Select Page

Contents

Easy Install of OpenAFS for OS X 10.4

From your Web browser go to [mirror.cs.auckland.ac.nz] and get the Kerberos Extras and OpenAFS packages. Unzip the Kerberos Disk image and install it. Unzip the OpenAFS package and install it, restart at the end as requested.

The most recent version of OpenAFS that has been built and tested for OS X 10.4 will be installed and should be running, there should be an icon on your desktop called afs and inside should be a folder icon called ec.auckland.ac.nz.

To obtain tokens drag the Kerberos symbolic link in /Applications/Utilities onto the dock. Launch it and enter your upi and password into the name and password field, you should obtain Kerberos Tickets and afs tokens.

Alternately from the command line

$ kinit your_upi

enter your password

$ aklog

to get afs tokens

$klist

to see what Kerberos tickets and afs tokens you have or

$tokens

to list afs tokens.

To get AFS tokens at login see the Post Login Authentication Section.

Note that if you are setting up a new account set the users account short name to their UPI and change the account to have the users afs UID as these changes will help afs. There are tools available to help with this.

AFS clients for OS X 10.4 (Tiger)

Arla 0.90

From arla project This project has source code and a precompiled Binary.

This AFS implimentation is very easy to set up, has some nice user features, but implements some things differently to OpenAFS, which could cause support problems.

I have not been able to compile this package from source, but may work on this later.

OpenAFS

From openafs.org has released OpenAFS 1.4.4 and has both source and a binary for OSX 10.4 and OpenAFS 1.4.1 binaries for OS X 10.3.

I have been able to compile and build the source including aklog using the configuration switches on both PPC and Intel iMacs.

$ ./regen.sh

$./configure  --with-krb5-conf=/usr/bin/krb5-config

and

$make

#make packages

or

#make dest

It has been reprted that the following configuration should be used For OS X 10.4.

ARCHFLAGS="-arch i386 -arch ppc" ./configure --enable-transarc-paths --with-krb5-conf=/usr/bin/krb5-config
ARCHFLAGS="-arch i386 -arch ppc" make dest
sudo make packages

To find out what version of OpenAFS is running.

$ /Library/OpenAFS/Tools/etc/rxdebug localhost 7001 -version

Post login Authentication

This Apple link enabling Kerberos authentication and
this link Kerberos at login shows how to modify /etc/authorization after making a backup copy.

Do not allow fast user switching if this is used.

There is an plugin that works for both arla and openafs available but it is still early days yet.

 

Obtaining Kerberos Tickets for the EC Realm at Login

The MIT kerberos extras for OS X 10.4 need to be installed, or the necessay files included in the afs package used. Also the file /Library/Preferences/edu.mit.Kerberos needs to be configured for the EC kerberos realm, note that an extra line has been added which causes Arla to use an in memory credentials cache.

The user can make a startup item of /Applications/Utilities/Kerberos and if they login to an account where their account short name is their UPI and use their NetLogin password they should obtain Kerberos Tickets at login.

Obtaining afs tickets for the EC cell at login

Arla

Cells are added to Arla from the Arla Configuration application /Applications/Arla/ArlaConfiguration after the user has authenticated themselves.

To obtain tokens at login make a startup item to run Afslog in /Applications/Arla/Afslog.

OpenAFS

At the moment the only way to obtain afs tokens is to make a startup item of aklog which is found at /Library/OpenAFS/Tools/bin/aklog. Mac OS X 10.3 has an aklog plugin that automates this but it is not yet available for OS X 10.4. A terminal window will be opened and will need to be closed after it has run:-(.

Obtaining afs tickets for other cells in the EC Kerberos realm at login

Arla

Add the cells as discussed above and you should be able to obtain tokens at login as described for the EC cell.

OpenAFS

To obtain access to multiple cells in the EC Kerberos realm it is necessary to create a file in /var/db/openafs/etc/ ccalled TheseCells and add the cell names into it one per line, to change the ThisCell file in the same directory to not point to the EC cell. Stop and restart OpenAFS so that it finds the new settings.

$ sudo /Library/StartupItems/OpenAFS/OpenAFS stop/start

To check that things are working, obtain new kerberos tickets and aklog using

$ aklog -c ec.auckland.ac.nz sfac.auckland.ac.nz -k EC.AUCKLAND.AC.NZ

use the -d option to see what is being done

and
$ tokens
or
$ klist

to check what tokens or tickets and tokens have been obtained.

Skip to toolbar