PC configuration

How to configure a machine to use the MPCDF AFS and Kerberos infrastructure.

General remarks

This document describes the configuration you should use on a PC installed on the Garching campus or at IPP in Greifswald.

Note for Windows users:

These settings are only for stand-alone Windows PCs. Do not use them if your PC is a member of one of the Active Directory domains (ipp.mpg.de or ipp-hgw.mpg.de); a domain member gets its Kerberos settings from the domain.

Note for non-IPP users:

If you are not at IPP but want to use the AFS cell "ipp-garching.mpg.de", use the Kerberos and AFS-client configuration of the location closest to you.

If in doubt, use the Garching configuration.

 

Kerberos

DNS-entries

Garching:

Aliases: kerberos1.rzg.mpg.de, kerberos2.rzg.mpg.de, kerberos3.rzg.mpg.de

Round robin: kerberos.rzg.mpg.de

Greifswald:

see Garching

SRV records are available: you can also configure your client to take the KDC list from DNS (dns_lookup_kdc in krb5.conf), but then you will get the servers located in Garching, which is not what you want when you are sitting in Greifswald.

 

File location on your PC

    • UNIX: /etc/krb5.conf or /etc/krb5/krb5.conf
    • Windows:
      • MIT Kerberos for Windows (KfW): C:\WINDOWS\krb5.ini
      • Heimdal (recommended): C:\ProgramData\Kerberos

 

Download

Download the standard configuration for your client:

 

Snippets:

If you want to configure your client differently, the following snippets might help:

      [realms]
      IPP-GARCHING.MPG.DE = {
              kdc = kerberos.rzg.mpg.de
              kdc = kerberos1.rzg.mpg.de
              kdc = kerberos2.rzg.mpg.de
              kdc = kerberos3.rzg.mpg.de
              admin_server = kerberos1.rzg.mpg.de
              default_domain = rzg.mpg.de
      }
      [domain_realm]
      mpcdf.mpg.de = IPP-GARCHING.MPG.DE
      .mpcdf.mpg.de = IPP-GARCHING.MPG.DE
      rzg.mpg.de = IPP-GARCHING.MPG.DE
      .rzg.mpg.de = IPP-GARCHING.MPG.DE
      ipp.mpg.de = IPP-GARCHING.MPG.DE
      .ipp.mpg.de = IPP-GARCHING.MPG.DE
      ipp-hgw.mpg.de = IPP-GARCHING.MPG.DE
      .ipp-hgw.mpg.de = IPP-GARCHING.MPG.DE
      ipp-garching.mpg.de = IPP-GARCHING.MPG.DE
      .ipp-garching.mpg.de = IPP-GARCHING.MPG.DE
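The [domain_realm] section above lists every domain twice, once with and once without a leading dot. The added example below (not part of the MPCDF page) emulates how a Kerberos client applies that section, so you can see why both forms are needed: an entry without a dot matches exactly that host, an entry with a dot matches every host below that domain, and the host itself is tried before its parent domains. The krb5.conf it reads is constructed inline from the snippet above; the host names node01.rzg.mpg.de and login.mpcdf.mpg.de and the override of guest.rzg.mpg.de to EXAMPLE.ORG are hypothetical and only there to exercise the rules.

```shell
#!/bin/sh
# Added example, not from the MPCDF page: emulate the [domain_realm] lookup
# of a Kerberos client against a constructed krb5.conf.

# Constructed sample krb5.conf: the MPCDF mapping from the page plus one
# hypothetical host-specific override to show that an exact entry wins.
SAMPLE_KRB5_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_KRB5_CONF"' EXIT
cat > "$SAMPLE_KRB5_CONF" <<'EOF'
[libdefaults]
    default_realm = IPP-GARCHING.MPG.DE

[realms]
    IPP-GARCHING.MPG.DE = {
        kdc = kerberos.rzg.mpg.de
        admin_server = kerberos1.rzg.mpg.de
    }

[domain_realm]
    mpcdf.mpg.de = IPP-GARCHING.MPG.DE
    .mpcdf.mpg.de = IPP-GARCHING.MPG.DE
    rzg.mpg.de = IPP-GARCHING.MPG.DE
    .rzg.mpg.de = IPP-GARCHING.MPG.DE
    guest.rzg.mpg.de = EXAMPLE.ORG
EOF

# lookup_entry CONF KEY: print the realm mapped to KEY in [domain_realm],
# or nothing if there is no such entry.
lookup_entry() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { insec = ($1 == "[domain_realm]"); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# realm_for_host CONF HOST: print the realm for HOST, or return 1 if the
# mapping has no entry (a real client then falls back to default_realm or DNS).
realm_for_host() {
    conf=$1
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # the client lowercases the name
    r=$(lookup_entry "$conf" "$host")           # 1. exact host entry (no dot)
    if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
    rest=$host
    while [ "${rest#*.}" != "$rest" ]; do       # 2. walk up the parent domains
        rest=${rest#*.}
        r=$(lookup_entry "$conf" ".$rest")      #    and try the ".domain" form
        if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
    done
    return 1
}

# Demonstration when run as a script.
for h in node01.rzg.mpg.de rzg.mpg.de guest.rzg.mpg.de login.mpcdf.mpg.de www.example.com; do
    printf '%-22s -> %s\n' "$h" "$(realm_for_host "$SAMPLE_KRB5_CONF" "$h" || echo '(no mapping)')"
done
```

Run it as a script to see the five lookups; node01.rzg.mpg.de is matched by the ".rzg.mpg.de" entry, rzg.mpg.de itself only by the entry without the dot, and www.example.com by nothing at all. If you drop one of the two forms from your real krb5.conf, the corresponding class of hosts silently loses its realm mapping and GSSAPI logins to it fail.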

Passwordless ssh within MPCDF

Most Linux machines at MPCDF allow direct login with a Kerberos ticket.

If you want to use this, create the file

~/.ssh/config with

      # Only hosts in the MPCDF domain get GSSAPI login and a forwarded ticket
      Host *.rzg.mpg.de
      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials yes

For this to work you must always use the fully qualified host name (FQDN), because the Host pattern is matched against the name you type.

If you are sure that you never ssh to machines outside IPP/MPCDF, you can omit the Host line, but then your ticket is forwarded to every machine you ever ssh to, which is probably not what you want: a forwarded ticket lets the remote host act as you for its lifetime.
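An added example of a stricter version of the same file (not from the MPCDF page). It assumes OpenSSH 6.5 or newer, which supports CanonicalizeHostname and re-reads the configuration after canonicalizing the name, and it assumes, as stated above, that the hosts you log in to are in rzg.mpg.de. The short host name myhost is hypothetical.

```sshconfig
# Expand a short name such as "myhost" to myhost.rzg.mpg.de before the Host
# blocks below are matched, so the FQDN no longer has to be typed.
# (rzg.mpg.de as the only search domain is an assumption of this example.)
CanonicalizeHostname yes
CanonicalDomains rzg.mpg.de

# Only hosts in the MPCDF domain receive a forwarded Kerberos ticket.
Host *.rzg.mpg.de
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# Everything else may still authenticate with GSSAPI, but never gets the ticket.
# This is the OpenSSH default; it is written out so that a later, broader
# "Host *" edit cannot silently enable delegation everywhere.
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

OpenSSH uses the first matching value for each option, so the specific block must stay above the "Host *" block. After logging in, klist on the remote machine shows whether a ticket was actually forwarded.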

 

AFS-Client

The OpenAFS client needs mainly two settings:

the cell it belongs to (ThisCell) and where to find the AFS database servers (CellServDB).

The configuration of the cache is complex and should only be touched by experienced users.

Please consult the documentation of your distribution on how to install the client.

The packages themselves are available from your distribution or from www.openafs.org.

Unix users should use version 1.6.x,

Windows users the latest version from www.openafs.org. A short installation guide for Windows is given here.

If you change any of the parameters described below, do not forget to restart the AFS client.

More information about AFS at IPP is given here.

 

AFS-ThisCell

 

File-location on your PC

Unix: /usr/vice/etc/ThisCell or /etc/openafs/ThisCell

Windows: C:\Programme\OpenAFS\Client\ThisCell (C:\Program Files on an English Windows)

This file must contain only "ipp-garching.mpg.de", without a trailing newline character.

Download ThisCell.

 

AFS-Database-servers

 

DNS-entries

SRV records: clients using the DNS servers in Greifswald are directed to the AFS database servers in Greifswald, those using the DNS servers in Garching to the servers located in Garching.

 

File-location on your PC

Unix: /usr/vice/etc/CellServDB or /etc/openafs/CellServDB

Windows : C:\Programme\OpenAFS\Client\CellServDB

 

Download

Download the standard configuration for your client:

 

Snippets

Here is the snippet relevant for the AFS cell "ipp-garching.mpg.de".

Entries for other cells can be taken from other sources.

      >ipp-garching.mpg.de    #Institut fuer Plasmaphysik
      130.183.9.5                     #afs-db1.rzg.mpg.de
      130.183.100.10                  #afs-db2.aug.ipp-garching.mpg.de
      130.183.14.14                   #afs-db3.bc.rzg.mpg.de
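Two things go wrong often enough with these files that they are worth checking mechanically: a ThisCell that carries a trailing newline (most editors add one), and a CellServDB entry whose addresses are malformed or missing. The added example below (not from the MPCDF page) implements both checks and a small parser for the ">cell / address #comment" format. It runs offline against constructed copies of ThisCell and of the CellServDB snippet above; the second cell example.org with the address 192.0.2.10 is hypothetical. Point the functions at /etc/openafs or /usr/vice/etc to check a real client.

```shell
#!/bin/sh
# Added example, not from the MPCDF page: sanity checks for ThisCell and
# CellServDB, run here against constructed files so it works offline.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed ThisCell exactly as the page prescribes: cell name, no newline.
printf 'ipp-garching.mpg.de' > "$WORK/ThisCell"
# A second, wrong copy with the trailing newline an editor typically adds.
printf 'ipp-garching.mpg.de\n' > "$WORK/ThisCell.bad"

# Constructed CellServDB: the page's MPCDF entry plus a hypothetical second cell.
cat > "$WORK/CellServDB" <<'EOF'
>ipp-garching.mpg.de    #Institut fuer Plasmaphysik
130.183.9.5                     #afs-db1.rzg.mpg.de
130.183.100.10                  #afs-db2.aug.ipp-garching.mpg.de
130.183.14.14                   #afs-db3.bc.rzg.mpg.de
>example.org            #hypothetical other cell
192.0.2.10                      #db.example.org
EOF

# check_thiscell FILE CELL: FILE must hold exactly CELL, no newline, nothing else.
# The byte count catches the newline, which "$(cat ...)" alone would strip.
check_thiscell() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "${#2}" ] && [ "$(cat "$1")" = "$2" ]
}

# cell_servers FILE CELL: print the database-server addresses listed under
# ">CELL", one per line, without the "#hostname" comments.
cell_servers() {
    awk -v cell=">$2" '
        /^>/ { incell = ($1 == cell); next }
        incell && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }
    ' "$1"
}

# check_cellservdb FILE CELL: CELL must list at least one server and every
# address must be a valid dotted quad (each octet 0..255).
check_cellservdb() {
    file=$1; cell=$2; n=0
    for ip in $(cell_servers "$file" "$cell"); do
        oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
        for octet in "$@"; do
            [ "$octet" -le 255 ] || return 1
        done
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Demonstration when run as a script.
for f in ThisCell ThisCell.bad; do
    if check_thiscell "$WORK/$f" ipp-garching.mpg.de; then
        echo "$f: ok"
    else
        echo "$f: WRONG (trailing newline or unexpected content)"
    fi
done
echo "database servers for ipp-garching.mpg.de:"
cell_servers "$WORK/CellServDB" ipp-garching.mpg.de
check_cellservdb "$WORK/CellServDB" ipp-garching.mpg.de && echo "CellServDB entry: ok"
```

The checks are purely syntactic; whether the listed addresses are the current database servers is something only the DNS SRV records or an `fs checkservers` against the running client can tell you.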

 

 

CellAlias

A cell alias is a shortcut in the /afs directory. The best-known one here is /afs/ipp for /afs/ipp-garching.mpg.de.

 

File-location on your PC

Unix: /usr/vice/etc/CellAlias or /etc/openafs/CellAlias

Windows : Registry-Key [HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks] (details)

 

Download

Download standard configuration for your client :

      OS \ Location   IPP
      Unix            CellAlias
      Windows         see snippets below

 

Snippets

Here is the snippet relevant for the AFS cell "ipp-garching.mpg.de".

Entries for other cells can be taken from other sources.

Unix :

      ipp-garching.mpg.de ipp
      ipp-garching.mpg.de rzg.mpg.de
      ipp-garching.mpg.de rzg
      ipp-garching.mpg.de @cell
      mpa-garching.mpg.de mpa
      mpe.mpg.de mpe

Windows :

Warning! Only do this if you know what you are doing!

You need to add the following entries of type REG_SZ (string) to the registry key [HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks]:

(Do not forget the trailing dots "."!)

      ipp:ipp-garching.mpg.de.
      .ipp:.ipp-garching.mpg.de.

 

Firewall

AFS is a distributed file system. For performance reasons, files are cached locally on the client.

A fileserver therefore needs to be able to tell your client that a file it has cached has been changed by another client and that the local copy must be discarded (a "callback").

For this to work, the fileservers need to be able to reach the client on port UDP/7001.

Please make sure that your personal firewall allows incoming UDP packets on this port. A stateful rule that only admits replies to the client's own requests is not sufficient, because a callback can arrive long after the client last talked to that fileserver.

 

Login using PAM (UNIX only)

This section describes how to obtain the credentials (Kerberos ticket, AFS token) directly at login by means of PAM (Pluggable Authentication Modules).

! If you install this, you need to use your MPCDF user ID and password to log in to your PC/laptop.

We recommend the use of pam-krb5 and pam-afs-session from Russ Allbery at Stanford.

You can get those at :

http://www.eyrie.org/~eagle/software/pam-afs-session/

http://www.eyrie.org/~eagle/software/pam-krb5/

 

Notes:

Some Linux distributions already ship packaged versions of these modules. Unfortunately there is also another pam_krb5 package, not written by Russ Allbery and not compatible with this setup. On RPM-based systems you can check which one you have with rpm -qi pam_krb5.

For compiling you might need to install the krb5-devel package or its equivalent.

Install pam_afs_session.so and pam_krb5.so in the same directory as the other PAM modules, e.g. next to pam_unix2.so.

After compiling, enable them in /etc/pam.d/login (text login), /etc/pam.d/[egk]dm (graphical login) or /etc/pam.d/sshd (sshd); the exact mechanism depends on your UNIX flavour.

ATTENTION: pam-afs-session needs the aklog binary to work. It should be part of your OpenAFS client installation.

As an example, /etc/pam.d/login could look like this, but do not simply copy it over your existing PAM file!

The important lines are marked with # XXX.

For further documentation, read the respective README.html on the web pages given above.

      #%PAM-1.0
      auth     required       pam_env.so
      auth     sufficient     pam_krb5.so  minimum_uid=500 try_first_pass     # XXX
      auth     required       pam_unix2.so    # set_secrpc
      auth     required       pam_nologin.so
      account  required       pam_unix2.so
      account  required       pam_nologin.so
      account  required       pam_access.so
      password required       pam_pwcheck.so
      password required       pam_unix2.so    use_first_pass use_authtok
      session  required       pam_unix2.so    none # trace or debug
      session  optional       pam_krb5.so         # XXX
      session  optional       pam_afs_session.so ignore_root program=/usr/bin/aklog,-noprdb   # XXX
      session  required       pam_limits.so
