openafs/README.SUSE.openafs

110 lines
3.7 KiB
Plaintext
Raw Normal View History

Here is described installation of openafs server and client on SUSE linux.
This text is based on AFS Quick Start Guide. The differences are:
- paths are adapted to SUSE installation
- uses Kerberos 5 authentization
Complete OpenAFS documentation is at http://openafs.org
SERVER SETUP
============
# choose an AFS cell name and a Kerberos realm name, the simplest setup is:
# - AFS cell name equal to DNS domain name
# - Kerberos realm name equal to uppercase AFS cell name
# create a partition for AFS filesystem and mount it under /vicepa
# start bosserver
/usr/sbin/bosserver -noauth &
# setup basic cell information
bos setcellname your.afs.server your.cell.name -noauth
# setup database servers processes
bos create your.afs.server ptserver simple /usr/lib/openafs/ptserver -cell your.cell.name -noauth
bos create your.afs.server buserver simple /usr/lib/openafs/buserver -cell your.cell.name -noauth
bos create your.afs.server vlserver simple /usr/lib/openafs/vlserver -cell your.cell.name -noauth
# If you want to use the old afs authentization (not recommended):
# bos addkey your.afs.server -kvno 0 -cell your.cell.name -noauth
# Authentication against heimdal krb5 server
# Here you can set up kerberos realm if you dont have any,
# see documentation in package krb5-doc
# restart kdc
rckrb5kdc restart
rckrb524d restart
# create afs principal in kerberos database
kadmin.local
add_principal afs@YOUR.KERBEROS.REALM # create afs key, use random password
ktremove -k /etc/krb5.keytab afs all # delete old afs key if any
# export the afs key to external keytab
# note the key version number (kvno), you will need it later for asetkey
ktadd -e des-cbc-crc:v4 afs@YOUR.KERBEROS.REALM
add_principal admin@YOUR.KERBEROS.REALM # create admin principal
quit # end kadmin.local
rm /etc/openafs/server/KeyFile # delete the old afs key file if any
# convert the afs key from /etc/krb5.keytab to /etc/openafs/server/KeyFile
# use <kvno> displayed by ktadd
asetkey add <kvno> /etc/krb5.keytab afs
# give admin the permissions to control bosserver
bos adduser your.afs.server admin -cell your.cell.name -noauth
# add admin to group system:administrators
pts createuser -name admin -id <user id> -cell your.cell.name -noauth
pts adduser admin system:administrators -cell your.cell.name -noauth
# restart bos server
bos restart your.afs.server -all -cell your.cell.name -noauth
# create fileserver processes
bos create your.afs.server fs fs /usr/lib/openafs/fileserver /usr/lib/openafs/volserver /usr/lib/openafs/salvager -cell your.cell.name -noauth
# create root volume
vos create your.afs.server /vicepa root.afs -cell your.cell.name -noauth
# restart bosserver with security enabled
rcopenafs-fileserver restart
CLIENT SETUP
============
IMPORTANT: Unfortunately, openafs client for linux kernel 2.6 has not reached
stable state yet. There may be problems.
edit /etc/sysconfig/openafs-client, set at least
REGENERATE_CELL_INFO="yes"
THIS_CELL="your.cell.name"
THIS_CELL_SERVER="your.afs.server"
If you are configuring first afs server and the volume root.cell does not
exist yet, you have to set also DYNROOT=no. After finishing the server
installaton it is better to change DYNROOT back to 'yes' as the client
behaves better on startup with network outage.
# start afs client
rcopenafs-client start
# login as admin
kinit admin
aklog -d # convert Kerberos 5 ticket to AFS token
To enable transparent login via pam, install package pam_krb5
and add 'call_modules=krb5afs' to /etc/security/pam_unix2.conf
For details look at pam_krb5afs(5), pam_krb5afs(8) and pam_unix2(8) manpages.
Now you have working afs server and client. You can continue with chapter
"Configuring the Top Levels of the AFS Filespace" of AFS Quick Start Guide.