openbsd-ports/net/openafs/files
ajacoutot 9daafcfa69 - use TRUEPREFIX instead of LOCALBASE where it makes sense (following
previous commit)
- fix mkdir args (from todd@)

ok todd@ (maintainer)
2009-03-28 16:11:48 +00:00
..
krb5.conf o update openafs to 1.4.7 2008-07-21 03:13:01 +00:00
openafs-setup - use TRUEPREFIX instead of LOCALBASE where it makes sense (following 2009-03-28 16:11:48 +00:00
param.i386_obsd.h o update openafs to 1.4.7 2008-07-21 03:13:01 +00:00
README.OpenBSD - use TRUEPREFIX instead of LOCALBASE where it makes sense (following 2009-03-28 16:11:48 +00:00

Using OpenAFS in an OpenBSD environment

Some knob twiddling you may find useful:

  1. Increase the default maximum number of open files in /etc/login.conf
     for daemon to at least a few thousand.

        :openfiles-cur=infinity:\

  2. If you increase #1 above the default then consider also updating
     kern.maxfiles in /etc/sysctl.conf:

	kern.maxfiles=102400            # increase maximum files

  3. Setting up kerberos authentication for users is accomplished by modifying
     /etc/login.conf's auth-defaults line:

	auth-defaults:auth=krb5-or-pwd,passwd,skey:

     Please note if you have a local password and wish to login using that
     instead of kerberos, you'll need to use 'username:passwd' to login.

To setup OpenAFS, you must first have a KerberosV realm setup.  Below
are brief instructions to do so.  See 'info heimdal' for further details.

Once the KerberosV realm is setup, run '${TRUEPREFIX}/sbin/openafs-setup'
to setup your first OpenAFS server in your cell.

Add the below to /etc/rc.local:

   if [ -x ${TRUEPREFIX}/sbin/bosserver ]; then
	echo -n " openafs"
	PATH=${TRUEPREFIX}/bin:${TRUEPREFIX}/sbin:$PATH

	# help this detach from console, proper fix is to properly daemonize!
	sh -c "bosserver -log -syslog > /dev/null 2>&1 &"

	# give the servers started by bosserver time to settle
	# before attacking it with salvaging activity
	sleep 10
	
        # to salvage automatically on startup, for the paranoid
        echo -n "(salvaging"
	set -A volumes $(
		vos listvol localhost -noauth 2> /dev/null| \
		awk '
		/ partition / { sub(":","",$9); part=$9; next; }
		/R[OW].* K .*-line/ { printf "%s %s\n",part,$2; }'
	)

	# 20 dots total, adjust based on volume count
	freq=$((${#volumes[*]}/20))
	i=0
	while [ i -lt ${#volumes[*]} ]
	do
		# progress by volume count
		if [ $(((i/2)%freq)) -eq 0 ]; then
			echo -n .
		fi
		part=${volumes[$i]}
		let i=i+1
		vid=${volumes[$i]}
		let i=i+1
		bos salvage localhost $part $vid -localauth > /var/tmp/$vid.log 2>&1
	done

        echo -n ")"
   fi

Add the following to /etc/rc.shutdown:

   if [ -x ${TRUEPREFIX}/bin/bos ]; then
        ${TRUEPREFIX}/bin/bos shutdown localhost -localauth -wait
        sleep 1
        pkill bosserver
   fi


Quick Start Guide to KerberosV as needed by OpenAFS
---------------------------------------------------

For KerberosV setup, it is highly recommended to have some entries
in the DNS domain that you will use that is the lowercase equivalent
of your KerberosV realm name.  If, for example, you had the domain
'example.com' you would have a realm of 'EXAMPLE.COM' and add the
following to the 'example.com' zone file:

  _kerberos._udp      SRV 0 0 88 kdc0
  _kerberos._tcp      SRV 0 0 88 kdc0
  _kpasswd._udp       SRV 0 0 464 kdc0
  _kerberos-adm._tcp  SRV 0 0 749 kdc0
  _kerberos           TXT "EXAMPLE.COM"

Setting a default krb5.conf is useful on all AFS clients and servers.

  cd /etc/kerberosV
  REALM=EXAMPLE.COM
  cell=example.com
  host=kdc0
  sed 's/%host%/'$host'/g;s/%cell%/'$cell'/g;s/%REALM%/'$REALM'/g' \
	< ${TRUEPREFIX}/share/examples/openafs/krb5.conf > krb5.conf

Create the heimdal directory:

  mkdir -m 700 /var/heimdal

Initialize the basic key:

  kstash --random-key

Initialize the Kerberos realm:

  kadmin -l
   kadmin> init EXAMPLE.COM
   Max ticket life [1 day]:unlimited
   Max renewable life [1 week]:unlimited
   Principal expiration time [never]:
   Password expiration time [never]:
   Attributes []:
   todd@EXAMPLE.COM's Password: 
   Verifying - todd@EXAMPLE.COM's Password: 
   kadmin> add todd/admin
   Max ticket life [1 day]:
   Max renewable life [1 week]:
   Principal expiration time [never]:
   Password expiration time [never]:
   Attributes []:
   todd/admin@EXAMPLE.COM's Password: 
   Verifying - todd/admin@EXAMPLE.COM's Password: 

 .. do this last part per KerberosV client and server:
  
   kadmin> add --random-key host/kdc0.example.com
   Max ticket life [1 day]:unlimited
   Max renewable life [1 week]:unlimited
   Principal expiration time [never]:
   Password expiration time [never]:
   Attributes []:
   kadmin> ext host/kdc0.example.com
   kadmin> quit

On the server run:

   /usr/libexec/kdc &

Verify authentication works:

  kinit todd
  todd@EXAMPLE.COM's Password: 
  klist
   Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: todd@EXAMPLE.COM

     Issued           Expires          Principal
   Jul 20 22:10:41  Aug 30 22:10:41  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Permit network based kerberos administration:

  /usr/libexec/kadmind &

Setup the acl file:

 Put the following into /var/heimdal/kadmind.acl:

   todd/admin@EXAMPLE.COM	all

Make sure things startup properly upon reboot:

 Put the following into /etc/rc.conf.local:

   krb5_master_kdc=YES