[OpenAFS] Re: Minimal toy OpenAFS install?

Jason Edgecombe jason@rampaginggeek.com
Fri, 14 Feb 2014 09:49:21 -0500

On 02/14/2014 01:59 AM, Andrew Deason wrote:
> On Thu, 13 Feb 2014 19:59:28 -0800
> fork <forkandwait@gmail.com> wrote:
>> I hate to ask a question like this, but ... is there a guide to the
>> most minimal OpenAFS install possible, for a learning exercise?
> Pretty much any setup guide you find will be for a small setup, since
> that's how cells are normally created (you create a small "toy" setup,
> and then grow it). They can look complicated, but that's because they
> are trying to cover a lot of different scenarios; the most simple and
> "best" guides will be for a very specific environment, but of course
> they are most helpful for that specific environment. I'm not aware of
> any FreeBSD-targeted guides, unless there's something in the FreeBSD
> port itself; you'd have to follow a guide for setting up a Linux server
> and try to ignore/translate the Linuxisms.
> And that's just for the server. Setting up the Windows client and an OS
> X client would be covered in a separate guide. Setting up clients is
> generally easier, though, and you may not need a guide for that.
>> I would like to install a server on my FreeBSD box and share the files
>> to the household Windows and Mac OSX computer (one each).  I figure I
>> would install Kerberos and OpenAFS, but I am hoping to avoid BIND if I
>> can.  I thought I would install the Kerberos key server on the same
>> machine as OpenAFS, since it is a toy system anyway.
> You don't need a DNS server (BIND), but you do need to pick a name for
> the "AFS cell", and some people will recommend that having a real DNS
> server can make things easier. The cell name is usually a DNS FQDN, but
> it doesn't actually need to be related to anything in DNS, so you can
> make something up if you want to. All guides I am aware of will require
> a Kerberos KDC; in my opinion, a truly "minimal" setup would not require
> one, but I don't think any guides let you skip that.
> Anyway, there are many guides, of varying styles and quality. I don't
> think I've read an entire setup guide in a very long time, so I can't
> provide a meaningful recommendation, but newer ones are usually better.
> Here are a few Linux server guides if you'd like to decide for yourself,
> if you like how one of these looks or something (or wait for someone
> else on the list to recommend something):
> <https://openafs.dk/doku.php?id=server:start>
> <http://techpubs.spinlocksolutions.com/dklar/afs.html>
> <http://www.ibm.com/developerworks/opensource/library/os-openafs-kerberos5/index.html>
> <http://wiki.openafs.org/FedoraAFSInstall/>
> The official documentation starting here:
> <http://docs.openafs.org/QuickStartUnix/HDRWQ50.html>
> This guide: <https://wiki.gentoo.org/wiki/OpenAFS> is usually
> recommended against, since it describes a setup with an older, insecure
> security mechanism (kaserver). But if you don't care about that for a
> "toy" setup, then maybe it's okay.
> A few bits of information and advice as you're looking at guides:
>   - Even though I linked several, only follow one for actually following
>     procedures. There are a few different ways to do some of the setup
>     steps, and mixing and matching will sometimes not work.
>   - Some guides will tell you that afs stuff goes in paths that may look
>     strange to you, like /usr/afs/bin, /usr/afs/etc, /usr/vice/etc, and
>     so on. Some guides will put stuff in more normal paths, like
>     /usr/bin, /etc, and so on. The weird /usr/afs-y paths are referred to
>     as "transarc paths", and the more normal ones just usually are
>     referred to as "non-transarc paths". It doesn't really matter which
>     one you use, but if you're compiling the code yourself, the configure
>     switch --enable-transarc-paths turns on the "transarc paths".
>   - Most guides will tell you to set up Kerberos 5 using the commands
>     'asetkey' and a file called the KeyFile. Some people may tell you to
>     use a more modern mechanism using a file called 'rxkad.keytab'
>     instead. If you don't care much about security, it doesn't matter
>     which way you do, and all guides I am aware of currently use the
>     asetkey/KeyFile route (the rxkad.keytab thing is rather new).
>   - As soon as something doesn't work and you're confused and can't
>     figure out what's going on, stop and ask for help. Sometimes people
>     keep messing around with the setup trying to make things work, and it
>     can make it much harder to figure out what they did afterwards :)
>     Places to find help are listed here: <http://openafs.org/support.html>.
> The information in this email should probably be in one of those guides,
> but I don't think any guide contains everything I said. Anyone who feels
> motivated, feel free to correct that :)

The setup guide is best. I like to use the Fedora AFS install wiki page as a
distilled quickstart: