Creating a New Cell on Fedora
This is a step-by-step guide to setting up an AFS server on Fedora. I used Fedora 7 with OpenAFS 1.4.4 and the standard MIT KerberosV provided by the Fedora repositories.
When I set out to create an AFS server, I found little up-to-date documentation. Simply realizing that I should use KerberosV took a while; actually getting it installed was a different story. The original IBM documentation was complete, but very old. This wiki was good, but the Kerberos page was a little hard to understand and fit into the IBM instructions. The mailing list was quite helpful but difficult to search.
I chose Fedora simply because it is used where I work. These instructions should work just as well for RHEL or any other distribution of Linux. Remember that some distros install AFS files to different directories.
Server Setup
Preparing the Installation
You first need to install Fedora or RHEL. I'll leave this to you. An important thing to keep in mind is that you'll need a partition to store volumes for AFS. This will be mounted at /vicepa. If you have multiple partitions they can be mounted at /vicepb, /vicepc, etc. From what I've heard, ext2/3 are good choices, while ReiserFS is a bad choice. I've also heard that XFS works well, although I'm not sure (I used ext3).
When I first installed AFS, I couldn't connect due to the firewall blocking the necessary ports. I have since disabled the firewall and SELinux. If you need a secure environment, I would recommend figuring out what ports to leave open and how to get SELinux to cooperate. I leave this to you.
When installing AFS, I found networking to be rather painful. Make sure that DNS is set up before you begin. Just to make life easier, I set up a DNS server on my AFS box. This was very simple: 'yum install bind system-config-bind'. Use system-config-bind to add a zone and entries and you'll be set.
Installing Kerberos
Install Kerberos via 'yum install krb5-server krb5-workstation'. You will need to edit /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf before creating the database and necessary principals (a Kerberos user or application is internally known as a principal).
First edit /etc/krb5.conf. Any instance of <REALM> should be replaced by your realm name, such as COM. Note it should be in all caps. <server> should be replaced by the name of your server, such as dns.example.com.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = <REALM>
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
[realms]
 <REALM> = {
  kdc = <server>:88
  admin_server = <server>:749
  default_domain = <domain>
 }
[domain_realm]
 .<domain> = <REALM>
 <domain> = <REALM>
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
 afs_krb5 = {
  <REALM> = {
   afs/<REALM> = false
   afs = false
  }
 }
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
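The placeholder substitution described above, as an added example that is not part of the original page: a shell script that fills <REALM>, <server> and <domain> into an abridged copy of the template, rejects a realm that is not all caps, and checks the result before it would be installed. The function names krb5_template, render_krb5 and check_krb5 are hypothetical.

```shell
#!/bin/bash
# Added example: fill in the <REALM>, <server> and <domain> placeholders of the
# krb5.conf template and refuse values that would leave a broken realm setup.

# Abridged copy of the template from this page (constructed sample input).
krb5_template() {
cat <<'EOF'
[libdefaults]
 default_realm = <REALM>
[realms]
 <REALM> = {
  kdc = <server>:88
  admin_server = <server>:749
  default_domain = <domain>
 }
[domain_realm]
 .<domain> = <REALM>
 <domain> = <REALM>
EOF
}

# render_krb5 REALM SERVER DOMAIN: print the filled-in config on stdout.
# Returns 1 and prints nothing on stdout if a value is unusable.
render_krb5() {
    local realm="$1" server="$2" domain="$3" v
    # Realm names are case-sensitive; the page asks for all caps.
    case $realm in
        ''|*[![:upper:][:digit:].-]*) echo "realm must be all caps: '$realm'" >&2; return 1 ;;
    esac
    # Host and domain end up in sed replacements: allow hostname characters only.
    for v in "$server" "$domain"; do
        case $v in
            ''|*[![:alnum:].-]*) echo "bad host or domain: '$v'" >&2; return 1 ;;
        esac
    done
    krb5_template | sed -e "s/<REALM>/$realm/g" \
                        -e "s/<server>/$server/g" \
                        -e "s/<domain>/$domain/g"
}

# check_krb5 FILE: succeed only if no <...> placeholder is left and the
# default_realm has a matching stanza under [realms].
check_krb5() {
    local realm
    ! grep -q '<[A-Za-z]*>' "$1" || return 1
    realm=$(sed -n 's/^ *default_realm *= *//p' "$1")
    [ -n "$realm" ] && grep -q "^ *$realm *= *{" "$1"
}
```

Write the output of render_krb5 to a scratch file and run check_krb5 on it before copying it over /etc/krb5.conf.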
-- StevenPelley - 25 Jul 2007