OpenAFS with MIT Kerberos
From Gentoo Linux Wiki
AFS is a distributed network filesystem that also allows for replication. Organizations such as Google and the Internet Archive have been known to use AFS (along with Linux) for its scalability.
From http://www.openafs.org:
AFS is a distributed filesystem product, pioneered at Carnegie Mellon University and supported and developed as a product by Transarc Corporation (now IBM Pittsburgh Labs). It offers a client-server architecture for file sharing, providing location independence, scalability, security, and transparent migration capabilities for data.
IBM branched the source of the AFS product, and made a copy of the source available for community development and maintenance. They called the release OpenAFS.
Kerberos offers a network authentication protocol for use in client/server network topologies. AFS originally implemented a version of Kerberos for its authentication purposes and was based on the Kerberos v4 protocol. However, since DES is no longer approved for Federal use, organizations are replacing AFS's authentication server (kaserver) with a Kerberos v5 authentication server.
Kerberos Installation
The first step is to install kerberos on the server and set up a KDC.
Since there can be more than one kerberos server working together, kerberos breaks servers into logical groups called realms. Kerberos realms are always uppercase, and by convention consist of your domain. You will need to select a name for your realm and add the following to the kerberos configuration file on your server:
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
admin_server = server.example.com
default_domain = example.com
kdc = server.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Replace "EXAMPLE.COM" above with your kerberos realm, "example.com" with your domain, and "server.example.com" with your server.
This same file will need to be copied to clients who need to access your kerberos server.
Primary KDC
Next, you'll need to create the Key Distribution Center (KDC) which is responsible for housing Kerberos principals, passwords and access control lists.
Now create a directory for storing the KDC files and databases:
Now you must create the /etc/kdc.conf file. This will contain the details for how your KDC will run.
Edit this file replacing the given realm with your own, and specifying the path you used above if it differs from /var/lib/krb5kdc. You can edit the other options if you know what you are doing or have some special need. The manpage has more information about the file:
In order to allow your database to be editable, you need to give principals access to it. This is done through the kadm5.acl file in the directory you created above. The most basic configuration allows all principals that have an instance name of admin (ends in /admin) access to everything:
*/admin@EXAMPLE.COM *
A more secure way that requires more maintenance is to list the principals that will have access:
joe/admin@EXAMPLE.COM *
See the kadmind man page for more detail if you need a more complex setup:
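As an added illustration (not part of the wiki), here is a small Python evaluator for the kadm5.acl matching rules described above, run against the two sample ACLs from this section. The helpdesk/admin entry is a constructed sample, and the privilege-letter semantics (lowercase grants, uppercase denies, "*" or "x" grants everything, first matching line wins) are taken from kadm5.acl(5) as I know it.

```python
"""Added example: evaluate kadm5.acl entries the way kadmind does (first matching line wins)."""

def _match(pattern, principal):
    """A '*' name component or '*' realm in the pattern matches anything; component counts must agree."""
    pname, _, prealm = pattern.partition("@")
    name, _, realm = principal.partition("@")
    pcomps, comps = pname.split("/"), name.split("/")
    if len(pcomps) != len(comps):
        return False
    return all(p in ("*", c) for p, c in zip(pcomps, comps)) and prealm in ("*", realm)

def parse_acl(text):
    """Return (principal_pattern, permissions, target_pattern_or_None) for each non-comment line."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1], fields[2] if len(fields) > 2 else None))
    return entries

def allowed(acl, principal, priv, target=None):
    """True if the first line matching principal (and target, when the line names one) grants
    privilege letter priv: '*' or 'x' means everything, lowercase letters grant, uppercase deny."""
    for pat, perms, tpat in acl:
        if not _match(pat, principal):
            continue
        if tpat is not None and (target is None or not _match(tpat, target)):
            continue                      # line only applies to operations on matching targets
        if perms in ("*", "x"):
            return True
        return priv in {ch for ch in perms if ch.islower()}
    return False                          # no matching line: kadmind denies

# Constructed sample ACLs: the wiki's wildcard rule beside an explicit, least-privilege list.
WILDCARD_ACL = "*/admin@EXAMPLE.COM *\n"
EXPLICIT_ACL = """# constructed sample kadm5.acl
joe/admin@EXAMPLE.COM *
helpdesk/admin@EXAMPLE.COM ci      # inquire and change passwords only, nothing else
"""
```

With the wildcard line, every principal whose second component is admin gets full rights; the explicit list is what you maintain by hand when you want each administrator and their privileges spelled out.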
Now you are ready to initialize the kerberos database.
Don't forget to replace EXAMPLE.COM with your realm name.
Principal Creation
At this point you should test your Kerberos installation by creating an admin principal for kerberos and afs administration. You may call it whatever you like.
Now create a principal for afs itself. You will never use this principal, it's for afs only, so we use -randkey to generate a random key that can be used by afs.
The example.com above is the afs cell name. Similar to a kerberos realm, an afs cell is a logical grouping of afs servers. Convention dictates that you should name your cell after your kerberos realm, but in lowercase, since afs cell names are always lowercase.
Each afs server needs to have the key that was generated in the last step, so we export it here:
It is important to remember (or write down) the key version number (kvno) that this command gives in its output; you will need it later.
Start Kerberos Servers
You are now ready to start the kerberos kdc and kadmin server.
Set them to start at boot:
Now that kadmind and the KDC are running, you can use kadmin instead of kadmin.local.
OpenAFS Server
You will now need to install net-fs/openafs:
USE flags: kerberos
Configure AFS Cell info
You will need to edit several files in /etc/openafs/ to set up your new afs cell. The first holds the cell name:
example.com
The second lists the cell's database servers: a header line starting with ">" names the cell, followed by one line per server with its IP address and hostname:
>example.com #Example Cell
192.168.1.1 #afs.example.com
Put this info in the client configurations too:
Now that your configurations are correct, you can tell afs what kerberos principal it needs to use, and what key to use to authenticate:
The 3 above should be replaced with the kvno from earlier.
Bos and Other AFS Servers
BOS is the Basic OverSeer Server. It coordinates and starts all of the other afs servers. First you need to start the bosserver manually without authentication in order to set the server up.
Now that the bosserver is running, you can have it start and configure the protection server (for user accounts) and the volume location server:
With these started, you can add your admin user to the afs user database and make it an afs admin:
Setup the final few services:
Stop the temporary (and insecure) bosserver:
/vicepx partitions
The afs fileserver stores its volumes on partitions mounted in the root directory as /vicepa, /vicepb, etc. Before you start the afs server through the initscripts, you should create and mount a partition at /vicepa.
Starting the openafs server
You are now ready to start the OpenAFS server for the first time:
To have it start at boot, which you probably want:
OpenAFS File Structure
In order to set up the file structure, a client has to run that can connect to your server. It is easiest to do this if the client is run on the server, as it will help while setting things up.
Starting the client
Before starting the client for the first time, it is necessary to disable DYN_ROOT, in order to set up the root.afs volume:
ENABLE_DYNROOT="no"
Start the client:
Create Basic volume framework
Authenticate to kerberos:
Use the kerberos authentication to authenticate to afs:
You can now run commands as the afs admin. You need to create the root.afs volume, which, when DYN_ROOT is disabled, is normally mounted on /afs.
With DYN_ROOT disabled, you can now make /afs readable to everyone with:
Now you can create the root volume for your cell (which will be the basis for your whole AFS File Structure):
Mount it on /afs/example.com:
Make sure your cell's contents are readable too:
Mount a read-write copy on /afs/.example.com:
Other volumes can be mounted underneath the root of your cell in the same way, if you wish.
Congratulations, you now have a full AFS server!
Restarting the client
You may want to set DYN_ROOT back to yes:
ENABLE_DYNROOT="yes"
You then need to restart your client:
AFS/Kerberos Enabled Login
In order to authenticate to kerberos and get an afs token when logging in, you need to install and configure sys-auth/pam_krb5 and sys-auth/pam-afs-session:
You will also need to edit your PAM configuration files. It should look something like this when you are done:
auth required pam_env.so
auth sufficient pam_krb5.so
auth optional pam_afs_session.so program=/usr/bin/aklog
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
account sufficient pam_krb5.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_krb5.so use_authtok ignore_root
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so
session required pam_limits.so
session optional pam_krb5.so ignore_root debug
session required pam_afs_session.so program=/usr/bin/aklog
session required pam_unix.so
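To see what this ordering does when a module fails (KDC unreachable, aklog failing), here is an added Python walk-through, not from the wiki, of the auth and session stacks above under simplified Linux-PAM control-flag rules; the per-module outcomes fed to it are constructed, and the stack text is a copy of the configuration in this section.

```python
"""Added example: walk the wiki's PAM stacks with Linux-PAM's control-flag rules."""

# Constructed copy of the stack shown above (only the control flag and module name matter here).
PAM_CONF = """\
auth required pam_env.so
auth sufficient pam_krb5.so
auth optional pam_afs_session.so program=/usr/bin/aklog
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
session required pam_limits.so
session optional pam_krb5.so ignore_root debug
session required pam_afs_session.so program=/usr/bin/aklog
session required pam_unix.so
"""

def parse_pam(text, facility):
    """Return the ordered [(control, module)] list for one facility (auth, session, ...)."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate_stack(stack, outcomes):
    """Simplified Linux-PAM semantics: a required failure is remembered but the walk goes on,
    a requisite failure stops at once, a sufficient success ends the walk only if nothing
    required has failed yet, and optional results are ignored. outcomes maps module -> bool.
    Returns (granted, list of modules that were actually consulted)."""
    first_failure, consulted = None, []
    for control, module in stack:
        ok = outcomes.get(module, False)       # a module missing from outcomes counts as failing
        consulted.append(module)
        if control in ("required", "requisite") and not ok:
            first_failure = first_failure or module
            if control == "requisite":
                break
        elif control == "sufficient" and ok and first_failure is None:
            return True, consulted
    return first_failure is None, consulted

def login(text, outcomes):
    """Outcome of the auth stack followed by the session stack for one constructed login."""
    auth_ok, auth_path = evaluate_stack(parse_pam(text, "auth"), outcomes)
    if not auth_ok:
        return False, auth_path
    sess_ok, sess_path = evaluate_stack(parse_pam(text, "session"), outcomes)
    return sess_ok, auth_path + sess_path
```

Two things worth knowing from the walk: when pam_krb5 cannot authenticate, the stack falls through to pam_unix, so a local password still logs the user in, and because pam_afs_session is required in the session stack, a failing aklog blocks the session even though authentication succeeded.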
