[OpenAFS] Evaluating AFS for in house use, RFCs...

Gordon Bowersox gbowerso@sbgnet.com
Thu, 02 Feb 2006 17:14:46 -0500


I hope this is not an abuse of the list...

I am at the early stages of examining AFS for use in our company.  I 
have my pipe-dream model and have started reading up on everything I 
need to understand before I dive into proof of concept.  The list of 
things I need to understand is growing faster than the list of things I 
understand.  I need a solid POC for budget approval in May 2006.  I am often 
accused of terse email and would be happy to continue this with more 
description offline or online.

Currently I have identified these components in my speculations.  Many 
of these are new systems to me and my understanding at this point is 
based on reading only and not always up-to-date material.

Kerberos - Kerberos: The Definitive Guide (O'Reilly)
openAFS - Managing AFS: The Andrew File System by Richard Campbell

samba (we have some 2.x)
MS Active Directory (we have one, not integrated to ldap or samba)
openLDAP (in use as address book, md5 hash auth for in house applications)

----
Kerberos.
I am leaning towards the MIT version, since it seems to offer better 
password aging and strength rules.  This will be the first component I 
install, since it provides immediate benefits to the MIS department beyond 
openAFS.

The problem.
We have 36 distributed offices across the United States, with T1 or dual T1 
access.  Our current file sharing system is distributed Novell 4.11 
servers: 36 (old) servers, 36 tape backup jobs, and 36 people who forget to 
change tapes at least once a week.

Dream model, a la carte.
New file server at each location running openAFS with samba on CentOS.
My goal is samba as the openAFS client, not the actual client PC.
Linking the afs root to /samba/data/...
Remote data is mirrored back to HQ via RO replica.
All backup jobs of remote RO replicas and local HQ RW replicas to run at 
HQ nightly, possibly a few incremental jobs during the day.

The extras
Role based rights to files and folders
LDAP-based pointers to 'My Documents' and 'Local Folder' for email
single admin point for all AD/samba UIDs
Kerberos authentication for users to samba, Citrix, web apps, Internet 
proxy (Kerberos will likely be a continuous evolution)

Any hidden gotchas on my path?  Any obvious mistakes on my part?

Gordon Bowersox
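A provisioning and nightly-release script for one office, added here as an illustration of the model sketched above; it is not the poster's or OpenAFS's own code. The cell name example.com, the server names afs-hq and afs-<site>, the /vicepa partition, the <site>-staff role group and the /backup path are all assumptions; with DRY_RUN=1 (the default) it prints the vos/fs/pts commands instead of running them.

```sh
#!/bin/sh
# Added illustration of the per-office AFS model, not the poster's setup.
# Assumed names: cell example.com, HQ server afs-hq, office server afs-<site>,
# partition /vicepa, role group <site>-staff, dump directory /backup.
CELL=example.com
HQ_SERVER=afs-hq
PART=/vicepa
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Provision one office: RW volume on the office server, RO replica site at
# HQ, RW mount point in the cell namespace, a role group holding write
# rights on the directory, and the /samba/data link that Samba exports
# instead of a local disk (Samba is the AFS client, not the user's PC).
provision_site() {
  site=$1; vol="data.$site"; srv="afs-$site"; dir="/afs/$CELL/sites/$site"
  run vos create -server "$srv" -partition "$PART" -name "$vol"
  run vos addsite -server "$HQ_SERVER" -partition "$PART" -id "$vol"
  run fs mkmount -dir "$dir" -vol "$vol" -rw
  run pts creategroup -name "$site-staff"
  # rlidwk = read, lookup, insert, delete, write, lock; no 'a' (admin),
  # so members cannot change the ACL themselves.
  run fs setacl -dir "$dir" -acl "$site-staff" rlidwk
  run ln -s "$dir" "/samba/data/$site"
}

# Nightly at HQ: push RW changes to the HQ RO replica, clone the RW volume
# into its .backup snapshot, and dump the snapshot so a single HQ backup
# job covers every office instead of 36 tape jobs.
nightly_release_and_dump() {
  site=$1; stamp=$2; vol="data.$site"
  run vos release -id "$vol"
  run vos backup -id "$vol"
  run vos dump -id "$vol.backup" -file "/backup/$vol.$stamp.dump"
}
```

Run with DRY_RUN=0 on a machine with AFS admin tokens to execute the plan for real; vos release should be scheduled before the dump so the HQ copy is current.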