AFS at Lewin.nu

AFS (Andrews File System) is a protocol for accessing disk files over a network. This is similar to Windows file sharing, NFS (Network File System).

The lewin.nu domain has an AFS cell by the same name (lewin.nu).

We use the OpenAFS AFS implementation.

AFS requires the Kerberos authentication system for user authentication. The lewin.nu AFS cell uses Kerberos for authentication rather than AFS' native aklog scheme.

File Access Rights

Available permissions

The following ACL permissions can be granted:

Lookup (l), which allows a user to list the contents of the AFS directory, examine the ACL associated with the directory and access subdirectories.
Insert (i), which allows a user to add new files or subdirectories to the directory.
Delete (d), which allows a user to remove files and subdirectories from the directory.
Administer (a), which allows a user to change the ACL for the directory. Users always have this right on their home directory, even if they accidentally remove themselves from the ACL.

Permissions that affect files and subdirectories include:

Read (r), which allows a user to look at the contents of files in a directory and list files in subdirectories. Files that are to be granted read access to any user, including the owner, need to have the standard UNIX "owner read" permission set. This can be done with the command chmod o+r filename.
Write (w), which allows a user to modify files in a directory. Files that are to be granted write access to any user, including the owner, need to have the standard UNIX "owner write" permission set. This can be done with the chmod o+w filename command.
Lock (k), which allows the processor to run programs that need to "flock" files in the directory. See the UNIX man page for "flock" for more details.

System administation info

Creating an AFS partition:

To create an AFS partition on an existing partition by creating a file, and mounting it with the loopback driver:

Create the file to hold the partition by:

dd if=/dev/zero of=vicepb bs=1M count=58k

This example created a 58 GB partition (58k blocks @ 1Mbyte each).

Create a file system on the partition (format the partition)

mke2fs -v -T largefiles -L "AFS no backup" vicepb

Create the mount point. The partition must be mounted at /vicep[a-z].

mkdir /vicepb

Create an entry in /etc/fstab

/mnt/hda3/vicepb /vicepb ext2 loop 0 0

mount the disk:

mount /vicepb

Restart the AFS bos server. This will restart AFS' fs process, causing it to recognize the new partition.

bos restart localhost fs -localauth

To create a volume

(as root):

/usr/sbin/vos create localhost /vicepb media.music -maxquota 15360 -localauth

Mount it:

fs mkmount /afs/lewin.nu/media/music media.music -rw

Creating a user (the complicated way)

Create the user:

pts createuser <username> <unix user id>

Create a volume for the user's home directory:

/usr/sbin/vos create localhost /vicepa user.erl -localauth

Mount the user home directory volume:

fs mkmount /afs/lewin.nu/home/erl user.erl

Give the user rights to his own directory

fs setacl /afs/lewin.nu/homeærl -acl erl all

chown erl /afs/lewin.nu/home/erl

To create a global group

pts creategroup -name music-editors

Disk content plan: Music: 12G Video: 36G Voxi: 3.8G? =52G? voxi stuff @/mnt/hdc3/hdb1 put on 58GB non-backed up AFS partition?

AFS Access From Windows

Install MIT Kerberos For Windows.

Installing AFS Client under Linux

To use AFS 1.3.83 under Linux 2.6.10, the patch from https://lists.openafs.org/pipermail/openafs-devel/2005-June/012267.html is required.

Linux System settings

Settings for starting AFS under Linux are in /etc/sysconfig/afs

If "/usr/sbin/vos listvol localhost -localauth" shows volumes are not mounted, run "bos salvage localhost -all -localauth".

Installing AFS Client under Mac OS X

Install OpenAFS from openafs.org.

Add the following lines to the beginning of the file /var/db/openafs/CellServDB:

>lewin.nu
83.227.241.4       #sol.lewin.nu

A restart might be neccessary after the above file editing, to get the computer to discover the lewin.nu cell.

Kerberos is built into Mac OS X at least from 10.4 on. But, to get a Kerberos ticket you need to find and run the Kerberos program, which is located under :System:Library:Core Services:Kerberos.

However, as far as I can tell, after getting Kerberos tickets, you need to run the command "aklog -c lewin.nu -k LEWIN.NU" in a terminal window in order to be able to access AFS directories with limited access.

Moving volumes between partitions

/usr/sbin/vos move -fromserver localhost -id media.photos -frompartition /vicepd -topartition /vicepf -toserver localhost -localauth

Installing on a new Linux machine

System administration

The AFS logs are under /usr/var/openafs/logs.