Re: [OpenAFS] getting (re)started on debian

2013-05-25 Thread Dave Cottlehuber
On 25 May 2013 09:51, Dirk Heinrichs  wrote:
> Am Freitag 24 Mai 2013, 22:50:17 schrieb Dave Cottlehuber:
>
>> The formal docs look good but I'm thinking of
>> something that cover debian startup scripts and setting up pam stuff
>> etc.
>
> This will all be set up automatically on Debian. To (re-)configure PAM one
> usually uses pam-auth-update on Debian. For service management I install sysv-
> rc-conf (systemd is also quite usable on Debian).
>
> Todo (by yourself):
>
> * Create afs principal in Kerberos and setup AFS key file (asetkey).
> * In /etc/openafs, adapt
>
> afs.conf.client
> cacheinfo
> server/UserList
>   to your needs
> * Create and mount /var/cache/openafs (on clients)
> * Create and mount /vicepXX (on servers)
> * Setup AFS db-/fileserver processes (on servers)
>
> Don't know how long you didn't use OpenAFS, so you may not be aware of the new
> DAFS (Demand Attach) file servers introduced with 1.6. I'd recommend using
> these instead of the old file server (the docs will tell you how to set them
> up).
>
> Did I forget something?
>
> HTH...
>
> Dirk

Many thanks everybody!

DAFS sounds pretty cool, I'll read up. I still have my old afs / krb
notes from last time, so with the tips above I should be up & running
in no time.

A+
Dave
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] getting (re)started on debian

2013-05-25 Thread Dirk Heinrichs
Am Freitag 24 Mai 2013, 22:50:17 schrieb Dave Cottlehuber:

> The formal docs look good but I'm thinking of
> something that cover debian startup scripts and setting up pam stuff
> etc.

This will all be set up automatically on Debian. To (re-)configure PAM one 
usually uses pam-auth-update on Debian. For service management I install sysv-
rc-conf (systemd is also quite usable on Debian).

Todo (by yourself):

* Create afs principal in Kerberos and setup AFS key file (asetkey).
* In /etc/openafs, adapt

afs.conf.client
cacheinfo
server/UserList
  to your needs
* Create and mount /var/cache/openafs (on clients)
* Create and mount /vicepXX (on servers)
* Setup AFS db-/fileserver processes (on servers)

Don't know how long you didn't use OpenAFS, so you may not be aware of the new 
DAFS (Demand Attach) file servers introduced with 1.6. I'd recommend using 
these instead of the old file server (the docs will tell you how to set them 
up).

Did I forget something?

HTH...

Dirk 
-- 
Dirk Heinrichs 
Tel: +49 (0)2471 209385 | Mobil: +49 (0)176 34473913
GPG Public Key C2E467BB | Jabber: dirk.heinri...@altum.de


signature.asc
Description: This is a digitally signed message part.


Re: [OpenAFS] getting (re)started on debian

2013-05-24 Thread Dirk Heinrichs
Am Freitag 24 Mai 2013, 16:56:07 schrieb Benjamin Kaduk:

> I'm not sure what pam configuration you want, so I can't say more about 
> that.

There are two PAM modules needed in OpenAFS/KRB5 context: pam_krb5 (to get 
tickets) and pam_afs_session (to get AFS tokens). Both are automatically 
configured correctly during installation thanks to Debians pam-auth-update.

Speaking of that, Debian is the easiest platform to setup OpenAFS/KerberosV on 
due to a) its great install time configuration dialogs and b) its automatic 
kernel module management (DKMS).

Bye...

Dirk
-- 
Dirk Heinrichs 
Tel: +49 (0)2471 209385 | Mobil: +49 (0)176 34473913
GPG Public Key C2E467BB | Jabber: dirk.heinri...@altum.de


signature.asc
Description: This is a digitally signed message part.


Re: [OpenAFS] getting (re)started on debian

2013-05-24 Thread Russ Allbery
Benjamin Kaduk  writes:

> As far as a KDC goes, Debian's default is the MIT code (disclosure: my
> employer).  I expect you'd need to be doing something reasonably unusual
> for there to be a reason to pick one of Heimdal and MIT over the other,
> other than personal preference.

I would say that Debian doesn't have a default KDC, in the sense that
nothing is going to make assumptions about or install a particular KDC.
Both the MIT Kerberos KDC and the Heimdal KDC are present and usable, and
Debian doesn't particularly care or recommend which one you use.  However,
the OpenAFS documentation has an example of a complete setup from scratch
including setting up an MIT Kerberos KDC, and doesn't have a corresponding
piece of documentation for Heimdal.

MIT Kerberos is indeed Debian's default *client library*, and all software
in Debian that uses Kerberos is built against the MIT Kerberos client
libraries by default.

For most purposes, the MIT Kerberos and Heimdal KDCs are both fine and
would both work without any issues.  However, I will note that the
incremental propagation implementation in Heimdal (for synchronizing
multiple KDCs) is still significantly less buggy the MIT Kerberos
implementation, although the latter has made great strides in the past two
years.

(Stanford used to use MIT Kerberos for our KDC implementation and switched
to Heimdal some years back.  Some, but not all, of the reasons for that
switch at the time have since been remedied in MIT Kerberos.  Most of the
remaining reasons are fairly obscure and are related to our desire to
customize the KDC code rather than run a stock KDC.)

-- 
Russ Allbery (r...@stanford.edu) 
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] getting (re)started on debian

2013-05-24 Thread Benjamin Kaduk

On Fri, 24 May 2013, Dave Cottlehuber wrote:


I'm now on debian wheezy, with assorted macs and windows boxes about,
and wondered if there are any good guides to getting started both with
openafs & especially with heimdal again - I assume it's still the
preferred krb server? Stuff I've found so far is 2006 or earlier,
likely out of date. The formal docs look good but I'm thinking of
something that cover debian startup scripts and setting up pam stuff
etc.


The debian packages come with scripts to help automate setting up a cell 
-- /usr/sbin/afs-newcell and /usr/sbin/afs-rootvol from openafs-dbserver.


As far as a KDC goes, Debian's default is the MIT code (disclosure: my 
employer).  I expect you'd need to be doing something reasonably unusual 
for there to be a reason to pick one of Heimdal and MIT over the other, 
other than personal preference.


I'm not sure what pam configuration you want, so I can't say more about 
that.


-Ben Kaduk
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


[OpenAFS] getting (re)started on debian

2013-05-24 Thread Dave Cottlehuber
Hi folks,

I was a long time openafs user (and afs before it was open), and it's
time to set up my own cell again.

I'm now on debian wheezy, with assorted macs and windows boxes about,
and wondered if there are any good guides to getting started both with
openafs & especially with heimdal again - I assume it's still the
preferred krb server? Stuff I've found so far is 2006 or earlier,
likely out of date. The formal docs look good but I'm thinking of
something that cover debian startup scripts and setting up pam stuff
etc.

Many thanks,
Dave
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info