[OpenAFS] Heimdal & OpenAFS 1.7.4: Difficult user experience

Dave Botsch botsch@cnf.cornell.edu
Thu, 26 Jan 2012 14:37:02 -0500

I don't know if there's a way to make a "meta-msi" that would wrap up
and install all the sub packages.

But, you can certainly use transforms to customize each of the MSIs with
the default options needed, including a correct krb5.conf, so that users
just double click, install, reboot, done.

On Thu, Jan 26, 2012 at 01:26:28PM -0600, John Tang Boyland wrote:
> As readers of this list know, I teach a class with 40-50 students every
> semester which uses AFS and I have 30+ people trying to install OpenAFS
> on their laptops.  This exposes many usability problems with the
> installation process.  I'm pleased with the quality of the software once
> it starts working, but it's a real struggle to install.
> We need a series of simple instructions for how to install
> OpenAFS on Windows machines.  The download web page is confusing,
> and even if you follow it precisely, the software
> doesn't work out of the box.  
> I had several students dutifully download OpenAFS 1.7.4 and Heimdal KfW
> (as recommended) and then NetworkIdentityManager v2 (three separate
> downloads and installs) only to have NIM say that it can't get AFS
> tokens.  Apparently (and I couldn't see how to get this information from
> NIM), the "allow_weak_crypto" flag has to be explicitly turned on in
> krb5.conf.  The web page is utterly silent on this required step.
> After a lot of searching (searching C:\ takes a LONG time!), I found
> krb5.conf in C:\ProgramData\Kerberos but being a system file, it
> couldn't be edited.  Finally with one student, he was able to make it so
> we could save our changes, but then NIM didn't work at ALL (and "kinit"
> in the command window gave error 22: couldn't initialize the context).
> Even removing allow_weak_crypto again still didn't solve the problem so
> we removed the file and reinstalled, this time with MIT KfW (64 bit from
> secure endpoints, thanks) which doesn't have the disallow-AFS-by-default
> "feature".
> With the next student, we edited the file, saved it under
> a different name, and then used an administrator shell to 
> rename the files.  Then with NIM restarted everything worked.
> Questions:
> (1) Is it really true that OpenAFS tells people to download software
>     that doesn't work without manually fiddling with configuration
>     files?  Or did I do something wrong with the install?
> (2) Instead, could we have the Heimdal installer default
>     "allow_weak_crypto = true" ?
> (3) If we're stuck with (1) and can't do (2), would anyone like me to
>     write up the installation sequence required on the Wiki?  And maybe
>     the download page could point to it so poor lusers could find it?
>     And maybe for MacOSX too, which also requires
>     a manual fiddling with /etc/krb5.conf after installation.
> (4) Is there a plan to finally wean AFS servers off des-cbc-crc ?
> Thanks,
> John
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

David William Botsch
CNF Computing
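
The krb5.conf edit described in the quoted message (set `allow_weak_crypto` under `[libdefaults]`, save under a different name, then rename) can be scripted, for instance to produce the corrected file that a customized installer would ship. This is an added example, not code from the thread or from OpenAFS or Heimdal; the helper names and the sample file are constructed, and it assumes a flat `[libdefaults]` section with no nested realm blocks.

```python
import os
import re
import tempfile

SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
SETTING = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")
# Constructed sample file; realm and domain names are placeholders.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.EDU
# allow_weak_crypto = true
[domain_realm]
    .example.edu = EXAMPLE.EDU
"""

def get_libdefault(text, key):
    """Return the first value of `key` in [libdefaults], or None if unset."""
    section = None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip().lower()
        s = SETTING.match(line)
        if s and section == "libdefaults" and s.group(1) == key:
            return s.group(2)
    return None

def set_libdefault(text, key, value):
    """Return `text` with exactly one `key = value` line in [libdefaults]."""
    out, section, done = [], None, False
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip().lower()
        s = SETTING.match(line)
        if s and section == "libdefaults" and s.group(1) == key:
            continue  # drop the old setting; the new one sits under the header
        out.append(line)
        if m and section == "libdefaults" and not done:
            out.append(f"    {key} = {value}")
            done = True
    if not done:  # no [libdefaults] section at all: add one at the top
        out = ["[libdefaults]", f"    {key} = {value}", ""] + out
    return "\n".join(out) + "\n"

def write_atomically(path, text):
    """Write a sibling temp file, then rename it over `path` in one step."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.replace(tmp, path)
```

Commented-out settings are left alone and only `[libdefaults]` is touched; as the thread notes, replacing the real file needs an administrator shell.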