[OpenAFS] Questions about afs and osx
Mon, 5 Feb 2007 16:32:17 -0600
Greetings all, I work at a smallish Art school, and we are going to
(hopefully) sit down this summer to confront our long term storage
needs. AFS is looking like one of the best options, but I'm
realizing how ignorant I am. I'm hoping that you can illuminate me.
I'm only going to talk about the academic side of things, if we were
to move to AFS, the administrative (read: windows) and infrastructure
would probably move as well.
Here is what I currently have:
~200 desktop workstations running OSX 10.4 with home directories
mounted via AFP.
Hundreds of apple laptops.
4 G5 Xserves and a G4 Xserve (all running server 10.4)
Two of the G5s are AFP servers for home directories, one is a radmind/
netboot server and the other, along with the G4 host other AFP shares.
For storage, I have the internal drives, an XserveRAID (1.5TB on one
side, 1 TB on the other) and assorted lowly FW drives used for backups.
Here is what I want:
The ability to load balance without downtime (when everyone is
working at the end of the semester, the student server is not able to
To be able to have any one server go down without loss of access to
data (services on that machine would obviously go down)
Users would still need to be able to have a personal website (bonus
if this would survive a server failure). I'm sure it can do the former.
No issues with storing OSX files. I think this has been there for a
while. (the ability to work on Photoshop files off the server would
be a bonus, but not needed. This doesn't work very well with AFP)
It will hopefully work as well or better with Linux serving afs to
osx as osx serving afs to osx. There are some things I love about
osx, even on the server (especially xgrid), but....
The ability to create a Big Red Button that will let laptop users
mount their AFP home directory (and class folders, etc). We control
the build on the laptops, so installation pain isn't an issue, I just
need to be able to make an art student resistant final product.
Still being able to SFTP into one's home directory
Folder quotas would be nice, group quotas would work. The ability to
set quotas through non-interactive command line tools is a must.
Can afs use ldap groups, or would there be two separate sets of
groups? I'm almost positive that it is the latter, which isn't
really worse than having our apple section of the ldap tree.
What do I have to look for to determine whether software will die
when confronted with kerberos? I know that most things that can hit
ldap/sasl will play nicely with ldap with kerberos behind it. I'm
mainly worried about things such as Moodle. We trust our ldap boxes,
so it would be nice if it were possible to fall back to a password
being sent plaintext over ssl to the ldap server, who would then use
it to authenticate with kerberos. (or something much better that I'm
not smart enough to figure out)
In the near term, I'm looking at wanting about 7 TB of storage
space. Right now there is a lot of unusable and underused space in
some areas, while others are nearing their max. The real killer
feature is to be able to repurpose space without downtime.
Initially, I thought that a SAN solution might be better, and easier,
but I cannot think of a good way to have home directory redundancy
with a SAN (other than doing insane automated changes to a live LDAP
How much hardware redundancy do you put in? I understand that there
is redundancy built into AFS, but I'm unclear as to how that affects
the use of hardware redundancy.
I'm also curious about mixing a SAN with AFS. Would it make sense to
have multiple servers have access to a SAN device? (I'm thinking
along the lines of having two servers looking at a giant student
share, and if one goes down, the other can become the RW server
without much pain). I'm really not sure if that makes sense.
I have looked for a good overview at the AFS architecture, and I
haven't really found it. If there is a good source, a link would be
I've played with it a bit, but the main thing that is keeping me from
being able to really test it is that we do not currently use
kerberos (ssha in ldap). It would be absolutely wonderful if
kerberos could import ssha and use it for the backend, but I am
guessing that is impossible. (Why we didn't put up a KDC when we
moved away from netinfo is beyond me. I wasn't there, but if we
decide to do this, it is institutionally possible to have everyone
change their password.)
Does anyone know how AFS performs versus AFP on osx? AFP is pretty
bad, so it is hopefully a lot better. If there are any pages about
osx issues with afs, that would be great as well.
Am I missing something that is better than AFS for these requirements?
Thank you. I'm sorry about having such vague questions and statements.
Academic System Administrator
Minneapolis College of Art & Design