Configuration of AFS client for access to cern.ch on Ubuntu/Debian

Tested on Debian Stretch

Install Packages

$ sudo apt-get install openafs-client openafs-modules-dkms openafs-krb5 krb5-user krb5-config

Configure AFS and Kerberos

1. Use "cern.ch" as default AFS cell

$ echo "cern.ch" | sudo tee /etc/openafs/ThisCell

2. Set up Kerberos authentication

Add the following lines to file /etc/krb5.conf:

# settings for CERN.CH realm are taken from file
#   lxplus.cern.ch:/etc/krb5.conf

[libdefaults]
  default_realm = CERN.CH

[realms]
  CERN.CH = {
    default_domain = cern.ch
    kpasswd_server = cerndc.cern.ch
    admin_server = cerndc.cern.ch
    kdc = cerndc.cern.ch
  }

[domain_realm]
  cern.ch = CERN.CH
  .cern.ch = CERN.CH

3. Restart OpenAFS client

On Ubuntu 16.04 and above:

$ sudo systemctl restart openafs-client.service

On older versions:

$ sudo service openafs-client restart

4. Login (optional, only needed to access protected paths):

$ kinit $LOGNAME@CERN.CH     # get kerberos ticket
$ aklog                      # login to AFS cell
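
A check for the files written in steps 1 and 2, added here as an example (it is not part of the original page). The helper names krb5_get, check_afs_krb5 and write_sample are hypothetical, and the parser assumes only the plain "key = value" and "REALM = { ... }" syntax shown above, with no include directives.

```shell
#!/bin/sh
# Added example, not from the original page; all function names are hypothetical.
# krb5_get FILE SECTION KEY: print every value of KEY in [SECTION]; a key inside
# a "REALM = { ... }" block is addressed as REALM/key.
krb5_get() {
  awk -v want="$2" -v key="$3" '
    /^[ \t]*[#;]/ { next }                      # comment line
    /^[ \t]*\[/   { sub(/^[ \t]*\[/, ""); sec = substr($0, 1, index($0, "]") - 1); blk = ""; next }
    /^[ \t]*[}]/  { blk = ""; next }            # end of a realm block
    sec == want {
      n = index($0, "="); if (!n) next
      k = substr($0, 1, n - 1); v = substr($0, n + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (v == "{") { blk = k "/"; next }       # start of a realm block
      if ((blk k) == key) print v
    }' "$1"
}

# check_afs_krb5 [THISCELL] [KRB5CONF]: return 0 only if each value is exactly
# the one given on this page; a missing, different or duplicated value fails.
check_afs_krb5() {
  cellf=${1:-/etc/openafs/ThisCell}; conf=${2:-/etc/krb5.conf}; rc=0
  expect() {  # expect LABEL ACTUAL WANTED
    if [ "$2" = "$3" ]; then echo "ok   $1"
    else echo "FAIL $1: want '$3', got '$2'"; rc=1; fi
  }
  expect "ThisCell"      "$(cat "$cellf" 2>/dev/null)"                  cern.ch
  expect "default_realm" "$(krb5_get "$conf" libdefaults default_realm)" CERN.CH
  for k in kdc admin_server kpasswd_server; do
    expect "CERN.CH $k"  "$(krb5_get "$conf" realms "CERN.CH/$k")"      cerndc.cern.ch
  done
  for dom in cern.ch .cern.ch; do
    expect "domain $dom" "$(krb5_get "$conf" domain_realm "$dom")"      CERN.CH
  done
  return "$rc"
}

# write_sample DIR: constructed copies of the two files as this page configures them.
write_sample() {
  echo "cern.ch" > "$1/ThisCell"
  printf '%s\n' '[libdefaults]' '  default_realm = CERN.CH' \
    '[realms]' '  CERN.CH = {' '    kdc = cerndc.cern.ch' \
    '    admin_server = cerndc.cern.ch' '    kpasswd_server = cerndc.cern.ch' '  }' \
    '[domain_realm]' '  cern.ch = CERN.CH' '  .cern.ch = CERN.CH' > "$1/krb5.conf"
}

# Two arguments: check those files. No arguments: check the constructed sample.
if [ $# -eq 2 ]; then check_afs_krb5 "$1" "$2"
else t=$(mktemp -d) && write_sample "$t" && check_afs_krb5 "$t/ThisCell" "$t/krb5.conf"; fi
```

Because step 2 appends to an existing /etc/krb5.conf, a second default_realm left over from the distribution's file shows up here as a FAIL line with both values.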

Miscellanea

Configuration steps 1) and 2) can be done with:

$ sudo dpkg-reconfigure openafs-client
$ sudo dpkg-reconfigure krb5-config

It might be useful to set up a crontab job (e.g. every 6h) to automatically renew the Kerberos token:

0 */6 * * *  kinit -R ; aklog -c cern.ch -k CERN.CH

Note that kinit -R (i.e. renew the existing token) does not require any password to be typed in; on the other hand, a token can be renewed for a maximum of 5d after its generation, after which a kinit (with password) is needed. So if kinit is issued on Monday morning, you don't have to bother with that for the rest of the week.

Reference: http://akorneev.web.cern.ch/akorneev/howto/openafs.txt

-- Main.VeronicaOlsen - 2017-10-16

Topic revision: r4 - 2017-10-17 - AlessioMereghetti
 