Configuration of AFS client for access to cern.ch on Ubuntu/Debian

Tested on Debian Stretch

Install Packages

$ sudo apt-get install openafs-client openafs-modules-dkms openafs-krb5 krb5-user krb5-config

Configure AFS and Kerberos

1. Use "cern.ch" as default AFS cell

$ echo "cern.ch" | sudo tee /etc/openafs/ThisCell

2. Set up Kerberos authentication

Add the following lines to file /etc/krb5.conf:

# settings for CERN.CH realm are taken from file
#   lxplus.cern.ch:/etc/krb5.conf

[libdefaults]
  default_realm = CERN.CH

[realms]
  CERN.CH = {
    default_domain = cern.ch
    kpasswd_server = cerndc.cern.ch
    admin_server = cerndc.cern.ch
    kdc = cerndc.cern.ch
  }

[domain_realm]
  cern.ch = CERN.CH
  .cern.ch = CERN.CH

3. Restart OpenAFS client

On Ubuntu 16.04 and above:

$ sudo systemctl restart openafs-client.service

On older versions:

$ sudo service openafs-client restart

4. Login (optional, only needed to access protected paths):

$ kinit $LOGNAME@CERN.CH     # get kerberos ticket
$ aklog                      # login to AFS cell

Miscellanea

Configuration steps 1) and 2) can be done with:

$ sudo dpkg-reconfigure openafs-client
$ sudo dpkg-reconfigure krb5-config

It might be useful to set up a crontab job (e.g. every 6h) to automatically renew the Kerberos token:

0 */6 * * *  kinit -R ; aklog -c cern.ch -k CERN.CH

Note that kinit -R (i.e. renew existing token) does not require a password to be typed in; on the other hand, a token can be renewed for a maximum of 5d after its generation, after which a kinit (with password) is needed. So if kinit is issued on Monday morning, you don't have to bother with that for the rest of the week.

Reference: http://akorneev.web.cern.ch/akorneev/howto/openafs.txt

-- Main.VeronicaOlsen - 2017-10-16
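
The crontab line in Miscellanea runs aklog even when kinit -R has failed, and gives no hint once the renewable lifetime has run out. The wrapper below is an added example, not part of the original page: it stops at the first failing step and reports which one it was. The script name afs-renew.sh, the --run switch and the exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: cron wrapper around the page's "kinit -R ; aklog" line.
# Exit codes (constructed for this example):
#   0  ticket renewed and AFS token refreshed
#   2  no valid ticket in the cache -> kinit with password needed
#   3  kinit -R refused (renewable lifetime exceeded) -> kinit with password
#   4  aklog failed (e.g. openafs kernel module not loaded)

AFS_CELL="cern.ch"
KRB_REALM="CERN.CH"

warn() {
    # cron mails anything written to stderr to the owner of the job
    printf 'afs-renew: %s\n' "$1" >&2
}

renew_afs_token() {
    # klist -s prints nothing; its exit status tells whether a valid ticket exists
    if ! klist -s; then
        warn "no valid Kerberos ticket; run: kinit $LOGNAME@$KRB_REALM"
        return 2
    fi
    # -R renews without a password, but only inside the renewable lifetime
    if ! kinit -R; then
        warn "ticket can no longer be renewed; run kinit with password"
        return 3
    fi
    # ask for the AFS token only once the ticket is known to be fresh
    if ! aklog -c "$AFS_CELL" -k "$KRB_REALM"; then
        warn "aklog failed for cell $AFS_CELL; check openafs-client.service"
        return 4
    fi
    return 0
}

# Do the work only when called as "afs-renew.sh --run" (e.g. from crontab);
# without the switch the file only defines the functions.
if [ "${1:-}" = "--run" ]; then
    renew_afs_token
    exit $?
fi
```

In the crontab entry, the command part "kinit -R ; aklog -c cern.ch -k CERN.CH" would be replaced by the full path to this script followed by --run.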

Update: Possible problems on Ubuntu

If you have a recent Ubuntu installation, the above procedure might not entirely work as there could be a kernel incompatibility with the latest openafs. This is shown if you try aklog: it will then give the error

aklog: a pioctl failed while obtaining tokens for cell cern.ch

Furthermore, also a query of the openafs service with

$ sudo systemctl status openafs-client.service

will give errors:

openafs-client-precheck[2963]: modprobe: FATAL: Module openafs not found in directory /lib/modules/4.10.
openafs-client-precheck[2963]: Failed to load openafs.ko.  Does it need to be built?

I found a solution that worked for me, by adding a specific repository for openafs:

$ sudo apt-get purge openafs-client
$ sudo add-apt-repository ppa:openafs/stable
$ sudo apt-get update
$ sudo apt install openafs-client
$ sudo apt install --reinstall openafs-modules-dkms

Now we need to restart the service:

$ sudo systemctl stop openafs-client.service
$ kinit username@CERN.CH
$ sudo systemctl start openafs-client.service

You can check that the service is running as it should:

$ sudo systemctl status openafs-client.service

No more errors! Continue as before, aklog and possibly a crontab for kinit.

-- Main.FrederikVanDerVeken - 2017-11-21

Note: It may be enough to just run

$ sudo dpkg-reconfigure openafs-modules-dkms

-- Main.VeronicaOlsen - 2017-12-06
Topic revision: r6 - 2017-12-06 - VeronicaOlsen
 