[OpenAFS] Questions, vol 1.

Stephen Bosch posting@vodacomm.ca
Wed, 21 Jan 2004 11:56:14 -0700


Noel Burton-Krahn wrote:
> Hi Stephen,
> 
> Hang in there, I remember facing the same pain setting up and understanding
> OpenAFS.  I also remember the same reasons for going there: we needed a
> distributed file system and AFS beats NFS, Samba, and Coda.  You still have
> a bunch of pain to go through I think, but once you're done, I think you'll
> find this is the way networks should be.

Well, thanks for all this help. It is *most* appreciated. I am already 
learning that there *are* places where the documentation has holes, so 
I'm less inclined to beat up on myself.

> Our setup is OpenAFS, KerberosV, LDAP, on Debian.  Everyone has an OpenAFS
> home directory where their mail, calendar, and web space is, and their home
> is available on Windows or Linux clients.  Life is pretty good.  On the
> other hand, OpenAFS has its quirks, and its Windows integration is not as
> smooth as Samba.

Yeah, we're not quite ready to move people's home directories to 
OpenAFS. I'd like to be a lot more comfortable before we make that leap. 
Also, there is the chance (though slim) that some machines would have to 
be moved off-site, and I'd want those workstations to work properly if 
that were necessary.

What sort of Windows quirks have you encountered? We have one Windows 
machine that will need access to the cell.

> First, about your tokens.  Are you running KerberosV + OpenAFS?  I recommend
> it.

No, we're not -- this is just the stock OpenAFS. I suppose I'm going to 
have to learn Kerberos also? How difficult/easy is it to integrate a 
stand-alone Kerberos implementation with OpenAFS?

> Last year I found that none of the stock pam_afs, pam_openafs, or
> pam_krb5 modules ever succeeded in getting AFS tokens.  I ended up using
> pam_krb5 to get Kerberos tickets and pam_run to run 'aklog' to get AFS
> tokens.

Can you explain the difference between Kerberos tickets and AFS tokens 
to me? Doesn't one contain the other?

> I have since heard claims that pam_krb5 on sourceforge
> (http://sourceforge.net/projects/pam-krb5/) works.  I found "strace" very
> useful in debugging pam logins.

Sadly, I am not a programmer... can I still get something out of using 
strace?

> I don't use USS, I wrote my own scripts because user accounts have to exist
> in Krb5, LDAP and OpenAFS.

Well, this doesn't surprise me. USS is ugly, and unfortunately it 
doesn't maintain sync between /etc/passwd and AFS automatically, as I 
have just discovered.

> Treat the files in your /vicepX partitions as totally opaque and don't touch
> them.  Yes, you have to use the OpenAFS utilities for backups.  The docs say
> that the partitions must be named /vicepX.

As long as I can be assured that the data is safe, I can live with that.

-Stephen-
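A small check for the /etc/passwd vs. AFS drift mentioned above, added here as an illustration (it is not code from this thread, nor from OpenAFS or USS). It assumes the plain-text column layout that `pts listentries` prints (Name, ID, Owner, Creator) and a standard seven-field passwd file; the sample data, the 1000 UID cutoff and the names treated as cell-only accounts (`admin`, `anonymous`) are constructed for the example.

```python
"""Compare local passwd accounts with OpenAFS Protection Database users.

Added example, not from the original thread. Assumes the text layout of
`pts listentries` (Name / ID / Owner / Creator) and a standard passwd file.
Sample data below is constructed, not captured from a real cell.
"""
import subprocess

# Constructed sample of `pts listentries` output.
SAMPLE_PTS = """\
Name                          ID  Owner Creator
admin                          1    -204    -204
anonymous                  32766    -204    -204
stephen                      100    -204    -204
noel                        1001    -204    -204
oldhire                     1002    -204    -204
"""

# Constructed sample /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
stephen:x:1000:1000:Stephen Bosch:/home/stephen:/bin/bash
noel:x:1001:1001:Noel:/home/noel:/bin/bash
newhire:x:1003:1003:New Hire:/home/newhire:/bin/bash
"""

MIN_UID = 1000                      # assumption: below this is a system account
PTS_CELL_ONLY = {"admin", "anonymous"}   # assumption: never local logins


def parse_pts_listentries(text):
    """Return {name: pts_id} from `pts listentries` output, skipping the header."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "Name":
            continue
        entries[fields[0]] = int(fields[1])
    return entries


def parse_passwd(text, min_uid=MIN_UID):
    """Return {login: uid} for human accounts (uid >= min_uid)."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        login, uid = fields[0], int(fields[2])
        if uid >= min_uid:
            users[login] = uid
    return users


def compare_accounts(passwd_text, pts_text, min_uid=MIN_UID):
    """Return (missing_in_afs, missing_locally, id_mismatch), each sorted.

    id_mismatch lists (name, unix_uid, pts_id) where the two differ; AFS shows
    file ownership by PTS id, so a mismatch makes `ls -l` name the wrong user.
    """
    local = parse_passwd(passwd_text, min_uid)
    pts = {n: i for n, i in parse_pts_listentries(pts_text).items()
           if n not in PTS_CELL_ONLY}
    missing_in_afs = sorted(set(local) - set(pts))
    missing_locally = sorted(set(pts) - set(local))
    id_mismatch = sorted((n, local[n], pts[n]) for n in set(local) & set(pts)
                         if local[n] != pts[n])
    return missing_in_afs, missing_locally, id_mismatch


def run_pts_listentries():
    """Fetch live output; needs a token for a cell administrator."""
    return subprocess.run(["pts", "listentries"], check=True,
                          capture_output=True, text=True).stdout


def report(passwd_text, pts_text):
    """Human-readable lines describing the drift found."""
    missing_in_afs, missing_locally, id_mismatch = compare_accounts(passwd_text, pts_text)
    lines = [f"local only (no PTS entry): {n}" for n in missing_in_afs]
    lines += [f"AFS only (no passwd entry): {n}" for n in missing_locally]
    lines += [f"id mismatch: {n} uid={u} pts={p}" for n, u, p in id_mismatch]
    return lines or ["in sync"]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PASSWD, SAMPLE_PTS)))
```

To run it against a real cell, replace SAMPLE_PASSWD with the contents of /etc/passwd and SAMPLE_PTS with `run_pts_listentries()`; the "AFS only" list is the one to watch, since a PTS entry with no local account is exactly the leftover USS does not clean up for you.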