openafs/README.SUSE.openafs

Here is described installation of openafs server and client on SUSE linux.

This text is based on AFS Quick Start Guide. The differences are:
  - paths are adapted to SUSE installation
  - uses Kerberos 5 authentization

Complete OpenAFS documentation is at http://openafs.org

SERVER SETUP
============

# choose an AFS cell name and a Kerberos realm name, the simplest setup is:
# - AFS cell name equal to DNS domain name
# - Kerberos realm name equal to uppercase AFS cell name 

# create a partition for AFS filesystem and mount it under /vicepa

# start bosserver
/usr/sbin/bosserver -noauth &

# setup basic cell information
bos setcellname your.afs.server your.cell.name -noauth 

# setup database servers processes
bos create your.afs.server ptserver simple /usr/lib/openafs/ptserver -cell your.cell.name -noauth
bos create your.afs.server buserver simple /usr/lib/openafs/buserver -cell your.cell.name -noauth
bos create your.afs.server vlserver simple /usr/lib/openafs/vlserver -cell your.cell.name -noauth

# If you want to use the old afs authentization (not recommended):
# bos addkey your.afs.server -kvno 0 -cell your.cell.name -noauth

# Authentication against heimdal krb5 server

# Here you can set up kerberos realm if you dont have any, 
# see documentation in package krb5-doc

# restart kdc
rckrb5kdc restart
rckrb524d restart

# create afs principal in kerberos database
kadmin.local
  add_principal afs@YOUR.KERBEROS.REALM     # create afs key, use random password
  ktremove -k /etc/krb5.keytab afs all      # delete old afs key if any
  
  # export the afs key to external keytab
  # note the key version number (kvno), you will need it later for asetkey
  ktadd -e des-cbc-crc:v4 afs@YOUR.KERBEROS.REALM 
  
  add_principal admin@YOUR.KERBEROS.REALM   # create admin principal
  
  quit # end kadmin.local
  
rm /etc/openafs/server/KeyFile # delete the old afs key file if any

# convert the afs key from /etc/krb5.keytab to /etc/openafs/server/KeyFile
# use <kvno> displayed by ktadd
asetkey add <kvno> /etc/krb5.keytab afs

# give admin the permissions to control bosserver
bos adduser your.afs.server admin -cell your.cell.name -noauth

# add admin to group system:administrators
pts createuser -name admin -id <user id> -cell your.cell.name -noauth
pts adduser admin system:administrators -cell your.cell.name -noauth

# restart bos server
bos restart your.afs.server -all -cell your.cell.name -noauth

# create fileserver processes
bos create your.afs.server fs fs /usr/lib/openafs/fileserver /usr/lib/openafs/volserver /usr/lib/openafs/salvager -cell your.cell.name -noauth

# create root volume
vos create your.afs.server /vicepa root.afs -cell your.cell.name -noauth

# restart bosserver with security enabled
rcopenafs-fileserver restart


CLIENT SETUP
============

IMPORTANT: Unfortunately, openafs client for linux kernel 2.6 has not reached 
stable state yet. There may be problems.

edit /etc/sysconfig/openafs-client, set at least
  REGENERATE_CELL_INFO="yes"
  THIS_CELL="your.cell.name"
  THIS_CELL_SERVER="your.afs.server"

  If you are configuring first afs server and the volume root.cell does not
  exist yet, you have to set also DYNROOT=no. After finishing the server 
  installaton it is better to change DYNROOT back to 'yes' as the client
  behaves better on startup with network outage.

# start afs client
rcopenafs-client start

# login as admin
kinit admin
aklog -d # convert Kerberos 5 ticket to AFS token

To enable transparent login via pam, install package pam_krb5
and add 'call_modules=krb5afs' to /etc/security/pam_unix2.conf
For details look at pam_krb5afs(5), pam_krb5afs(8) and pam_unix2(8) manpages.

Now you have working afs server and client. You can continue with chapter
"Configuring the Top Levels of the AFS Filespace" of AFS Quick Start Guide.