Installing Kerberos and OpenAFS on Mac OS X

Below you will find instructions on how to install OpenAFS on your Mac OS X box.
Note: This guide is intended for people at the Department of Physics, Stockholm University. It may prove useful for other people too, but some topics are clearly site and field specific.

This guide will install some additional Kerberos tools and the AFS implementation OpenAFS. An alternative to OpenAFS is Arla. If you prefer that, see this page. In these instructions I will assume that you want to set up your machine to automatically get both Kerberos tickets and AFS tokens for you upon login. Some steps in the instructions below are not necessary if you don't want that.

NOTE: These instructions are for Mac OSX 10.3 or 10.2. If you have Mac OS X 10.4 (Tiger), you should go here instead.

If you have any questions, send me an e-mail.

  1. Get your account kerberized.
    To be able to connect to AFS disks using Kerberos, your account needs to be kerberized. If this is not already done, ask Iouri to fix this for your account.

  2. Install Kerberos-Extras.
    Kerberos is included with Mac OS 10.2, but these extras will give you some extra nice features.
    Download and install Kerberos-Extras from MIT. They can be downloaded from this page.

  3. Install the mit.edu.Kerberos file.
    Install the Fysikum configuration file. The default Fysikum configuration file is available from here (control-click / right-click). However, if you want to acquire AFS tokens automatically upon login, you should instead download this file. Save it as /Library/Preferences/edu.mit.Kerberos.
    Your Kerberos configuration is now complete. In /Applications/Utilities/ you will find a program called Kerberos with which you can acquire the needed tickets. If you don't like graphical user interfaces, you can also get tickets by typing kinit <username>@fysik.su.se in the terminal.

  4. Install OpenAFS.
    You are now ready to get OpenAFS working. Download the latest binary distribution from the OpenAFS project page and install it. Please note that there is a special version for Mac OS 10.3.

  5. Configure OpenAFS.
    If the cell fysik.su.se is not included in /private/var/db/openafs/etc/CellServDB, add the following lines to the end of /private/var/db/openafs/etc/CellServDB:
    >fysik.su.se # Physics Department Stockholm University
    130.237.205.36 # sysafs1.fysik.su.se
    130.237.205.72 # sysafs2.fysik.su.se
    130.237.205.57 # sysafs3.fysik.su.se
          
    Change the file /var/db/openafs/etc/ThisCell so that it reads
    fysik.su.se
  6. Install aklog.
    You need a program to get AFS tokens. That is done by aklog which you can download from here. Save it as /Library/OpenAFS/Tools/bin/aklog and change the attributes so that you can run it:
    sudo chmod a+x /Library/OpenAFS/Tools/bin/aklog
    sudo ln -s /Library/OpenAFS/Tools/bin/aklog /usr/bin/aklog
  7. Get access to your afs files.
    After a reboot, you are now ready to access your AFS files. To get access to your AFS files you should first of all have obtained a Kerberos ticket with either the Kerberos application or with kinit as described under 3. above.
    You should then get tokens for the fysik.su.se AFS cell. Do this by typing the command aklog in the terminal (specifying fysik.su.se is not needed if you only have OpenAFS configured for one cell). You can now access your AFS home directory in
    /afs/fysik.su.se/home/<first_letter_of_username>/<username>/. In the Finder, choose 'Go->Go to folder...' and enter this address to get there, or cd to that path in the terminal.
  8. Laptop optional setup.
    The setup above works for both stationary computers and laptops. However, on laptops, OpenAFS is a little bit unstable/unpredictable if you try to access AFS disks when you are not connected to the network. If you want to circumvent this, move the folder 'OpenAFS' from '/Library/StartupItems' to a new folder '/Library/StartupItems-disabled'. This means that AFS is not loaded automatically on boot. You then have to start OpenAFS manually by typing:
    sudo startafs
    in a terminal window. The script startafs can be downloaded here. Put it wherever you like, e.g. in /usr/local/bin, and make it executable (by typing sudo chmod a+x /usr/local/bin/startafs). There is also a corresponding script stopafs to stop the AFS client (it is not 100% perfect, but works reasonably well). Install it in the same way as startafs.
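As an added example (not part of the original guide), the following POSIX shell script performs the file edits of steps 5 and 6 so they can be repeated safely: it appends the fysik.su.se block to CellServDB only when the cell header is not already present, and sets ThisCell. The AFS_ETC variable and the --apply flag are my own conventions; pointing AFS_ETC at copies of the files lets you test before touching the real ones.

```shell
#!/bin/sh
# Added example: idempotent OpenAFS client configuration for the fysik.su.se
# cell (steps 5 and 6 of the guide). AFS_ETC defaults to the guide's path
# and may be overridden; nothing is written unless --apply is given.
AFS_ETC="${AFS_ETC:-/private/var/db/openafs/etc}"
CELL="fysik.su.se"

# cell_listed FILE: succeed if FILE has a header line whose first field is >CELL
cell_listed() {
    awk -v cell=">$CELL" '$1 == cell { found = 1 } END { exit !found }' "$1" 2>/dev/null
}

# ensure_cellservdb FILE: append the guide's cell block only when it is missing,
# so running this twice never produces a duplicate cell entry
ensure_cellservdb() {
    if cell_listed "$1"; then
        echo "CellServDB already lists $CELL"
        return 0
    fi
    cat >>"$1" <<EOF
>fysik.su.se # Physics Department Stockholm University
130.237.205.36 # sysafs1.fysik.su.se
130.237.205.72 # sysafs2.fysik.su.se
130.237.205.57 # sysafs3.fysik.su.se
EOF
    echo "added $CELL to CellServDB"
}

# count_cell_servers FILE: number of server lines under the >CELL header
count_cell_servers() {
    awk -v cell=">$CELL" '
        $1 == cell    { in_cell = 1; next }
        /^>/          { in_cell = 0 }
        in_cell && NF { n++ }
        END           { print n + 0 }' "$1"
}

# ensure_thiscell FILE: ThisCell must contain exactly the cell name
ensure_thiscell() {
    if [ "$(cat "$1" 2>/dev/null)" != "$CELL" ]; then
        echo "$CELL" >"$1"
        echo "ThisCell set to $CELL"
    fi
}

# Only touch the configured directory when explicitly asked (run as root).
if [ "${1:-}" = "--apply" ]; then
    ensure_cellservdb "$AFS_ETC/CellServDB"
    ensure_thiscell "$AFS_ETC/ThisCell"
fi
```

Run `sudo AFS_ETC=/private/var/db/openafs/etc sh thisscript.sh --apply` once the files exist; a second run reports that the cell is already listed and changes nothing.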

Optional installs/configurations

  1. Automatic Kerberos tickets upon login.
    You can configure your machine to automatically give you a Kerberos ticket when you log in. If you want to do this, follow the instructions about Post-Login Kerberos Authentication here. If you have the same username and password on your Mac OS X machine and the Fysikum cluster, you will with this method get a Kerberos ticket when logging in.

  2. Automatic AFS tokens upon login.
    It is possible to also configure your machine to automatically give you an AFS token when logging in (this requires that you have configured your machine for obtaining automatic Kerberos tickets above). It goes as follows:
    a) Download and install kfm_aklog as explained here.
    b) Make sure you have used the correct version of edu.mit.Kerberos above. It should contain the following line in the [libdefaults] area:
    login_logout_notification = "aklog"
    
    You will now get AFS tokens automatically when you log in.

  3. Enabling all AFS users on Fysikum and having their AFS directories as their home directories on the MacOS X machine.
    If you have followed 1. and 2. above, you can make it possible for all users on the Fysikum cluster to login to your machine (this only works from the actual machine, i.e. not via ssh) and have their AFS home directory as their home directory on the MacOS X machine as well. This goes as follows:

    a) Download the Perl script nisync and install it as /usr/local/bin/nisync. Make sure it has the correct attributes by executing:
    sudo chmod a+x /usr/local/bin/nisync
    
    This little script will update the MacOS X NetInfo database to reflect the users on Fysikum. Execute it as root and your MacOS X machine will contain all Fysikum AFS accounts as users. For convenience, configure it to run as a cron job once every second hour. To do this, as root type
    setenv EDITOR emacs
    crontab -u root -e
    If the emacs window you see is empty, add a header that looks like
    SHELL=/bin/sh
    #min hour mday month wday command
    
    and below that add a line to the crontab file that looks like
    47     0,2,4,6,8,10,12,14,16,18,20,22    *    *    *    perl /usr/local/bin/nisync
    
    Note: In the last line, the empty spaces between the different columns need to be tabs (except between perl and /usr/local/bin/nisync, where there is a normal space). Currently, there is a problem that a valid AFS token is needed to run this cron job. I will investigate how this can be solved.

    For users to be able to login, you have to reconfigure your machine to use Kerberos for authentication. This is done by following the instructions for Kerberos Authentication Required for Login, I. Simpler Configuration here. AFS users should now be able to login to your machine and be brought to their AFS home directory automatically.

    Note: In case the network or AFS is down, it is still possible to have a local password for each account. If you set a password with the passwd command, this will be a local password that is only used for authentication if either the network or the AFS servers are down.

This page was last modified 2005-10-25.