Gentoo Forums
Forum: Documentation, Tips & Tricks
AFS with MIT-Kerberos5

Joined: 10 Sep 2005
Posts: 23
Location: Mannheim

PostPosted: Sat Apr 01, 2006 3:07 pm    Post subject: AFS with MIT-Kerberos5

Hi there,
I've written a howto about setting up OpenAFS with MIT-Kerberos5 in German and just want to ask if anyone is interested in a translation?

Greets Kooky

Joined: 30 Nov 2005
Posts: 67
Location: Funkytown

PostPosted: Sat Apr 01, 2006 7:43 pm

I'd say that a translation would be great. If you can spare the time... :-)

Joined: 10 Sep 2005
Posts: 23
Location: Mannheim

PostPosted: Sat Apr 01, 2006 8:49 pm

No problem, I will write it tomorrow (maybe someone has to review it then).

Greets Kooky

Joined: 30 Nov 2005
Posts: 67
Location: Funkytown

PostPosted: Sun Apr 02, 2006 4:04 am

Cool! While I may not be up on all the small details of AFS/Kerberos, I would volunteer to help polish the translation if you like.

Joined: 10 Sep 2005
Posts: 23
Location: Mannheim

PostPosted: Sun Apr 02, 2006 8:24 am


First we need to install the openafs and mit-krb5 packages:

emerge -av openafs openafs-kernel mit-krb5

(Please make sure that you enable krb4 support, because OpenAFS uses something different from Kerberos 4 tickets.)


Now you have to modify your kdc.conf file (you can find it in /etc/krb5kdc/kdc.conf).
In this howto I use EXAMPLE.COM for my realm (please change that to your domain in uppercase).



kdc_ports = 750,88

database_name = /var/lib/krb5kdc/principal
admin_keytab = /etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 8d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

Now the client configuration:


default_realm = EXAMPLE.COM

kdc =
admin_server =
default_domain =

[domain_realm] = EXAMPLE.COM = EXAMPLE.COM

profile = /etc/krb5kdc/kdc.conf

Please also change EXAMPLE.COM to your domain and the kdc/admin_server to your server here.

Initialisation of your database:
We will now initialize your kerberos database:

kdb5_util create -s

Now we will add the necessary users to Kerberos (also called principals). We need one user (I will call him afsadmin) who will also be the administrator of our AFS, and one for our AFS itself (if you don't know how Kerberos works, please take a look at the MIT website).

For that we will enter the *interactive* Kerberos console (kadmin.local).


Now we add the users


kadmin.local: ank afsadmin

kadmin.local: ank -randkey afs

(ank is the short form of addprinc, which is the short form of add_principal; the programmers had too much time, I think *g*)

Now that we have our two users we have to give AFS its key.

I will now not enter the *interactive* mode and instead extract the key to the file /etc/krb5.keytab.afs. AFS doesn't understand all keys (please correct me if I'm wrong), so we have to extract just one:


kadmin.local -q "ktadd -e des-cbc-crc:afs3 -k /etc/krb5.keytab.afs afs"

The next command will tell AFS that it should use that key:


kadmin.local -q "getprinc afs"

asetkey add 3 /etc/krb5.keytab.afs afs

The "3" comes from "Key: vno" in the output of the "getprinc afs" command; it can also be a different number, so please check that.

Ok, now we are finished with Kerberos and can start with the OpenAFS configuration.

Please first check if an AFS instance is already running (ps ax | grep bos); if yes, KILL it!

Set the cellname


echo "" > /etc/openafs/server/ThisCell

Add the cell to the celldatabase


echo "> #Example Cell" > /etc/openafs/server/CellServDB
echo "" >> /etc/openafs/server/CellServDB

!! "#" is NOT a comment!!

Starting the bosserver:


bosserver -noauth

The -noauth flag runs bosserver without authentication. (For security reasons you should cut all network connections.)


bos setcellname -noauth

Checking if we are the first database server:

bos listhosts -noauth

Starting all services:


bos create server buserver simple /usr/libexec/openafs/buserver -cell -noauth

bos create server ptserver simple /usr/libexec/openafs/ptserver -cell -noauth

bos create server vlserver simple /usr/libexec/openafs/vlserver -cell -noauth

I also start the backup server (buserver) and will explain that later.

But first I will explain the other services. Those who have already read the OpenAFS documentation may miss the kaserver. Yes, I don't start it, because we are using MIT Kerberos for that.
The rest are just the volume location server (vlserver), which is responsible for the volumes, and the protection server (ptserver), which is responsible for the access rules.

Creating the administrator:

pts createuser -name afsadmin -cell -noauth

pts adduser afsadmin system:administrators -cell -noauth

pts membership afsadmin -cell -noauth

bos adduser afsadmin -noauth

This is the user we added above to the Kerberos database. Now he is also in the AFS user database, and we also added him to the group system:administrators.

Now we start the rest of AFS services:


bos create fs fs /usr/libexec/openafs/fileserver /usr/libexec/openafs/volserver /usr/libexec/openafs/salvager -cell -noauth

And shutdown the bosserver


bos shutdown -noauth

Now we need one (or more) partitions for AFS. The partition should be ext2; whether ext3 works I don't know (never tested).
The partition should be mounted at /vicepa (if you use more, please mount them at /vicepb, /vicepc and so on).

If the directory /afs doesn't exist, please create it:

mkdir /afs

Ok, I hope I didn't miss something, and we can make some coffee.

Starting the AFS:
Now start the OpenAFS server and client with /etc/init.d/<the name the maintainer gives it today>-server start (same for the client).

(Also take care that the kerberos server is running!)

First we have to authenticate to Kerberos (because bosserver is now running without the -noauth flag):


kinit afsadmin


Now we will create the directory structure of our afs cell:


vos create /vicepa root.afs -cell

vos create /vicepa root.cell -cell

vos create /vicepa home -cell

I call my home-volume "home" and also will use that name in later scripts.

Creating mountpoints and replica:


cd /afs

fs mkm /afs/ root.cell

fs mkm /afs/ root.cell -rw

vos addsite /vicepa root.afs

vos release root.afs

vos addsite /vicepa root.cell

fs mkm /afs/ home

vos release root.cell

vos addsite /vicepa home

vos release home

fs checkvolumes

fs sa /afs system:anyuser l

fs sa /afs/ system:anyuser l

So now, what have we done here? We have created a mountpoint for root.cell in afs and also created one for read-write access. Then we have created some read-only replicas and set the access for every user to "l" (list). But you should issue the "fs help" and "vos help" commands to read more about it.

Now you should be able to access /afs/

Adding Users:
To add a user you have to add him to kerberos and to afs.


kadmin.local -q "addprinc <user>"

pts createuser <user> -id <uid>

pts adduser <user> -group <group>

If you don't have a group please create one with "pts creategroup <group>"

!!Notice!! Please use the same uid in AFS as you have in your normal system, or you will have some problems with access.
Maybe use LDAP for that.

Now we will create the users home directory:

vos create /vicepa home.<user> -maxquota 0

fs mkm /afs/<user> home.<user>

fs sa /afs/<user> <user> all

vos release home

fs checkvolumes

vos backup home.<user>

fs mkm /afs/<user>/.backup home.<user>.backup

Maybe create a bash script for that.
But first I will explain what we have done.
First we created a user volume and called it home.<user> with maxquota 0 (infinite, or until the disc is full *g*); you can also set an exact value for that. Then we mounted it into home and set the ACL to "all". After that we took over the changes from home into the replica and checked the filesystem. We also created a backup volume for it and mounted it into the directory ~/.backup.

To make the backup a little bit automatic I use the following really bad script:


#!/bin/sh
# collect all home.<user> volumes (skip "home" itself and the .readonly/.backup copies)
vos listvol -localauth | sed 's/ .*//' | grep -e ^home | grep -v -e home$ -e readonly$ -e backup$ > /root/backupvol
exec < /root/backupvol
while read line
do
    echo "Creating Backup of $line"
    vos backup $line -localauth
    echo "done"
done

And start it every night with a cronjob.

Now we will set up the other backup system (you remember the buserver above).
But first we will start the tape controller. Maybe you will now think "what is a tape controller, or even a tape, and do I have something like that?" The answer is maybe "no". But that doesn't matter, because we will not put our backups on tapes; we will use our normal discs.

So please go into the directory /var/lib/openafs, create the directory "backup" there and create the following files:



1GB 0 /dev/FILE 0

The 1GB is the size of your "tape"; maybe it should be a little bit bigger (just use the free space of the disc you want to put your backup on).

Now we create our "tape" (yes, I know we don't have a tape, but that doesn't matter; we just act as if we had one).
As you see above, we told the tape controller that it should use the device /dev/FILE,
and here is the configuration for that device:


FILE YES
MOUNT /root/afsbackup
UNMOUNT /root/afsbackup
NAME_CHECK NO
ASK NO

In that configuration I say that the device is a file ("FILE YES") and that the controller should execute the script /root/afsbackup when it tries to mount/unmount the tape; I also disable the name check, and I also don't want to be asked for anything (because I will back up automatically later).

Now what is missing? Yes, the script. I use the one from the OpenAFS documentation:


#! /bin/csh -f
# butc calls this script as: script <devicefile> <operation> <tries> <tapename> <tapeid>
set devicefile = $1
set operation = $2
set tries = $3
set tapename = $4
set tapeid = $5
set exit_continue = 0
set exit_abort = 1
set exit_interactive = 2
if (${tries} > 1) then
    echo "Too many tries"
    exit ${exit_interactive}
endif
if (${operation} == "labeltape") then
    echo "Won't label a tape/file"
    exit ${exit_abort}
endif
if ((${operation} == "dump") |\
    (${operation} == "appenddump") |\
    (${operation} == "restore") |\
    (${operation} == "savedb") |\
    (${operation} == "restoredb")) then
    # point the "tape device" at a regular file named after the tape
    /bin/rm -f ${devicefile}
    /bin/ln -s /path/to/backup/${tapename}_${tapeid} ${devicefile}
    if (${status} != 0) exit ${exit_abort}
endif

exit ${exit_continue}

Now we can start the tapecontroller:

butc -localauth

Maybe start it in a new shell, or even better use "screen", which should be the best way.

After starting it, enter the *interactive* backup console


And create a volumeset

backup> addvolset -name home
backup> addvolentry -name home -server -partition /vicepa -volumes home..*.backup

Now add the backup server

backup> addhost -tapehost -portoffset 0

And create a dump level. I just create one; you can create as many as you want:

backup> adddump -dump /week -expires 6d

Now you can test it:


backup> dump -volumeset home -dump /week -portoffset 0

If you have any questions, please post them here or write me an email.

It is not allowed to copy or even link this article to another website.
Spelling and grammar mistakes are licensed under the GPL3 and can be used in other documents.
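The post above warns that the pts id of a user must equal the uid on the local system. Here is an added example (not from the post or from OpenAFS) that checks this: it reads the output of "pts listentries -users" on stdin and a passwd file as its argument, and reports every user whose pts id differs from the local uid, or who has no local account at all. The column layout of "pts listentries" (Name, ID, Owner, Creator) is taken from the OpenAFS documentation; the tags MISMATCH/NOLOCAL and the function name are my own.

```shell
#!/bin/sh
# Added example: compare AFS pts user ids with local passwd uids.
# Usage:  pts listentries -users -localauth | ./afs_uid_check.sh /etc/passwd
# Exit status is 1 when at least one user has different ids on both sides.

afs_uid_check() {
    passwd_file=$1
    awk -v passwd="$passwd_file" '
        BEGIN {
            # build name -> uid from the passwd file
            while ((getline line < passwd) > 0) {
                split(line, f, ":")
                uid[f[1]] = f[3]
            }
            close(passwd)
        }
        NF < 2 { next }                       # blank lines
        $1 == "Name" && $2 == "ID" { next }   # header of pts listentries
        $1 == "anonymous" { next }            # built-in pts entry, never a local user
        ($1 in uid) && uid[$1] != $2 {
            printf "MISMATCH %s pts=%s passwd=%s\n", $1, $2, uid[$1]
            bad++
        }
        !($1 in uid) {
            printf "NOLOCAL %s pts=%s\n", $1, $2
        }
        END { exit (bad > 0) }
    '
}

# When run with a passwd file as its only argument, act as a filter on stdin.
if [ "$#" -eq 1 ]; then
    afs_uid_check "$1"
fi
```

A MISMATCH line means files created by that user in /afs will show up under the wrong owner on the local system; a NOLOCAL line is expected for Kerberos-only principals such as afsadmin.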
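The MOUNT/UNMOUNT script in the post is csh. As an added example (not from the post or from the OpenAFS documentation), here is the same logic as a POSIX sh script with the decision in a function, so the exit codes butc expects (0 continue, 1 abort, 2 ask the operator) can be checked without a tape controller. The directory BACKUP_STORE stands in for the post's placeholder /path/to/backup and is an assumption; the check that the tape name and id cannot escape that directory is an addition of mine, since both values come straight from what was typed at the backup> prompt.

```shell
#!/bin/sh
# Added example: POSIX sh replacement for the csh butc mount script.
# butc invokes it as:  script <devicefile> <operation> <tries> <tapename> <tapeid>
BACKUP_STORE="${BACKUP_STORE:-/var/lib/openafs/backup/store}"   # assumed location
EXIT_CONTINUE=0
EXIT_ABORT=1
EXIT_INTERACTIVE=2

afs_tape_mount() {
    devicefile=$1
    operation=$2
    tries=$3
    tapename=$4
    tapeid=$5

    if [ "${tries:-0}" -gt 1 ]; then
        echo "Too many tries" >&2
        return "$EXIT_INTERACTIVE"
    fi

    case "$operation" in
        labeltape)
            echo "Won't label a tape/file" >&2
            return "$EXIT_ABORT"
            ;;
        dump|appenddump|restore|savedb|restoredb)
            # refuse names that would point the symlink outside BACKUP_STORE
            case "${tapename}_${tapeid}" in
                */*|*..*)
                    echo "Bad tape name/id" >&2
                    return "$EXIT_ABORT"
                    ;;
            esac
            # make the "tape device" a symlink to a regular file named after the tape
            rm -f "$devicefile"
            ln -s "$BACKUP_STORE/${tapename}_${tapeid}" "$devicefile" || return "$EXIT_ABORT"
            ;;
    esac
    # unmount and every other operation: nothing to do
    return "$EXIT_CONTINUE"
}

# Behave as the butc script when called with its five arguments; otherwise
# only define the function (so the file can be sourced or tested).
if [ "$#" -eq 5 ]; then
    afs_tape_mount "$@"
    exit "$?"
fi
```

Install it as the MOUNT and UNMOUNT script in the CFG file (the post uses /root/afsbackup) and make sure BACKUP_STORE is on the disc whose free space you entered in tapeconfig.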

Joined: 07 Dec 2002
Posts: 223
Location: Vienna, Austria

PostPosted: Mon May 22, 2006 9:35 am

Just started installing openafs on my testcluster following your tutorial. Thanks for writing it, it helps me a lot.
So far I have little knowledge about afs & kerberos (though I read the kerberos dialogue as suggested and searched the openafs-faq as well as google for some info). Therefore please excuse me if my question is unqualified.

Is there a way to automatically mount an openafs partition on reboot without manual intervention (providing a password or similar)? I want to implement this for a webserver that should boot and work (with its data on afs) without having to do anything manually...

One thing in your tutorial didn't work for me so far: asetkey - which package have you installed to get this command? Or have you manually installed the openafs-krb5 package? - [edit][SOLVED]: asetkey is installed with the masked openafs-v1.4.1[/edit]

Joined: 25 Feb 2003
Posts: 314
Location: Columbus, Ohio

PostPosted: Sun Mar 15, 2009 10:56 pm

For anyone doing openafs and krb5:

make sure you enable keys in the kernel (enable "access key retention" under Security); it breaks the module links in the libafs module if you are on hardened-sources.