CNF users with a Cornell GuestID (username begins with gid-) will not be able to authenticate to CNF AFS unless connected to the Cornell VPN. To connect to the Cornell VPN, please follow the "CNF Group VPN - for users with a Cornell GuestID" instructions on our Coral from Off Campus webpage.
OpenAFS is not currently compatible with Linux kernel 4.4 or higher: you will experience data corruption. Debian/Ubuntu/Mint-based distributions have backported the kernel patch that breaks AFS to their 3.x kernels.
Linux installations vary by distribution. Some distributions may include versions of OpenAFS either stock or as an add-on. Downloads are also available from the main www.openafs.org website.
For Linux, be sure to use OpenAFS 1.6.17 or greater.
If you need to build your own OpenAFS RPMs from the OpenAFS git source tree, see this page.
The best source of RPMs for RHEL and for Fedora is the jsbillings Copr repositories. There are two repositories, and you will need both. The first is the main OpenAFS client Copr repository and the second is the OpenAFS kernel module repository. You should install both repositories on your system, as the main repo depends on the kernel modules in the kmod repo. For the kernel modules, CNF recommends using dkms (and the dkms-openafs RPM) instead of individual kernel-version-specific modules.
Note that the JSBillings Copr repositories change from the old Transarc paths for OpenAFS binaries, config files, and cache partition locations to Linux Standard Base compatible locations.
You will want to install the following RPMs:
After installing AFS, make sure to set the cellname in your ThisCell file to cnf.cornell.edu. The location of the ThisCell file varies depending on your Linux distribution. You should also consider increasing the cache size in the cacheinfo file from the default.
With each upgrade to your Linux kernel, you will need a new OpenAFS kernel module. CNF recommends the use of DKMS to automatically build new kernel modules. If using an RPM-based distribution, openafs.org provides a dkms-openafs RPM.
Kerberos is also required on Linux and must be configured with a krb5.conf file. The exact format of your Kerberos configuration file may vary depending on whether you are using MIT Kerberos or Heimdal Kerberos. Regardless, the following must be defined in your Kerberos config file:
    [libdefaults]
        allow_weak_crypto = true
        ticket_lifetime = 30d
        renew_lifetime = 30d
        forwardable = true
        renewable = true

    [realms]
        CIT.CORNELL.EDU = {
            kdc = kerberos.cit.cornell.edu:88
            kdc = kerberos2.cit.cornell.edu:88
            admin_server = kerberos.cit.cornell.edu:749
            default_domain = cit.cornell.edu
        }
        CNF.CORNELL.EDU = {
            kdc = hole.cnf.cornell.edu:88
            kdc = smoke.cnf.cornell.edu:88
            kdc = mist.cnf.cornell.edu:88
            admin_server = hole.cnf.cornell.edu:749
            default_domain = cnf.cornell.edu
        }
        CORNELL.EDU = {
            kdc = ad7.cornell.edu
            kdc = ad8.cornell.edu
            default_domain = cornell.edu
        }
        GUEST.CORNELL.EDU = {
            kdc = obsidian1.cit.cornell.edu:88
            kdc = obsidian2.cit.cornell.edu:88
            admin_server = obsidian1.cit.cornell.edu
            default_domain = guest.cornell.edu
        }

    [domain_realm]
        .cit.cornell.edu = CIT.CORNELL.EDU
        cit.cornell.edu = CIT.CORNELL.EDU
        .mail.cornell.edu = CIT.CORNELL.EDU
        mail.cornell.edu = CIT.CORNELL.EDU
        .cnf.cornell.edu = CNF.CORNELL.EDU
        cnf.cornell.edu = CNF.CORNELL.EDU
If using MIT Kerberos, you must also set the following in your krb5.conf (Heimdal uses a different syntax for the capaths section):
    [capaths]
        CIT.CORNELL.EDU = {
            CNF.CORNELL.EDU = .
        }
        GUEST.CORNELL.EDU = {
            CNF.CORNELL.EDU = .
        }
        CORNELL.EDU = {
            CNF.CORNELL.EDU = .
        }
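To check an existing krb5.conf against the settings listed above, the following shell function is an added example and is not CNF's or OpenAFS's own tooling. The function name check_krb5_conf and its MISSING/DIFFERS output format are assumptions made for illustration, and the [capaths] check assumes MIT Kerberos syntax.

```shell
# Added example, not CNF tooling: report krb5.conf settings that are missing
# or differ from the values listed on this page. Exit status 0 = all present.
check_krb5_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function need(sec, blk, key, want,    k, label) {
        k = sec SUBSEP blk SUBSEP key
        label = "[" sec "] " (blk != "" ? blk " -> " : "") key
        if (!(k in seen)) { print "MISSING " label; bad++ }
        else if (want != "" && seen[k] != want) {
            print "DIFFERS " label " = " seen[k] " (page: " want ")"; bad++
        }
    }
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }           # blank lines and comments
    /^[ \t]*\[.*\][ \t]*$/ {                       # [section] header
        section = trim($0); gsub(/^\[|\]$/, "", section); block = ""; next
    }
    /=[ \t]*[{][ \t]*$/ {                          # "REALM = {" opens a block
        block = trim(substr($0, 1, index($0, "=") - 1)); next
    }
    /^[ \t]*[}]/ { block = ""; next }              # "}" closes it
    index($0, "=") {                               # key = value (last one wins)
        key = trim(substr($0, 1, index($0, "=") - 1))
        seen[section SUBSEP block SUBSEP key] = trim(substr($0, index($0, "=") + 1))
    }
    END {
        need("libdefaults", "", "allow_weak_crypto", "true")
        need("libdefaults", "", "ticket_lifetime", "30d")
        need("libdefaults", "", "renew_lifetime", "30d")
        need("libdefaults", "", "forwardable", "true")
        need("libdefaults", "", "renewable", "true")
        n = split("CIT.CORNELL.EDU CNF.CORNELL.EDU CORNELL.EDU GUEST.CORNELL.EDU", r, " ")
        for (i = 1; i <= n; i++) need("realms", r[i], "kdc", "")   # any KDC entry
        need("domain_realm", "", ".cnf.cornell.edu", "CNF.CORNELL.EDU")
        n = split("CIT.CORNELL.EDU GUEST.CORNELL.EDU CORNELL.EDU", r, " ")
        for (i = 1; i <= n; i++)                   # MIT Kerberos [capaths] syntax
            need("capaths", r[i], "CNF.CORNELL.EDU", ".")
        exit (bad > 0)
    }
    ' "$1"
}
```

Run it as check_krb5_conf /etc/krb5.conf, substituting the path your distribution uses. The allow_weak_crypto = true setting that the page requires enables encryption types that MIT Kerberos classes as weak, such as single DES, so it is useful to know which hosts carry it.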
To destroy AFS credentials, open the Terminal and enter the following two commands:
    unlog
    kdestroy

To renew or obtain new credentials, you must use either the AFSLog GUI application or the command line (Terminal.app) to obtain AFS Tokens.
For AFSLog, double-click the application.
The Kerberos Ticket Viewer will open.
If necessary, add a new identity of username@KERBEROS.REALM.
Log in to this identity in the Kerberos Ticket Viewer.
Exit the Kerberos Ticket Viewer.
After approximately 5 seconds, the AFSLog application will ask for your attention (bounce) or simply pop up a new window displaying your AFS Tokens.
From the Terminal.app command line:

    kinit username@KERBEROS.REALM
    aklog

To view your AFS tokens, type the following at the command line (Terminal.app):

    tokens

Make sure you have AFS Tokens before attempting to browse AFS space in the Finder. Otherwise, the Finder will become confused, hang, and not properly display files and folders.
A native AFS client, iYFS, for iOS can be purchased from the iOS App Store. If you experience issues with the client, please contact CNF IT support – we will reproduce the problem and then contact the vendor to have the problem resolved.