CNF users with a Cornell GuestID (username begins with gid-) will not be able to authenticate to CNF AFS unless connected to the Cornell VPN. To connect to the Cornell VPN, please follow the "CNF Group VPN - for users with a Cornell GuestID" instructions on our Coral from Off Campus webpage.
We suggest first checking if an OpenAFS package is available from the OpenAFS.org website. If not, please check the packages distributed for your Linux distribution.
Keep in mind that the packages available for your Linux distribution are sometimes several versions behind the current release on the OpenAFS.org website. If this is the case, double check that you are not installing an older version with known data corruption or security bugs.
The Linux kernel now includes an in-kernel version of AFS called "kafs". Check with your Linux distribution whether kafs is enabled and/or available. If you run into problems with kafs, please let the developer know, as kafs is still a work in progress. In addition to the previous links, there is kernel documentation on kafs.
If you only need to rebuild an OpenAFS kernel module manually (e.g. to apply a patch), you will need to install additional development tools and libraries, such as Git and the kernel development libraries, on your system. The snippet below shows cloning OpenAFS from git and building just the kernel module:

    git clone git://git.openafs.org/openafs.git
    cd openafs
    git checkout <tag_for_the_version_of_afs>
    # Add any patches
    sh regen.sh
    ./configure
    make libafs

This will generate: ./src/libafs/`uname -r`/libafs.ko
Find in /lib/modules/`uname -r` the openafs.ko file (this file may be in a subfolder such as extra), and replace it with the above generated libafs.ko (making sure to still call it openafs.ko).
Run depmod -a.
After a reboot, OpenAFS should now be happy... or you can manually start openafs (service openafs-client start usually works).
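The replacement steps above as shell functions, added here as an example (not CNF or OpenAFS project code); the function names and the .orig backup suffix are choices made for this example. It refuses to proceed unless exactly one openafs.ko is found, keeps the original module so it can be restored, and verifies the copy.

```shell
#!/bin/sh
# Added example: swap a rebuilt libafs.ko in for the installed openafs.ko.
# Function names and the ".orig" backup suffix are assumptions of this example.

# True when the module was built for the running kernel (needs modinfo).
built_for_running_kernel() {
    vermagic=$(modinfo -F vermagic "$1") || return 1
    # vermagic starts with the kernel release, followed by build flags.
    [ "${vermagic%% *}" = "$(uname -r)" ]
}

# Print the path of the single openafs.ko under a modules directory.
find_openafs_ko() {
    moddir=$1
    found=$(find "$moddir" -type f -name openafs.ko)
    count=$(printf '%s\n' "$found" | grep -c . || true)
    [ "$count" -eq 1 ] || {
        echo "expected 1 openafs.ko under $moddir, found $count" >&2
        return 1
    }
    printf '%s\n' "$found"
}

# Replace the installed module with the rebuilt one, keeping a backup.
# Prints the path of the replaced module on success.
replace_openafs_ko() {
    built=$1
    moddir=$2
    [ -s "$built" ] || { echo "missing or empty: $built" >&2; return 1; }
    target=$(find_openafs_ko "$moddir") || return 1
    # Keep only the first original, so a re-run does not overwrite it.
    [ -e "$target.orig" ] || cp -p "$target" "$target.orig" || return 1
    cp "$built" "$target" || return 1
    cmp -s "$built" "$target" || { echo "copy verification failed" >&2; return 1; }
    printf '%s\n' "$target"
}

# Typical use as root, after "make libafs":
#   ko="./src/libafs/$(uname -r)/libafs.ko"
#   built_for_running_kernel "$ko" &&
#       replace_openafs_ko "$ko" "/lib/modules/$(uname -r)" &&
#       depmod -a
```

The backup is named openafs.ko.orig, which depmod does not index because it does not end in .ko.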
Linux installations vary by distribution. Some distributions may include versions of OpenAFS or kAFS either stock or as an add-on.
The best source of RPMs for RHEL and for Fedora is the OpenAFS website. You will download and rebuild the OpenAFS source rpm (SRPM).
After building binary RPMs, you will want to install the following RPMs:
After installing AFS, make sure to set the cellname in your ThisCell file to cnf.cornell.edu. The location of the ThisCell file varies depending on your Linux distribution. You should also consider increasing the cache size in the cacheinfo file from the default.
With each upgrade to your Linux kernel, you will need a new OpenAFS kernel module. CNF recommends the use of DKMS to automatically build new kernel modules. If using an RPM-based distribution, openafs.org provides a dkms-openafs RPM.
Kerberos is also required on Linux and must be configured with a krb5.conf file. The exact format of your Kerberos configuration file may vary depending on whether you are using MIT Kerberos or Heimdal Kerberos. Regardless, the following must be defined in your Kerberos config file:

    [libdefaults]
        allow_weak_crypto = true
        ticket_lifetime = 30d
        renew_lifetime = 30d
        forwardable = true
        renewable = true

    [realms]
        CIT.CORNELL.EDU = {
            kdc = kerberos.cit.cornell.edu:88
            kdc = kerberos2.cit.cornell.edu:88
            admin_server = kerberos.cit.cornell.edu:749
            default_domain = cit.cornell.edu
        }
        CNF.CORNELL.EDU = {
            kdc = hole.cnf.cornell.edu:88
            kdc = smoke.cnf.cornell.edu:88
            kdc = mist.cnf.cornell.edu:88
            admin_server = hole.cnf.cornell.edu:749
            default_domain = cnf.cornell.edu
        }
        CORNELL.EDU = {
            kdc = ad1.cornell.edu
            kdc = ad2.cornell.edu
            kdc = ad3.cornell.edu
            kdc = ad4.cornell.edu
            kdc = ad9.cornell.edu
            kdc = ad19.cornell.edu
            default_domain = cornell.edu
        }

    [domain_realm]
        .cit.cornell.edu = CIT.CORNELL.EDU
        cit.cornell.edu = CIT.CORNELL.EDU
        .mail.cornell.edu = CIT.CORNELL.EDU
        mail.cornell.edu = CIT.CORNELL.EDU
        .cnf.cornell.edu = CNF.CORNELL.EDU
        cnf.cornell.edu = CNF.CORNELL.EDU

If using MIT Kerberos, you must also set the following in your krb5.conf (Heimdal uses a different syntax for the capaths section):

    [capaths]
        CIT.CORNELL.EDU = {
            CNF.CORNELL.EDU = .
        }
        CORNELL.EDU = {
            CNF.CORNELL.EDU = .
        }

For Macintosh, we recommend the AuristorFS OpenAFS client installers.
Make sure you have AFS Tokens before attempting to browse AFS space in the Finder. Otherwise, the Finder will become confused, hang, and not properly display files and folders.
To destroy AFS credentials from the commandline, open the Terminal and enter the following two commands:

    unlog
    kdestroy

To renew or obtain new credentials from the Terminal.app commandline:

    kinit username@KERBEROS.REALM
    aklog

To view your AFS tokens, type the following at the commandline (Terminal.app):

    tokens

To manage AFS credentials from the GUI, use the Auristor control panel in the System Preferences application.
To get new tokens, in the "tokens" tab click "Get new token"... and make sure to enter your username as the long capitalized version, e.g. netid@CIT.CORNELL.EDU or guestid@CORNELL.EDU
If you experience problems with the GUI for obtaining tokens, please use the commandline from Terminal.app as detailed above.
A native AFS client, iYFS, for iOS can be purchased from the iOS App Store. If you experience issues with the client, please contact CNF IT support – we will reproduce the problem and then contact the vendor to have the problem resolved.