[OpenAFS] Heimdal & OpenAFS 1.7.4: Difficult user experience

John Tang Boyland boyland@uwm.edu
Thu, 26 Jan 2012 13:26:28 -0600 

As readers to this list know; I teach a class with 40-50 students every
semester which uses AFS and I have 30+ people trying to install OpenAFS
on their laptops.  This exposes many usability problems with the
installation process.  I'm pleased with the quality of the software once
it starts working, but it's a real struggle to install.

We need a series of simple instructions for how to install
OpenAFS on Windows machines.  The download web page is confusing,
and even if you follow it precisely, the software
doesn't work out of the box.  

I had several students dutifully download OpenAFS 1.7.4 and Heimdal KfW
(as recommended) and then NetworkIdentityManager v2 (three separate
downloads and installs) only to have NIM say that it can't get AFS
tokens.  Apparently (and I couldn't see how to get this information from
NIM), the "allow_weak_crypto" flag has to be explicitly turned on in
krb5.conf.  The web page is utterly silent on this required step.

After a lot of searching (searching C:\ takes a LONG time!), I found
krb5.conf in C:\ProgramData\Kerberos but being a system file, it
couldn't be edited.  Finally with one student, he was able to make it so
we could save our changes, but then NIM didn't work at ALL (and "kinit"
in the command window gave error 22: couldn't initialize the context).
Even removing allow_weak_crypto again still didn't solve the problem so
we removed the file and reinstalled, this time with MIT KfW (64 bit from
secure endpoints, thanks) which doesn't have the disallow-AFS-by-default
"feature".

With the next student, we edited the file, saved it under
a different name, and then used an administrator shell to 
rename the files.  Then with NIM restarted everything worked.

Questions:

(1) Is it really true that OpenAFS tells people to download software
    that doesn't work without manually fiddling with configuration
    files?  Or did I do something wrong with the install?

(2) Instead, could we have the Heimdal installer default
    "allow_weak_crypto = true" ?

(3) If we're stuck with (1) and can't do (2), would anyone like me to
    write up the installation sequence required on the Wiki?  And maybe
    the download page could point to it so poor lusers could find it?
    And maybe for MacOSX too, with also requires
    a manual fiddling with /etc/krb5.conf after installation.

(4) Is there a plan to finally wean AFS servers off des-cbc-crc ?

Thanks,
John