ARCHIVED - Setup CRC AFS Cell Access for Mac


This Page Has Been Retired:
The CRC no longer supports AFS desktop clients. For file transfer to the desktop, we recommend FTP clients or Globus Online.




This content was provided by Dr. Patrick Flynn 'without warranty'. CRC staff will facilitate revisions of this documentation as additional campus researchers using Macs contribute their experiences.

The following steps will set up the CRC AFS Cell as your default login directory on Macs.

NOTE: Currently there seems to be no way to get tokens-at-login for both CRC.ND.EDU AFS and ND.EDU AFS.


  1. Using Directory Services, set up LDAP to point to ldap.nd.edu. Using LDAP gives you correct UIDs, which is important to AFS. Using the AD server in place of LDAP may work but would require a Mac OS X server and the "augmented records" two-step, which is one of the most poorly documented parts of OS X Server.
  2. Unfortunately, the default LDAP entries for accounts assume ND AFS home directories (not CRC AFS) and have a default loginShell attribute value that will cause logins to fail. The "proper" solution is to ask the LDAP people to change the account attributes... at which point the user will be unable to log in to a machine that uses the ND.EDU AFS cell.
    A usable workaround for these LDAP problems, which doesn't require modifying the LDAP directory entries, employs two static mappings that override the values obtained from the LDAP server. THE SECOND MAPPING WILL REQUIRE MODIFICATION to work for you:
    • Change the loginShell attribute to /usr/bin/tcsh;
    • Change the homeDirectory attribute to /afs/crc.nd.edu/user/FIRST-LETTER-OF-USERNAME/$uid$


  3. Install and configure [OpenAFS] for Mac.

  4. Use Kerberos.app or vi to set up access to the CRC cell. The [edu.mit.Kerberos] that works for me (with 30-day tickets at login) goes in
    /Library/Preferences/edu.mit.Kerberos
  5. Tweak /etc/authorization to get tickets-at-login by modifying the rights entry for login. The /etc/authorization I use is [here].
    • NOTE: You will most likely need to run a diff -c against the default /etc/authorization file to see the changes.


  6. Now, one should be able to log in to the machine. It is a good idea to wait for LDAP binding to complete after booting (click on the hostname until you see the red dot, and then wait for it to turn into a green dot) before you log in.

  7. Unfortunately, these changes do not allow one to ssh in to the machine. Some additional PAM-fu is needed to get ssh working with tokens. But if your files are on the CRC.ND.EDU AFS server, this may not be a problem for you. I am not sure whether screen sharing works or not.


Simplified Instructions that have worked for many users

Installing and configuring Kerberos and OpenAFS for the Mac

NOTE: you will need to be logged in as root (su -) for many of these steps


  1. Install the latest OpenAFS for Mac from openafs.org [OpenAFS for Mac]
  2. Edit /var/db/openafs/etc/ThisCell to read nd.edu instead of the default.
  3. Install the edu.mit.Kerberos file in /Library/Preferences. The file is here: [edu.mit.Kerberos]
  4. Reboot so that AFS gets restarted with the new settings.
  5. Run two commands to authenticate before browsing to AFS directories (both commands are CASE sensitive). First:
    kinit -l 30d netid@ND.EDU     ! replace netid with your actual netid
  6. You will be prompted for your password and will receive a KRB5 ticket. Run "klist" to see it. Then:
    aklog -d -c nd.edu -k ND.EDU     ! this is password-less; it turns your KRB5 ticket into an AFS token and returns a new command prompt
  7. Run "tokens" at the command prompt to see your tokens.


NOTE: In the steps above, you can replace nd.edu and ND.EDU with crc.nd.edu and CRC.ND.EDU to use the new cell as your primary.

It's also possible that you have an old CellServDB file, which is included, and should go in

/var/db/openafs/etc/
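
A post-setup check for the simplified procedure above, as an added example that is not part of the original instructions. The function names are hypothetical, and the parser assumes that "tokens" prints one line per token containing "tokens for afs@CELL" or "tokens for CELL", followed by "[Expires ...]" while the token is still valid.

```shell
#!/bin/sh
# Added example (not from the original page): verify that ThisCell and the
# AFS token agree with the cell you meant to configure.

# The page pairs a lowercase cell (nd.edu) with an uppercase realm (ND.EDU).
realm_for_cell() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# this_cell_matches FILE CELL: succeeds if the first line of FILE is CELL.
this_cell_matches() {
    [ -r "$1" ] || return 2
    actual=$(head -n 1 "$1" | tr -d '[:space:]')
    [ "$actual" = "$2" ]
}

# has_afs_token CELL: reads "tokens" output on stdin and succeeds only if an
# unexpired token for exactly CELL is listed. Assumed line format: see lead-in.
has_afs_token() {
    awk -v cell="$1" '
        index($0, "tokens for") && index($0, "[Expires") &&
        (index($0, " afs@" cell " ") || index($0, "tokens for " cell " ")) {
            found = 1
        }
        END { exit !found }'
}

# check_setup CELL: run both checks against the live system.
check_setup() {
    cell=$1
    realm=$(realm_for_cell "$cell")
    if ! this_cell_matches /var/db/openafs/etc/ThisCell "$cell"; then
        echo "ThisCell does not read $cell" >&2
        return 1
    fi
    if ! tokens | has_afs_token "$cell"; then
        echo "no unexpired AFS token for $cell" >&2
        echo "run: kinit -l 30d netid@$realm ; aklog -d -c $cell -k $realm" >&2
        return 1
    fi
    echo "ok: ThisCell and AFS token both match $cell"
}

# Usage on a configured Mac:  check_setup nd.edu   (or: check_setup crc.nd.edu)
```
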