Skip to content

Instantly share code, notes, and snippets.

@danifr
Last active September 9, 2020 21:52
Show Gist options
  • Star 3 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save danifr/773d7b049454390d1e51 to your computer and use it in GitHub Desktop.
Save danifr/773d7b049454390d1e51 to your computer and use it in GitHub Desktop.
Install and configure CERN OpenAFS on Fedora 20/21/22 Centos 7/7.1 and RHEL

Before you start...

I wrote a small script to automate all this process.

Also...

**********************************************************************************************************
  BUGS, COMMENTS, SUGGESTIONS, PLEASE OPEN AN ISSUE --> https://github.com/danifr/miscellaneous/issues
**********************************************************************************************************

Install and configure CERN OpenAFS on Fedora 20/21/22../30 Centos 7/7.X and RHEL

Prerequisites

Please notice that to avoid any kind of issue, you should execute the following commands as root.

  • su -

Installing Dependencies

  • yum install rpm-build bison flex kernel-devel kernel-devel-x86_64 krb5-devel ncurses-devel pam-devel perl-ExtUtils-Embed perl-devel swig

  • yum groupinstall 'Development Tools'

Installing & configuring Kerberos + OpenAFS

Kerberos Client

Installation

  • yum install krb5-workstation

Configuration

  • wget http://linux.web.cern.ch/linux/docs/krb5.conf -O /etc/krb5.conf

OpenAFS Client

Installation

Go to the OpenAfs official website and download the latest 'src.rpm' package.

  • wget https://www.openafs.org/dl/openafs/1.6.11.1/openafs-1.6.11.1-1.src.rpm

Once downloaded:

  • rpmbuild --rebuild openafs-1.6.11.1-1.src.rpm

Depending on your hardware this step might take a long time. Sit back and relax :)

...

At this point we will basically need to install ALL the generated packages except openafs-kpasswd (because of conflicts issues with krb5-workstation) and openafs-server (not needed):

  • cd ~/rpmbuild/RPMS/x86_64/

  • yum install dkms-openafs-1.6.11.1-1.fc22.x86_64.rpm kmod-openafs-1.6.11.1-1.4.0.4_301.fc22.x86_64.rpm openafs-1.6.11.1-1.fc22.x86_64.rpm openafs-authlibs-1.6.11.1-1.fc22.x86_64.rpm openafs-authlibs-devel-1.6.11.1-1.fc22.x86_64.rpm openafs-client-1.6.11.1-1.fc22.x86_64.rpm openafs-compat-1.6.11.1-1.fc22.x86_64.rpm openafs-debuginfo-1.6.11.1-1.fc22.x86_64.rpm openafs-devel-1.6.11.1-1.fc22.x86_64.rpm openafs-docs-1.6.11.1-1.fc22.x86_64.rpm openafs-kernel-source-1.6.11.1-1.fc22.x86_64.rpm openafs-krb5-1.6.11.1-1.fc22.x86_64.rpm

Configuration

Edit '/usr/vice/etc/ThisCell'...

  • echo "cern.ch" > /usr/vice/etc/ThisCell

... and add the following lines to '/etc/krb5.conf':

[realms]
  CERN.CH = {
    default_domain = cern.ch
    kpasswd_server = afskrb5m.cern.ch
    admin_server = afskrb5m.cern.ch
    kdc = afsdb1.cern.ch        # ADD THIS LINE
    kdc = afsdb2.cern.ch        # ADD THIS LINE
    kdc = afsdb3.cern.ch        # ADD THIS LINE
  }

[domain_realm]
  cern.ch = CERN.CH             # ADD THIS LINE
  .cern.ch = CERN.CH

Finally, start and enable the service.

  • systemctl start openafs-client.service

  • systemctl enable openafs-client.service

Usage

To start using it, you will need valid kerberos ticket:

  • kinit <username>@CERN.CH

And also mount the afs share on the our system:

  • aklog

After doing it, you will be able to access your personal share from:

/afs/cern.ch/user/<first_letter_username>/<username>

@piotrskowronski
Copy link

Hi,

Just tried on FC22. rpm rebuilt ended with this error

CC [M] /root/rpmbuild/BUILD/openafs-1.6.11.1/src/libafs/MODLOAD-4.2.8-200.fc22.x86_64-SP/rx_kmutex.o
In file included from /root/rpmbuild/BUILD/openafs-1.6.11.1/src/afs/sysincludes.h:131:0,
from /root/rpmbuild/BUILD/openafs-1.6.11.1/src/rx/rx_kcommon.h:156,
from /root/rpmbuild/BUILD/openafs-1.6.11.1/src/libafs/MODLOAD-4.2.8-200.fc22.x86_64-SP/rx_kmutex.c:20:
include/linux/backing-dev.h:25:3: warning: 'printk' is an unrecognized format function type [-Wformat=]
const char *fmt, ...);
^
In file included from /root/rpmbuild/BUILD/openafs-1.6.11.1/src/libafs/MODLOAD-4.2.8-200.fc22.x86_64-SP/rx_kmutex.c:24:0:
/root/rpmbuild/BUILD/openafs-1.6.11.1/src/afs/LINUX/osi_compat.h: In function 'do_sync_read':
/root/rpmbuild/BUILD/openafs-1.6.11.1/src/afs/LINUX/osi_compat.h:53:12: error: implicit declaration of function 'generic_file_read' [-Werror=implicit-function-declaration]
return generic_file_read(fp, buf, count, offp);

@danifr
Copy link
Author

danifr commented Jun 4, 2016

Sorry for the late response, I just saw your message o_O :/

I think this error was caused because your kernel version (4.2.8) was not supported by the version of openafs you were trying to compile (v1.6.11.1)

You should have picked a newer version from https://www.openafs.org/release/index.html

Anyway, as today (Jun 2016) the latest version of openafs only supports up to kernel 4.4...

@dcsouthwick
Copy link

dcsouthwick commented Jun 14, 2016

Yep - tried with latest public release (1.6.18) on fc23 since fc24 is scheduled for release in a few days - does not pass the recompile against 4.5.6-200.fc23

error: unknown field 'follow_link' specified in initializer
error: unknown field 'put_link' specified in initializer
error: implicit declaration of function 'nd_set_link'
make[6] leaving /usr/src/kernels/4.5.6.-200.fc23.x86_64 FAILURE: make exit code 2

Hmm any advice for those of us that want to try with 4.5.x kernel, or the 4.6x kernel next week?

@eparadas
Copy link

eparadas commented Jun 23, 2016

Instructions are working fine on Fedora 23.
Just a small addition for the aklog command. In my case I had to do:
aklog -c cern.ch -k CERN.CH

Thanks!

@dcsouthwick
Copy link

dcsouthwick commented Jul 5, 2016

Looks like they just added support for 4.5.x kernel! Hopefully they will continue on this pace and add support for 4.6.x kernel that fc24 supports.
@eparadas - I tried explicitly declaring the cell / krb_realm but it still returns Using Kerberos V5 ticket natively. Identical tokens already exist; skipping.

afs so far works as expected with 4.5.x

sidenote: kernel 4.5.5.fc24 cannot install openafs-kpasswd alongside krb5-workstation

@danifr
Copy link
Author

danifr commented Jul 26, 2016

Hi all @dcsouthwick, @eparadas, @piotrskowronski,

sorry, I don't get any notification when new comments are posted here...

I've created this script (https://github.com/danifr/miscellaneous/blob/devel/CERN_OpenAFS/openafs_update.sh) to automate the building and installation process of the newer versions of openAFS.
I tested it on several machines (Fedora 22, Fedora 23 and Fedora 24) and it works great.

I'm very happy with it and I think more people can benefit from it.
Feedback would be highly appreciated!!

@dinojugosloven
Copy link

dinojugosloven commented Sep 7, 2016

This is not working on CentOS 7.2 .
It seems that the fields in krb5.conf file should not be changed.
` CERN.CH = {
default_domain = cern.ch
kpasswd_server = cerndc.cern.ch
admin_server = cerndc.cern.ch
kdc = cerndc.cern.ch

v4_name_convert = {
host = {
rcmd = host
}
}
}`

@danifr
Copy link
Author

danifr commented Sep 22, 2016

Hi @dinojugosloven

This is not working on CentOS 7.2

I updated the script (https://github.com/danifr/miscellaneous/blob/devel/CERN_OpenAFS/openafs_update.sh), tried it, and it works like a charm. Now both Fedora (23,24) and CentOS (7.1 / 7.2) are supported.

Check it out and let me know!

@dinojugosloven
Copy link

Hi Dani,

I confirm that the downloading and installation of OpenAFS with your script works on CENTOS 7.3 out-of-the box. Thank you very much for this!
Dino

@Pigueiras
Copy link

@danifr we love you (L)

@flg
Copy link

flg commented Apr 11, 2017

Successfully installed Openafs 1.6.18.2-1 with kernel 4.4.60-1 (from elrepo) on CentOS 7. Thank you for this, quite useful.

@abunimeh
Copy link

abunimeh commented Sep 27, 2017

On Fedora 26 and CentOS 7 Epel, after installing krb5, do

# dnf copr enable jsbillings/openafs 
# dnf install openafs openafs-client openafs-krb5

enjoy

@stealex
Copy link

stealex commented Dec 21, 2017

Hello! I have tried this by hand and by using your script on CentOS 7.3 and it only works inside a CERN network. When outside CERN I receive :
$ kinit <myname>@CERN.CH
kinit: Cannot contact any KDC for realm
Has anyone encountered this? Is it a network problem? Thank you in advance

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment