[OpenAFS-port-darwin] disktool -r in OpenAFS StartupItems script

Steve Lidie sol0@Lehigh.EDU
Tue, 22 Apr 2003 19:04:26 -0400


On Tuesday, April 22, 2003, at 05:44 PM, John C. Welch wrote:

> On 04/22/2003 17:37, "Jonathan Z. Simon" <jzsimon@eng.umd.edu> wrote:
>
>> Following Alexei Kosut's suggestion (appending disktool -r to the
>> OpenAFS StartupItems script) has made my world a better place.
>
> Just as a follow up for some folks who were asking, and because Alexei's
> most excellent work made it possible, I have a PDF at:
>
> <http://web.mit.edu/jwelch/www/AFS_homedirs_and_Mac_OS_X.pdf>
>
> Which is the procedure we've tested at MIT for using AFS home directories as
> OS X Home directories. It works pretty well for us, and although it's pretty
> MIT - Centric, it should (hopefully) help others along the path.
>
> I'm working on OS X Server docs that do a bit more, but that's going to take
> longer.
>
> On a side note, most of the Mac OS X folks at MIT would like to thank Alexei
> for his aklog plugin, as without it, we wouldn't have been able to do
> anything with AFS home directories, and Alexei, if you're ever in Boston,
> let us know, we'll make sure you get at least a couple free beers.
>

Ditto on the thanks to Alexei.  As well, many thanks to Ragnar Sundblad 
for his Kerberos plugin - they've both spent many hours helping me 
debug my Kerberos ticket -> AFS token problem.  John, thanks for your 
summary.

I, too, have created a PowerMac OS X 10.2.5 image that uses Kerberos 
authentication and AFS home directories.  I've taken a slightly 
different tack and used Directory Services tied to our LDAP (v2) server 
so that a user's home directory is automatically mapped to AFS-land - 
no local account required. That parallels how we've dealt with previous 
AIX and IRIX operating systems, where NIS specifies home directories in 
AFS space. So, at Lehigh, every Unix-based machine does krb 
authentication and uses a consistent home directory.

Does it work very, very well?  No );  Does it work well?  Yes!  The 
biggest problem here at Lehigh is that we use kaserver for  
authentication, and so far neither of the krb plugins can get me an AFS 
token.  That's a big problem during login, since Mac OS X wants to 
read/write ~/Library.  My current kludge is a Perl/Tk program that runs 
as a LoginHook to re-authenticate (e.g. does a klog).  Until a token is 
acquired, login proceeds very slowly (i.e. ~= 60 seconds).  If a token 
already exists from a prior login, login happens as fast as a login 
using a local account.

I wasn't aware that anyone else was using AFS as a home directory, so 
I'd like to hear all war stories.  I can say that IE's default cache 
size of 10 MB can cause login to fail if you only have a 10 MB quota.  
I can verify that you'd better have indexed your LDAP data or logins 
will do a sequential lookup of uidNumber/gidNumber/NFSHomeDirectory, and 
delay login for a long time (;

Comments welcomed, thanks,

Steve