File README.SUSE.openafs of Package openafs
Here is described installation of openafs server and client on SUSE linux. This text is based on AFS Quick Start Guide. The differences are: - paths are adapted to SUSE installation - uses Kerberos 5 authentization Complete OpenAFS documentation is at http://openafs.org SERVER SETUP ============ # choose an AFS cell name and a Kerberos realm name, the simplest setup is: # - AFS cell name equal to DNS domain name # - Kerberos realm name equal to uppercase AFS cell name # create a partition for AFS filesystem and mount it under /vicepa # start bosserver /usr/sbin/bosserver -noauth & # setup basic cell information bos setcellname your.afs.server your.cell.name -noauth # setup database servers processes bos create your.afs.server ptserver simple /usr/lib/openafs/ptserver -cell your.cell.name -noauth bos create your.afs.server buserver simple /usr/lib/openafs/buserver -cell your.cell.name -noauth bos create your.afs.server vlserver simple /usr/lib/openafs/vlserver -cell your.cell.name -noauth # If you want to use the old afs authentization (not recommended): # bos addkey your.afs.server -kvno 0 -cell your.cell.name -noauth # Authentication against heimdal krb5 server # Here you can set up kerberos realm if you dont have any, # see documentation in package krb5-doc # restart kdc rckrb5kdc restart rckrb524d restart # create afs principal in kerberos database kadmin.local add_principal afs@YOUR.KERBEROS.REALM # create afs key, use random password ktremove -k /etc/krb5.keytab afs all # delete old afs key if any # export the afs key to external keytab # note the key version number (kvno), you will need it later for asetkey ktadd -e des-cbc-crc:v4 afs@YOUR.KERBEROS.REALM add_principal admin@YOUR.KERBEROS.REALM # create admin principal quit # end kadmin.local rm /etc/openafs/server/KeyFile # delete the old afs key file if any # convert the afs key from /etc/krb5.keytab to /etc/openafs/server/KeyFile # use <kvno> displayed by ktadd asetkey add <kvno> /etc/krb5.keytab afs # give admin the permissions to control bosserver bos adduser your.afs.server admin -cell your.cell.name -noauth # add admin to group system:administrators pts createuser -name admin -id <user id> -cell your.cell.name -noauth pts adduser admin system:administrators -cell your.cell.name -noauth # restart bos server bos restart your.afs.server -all -cell your.cell.name -noauth # create fileserver processes bos create your.afs.server fs fs /usr/lib/openafs/fileserver /usr/lib/openafs/volserver /usr/lib/openafs/salvager -cell your.cell.name -noauth # create root volume vos create your.afs.server /vicepa root.afs -cell your.cell.name -noauth # restart bosserver with security enabled rcopenafs-fileserver restart CLIENT SETUP ============ IMPORTANT: Unfortunately, openafs client for linux kernel 2.6 has not reached stable state yet. There may be problems. edit /etc/sysconfig/openafs-client, set at least REGENERATE_CELL_INFO="yes" THIS_CELL="your.cell.name" THIS_CELL_SERVER="your.afs.server" If you are configuring first afs server and the volume root.cell does not exist yet, you have to set also DYNROOT=no. After finishing the server installaton it is better to change DYNROOT back to 'yes' as the client behaves better on startup with network outage. # start afs client rcopenafs-client start # login as admin kinit admin aklog -d # convert Kerberos 5 ticket to AFS token To enable transparent login via pam, install package pam_krb5 and add 'call_modules=krb5afs' to /etc/security/pam_unix2.conf For details look at pam_krb5afs(5), pam_krb5afs(8) and pam_unix2(8) manpages. Now you have working afs server and client. You can continue with chapter "Configuring the Top Levels of the AFS Filespace" of AFS Quick Start Guide.
