Off Campus Access for Cornell GuestID Users

CNF users with a Cornell GuestID (username begins with gid-) will not be able to authenticate to CNF AFS unless connected to the Cornell VPN. To connect to the Cornell VPN, please follow the "CNF Group VPN - for users with a Cornell GuestID" instructions on our Coral from Off Campus webpage.

Installing

Linux

OpenAFS or kAFS

We suggest first checking if an OpenAFS package is available from the OpenAFS.org website. If not, please check the packages distributed for your Linux distribution.

Keep in mind that sometimes the available packages for your Linux distribution are several versions behind the current release on the OpenAFS.org website. If this is the case, double check that you are not installing an older version with known data corruption or security bugs.

The Linux kernel now includes an in-kernel version of AFS called "kafs". Check with your Linux distribution whether kafs is enabled and/or available. If you run into problems with kafs, please let the developer know, as kafs is still a work in progress. In addition to the previous links, there is kernel documentation on kafs.

OpenAFS Kernel Module Patching

If you only need to rebuild an OpenAFS kernel module manually (e.g. to apply a patch), you will need to install additional development tools and libraries such as Git and the kernel development headers on your system. The snippet below shows cloning OpenAFS from Git and building just the kernel module:


Code Block
git clone git://git.openafs.org/openafs.git
cd openafs
git checkout <tag_for_the_version_of_afs>
# Add any patches
sh regen.sh
./configure
make libafs

This will generate: ./src/libafs/`uname -r`/libafs.ko

Find in /lib/modules/`uname -r` the openafs.ko file (this file may be in a subfolder such as extra), and replace it with the above generated libafs.ko (making sure to still call it openafs.ko).

Run depmod -a.

After a reboot, OAFS should now be happy... or you can manually start OpenAFS (service openafs-client start usually works).
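The replacement steps above, as an added shell function that is not part of this page or of the OpenAFS project. It assumes the source tree was built with make libafs as shown, that the module root is /lib/modules unless another root is passed (a scratch tree works for testing), and it adds two things the manual steps lack: a backup of the old openafs.ko and a vermagic check against the running kernel.

```shell
#!/bin/sh
# Added example (not from the OpenAFS project or this page): install a freshly
# built libafs.ko as openafs.ko following the steps above, keeping a backup of
# the old module and refusing a module whose vermagic does not match the kernel.
# Arguments: $1 = openafs source tree, $2 = kernel version (default: uname -r),
# $3 = module root (default: /lib/modules; a scratch tree can be passed for testing).

install_afs_module() {
    src="$1"
    kver="${2:-$(uname -r)}"
    modroot="${3:-/lib/modules}"
    new="$src/src/libafs/$kver/libafs.ko"
    [ -f "$new" ] || { echo "no libafs.ko built for $kver at $new" >&2; return 1; }

    # When modinfo can read the module, its vermagic must start with the kernel
    # version; a mismatched module would be refused by the kernel at load time.
    vm=$(modinfo -F vermagic "$new" 2>/dev/null || true)
    case "$vm" in
        ""|"$kver "*) ;;
        *) echo "vermagic '$vm' does not match kernel $kver" >&2; return 1 ;;
    esac

    # The installed module may sit in a subfolder such as "extra", so search for it.
    old=$(find "$modroot/$kver" -name openafs.ko 2>/dev/null | head -n 1)
    [ -n "$old" ] || { echo "no openafs.ko found under $modroot/$kver" >&2; return 1; }

    # Keep the previous module so the change can be rolled back, then replace it
    # (the new file must keep the name openafs.ko).
    cp -p "$old" "$old.bak" || return 1
    cp "$new" "$old" || return 1

    # Rebuild modules.dep only when working on the real module tree.
    [ "$modroot" = /lib/modules ] && depmod -a "$kver"
    echo "$old"
}

# Typical use on a real system, after building in ~/openafs as shown above:
#   install_afs_module ~/openafs
```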

Overview

Linux installations vary by distribution. Some distributions may include versions of OpenAFS or kAFS either stock or as an add-on.

Red Hat Enterprise Linux and Fedora

The best source of RPMs for RHEL and for Fedora is the OpenAFS website. You will download and rebuild the OpenAFS source RPM (SRPM), which produces the following packages:

  • openafs-compat
  • openafs-authlibs
  • openafs-server (if running an openafs server)
  • openafs-devel (if you want the devel libs)
  • openafs
  • dkms-openafs (if you want to dynamically build kernel modules ... you will also need the dkms rpm, available from multiple sources)
  • openafs-authlibs-devel (again, if you want the devel libs)
  • openafs-client (for running the openafs client)
  • openafs-docs
  • openafs-krb5
  • openafs-kernel-source (again, for devel purposes)

General Linux Configuration

After installing AFS, make sure to set the cell name in your ThisCell file to cnf.cornell.edu. The location of the ThisCell file varies depending on your Linux distribution. You should also consider increasing the cache size in the cacheinfo file from the default.

With each upgrade to your Linux kernel, you will need a new OpenAFS kernel module. CNF recommends the use of DKMS to auto-build new kernel modules. If using an RPM-based distribution, openafs.org provides a dkms-openafs RPM.

Kerberos is also required on Linux and must be configured with a krb5.conf file. The exact format of your Kerberos configuration file may vary depending on whether you are using MIT Kerberos or Heimdal Kerberos. Regardless, the following must be defined in your Kerberos config file (note that allow_weak_crypto = true re-enables legacy encryption types such as single-DES, which current MIT Kerberos releases disable by default):

Code Block
[libdefaults]
    allow_weak_crypto = true
    ticket_lifetime = 30d
    renew_lifetime = 30d
    forwardable = true
    renewable = true

[realms]
    CIT.CORNELL.EDU = {
        kdc = kerberos.cit.cornell.edu:88
        kdc = kerberos2.cit.cornell.edu:88
        admin_server = kerberos.cit.cornell.edu:749
        default_domain = cit.cornell.edu
    }

    CNF.CORNELL.EDU = {
        kdc = hole.cnf.cornell.edu:88
        kdc = smoke.cnf.cornell.edu:88
        kdc = mist.cnf.cornell.edu:88
        admin_server = hole.cnf.cornell.edu:749
        default_domain = cnf.cornell.edu
    }

    CORNELL.EDU = {
        kdc = ad1.cornell.edu
        kdc = ad2.cornell.edu
        kdc = ad3.cornell.edu
        kdc = ad4.cornell.edu
        kdc = ad9.cornell.edu
        kdc = ad19.cornell.edu
        default_domain = cornell.edu
    }

[domain_realm]
    .cit.cornell.edu = CIT.CORNELL.EDU
    cit.cornell.edu = CIT.CORNELL.EDU
    .mail.cornell.edu = CIT.CORNELL.EDU
    mail.cornell.edu = CIT.CORNELL.EDU
    .cnf.cornell.edu = CNF.CORNELL.EDU
    cnf.cornell.edu = CNF.CORNELL.EDU

If using MIT Kerberos, you must also set the following in your krb5.conf (Heimdal uses a different syntax for the capaths section):

Code Block
[capaths]
CIT.CORNELL.EDU = {
    CNF.CORNELL.EDU = .
}

CORNELL.EDU = {
    CNF.CORNELL.EDU = .
}

Windows

  1. If you are upgrading from a 1.5.x or earlier version of OpenAFS, first remove any AFS drive mappings.
  2. Download MIT Kerberos for Windows 3.2.2 (32-bit or 64-bit, depending on your Windows install) from the links earlier in this sentence. (Note: this step is not needed if you already have a version of Kerberos installed.)
    1. Do a Typical install.
  3. Download the 1.7.x MSI client installer from http://www.openafs.org/windows.html
    1. If installing on 64-bit Windows, you will also need the 32-bit tools package. Install this using a "Typical" install.
  4. Run the OpenAFS installer.
    1. Select a Custom install.
    2. Accept the defaults for which components to install, except:
      1. You will need to install the "Authentication" component -- it is not enabled by default in 1.7.x.
    3. Change the cell name from openafs.org to cnf.cornell.edu.
    4. Accept the defaults on the rest of the screens.
    5. Don't reboot yet (when prompted by the installer).
  5. Run the 32-bit tools installer if on a 64-bit Windows OS.
  6. Run the attached .reg files to set the OpenAFS registry settings.
  7. Copy the attached krb5.ini to c:\windows, overwriting any krb5.ini file that may already be there.
    • NOTE: If your organization also uses Kerberos, you will instead want to merge the CNF krb5.ini into your organization's krb5.ini.
    • Your local tech support or CNF Computing support can help you with this.
  8. If you are using a firewall other than the built-in Windows firewall, you will need to open incoming UDP port 7001.
  9. NOW, REBOOT. After rebooting, your firewall may prompt you to allow the various AFS applications access to the network. You should choose to Always Allow these.
  10. OPTIONAL: set up a drive mapping (must be done AFTER REBOOTING).
    1. Right click on My Network Places.
    2. Map drive.
    3. To follow the CNF convention, set the drive letter to X.
    4. Set the path to \\afs\cnf.cornell.edu
    5. Choose to Reconnect the drives.
    6. Done.

MacOS

For Macintosh, we recommend the AuristorFS OpenAFS client installers.

  1. Download the installer for your version of MacOS from the Auristor OpenAFS Client Installers web page.
    1. If you visit the page on an operating system other than MacOS, you will need to click the link to "view all available installers".
    2. Downloading the installer requires registering.
  2. Run the OpenAFS package installer.
    1. Specify cnf.cornell.edu as the cell name and cnf as the cell alias.
    2. If AFS does not appear to be running after installing, reboot your system.
  3. To show the AFS icon on the Desktop:
    1. Finder - Preferences
    2. General tab
    3. Check "Connected Servers"
  4. Periodically check for new versions of the AuristorFS OpenAFS client, which will fix bugs.

How to destroy, renew, and obtain new credentials:

Make sure you have AFS Tokens before attempting to browse AFS space in the Finder. Otherwise, the Finder will become confused, hang, and not properly display files and folders.

To destroy AFS credentials from the commandline, open the Terminal and enter the following two commands:

Code Block
unlog
kdestroy


To renew or obtain new credentials from the commandline:

  1. From the Terminal.app commandline:

    Code Block
    kinit username@KERBEROS.REALM
    aklog

  2. You can view your AFS tokens from the commandline (Terminal.app) by typing:

    Code Block
    tokens


To manage AFS credentials from the GUI, use the Auristor control panel in the System Preferences application.

  1. In the "Tokens" tab, check "Auristor Menu", check "Backgrounder" and check "Use aklog"
  2. In the "Option" tab check "Enable auto-renew"

To get new tokens, in the "Tokens" tab click "Get new token", and make sure to enter your username as the long capitalized version, e.g. netid@CIT.CORNELL.EDU or guestid@CORNELL.EDU.

If you experience problems with the GUI for obtaining tokens, please use the commandline from Terminal.app as detailed above.

iOS

A native AFS client, iYFS, for iOS can be purchased from the iOS App Store. If you experience issues with the client, please contact CNF IT support – we will reproduce the problem and then contact the vendor to have the problem resolved.

File Sharing Folders

Home Directory

Your home directory contains a public folder. Unless you change the permissions on this folder, any files or new subfolders in it are readable and copyable by any other user of the CNF Fileserver or anyone accessing the fileserver from a computer on the CNF networks.

CNF Public Share

Located under the shares folder, public subfolder, cnf subfolder. Anyone on a computer on one of the CNF networks and any user of our fileserver can read, write, create, modify, and delete files.

CNF Outside Users Share

Located under the shares folder, public subfolder, outside_users subfolder. Only staff can place files here, but files placed here can be read by any user on our fileserver, anyone accessing the fileserver from a computer on the CNF networks, and any user of AFS (the file system we use) at another institution.

CNF Staff Share

Located under the shares folder, private or CNF_Staff subfolder, staff_compound subfolder. Any staff member can create, delete, read, write, and modify files and subfolders.

AFS Access Control Lists (i.e. permissions)

To view the ACL on a folder:

On a Unix machine, run: fs la directory
On a Mac OS X machine, right-click or control-click on a folder and choose AFS - Access Control List
On a Windows machine, right-click on a folder and choose AFS - Access Control Lists

Possible permissions are rlidwka:

r - read - read a file/copy a file (but can't see it is there without the l permission)
l - lookup - be able to look through the directories and see that files are there (but can't actually read/copy them without the r permission)
i - insert - create a new file/folder
d - delete - delete an existing file/folder
w - write - write to/modify an existing file/folder
k - lock - set advisory locks on files
a - administer - be able to set the permissions on files/folders here
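An added shell audit, not from this page, that reads fs la output and flags entries granting more than the read/lookup rights described above to broad principals, or the administer right to anyone but the owner. The fs la text below is a constructed sample (the path and the grp_users negative entry are made up); the principal names system:anyuser, system:authuser and system:administrators are standard AFS groups, cnfhosts and grp_all are the CNF groups named on this page.

```shell
#!/bin/sh
# Added example (not from this page): scan "fs la" output for ACL entries that
# hand out more than the read/lookup rights described above. Broad principals
# (system:anyuser, system:authuser, cnfhosts, grp_all) get flagged for any of
# i, d, w, k or a; anyone other than the owner or system:administrators gets
# flagged for the a (administer) right. The sample below is constructed.

SAMPLE_ACL='Access list for /afs/cnf.cornell.edu/home/example/public is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  cnfhosts rlidwk
  example rlidwka
Negative rights:
  grp_users rl'

# audit_acl "<fs la output>" <owner>: prints one WARN line per risky entry and
# returns 1 if anything was flagged, 0 for a clean ACL.
audit_acl() {
    printf '%s\n' "$1" | awk -v owner="$2" '
        /^Normal rights:/   { section = "normal"; next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && NF == 2 {
            who = $1; rights = $2
            broad = (who == "system:anyuser" || who == "system:authuser" || who == "cnfhosts" || who == "grp_all")
            if (broad && rights ~ /[idwka]/) {
                print "WARN " who " has " rights " (more than read/lookup for a broad group)"
                flagged = 1
            } else if (who != owner && who != "system:administrators" && rights ~ /a/) {
                print "WARN " who " can change this ACL (" rights ")"
                flagged = 1
            }
        }
        END { exit flagged ? 1 : 0 }'
}

# On a real client, check a folder you own with:
#   audit_acl "$(fs la /afs/cnf.cornell.edu/path/to/folder)" netid
```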

Where is the fileserver?

On Windows machines which I have set up, our AFS "cell", cnf.cornell.edu, is mapped to the X drive. Windows users can also go to the Start menu, select Run, and enter the path: \\afs\cnf.cornell.edu

On Mac OS X machines, there will be an icon on the desktop labeled AFS. Double click it. Under that, you will see a list of cells your machine knows about. Ours is "cnf.cornell.edu".

On UNIX machines, use the path /afs/cnf.cornell.edu

Some CNF AFS Groups

cnfhosts - all computers on the main CNF network (CNF offices, CAD room) and the lab network (e.g. cleanroom) -- does not include CIT RedRover wireless.

grp_all - everyone who has an account on our fileserver

grp_staff - all CNF staff

grp_users - all CNF users (at present, most users do not yet have accounts)

grp_fellows - the CNF Fellows

grp_finance - Financial staff

grp_it - Your friendly CNF IT staff

Backups

Data on the CNF file server is backed up on a daily basis.

Also, a daily snapshot of your home directory is kept in a subfolder named "Yesterday". This daily snapshot folder may also be available for some of the CNF shares.

Installing

Windows

  1. Download the 1.5.x client from openafs.org
  2. Run the OpenAFS installer (dialogs match the 1.5.11 install)
     A. For the type of install, if not already selected, choose "AFS Client"
     B. This will select the optional components: AFS Client and MS Loopback Adapter
     C. CellServDB Configuration - Download from web address
     D. Client Cell Name Configuration
        1. Cell name is: cnf.cornell.edu
        2. Check Enable AFS crypt security, Enable AFS Freelance client, and Use DNS to Search for Cell Servers
     E. AFS Credentials Configuration
        1. Check Start AFS Credentials at system login
        2. Check Auto initialize AFS Credentials
        3. Check Renew drive maps
        4. Check IP Address change detection
        5. Check Quiet
     F. Install the Kerberos for OpenAFS MSI package (attached zip file)
  3. Edit c:\windows\krb5.ini to include the CNF.CORNELL.EDU realm. Note that the CIT.CORNELL.EDU realm should still be the default realm, and don't forget the cross-realm configuration. The file won't exist if Bear Access or Kerberos is not installed (see the attached krb5.ini).
  4. If the Symantec Client Firewall is installed, you will need to add a rule allowing all traffic to/from 10.254.254.253
     A. Open Symantec Client Firewall
     B. Client Firewall - Configure
     C. Advanced Tab
     D. General Button
     E. Add a rule
     F. Permit
     G. Connection to and from other computers
     H. Only the computers and sites listed below: Add 10.254.254.253
     I. TCP and UDP and All types of communication
     J. Don't log anything
     K. Name the rule AFS Loopback Rule
     L. Check All Locations
     M. Finish
     N. Find the rule in the list of General Rules (it will be at the bottom) and repeatedly click "Move Up" to move the rule to the top of the list
Mac

  1. Download the OAFS package (1.4.x) from www.openafs.org
  2. Download afsinstall.app.tar.gz from http://cf.ccmr.cornell.edu/publicdownloads/afs/
  3. Run the OAFS package
     A. Do NOT reboot when done
  4. Run the afsinstall.app
     A. Cellname: cnf.cornell.edu
     B. CellAlias: cnf
     C. Accept defaults for CellServDB
     D. For the AFS Options
        a. change -fakestat to -fakestat-all
  5. Copy the attached edu.mit.Kerberos file to Mac HD - Library - Preferences
  6. Download the GUI AFSTokens app (Tiger version) from https://forge.cornell.edu/sf/projects/afs_tokens (File Releases tab)
  7. Download the OpenAFS Contextual Menu Plugin from: http://www.ncsu.edu/mac/pn/index.php?name=UpDownload&req=viewdownloaddetails&lid=10
  8. Copy the Contextual Menu Plugin to Mac HD - Library - Contextual Menu Items
  9. Reboot
  10. Enjoy

Using

Windows

To log in to AFS: Start menu -> All Programs -> OpenAFS -> Authentication (the icon is a lock icon).

This will put a lock icon with a red X over it in your system tray. You can double click on this icon to pop up a window where you can obtain AFS tokens.

Tokens are what your AFS client presents to the AFS file server to authenticate you.

For your username, you will use:

netid@CIT.CORNELL.EDU

Having CIT.CORNELL.EDU in all caps is very important.

Use your netid password.

There will be a delay before you get tokens due to a DNS problem on CNF/Cornell's end -- the delay will go away once we get the problem fixed.

To access AFS from Windows, you can:

Start menu -> Run

\\afs\cnf.cornell.edu

This will bring up the root of the CNF AFS cell. You can map this path to a drive letter:

  1. Right click on My Network Places
  2. Choose Map Network Drive
  3. Drive letter X (to match what we've done elsewhere)
  4. Path should be //afs/cnf.cornell.edu

Mac

Linux/Solaris

To get tokens, after logging in to the machine:

kinit netid (gets Kerberos tickets)
aklog (converts Kerberos tickets to AFS tokens)

You can then view your Kerberos tickets with:
klist

and your tokens with:
tokens

Remove Kerberos tickets with:
kdestroy

and remove AFS tokens with:
unlog

Our AFS cell is in the path /afs/cnf.cornell.edu
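The kinit / aklog / tokens sequence above, and the same sequence in the MacOS credentials section earlier, as an added shell script that is not part of this page. It checks for a live token for cnf.cornell.edu before anything touches /afs (the Mac section warns that the Finder hangs without one) and enforces the upper-case realm the page insists on; the two tokens output samples are constructed, following the "[Expires ...]" / "[>> Expired <<]" wording the tokens command prints.

```shell
#!/bin/sh
# Added example (not from this page): check for a live AFS token for the CNF
# cell before touching /afs, and obtain one with kinit + aklog when it is
# missing or expired, as the Mac and Linux/Solaris steps above do by hand.
# The tokens output samples are constructed; "tokens" prints "[Expires ...]"
# for a live token and "[>> Expired <<]" for a dead one.

CELL="cnf.cornell.edu"

SAMPLE_LIVE="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@cnf.cornell.edu [Expires Apr 12 10:00]
   --End of list--"

SAMPLE_EXPIRED="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@cnf.cornell.edu [>> Expired <<]
   --End of list--"

# principal_ok user@REALM: the realm must be present and all upper case, since
# the page warns that a lower-case realm (netid@cit.cornell.edu) will not work.
principal_ok() {
    case "$1" in
        ?*@?*) ;;
        *) return 1 ;;
    esac
    realm="${1#*@}"
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# token_ok "<tokens output>": 0 if a live token for $CELL is listed, else 1.
token_ok() {
    printf '%s\n' "$1" | grep -q "tokens for afs@${CELL} \[Expires "
}

# ensure_tokens user@REALM: reuse a live token, otherwise get a Kerberos ticket
# and convert it into an AFS token for the cell, then verify the result.
ensure_tokens() {
    principal_ok "$1" || { echo "realm in '$1' must be upper case" >&2; return 1; }
    token_ok "$(tokens 2>/dev/null)" && return 0
    kinit "$1" && aklog -c "$CELL" && token_ok "$(tokens)"
}

# Typical use before opening /afs/cnf.cornell.edu:
#   ensure_tokens netid@CIT.CORNELL.EDU
```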