Off Campus Access for Cornell GuestID Users

CNF users with a Cornell GuestID (username begins with gid-) will not be able to authenticate to CNF AFS unless connected to the Cornell VPN. To connect to the Cornell VPN, please follow the "CNF Group VPN - for users with a Cornell GuestID" instructions on our Coral from Off Campus webpage.

Installing

Linux

Kernel 4.4 (3.x for Debian/Ubuntu/Mint based distros)

OpenAFS is not currently compatible with Linux kernel 4.4 or higher – you will experience data corruption. Debian/Ubuntu/Mint based distros have backported the kernel patch breaking AFS to 3.x kernels.

Build an OpenAFS kernel module containing a workaround using the following instructions (you may need to install additional development tools and libraries, such as Git and the kernel development libraries, on your system):


git clone git://git.openafs.org/openafs.git

cd openafs

git checkout --track origin/openafs-stable-1_6_x

git fetch http://gerrit.openafs.org/openafs refs/changes/17/12217/1 && git cherry-pick FETCH_HEAD
git fetch http://gerrit.openafs.org/openafs refs/changes/70/12170/3 && git cherry-pick FETCH_HEAD
git fetch http://gerrit.openafs.org/openafs refs/changes/69/12169/2 && git cherry-pick FETCH_HEAD

sh regen.sh

./configure

make libafs

This will generate: ./src/libafs/`uname -r`/libafs.ko

Find in /lib/modules/`uname -r` the openafs.ko file (this file may be in a subfolder such as extra), and replace it with the above generated libafs.ko (making sure to still call it openafs.ko).

Run depmod -a.

After a reboot, OpenAFS should now be happy... or you can manually start OpenAFS (service openafs-client start usually works).
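The replace step above as a small shell function, added here as an example and not part of the original instructions or of OpenAFS; the function name and the .orig backup suffix are choices made for this example. It refuses to act unless exactly one openafs.ko exists under the module tree, and it keeps the distribution's module as a backup so the change can be rolled back.

```shell
#!/bin/sh
# Added example: swap the installed openafs.ko for the freshly built libafs.ko.
# install_afs_module <built libafs.ko> <module tree, e.g. /lib/modules/$(uname -r)>
# Prints the path of the replaced module; the previous file is kept as *.orig.
install_afs_module() {
    built=$1
    tree=$2
    [ -f "$built" ] || { echo "built module not found: $built" >&2; return 1; }

    # The file may sit in a subfolder such as extra/, so search the whole tree.
    found=$(find "$tree" -type f -name openafs.ko)
    count=$(printf '%s\n' "$found" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one openafs.ko under $tree, found $count" >&2
        return 1
    fi

    # Back up only once, so a second run cannot overwrite the original module.
    [ -e "$found.orig" ] || cp -p "$found" "$found.orig" || return 1
    install -m 0644 "$built" "$found" || return 1   # still named openafs.ko
    printf '%s\n' "$found"
}

# Typical use, as root, followed by the depmod step from the instructions:
#   install_afs_module "./src/libafs/$(uname -r)/libafs.ko" "/lib/modules/$(uname -r)" \
#       && depmod -a
```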

Overview

Linux installations vary by distribution. Some distributions may include versions of OpenAFS either stock or as an add-on. Downloads are also available from the main www.openafs.org website.

For Linux, be sure to use 1.6.17 or greater.

If you need to build your own OpenAFS RPMs from the OpenAFS git source tree, see this page.

Redhat Enterprise Linux and Fedora

The best source of RPMs for RHEL and for Fedora is the jsbillings Copr repositories. There are two repositories, and you will need both. The first is the main OpenAFS client Copr repository and the second is the OpenAFS kernel module repository. You should install both repositories on your system, as the main repo depends on the kernel modules in the kmod repo. For the kernel modules, CNF recommends using dkms (and the dkms-openafs RPM) instead of individual kernel-version-specific modules.

Note that the jsbillings Copr repositories change from the old Transarc paths for OpenAFS binaries, config files, and cache partition locations to Linux Standard Base compatible locations.

  • openafs-compat
  • openafs-authlibs
  • openafs-server (if running an openafs server)
  • openafs-devel (if you want the devel libs)
  • openafs
  • dkms-openafs (if you want to dynamically build kernel modules ... you will also need the dkms rpm, available from multiple sources)
  • openafs-authlibs-devel (again, if you want the devel libs)
  • openafs-client (for running the openafs client)
  • openafs-docs
  • openafs-krb5
  • openafs-kernel-source (again, for devel purposes)

General Linux Configuration

After installing AFS, make sure to set the cellname in your ThisCell file to cnf.cornell.edu. The location of the ThisCell file varies depending on your Linux distribution. You should also consider increasing the cache size in the cacheinfo file from the default.

With each upgrade to your Linux kernel, you will need a new OpenAFS kernel module. CNF recommends the use of DKMS to automatically build new kernel modules. If using an RPM based distribution, openafs.org provides a dkms-openafs RPM.

Kerberos is also required on Linux and must be configured with a krb5.conf file. The exact format of your Kerberos configuration file may vary depending on whether you are using MIT Kerberos or Heimdal Kerberos. Regardless, the following must be defined in your Kerberos config file:

[libdefaults]
 # allow_weak_crypto = true permits weak encryption types such as single DES
 allow_weak_crypto = true
 ticket_lifetime = 30d
 renew_lifetime = 30d
 forwardable = true
 renewable = true

[realms]
 CIT.CORNELL.EDU = {
  kdc = kerberos.cit.cornell.edu:88
  kdc = kerberos2.cit.cornell.edu:88
  admin_server = kerberos.cit.cornell.edu:749
  default_domain = cit.cornell.edu
 }

 CNF.CORNELL.EDU = {
  kdc = hole.cnf.cornell.edu:88
  kdc = smoke.cnf.cornell.edu:88
  kdc = mist.cnf.cornell.edu:88
  admin_server = hole.cnf.cornell.edu:749
  default_domain = cnf.cornell.edu
 }

 CORNELL.EDU = {
  kdc = ad7.cornell.edu
  kdc = ad8.cornell.edu
  default_domain = cornell.edu
 }

 GUEST.CORNELL.EDU = {
  kdc = obsidian1.cit.cornell.edu:88
  kdc = obsidian2.cit.cornell.edu:88
  admin_server = obsidian1.cit.cornell.edu
  default_domain = guest.cornell.edu
 }

[domain_realm]
 .cit.cornell.edu = CIT.CORNELL.EDU
 cit.cornell.edu = CIT.CORNELL.EDU
 .mail.cornell.edu = CIT.CORNELL.EDU
 mail.cornell.edu = CIT.CORNELL.EDU
 .cnf.cornell.edu = CNF.CORNELL.EDU
 cnf.cornell.edu = CNF.CORNELL.EDU

If using MIT Kerberos, you must also set the following in your krb5.conf (Heimdal uses a different syntax for the capaths section):

[capaths]
CIT.CORNELL.EDU = {
    CNF.CORNELL.EDU = .
}

GUEST.CORNELL.EDU = {
    CNF.CORNELL.EDU = .
}

CORNELL.EDU = {
    CNF.CORNELL.EDU = .
}
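A check that a krb5.conf (or a krb5.ini merged with another organization's file) still defines the realms and the MIT-style capaths entries listed above, and that reports when allow_weak_crypto is enabled. This is an added example, not CNF or MIT tooling; the function names and the constructed sample file are assumptions of the example.

```shell
#!/bin/sh
# Added example. check_cnf_krb5 [file]: reads an MIT-style krb5.conf (stdin if
# no file), prints one line per missing item, returns 1 if anything is missing.
check_cnf_krb5() {
    awk '
    BEGIN { FS = "[ \t]*=[ \t]*" }
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim; \r covers a Windows krb5.ini
    /^[#;]/ || $0 == "" { next }                   # comment or blank line
    /^\[/ { sub(/^\[/, ""); sub(/\].*/, ""); sec = $0; blk = ""; next }
    $2 == "{" { blk = $1; if (sec == "realms") realm[blk] = 1; next }
    $1 == "}" { blk = ""; next }
    sec == "capaths" && blk != "" && $1 == "CNF.CORNELL.EDU" { path[blk] = 1 }
    sec == "libdefaults" && $1 == "allow_weak_crypto" && tolower($2) == "true" { weak = 1 }
    END {
        n = split("CIT.CORNELL.EDU CNF.CORNELL.EDU CORNELL.EDU GUEST.CORNELL.EDU", want, " ")
        for (i = 1; i <= n; i++) {
            r = want[i]
            if (!(r in realm)) { print "missing realm " r; bad = 1 }
            if (r != "CNF.CORNELL.EDU" && !(r in path)) {
                print "missing capath " r " -> CNF.CORNELL.EDU"; bad = 1
            }
        }
        if (weak) print "note: allow_weak_crypto = true is set in [libdefaults]"
        exit bad + 0
    }' "${1:--}"
}

# Constructed sample: a merged file that lost the GUEST realm and two capaths entries.
sample_merged_krb5() {
    cat <<'EOF'
[libdefaults]
 allow_weak_crypto = true
[realms]
 CIT.CORNELL.EDU = {
  kdc = kerberos.cit.cornell.edu:88
 }
 CNF.CORNELL.EDU = {
  kdc = hole.cnf.cornell.edu:88
 }
 CORNELL.EDU = {
  kdc = ad7.cornell.edu
 }
[capaths]
 CIT.CORNELL.EDU = {
  CNF.CORNELL.EDU = .
 }
EOF
}
```

Run it as `check_cnf_krb5 /etc/krb5.conf`, or pipe the sample through it with `sample_merged_krb5 | check_cnf_krb5` to see the report format.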

Windows

  1. If you are upgrading from a 1.5.x or earlier version of OpenAFS, first remove any AFS drive mappings.
  2. Download MIT Kerberos for Windows (32-bit or 64-bit, depending on your Windows OS install) 3.2.2 from the links earlier in this sentence (Note: this step is not needed if you already have a version of Kerberos installed)
    1. Do a Typical install
  3. Download the 1.7.x MSI client installer from http://www.openafs.org/windows.html
    1. If installing on 64-bit Windows, you will also need the 32-bit tools package. Install this doing a "Typical" install.
  4. Run the OpenAFS installer
    1. Select a Custom install
    2. Accept the defaults for which components to install unless...
      1. You will need to install the "Authentication" component -- not enabled by default in 1.7.x.
    3. Change the cell name from openafs.org to cnf.cornell.edu
    4. Accept defaults on the rest of the screens
    5. Don't yet reboot (when prompted by the installer)
  5. Run the 32-bit tools installer if on a 64-bit Windows OS
  6. Run the attached .reg files to set OpenAFS registry settings
  7. Copy the attached krb5.ini to c:\windows overwriting the krb5.ini file that may be already there
    • NOTE: If your organization also uses Kerberos, you will instead want to merge in the CNF krb5.ini with your organization's krb5.ini.
    • Your local tech support or CNF Computing support can help you with this.
  8. If you are using a firewall other than the built in Windows firewall, you will need to open incoming UDP port 7001. 
  9. NOW, REBOOT. After rebooting, your firewall may prompt you to allow the various AFS applications access to the network. You should choose to Always Allow these.
  10. OPTIONAL, set up a drive mapping (must be done AFTER REBOOTING)
    1. Right click on My Network Places
    2. Map drive
    3. To follow the CNF convention, set the drive letter to X
    4. Set the path to \\afs\cnf.cornell.edu
    5. Choose to Reconnect the drives
    6. Done

MacOS

For Macintosh, we recommend the AuristorFS OpenAFS client installers.

  1. Download the installer for your version of MacOS from the Auristor OpenAFS Client Installers web page.
    1. If you visit the page on an operating system other than MacOS, you will need to click the link to "view all available installers".
    2. Downloading the installer requires registering.
  2. Run the OpenAFS package installer
    1. Specify cnf.cornell.edu as the cell name and cnf as the cell alias
    2. If AFS does not appear to be running after installing, reboot your system.
  3. To show the AFS icon on the Desktop...
    1. Finder - Preferences
    2. General tab
    3. Check "Connected Servers"
  4. Periodically check for new versions of the AuristorFS OpenAFS client which will fix bugs.

How to destroy, renew, and obtain new credentials:

Make sure you have AFS Tokens before attempting to browse AFS space in the Finder. Otherwise, the Finder will become confused, hang, and not properly display files and folders.

To destroy AFS credentials from the commandline, open the Terminal and enter the following two commands:

 unlog

 kdestroy



To renew or obtain new credentials from the commandline,

  1. From the Terminal.app commandline:

    kinit username@KERBEROS.REALM
    
    aklog
  2. To view your AFS tokens, type the following at the commandline (Terminal.app):

    tokens

To manage AFS credentials from the GUI, use the Auristor control panel in the System Preferences application.

  1. In the "Tokens" tab, check "Auristor Menu", check "Backgrounder" and check "Use aklog"
  2. In the "Option" tab check "Enable auto-renew"

To get new tokens, in the "Tokens" tab click "Get new token"... and make sure to enter your username as the long capitalized version, e.g. netid@CIT.CORNELL.EDU or guestid@CORNELL.EDU

If you experience problems with the GUI for obtaining tokens, please use the commandline from Terminal.app as detailed above.

iOS

A native AFS client, iYFS, for iOS can be purchased from the iOS App Store. If you experience issues with the client, please contact CNF IT support – we will reproduce the problem and then contact the vendor to have the problem resolved.
