[OpenAFS] Re: Minimal toy OpenAFS install?

Andrew Deason adeason@sinenomine.net
Fri, 14 Feb 2014 00:59:30 -0600


On Thu, 13 Feb 2014 19:59:28 -0800
fork <forkandwait@gmail.com> wrote:

> I hate to ask a question like this, but ... is there a guide to the
> most minimal OpenAFS install possible, for a learning exercise?

Pretty much any setup guide you find will be for a small setup, since
that's how cells are normally created (you create a small "toy" setup,
and then grow it). They can look complicated, but that's because they
are trying to cover a lot of different scenarios; the most simple and
"best" guides will be for a very specific environment, but of course
they are most helpful for that specific environment. I'm not aware of
any FreeBSD-targeted guides, unless there's something in the FreeBSD
port itself; you'd have to follow a guide for setting up a Linux server
and try to ignore/translate the Linuxisms.

And that's just for the server. Setting up the Windows client and an OS
X client would be covered in a separate guide. Setting up clients is
generally easier, though, and you may not need a guide for that.

> I would like to install a server on my FreeBSD box and share the files
> to the household Windows and Mac OSX computer (one each).  I figure I
> would install Kerberos and OpenAFS, but I am hoping to avoid BIND if I
> can.  I thought I would install the Kerberos key server on the same
> machine as OpenAFS, since it is a toy system anyway.

You don't need a DNS server (BIND), but you do need to pick a name for
the "AFS cell", and some people will recommend that having a real DNS
server can make things easier. The cell name is usually a DNS FQDN, but
it doesn't actually need to be related to anything in DNS, so you can
make something up if you want to. All guides I am aware of will require
a Kerberos KDC; in my opinion, a truly "minimal" setup would not require
one, but I don't think any guides let you skip that.

Anyway, there are many guides, of varying styles and quality. I don't
think I've read an entire setup guide in a very long time, so I can't
provide a meaningful recommendation, but newer ones are usually better.
Here are a few Linux server guides if you'd like to decide for yourself,
if you like how one of these looks or something (or wait for someone
else on the list to recommend something):

<https://openafs.dk/doku.php?id=server:start>
<http://techpubs.spinlocksolutions.com/dklar/afs.html>
<http://www.ibm.com/developerworks/opensource/library/os-openafs-kerberos5/index.html>
<http://wiki.openafs.org/FedoraAFSInstall/>
The official documentation starting here:
<http://docs.openafs.org/QuickStartUnix/HDRWQ50.html>

This guide: <https://wiki.gentoo.org/wiki/OpenAFS> is usually
recommended against, since it describes a setup with an older, insecure,
security mechanism (kaserver). But if you don't care about that for a
"toy" setup, then maybe it's okay.

A few bits of information and advice as you're looking at guides:

 - Even though I linked several, only follow one for actually following
   procedures. There are a few different ways to do some of the setup
   steps, and mixing and matching will sometimes not work.

 - Some guides will tell you that afs stuff goes in paths that may look
   strange to you, like /usr/afs/bin, /usr/afs/etc, /usr/vice/etc, and
   so on. Some guides will put stuff in more normal paths, like
   /usr/bin, /etc, and so on. The weird /usr/afs-y paths are referred to
   as "transarc paths", and the more normal ones just usually are
   referred to as "non-transarc paths". It doesn't really matter which
   one you use, but if you're compiling the code yourself, the configure
   switch --enable-transarc-paths turns on the "transarc paths".
 
 - Most guides will tell you to set up Kerberos 5 using the command
   'asetkey' and a file called the KeyFile. Some people may tell you to
   use a more modern mechanism using a file called 'rxkad.keytab'
   instead. If you don't care much about security, it doesn't matter
   which way you do it, and all guides I am aware of currently use the
   asetkey/KeyFile route (the rxkad.keytab thing is rather new).

 - As soon as something doesn't work and you're confused and can't
   figure out what's going on, stop and ask for help. Sometimes people
   keep messing around with the setup trying to make things work, and it
   can make it much harder to figure out what they did afterwards :)
   Places to find help are listed here: <http://openafs.org/support.html>.

The information in this email should probably be in one of those guides,
but I don't think any guide contains everything I said. Anyone who feels
motivated feel free to correct that :)

-- 
Andrew Deason
adeason@sinenomine.net
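
Added example, not part of the original message or of OpenAFS: a shell check that reports which path layout a server tree uses, whether it holds a KeyFile or an rxkad.keytab, and whether its BosConfig still starts kaserver. The function names are hypothetical; the BosConfig location under transarc paths (usr/afs/local) is an assumption, and the non-transarc locations vary by distribution, so the caller passes them in.

```shell
#!/bin/sh
# Added example: audit an OpenAFS server tree for layout, key file and kaserver.
# ROOT is a filesystem root, so the checks can also run against a copy.

afs_layout() {            # $1 = root; prints transarc | non-transarc
    if [ -d "$1/usr/afs/etc" ]; then echo transarc; else echo non-transarc; fi
}

afs_key_mechanism() {     # $1 = server config dir; prints which key files exist
    if [ -f "$1/rxkad.keytab" ] && [ -f "$1/KeyFile" ]; then echo both
    elif [ -f "$1/rxkad.keytab" ]; then echo rxkad.keytab
    elif [ -f "$1/KeyFile" ]; then echo KeyFile
    else echo none
    fi
}

afs_uses_kaserver() {     # $1 = BosConfig path; returns 0 if kaserver is configured
    [ -f "$1" ] &&
        grep -Eq '^(bnode +[^ ]+ +kaserver( |$)|parm +[^ ]*/kaserver( |$))' "$1"
}

# $1 = root
# $2 = non-transarc server config dir (caller-supplied, distro-specific)
# $3 = non-transarc BosConfig path    (caller-supplied, distro-specific)
afs_audit() {
    layout=$(afs_layout "$1")
    if [ "$layout" = transarc ]; then
        etc="$1/usr/afs/etc"
        bos="$1/usr/afs/local/BosConfig"   # assumed transarc location
    else
        etc="${2:-}"
        bos="${3:-}"
    fi
    kas=no
    if afs_uses_kaserver "$bos"; then kas=yes; fi
    echo "layout=$layout keys=$(afs_key_mechanism "$etc") kaserver=$kas"
}

# Run directly: sh afs_audit.sh / [config-dir] [BosConfig]
if [ $# -gt 0 ]; then afs_audit "$@"; fi
```

A result of `kaserver=yes` means the cell was set up the way the Gentoo guide describes; `keys=KeyFile` is the asetkey route that most guides still use.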