Forked from OmeGak/
Created July 25, 2016 13:47
Authentication at CERN made not-an-ordeal (kind of)

AFS Kerberos at CERN

"Kerberos is not the authentication system CERN deserves, but the one we need". - A wise man

This guide aims to ease the pain of setting up Kerberos authentication on your local (Ubuntu) machine so that you can then completely forget about it.

Ready to fight?

First of all, install the following packages if you want to be successful on this journey:

  • openafs-client
  • openafs-modules-dkms
  • openafs-krb5
  • krb5-user
  • krb5-config
  • kstart

Entering the realm

Download the CERN.CH realm configuration for Kerberos from here and copy it all over!

$ sudo cp -f ./krb5.conf /etc/krb5.conf

It's dangerous to go alone! Take your keys!

You need to generate the keytab for your username@CERN.CH in your home folder before proceeding with your adventure.

$ ktutil
ktutil: addent -password -p username@CERN.CH -k 1 -e aes256-cts
ktutil: addent -password -p username@CERN.CH -k 1 -e arcfour-hmac-md5
ktutil: wkt .keytab
ktutil: q

Check your file:

$ ktutil
ktutil: rkt .keytab
ktutil: list

You should see something like this:

slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1                         username@CERN.CH
   2    1                         username@CERN.CH

Test that your keytab works. If you get no error message, everything is OK.

$ kinit -kt .keytab username

Hello AFS

First, make sure the CERN cell is set as your AFS default cell:

$ cat /etc/openafs/ThisCell

Get openafs client running:

$ sudo /etc/init.d/openafs-client start

You probably want openafs-client to run on boot, if it doesn't already. You can configure the daemon with:

$ sudo dpkg-reconfigure openafs-client

If you get an 'openafs.ko does not exist' error:

  1. Locate it with: $ sudo locate openafs.ko
  2. Open the openafs config file with: $ sudo vim /etc/openafs/afs.conf.client
  3. Set the directory of the module in the following entry: MODULEDIR='/lib/modules/3.2.0-88-generic-pae/extra/'

Finally, probe your /afs folder:

$ cd /afs

Authenticate that shit!

List your user directory in AFS and you will see you don't have access to your private folder. That's because you haven't authenticated yet.

$ ll /afs/
ls: cannot access private: Permission denied
total 2.0K
d????????? ? ?     ?       ?            ? private/
drwxr-xr-x 4 38268 2766 2.0K Aug  8  2013 public/

Release the power of authentication:

$ aklog CERN.CH
$ ll /afs/
total 4.0K
drwxr-xr-x 2 38268 2766 2.0K Apr 29  2013 private/
drwxr-xr-x 4 38268 2766 2.0K Aug  8  2013 public/

Forget about Kerberos

Now, this is the final step. We want the Kerberos ticket and AFS token to be renewed automatically and the authentication done completely under the hood.

You need to place these two commands in a script that will get executed on startup under your user:

export AKLOG="aklog CERN.CH"
k5start -b -f ~/.keytab -K 10 -l 7d -r CERN.CH -u username -t
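A startup wrapper for those two commands, as an added example that is not part of the gist: it refuses to launch k5start unless the keytab is a regular file owned by you and readable by nobody else, because the keytab holds your password-equivalent key and anyone who can read it can obtain tickets as you. The variable names KEYTAB and CERN_USER and the script name are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original gist). Assumed placeholders:
# KEYTAB is the keytab written with ktutil, CERN_USER is your CERN login.
KEYTAB="${KEYTAB:-$HOME/.keytab}"
CERN_USER="${CERN_USER:-username}"

# Return 0 only if the keytab is a regular file, owned by the calling user,
# and not readable by group or others (mode 600 or 400). Assumes GNU stat.
keytab_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%u' "$f") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        *600|*400) return 0 ;;
        *) return 1 ;;
    esac
}

# Launch k5start exactly as the guide does: background daemon (-b), wake
# every 10 minutes (-K 10), ask for 7-day tickets (-l 7d), run aklog after
# each renewal (-t) so the AFS token is refreshed together with the ticket.
start_auth() {
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing to start: $KEYTAB must exist, be owned by you and be mode 600" >&2
        return 1
    fi
    export AKLOG="aklog CERN.CH"
    k5start -b -f "$KEYTAB" -K 10 -l 7d -r CERN.CH -u "$CERN_USER" -t
}

# Only run when executed as the startup script, so the functions can be sourced.
if [ "${0##*/}" = "start-cern-auth.sh" ]; then
    start_auth
fi
```

Fix a keytab that fails the check with `chmod 600 ~/.keytab` rather than relaxing the check.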

And with this, sir, you're good to go!


To my friend and colleague Adrian Mönnich, who spent quite some time helping me get this thing figured out. Also to Ilias Trichopoulos and Andrea Santamaría who pointed out some errors that may arise in the process. To graipher for adding notes on openafs-client configuration.


This guide worked for me on Elementary OS Freya (based on Ubuntu 14.04 distro).

