[OpenAFS] Questions about afs and osx

Jonathan Dobbie jonathan_dobbie@mcad.edu
Mon, 5 Feb 2007 16:32:17 -0600

Greetings all, I work at a smallish Art school, and we are going to
(hopefully) sit down this summer to confront our long term storage
needs.  AFS is looking like one of the best options, but I'm
realizing how ignorant I am.  I'm hoping that you can illuminate me.

I'm only going to talk about the academic side of things; if we were
to move to AFS, the administrative (read: windows) and infrastructure
would probably move as well.

Here is what I currently have:
~200 desktop workstations running OSX 10.4 with home directories  
mounted via AFP.
Hundreds of apple laptops.
4 G5 Xserves and a G4 Xserve (all running server 10.4)
Two of the G5s are AFP servers for home directories, one is a radmind/netboot
server and the other, along with the G4, hosts other AFP shares.
For storage, I have the internal drives, an XserveRAID (1.5TB on one  
side, 1 TB on the other) and assorted lowly FW drives used for backups.

Here is what I want:
The ability to load balance without downtime (when everyone is  
working at the end of the semester, the student server is not able to  
keep up)
To be able to have any one server go down without loss of access to  
data (services on that machine would obviously go down)
Users would still need to be able to have a personal website (bonus
if this would survive a server failure).  I'm sure it can do the former.
No issues with storing OSX files.  I think this has been there for a  
while. (the ability to work on Photoshop files off the server would  
be a bonus, but not needed.  This doesn't work very well with AFP)
It will hopefully work as well as or better with Linux serving afs to
osx as osx serving afs to osx.  There are some things I love about  
osx, even on the server (especially xgrid), but....
The ability to create a Big Red Button that will let laptop users  
mount their AFP home directory (and class folders, etc).  We control  
the build on the laptops, so installation pain isn't an issue, I just  
need to be able to make an art student resistant final product.
Still being able to SFTP into one's home directory
Folder quotas would be nice, group quotas would work.  The ability to  
set quotas through non-interactive command line tools is a must.

Can afs use ldap groups, or would there be two separate sets of  
groups?  I'm almost positive that it is the latter, which isn't  
really worse than having our apple section of the ldap tree.

What do I have to look for to determine whether software will die  
when confronted with kerberos?  I know that most things that can hit  
ldap/sasl will play nicely with ldap with kerberos behind it.  I'm  
mainly worried about things such as Moodle.  We trust our ldap boxes,  
so it would be nice if it were possible to fall back to a password  
being sent plaintext over ssl to the ldap server, which would then use
it to authenticate with kerberos.  (or something much better that I'm  
not smart enough to figure out)

In the near term, I'm looking at wanting about 7 TB of storage  
space.  Right now there is a lot of unusable and underused space in  
some areas, while others are nearing their max.  The real killer  
feature is to be able to repurpose space without downtime.   
Initially, I thought that a SAN solution might be better, and easier,  
but I cannot think of a good way to have home directory redundancy  
with a SAN (other than doing insane automated changes to a live LDAP  

How much hardware redundancy do you put in?  I understand that there  
is redundancy built into AFS, but I'm unclear as to how that affects  
the use of hardware redundancy.

I'm also curious about mixing a SAN with AFS.  Would it make sense to  
have multiple servers have access to a SAN device?  (I'm thinking  
along the lines of having two servers looking at a giant student  
share, and if one goes down, the other can become the RW server  
without much pain).  I'm really not sure if that makes sense.

I have looked for a good overview at the AFS architecture, and I  
haven't really found it.  If there is a good source, a link would be  

I've played with it a bit, but the main thing that is keeping me from  
being able to really test it is that we do not currently use
kerberos (ssha in ldap).  It would be absolutely wonderful if  
kerberos could import ssha and use it for the backend, but I am  
guessing that is impossible.  (Why we didn't put up a KDC when we  
moved away from netinfo is beyond me.  I wasn't there, but if we  
decide to do this, it is institutionally possible to have everyone  
change their password.)

Does anyone know how AFS performs versus AFP on osx?  AFP is pretty  
bad, so it is hopefully a lot better.  If there are any pages about  
osx issues with afs, that would be great as well.

Am I missing something that is better than AFS for these requirements?

Thank you.  I'm sorry about having such vague questions and statements.

Jonathan Dobbie
Academic System Administrator
Minneapolis College of Art & Design