AFS Client Configuration
Authentication and Identification
We use pam_krb5 and nss LDAP. We also abuse the PAM system to provide afs tokens for the session (as is typical). Installing any kind of PAM LDAP integration is probably unnecessary and unwise. You may in fact need to disable some PAM modules.
Cell Discovery
We have all the DNS records for automagic cell discovery inserted, so there's no real need to manipulate CellServDB.
AFS Hard Mount Semantics
You may find it desirable to engage "hard-mount" semantics (retry forever for volumes in ThisCell; see this thread) with something like these lines in /etc/rc.local:
# AFS hard-mount semantics, on both RO and RW volumes, with retries every 10 seconds.
echo 10 > /proc/sys/afs/hm_retry_int
echo 1 > /proc/sys/afs/hm_retry_RW
echo 1 > /proc/sys/afs/hm_retry_RO
or better, something like this in /etc/openafs/afs.conf on Debian systems:
OPTIONS=AUTOMATIC
afs_post_init_hook() {
# AFS hard-mount semantics, on both RO and RW volumes, with retries every 10 seconds.
sysctl afs.hm_retry_RO=1
sysctl afs.hm_retry_RW=1
sysctl afs.hm_retry_int=10
}
AFS_POST_INIT=afs_post_init_hook
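The two fragments above set the knobs but never confirm that they took effect; if the openafs module is not loaded when rc.local runs, the echo fails silently and the client quietly keeps soft-mount behaviour. The following is an added example, not part of the original page: it applies the same three values and then reads them back, failing loudly on a mismatch. The AFS_SYSCTL_DIR override is this example's own addition so the check can be exercised against a scratch directory; on a real client it defaults to /proc/sys/afs as on the page.

```shell
#!/bin/sh
# Added example (not from the original page): apply the hard-mount sysctls
# and verify they took effect. Assumption: the knobs live in /proc/sys/afs
# as on the page; AFS_SYSCTL_DIR exists only so the check is testable.

AFS_SYSCTL_DIR="${AFS_SYSCTL_DIR:-/proc/sys/afs}"

# Desired values (same as the page: retry every 10 s, on both RO and RW volumes).
HM_RETRY_INT=10
HM_RETRY_RW=1
HM_RETRY_RO=1

# Write one knob; fail if the file is missing or unwritable (module not loaded).
afs_set() {
    knob="$1"; value="$2"
    f="$AFS_SYSCTL_DIR/$knob"
    if [ ! -w "$f" ]; then
        echo "afs_set: $f not writable (is the openafs kernel module loaded?)" >&2
        return 1
    fi
    echo "$value" > "$f"
}

# Read a knob back, stripped of whitespace; fail if it is unreadable.
afs_get() {
    f="$AFS_SYSCTL_DIR/$1"
    [ -r "$f" ] || return 1
    tr -d '[:space:]' < "$f"
}

# Apply all three hard-mount settings, stopping at the first failure.
afs_hardmount_apply() {
    afs_set hm_retry_int "$HM_RETRY_INT" &&
    afs_set hm_retry_RW "$HM_RETRY_RW" &&
    afs_set hm_retry_RO "$HM_RETRY_RO"
}

# Verify: return 0 only if every knob reads back with the intended value.
afs_hardmount_check() {
    rc=0
    for pair in "hm_retry_int=$HM_RETRY_INT" \
                "hm_retry_RW=$HM_RETRY_RW" \
                "hm_retry_RO=$HM_RETRY_RO"; do
        knob="${pair%%=*}"; want="${pair#*=}"
        got="$(afs_get "$knob" 2>/dev/null)" || got="<unreadable>"
        if [ "$got" != "$want" ]; then
            echo "afs_hardmount_check: $knob is '$got', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Only act when explicitly asked, so the file can also be sourced (for example
# from afs.conf's post-init hook) to define the functions without side effects.
if [ "${AFS_HARDMOUNT:-}" = "apply" ]; then
    afs_hardmount_apply && afs_hardmount_check
fi
```

On a Debian client you can source this file from /etc/openafs/afs.conf and set `afs_post_init_hook() { afs_hardmount_apply && afs_hardmount_check; }` in place of the three bare sysctl lines; the init script's exit status then reflects whether hard-mount semantics are actually in force.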
Landing a Keytab
We often want hosts to be able to access configuration or store data in afs. In order to do so, you will need to create a kerberos principal for the machine and give it an entry in the pts database, much like you would for a user.
Host Principal and Keytab
If a machine needs to be able to access configuration from afs, you need to create a keytab and pts entry for it to use and then fiddle with its local afs configuration.
Based on a tutorial identified by nwf, you can do the following to get a proper keytab for the machine. First, kadmin from an appropriate machine. Then (replacing HOSTNAME with the name of the machine you're setting up):
addprinc -randkey host/HOSTNAME.acm.jhu.edu
ktadd -k HOSTNAME.keytab host/HOSTNAME.acm.jhu.edu
This will give you a keytab called HOSTNAME.keytab in the homedir of whatever machine you were kadmin'ing from. scp (or otherwise transfer) it over to the machine that actually needs it, then stick that keytab in /etc/krb5.keytab.
PTS Entry
Because afs is old, it uses a somewhat different syntax for host principals. In any event, the command you want (after putting on your admin hat and running aklog) is:
pts cu -na rcmd.HOSTNAME
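The keytab and pts steps above are easy to get subtly wrong: a world-readable /etc/krb5.keytab lets any local user act as the host, and a typo in HOSTNAME produces a principal and a pts entry that do not match. The script below is an added example, not part of the original page or the tutorial it cites; it wraps the page's commands (addprinc -randkey, ktadd, pts cu -na rcmd.HOSTNAME) in functions that validate the hostname, install the keytab with mode 0600, and confirm the expected principal is in it. ADMIN_PRINC, the helper names, and the final kinit -k/aklog verification step are this example's own assumptions, not something the page specifies.

```shell
#!/bin/sh
# Added example (not from the original page): host enrolment helpers around
# the page's kadmin and pts commands. Assumptions: ADMIN_PRINC is whichever
# principal you run kadmin as; the verify step (kinit -k then aklog) is an
# extra check beyond the page's procedure.

REALM_DOMAIN="acm.jhu.edu"            # from the page: host/HOSTNAME.acm.jhu.edu
ADMIN_PRINC="${ADMIN_PRINC:-admin}"   # assumed: your admin principal

# Kerberos principal for a host, in the page's form.
host_principal() { echo "host/$1.$REALM_DOMAIN"; }

# pts name for the same host: AFS's older "rcmd.HOST" spelling (page's form).
pts_name() { echo "rcmd.$1"; }

# Only plain short hostnames: the value ends up in a filename and inside a
# kadmin -q command string, so reject separators and option-like values.
valid_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Step 1 (page): create the principal with a random key, extract HOST.keytab.
make_keytab() {
    host="$1"
    valid_hostname "$host" || { echo "make_keytab: bad hostname '$host'" >&2; return 1; }
    princ="$(host_principal "$host")"
    kadmin -p "$ADMIN_PRINC" -q "addprinc -randkey $princ" &&
    kadmin -p "$ADMIN_PRINC" -q "ktadd -k $host.keytab $princ"
}

# Step 2 (page): land the keytab as /etc/krb5.keytab. Mode 0600 is enforced
# because anyone who can read the keytab can impersonate the host.
install_keytab() {
    src="$1"; dst="${2:-/etc/krb5.keytab}"
    [ -s "$src" ] || { echo "install_keytab: $src missing or empty" >&2; return 1; }
    install -m 600 "$src" "$dst" || return 1
    if [ "$(id -u)" = 0 ]; then chown root:root "$dst" || return 1; fi
    mode="$(stat -c %a "$dst")"
    [ "$mode" = "600" ] || { echo "install_keytab: $dst has mode $mode, expected 600" >&2; return 1; }
}

# Step 3 (page): create the pts entry, with admin tokens from aklog.
make_pts_entry() {
    valid_hostname "$1" || return 1
    aklog && pts cu -na "$(pts_name "$1")"
}

# Step 4 (assumed extra check): the keytab names the right principal and the
# key actually matches the KDC, i.e. a keytab-based kinit succeeds.
verify_host_keytab() {
    host="$1"; kt="${2:-/etc/krb5.keytab}"
    princ="$(host_principal "$host")"
    klist -k "$kt" | grep -Fq "$princ" || { echo "verify: $princ not in $kt" >&2; return 1; }
    kinit -k -t "$kt" "$princ" && aklog
}

# Typical order, run from the admin side then on the target host:
#   make_keytab myhost                      (admin machine)
#   scp myhost.keytab myhost:/root/         (transfer)
#   install_keytab /root/myhost.keytab      (on myhost, as root)
#   make_pts_entry myhost                   (admin machine, with admin tokens)
#   verify_host_keytab myhost               (on myhost)
```

Note that the pts name drops the domain (rcmd.myhost, not rcmd.myhost.acm.jhu.edu) while the Kerberos principal keeps it; deriving both from one validated hostname in the same script is what keeps them in agreement.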