--- /dev/null
+Uninstall
+complete
--- /dev/null
+6/27/02
+
+This is a brief description of how to use the OpenAFS Tools to create a cell
+that uses Kerberos 5 authentication, rather than the kaserver program that
+comes with OpenAFS.
+
+*** INTRODUCTION ***
+
+Kerberos 5 is an authentication protocol that is widely used by many
+applications. If you have an OpenAFS environment that is K5-aware, your
+users will not have to obtain authenticate separately with OpenAFS -- they
+can use their Kerberos tickets instead. For more information about the
+benefits of K5 over AFS authentication, see the following webpage:
+
+http://www.mathematik.uni-karlsruhe.de/~iwrmm/Persons/Schulz/Unix/afs/afs-krb5.html
+
+You should also check out AFSLore (http://grand.central.org/twiki/).
+
+Also, refer to the OpenAFS Tools README for a much more complete set
+of requirements and instructions. This document contains only things that
+are specific to the process of using Kerberos; it assumes you are already
+familiar with the other OpenAFS Tools requirements.
+
+*** REQUIREMENTS ***
+
+There are two major implementations of K5 -- MIT, and Heimdal. From what
+I can gather, one is not significantly better than the other. Unfortunately,
+their command line interfaces differ slightly, so for these tools I had to
+choose one with which to be compatible. I chose the MIT version. It is
+available at http://web.mit.edu/kerberos/www/index.html. You should download,
+compile, and install this if you haven't already.
+
+If you have an existing Kerberos realm that you plan to use, you only need to
+configure your soon-to-be OpenAFS server as a Kerberos client. If you're
+making a new realm, you're going to have to create a master KDC (which can
+be the same as your OpenAFS server if you want, but that's not advised), and
+also configure your OpenAFS server to be a client. The aforementioned MIT
+website has all the information you'll need on how to create or connect to
+a K5 realm. IMPORTANT NOTE: If you're creating a new realm, keep in mind
+that the OpenAFS cell you will be creating later must have the same name as
+the realm, except the name of the realm must be in all caps.
+
+The next step is to install the OpenAFS RPMs, available at
+http://www.openafs.org/. You'll need to get the openafs, openafs-kernel,
+openafs-client, openafs-server, and openafs-krb5 packages, and install
+them all.
+
+*** INSTALLATION ***
+
+Installation is pretty easy. Just do a normal install_afs command (as
+described in the OpenAFS Tools README), but specify the "-k" option. This
+informs the program that you are going to be using Kerberos for authentication.
+During the installation process, it will ask for a Kerberos administration
+password; this is the password for the admin/admin principal in your
+Kerberos realm. If it is not correct, the installation will not work!
+
+IMPORTANT NOTE: As far as I can tell, the name of your cell must be THE SAME
+as the name of the Kerberos realm you are using, except in should be in lower
+case letters instead of upper case. Supposedly there are ways to get around
+this, but I have not found them. Currently, the OpenAFS Tools supports only
+same-name integration.
+
+*** USE ***
+
+After the install_afs program completes, you should be ready to go. To test
+it out, execute the following commands.
+
+ kinit admin
+ aklog
+ vos create <machine_name> <partition_name> test.vol
+
+This will create a test volume in your AFS cell. If you see any error
+messages about authentication, then something's not working.
+
+If everything works, you can start using your AFS cell. When you want to make
+new users, make them a Kerberos account, and then give them a PTS entry in
+your OpenAFS cell. That should be it!
+
+*** COMMON PROBLEMS ***
+
+Here are some solutions to problems I've encountered:
+
+- Some KDC in your Kerberos realm must be running the following programs
+before you run the OpenAFS installation program:
+ kadmind
+ krb5kdc
+ krb524d -m
+- The name of your OpenAFS cell and Kerberos realm must be the same, except
+for differences in capitalization.
+- Make sure, after uninstalling OpenAFS, to delete the 'admin' and 'afs'
+principals from the Kerberos database.
+
+*** Future Work ***
+
+These tools should support both MIT and Heimdal implementations, and any
+others that may exist. Unfortunately, the only reasonable way to do this
+that I can see is to use the actual Kerberos 5 API. This would require
+writing a C program or two and integrating them into the OpenAFS
+installation script. While certainly possible, this would probably take
+some work.
+
+Removing the same name dependency between the OpenAFS cell and the Kerberos
+realm would be fantastic.
+
## License. For details, see the LICENSE file in the top-level source
## directory or online at http://www.openafs.org/dl/license10.html
##
-## openafs-tools, Version 1.2.2 ##
+## openafs-tools, Version 1.2.5 ##
Follow these steps to create a binary distribution RPM for the
openafs-tools-cmd package no Red Hat Linux:
1) Copy the spec file to your SPECS directory.
- cp openafs-tools-cmd-1.2.2-1.spec /usr/src/redhat/SPECS/
+ cp openafs-tools-cmd-1.2.5-1.spec /usr/src/redhat/SPECS/
2) Create the source package by running:
3) Now you can create the RPM:
cd /usr/src/redhat/SPECS
- rpm -ba --clean openafs-tools-cmd-1.2.2-1.i386.rpm
+ rpm -ba --clean openafs-tools-cmd-1.2.5-1.i386.rpm
The RPM is now ready for use in the
/usr/src/redhat/RPMS directory.
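Review bot: the step 3 command `rpm -ba --clean openafs-tools-cmd-1.2.5-1.i386.rpm` names an RPM, but rpm -ba takes a spec file; step 1 copies openafs-tools-cmd-1.2.5-1.spec into SPECS, so this should be `rpm -ba --clean openafs-tools-cmd-1.2.5-1.spec`. Step 2 ("Create the source package by running:") also has no command in the visible lines, so check that the tar step survived the version bump.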
rm -f /usr/vice/etc/ThisCell
rm -f /usr/vice/etc/AFSLog
rm -rf /usr/vice/cache
+rm -f $afscodeFileDir/install_output
+rm -f $afscodeFileDir/done.txt
mkdir /usr/vice/cache
+echo "If you were using K5 authentication, make sure you delete all AFS related principals."
echo "Uninstall" > $afscodeFileDir/.afs_state
echo "complete" >> $afscodeFileDir/.afs_state
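Review bot: the new reminder "make sure you delete all AFS related principals" should name them, since K5_README lists exactly which ones install_afs creates (afs and admin); an operator reading only the uninstall output has no way to know. The two new `rm -f $afscodeFileDir/...` lines should also quote the variable (`rm -f "$afscodeFileDir/install_output"`) so an empty or space-containing value cannot turn the removal into a path relative to /.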
echo -e "\t-adminPassword (or -p) password: the administrative\n\t password of the cell. Ignored if this is not a server"
echo -e "\t-existingServer (or -e) name: the name of an\n\t existing server already in the cell. Ignored if\n\t this is not an additional server"
echo -e "\t-scriptDirectory (or -d) name: the name of the\n\t directory containing these OpenAFS installation\n\t scripts"
+ echo -e "\t-krb5 (or -k): Set up Kerberos 5 authentication on this\n\t machine. Assumes this machine is a client of a Kerberos\n\t realm that has the same name as the cell being created,\n\t but all caps. Ignored if this is not a first server."
+ echo -e "\t-kadminPassword (or -ka) password: the administrative\n\t password of the kerberos realm. Ignored if the -krb5\n\t flag is not set."
echo -e "\t-noConf (or -n): Do not ask for confirmation before\n\t performing the installation."
echo -e "\thelp: Display this help dialogue"
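Review bot: the -kadminPassword help text says "the administrative password of the kerberos realm", which is ambiguous; K5_README states it is the password of the admin/admin principal, so say that here. It is also worth adding to the -krb5 text that the realm/cell name match is assumed, not checked, by the script, so a mismatch fails only at the kadmin step.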
echo
if [ $# -ne 0 ]; then
shift
fi
- if [ $flag != "-noConf" -a $flag != "-n" ]; then
+ if [ $flag != "-noConf" -a $flag != "-n" -a $flag != "-krb5" -a $flag != "-k" ]; then
val=$1
if [ $# -ne 0 ]; then
shift
else
if [ $flag = "-noConf" -o $flag = "-n" ]; then
noConf=$val
+ else
+ if [ $flag = "-krb5" -o $flag = "-k" ]; then
+ krb5=$val
+ else
+ if [ $flag = "-kadminPassword" -o $flag = "-ka" ]; then
+ kadminPassword=$val
else
echo Invalid flag $flag. Use \"install_afs help\" for syntax.
exit 0;
- fi fi fi fi fi fi fi fi fi fi
+ fi fi fi fi fi fi fi fi fi fi fi fi
done
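Review bot: -krb5/-k is correctly added to the flags that take no value (`-a $flag != "-krb5" -a $flag != "-k"`), yet the new branch stores `krb5=$val`; confirm that val carries a non-empty marker on the no-value path, because every later check in install_afs is `[ -z $krb5 ]` and an empty val would silently select the kaserver path even when -k was given. The ten-deep `fi fi fi ...` chain is also getting hard to audit; a case statement on $flag would make the value/no-value handling obvious.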
# Collect variables not given:
done
fi
+if [ $krb5 -ne 0 ]; then
+ while [ -z $kadminPassword ]; do
+ echo -ne "Provide the administrative password of the Kerberos realm: "
+ stty -echo echonl
+ read kadminPassword
+ stty echo
+ echo -ne "Please confirm the password: "
+ stty -echo echonl
+ read kadminPassword2
+ stty echo
+
+ if [ -z $kadminPassword ]; then
+ echo -e "You must give a password"
+ else
+ if [ -z $kadminPassword2 ]; then
+ echo -e "You must confirm the password"
+ adminPassword=""
+ else
+ if [ $kadminPassword != $kadminPassword2 ]; then
+ echo -e "Passwords do not match"
+ kadminPassword=""
+ fi fi fi
+ done
+fi
+
# Make sure the needed files exist:
if [ $serverType -eq $addServer ]; then
while [ ! -e $scriptDir/afs/ -o ! -e $scriptDir/afs/ThisCell -o ! -e $scriptDir/afs/CellServDB -o ! -e $scriptDir/afs/KeyFile -o ! -e $scriptDir/afs/UserList ]; do
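Review bot: in the confirmation loop the "You must confirm the password" branch clears `adminPassword=""` instead of kadminPassword, so an empty confirmation leaves kadminPassword set and the `while [ -z $kadminPassword ]` loop exits with an unconfirmed value; change it to `kadminPassword=""`. Quote the variables in `[ -z $kadminPassword ]` and `[ $kadminPassword != $kadminPassword2 ]` so an empty value or a password containing spaces does not break test. The guard `if [ $krb5 -ne 0 ]` also disagrees with the `[ -z $krb5 ]` convention used elsewhere: with krb5 empty it errors with "unary operator expected", and with krb5 initialized to 0 the `-z` tests would never see the kaserver case; pick one representation and use it everywhere.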
echo kill ${bosserver_process%% /*}
kill ${bosserver_process%% /*}
- /usr/afs/bin/kaserver -noauth &
+ if [ -z $krb5 ]; then
+ /usr/afs/bin/kaserver -noauth &
- echo Configuring kaserver
- kas create afs -initial_password $afsPassword -cell $cellName -noauth
- kas examine -name afs -cell $cellName -noauth
- kas create admin -initial_password $adminPassword -cell $cellName -noauth
- kas setfields admin -flags admin -cell $cellName -noauth
- kas examine -name admin -cell $cellName -noauth
+ echo Configuring kaserver
+ kas create afs -initial_password $afsPassword -cell $cellName -noauth
+ kas examine -name afs -cell $cellName -noauth
+ kas create admin -initial_password $adminPassword -cell $cellName -noauth
+ kas setfields admin -flags admin -cell $cellName -noauth
+ kas examine -name admin -cell $cellName -noauth
- kaserver_process=$(ps -Ao pid,cmd | grep kaserver)
- echo kill ${kaserver_process%% /*}
- kill ${kaserver_process%% /*}
+ kaserver_process=$(ps -Ao pid,cmd | grep kaserver)
+ echo kill ${kaserver_process%% /*}
+ kill ${kaserver_process%% /*}
+
+ else
+
+ echo Setting up krb5
+ kadmin -p admin/admin -w $kadminPassword -q "addprinc -pw $adminPassword afs"
+ kadmin -p admin/admin -w $kadminPassword -q "modprinc -kvno 0 afs"
+ kadmin -p admin/admin -w $kadminPassword -q "ktadd -k /etc/krb5.keytab -e des-cbc-crc:afs3 afs"
+ asetkey add 1 /etc/krb5.keytab afs
+ kadmin -p admin/admin -w $kadminPassword -q "ktremove -k /etc/krb5.keytab afs all"
+ kadmin -p admin/admin -w $kadminPassword -q "addprinc -pw $adminPassword admin"
+ kadmin -p admin/admin -w $kadminPassword -q "ktadd -k /etc/krb5.keytab admin"
+
+ fi
echo Bootstrapping ptserver
- echo -e "admin 128/20 1 -204 -204\nsystem:administrators 130/20 -204 -204 -204\n admin 1\n" | pt_util -p /usr/afs/db/prdb.DB0 -w
+ echo -e "admin 128/20 1 -204 -204\nsystem:administrators 130/20 -204 -204 -204\n admin 1\n" | /usr/afs/bin/pt_util -p /usr/afs/db/prdb.DB0 -w
fi
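Review bot: every kadmin call passes the realm admin password as `-w $kadminPassword` and the new principal's password as `addprinc -pw $adminPassword afs`, so both secrets are visible to any local user via ps for the duration of the call; supply them on kadmin's stdin or use a keytab-authenticated kadmin instead. The `ktadd -k /etc/krb5.keytab -e des-cbc-crc:afs3 afs` step deliberately produces a single-DES key because that is the only type asetkey can load into the AFS KeyFile, which is a limitation worth stating in K5_README. Note too that `ktadd ... admin` randomizes the admin principal's key, so the operator's chosen password is not valid until the later `cpw -pw $adminPassword admin`; the temporary admin entry should go into a private temporary keytab rather than /etc/krb5.keytab so that it cannot be left behind if the script aborts between ktadd and ktremove.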
#
echo Starting the Database Server Processes
#
- echo bos create -server $machineName -instance kaserver -type simple -cmd /usr/afs/bin/kaserver -cell $cellName -localauth
- bos create -server $machineName -instance kaserver -type simple -cmd /usr/afs/bin/kaserver -cell $cellName -localauth
+ if [ -z $krb5 ]; then
+ echo bos create -server $machineName -instance kaserver -type simple -cmd /usr/afs/bin/kaserver -cell $cellName -localauth
+ bos create -server $machineName -instance kaserver -type simple -cmd /usr/afs/bin/kaserver -cell $cellName -localauth
+ fi
echo bos create -server $machineName -instance buserver -type simple -cmd /usr/afs/bin/buserver -cell $cellName -localauth
bos create -server $machineName -instance buserver -type simple -cmd /usr/afs/bin/buserver -cell $cellName -localauth
echo bos create -server $machineName -instance ptserver -type simple -cmd /usr/afs/bin/ptserver -cell $cellName -localauth
echo /etc/rc.d/init.d/afs start
/etc/rc.d/init.d/afs start
if [ $serverType -ne $notServer ]; then
- # klog in as admin
- echo klog admin -password
- klog admin -password $adminPassword
+
+ if [ -z $krb5 ]; then
+ # klog in as admin
+ echo klog admin -password
+ klog admin -password $adminPassword
+ else
+ kinit -t /etc/krb5.keytab admin
+ aklog
+ fi
+
# verify klog worked correctly:
echo tokens
tokens
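Review bot: `kinit -t /etc/krb5.keytab admin` depends on the admin key that the earlier ktadd placed in the host keytab, which means /etc/krb5.keytab holds a fully privileged AFS admin credential from that point until the ktremove runs; if this branch can exit early (for example on an aklog failure) the entry stays. Using `ktadd -k` with a temporary file that is deleted right after aklog keeps the host keytab limited to service keys. The comment "# verify klog worked correctly" above `tokens` now covers both klog and kinit/aklog, so reword it to "verify the token was obtained".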
/etc/rc.d/init.d/afs start
cd /afs
- # klog in as admin
- echo klog admin -password
- klog admin -password $adminPassword
+ if [ -z $krb5 ]; then
+ # klog in as admin
+ echo klog admin -password
+ klog admin -password $adminPassword
+ else
+ kinit -t /etc/krb5.keytab admin
+ aklog
+ kadmin -p admin/admin -w $kadminPassword -q "ktremove -k /etc/krb5.keytab admin all"
+ kadmin -p admin/admin -w $kadminPassword -q "cpw -pw $adminPassword admin"
+ fi
# Wait for Ubik to elect a quorum
echo Waiting for a quorum election . . .
echo fs examine /afs/$cellName
fs examine /afs/$cellName
-#
-#
fi
fs checkvolumes
#
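Review bot: this krb5 branch removes the admin keytab entry and resets the password, but again puts the secret on the command line in `cpw -pw $adminPassword admin`; feed it on stdin. The ktremove/cpw cleanup is only done here and not in the other `kinit -t /etc/krb5.keytab admin` branch, so on whichever code path reaches only the earlier branch the admin key remains in /etc/krb5.keytab and the admin password stays randomized; move the cleanup into a function called from both places.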
cp $mainFileDir/afsinit_server .
cp $mainFileDir/afs_uninstall .
cp $mainFileDir/install_afs .
+cp $mainFileDir/K5_README .
+cp $mainFileDir/check_udebug.pl .
cp $mainFileDir/write_fstab.pl .
cp $mainFileDir/write_pam.pl .
#
--- /dev/null
+Summary: A program that can install and uninstall OpenAFS for Linux (command line only).
+Name: openafs-tools-cmd
+Version: 1.2.5
+Release: 1
+Copyright: IPL
+Packager: OpenAFS
+Group: Applications/File
+Source: openafs-tools-cmd.tar
+Conflicts: openafs-tools
+Requires: openafs, openafs-kernel, openafs-client, openafs-server
+BuildRoot: /var/tmp/%{name}-buildroot
+
+%description
+This rpm will extract and install the files needed to install and uninstall
+OpenAFS on a Linux system.
+
+%prep
+%setup -c
+gunzip afs_linux.tar.gz
+tar -xf afs_linux.tar
+
+%build
+chmod 744 unpack_cmd
+
+%install
+rm -rf $RPM_BUILD_ROOT
+./unpack_cmd
+
+%post
+%ifnos Linux
+ echo -e "WARNING: Operating system is not Linux.\n openafs-tools has only been tested on Red Hat Linux, so proceed with caution."
+%endif
+if [ ! -e /usr/src/redhat ]; then
+ echo -e "WARNING: This operating system may not be Red Hat Linux.\nopenafs-tools has only been tested on Red Hat, so proceed with caution."
+fi
+%ifos Linux
+ ver=$(uname -r)
+ verdash=${ver%%-*}
+ vermaj=${verdash%.*}
+ vermin=${verdash##*.}
+ if [ $vermaj != "2.2" -a $vermaj != "2.4" ]; then
+ echo -e "WARNING: Kernel version is not 2.2 or 2.4.\n openafs-tools-client has only been tested on kernel versions 2.2 and 2.4, so proceed with caution."
+ fi
+%endif
+
+%preun
+rm -f /usr/afs/tools/install/*install_output*
+rm -rf /usr/afs/tools/install/afs
+rm -rf /usr/afs/tools/install/vice
+rm -rf /usr/afs/tools/install/done.txt
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%doc openafs-tools-cmd.README
+/usr/afs/tools/openafs-tools-cmd.README
+/usr/afs/tools/install/.afs_state
+/usr/afs/tools/install/afsinit_both
+/usr/afs/tools/install/afsinit_client
+/usr/afs/tools/install/afsinit_server
+/usr/afs/tools/install/afs_uninstall
+/usr/afs/tools/install/install_afs
+/usr/afs/tools/install/K5_README
+/usr/afs/tools/install/check_udebug.pl
+/usr/afs/tools/install/write_fstab.pl
+/usr/afs/tools/install/write_pam.pl
+%dir /usr/afs/tools/install/
+
+
+
+
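Review bot: Requires lists openafs, openafs-kernel, openafs-client and openafs-server but not openafs-krb5, which K5_README says is needed for a -k install (it is the package carrying aklog and asetkey that install_afs calls); either add it or document it as optional. The `%ifos Linux` / `%ifnos Linux` blocks in %post are evaluated when the spec is parsed at build time, not on the target at install time, so the "Operating system is not Linux" warning can never fire; only the `uname -r` check actually runs on the installing host. `/usr/afs/tools/install/.afs_state` is packaged as a plain file, so a package upgrade overwrites the live installation state that afs_uninstall writes; mark it `%config(noreplace)`.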
cp -f afsinit_server $mainFileDir/
cp -f afs_uninstall $mainFileDir/
cp -f install_afs $mainFileDir/
+cp -f K5_README $mainFileDir/
cp -f check_udebug.pl $mainFileDir/
cp -f write_fstab.pl $mainFileDir/
cp -f write_pam.pl $mainFileDir/
## License. For details, see the LICENSE file in the top-level source
## directory or online at http://www.openafs.org/dl/license10.html
##
-## openafs-tools, Version 1.2.2 ##
+## openafs-tools, Version 1.2.5 ##
####################### TABLE OF CONTENTS ###########################
openafs-server-1.2.2-rh6.2.1.i386.rpm
Red Hat 7.1:
openafs-kernel-1.2.2-rh7.1.1.i386.rpm
- openafs-1.2.2-rh7.11..i386.rpm
+ openafs-1.2.2-rh7.1.1.i386.rpm
openafs-client-1.2.2-rh7.1.1.i386.rpm
openafs-server-1.2.2-rh7.1.1.i386.rpm
Once these are downloaded, install them (using an rpm -i or rpm -U
c) OpenAFS Tools
Now all that's left to do is install the OpenAFS Tools rpm. The
-file you need is openafs-tools-1.1.1-1.i386.rpm. Install it using
+file you need is openafs-tools-1.2.2-1.i386.rpm. Install it using
an rpm -i or rpm -U command. This will create several directories
and populate your system with necessary files. The main directories
created and populated is:
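Review bot: the file name is bumped to openafs-tools-1.2.2-1.i386.rpm, but the header of this same README now says "openafs-tools, Version 1.2.5" and the spec in this change builds openafs-tools-cmd-1.2.5-1 (and declares `Conflicts: openafs-tools`); state the package the reader should actually install and use one version string throughout.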
on the command line, you will be prompted for them interactively.
To get a rundown on how to use install_afs, execute:
/usr/afs/tools/install/install_afs help
-Once configured correctly, this machine will run the installation
-program (the same one run by the web interface), and restart your
-computer.
+
+If you are creating an additional server or not a server, OpenAFS
+Tools will ensure that you have all the required files on your
+system. These are files needed by the OpenAFS installation program
+to connect you to cells that already exist. You must get these files
+manually from an existing server, as we have not yet implemented
+a secure way of doing this automatically. For additional servers,
+the files you need to copy are:
+ - Copy the /usr/afs/etc/ThisCell file from the existing server
+to /usr/afs/tools/install/afs/ThisCell on your machine.
+ - Copy the /usr/afs/etc/CellServDB file from the existing server
+to /usr/afs/tools/install/afs/CellServDB on your machine.
+ - Copy the /usr/afs/etc/KeyFile file from the existing server
+to /usr/afs/tools/install/afs/KeyFile on your machine.
+ - Copy the /usr/afs/etc/UserList file from the existing server
+to /usr/afs/tools/install/afs/UserList on your machine.
+ - Copy the /usr/vice/etc/CellServDB file from the existing server
+to /usr/afs/tools/install/vice/CellServDB on your machine.
+
+ For client-only installation, you need the following file:
+ - Copy the /usr/vice/etc/CellServDB file from the existing server
+to /usr/afs/tools/install/vice/CellServDB on your machine.
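Review bot: the new instructions have the operator hand-copy /usr/afs/etc/KeyFile (the cell-wide server key) and UserList from an existing server but say nothing about how. Since anyone who can read KeyFile can impersonate every server in the cell, add that the copy must go over an authenticated, encrypted channel (scp or equivalent, never FTP or a shared export), and that the copies under /usr/afs/tools/install/afs must be root-owned and mode 0600, matching the originals in /usr/afs/etc. The sentence "we have not yet implemented a secure way of doing this automatically" is a good candidate for a note in the Future Work section.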
b) OpenAFS Uninstallation
- Installation starts with the script install_afs. The first thing
it does is ensure that the files needed for setting up additional
servers and/or clients exist in the appropriate places (see section
-3.a.i for a description of these files). Then, after indicating to
+3.a for a description of these files). Then, after indicating to
the state file that installation has begun, it begins installing
OpenAFS.
- For clients, it then enables Pam Login Authentication using
Currently we use the administrative password for the afs account
password. The admin account is now added to the bos server database
and a pts entry is created as well. Also, the afs account password
-is added as a key for the server. The kaserver proces is terminated.
+is added as a key for the server. The kaserver process is terminated.
The pts database is then bootstrapped to add the administrator to it.
- For first servers, a normal bosserver is started. It then
creates the database server processes (kaserver, buserver, ptserver,
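Review bot: the "proces" fix is fine, but this section still describes only the kaserver bootstrap ("The admin account is now added to the bos server database ... The kaserver process is terminated."). With -krb5 the script skips kaserver entirely, creates the afs and admin principals with kadmin, loads the afs key with asetkey, and does not create a kaserver instance under bos; add a paragraph describing that path so the README matches what install_afs now does.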
b) OpenAFS Uninstallation
- Uninstallation has only two files: the main script and the
-redirection script.
+ Uninstallation has only one file:
/usr/afs/tools/install/afs_uninstall
Here is a brief summary of what it does to uninstall OpenAFS:
- First it indicates to the state file that uninstallation has