...

Kerberos is also required on Linux and must be configured with a krb5.conf file. The exact format of your Kerberos configuration file may vary depending on whether you are using MIT Kerberos or Heimdal Kerberos. Regardless, the following must be defined in your Kerberos config file:

[libdefaults]
 # Permits weak encryption types such as single DES; MIT Kerberos defaults this to false.
 allow_weak_crypto = true
 ticket_lifetime = 30d
 renew_lifetime = 30d
 forwardable = true
 renewable = true

[realms]
 CIT.CORNELL.EDU = {
  kdc = kerberos.cit.cornell.edu:88
  kdc = kerberos2.cit.cornell.edu:88
  admin_server = kerberos.cit.cornell.edu:749
  default_domain = cit.cornell.edu
 }

 CNF.CORNELL.EDU = {
  kdc = hole.cnf.cornell.edu:88
  kdc = smoke.cnf.cornell.edu:88
  kdc = mist.cnf.cornell.edu:88
  admin_server = hole.cnf.cornell.edu:749
  default_domain = cnf.cornell.edu
 }

 CORNELL.EDU = {
  kdc = ad2.cornell.edu
  kdc = ad1.cornell.edu
  default_domain = cornell.edu
 }

 GUEST.CORNELL.EDU = {
  kdc = obsidian1.cit.cornell.edu:88
  kdc = obsidian2.cit.cornell.edu:88
  admin_server = obsidian1.cit.cornell.edu
  default_domain = guest.cornell.edu
 }

[domain_realm]
 .cit.cornell.edu = CIT.CORNELL.EDU
 cit.cornell.edu = CIT.CORNELL.EDU
 .mail.cornell.edu = CIT.CORNELL.EDU
 mail.cornell.edu = CIT.CORNELL.EDU
 .cnf.cornell.edu = CNF.CORNELL.EDU
 cnf.cornell.edu = CNF.CORNELL.EDU

If using MIT Kerberos, you must also set the following in your krb5.conf (Heimdal uses a different syntax for the capaths section):

[capaths]
CIT.CORNELL.EDU = {
    CNF.CORNELL.EDU = .
}

GUEST.CORNELL.EDU = {
    CNF.CORNELL.EDU = .
}

CORNELL.EDU = {
    CIT.CORNELL.EDU = .
    CNF.CORNELL.EDU = CIT.CORNELL.EDU
}
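
Added example (not part of the original page): a Python sketch that parses the [capaths] block above and lists the realms a client crosses to reach CNF.CORNELL.EDU, using the MIT Kerberos rule that `.` means a direct cross-realm trust and any other value names an intermediate realm. The helper names `parse_capaths` and `auth_path` are hypothetical.

```python
# Added example: [capaths] block copied from this page; helper names are hypothetical.
CAPATHS_TEXT = """
[capaths]
CIT.CORNELL.EDU = {
    CNF.CORNELL.EDU = .
}
GUEST.CORNELL.EDU = {
    CNF.CORNELL.EDU = .
}
CORNELL.EDU = {
    CIT.CORNELL.EDU = .
    CNF.CORNELL.EDU = CIT.CORNELL.EDU
}
"""

def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate realms, in order]}}."""
    paths, in_section, client = {}, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("["):             # section header
            in_section = line == "[capaths]"
        elif not in_section:
            continue
        elif line == "}":                    # end of a client-realm subsection
            client = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                 # "CLIENT.REALM = {" opens a subsection
                client = key
                paths.setdefault(client, {})
            elif client:                     # "SERVER.REALM = intermediate"
                hops = paths[client].setdefault(key, [])
                if value != ".":             # "." means no intermediate realm
                    hops.append(value)
    return paths

def auth_path(paths, client, server):
    """Realms crossed from client to server, or None when capaths has no entry."""
    hops = paths.get(client, {}).get(server)
    return None if hops is None else [client, *hops, server]

if __name__ == "__main__":
    table = parse_capaths(CAPATHS_TEXT)
    for realm in table:
        print(" -> ".join(auth_path(table, realm, "CNF.CORNELL.EDU")))
```

Every realm that appears as an intermediate hop issues a cross-realm ticket on the way, so this output is the list of realms whose KDCs are trusted for access to the cnf.cornell.edu cell.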

...

  1. NOW, REBOOT. After rebooting, your firewall may prompt you to allow the various AFS applications access to the network. You should choose to Always Allow these.
  2. OPTIONAL, set up a drive mapping (must be done AFTER REBOOTING)
    1. Right click on My Network Places
    2. Map drive
    3. To follow the CNF convention, set the drive letter to X
    4. Set the path to \\afs\cnf.cornell.edu
    5. Choose to Reconnect the drives
    6. Done

Mac OS 10.7 (Lion) / 10.8 (Mountain Lion) / 10.9 (Mavericks)

  1. Install the Mountain Lion krb5.conf file to /private/etc/krb5.conf
    1. The /private/etc folder is hidden... to get to it from the Finder...
    2. From the "Go" menu choose "Go to Folder"
    3. Type in /private/etc
    4. You can now copy the krb5.conf file over... you will be prompted for administrator credentials
  2. Install the Mountain Lion edu.mit.Kerberos file to /Library/Preferences/edu.mit.Kerberos
    1. You may first have to delete any existing edu.mit.Kerberos file (Finder may not let you overwrite the existing file)
    2. The deletion operation will require typing in an administrative username and password
    3. Copying over the new file will require typing in an administrative username and password
  3. Download OpenAFS 1.6.5 or 9 or greater from the openafs.org website (10.7 / 10.8) OR Download 1.6.5.2 9 for Mavericks from this link (10.9)
  4. Run the OpenAFS package installer
    1. Specify cnf.cornell.edu as the cell name and cnf as the cell alias
    2. No reboot is necessary (unless you are running Mavericks, Mac OS 10.9) - AFS will start running when the installer finishes
  5. To show the AFS icon on the Desktop...
    1. Finder - Preferences
    2. General tab
    3. Check "Connected Servers"
  6. Download the GUI AFSTokens app for Snow Leopard (afstokens-64bit.zip) from https://forge.cornell.edu/sf/projects/afs_tokens
    1. File Releases tab
    2. The AFSTokens app is no longer maintained, but is still the best way to obtain AFS tokens.
    3. Obtaining tokens works under the latest version of Mac OS X Mavericks. However, deleting tokens crashes the app.
    4. Renewing existing tokens does not work. You must first delete any AFS tokens and Kerberos tickets by running the following two commands from a Terminal command line:

       unlog
       kdestroy

    5. Viewing your AFS group membership works under the latest version of OS X Mavericks.
  7. We are in the process of testing the built-in AFS control panel under System Preferences.
  8. To show the AFS icon on your desktop, in Finder Preferences - General, make sure "Connected servers" is checked.