OpenAFS is a distributed file system that can share file system resources efficiently across a LAN or WAN. Some of the features that make OpenAFS standout from the crowd, are:

• • Improved security: OpenAFS makes use of Kerberos to authenticate users. User passwords are no longer sent across the network as plain text. The encrypted passwords need not be visible either.
  • Scalability: OpenAFS files are location independent. This means, the users need not know which server contains the files, they just need to know the file path. Location independence makes OpenAFS highly scalable since the files can be spread across multiple servers, and the client need not keep track of which server holds the file.

• Client side caching: Cache manager at the client side stores files retrieved from the server in disk, there by improving response time and reducing network traffic. It communicates with the server and ensures that the cache contains all the latest files.
• Improved system management capability: The administrator can move user volumes from one server to another, without causing any interruption to service. Also, if configured, users can retrieve files from backup, without intervention from the administrator.

 

 

In this article, I will demonstrate how to install and configure the OpenAFS server and client in Ubuntu 9.04. Before going ahead with the OpenAFS installation, install and setup Kerberos and OpenLDAP as per steps given in my previous article on integrating Kerberos and OpenLDAP. It is assumed that the OpenAFS, Kerberos, and OpenLDAP servers are installed in the same server – srv.example.com.

IMPLEMENTATION

1. Install and Setup OpenAFS DB server

• • Install the required packages

apt-get install openafs-krb5 openafs-dbserver

• • Add principal “afs/example.com” and import the key to /etc/openafs/afs.keytab

kadmin: addprinc -randkey afs/example.com
kadmin: ktadd -k /etc/openafs/afs.keytab -e des-cbc-crc:afs3 afs/example.com

• • Note down the key version number (KVNO).

klist -ke /etc/openafs/afs.keytab

• • Import the secret key into the AFS security system. Replace “” with the key version number from the above step.

asetkey add

/etc/openafs/afs.keytab afs/example.com

• • Start bos server with “-noauth” switch and create server instances. It will create and populate the bos server configuration file, /etc/openafs/BosConfig.

/usr/sbin/bosserver -noauth

bos create srv.example.com ptserver simple /usr/lib/openafs/ptserver -noauth
bos create srv.example.com vlserver simple /usr/lib/openafs/vlserver -noauth

• • Cross check by listing users in the administrators group.

pts membership system:administrators -noauth

• • To list all users and groups, use the following commands.

pts listentries -users -noauth #lists users
pts listentries -groups -noauth #lists groups in protection database

• • Shutdown and restart bos server in auth mode.

$ pkill bosserver
$ /etc/init.d/openafs-fileserver start

2. Configure file server

• • Install the required packages

apt-get install openafs-fileserver

• • Create file server instance

bos create srv.example.com fs fs -cmd /usr/lib/openafs/fileserver -cmd /usr/lib/openafs/volserver -cmd /usr/lib/openafs/salvager -localauth

Note: Required only if file server is in a different machine

The following steps are required only if the file server is to be hosted in a different server, say filesrv.example.com.

3. Create and mount volumes

Volumes are the logical equivalent of local partitions in the network – a space where files and directories are stored with the appearance of a directory.

At least two volumes are required to manage a cell – root volume and cell volume

root volume – contains all other volumes (may be used to mount other cells)
cell volume – contains volumes and files belonging to the cell.

Volumes are held in partitions such as /vicepa, /vicepb, …., /vicepXY (/vicepaa, /vicepyz, /vicepzz, etc..)

Assuming that the file server is in the same server as that of the OpenAFS DB server srv.example.com and /vicepa partition exists, add the volumes using the following commands:

vos create srv vicepa root.afs -localauth
vos create srv vicepa root.cell -localauth
vos create srv vicepa home.user -localauth #Create volume to contain user home directories

If the file server is in a different server, say filesrv.example.com, replace “srv” with “filesrv” in the above commands.

Install OpenAFS client in the server, so that the volumes can be mounted from within the server.

• • Install OpenAFS client in the server, so that the volumes can be mounted from within the server.

apt-get install openafs-client

• • Build the openafs client module

module-assistant auto-install openafs

Remove the unwanted entries from /etc/openafs/CellServDB and retain only the servers for example.com realm.

• • Disable AFS_DYNROOT in /etc/openafs/afs.conf.client and forcefully start the openafs client.

/etc/init.d/openafs-client force-start

• • Mount volumes and set the access control list (ACL).

kinit sysadmin #obtain and cache Kerberos ticket-granting ticket
aklog #Obtain tokens for authentication to AFS

fs listacl /afs # List ACL
fs setacl /afs system:authuser rl # Allow read permission for authorized users

fs mkmount /afs/example.com root.cell #mount cell volume to /afs/example.com
fs setacl /afs/example.com system:authuser rl

fs mkmount /afs/example.com/home home.user
fs setacl /afs/example.com/home system:authuser rl

4. Adding a user

Create a user in kerberos/LDAP and note down the UID and GID and add the user to OpenAFS with the same UID and GID.

pts createuser vishnu -id 1101 #Add user vishnu
pts creategroup systems -id -1100 #Create group systems
pts adduser vishnu systems # Add user vishnu to “systems” group

• • Create user home volume with 3G quota

vos create srv.example.com vicepa user.vishnu -maxquota 3145728 -localauth

• • Mount the user volume to /afs/example.com/home

fs mkmount /afs/example.com/home/vishnu user.vishnu

• • Give all permission for user vishnu to the corresponding home directory.

fs setacl /afs/example.com/home/vishnu vishnu all

• • Chown the home directory as administrative user.

chown vishnu.pivusers /afs/example.com/home/vishnu
chmod 700 /afs/example.com/home/vishnu

5. Setting up the client machine

Test the OpenAFS server by installing OpenAFS client and accessing the mounted folders. Install and configure Kerberos and OpenLDAP clients as per steps given in my previous article on integrating Kerberos and OpenLDAP.

Install OpenAFS client and libpam, required to get tokens upon login.

• • Install OpenAFS client and libpam, required to get tokens upon login.

apt-get install openafs-client libpam-openafs-session

• • Build openafs client module.

module-assistant auto-install openafs

Remove the unwanted entries from /etc/openafs/CellServDB, and retain only the servers for example.com realm. Client machine is all set, and the OpenAFS user can now login and access the files in his home directory.

REFERENCES

Distributed Services with OpenAFS: for Enterprise and Education
http://docs.openafs.org/index.html

---

About the Author:

Vishnu Ram is an MTech. in Communication Systems from IIT Madras. He joined Bobcares in 2003, and has been working for Poornam since then. He is currently the Information Security Manager of the company. His areas of interest are Performance tuning, Server monitoring, and Security. During his past time, Vishnu practices Karate, or read books or listen to music.

---