AFS: Andrew File System, server side

Based upon Tracy's talk at the AFS Workshop, 2005. Heavily modified for OpenAFS coverage by BenKaduk in 2011.


Before getting into the AFS side, make sure you have a working Kerberos 5 setup. Follow the handbook to get that started. Since I didn't set up any DNS servers, I required some extra info in /etc/krb5.conf:

[libdefaults]
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_realm = MEILAND.NL

[realms]
        MEILAND.NL = {
                kdc =
                admin_server =
        }

[domain_realm]
        = MEILAND.NL

[logging]
        kdc = FILE:/var/log/kdc.log
        default = FILE:/var/log/kdc.log

It is also most convenient to have an AFS client running on the initial server. Check out the installation instructions on the afs page.


There are a few things to keep in mind when assigning storage locations for AFS fileservers. First, the mountpoints should be named /vicepa, /vicepb and so on (this is a long tradition that is essentially hardcoded in). Second, there are two backends that may be used for the storage area of the fileserver: inode and namei. The namei backend uses ordinary files with particular names to store the fileserver data (which should not be accessed other than through an AFS client), whereas the older inode backend performs interesting manipulations with the inodes on disk. As such, it is important to never let a filesystem check tool look at those partitions: non-AFS implementations of fsck and the like have no clue what AFS is doing to files while adding blocks to store ACL information, and AFS has its own tool (the salvager) to do low level file system maintenance. An example fstab would look like this, with a second hard disk (ada1) reserved for AFS (note the trailing 0 0, so the system fsck never runs on these partitions):

/dev/ada1s1d             /vicepa         ufs     rw              0       0
/dev/ada1s1e             /vicepb         ufs     rw              0       0
/dev/ada1s1f             /vicepc         ufs     rw              0       0
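The following is an added check, not part of the original page or the OpenAFS port: a small POSIX sh/awk helper that reads fstab lines on stdin and flags /vicep* entries that break the naming convention or still have a non-zero fsck pass number. The fstab content below is constructed sample input.

```shell
#!/bin/sh
# check_vicep_fstab: hypothetical helper, not shipped with OpenAFS.
# Reads fstab lines on stdin, prints one warning per problem on stderr
# and the total number of problems on stdout.
check_vicep_fstab() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        $2 !~ /^\/vicep/ { next }                # only look at AFS partitions
        {
            problems = 0
            # 1. name must follow the /vicepa, /vicepb, ... /vicepaa tradition
            if ($2 !~ /^\/vicep[a-z][a-z]?$/) {
                print "bad partition name: " $2 > "/dev/stderr"
                problems++
            }
            # 2. fs_passno (6th field) must be 0 so fsck never touches it
            if (NF < 6 || $6 != 0) {
                print "fsck enabled (passno " (NF < 6 ? "unset" : $6) "): " $2 > "/dev/stderr"
                problems++
            }
            total += problems
        }
        END { print total + 0 }
    '
}

# Constructed sample fstab: two good entries, one with fsck enabled,
# one with a non-standard name, and an unrelated root filesystem.
SAMPLE_FSTAB='/dev/ada1s1d   /vicepa   ufs  rw  0  0
/dev/ada1s1e   /vicepb   ufs  rw  0  0
/dev/ada1s1f   /vicepc   ufs  rw  2  2
/dev/ada1s1g   /vicep1   ufs  rw  0  0
/dev/ada0s1a   /         ufs  rw  1  1'

printf '%s\n' "$SAMPLE_FSTAB" | check_vicep_fstab
```

Run it against the live file with `check_vicep_fstab < /etc/fstab`; a non-zero count means a partition is exposed to the system fsck or will not be picked up by the fileserver.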

OpenAFS server

The OpenAFS client and server are currently installed in the same port, but may be enabled and disabled separately in rc.conf.

#>cd /usr/ports/net
#>sh openafs.shar
#>cd openafs
#>make install
#>echo 'afsserver="YES"' >> /etc/rc.conf

Unlike for the client, default configuration values make no sense for the AFS server, so none are provided.

OpenAFS configuration

create kerberos host keys (Heimdal kadmin syntax is shown; ktutil's AFSKEYFILE backend reads the cell name from /usr/afs/etc/ThisCell, which is why that file is created first)

#>kadmin -l
kadmin> add --random-key afs/
kadmin> ext_keytab -k /tmp/afsv5key afs/
#>mkdir -p /usr/afs/etc
#>echo "" > /usr/afs/etc/ThisCell
#>ktutil copy /tmp/afsv5key AFSKEYFILE:/tmp/KeyFile

create some configuration files

#>echo "" > /usr/local/etc/openafs/server/ThisCell
#>cp /tmp/KeyFile /usr/local/etc/openafs/server/KeyFile

add the following to /usr/local/etc/openafs/server/CellServDB

>             #demo cell              

create the cell. Old instructions use the '-noauth' argument to bosserver, which is insecure and no longer needed after the introduction of '-localauth' for most bos commands.

#>bos setcellname -localauth
#>bos create buserver simple /usr/local/libexec/openafs/buserver -localauth
#>bos create ptserver simple /usr/local/libexec/openafs/ptserver -localauth
#>bos create vlserver simple /usr/local/libexec/openafs/vlserver -localauth

create users:

# pts createuser -name hugo -id 1000 -localauth
User hugo has id 1000
# pts createuser -name hugo.afs -id 1001 -localauth   '''hugo.afs instead of hugo/afs is not a typo'''
User hugo/afs has id 1001
# pts adduser hugo.afs system:administrators -localauth
# bos adduser hugo.afs -localauth

now restart the bosserver and check that authentication works:

#> bos shutdown
#> killall bosserver
#> bosserver
#> kinit hugo/afs
#> aklog
#> tokens
#> bos status -server
Instance buserver, currently running normally.
Instance ptserver, currently running normally.
Instance vlserver, currently running normally.

create storage space

#> bos create fs fs /usr/local/libexec/openafs/fileserver /usr/local/libexec/openafs/volserver /usr/local/libexec/openafs/salvager -cell -localauth
#> vos create /vicepa root.afs -localauth
#> vos create /vicepa root.cell -localauth
#> fs setacl /afs system:administrators rlidwka
#> fs setacl /afs system:anyuser rl
#> fs mkmount /afs/ root.cell
#> fs setacl /afs/ system:administrators rlidwka
#> fs setacl /afs/ system:anyuser rl
#> fs mkmount /afs/ root.cell -rw
#> fs setacl /afs/ system:administrators rlidwka
#> fs setacl /afs/ system:anyuser rl

mount external cells:

#> fs mkmount -dir /afs/ -cell -vol root.cell

replicate database servers

To make sure multiple database servers are available, the following actions are required: install a bosserver on as stated above; no other services are required yet. Make sure to copy the keyfile from

#> bos addhost
#> bos addhost
#> bos restart ptserver
#> bos restart vlserver
#>bos create ptserver simple /usr/local/libexec/openafs/ptserver
#>bos create vlserver simple /usr/local/libexec/openafs/vlserver

The servers will now sync automagically, and you can modify your CellServDB on the client to point to the second server as well...

>             #demo cell                   
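As an added example (not from the original page or OpenAFS), here is a sh/awk helper that parses a CellServDB on stdin, prints the number of database servers listed per cell, and warns when a cell has fewer than the expected minimum (default 2, matching the replication step above) or when a line is malformed. The cell names and 192.0.2.x addresses in the sample are constructed placeholders.

```shell
#!/bin/sh
# cellservdb_check [MIN]: hypothetical helper, not shipped with OpenAFS.
# CellServDB format: ">cellname   #description" starts a cell, and each
# following "A.B.C.D   #hostname" line names one database server for it.
# Prints "cell<TAB>count" per cell on stdout; warnings go to stderr.
cellservdb_check() {
    awk -v min="${1:-2}" '
        function flush() {
            if (cell != "") {
                print cell "\t" n
                if (n < min) print "warning: " cell " has only " n " db server(s)" > "/dev/stderr"
            }
        }
        NF == 0 { next }
        /^>/ { flush(); cell = substr($1, 2); n = 0; next }
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[ \t]+#[^ \t]+/ {
            if (cell == "") print "warning: server line before any cell: " $0 > "/dev/stderr"
            else n++
            next
        }
        { print "warning: malformed line: " $0 > "/dev/stderr" }
        END { flush() }
    '
}

# Constructed sample: one cell with two db servers (the replicated setup
# described above), one cell with a single server, and a garbage line.
SAMPLE_CELLSERVDB='>demo.example            #demo cell
192.0.2.10              #afsdb1.demo.example
192.0.2.11              #afsdb2.demo.example
>lonely.example         #cell with a single server
192.0.2.20              #afsdb1.lonely.example
not a valid line'

printf '%s\n' "$SAMPLE_CELLSERVDB" | cellservdb_check
```

Run it on both the server copy and the client copy of CellServDB after adding the second database server; the hosts listed there are the ones clients will trust for the cell's databases, so both copies should agree.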

afs-server (last edited 2011-05-25 05:29:15 by BenKaduk)