Authors: hanke
Source: https://www.mpcdf.mpg.de/services/desktop-support/configuring-your-pc

AFS and Kerberos

How to configure a machine to use the MPCDF AFS and Kerberos infrastructure.

General remarks

This document describes some configurations you should use on a PC installed on the Garching campus or at IPP in Greifswald.

Note for Windows users:

These configurations are only for stand-alone Windows PCs. Do not use them if your PC is a member of one of the Active Directory domains (ipp.mpg.de or ipp-hgw.mpg.de).

Note for non-IPP users:

If you are not within IPP but want to use the AFS cell ipp-garching.mpg.de, use the Kerberos and AFS client configuration for the location closest to you.

If you are in doubt, use the location Garching.

Kerberos

DNS-entries

Garching:

  • Alias: kerberos1.rzg.mpg.de, kerberos2.rzg.mpg.de, kerberos3.rzg.mpg.de

  • Round-Robin: kerberos.rzg.mpg.de

Greifswald:

  • see Garching

SRV records are available: you can also configure your client to get this information from DNS, but then you will get the servers located in Garching, which is not what you want when you are sitting in Greifswald.

File location on your PC

  • UNIX: /etc/krb5.conf or /etc/krb5/krb5.conf

Windows:

  • MIT KfW: C:\WINDOWS\krb5.ini

  • Heimdal (recommended): C:\ProgramData\Kerberos

Download

Download the standard configuration for your client:

  • Linux: krb5.conf

  • Windows/Heimdal: krb5.conf

Snippets:

If you want to configure your client differently, these snippets might help:

[realms]
IPP-GARCHING.MPG.DE = {
        kdc = kerberos.rzg.mpg.de
        kdc = kerberos1.rzg.mpg.de
        kdc = kerberos2.rzg.mpg.de
        kdc = kerberos3.rzg.mpg.de
        admin_server = kerberos1.rzg.mpg.de
        default_domain = rzg.mpg.de
}
[domain_realm]

        mpcdf.mpg.de = IPP-GARCHING.MPG.DE
        .mpcdf.mpg.de = IPP-GARCHING.MPG.DE
        rzg.mpg.de = IPP-GARCHING.MPG.DE
        .rzg.mpg.de = IPP-GARCHING.MPG.DE
        ipp.mpg.de = IPP-GARCHING.MPG.DE
        .ipp.mpg.de = IPP-GARCHING.MPG.DE
        ipp-hgw.mpg.de = IPP-GARCHING.MPG.DE
        .ipp-hgw.mpg.de = IPP-GARCHING.MPG.DE
        ipp-garching.mpg.de = IPP-GARCHING.MPG.DE
        .ipp-garching.mpg.de = IPP-GARCHING.MPG.DE
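The [domain_realm] mapping above decides which realm, and therefore which KDCs, a client contacts for a given host, so it is worth checking what a hostname actually maps to. The following is an added example (not code from the MPCDF page or from MIT Kerberos): a small parser for the krb5.conf format with one level of `name = { ... }` nesting, plus the lookup rule documented for MIT libkrb5 (exact hostname first, then the most specific parent domain, where a plain domain entry also covers its subdomains). The embedded configuration is the page's snippet; the hostnames in the demo are constructed.

```python
"""Parse a krb5.conf fragment and resolve hostnames to a realm and its KDCs.

Added example, not part of the MPCDF page. The sample configuration is the
page's [realms]/[domain_realm] snippet embedded inline so the script runs
offline; DNS and default_realm fallbacks are deliberately not emulated.
"""
import re

KRB5_CONF = """
[realms]
IPP-GARCHING.MPG.DE = {
        kdc = kerberos.rzg.mpg.de
        kdc = kerberos1.rzg.mpg.de
        kdc = kerberos2.rzg.mpg.de
        kdc = kerberos3.rzg.mpg.de
        admin_server = kerberos1.rzg.mpg.de
        default_domain = rzg.mpg.de
}
[domain_realm]
        mpcdf.mpg.de = IPP-GARCHING.MPG.DE
        .mpcdf.mpg.de = IPP-GARCHING.MPG.DE
        rzg.mpg.de = IPP-GARCHING.MPG.DE
        .rzg.mpg.de = IPP-GARCHING.MPG.DE
        ipp.mpg.de = IPP-GARCHING.MPG.DE
        .ipp.mpg.de = IPP-GARCHING.MPG.DE
"""


def parse_krb5_conf(text):
    """Return {section: {key: [values...]}}.

    Values are lists because keys repeat (several `kdc =` lines). A value of
    `{` opens a nested dict that is stored as the list element. Comments
    starting with # or ; and blank lines are ignored.
    """
    sections = {}
    stack = []  # dicts currently being filled, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            sub = {}
            stack[-1].setdefault(key, []).append(sub)
            stack.append(sub)
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unbalanced braces in krb5.conf")
    return sections


def realm_for_host(host, conf):
    """Map a hostname to a realm via [domain_realm].

    Exact hostname first, then each parent domain: a `.parent` entry, or a
    bare `parent` entry (which implicitly covers its subdomains). Returns
    None when nothing matches.
    """
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for key in ("." + parent, parent):
            if key in mapping:
                return mapping[key]
    return None


def kdcs_for_realm(realm, conf):
    """KDCs configured for `realm`, in configuration order (empty if unknown)."""
    entries = conf.get("realms", {}).get(realm, [])
    block = entries[0] if entries and isinstance(entries[0], dict) else {}
    return list(block.get("kdc", []))


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for host in ("cobra01.rzg.mpg.de", "login.mpcdf.mpg.de", "www.example.org"):
        realm = realm_for_host(host, conf)
        print(f"{host:22} -> {realm}  kdcs={kdcs_for_realm(realm, conf)}")
```

A hostname that resolves to None here is one libkrb5 would hand to DNS or the default realm, which is exactly the case the page warns about for Greifswald clients.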

Passwordless ssh within MPCDF

Most Linux machines at MPCDF allow direct login with Kerberos tickets.

If you want to use this, create the file ~/.ssh/config with:

HOST *.rzg.mpg.de
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

For this to work, you then always have to use the FQDN of the host.

If you are sure you never ssh to machines outside IPP/MPCDF, you can omit the “HOST” line, but then your ticket is sent to every machine you ever ssh to (which is probably not what you want).
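Whether the ticket is forwarded depends only on which Host block matches the name typed on the command line, which is why the FQDN matters. The following is an added example, not code from the MPCDF page or from OpenSSH: it models the two ssh_config(5) rules that decide this (Host patterns are shell-style globs matched against the name as typed, and the first value obtained for an option wins) and reports whether a destination would receive the forwarded TGT. The two embedded configurations are constructed: the page's block plus a catch-all, and the "no HOST line" variant the page warns about.

```python
"""Which ssh_config Host blocks apply to a destination, and is the TGT forwarded?

Added example, not from the MPCDF page or from OpenSSH. Only the
"Keyword value" form is parsed (not "Keyword=value"), and Match blocks are
not modelled.
"""
import fnmatch

# Constructed sample: the page's block, followed by a catch-all that keeps
# delegation off for every other host.
SSH_CONFIG = """
Host *.rzg.mpg.de
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
"""

# Constructed sample for the "omit the HOST line" variant.
SSH_CONFIG_NO_HOST = """
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
"""


def parse_ssh_config(text):
    """Return [(patterns, {option: value}), ...] in file order.

    Options before the first Host line land in an implicit "Host *" block,
    which is how OpenSSH treats them.
    """
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks


def host_matches(name, patterns):
    """ssh_config Host matching: at least one positive pattern must match and
    no negated (!pattern) entry may match; comparison is case-insensitive."""
    name = name.lower()
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(name, pat[1:].lower()):
                return False
        elif fnmatch.fnmatchcase(name, pat.lower()):
            matched = True
    return matched


def effective_options(name, blocks):
    """Collect options for `name`; the first value obtained for a key wins."""
    result = {}
    for patterns, options in blocks:
        if host_matches(name, patterns):
            for key, value in options.items():
                result.setdefault(key, value)
    return result


def delegates_credentials(name, text=SSH_CONFIG):
    """True if ssh would forward the Kerberos TGT to `name` (OpenSSH default: no)."""
    opts = effective_options(name, parse_ssh_config(text))
    return opts.get("gssapidelegatecredentials", "no").lower() == "yes"


if __name__ == "__main__":
    for host in ("cobra01.rzg.mpg.de", "cobra01", "bastion.example.org"):
        print(f"{host:22} delegate={delegates_credentials(host)}")
    print("no Host line, bastion.example.org:",
          delegates_credentials("bastion.example.org", SSH_CONFIG_NO_HOST))
```

With the page's block, `cobra01` (short name) gets no delegation while `cobra01.rzg.mpg.de` does; without any Host line every destination receives the ticket.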

AFS-Client

The OpenAFS client mainly needs two pieces of configuration: the cell it belongs to (ThisCell) and where to find the AFS database servers.

The configuration of the cache is complex and should only be touched by experienced users.

Please consult the documentation of your distribution on how to install the client.

The packages themselves you may find in your distribution or at www.openafs.org.

Unix users should use a version >1.8.7.

Windows users should use the latest version from www.openafs.org. A short installation guide for Windows is given here.

If you change any of the parameters described below, do not forget to restart the AFS-client.

AFS-ThisCell

File-location on your PC

Unix: /usr/vice/etc/ThisCell or /etc/openafs/ThisCell

Windows: C:\Programme\OpenAFS\Client\ThisCell

This file should contain only “ipp-garching.mpg.de” without a newline-character.

Download ThisCell.

AFS-Database-servers

DNS-entries

SRV records. Clients using the DNS servers in Greifswald will be directed to AFS database servers in Greifswald; those using the DNS servers in Garching will be directed to servers located in Garching.

File-location on your PC

Unix: /usr/vice/etc/CellServDB or /etc/openafs/CellServDB

Windows: C:\Programme\OpenAFS\Client\CellServDB

Standard configuration for your client:

Download CellServDB.

Snippets

Here is the snippet relevant for the AFS cell “ipp-garching.mpg.de”.

Other cells can be taken from other sources.

>ipp-garching.mpg.de    #Institut fuer Plasmaphysik
130.183.9.5                     #afs-db1.rzg.mpg.de
130.183.100.10                  #afs-db2.aug.ipp-garching.mpg.de
130.183.14.14                   #afs-db3.bc.rzg.mpg.de

CellAlias

A cell alias is a shortcut in the /afs directory. The most well-known one here is /afs/ipp for /afs/ipp-garching.mpg.de.

File-location on your PC

Unix: /usr/vice/etc/CellAlias or /etc/openafs/CellAlias

Windows: Registry key [HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks]

Download

Download the standard configuration for your client:

UNIX: CellAlias

Windows: see snippets below

Snippets

Here is the snippet relevant for the AFS cell ipp-garching.mpg.de.

Other cells can be taken from other sources.

Unix:

ipp-garching.mpg.de ipp
ipp-garching.mpg.de rzg.mpg.de
ipp-garching.mpg.de rzg
ipp-garching.mpg.de @cell
mpa-garching.mpg.de mpa
mpe.mpg.de mpe

Windows:

Warning! Only do this when you know what you are doing!

You need to add the following entries of type REG_SZ (string value; “Zeichenfolge” in a German regedit) to the registry key [HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks]:

(Do not forget the dots “.”!)

ipp:ipp-garching.mpg.de.
.ipp:.ipp-garching.mpg.de.
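CellServDB and CellAlias together decide which database servers a client trusts for a cell and which short names reach it, so a typo in either file is worth catching before restarting the client. The following is an added example, not code from the MPCDF page or from OpenAFS, covering the CellServDB snippet and the Unix CellAlias snippet above (the Windows registry variant is not modelled): it parses both formats, validates each server address, and resolves an /afs path through the aliases to the cell's database servers. The embedded data is the page's two snippets; the paths used in the demo are constructed.

```python
"""Parse OpenAFS CellServDB and CellAlias and resolve /afs paths to a cell.

Added example, not from the MPCDF page or from OpenAFS. Sample data is the
page's CellServDB and Unix CellAlias snippets, embedded so it runs offline.
"""
import ipaddress

CELLSERVDB = """\
>ipp-garching.mpg.de    #Institut fuer Plasmaphysik
130.183.9.5                     #afs-db1.rzg.mpg.de
130.183.100.10                  #afs-db2.aug.ipp-garching.mpg.de
130.183.14.14                   #afs-db3.bc.rzg.mpg.de
"""

CELLALIAS = """\
ipp-garching.mpg.de ipp
ipp-garching.mpg.de rzg.mpg.de
ipp-garching.mpg.de rzg
ipp-garching.mpg.de @cell
mpa-garching.mpg.de mpa
mpe.mpg.de mpe
"""

THIS_CELL = "ipp-garching.mpg.de"  # content of the ThisCell file


def parse_cellservdb(text):
    """Return {cell: [(ip, hostname_comment), ...]}.

    A line starting with '>' opens a cell (text after '#' is a description);
    each following line names one database server as an IP address with an
    optional '#hostname' comment. A malformed address raises, because a
    typo here silently leaves the cell unreachable.
    """
    cells = {}
    cell = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):
            cell = line[1:].split("#", 1)[0].strip().lower()
            cells[cell] = []
            continue
        if cell is None:
            raise ValueError(f"line {lineno}: server entry before any '>cell' line")
        addr, _, comment = line.partition("#")
        ip = ipaddress.ip_address(addr.strip())  # ValueError on a bad address
        cells[cell].append((str(ip), comment.strip()))
    return cells


def parse_cellalias(text):
    """Return {alias: cell}; each line is '<cell> <alias>'."""
    aliases = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<cell> <alias>', got {line!r}")
        cell, alias = fields
        aliases[alias] = cell.lower()
    return aliases


def resolve_afs_path(path, aliases, this_cell=THIS_CELL):
    """Map /afs/<name>/rest to (cell, rest), expanding aliases.

    '@cell' names the client's own cell; it is taken from CellAlias when
    listed there and falls back to ThisCell otherwise.
    """
    parts = path.split("/")
    if len(parts) < 3 or parts[0] != "" or parts[1] != "afs":
        raise ValueError(f"not an /afs path: {path!r}")
    name = parts[2]
    if name == "@cell":
        cell = aliases.get("@cell", this_cell)
    else:
        cell = aliases.get(name, name.lower())
    return cell, "/".join(parts[3:])


def dbservers_for_path(path, servdb, aliases, this_cell=THIS_CELL):
    """Database server addresses the client would contact for `path`."""
    cell, _ = resolve_afs_path(path, aliases, this_cell)
    return [ip for ip, _ in servdb.get(cell, [])]


if __name__ == "__main__":
    servdb = parse_cellservdb(CELLSERVDB)
    aliases = parse_cellalias(CELLALIAS)
    for p in ("/afs/ipp/home/u/user", "/afs/@cell/common", "/afs/mpe/data"):
        print(p, "->", resolve_afs_path(p, aliases), dbservers_for_path(p, servdb, aliases))
```

An empty server list for a path (as for /afs/mpe/... here) means the cell is reachable only if the client learns its database servers from DNS, which is the situation the CellServDB snippet avoids for the local cell.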

Firewall

AFS is a distributed filesystem. For performance reasons, files are cached locally on the client. Therefore, a fileserver needs to be able to inform your client that a file it has cached has been changed by another client and the local copy must be discarded.

For this to work, the fileservers need to be able to talk to the client on port UDP/7001.

Please make sure that your personal firewall allows incoming packets on this port.

Login using PAM (UNIX only)

This section is about obtaining the credentials (Kerberos ticket, AFS token) directly at login by means of PAM (Pluggable Authentication Modules).

Note: if you install this, you need to use your MPCDF user ID and password to log in to your PC/laptop.

We recommend the use of pam-krb5 and pam-afs-session from Russ Allbery at Stanford.

You can get them at:

www.eyrie.org/~eagle/software/pam-afs-session/

www.eyrie.org/~eagle/software/pam-krb5/

Notes:

Some Linux distributions already ship packaged versions of these. Unfortunately, there is also another pam_krb5 package which is not written by Russ Allbery and is not compatible with this way of doing things. On RPM-based systems you can check which one you have with rpm -qi pam_krb5.

For compiling you might need to install the krb5-devel or equivalent package.

You need to install pam_afs_session.so and pam_krb5.so in the same directory as the other PAM modules, e.g. pam_unix2.so.

After compiling, you need to activate them in /etc/pam.d/login (for text login), /etc/pam.d/[egk]dm (for graphical login) or /etc/pam.d/sshd (for sshd); the exact mechanism depends on your UNIX flavour.

ATTENTION: pam-afs-session needs the binary “aklog” to work. This should be included with your openafs-client installation.

As an example, /etc/pam.d/login could look like this, but do not just copy this over your existing PAM file!

The important lines are marked with # XXX.

For further documentation, read the respective README.html on the web-pages given above.
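As an added illustration of the stack this section describes (this is not the page's own example file, and it is not distribution-generated configuration), the following /etc/pam.d/login places pam_krb5 ahead of pam_unix so Kerberos is tried first with a local-password fallback, and puts pam_afs_session after pam_krb5 in both the auth and session groups so that a ticket cache already exists when aklog runs. The module names and the `minimum_uid=1000` option are those documented for Russ Allbery's modules; the `minimum_uid` cut-off, which keeps root and system accounts on local authentication, and the `try_first_pass` argument for pam_unix are assumptions that depend on your distribution.

```pam
# Added example /etc/pam.d/login (illustration only, not the page's file).
# Assumes Russ Allbery's pam_krb5 and pam_afs_session, pam_unix as the
# local fallback, and UIDs below 1000 reserved for root/system accounts.

# Kerberos first; users below minimum_uid are skipped and go to pam_unix.
auth     sufficient  pam_krb5.so minimum_uid=1000
# Local fallback; reuses the password already typed for pam_krb5.
auth     required    pam_unix.so try_first_pass
# Present in auth so that pam_setcred can create the PAG and run aklog.
auth     optional    pam_afs_session.so minimum_uid=1000

account  required    pam_krb5.so minimum_uid=1000
account  required    pam_unix.so

# pam_krb5 sets up the ticket cache for the session.
session  optional    pam_krb5.so minimum_uid=1000
session  required    pam_unix.so
# Must come after pam_krb5: obtains the AFS token from the fresh ticket.
session  optional    pam_afs_session.so minimum_uid=1000
```

Keep the `optional` control on the pam_afs_session lines: with `required`, a missing or failing aklog would lock users out of the machine entirely rather than only leaving them without an AFS token.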