OpenAFS is a distributed file system that can share file system resources efficiently across a LAN or WAN. Some of the features that make OpenAFS standout from the crowd, are:

• • Improved security: OpenAFS makes use of Kerberos to authenticate users. User passwords are no longer sent across the network as plain text. The encrypted passwords need not be visible either.
  • Scalability: OpenAFS files are location independent. This means, the users need not know which server contains the files, they just need to know the file path. Location independence makes OpenAFS highly scalable since the files can be spread across multiple servers, and the client need not keep track of which server holds the file.

• Client side caching: Cache manager at the client side stores files retrieved from the server in disk, there by improving response time and reducing network traffic. It communicates with the server and ensures that the cache contains all the latest files.
• Improved system management capability: The administrator can move user volumes from one server to another, without causing any interruption to service. Also, if configured, users can retrieve files from backup, without intervention from the administrator.

In this article, I will demonstrate how to install and configure the OpenAFS server and client in Ubuntu 9.04. Before going ahead with the OpenAFS installation, install and setup Kerberos and OpenLDAP as per steps given in my previous article on integrating Kerberos and OpenLDAP. It is assumed that the OpenAFS, Kerberos, and OpenLDAP servers are installed in the same server – srv.example.com.

IMPLEMENTATION

1. Install and Setup OpenAFS DB server

• • Install the required packages

apt-get install openafs-krb5 openafs-dbserverCopy Code

• • Add principal “

    afs/example.comCopy Code

    ” and import the key to

     /etc/openafs/afs.keytabCopy Code

kadmin: addprinc -randkey afs/example.comCopy Code

kadmin: ktadd -k /etc/openafs/afs.keytab -e des-cbc-crc:afs3 afs/example.comCopy Code

• • Note down the key version number (KVNO).

klist -ke /etc/openafs/afs.keytab  Copy Code

• • Import the secret key into the AFS security system. Replace “” with the key version number from the above step.

 asetkey addCopy Code

 /etc/openafs/afs.keytab afs/example.com Copy Code

• • Start bos server with “-noauth” switch and create server instances. It will create and populate the bos server configuration file,

    /etc/openafs/BosConfigCopy Code

    .

/usr/sbin/bosserver -noauthCopy Code

bos create srv.example.com ptserver simple /usr/lib/openafs/ptserver -noauthCopy Code

bos create srv.example.com vlserver simple /usr/lib/openafs/vlserver -noauthCopy Code

• • Cross check by listing users in the administrators group.

pts membership system:administrators -noauth  Copy Code

• • To list all users and groups, use the following commands.

pts listentries -users -noauth           #lists usersCopy Code

pts listentries -groups -noauth          #lists groups in protection databaseCopy Code

• • Shutdown and restart bos server in auth mode.

$ pkill bosserverCopy Code

$ /etc/init.d/openafs-fileserver startCopy Code

2. Configure file server

• • Install the required packages

apt-get install openafs-fileserverCopy Code

• • Create file server instance

bos create  srv.example.com fs fs -cmd /usr/lib/openafs/fileserver -cmd /usr/lib/openafs/volserver -cmd /usr/lib/openafs/salvager -localauthCopy Code

Note: Required only if file server is in a different machine

The following steps are required only if the file server is to be hosted in a different server, say filesrv.example.com.

apt-get install openafs-fileserver krb5-user  openafs-krb5Copy Code

klist -ke /etc/openafs/afs.keytab  #note down KVNOCopy Code

asetkey add  /etc/openafs/afs.keytab afs/cpiv.comCopy Code

bos adduser filesrv.example.com sysadmin -localauth bos listuser filesrv.example.com -localauthCopy Code

bos create  filesrv.example.com fs fs -cmd /usr/lib/openafs/fileserver -cmd /usr/lib/openafs/volserver -cmd /usr/lib/openafs/salvager -localauthCopy Code

3. Create and mount volumes

Volumes are the logical equivalent of local partitions in the network – a space where files and directories are stored with the appearance of a directory.

At least two volumes are required to manage a cell – root volume and cell volume

root volume – contains all other volumes (may be used to mount other cells)
cell volume – contains volumes and files belonging to the cell.

Volumes are held in partitions such as /vicepa, /vicepb, …., /vicepXY (/vicepaa, /vicepyz, /vicepzz, etc..)

Assuming that the file server is in the same server as that of the OpenAFS DB server srv.example.com and /vicepa partition exists, add the volumes using the following commands:

vos create srv  vicepa root.afs  -localauth
vos create srv vicepa root.cell  -localauth
vos create srv  vicepa  home.user  -localauth Copy Code

If the file server is in a different server, say filesrv.example.com, replace “srv” with “filesrv” in the above commands.

Install OpenAFS client in the server, so that the volumes can be mounted from within the server.

• • Install OpenAFS client in the server, so that the volumes can be mounted from within the server.

 apt-get install openafs-clientCopy Code

• • Build the openafs client module

module-assistant auto-install openafsCopy Code

Remove the unwanted entries from

 /etc/openafs/CellServDBCopy Code

• • Disable AFS_DYNROOT in

    /etc/openafs/afs.conf.client Copy Code

    and forcefully start the openafs client.

/etc/init.d/openafs-client force-startCopy Code

• • Mount volumes and set the access control list (ACL).

kinit sysadmin    Copy Code

aklog    Copy Code

fs listacl /afs  Copy Code

fs setacl /afs system:authuser  rl   Copy Code

fs mkmount /afs/example.com root.cell      Copy Code

fs setacl /afs/example.com system:authuser  rlCopy Code

fs mkmount /afs/example.com/home  home.userCopy Code

fs setacl /afs/example.com/home  system:authuser  rlCopy Code

4. Adding a user

Create a user in kerberos/LDAP and note down the UID and GID and add the user to OpenAFS with the same UID and GID.

pts createuser vishnu -id 1101        Copy Code

pts creategroup systems -id -1100  Copy Code

pts adduser vishnu systems            Copy Code

• • Create user home volume with 3G quota

vos create srv.example.com  vicepa user.vishnu -maxquota 3145728  -localauthCopy Code

• • Mount the user volume to /afs/example.com/home

fs mkmount /afs/example.com/home/vishnu user.vishnuCopy Code

• • Give all permission for user vishnu to the corresponding home directory.

fs setacl  /afs/example.com/home/vishnu vishnu allCopy Code

• • Chown the home directory as administrative user.

chown vishnu.pivusers /afs/example.com/home/vishnuCopy Code

chmod 700 /afs/example.com/home/vishnuCopy Code

5. Setting up the client machine

Test the OpenAFS server by installing OpenAFS client and accessing the mounted folders. Install and configure Kerberos and OpenLDAP clients as per steps given in my previous article on integrating Kerberos and OpenLDAP.

Install OpenAFS client and libpam, required to get tokens upon login.

• • Install OpenAFS client and libpam, required to get tokens upon login.

apt-get install openafs-client libpam-openafs-sessionCopy Code

• • Build openafs client module.

module-assistant auto-install openafsCopy Code

Remove the unwanted entries from

/etc/openafs/CellServDBCopy Code

REFERENCES

Distributed Services with OpenAFS: for Enterprise and Education
http://docs.openafs.org/index.html

About the Author:

Vishnu Ram is an MTech. in Communication Systems from IIT Madras. He joined Bobcares in 2003, and has been working for Poornam since then. He is currently the Information Security Manager of the company. His areas of interest are Performance tuning, Server monitoring, and Security. During his past time, Vishnu practices Karate, or read books or listen to music.