerberos (though I read the Kerberos dialogue as suggested and searched the openafs-faq as well as Google for some info), therefore please excuse me if my question is unqualified.

Is there a way to automatically mount an openafs partition on reboot without manual intervention (providing a password or similar)? I want to implement this for a webserver that should boot and work (with its data on AFS) without having to do anything manually...

One thing in your tutorial didn't work for me so far: asetkey. Which package have you installed to get this command? Or have you manually installed the openafs-krb5 package? [edit][SOLVED]: asetkey is installed with the masked openafs-v1.4.1[/edit]
schmeggahead (Guru; joined 25 Feb 2003; posts: 314; location: Columbus, Ohio)
Posted: Sun Mar 15, 2009 10:56 pm

For anyone doing OpenAFS and krb5:

make sure you enable keys in the kernel (enable "access key retention" under Security); it breaks the module links in the libafs module if you are on hardened-sources.
All times are GMT