[OpenAFS] Evaluating AFS for in house use, RFCs...
Thu, 02 Feb 2006 17:14:46 -0500
I hope this is not an abuse of the list...
I am at the early stages of examining AFS for use in our company. I
have my pipe-dream model and have started reading up on everything I
need to understand before I dive into proof of concept. The list of
things I need to understand is growing faster than the list of things I
understand. I need solid POC for budget approval May 2006. I am often
accused of terse email and would be happy to continue this with more
description offline or online.
Currently I have identified these components in my speculations. Many
of these are new systems to me and my understanding at this point is
based on reading only and not always up-to-date material.
Kerberos - Kerberos The Definitive Guide (O'REILLY)
openAFS - Managing AFS The Andrew File System by Richard Campbell
samba (we have some 2.x)
MS Active Directory (we have one, not integrated to ldap or samba)
openLDAP (in use as address book, md5 hash auth for in house applications)
I am leaning towards MIT version. Reason it seems to offer better
password aging and strength rules. This will be the first component I
install since it provide immediate benefits to the MIS department beyond
We have 36 distributed offices across the United States. T1 or dual T1
access. Our current File Sharing system is distributed Novell 4.11
servers. 36 (old) servers 36 tape backup jobs 36 people who forget to
change tapes at least once a week.
Dream model ala carte.
New files server at each location running openAFS with samba on CentOS.
My goal is samba as the openAFS client, not the actual client PC.
Linking the afs root to /samba/data/...
Remote data is mirrored back to HQ via RO replica.
All backup jobs of remote RO replicas and local HQ RW replicas to run at
HQ nightly, possibly a few incremental jobs during the day.
Role based rights to files and folders
ldap based pointers to 'My Documents' and 'Local Folder' for email
single admin point for all AD/samba UID
Kerberos authentication for users to samba, Citrix, web apps, Internet
proxy (Kerberos will likely be a continuous evolution)
Any hidden gotchas on my path? Any obvious mistakes on my part?