Installing Kerberos and OpenAFS on Mac OS X 10.4 Tiger

Below you will find instructions on how to install OpenAFS on your Mac OS X box.
Note: This guide is intended for people at the Department of Physics, Stockholm University. It may prove useful for other people too, but some topics are clearly site and field specific.

This guide will install some additional Kerberos tools and the AFS implementation OpenAFS. In these instructions I will assume that you want to install OpenAFS in such a way that it is automatically started upon booting the machine, but that your home directory is still stored locally on your machine. If you don't want AFS to start automatically on boot, or if you want to get AFS tickets and tokens automatically upon login, instructions for that are given as special options at the end.

NOTE: These instructions are for Mac OS X Tiger. If you have an earlier version of Mac OS X, go here instead.

If you have any questions, send me an e-mail.

  1. Install Kerberos-Extras (optional).
    Kerberos is included with Mac OS 10.4, but these extras will give you some extra nice features, needed for some programs like Eudora or Fetch.
    If you want to have them, download and install Kerberos-Extras from MIT. They can be downloaded from this page.

  2. Install the edu.mit.Kerberos file.
    Install the Fysikum configuration file. The default Fysikum configuration file is available from here (control-click / right-click). However, if you want to acquire AFS tokens automatically upon login, you should instead download this file (see below for more details in this case). Save it as /Library/Preferences/edu.mit.Kerberos.
    Your Kerberos configuration is now complete. In /Applications/Utilities/ you will find a program called Kerberos with which you can acquire the needed tickets. If you don't like graphical user interfaces, you can also get tickets by typing kinit <username>@fysik.su.se in the terminal (or just kinit if your username is the same on your local machine and on the Fysikum cluster).

  3. Install OpenAFS.
    You are now ready to get OpenAFS working. Download the latest binary distribution from the OpenAFS project page and install it. Please note that there is a special version for Mac OS 10.4. As of this writing, the latest version is 1.4.2. If you have problems with it, you can also try later more experimental versions available on the same site.

  4. Configure OpenAFS.
    Change the file /var/db/openafs/etc/ThisCell so that it reads
    fysik.su.se

  5. Get access to your AFS files.
    After a reboot, you are now ready to access your AFS files. To get access to your AFS files you should first of all have obtained a Kerberos ticket with either the Kerberos application or with kinit as described under 2. above.
    You should then get tokens for the fysik.su.se AFS system. Do this by typing the command aklog in the terminal (fysik.su.se is not needed if you only have OpenAFS configured for one cell). You can now access your AFS home directory in
    /afs/fysik.su.se/home/<first_letter_of_username>/<username>/. In the Finder, choose 'Go->Go to folder...' and enter this address to get there, or cd to that path in the terminal.

  6. Laptop optional setup.
    The setup above works for both stationary computers and laptops. However, on laptops, OpenAFS could be a little bit unstable/unpredictable if you try to access AFS disks when you are not connected. If you want to circumvent this, move the folder 'OpenAFS' from '/Library/StartupItems' to a new folder '/Library/StartupItems-disabled'. This means that AFS is not loaded automatically on boot. You then have to start OpenAFS manually by typing:

    sudo /Library/StartupItems-disabled/OpenAFS/OpenAFS start

    in a terminal window. In the same manner, if you want to stop OpenAFS, you instead type

    sudo /Library/StartupItems-disabled/OpenAFS/OpenAFS stop


    in a terminal window. If you plan on doing this often, you might want to add an alias for this in your login file (e.g. .cshrc).

Optional installs/configurations

NOTE: The optional installs/configurations below have not been tested with Mac OS X 10.4 Tiger. Please try them out if you want to though.

  1. Automatic Kerberos tickets upon login.
    You can configure your machine to automatically give you a Kerberos ticket when you log in. If you want to do this, follow the instructions about Post-Login Kerberos Authentication here. If you have the same username and password on your Mac OS X machine and the Fysikum cluster, this method will give you a Kerberos ticket when you log in.

  2. Automatic AFS tokens upon login.
    It is possible to also configure your machine to automatically give you an AFS token when logging in (this requires that you have configured your machine for obtaining automatic Kerberos tickets above). It goes as follows:
    a) Download and install kfm_aklog as explained here.
    b) Make sure you have used the correct version of edu.mit.Kerberos above. It should contain the following line in the [libdefaults] area:
    login_logout_notification = "aklog"
    
    You will now get AFS tokens automatically when you log in.

  3. Enabling all AFS users on Fysikum and having their AFS directories as their home directories on the MacOS X machine.
    If you have followed 1. and 2. above, you can make it possible for all users on the Fysikum cluster to log in to your machine (this only works from the actual machine, i.e. not via ssh) and have their AFS home directory as their home directory on the MacOS X machine as well. This goes as follows:

    a) Download the Perl script nisync and install it as /usr/local/bin/nisync. Make sure it has the correct attributes by executing:
    sudo chmod a+x /usr/local/bin/nisync
    
    This little script will update the MacOS X NetInfo database to reflect the users on Fysikum. Execute it as root and your MacOS X machine will contain all Fysikum AFS accounts as users. For convenience, configure this script to run as a cron job once every second hour. To do this, as root type
    setenv EDITOR emacs
    crontab -u root -e
    If the emacs window you see is empty, add a header that looks like
    SHELL=/bin/sh
    #min hour mday month wday command
    
    and below that add a line to the crontab file that looks like
    47     0,2,4,6,8,10,12,14,16,18,20,22    *    *    *    perl /usr/local/bin/nisync
    
    Note: In the last line, the empty spaces between the different columns need to be tabs (except between perl and /usr/local/bin/nisync, where there is a normal space). Currently, there is a problem that a valid AFS token is needed to run this cron job. I will investigate how this can be solved.

    For users to be able to log in, you have to reconfigure your machine to use Kerberos for authentication. This is done by following the instructions for Kerberos Authentication Required for Login, I. Simpler Configuration here. AFS users should now be able to log in to your machine and be brought to their AFS home directory automatically.

    Note: In case the network or AFS is down, it is still possible to have a local password for each account. If you set a password with the passwd command, this will be a local password that is only used for authentication if either the network or the AFS servers are down.
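
Because the crontab entry in 3a runs /usr/local/bin/nisync as root every second hour, anyone who can modify that file or its directory can run commands as root, and chmod a+x alone does not guard against that. The check below is an added example, not part of the original guide or of the nisync script; the function names are hypothetical and it assumes a POSIX sh with ls and awk.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check a script before
# letting root's crontab run it. Function names are illustrative only.

# Succeeds if $1 is owned by uid $2 and is not writable by group or others.
owner_only_writable() {
    ls -ldn "$1" 2>/dev/null | awk -v want="$2" '
        # $1 = mode string (e.g. -rwxr-xr-x), $3 = numeric owner uid
        { ok = ($3 == want && substr($1, 6, 1) != "w" && substr($1, 9, 1) != "w") }
        END { exit !ok }'
}

# Succeeds if script $1 is a regular file (not a symlink) and both the script
# and its containing directory can only be modified by uid $2 (default: 0).
safe_for_root_cron() {
    script=$1
    owner=${2:-0}
    [ -f "$script" ] && [ ! -L "$script" ] || return 1
    owner_only_writable "$script" "$owner" || return 1
    owner_only_writable "$(dirname "$script")" "$owner"
}

# Print the crontab entry from step 3a with real tabs between the columns
# and a normal space between perl and the script path.
nisync_cron_line() {
    printf '47\t0,2,4,6,8,10,12,14,16,18,20,22\t*\t*\t*\tperl %s\n' "$1"
}
```

Run safe_for_root_cron /usr/local/bin/nisync before adding the crontab line; a non-zero exit status means the ownership or permissions of the script or of /usr/local/bin should be corrected first.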

This page was last modified 2007-01-11.