Automatic CRC/ND AFS cell setup


Update 01-06-2014:
The CRC now requires version 1.6.5 or greater for OpenAFS. The following instructions have not been thoroughly tested and may or may not still be applicable. If you have any problems, please contact CRCSupport@nd.edu.




Automatic CRC/ND AFS cell setup for Linux

A package for RHEL4 and RHEL5 has been developed to automate the client setup of the CRC or ND cell as the primary cell - you can then access the other cell interactively.

This procedure is highly recommended unless you know and understand what you're doing ;-)

This tar package contains the following source rpms (the ones rebuilt in step 2 of the script description below):

    pam-afs-session-1.7-0.src.rpm
    pam-krb5-3.13-0.src.rpm
    openafs-1.4.10-1.1.1.src.rpm


How to use the package

The package can be downloaded from the CRC wiki AFS-1.4.10-1.1.1_install.tgz.

The installation must be run with root privileges. It takes approximately 10 minutes, depending on the client hardware.

# tar xzvf AFS-1.4.10-1.1.1_install.tgz
# ./install_afs

or, if AFS is already running on the machine and you only need to compile a new version or a new kernel module:

# ./compile_afs

The script then asks you to choose which AFS cell/Kerberos realm to set up: nd.edu or crc.nd.edu.

How to access ND cell if the primary cell is CRC

  1. if you are correctly authenticated to the CRC realm and hold a valid token for the CRC cell, klist and tokens should show something like this:
    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: jducom@CRC.ND.EDU
    
    Valid starting     Expires            Service principal
    05/13/08 10:50:04  06/12/08 10:50:04  krbtgt/CRC.ND.EDU@CRC.ND.EDU
            renew until 06/12/08 10:50:04
    
    
    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached
    
    # tokens
    
    Tokens held by the Cache Manager:
    
    User's (AFS ID 82784) tokens for afs@crc.nd.edu [Expires Jun 12 10:50]
       --End of list--
    
  2. obtain a Kerberos ticket for the ND cell (by default kinit requests a 24-hour ticket; the option -l 30d requests a ticket with a lifetime of up to 30 days, if the policy for the user principal allows it)
    # kinit -l 30d jducom@ND.EDU
    Password for jducom@ND.EDU:
    

    To check that you have a valid ticket for the ND realm:

    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: jducom@ND.EDU
    
    Valid starting     Expires            Service principal
    05/13/08 10:51:22  06/12/08 10:51:16  krbtgt/ND.EDU@ND.EDU
            renew until 05/20/08 10:51:22
    
    
    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached
    
  3. obtain a token for ND cell
    # aklog -d -c nd.edu -k ND.EDU
    Authenticating to cell nd.edu (server john.helios.nd.edu).
    We were told to authenticate to realm ND.EDU.
    Getting tickets: afs/nd.edu@ND.EDU
    Getting tickets: afs/nd.edu@ND.EDU
    Getting tickets: afs@ND.EDU
    Using Kerberos V5 ticket natively
    About to resolve name jducom to id in cell nd.edu.
    Id 82784
    Set username to AFS ID 82784
    Setting tokens. AFS ID 82784 /  @ ND.EDU 
    
  4. check that you have valid tokens for both cells:
    # tokens
    
    Tokens held by the Cache Manager:
    
    User's (AFS ID 82784) tokens for afs@nd.edu [Expires Jun 12 10:51]
    User's (AFS ID 82784) tokens for afs@crc.nd.edu [Expires Jun 12 10:50]
       --End of list--
    
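The check in step 4 can be scripted: the function below parses the output of tokens (format as shown above) and reports whether a token is held for each expected cell. This is an added example, not part of the CRC page or its install script; the sample tokens output is constructed from the listing above.

```shell
#!/bin/sh
# Added example: verify that the Cache Manager holds a token for every cell
# the procedure expects. Assumes the `tokens` output format shown on the page.

# Constructed sample, copied from the tokens listing after step 4.
SAMPLE_TOKENS=$(cat <<'EOF'
Tokens held by the Cache Manager:

User's (AFS ID 82784) tokens for afs@nd.edu [Expires Jun 12 10:51]
User's (AFS ID 82784) tokens for afs@crc.nd.edu [Expires Jun 12 10:50]
   --End of list--
EOF
)

# token_for_cell OUTPUT CELL: print the expiry of the token for CELL,
# return 1 if no token for that cell is held.
token_for_cell() {
    printf '%s\n' "$1" | awk -v cell="$2" '
        /tokens for afs@/ {
            split($0, a, "afs@"); split(a[2], b, " ")
            if (b[1] == cell) {
                sub(/.*\[Expires /, ""); sub(/\].*/, "")
                print; found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# check_cells OUTPUT CELL...: 0 when every cell has a token, otherwise the
# number of cells without one (each missing cell is reported on stderr).
check_cells() {
    out=$1; shift
    missing=0
    for cell in "$@"; do
        if expiry=$(token_for_cell "$out" "$cell"); then
            echo "ok: token for $cell (expires $expiry)"
        else
            echo "MISSING: no token for $cell (kinit for its realm, then aklog -c $cell)" >&2
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Real use on a client: check_cells "$(tokens)" crc.nd.edu nd.edu
```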

What does the script do (or how to do it manually)

In more detail, the bash script performs the following operations:

  1. removes previous AFS setup and AFS packages
    # rm /opt/und /usr/local/Startup
    # rpm -qa |grep pam-afs-session | xargs rpm -e 
    # rpm -qa |grep pam-krb5 | xargs rpm -e 
    # rpm -qa |grep openafs | xargs rpm -e 
    # rpm -qa |grep pam_krb5 | xargs rpm -e --allmatches
    
  2. compiles source RPMs
    # rpmbuild --rebuild pam-afs-session-1.7-0.src.rpm
    # rpmbuild --rebuild pam-krb5-3.13-0.src.rpm
    # rpmbuild --rebuild openafs-1.4.10-1.1.1.src.rpm --define "fedorakmod 0" --define "build_modules 1"   (for RHEL4)
    # rpmbuild --rebuild openafs-1.4.10-1.1.1.src.rpm                                                      (for RHEL5)
    
  3. installs compiled RPMs
    # cd /usr/src/redhat/RPMS/`uname -m`
    # rpm -ivh --force openafs-1.4.10-1.1.1* openafs-client* openafs-krb5* openafs-docs* openafs-kernel-*   (for RHEL4)
    # rpm -ivh --force openafs-1.4.10-1.1.1* openafs-client* openafs-krb5* openafs-docs* kmod-openafs*      (for RHEL5)
    
  4. configures the selected cell (CRC in the example)
    Home cell set to crc.nd.edu in /usr/vice/etc/ThisCell.
    # sed -i '1s/.*/crc.nd.edu/' /usr/vice/etc/ThisCell
    
    Chunksize set to 19
    # sed -i '2s/.*/AFSD_ARGS="-nosettime -chunksize 19 -fakestat"/' /etc/sysconfig/openafs  
    
    The AFS cache set to 3 GB in /usr/vice/etc/cacheinfo
    # sed -i '1s/.*/\/afs:\/usr\/vice\/cache:3000000/' /usr/vice/etc/cacheinfo 
    
    Add group 1313 if it has not already been added:
    # echo "campus:x:1313:" >> /etc/group
    
    Add links
    # ln -s /afs/crc.nd.edu/`/usr/bin/sys`/opt/und /opt/und
    # ln -s /afs/crc.nd.edu/`/usr/bin/sys`/usr/local/Startup /usr/local/Startup
    # ln -s /usr/lib/libtcl8.4.so /usr/lib/libtcl8.3.so
    
  5. creates an /etc/krb5.conf that works for both the CRC and ND realms (a pre-existing krb5.conf is renamed /etc/krb5.conf.preopenafs)
    #Krb5.conf v1.0
    [appdefaults]
            debug = false
            forward = true
            forwardable = true
            ticket_lifetime = 30d
            renew_lifetime = 30d
    
    [libdefaults]
            forwardable = true
            dns_lookup_realm = false
            dns_lookup_kdc = true
            default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
            default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
            default_realm = CRC.ND.EDU
            ticket_lifetime = 30d
            renew_lifetime = 30d
    
    [realms]
            CRC.ND.EDU = {
                    admin_server = kerberos.crc.nd.edu:749
            }
    
            ND.EDU = {
                    kdc = kerberos.nd.edu:88
                    kdc = kerberos-1.nd.edu:88
                    kdc = kerberos-2.nd.edu:88
                    admin_server = kerberos.nd.edu:749
            }
    
    [domain_realm]
            .helios.nd.edu = ND.EDU
            .crc.nd.edu = CRC.ND.EDU
    
    
  6. modifies /etc/pam.d/system-auth (a previous system-auth is renamed /etc/pam.d/system-auth-afs-session).

    Depending on the previous configuration of the system (LDAP authentication used or not, etc.) and on the selected realm (CRC or ND), the final version of that file should look like this (for RHEL 4 and the CRC realm):

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
    auth        [success=ok default=1]    /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=1100
    auth        [default=done] /lib/security/$ISA/pam_afs_session.so program=/usr/bin/aklog
    auth        required      /lib/security/$ISA/pam_deny.so
    
    account     required      /lib/security/$ISA/pam_unix.so broken_shadow
    account     sufficient    /lib/security/$ISA/pam_localuser.so
    account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 1100 quiet
    account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5afs.so minimum_uid=1100
    account     required      /lib/security/$ISA/pam_permit.so
    
    password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 type=
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password    required      /lib/security/$ISA/pam_deny.so
    
    session     optional      /lib/security/$ISA/pam_krb5.so
    session     required     /lib/security/$ISA/pam_afs_session.so program=/usr/bin/aklog
    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so
    
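The step-4 edits above address files by line number (sed '1s/.*/…/' on ThisCell and cacheinfo, '2s/.*/…/' on /etc/sysconfig/openafs), so they overwrite whatever happens to be on that line, and the group line is appended every time the script runs. Below is an added example (not from the CRC install script) of the same edits keyed on content instead, so they can be re-run safely; ROOT is an assumed prefix that defaults to the real filesystem and can point at a scratch directory for testing.

```shell
#!/bin/sh
# Added example: idempotent version of the step-4 client configuration.
# ROOT is an assumption for testing; empty means the real / filesystem.
ROOT=${ROOT:-}

# set_kv FILE KEY VALUE: replace the KEY= line if present, else append it,
# leaving the other settings in the file untouched.
set_kv() {
    file=$1 key=$2 value=$3
    if grep -q "^$key=" "$file" 2>/dev/null; then
        sed -i "s|^$key=.*|$key=$value|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# add_group_once FILE NAME GID: append the group only if the name is absent;
# refuse if the GID is already taken by a different group.
add_group_once() {
    file=$1 name=$2 gid=$3
    if grep -q "^$name:" "$file" 2>/dev/null; then return 0; fi
    if grep -q "^[^:]*:[^:]*:$gid:" "$file" 2>/dev/null; then
        echo "gid $gid already used by another group in $file" >&2
        return 1
    fi
    printf '%s:x:%s:\n' "$name" "$gid" >> "$file"
}

# configure_cell CELL: ThisCell, cacheinfo (3 GB cache, as on the page),
# AFSD_ARGS with chunksize 19, and the campus group 1313.
configure_cell() {
    cell=$1
    mkdir -p "$ROOT/usr/vice/etc" "$ROOT/etc/sysconfig"
    printf '%s\n' "$cell" > "$ROOT/usr/vice/etc/ThisCell"
    printf '/afs:/usr/vice/cache:3000000\n' > "$ROOT/usr/vice/etc/cacheinfo"
    set_kv "$ROOT/etc/sysconfig/openafs" AFSD_ARGS '"-nosettime -chunksize 19 -fakestat"'
    add_group_once "$ROOT/etc/group" campus 1313
}

# Real use as root on the client: configure_cell crc.nd.edu
```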

If you have any problem with the script or any question, please send an email to crcsupport@nd.edu.