[OpenAFS] New to OpenAFS

[Jason Edgecombe]

billbaird3 wrote:
> Jason,
>
> Thanks so much for clarifying things, for the majority of users I think this
> will solve a lot of file sharing issues. Most of our locations are dedicated
> to a specific department, so traffic will stay on the local network. I do
> have a few additional questions if you don't mind...
>
> - Our accounting group is distributed with a equal amount of people in NY,
> NC & LA. Right now they all connect to our server (WebDAV, Oracle Content
> Services) in NY. It is great for the NY users, but slow for others. Is there
> anyway to make an accounting folder available for fast access in multiple
> locations? Is there anyway to have read/write clones? If your example, you
> say that the read/write copy is accessible via:
> "/afs/.example.com/shared/procedures". This is different than
> "/afs/example.com/shared/procedures". Just wanted to confirm that it isn't a
> typo...
>
> - Have you integrated your OpenAFS server into an LDAP or Directory server?
> We are planning to run Samba with an OpenLDAP backend for our domain. Is
> this possible? I haven't been able to find my documentation about this. We
> are actually starting fresh, so we are open to any directory system as long
> as we can have other other apps authenticate via LDAP.
>
> - Lastly, when users are connecting to AFS do they need to only be able to
> contact one AFS server? Or contact others? For example, do the LA users need
> to talk to the NY server? Or do they talk to the LA server and the LA server
> handles interaction with NY?
>   
Glad to help.

Currently, OpenAFS cannot do read/write replicas. Only read-only data
can be replicated. The multi-office accounting folder would have to be
hosted at one office. read-only copies could be kept at all offices, but
the read-write copy can only be on one server.  /afs/.example.com was
not a typo. that's called the "dotted path" in AFS jargon. That is the
path to use to reach the read-write copy of data. /afs/example.com will
prefer read-only data when certain rules are met. If you like, you can
get more fine-grained that I showed. Each directory could be on a
different volume, which could be in a different server in a different
office. You could set up project directories under the departmental
shared folders. For example, /afs/example.com/accounting/payroll could
be in New York and /afs/example.com/accounting/auditing could be in
Chicago. A user cannot tell which server a file is on except possible by
the delay incurred from a distant office. Keep in mind that AFS clients
have good caching. If you save a file in AFS, then immediately open it,
then there will be no delay because the file is still cached. AFS caches
chunks of files.You can have a 1GB or larger disk cache on windows
(check the release notes), so the client won't have to re-fetch the file
unless it has changed.

At my work, we are not using a directory server. We use script to
distribute /etc/passwd. you will need to set up a kerberos server for
AFS. openldap can serve the /etc/passwd data to linux/unix machines. I
don't know how samba+openldap would work. Since AFs requires kerberos,
kerberos will be your primary password store for AFS. you either need to
have openldap/samba bounce password requests to kerberos or do some type
of password synchronization. I have heard of people using kerberos with
openldap, though.

The client must be able to contact the fileserver with the files AND the
DB servers. Each client must find the DB servers for your AFS cell via
the CellServDB file or DNS. The client contacts one of the DB servers to
find out which server contains the file it wants. After that, the client
talks to the fileserver containing the files. DB servers are a critical
part of AFS infrastructure. Three is the recommended minimum of DB
servers so that you still have full functionaliy if one goes down. You
still have partial functionality and normal file serving with two down,
but you can't do some admin operations like moving volumes. with
multiple offices, I highly recommend putting the three DB servers in
different offices.Using the "fs setserverprefs" command, you can set
clients to contact the DB server nearest to them to avoid WAN traffic.

I forgot to mention that a single machine can be both a fileserver and a
DB server. DB and fileserver are just different processes that define
roles in the infrastructure.

Any more questions?

Sincerely,
Jason