@anarchivist
Created November 11, 2010 07:09
Setting Up Umich AFS On Ubuntu

NOTE: THIS INFORMATION IS LIKELY DEPRECATED AND HAS NOT BEEN UPDATED SINCE UBUNTU EDGY!

Setting Up Umich AFS On Ubuntu is surprisingly easy, as long as you have the proper configuration information. I used two resources to assist me in the process: your Ubuntu or Debian Box Athena-ish, which is specific to MIT's Athena environment, and Native AFS Support on OS X, which is specific to Michigan.

There are four main steps:

  1. Install Kerberos
  2. Configure Kerberos
  3. Install and configure OpenAFS
  4. Authenticate to Kerberos and AFS

Disclaimer: This method is not endorsed or supported by the University of Michigan in any manner. This has the potential to botch up your computer seriously, particularly if you decide to alter configuration files related to the Pluggable Authentication Modules (PAM).

Install Kerberos

We are using MIT Kerberos, as opposed to the Heimdal/KTH Kerberos implementation. Note that Michigan is transitioning from Kerberos 4 to 5. That link is a good resource to keep track of the progress of the transition.

You will need to ensure that the universe repository is enabled in your sources list, either by editing /etc/apt/sources.list manually or in Adept or the other package manager of your choice.

To install Kerberos, download the relevant packages using

apt-get install krb5-user krb4-config

Configure Kerberos

Basic Configuration

You could configure Kerberos by specifying the following information:

  • Realm: UMICH.EDU
  • Kerberos servers:
    • kerberos-1.umich.edu
    • kerberos-2.umich.edu
    • kerberos-3.umich.edu
  • Kerberos admin server (KDC): kerberos-admin.umich.edu

To do this, run the following:

dpkg-reconfigure krb5-config krb4-config

However, my suggestion would be to just copy the files from one of the login service machines to your own machine. After connecting via SSH to the login service, copy the files to your home directory:

cp /etc/krb* ~

Then, from your own computer, copy the files from your AFS space to your computer:

scp uniqname@sftp.itd.umich.edu:~/krb* .
sudo cp krb* /etc

Once you have created or copied the configuration files, there is one small edit you need to make. In the [domain_realm] section of /etc/krb5.conf, add the following:

ifs.umich.edu = UMICH.EDU
.ifs.umich.edu = UMICH.EDU
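
The [domain_realm] edit above can be scripted so that repeating it never duplicates a mapping. This is an added example, not part of the original gist; the function names add_domain_realm and write_sample_conf and the sample file contents are constructed for illustration.

```shell
# Added example, not part of the original gist. add_domain_realm FILE DOMAIN REALM
# adds "DOMAIN = REALM" under [domain_realm] unless that key is already there.
add_domain_realm() {
    file=$1; domain=$2; realm=$3
    tmp=$(mktemp) || return 1
    awk -v d="$domain" -v r="$realm" '
        /^[ \t]*\[/ {                         # any section header
            insec = ($0 ~ /^[ \t]*\[domain_realm\][ \t]*$/)
            if (insec) { seen = 1; hdr = NR }
        }
        insec && !/^[ \t]*\[/ {               # a line inside [domain_realm]
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            if (key == d) present = 1
        }
        { lines[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                print lines[i]
                if (i == hdr && !present) print "    " d " = " r
            }
            if (!seen) { print "[domain_realm]"; print "    " d " = " r }
        }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"                      # rewrite in place, keeping owner and mode
    rm -f "$tmp"
}

# Constructed sample standing in for /etc/krb5.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = UMICH.EDU
[domain_realm]
    .umich.edu = UMICH.EDU
    umich.edu = UMICH.EDU

[login]
    krb4_convert = true
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
for d in ifs.umich.edu .ifs.umich.edu; do
    add_domain_realm "$conf" "$d" UMICH.EDU   # inserts the mapping
    add_domain_realm "$conf" "$d" UMICH.EDU   # second call changes nothing
done
cat "$conf"
rm -f "$conf"
```

Run it against a copy of /etc/krb5.conf first and compare the result with diff before replacing the real file.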

SSH with Kerberos authentication

If you want Kerberos-enabled SSH, download the appropriate package:

apt-get install ssh-krb5

N.B.: I have found that authenticating to the Umich login servers using Kerberos-enabled SSH takes too long, as I am one of little patience. If you want to use it, bear that in mind.

Adding GSSAPI support

To add GSSAPI support for KMail, etc., install the following:

apt-get install libsasl2-gssapi-mit

Granting Kerberos tickets and AFS tokens at login using Pluggable Authentication Modules

If you'd like Kerberos tickets and AFS tokens to be granted at login, add the requisite packages:

apt-get install libpam-krb5 libpam-openafs-session

You must then edit two configuration files relating to PAM, /etc/pam.d/common-auth and /etc/pam.d/common-session. Edit /etc/pam.d/common-auth to read:

auth    sufficient      pam_unix.so nullok_secure
auth    sufficient      pam_krb5.so use_first_pass forwardable

Edit /etc/pam.d/common-session to read:

session         required        pam_unix.so
session         optional        pam_krb5.so
session         optional        pam_openafs_session.so

N.B.: Editing /etc/pam.d/common-session removes a line that reads:

session         required        pam_foreground.so

This seems to be mandatory for many KDE applications to work right out of the box. I know that if this is missing this will prevent knetworkmanager and KDE's ACPI support from working properly. I haven't tried to add this again since getting tickets on login isn't a high priority for me. For more information, consult the Ubuntu Wiki page on Network Manager.
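
Because the PAM files are replaced wholesale, it helps to list which modules the installed file loads that the replacement no longer does before overwriting anything. This is an added example, not part of the original gist; the function names and the "current" file contents are constructed, while the "proposed" content is the common-session text given above.

```shell
# Added example, not part of the original gist.
# pam_modules FILE: print the module named on each active PAM line, sorted, unique.
pam_modules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*@/ { next }   # comments, blanks, @include
        $2 ~ /^\[/ {                    # control written as [value=action ...]
            rest = substr($0, index($0, "]") + 1)
            split(rest, f, " ")
            print f[1]; next
        }
        { print $3 }                    # fields are: type, control, module
    ' "$1" | LC_ALL=C sort -u
}

# pam_dropped CURRENT PROPOSED: modules CURRENT loads that PROPOSED no longer does.
pam_dropped() {
    cur=$(mktemp) && new=$(mktemp) || return 1
    pam_modules "$1" > "$cur"
    pam_modules "$2" > "$new"
    LC_ALL=C comm -23 "$cur" "$new"
    rm -f "$cur" "$new"
}

# Constructed stand-in for the installed /etc/pam.d/common-session.
write_current() {
    printf '%s\n' '# constructed sample' \
        'session required pam_unix.so' \
        'session required pam_foreground.so' > "$1"
}
# The replacement content given in the text above.
write_proposed() {
    printf '%s\n' 'session         required        pam_unix.so' \
        'session         optional        pam_krb5.so' \
        'session         optional        pam_openafs_session.so' > "$1"
}

dir=$(mktemp -d)
write_current "$dir/common-session.orig"
write_proposed "$dir/common-session.new"
echo "Modules the edit would drop:"
pam_dropped "$dir/common-session.orig" "$dir/common-session.new"
rm -rf "$dir"
```

On a real system, pass a saved copy of the installed file as CURRENT and keep that copy so the original PAM configuration can be restored.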

Install and Configure OpenAFS

Installing OpenAFS on Kubuntu (or any Linux system) requires building kernel modules. If you are using a stock Kubuntu kernel, use the following directions. Otherwise, consult the MIT directions.

First, download the packages required for building the OpenAFS modules:

apt-get install module-assistant build-essential gcc-4.0
apt-get install openafs-modules-source

Then build the kernel modules, install them, and check their dependencies:

module-assistant prepare
module-assistant auto-install openafs-modules
depmod -a

If there are no errors, download the OpenAFS client software:

apt-get install openafs-client openafs-krb5

To configure, run

dpkg-reconfigure openafs-client

The cell name is umich.edu; most other options should be straightforward. You may also want to copy the CellServDB from one of the login service machines. SSH into the login service and copy the file to your AFS home directory:

cp /etc/openafs/CellServDB ~

Then, from your own machine, copy it from your AFS directory:

scp uniqname@sftp.itd.umich.edu:~/CellServDB .
sudo cp CellServDB /etc/openafs

Authenticate to Kerberos and AFS

To authenticate to Kerberos:

kinit uniqname@UMICH.EDU

If your uniqname happens to be the same as your username on your machine, you can just use kinit.

Once you've run kinit, you can authenticate to AFS by using:

aklog

N.B.: klog will not work since it is written for Kerberos 4. I have not tested ak5log or any patches to kinit that grant AFS tokens immediately after Kerberos authentication.

To destroy your Kerberos tickets:

kdestroy

To discard your AFS tokens:

unlog