To Add a Client Computer to AFS...

Our hypothetical client system's hostname is 'leroy'.

Leroy is a Red Hat-style i386 Linux system.

  1. Install the necessary software packages.
  2. Modify /etc/krb5.conf to read as:
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     ticket_lifetime = 24000
     default_realm = NICK.GS.WASHINGTON.EDU
     dns_lookup_realm = false
     dns_lookup_kdc = false
    
    [realms]
     NICK.GS.WASHINGTON.EDU = {
      kdc = legionofdoom.gs.washington.edu:88
      admin_server = legionofdoom.gs.washington.edu:749
      default_domain = gs.washington.edu
     }
    
    [domain_realm]
     .gs.washington.edu = NICK.GS.WASHINGTON.EDU
     gs.washington.edu = NICK.GS.WASHINGTON.EDU
    
    [kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf
    
    [appdefaults]
     pam = {
       debug = false
       afs_cells = nick.gs.washington.edu
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }
    
  3. Modify /etc/krb.conf to read as:
    NICK.GS.WASHINGTON.EDU
    NICK.GS.WASHINGTON.EDU  legionofdoom.gs.washington.edu:88
    NICK.GS.WASHINGTON.EDU  legionofdoom.gs.washington.edu:749
  4. Modify /etc/krb.realms to read as:
    .NICK.GS.WASHINGTON.EDU NICK.GS.WASHINGTON.EDU
  5. Modify /usr/vice/etc/CellServDB to read as:
    >nick.gs.washington.edu #Cell name
    128.95.231.16    #legionofdoom.gs.washington.edu
  6. Modify /usr/vice/etc/ThisCell to read as:
    nick.gs.washington.edu
  7. Modify /usr/vice/etc/cacheinfo to read as:
    /afs:/usr/vice/cache:10000000
  8. Modify /etc/sysconfig/afs such that:
  9. Start AFS up for the first time: /etc/init.d/afs start
  10. Place /etc/rc.d symbolic links such that AFS is started automagically upon system reboot and shut down gracefully on system halt.

At this point AFS is installed and running.
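
The following Python check is an added example, not part of the original procedure: it cross-checks the krb5.conf, ThisCell and CellServDB contents from steps 2, 5 and 6, so that a mistyped KDC or admin server hostname or a cell/realm mismatch shows up as a finding instead of as a failed login. The function names and the sample text are constructed here, and the rule that the cell name is the lower-cased realm is an assumption taken from this page's values.

```python
import re

def parse_krb5(text):
    """Return (default_realm, {realm: {key: [values]}}) from krb5.conf text."""
    section = block = default_realm = None
    realms = {}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, block = m.group(1), None
        elif "=" not in line or line[0] in "#;":
            block = None if line == "}" else block  # '}' closes a realm block
        else:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default_realm = value
            elif section == "realms" and value == "{":
                block = realms.setdefault(key, {})
            elif section == "realms" and block is not None:
                block.setdefault(key, []).append(value)
    return default_realm, realms

def check_client(krb5_text, thiscell_text, cellservdb_text):
    """Return a list of findings; an empty list means the three files agree."""
    default_realm, realms = parse_krb5(krb5_text)
    conf = realms.get(default_realm)
    if conf is None:
        return [f"default_realm {default_realm} has no [realms] entry"]
    domain = conf.get("default_domain", [""])[0]
    hosts = [(k, v.rsplit(":", 1)[0]) for k in ("kdc", "admin_server") for v in conf.get(k, [])]
    findings = [f"{k} host {h} is outside {domain}" for k, h in hosts if domain and not h.endswith("." + domain)]
    cell = thiscell_text.strip()
    # Assumption taken from this page: the cell name is the realm in lower case.
    if cell != default_realm.lower():
        findings.append(f"ThisCell {cell} does not match realm {default_realm}")
    if not re.search(rf"^>{re.escape(cell)}(?=\s)[^\n]*\n\d+(\.\d+){{3}}\b", cellservdb_text, re.M):
        findings.append(f"CellServDB has no server entry for {cell}")
    return findings

# Constructed sample: this page's values, with a deliberately truncated admin_server host.
KRB5 = """[libdefaults]
 default_realm = NICK.GS.WASHINGTON.EDU
[realms]
 NICK.GS.WASHINGTON.EDU = {
  kdc = legionofdoom.gs.washington.edu:88
  admin_server = legionofdoom.gs.washington.e:749
  default_domain = gs.washington.edu
 }"""
CELLSERVDB = ">nick.gs.washington.edu #Cell name\n128.95.231.16    #legionofdoom.gs.washington.edu\n"
print(check_client(KRB5, "nick.gs.washington.edu\n", CELLSERVDB))
```

On a real client, pass in the contents of /etc/krb5.conf, /usr/vice/etc/ThisCell and /usr/vice/etc/CellServDB instead of the constructed strings.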

To automatically obtain Kerberos tickets and AFS credentials for system users, modify /etc/pam.d scripts as follows.

  1. Modify /etc/pam.d/system-auth to read as:
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      /lib/security/pam_env.so
    auth        sufficient    /lib/security/pam_unix.so likeauth nullok
    auth        sufficient    /lib/security/pam_krb5afs.so use_first_pass ignore_root tokens
    auth        required      /lib/security/pam_deny.so
    
    account     required      /lib/security/pam_unix.so
    
    password    required      /lib/security/pam_cracklib.so retry=3 type=
    password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password    sufficient    /lib/security/pam_krb5afs.so try_first_pass ignore_root use_authtok
    password    required      /lib/security/pam_deny.so
    
    session     required      /lib/security/pam_limits.so
    session     required      /lib/security/pam_unix.so
    session     optional      /lib/security/pam_krb5afs.so ignore_root use_authtok