Off Campus Access for Cornell GuestID Users

CNF users with a Cornell GuestID (username begins with gid- will not be able to authenticate to CNF AFS unless connected to the Cornell VPN. To connect to the Cornell VPN, please follow the "CNF Group VPN - for users with a Cornell GuestID" instructions on our Coral from Off Campus webpage.

Installing

Linux

OpenAFS or kAFS

We suggest first checking if an OpenAFS package is available from the OpenAFS.org website. If not, please check the packages distributed for your Linux distribution.

Keep in mind that sometimes the available packages for your linux distribution are several versions behind the current release on the OpenAFS.org website. If this is the case, double check that you are not installing an older version with known data corruption or security bugs. 

The linux kernel now includes an in-kernel version of afs called "kafs" . Check with your linux distribution if kafs is enabled and/or available. If you run into problems with kafs, please let the developer know, as kafs is still a work in progress. In addition to the previous links, there is kernel documentation on kafs. 

OpenAFS Kernel Module Patching

If you need to only rebuild an OpenAFS kernel module manually (eg patch), you will need to install additional devel tool and libraries such as GIT and the kernel devel libraries on your system. The below snippits show cloning openafs from git and building just the kernel module:

git clone git://git.openafs.org/openafs.git

cd openafs

git checkout <tag_for_the_version_of_afs>

# Add any patches

sh regen.sh

./configure

make libafs

This will generate: ./src/libafs/`uname -r`/libafs.ko

Find in /lib/modules/`uname -r` the openafs.ko file (this file may be in a subfolder such as extra), and replace it with the above generated libafs.ko (making sure to still call it openafs.ko).

Run depmod -a .

After a reboot, OAFS should now be happy... or you can manually start openafs ( service openafs-client start usually works).

Overview

Linux installations vary by distribution. Some distributions may include versions of OpenAFS or kAFS either stock or as an add-on.

Redhat Enterprise Linux and Fedora

The best source of RPMs for RHEL and for Fedora is the OpenAFS website. You will download and rebuild the OpenAFS source rpm (SRPM). 

After bulding binary RPMs, you will want to install the following RPMs:

• openafs-compat
• openafs-authlibs
• openafs-server (if running an openafs server)
• openafs-devel (if you want the devel libs)
• openafs
• dkms-openafs (if you want to dynamically build kernel modules ... you will also need the dkms rpm, available from multiple sources)
• openafs-authlibs-devel (again, if you want the devel libs)
• openafs-client (for running the openafs client)
• openafs-docs
• openafs-krb5
• openafs-kernel-source (again, for devel purposes)
  
  

General Linux Configuration

After installing AFS, make sure to set the cellname in your ThisCell file to cnf.cornell.edu . The location of the ThisCell file varies depending on your linux distribution. You should also consider increasing the cache size in the cacheinfo file from the default.

With each upgrade to your linux kernel, you will need a new OpenAFS kernel module. CNF recommends the use of DKMS to auto build new kernel modules. If using an RPM based distribution, openafs.org provides a dkms-openafs RPM.

Kerberos is also required on Linux and must be configured with a krb5.conf file. The exact format of your Kerberos configuration file may vary depending on if you are using MIT Kerberos or Heimdal Kerberos. Regardless, the following must be defined in your Kerberos config file:

[libdefaults]
allow_weak_crypto = true
 ticket_lifetime = 30d
 renew_lifetime = 30d
 forwardable = true
 renewable = true

[realms]
 CIT.CORNELL.EDU = {
  kdc = kerberos.cit.cornell.edu:88
  kdc = kerberos2.cit.cornell.edu:88
  admin_server = kerberos.cit.cornell.edu:749
  default_domain = cit.cornell.edu
 }

CNF.CORNELL.EDU = {
        kdc = hole.cnf.cornell.edu:88
        kdc = smoke.cnf.cornell.edu:88
        kdc = mist.cnf.cornell.edu:88
        admin_server = hole.cnf.cornell.edu:749
        default_domain = cnf.cornell.edu
}

CORNELL.EDU = {
  kdc = ad1.cornell.edu
  kdc = ad2.cornell.edu
  kdc = ad3.cornell.edu
  kdc = ad4.cornell.edu
  kdc = ad9.cornell.edu
  kdc = ad19.cornell.edu
  default_domain = cornell.edu
 }    


[domain_realm]
 .cit.cornell.edu = CIT.CORNELL.EDU
 cit.cornell.edu = CIT.CORNELL.EDU
 .mail.cornell.edu = CIT.CORNELL.EDU
 mail.cornell.edu = CIT.CORNELL.EDU
.cnf.cornell.edu = CNF.CORNELL.EDU
 cnf.cornell.edu = CNF.CORNELL.EDU

If using MIT Kerberos, you must also set the following in your krb5.conf (Heimdal uses a different syntax for the capaths section):

[capaths]
CIT.CORNELL.EDU = {
    CNF.CORNELL.EDU = .
}

CORNELL.EDU = {
    CNF.CORNELL.EDU = .
}

Windows

1. If you are upgrading from a 1.5.x or earlier version of OpenAFS, first remove any AFS drive mappings.
2. d/l MIT Kerberos for Windows (32-bit or 64-bit, depending on your windows os install) 3.2.2 from the links earlier in this sentence (Note: this step is not needed if you already have a version of Kerberos installed)
   
   1. Do a Typical install
3. d/l 1.7.x MSI client installer from http://www.openafs.org/windows.html 
   1. If installing on 64-bit Windows, you will also need the 32-bit tools package. Install this doing a "Typical" install.
4. run the Openafs installer
   
   1. Select a Custom install
   2. Accept the defaults for which components to install unless...
      1. You will need to install the "Authentication" component -- not enabled by default in 1.7.x.
   3. Change the cell name from openafs.org to cnf.cornell.edu
   4. Accept defaults on the rest of the screens
   5. Don't yet reboot (when prompted by the installer)
5. Run the 32-bit tools installer if on a 64-bit Windows OS
6. Run the attached .reg files to set OpenAFS registry settings
7. Copy the attached krb5.ini to c:\windows overwriting the krb5.ini file that may be already there
   • NOTE: If your organization also uses Kerberos, you will instead want to merge in the CNF krb5.ini with your organization's krb5.ini .
   • Your local tech support or CNF Computing support can help you with this.
8. If you are using a firewall other than the built in Windows firewall, you will need to open incoming UDP port 7001. 

1. NOW, REBOOT. After rebooting, your firewall may prompt you to allow the various afs applications access to the network. You should choose to Always Allow these.
2. OPTIONAL, set up a drive mapping (must be done AFTER REBOOTING)
   1. Right click on My Network Places
   2. Map drive
   3. To follow the CNF convention, set the drive letter to X
   4. Set the path to \\afs\cnf.cornell.edu
   5. Choose to Reconnect the drives
   6. Done

MacOS

For Macintosh, we recommend the AuristorFS OpenAFS client installers.

1. Download the installer for your version of MacOS from the Auristor OpenAFS Client Installers web page.
   1. If you visit the page on an operating system other than MacOS, you will need to click the link to "view all available installers".
   2. Download the installer requires registering.
2. Run the OpenAFS package installer
   1. Specify cnf.cornell.edu as the cell name and cnf as the cell alias
   2. If AFS does not appear to be running after installing, reboot your system.
3. To show the AFS icon on the Desktop...
   1. Finder - Preferences
   2. General tab
   3. Check "Connected Servers"
4. Periodically check for new versions of the AuristorFS OpenAFS client which will fix bugs.

How to destroy, renew, and obtain new credentials:

Make sure you have AFS Tokens before attempting to browse AFS space in the Finder. Otherwise, the Finder will become confused, hang, and not properly display files and folders.

To destroy AFS credentials from the commandline, open the Terminal and enter the following two commands:

 unlog

 kdestroy

To renew or obtain new credentials from the commandline,

1. From the Terminal.app commandline:

   kinit username@KERBEROS.REALM aklog

   
   

2. You can view your AFS tokens by, from the commandline (Terminal.app) typing in:

   tokens

   
   

To manage AFS credentials from the GUI, use the Auristor control panel in the System Preferences application.

1. In the "Tokens" tab, check "Auristor Menu", check "Backgrounder" and check "Use aklog"
2. In the "Option" tab check "Enable auto-renew"

To get new tokens, in the "tokens" tab click "Get new token"... and make to enter your username as the long capitalized version... eg netid@CIT.CORNELL.EDU or guestid@CORNELL.EDU

If you experience problems with the GUI for obtaining tokens, please use the commandline from Terminal.app as detailed above.

iOS

A native AFS client, iYFS, for iOS can be purchased from the iOS App Store. If you experience issues with the client, please contact CNF IT support – we will reproduce the problem and then contact the vendor to have the problem resolved.