[OpenAFS-port-darwin] disktool -r in OpenAFS StartupItems script
Steve Lidie
sol0@Lehigh.EDU
Tue, 22 Apr 2003 19:04:26 -0400
On Tuesday, April 22, 2003, at 05:44 PM, John C. Welch wrote:
> On 04/22/2003 17:37, "Jonathan Z. Simon" <jzsimon@eng.umd.edu> wrote:
>
>> Following Alexei Kosut's suggestion (appending disktool -r to the
>> OpenAFS StartupItems script) has made my world a better place.
>
> Just as a follow up for some folks who were asking, and because Alexei's
> most excellent work made it possible, I have a PDF at:
>
> <http://web.mit.edu/jwelch/www/AFS_homedirs_and_Mac_OS_X.pdf>
>
> Which is the procedure we've tested at MIT for using AFS home directories as
> OS X Home directories. It works pretty well for us, and although it's pretty
> MIT-centric, it should (hopefully) help others along the path.
>
> I'm working on OS X Server docs that do a bit more, but that's going to take
> longer.
>
> On a side note, most of the Mac OS X folks at MIT would like to thank Alexei
> for his aklog plugin, as without it, we wouldn't have been able to do
> anything with AFS home directories, and Alexei, if you're ever in Boston,
> let us know, we'll make sure you get at least a couple free beers.
>
Ditto on the thanks to Alexei. As well, many thanks to Ragnar Sundblad
for his Kerberos plugin - they've both spent many hours helping me
debug my Kerberos ticket -> AFS token problem. John, thanks for your
summary.

I, too, have created a PowerMac OS X 10.2.5 image that uses Kerberos
authentication and AFS home directories. I've taken a slightly
different tack and used Directory Services tied to our LDAP (v2) server
so that a user's home directory is automatically mapped to AFS-land -
no local account required. That parallels how we've dealt with previous
AIX and IRIX operating systems, where NIS specifies home directories in
AFS space. So, at Lehigh, every Unix-based machine does krb
authentication and uses a consistent home directory.

Does it work very, very well? No ); Does it work well? Yes! The
biggest problem here at Lehigh is that we use kaserver for
authentication, and so far neither of the krb plugins can get me an AFS
token. That's a big problem during login, since Mac OS X wants to
read/write ~/Library. My current kludge is a Perl/Tk program that runs
as a LoginHook to re-authenticate (e.g. does a klog). Until a token is
acquired, login proceeds very slowly (i.e. ~= 60 seconds). If a token
already exists from a prior login, login happens as fast as a login
using a local account.

I wasn't aware that anyone else was using AFS as a home directory, so
I'd like to hear all war stories. I can say that IE's default cache
size of 10 MB can cause login to fail if you only have a 10 MB quota.
I can verify that you'd better have indexed your LDAP data or logins
will do a sequential lookup of uidNumber/gidNumber/NFSHomeDirectory, and
delay login for a long time (;

Comments welcomed, thanks,

Steve