debian-afs 2008 Davor Ocelic DavorOcelic docelic@spinlocksolutions.com SPINLOCK — advanced GNU/Linux and Unix solutions for commercial and education sectors. This documentation is free; you can redistribute it and/or modify it under the terms of the &GNU; General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. It is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. The purpose of this article is to give you a straight-forward, Debian-friendly way of installing and configuring OpenAFS 1.4.x, the recommended production version of OpenAFS for UNIX. By the end of this guide, you will have a functional OpenAFS installation that will complete our solution for secure, centralized network logins with shared home directories. This article is part of &SL;'s practical 5-piece introductory series to infrastructure-based Unix networks, containing &DKLAR_DEB;, &DKLAR_KRB;, &DKLAR_LDA;, &DKLAR_AFS; and &DKLAR_RAD;.

AFS distributed filesystem is a service that has been traditionally captivating system administrators' and advanced users' interest, but its high entry barrier and infrastructure requirements have been preventing many from using it. AFS has already been the topic of numerous publications. Here, we will present only the necessary summary; enough information to establish the context and to achieve practical results. You do not need to follow any external links; however, the links have been provided both throughout the article and listed all together at the end, to serve as pointers to more precise technical treatment of individual topics. AFS was started at Carnegie Mellon University in the early 1980s, in order to easily share file data between people and departments. The system became known as the Andrew File System, or AFS, in recognition of Andrew Carnegie and Andrew Mellon, the primary benefactors of CMU. Later, AFS was supported and developed as a product by Transarc Corporation (now IBM Pittsburgh Labs). IBM branched the source of the AFS product, and made a copy of the source available for community development and maintenance. They called the release OpenAFS, which is practically the only "variant" of AFS used today for new installations. The amount of important information related to AFS is magnitudes larger than that of, say, Kerberos or LDAP. It isn't possible to write a practical OpenAFS Guide without simply ignoring the majority of AFS concepts and without taking drastic shortcuts in reaching our final objective. However, this injustice will be compensated by hooking you up with the OpenAFS idea, helping you achieve practical results relatively quickly, and setting you underway to properly expanding your knowledge and network setup. AFS relies on Kerberos for authentication. A working Kerberos environment is the necessary prerequisite, and the instructions on setting it up are found in another article from the series, the &DKLAR_KRB;. Furthermore, in a centralized network login solution, user metadata (Unix user and group IDs, &GECOS; information, home directories, preferred shells, etc.) need to be shared in a network-aware way as well. This metadata can be served using LDAP or libnss-afs. In general, LDAP is standalone and flexible, and covered in another article from the series, the &DKLAR_LDA;. libnss-afs is simple and depends on the use of AFS, and covered in this Guide.

AFS' primary purpose is to serve files over the network in a robust, efficient, reliable and fault-tolerant way. Its secondary purpose may be to serve user meta information through libnss-afs, unless you choose &LDA; for the purpose as explained in another article from the series, the &DKLAR_LDA;. While the idea of a distributed file system is not unique, let's quickly identify some of the AFS specifics: AFS offers a client-server architecture for transparent file access in a common namespace (/afs/) anywhere on the network. This principle has been nicely illustrated by one of the early AFS slogans "Where ever you go, there you are!". AFS uses Kerberos 5 as an authentication mechanism, and without a valid Kerberos ticket and AFS token, it is virtually impossible to gain any privileged access to the AFS data space, even if you happen to be the server or network administrator. User's AFS identity is not in any way related to traditional system usernames or other data; AFS Protection Database (PTS) is a stand-alone database of AFS usernames and groups. However, since Kerberos 5 is used as an authentication mechanism, provision is made to automatically "map" Kerberos principal names onto PTS entries. AFS does not "export" existing data partitions to the network in a way that NFS does. AFS requires partitions to be dedicated to AFS use only. On AFS partitions, one creates "volumes" which represent basic client-accessible units and hold files and directories. Accessing files in a volume directly is a no-go — one must to use the AFS client to read and write files, even locally on the server where they are stored. To become accessible, AFS volumes must be mounted somewhere in the AFS namespace (/afs/). The "mounts" are handled internally in AFS — they are not affected by client or server reboots and they do not correspond to Unix mount points. The only Unix mount point defined in AFS is for the /afs/ directory itself. AFS supports a far more elaborate and convenient permissions system (AFS ACL) than the traditional Unix "rwx" modes. The permissions are more fine-grained and can be defined individually for as many users and groups as necessary. IP-based ACLs are available as well, for the rare cases where you might have no other option. ACLs are set on directories and apply to all contained and newly created files. Sub-directories may, of course, set their own ACLs. As of summer 2008, there have been plans to support file-based ACLs as well, as part of the &GSOC; initiative. AFS is available for a broad range of architectures and software platforms. You can obtain an up-to-date AFS release for IBM AIX, HP/UX, SGI Irix, MacOS X, Sun Solaris, all Linux platforms, and Microsoft Windows. OpenAFS comes in two main releases, 1.4.x and 1.5.x. The 1.4 "maintenance" release is the recommended production version for Unix and MacOS platforms. The 1.5 "features" release is the recommended production version for Microsoft Windows. The versions are completely interoperable and you can freely mix 1.4 and 1.5 releases. The OpenAFS website and documentation seem out of date at first, but they do contain all the information you need. AFS is enterprise-grade and mature. Books about AFS written 10 or 15 years ago are still authoritative today, plus/minus a few inevitable changes and improvements. You can find the complete AFS documentation at the &AFS; website. After grasping the basic concepts, your most helpful resources will be quick help options supported in all commands, such as in fs help, vos help, pts help or bos help.

On all GNU/Linux-based platforms, &PAM; is available for service-specific authentication configuration. &PAM; is an implementation of PAM ("Pluggable Authentication Modules") from &SUN;. Network services, instead of having hard-coded authentication interfaces and decision methods, invoke PAM through a standard, pre-defined interface. It is then up to PAM to perform any and all authentication-related work, and report the result back to the application. Exactly how PAM reaches the decision is none of the service's business. In traditional set-ups, that is most often done by asking and verifying usernames and passwords. In advanced networks, that could be Kerberos tickets and AFS tokens. PAM will allow for inclusion of OpenAFS into the authentication path of all services. After typing in your password, it will be possible to verify the password against the Kerberos database and automatically obtain the Kerberos ticket and AFS token, without having to run kinit and aklog manually. You can find the proper introduction (and complete documentation) on the &PAM; website. Pay special attention to the &PSY; page. Also take a look at the Linux-PAM 7 and pam 7 manual pages.

It's quite disappointing when you are not able to follow the instructions found in the documentation. Let's agree on a few points before going down to work: Our platform of choice, where we will demonstrate a practical setup, will be &DEB;. Install sudo. Sudo is a program that will allow you to carry out system administrator tasks from your normal user account. All the examples in this article requiring root privileges use sudo, so you will be able to copy-paste them to your shell. su -c 'apt-get install sudo' If asked for a password, type in the root user's password. To configure sudo, add the following line to your /etc/sudoers, replacing $USERNAME with your login name: $USERNAME ALL=(ALL) NOPASSWD: ALL Debian packages installed during the procedure will ask us a series of questions through the so-called debconf interface. To configure debconf to a known state, run: sudo dpkg-reconfigure debconf When asked, answer interface=Dialog and priority=low. Monitoring log files is crucial in detecting problems. The straight-forward, catch-all routine to this is opening a terminal and running: cd /var/log; sudo tail -F daemon.log sulog user.log auth.log debug kern.log syslog dmesg messages \ kerberos/{krb5kdc,kadmin,krb5lib}.log openafs/{Bos,File,Pt,Salvage,VL,Volser}Log The command will keep printing log messages to the screen as they arrive. Our test system will be called monarch.spinlock.hr and have an IP address of 192.168.7.12. Both the server and the client will be installed on the same machine. However, to differentiate between client and server roles, the client will be referred to as monarch.spinlock.hr and the server as afs1.spinlock.hr. The following addition will be made to /etc/hosts to completely support this scheme: 192.168.7.12 monarch.spinlock.hr monarch krb1.spinlock.hr krb1 ldap1.spinlock.hr ldap1 afs1.spinlock.hr afs1

The only meaningful way to access data in AFS is through an AFS client. That means you will need the OpenAFS kernel module built and running on all AFS systems, including servers. Building a kernel module through module-assistant is an extremely simple and elegant way to not have to deal with any of the complexities behind the scenes; after the following set of commands executes successfully, you will have the kernel module build as a Debian package and installed onto the system: sudo apt-get install module-assistant sudo m-a prepare openafs sudo m-a a-i openafs

After the kernel module is installed, we can proceed with installing the rest of the OpenAFS server software: sudo apt-get install openafs-{fileserver,dbserver,client,krb5} Debconf answers for reference: AFS cell this workstation belongs to: spinlock.hr # (Your domain name in lowercase, matching the Kerberos realm in uppercase) Size of AFS cache in kB? 4000000 # (Default value is 50000 for 50 MB, but you can greatly increase the # size on modern systems to a few gigabytes, with 20000000 (20 GB) being # the upper reasonable limit) Run Openafs client now and at boot? No # (It is important to say NO at this point, or the client will try to # start without the servers in place) Look up AFS cells in DNS? Yes Encrypt authenticated traffic with AFS fileserver? No # (OpenAFS client can encrypt the communication with the fileserver. The # performance hit is not too great to refrain from using encryption, but # generally, disable it on local and trusted-connection clients, and enable # it on clients using insecure channels) Dynamically generate the contents of /afs? No Use fakestat to avoid hangs when listing /afs? Yes Cell this server serves files for: spinlock.hr DB server host names for your home cell: afs1 # (Before continuing, make sure you've edited your DNS configuration or # /etc/hosts file as mentioned above in the section "Conventions", and that # the command 'ping afs1' really does successfully ping your server)

OpenAFS cache directory on AFS clients is /var/cache/openafs/. (Note that this includes your AFS servers too, as they all have AFS client software installed). The cache directory must be on an Ext2 or Ext3 filesystem partition. In case it is, you just have to ensure there's enough disk space on the partition. In case it is not, in case you're using a different filesystem for /var/ or /var/cache/, then you need to mount an Ext partition or file onto /var/cache/openafs/.

As Kerberos introduces mutual authentication of users and services, we need to create a Kerberos principal for our AFS service. (In general, the way it's done with Kerberos is by creating a separate principal for each of the server machines. But AFS shares the key among all AFS servers, and so we must create just one key). The transcript below assumes you've set up Kerberos and created policy service as explained in the &DKLAR_KRB;; if you did not, do so right now as Kerberos is the necessary prerequisite. sudo rm -f /tmp/afs.keytab sudo kadmin.local Authenticating as principal root/admin@SPINLOCK.HR with password. kadmin.local: addprinc -policy service -randkey -e des-cbc-crc:v4 afs Principal "afs@SPINLOCK.HR" created. kadmin.local: ktadd -k /tmp/afs.keytab -e des-cbc-crc:v4 afs Entry for principal afs with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/afs.keytab. kadmin.local: quit Once the key's been created and exported to file /tmp/afs.keytab as shown, we need to load it into the AFS KeyFile. Note that the number "3" in the following command is the key version number, which has to match KVNO reported in the 'ktadd' step above. sudo asetkey add 3 /tmp/afs.keytab afs To verify the key has been loaded and that there is only one key in the AFS KeyFile, run bos listkeys: sudo bos listkeys afs1 -localauth key 3 has cksum 2035850286 Keys last changed on Tue Jun 24 14:04:02 2008. All done. In case there's something wrong and you want to remove keys from the KeyFile, run bos help for a list of available commands and bos help command for command-specific usage information.

As we've hinted in the introduction, AFS works by using its own dedicated partitions. Each server can have up to 256 partitions which should be mounted to directories named /vicepXX/, where "XX" is the partition "number" going from 'a' to 'z' and from 'aa' to 'iv'. In a simple scenario, we will have only one partition which you should format as Ext3 and mount onto /vicepa/. In case you do not have a separate partition ready, simply creating the directory /vicepa/ in your root partition will do. Creating /vicepa/ in your existing partition is possible because AFS does not use its own low-level format for the partitions — it saves data to vice partitions using normal filesystem calls. (As said, that data is structured in a way meaningful only to AFS, but it is there in the filesystem and you are able to browse around it using cd and ls).

Now that we've installed the software components that make up the OpenAFS server and that we've taken care of the pre-configuration steps, we can create an actual AFS cell. The afs-newcell script, which is used to create a new cell, needs a simple fix in version 1.4.7.dfsg1-2 before it can be used to create a new cell (a bug about it has been open under BTS #488152). Russ Allbery has promptly fixed the problem as usual, but to make sure there is no problem in your script, the following oneliner can be ran on any version of afs-newcell without adverse effects: sudo perl -pi -e 's/(-time never -general)(?! -localauth)/$1 -localauth/' /usr/sbin/afs-newcell Let's run afs-newcell: sudo afs-newcell Prerequisites In order to set up a new AFS cell, you must meet the following: 1) ..... 2) ..... 3) ..... 4) ..... 5) ..... Do you meet these requirements? [y/n] y If the fileserver is not running, this may hang for 30 seconds. /etc/init.d/openafs-fileserver stop What administrative principal should be used? root/admin /etc/openafs/server/CellServDB already exists, renaming to .old /etc/init.d/openafs-fileserver start Starting OpenAFS BOS server: bosserver. bos adduser afs.spinlock.hr root -localauth Creating initial protection database. This will print some errors about an id already existing and a bad ubik magic. These errors can be safely ignored. pt_util: /var/lib/openafs/db/prdb.DB0: Bad UBIK_MAGIC. Is 0 should be 354545 Ubik Version is: 2.0 bos create afs1.spinlock.hr ptserver simple /usr/lib/openafs/ptserver -localauth bos create afs1.spinlock.hr vlserver simple /usr/lib/openafs/vlserver -localauth bos create afs1.spinlock.hr fs fs -cmd '/usr/lib/openafs/fileserver -p 23 -busyat 600 \ -rxpck 400 -s 1200 -l 1200 -cb 65535 -b 240 -vc 1200' -cmd /usr/lib/openafs/volserver \ -cmd /usr/lib/openafs/salvager -localauth bos setrestart afs1.spinlock.hr -time never -general -localauth Waiting for database elections: done. vos create afs1.spinlock.hr a root.afs -localauth Volume 536870915 created on partition /vicepa of afs.spinlock.hr /etc/init.d/openafs-client force-start Starting AFS services: afsd. afsd: All AFS daemons started. Now, get tokens as root in the spinlock.hr cell. Then, run afs-rootvol. Now that our AFS cell is created, remember we've said volumes are the basic units accessible by AFS clients. By convention, each AFS cell creates the first volume called root.afs. So according to the advice printed at the end of afs-newcell run, we need to obtain the AFS administrator token and then run afs-rootvol: kinit root/admin; aklog Password for root/admin@SPINLOCK.HR: PASSWORD afs-rootvol Prerequisites In order to set up the root.afs volume, you must meet the following pre-conditions: 1) ..... 2) ..... 3) ..... 4) The AFS client must be running pointed at the new cell. Do you meet these conditions? (y/n) y You will need to select a server (hostname) and AFS partition on which to create the root volumes. What AFS Server should volumes be placed on? afs1 What partition? [a] a vos create afs1 a root.cell -localauth Volume 536870918 created on partition /vicepa of afs1 fs sa /afs system:anyuser rl fs mkm /afs/spinlock.hr root.cell -cell spinlock.hr -fast || true fs mkm /afs/grand.central.org root.cell -cell grand.central.org -fast || true ..... ..... ..... ..... ..... fs sa /afs/spinlock.hr system:anyuser rl fs mkm /afs/.spinlock.hr root.cell -cell spinlock.hr -rw fs mkm /afs/.root.afs root.afs -rw vos create afs1 a user -localauth Volume 536870921 created on partition /vicepa of afs1 fs mkm /afs/spinlock.hr/user user fs sa /afs/spinlock.hr/user system:anyuser rl vos create afs1 a service -localauth Volume 536870924 created on partition /vicepa of afs1 fs mkm /afs/spinlock.hr/service service fs sa /afs/spinlock.hr/service system:anyuser rl ln -s spinlock.hr /afs/spinlock ln -s .spinlock.hr /afs/.spinlock vos addsite afs1 a root.afs -localauth Added replication site afs /vicepa for volume root.afs1 vos addsite afs1 a root.cell -localauth Added replication site afs1 /vicepa for volume root.cell vos release root.afs -localauth Released volume root.afs successfully vos release root.cell -localauth Released volume root.cell successfully Woohoo! You've got yourself one helluva OpenAFS cell.

If you remember, during the AFS installation phase, we've answered "No" to the question "Run OpenAFS client now and at boot?". AFS init script is such that it just won't run the client as long as the client startup is disabled in the config file — even if you invoke sudo invoke-rc.d openafs-client start manually. Therefore, we now have to enable the client in /etc/openafs/afs.conf.client by replacing AFS_CLIENT=false with AFS_CLIENT=true: sudo perl -pi -e's/AFS_CLIENT=false/AFS_CLIENT=true/' /etc/openafs/afs.conf.client sudo invoke-rc.d openafs-client start Finally, let's drop any tokens or tickets that we may have initialized, to continue with a clean slate: unlog; kdestroy All set. You should now have the basic AFS environment working.

While the whole point of AFS is in accessing files remotely, remember that all AFS servers are also regular AFS clients. So let's explain the AFS directory structure a bit and then use our just-installed server to look at the actual contents of the /afs/ directory. As we've hinted in , AFS uses a global namespace. That means all AFS sites are instantly accessible from /afs/ as if they were local directories, and all files have a unique AFS path. For example, file /afs/spinlock.hr/service/test will always be /afs/spinlock.hr/service/test, no matter the client, operating system, local policy or geographical location. In order to avoid clashes in this global AFS namespace, by convention, each cell's "AFS root" starts in /afs/domain.name/.

Let's list /afs/ directory contents to verify what we've just said about AFS cells and their mount points: cd /afs ls | head 1ts.org acm-csuf.org acm.uiuc.edu ams.cern.ch andrew.cmu.edu anl.gov asu.edu athena.mit.edu atlass01.physik.uni-bonn.de atlas.umich.edu ls | wc -l 189 The 189 directories were automatically created by the afs-rootvol script, but you can create additional and remove existing mount points (AFS mount points) at will. With the above said, we can predict AFS has created our own directory in /afs/spinlock.hr/. This directory is only visible automatically within the local cell and is not seen by the world in ls /afs listing. Now that we're in AFS land, we can quickly get some more AFS-specific information on /afs/spinlock.hr/: fs lsm /afs/spinlock.hr '/afs/spinlock.hr' is a mount point for volume '#spinlock.hr:root.cell' fs lv /afs/spinlock.hr File /afs/spinlock.hr (536870919.1.1) contained in volume 536870919 Volume status for vid = 536870919 named root.cell.readonly Current disk quota is 5000 Current blocks used are 4 The partition has 89573 blocks available out of 94030

Each time you mount a volume, you can mount it read-write or read-only. Read-write mounts are simple — reads and writes are done through the same filesystem path, such as /afs/spinlock.hr/common/testfile, and are serviced by the volume's host server. Read-only mounts make things interesting — volumes may have up to 8 read-only replicas and clients will retrieve files from the "best" source. However, that brings two specifics: First, as the read-only mount is read-only by definition, there exists a different file path (prefixed with a dot) for accessing the data in a read-write fashion. Second, data changes in the read-write tree don't show up in the read-only tree until you "release" volume contents with the vos release command. As said, read-write paths for read-only mounts are prefixed by a leading dot. Let's verify this: lsm /afs/spinlock.hr '/afs/spinlock.hr' is a mount point for volume '#spinlock.hr:root.cell' lsm /afs/.spinlock.hr '/afs/.spinlock.hr' is a mount point for volume '%spinlock.hr:root.cell'

Equipped with the above absolute basics, let's visit /afs/spinlock.hr/, look around, and then try to read and write files. cd /afs/spinlock.hr ls -al total 14 drwxrwxrwx 2 root root 2048 2008-06-25 02:05 . drwxrwxrwx 2 root root 8192 2008-06-25 02:05 .. drwxrwxrwx 2 root root 2048 2008-06-25 02:05 service drwxrwxrwx 2 root root 2048 2008-06-25 02:05 user echo TEST > testfile -bash: testfile: Read-only file system cd ../.spinlock.hr echo TEST > testfile -bash: testfile: Permission denied Good. Let's list access permissions (AFS ACL) for the directory, and then obtain AFS admin privileges that will allow us to write files. Note that we first establish our Kerberos identity using kinit, and then obtain the matching AFS token using aklog. Aklog obtains a token automatically and without further prompts, on the basis of the existing Kerberos ticket. cd /afs/.spinlock.hr fs la . Access list for . is Normal rights: system:administrators rlidwka system:anyuser rl kinit root/admin; aklog Password for root/admin@SPINLOCK.HR: PASSWORD klist -5 Ticket cache: FILE:/tmp/krb5cc_0 Default principal: root/admin@SPINLOCK.HR Valid starting Expires Service principal 06/29/08 19:38:05 06/30/08 05:38:05 krbtgt/SPINLOCK.HR@SPINLOCK.HR renew until 06/30/08 19:38:05 06/29/08 19:38:12 06/30/08 05:38:05 afs@SPINLOCK.HR renew until 06/30/08 19:38:05 tokens Tokens held by the Cache Manager: User's (AFS ID 1) tokens for afs@spinlock.hr [Expires Jun 30 05:38] --End of list-- At this point, writing the file succeeds: echo TEST > testfile cat testfile TEST Let's list volume data size quota and increase it from the default 5 MB to 100 MB: fs lq Volume Name Quota Used %Used Partition root.cell 5000 28 1% 38% fs sq . 100000 fs lq Volume Name Quota Used %Used Partition root.cell.readonly 100000 28 1% 38%

As seen in the previous chapter, you authenticate to Kerberos using kinit and then to AFS using aklog. We're dealing with two separate authentication databases here — the Kerberos database and the AFS "Protection Database" or PTS. That means all users have to exist in both Kerberos and AFS if they want to access AFS data space in an authenticated fashion. The only reason we did not have to add root/admin user to AFS PTS is because this was done automatically by the virtue of afs-newcell. So let's add a regular AFS user. We're going to add user "mirko", which should already exist in Kerberos if you've followed the &DKLAR_KRB;, section "Creating first unprivileged principal". Make sure you hold the administrator Kerberos ticket and AFS token, and then execute: pts createuser mirko 20000 User mirko has id 20000 You will notice that Kerberos and AFS do not require any use of sudo. (Actually, we do use sudo to invoke Kerberos' sudo kadmin.local, but that's only because we want to access the local Kerberos database directly on a file level). Kerberos and AFS privileges are determined solely by tickets and tokens one has obtained, and have nothing to do with traditional Unix privileges nor are tied to certain usernames or IDs.

Now that we have a regular user "mirko" created in both Kerberos and AFS, we want to create an AFS data volume that will correspond to this user and be "mounted" in the location of the user's home directory in AFS. Make sure you still hold the administrator Kerberos ticket and AFS token, and then execute: vos create afs1 a user.mirko 200000 Volume 536997357 created on partition /vicepa of afs1 vos examine user.mirko user.mirko 536997357 RW 2 K On-line afs1.spinlock.hr /vicepa RWrite 536997357 ROnly 0 Backup 0 MaxQuota 200000 K Creation Sun Jun 29 18:06:43 2008 Copy Sun Jun 29 18:06:43 2008 Backup Never Last Update Never RWrite: 536997357 number of sites -> 1 server afs1.spinlock.hr partition /vicepa RW Site Having the volume, let's mount it to a proper location. We will use a "hashed" directory structure with two sublevels, so that the person's home directory will be in /afs/spinlock.hr/user/p/pe/person/ (instead of directly in user/person/). Follow this AFS convention and you will be able to use libnss-afs and 3rd party management scripts without modification. cd /afs/spinlock.hr/user mkdir -p m/mi fs mkm m/mi/mirko user.mirko -rw Let's view volume and directory information: fs lsm m/mi/mirko 'm/mi/mirko' is a mount point for volume '#user.mirko' fs lv m/mi/mirko File m/mi/mirko (536997357.1.1) contained in volume 536997357 Volume status for vid = 536997357 named user.mirko Current disk quota is 200000 Current blocks used are 2 The partition has 85448567 blocks available out of 140861236

Let's view the permissions on the new directory and allow user full access: fs la m/mi/mirko Access list for m/mi/mirko is Normal rights: system:administrators rlidwka fs sa m/mi/mirko mirko all fs la !:2 Access list for m/mi/mirko is Normal rights: system:administrators rlidwka mirko rlidwka Now switch to user mirko and verify you've got access to the designated home directory: unlog; kdestroy kinit mirko; aklog Password for mirko@SPINLOCK.HR: PASSWORD cd /afs/spinlock.hr/user/m/mi/mirko echo IT WORKS > test cat test IT WORKS

The material covered so far in the &DKLAR_KRB; and this &DKLAR_AFS; has gotten us to a point where we can create users in Kerberos and AFS, create and mount users' data volumes, authenticate using kinit and aklog, and read and write files in the users' volumes with full permissions. In other words, it smells as if we're a step away from our goal — a true networked and secure solution for centralized logins with exported home directories. There's one final thing missing, and it's the support for serving user "metadata". As explained in , metadata will come from either LDAP or libnss-afs. If you've followed and implemented the setup described in the &DKLAR_LDA;, you already have the metadata taken care of. However, let's say a few words about it anyway to broaden our horizons. Metadata is the information traditionally found in system files /etc/passwd, /etc/group and /etc/shadow. Metadata necessary for a successful user login includes four elements: Unix user ID, Unix group ID, home directory and shell. Let's take a look at a complete list of user metadata, with a list of software components that handle them in parentheses: Username (all) Password (Kerberos) User ID (LDAP or libnss-afs) Group ID and group membership (LDAP) &GECOS; information (LDAP) Home directory (LDAP) Preferred shell (LDAP or libnss-afs) Group membership (LDAP) Password aging (Kerberos) You may notice LDAP seems like a "superset" of libnss-afs. And it really is, which can be an advantage or a disadvantage, depending on the situation. LDAP is a standalone solution that can be used to create network infrastructures based on the "magic trio" — Kerberos, LDAP and AFS. It is flexible and can serve arbitrary user and system information besides the necessary metadata. Can you think of a few examples how this would be useful? For example, on a lower level, you could use LDAP to store extra group membership information or per-user host access information; on a higher level, you could use LDAP to store a person's image, birth date, or a shared calendar available to all user applications. However, this flexibility comes at a cost of administering yet another separate database (Kerberos, AFS and LDAP all have their own database, and you have to keep them synchronized). libnss-afs, on the other hand, is an AFS-dependent module that serves the metadata out of the AFS PTS database. It is simple, and limited. Structure of the PTS is such that you can only save certain information in there, and nothing else. For fields that cannot be represented in PTS, libnss-afs outputs a "one size fits all" default value. For example, as there is no space for &GECOS; information in the PTS, everyone's GECOS is set to their username; as there is no group ID, everyone's group ID is set to group 65534 (nogroup), and as there is no home directory, everyone's homedir is set to /afs/cell.name/user/u/us/user/. libnss-afs may suit those who prefer simplified administration over flexibility. In this Guide, both LDAP and libnss-afs approach will be explained. Moving from libnss-afs to LDAP is easy, so if in doubt, pick libnss-afs.

A complete LDAP setup is explained in another article from the series, the &DKLAR_LDA;. If you have followed and implemented the procedure, especially the part about modifying /etc/nsswitch.conf, there's only one thing that should be done here — you should modify users' entries in LDAP to make their home directories point to AFS instead of to /home/. Actually, you can symlink /home/ to AFS, and then no change in LDAP will be necessary. One benefit of this approach is that /home/ looks familiar to everyone. One drawback is that you need to symlink that directory to AFS on all machines where users will be logging in. To create the symlinks, use: sudo mv /home /home,old sudo ln -sf /afs/.spinlock.hr/user /home sudo ln -sf /afs/spinlock.hr/user /rhome To literally change users' home directories in LDAP (to point to /afs/spinlock.hr/user/u/us/user/), construct a LDIF file and use ldapmodify to apply the LDIF file. Here's an example for user mirko (which should already exist in your LDAP directory if you've followed the &DKLAR_LDA; Guide). Save the following as /tmp/homechange.ldif: dn: uid=mirko,ou=people,dc=spinlock,dc=hr changetype: modify replace: homeDirectory homeDirectory: /afs/spinlock.hr/user/m/mi/mirko And apply using: ldapmodify -c -x -D cn=admin,dc=spinlock,dc=hr -W -f /tmp/homechange.ldif

As said, &NSA; is an AFS-dependent approach to serving metadata, so it only makes sense to describe it in the context of the &DKLAR_AFS;. Adam Megacz created libnss-afs on the basis of Frank Burkhardt's libnss-ptdb, which in turn was created on the basis of Todd M. Lewis' nss_pts. The primary motivation for libnss-afs has been the use at &HCP;, the first non-profit corporation offering public AFS hosting and accounts. Good. Let's move onto the technical setup: It is strongly recommended to run libnss-afs in combination with nscd and cache the replies from the AFS ptserver, so let's install nscd first and change one of its config options to work around a known bug in nscd: sudo apt-get install nscd sudo perl -pi -e '/^\s*enable-cache\s+hosts\s+yes\s*/ and $_ = "enable-cache hosts no\n"' /etc/nscd.conf sudo invoke-rc.d nscd restart Now let's install libnss-afs itself, which is — interestingly enough — accessible in AFS, in the cell hcoop.net. You should have a working AFS client by now to access the files. What we've covered so far should be enough to allow you understand what will be going on in the following transcript. In short, we will need to create /afs/hcoop.net/ before we can access the files in the cell, and the procedure will be a bit longer then normal mount because our AFS root is read-only. In any case, our goal here is just accessing the libnss-afs repository, so copy-paste our working example don't spend too much time deciphering the procedure. unlog; kdestroy kinit root/admin; aklog Password for root/admin@SPINLOCK.HR: PASSWORD sudo sh -c 'echo -e ">hcoop.net\n69.90.123.67 # deleuze.hcoop.net" >> /etc/openafs/CellServDB' cd /afs/spinlock.hr/service fs mkm tmp root.afs -rw cd tmp fs mkm hcoop.net root.cell -cell hcoop.net -fast cd .. vos release root.cell fs rmm tmp Now /afs/hcoop.net/ will exist and we can access the libnss-afs package: cd /afs/hcoop.net/user/m/me/megacz/public/libnss-afs sudo dpkg -i libnss-afs*deb The directory contains libnss-afs sources as well. In case you need to recompile them and build Debian packages yourself, here's a guideline: cp -a /afs/hcoop.net/user/m/me/megacz/public/libnss-afs/libnss-afs /tmp cd /tmp/libnss-afs dpkg-buildpackage -uc -us sudo dpkg -i ../libnss-afs*deb After libnss-afs is installed, let's modify the existing lines in /etc/nsswitch.conf to look like the following: passwd: afs files group: afs files shadow: files

We are ready to test metadata retrieval: sudo nscd -i passwd id mirko uid=20000(mirko) gid=65534(nogroup) groups=65534(nogroup) getent passwd mirko mirko:x:20000:65534:mirko:/afs/hcoop.net/user/m/mi/mirko:/bin/bash

The final step in this article pertains to integrating OpenAFS into the system authentication procedure. We want Kerberos ticket and OpenAFS token to be issued for users as they log in, without the need to run kinit and aklog manually after login. Let's install the necessary OpenAFS PAM module: sudo apt-get install libpam-afs-session To minimize the chance of locking yourself out of the system during PAM configuration phase, ensure right now that you have at least one root terminal window open and a copy of the files available before starting on PAM configuration changes. To do so, execute the following in a cleanly started shell and leave the terminal open: sudo su - cd /etc cp -a pam.d pam.d,orig If you break logins with an invalid PAM configuration, the above will allow you to simply revert to a known-good state by using the open root terminal and executing: cp -a pam.d,orig/* pam.d/ After you've edited your PAM configuration as shown below, restart the services you will be connecting to. This isn't strictly necessary, but it ensures that the services will re-read the PAM configuration and not use any cached information.

auth sufficient pam_unix.so nullok_secure auth sufficient pam_krb5.so use_first_pass auth optional pam_afs_session.so program=/usr/bin/aklog auth required pam_deny.so

session required pam_limits.so session optional pam_krb5.so session optional pam_unix.so session optional pam_afs_session.so program=/usr/bin/aklog

At this point, you have a functional AFS site. Users, once created in the system, can log in and access their files anywhere on the network. You can rely on either system login or manually running kinit; aklog in obtaining Kerberos ticket and AFS token. Once the token is obtained, you can access the protected AFS data space. Note that you've just started with OpenAFS. With a good foundation we've built, you're advised to expand your knowledge using other available resources. For commercial consultation and infrastructure-based networks containing AFS, contact &SL;.

Platforms: &GNU; &DEB; AFS: &AFS; &GCO; &GSOC; AFS projects &ARL; Public access AFS accounts: &HCL; Glue layer: &PAM; &PSY; &NSS; &NSA; Related infrastructural technologies: &KRB; &LDA; &RAD; Adduser-ng suite: ∠ Commercial support: &SL; Misc: &DOCBK;