Re: [OpenAFS] getting (re)started on debian
On Friday, 24 May 2013, 16:56:07, Benjamin Kaduk wrote:

> I'm not sure what pam configuration you want, so I can't say more about that.

There are two PAM modules needed in OpenAFS/KRB5 context: pam_krb5 (to get tickets) and pam_afs_session (to get AFS tokens). Both are automatically configured correctly during installation thanks to Debian's pam-auth-update.

Speaking of that, Debian is the easiest platform to set up OpenAFS/KerberosV on due to a) its great install time configuration dialogs and b) its automatic kernel module management (DKMS).

Bye...

Dirk

-- 
Dirk Heinrichs
Re: [OpenAFS] getting (re)started on debian
On Friday, 24 May 2013, 22:50:17, Dave Cottlehuber wrote:

> The formal docs look good but I'm thinking of something that covers debian startup scripts and setting up pam stuff etc.

This will all be set up automatically on Debian. To (re-)configure PAM one usually uses pam-auth-update on Debian. For service management I install sysv-rc-conf (systemd is also quite usable on Debian).

Todo (by yourself):

* Create afs principal in Kerberos and set up AFS key file (asetkey).
* In /etc/openafs, adapt afs.conf.client cacheinfo server/UserList to your needs
* Create and mount /var/cache/openafs (on clients)
* Create and mount /vicepXX (on servers)
* Set up AFS db-/fileserver processes (on servers)

Don't know how long you didn't use OpenAFS, so you may not be aware of the new DAFS (Demand Attach) file servers introduced with 1.6. I'd recommend using these instead of the old file server (the docs will tell you how to set them up).

Did I forget something?

HTH...

Dirk

-- 
Dirk Heinrichs
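A pre-flight check for the manual steps in the list above, as an added example that is not part of the original thread or of the OpenAFS packages. It assumes the Debian paths named in the message, plus `/etc/openafs/server/KeyFile` as the file asetkey writes and a three-field `cacheinfo` (mount point:cache directory:size in 1K blocks); the function names and the ROOT staging-tree argument are made up here.

```shell
#!/bin/sh
# Added example (not from the thread): checks the manual steps from the list.
# Assumptions: /etc/openafs/server/KeyFile is where asetkey stores the key;
# cacheinfo has three colon-separated fields (mount point:cache dir:1K blocks).

# Print the cache directory named in a cacheinfo file; fail if malformed.
cache_dir_from_cacheinfo() {
    awk -F: 'NF == 3 && $3 ~ /^[0-9]+$/ { print $2; ok = 1; exit }
             END { exit !ok }' "$1" 2>/dev/null
}

# check_afs_layout ROOT ROLE   (ROLE: client | server; ROOT "" = live system)
# Prints one line per problem; the return status is the number of problems.
check_afs_layout() {
    root=$1 role=$2 problems=0
    etc="$root/etc/openafs"
    miss() { echo "MISSING: $1"; problems=$((problems + 1)); }

    if [ "$role" = client ]; then
        [ -s "$etc/afs.conf.client" ] || miss "$etc/afs.conf.client"
        if dir=$(cache_dir_from_cacheinfo "$etc/cacheinfo"); then
            [ -d "$root$dir" ] || miss "cache directory $root$dir"
        else
            miss "well-formed $etc/cacheinfo"
        fi
    else
        [ -s "$etc/server/UserList" ] || miss "$etc/server/UserList"
        key="$etc/server/KeyFile"
        if [ -s "$key" ]; then
            # The key file holds the cell's secret: owner-only access.
            case $(ls -ld "$key") in
                -???------*) ;;
                *) miss "owner-only permissions on $key" ;;
            esac
        else
            miss "$key"
        fi
        set -- "$root"/vicep*          # an unmatched glob stays literal
        [ -d "$1" ] || miss "a $root/vicepXX partition directory"
    fi
    return "$problems"
}
```

Calling `check_afs_layout "" server` inspects the live system; the check only confirms that the cache and partition directories exist, not that a filesystem is mounted on them.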
Re: [OpenAFS] getting (re)started on debian
On 25 May 2013 09:51, Dirk Heinrichs dirk.heinri...@altum.de wrote:

> On Friday, 24 May 2013, 22:50:17, Dave Cottlehuber wrote:
>
>> The formal docs look good but I'm thinking of something that covers debian startup scripts and setting up pam stuff etc.
>
> This will all be set up automatically on Debian. To (re-)configure PAM one usually uses pam-auth-update on Debian. For service management I install sysv-rc-conf (systemd is also quite usable on Debian).
>
> Todo (by yourself):
>
> * Create afs principal in Kerberos and set up AFS key file (asetkey).
> * In /etc/openafs, adapt afs.conf.client cacheinfo server/UserList to your needs
> * Create and mount /var/cache/openafs (on clients)
> * Create and mount /vicepXX (on servers)
> * Set up AFS db-/fileserver processes (on servers)
>
> Don't know how long you didn't use OpenAFS, so you may not be aware of the new DAFS (Demand Attach) file servers introduced with 1.6. I'd recommend using these instead of the old file server (the docs will tell you how to set them up).
>
> Did I forget something?
>
> HTH...
>
> Dirk

Many thanks everybody! DAFS sounds pretty cool, I'll read up. I still have my old afs / krb notes from last time, so with the tips above I should be up and running in no time.

A+
Dave

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
[OpenAFS] getting (re)started on debian
Hi folks,

I was a long time openafs user (and afs before it was open), and it's time to set up my own cell again.

I'm now on debian wheezy, with assorted macs and windows boxes about, and wondered if there are any good guides to getting started both with openafs especially with heimdal again - I assume it's still the preferred krb server?

Stuff I've found so far is 2006 or earlier, likely out of date. The formal docs look good but I'm thinking of something that covers debian startup scripts and setting up pam stuff etc.

Many thanks,
Dave
Re: [OpenAFS] getting (re)started on debian
On Fri, 24 May 2013, Dave Cottlehuber wrote:

> I'm now on debian wheezy, with assorted macs and windows boxes about, and wondered if there are any good guides to getting started both with openafs especially with heimdal again - I assume it's still the preferred krb server?
>
> Stuff I've found so far is 2006 or earlier, likely out of date. The formal docs look good but I'm thinking of something that covers debian startup scripts and setting up pam stuff etc.

The debian packages come with scripts to help automate setting up a cell -- /usr/sbin/afs-newcell and /usr/sbin/afs-rootvol from openafs-dbserver.

As far as a KDC goes, Debian's default is the MIT code (disclosure: my employer). I expect you'd need to be doing something reasonably unusual for there to be a reason to pick one of Heimdal and MIT over the other, other than personal preference.

I'm not sure what pam configuration you want, so I can't say more about that.

-Ben Kaduk
Re: [OpenAFS] getting (re)started on debian
Benjamin Kaduk ka...@mit.edu writes:

> As far as a KDC goes, Debian's default is the MIT code (disclosure: my employer). I expect you'd need to be doing something reasonably unusual for there to be a reason to pick one of Heimdal and MIT over the other, other than personal preference.

I would say that Debian doesn't have a default KDC, in the sense that nothing is going to make assumptions about or install a particular KDC. Both the MIT Kerberos KDC and the Heimdal KDC are present and usable, and Debian doesn't particularly care or recommend which one you use. However, the OpenAFS documentation has an example of a complete setup from scratch including setting up an MIT Kerberos KDC, and doesn't have a corresponding piece of documentation for Heimdal.

MIT Kerberos is indeed Debian's default *client library*, and all software in Debian that uses Kerberos is built against the MIT Kerberos client libraries by default.

For most purposes, the MIT Kerberos and Heimdal KDCs are both fine and would both work without any issues. However, I will note that the incremental propagation implementation in Heimdal (for synchronizing multiple KDCs) is still significantly less buggy than the MIT Kerberos implementation, although the latter has made great strides in the past two years.

(Stanford used to use MIT Kerberos for our KDC implementation and switched to Heimdal some years back. Some, but not all, of the reasons for that switch at the time have since been remedied in MIT Kerberos. Most of the remaining reasons are fairly obscure and are related to our desire to customize the KDC code rather than run a stock KDC.)

-- 
Russ Allbery (r...@stanford.edu) http://www.eyrie.org/~eagle/