NOTE: THIS INFORMATION IS LIKELY DEPRECATED AND HAS NOT BEEN UPDATED SINCE UBUNTU EDGY!
Setting Up Umich AFS On Ubuntu is surprisingly easy, as long as you have the proper configuration information. I used two resources to assist me in the process: your Ubuntu or Debian Box Athena-ish, which is specific to MIT's Athena environment, and Native AFS Support on OS X, which is specific to Michigan.
There are four main steps:
Disclaimer: This method is not endorsed or supported by the University of Michigan in any manner. This has the potential to botch up your computer seriously, particularly if you decide to alter configuration files related to the Pluggable Authentication Modules (PAM).
We are using MIT Kerberos, as opposed to the Heimdal/KTH Kerberos implementation. Note that Michigan is transitioning from Kerberos 4 to 5. That link is a good resource to keep track of the progress of the transition.
You will need to ensure that the universe repository is enabled in your sources list, either by editing /etc/apt/sources.list manually or in Adept or the other package manager of your choice.
To install Kerberos, download the relevant packages using
apt-get install krb5-user krb4-config
You could configure Kerberos by specifying the following information:
- Realm: UMICH.EDU
- Kerberos servers:
  - kerberos-1.umich.edu
  - kerberos-2.umich.edu
  - kerberos-3.umich.edu
- Kerberos admin server (KDC): kerberos-admin.umich.edu
To do this, run the following:
dpkg-reconfigure krb5-config krb4-config
However, my suggestion would be to just copy the files from one of the login service machines to your own machine. After connecting via SSH to the login service, copy the files to your home directory:
cp /etc/krb* ~
Then, from your own computer, copy the files from your AFS space to your computer:
scp uniqname@sftp.itd.umich.edu:~/krb* .
sudo cp krb* /etc
Once you have created or copied the configuration files, there is one small edit you need to make. In the [domain_realm] section of /etc/krb5.conf, add the following:
ifs.umich.edu = UMICH.EDU
.ifs.umich.edu = UMICH.EDU
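A mapping pasted under the wrong section (for example [libdefaults] instead of [domain_realm]) has no effect on host-to-realm mapping. The following check is an added example, not part of the original instructions; the function name check_domain_realm is an assumption, and it reads whatever krb5.conf path you pass it.

```shell
#!/bin/sh
# Added example (not from the original page): verify that both
# ifs.umich.edu mappings sit inside [domain_realm] of a krb5.conf.
# check_domain_realm is a hypothetical helper name.

# Prints each missing or wrong mapping; returns 0 only if both are present.
check_domain_realm() {
    conf=$1
    awk '
        # Skip comment lines (krb5.conf comments start with # or ;).
        /^[ \t]*[#;]/ { next }
        # Trim leading and trailing whitespace, then skip blank lines.
        { gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        # Remember which [section] the following lines belong to.
        /^\[.*\]$/ { section = $0; next }
        # Record "host-or-domain = REALM" pairs from [domain_realm] only.
        section == "[domain_realm]" {
            n = split($0, kv, /[ \t]*=[ \t]*/)
            if (n == 2) realm[kv[1]] = kv[2]
        }
        END {
            missing = 0
            want[1] = "ifs.umich.edu"
            want[2] = ".ifs.umich.edu"
            for (i = 1; i <= 2; i++)
                if (realm[want[i]] != "UMICH.EDU") {
                    print "missing or wrong: " want[i] " = UMICH.EDU"
                    missing = 1
                }
            exit missing
        }
    ' "$conf"
}
```

Run it as check_domain_realm /etc/krb5.conf after making the edit; a zero exit status means both mappings are in place.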
If you want Kerberos-enabled SSH, download the appropriate package:
apt-get install ssh-krb5
N.B.: I have found that authenticating to the Umich login servers using Kerberos-enabled SSH takes too long, as I am one of little patience. If you want to use it, bear that in mind.
To add GSSAPI support for KMail, etc., install the following:
apt-get install libsasl2-gssapi-mit
If you'd like Kerberos tickets and AFS tokens to be granted at login, add the requisite packages:
apt-get install libpam-krb5 libpam-openafs-session
You must then edit two configuration files relating to PAM, /etc/pam.d/common-auth and /etc/pam.d/common-session. Edit /etc/pam.d/common-auth to read:
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so use_first_pass forwardable
Edit /etc/pam.d/common-session to read:
session required pam_unix.so
session optional pam_krb5.so
session optional pam_openafs_session.so
N.B.: Editing /etc/pam.d/common-session removes a line that reads:
session required pam_foreground.so
This seems to be mandatory for many KDE applications to work right out of the box. I know that if this is missing, it will prevent knetworkmanager and KDE's ACPI support from working properly. I haven't tried to add this again, since getting tickets on login isn't a high priority for me. For more information, consult the Ubuntu Wiki page on Network Manager.
Installing OpenAFS on Kubuntu (or any Linux system) requires building kernel modules. If you are using a stock Kubuntu kernel, use the following directions. Otherwise, consult the MIT directions.
First, download the packages required for building the OpenAFS modules:
apt-get install module-assistant build-essential gcc-4.0
apt-get install openafs-modules-source
Then build the kernel modules, install them, and check their dependencies:
module-assistant prepare
module-assistant auto-install openafs-modules
depmod -a
If there are no errors, download the OpenAFS client software:
apt-get install openafs-client openafs-krb5
To configure, run
dpkg-reconfigure openafs-client
The cell name is umich.edu; most other options should be straightforward. You may also want to copy the CellServDB from one of the login service machines. SSH into the login service and copy the file to your AFS home directory:
cp /etc/openafs/CellServDB ~
Then, from your own machine, copy it from your AFS directory:
scp uniqname@sftp.itd.umich.edu:~/CellServDB .
sudo cp CellServDB /etc/openafs
To authenticate to Kerberos:
kinit uniqname@UMICH.EDU
If your uniqname happens to be the same as your username on your machine, you can just use kinit.
Once you've run kinit, you can authenticate to AFS by using:
aklog
N.B.: klog will not work since it is written for Kerberos 4. I have not tested ak5log or any patches to kinit that grant AFS tokens immediately after Kerberos authentication.
To destroy your Kerberos tickets:
kdestroy
To discard your AFS tokens:
unlog