Skip to content

Installation of OpenAFS

Installation on Debian/Ubuntu

(prepared by V. Olsen - 2017-12-06)

Tested on Debian Stretch

Install Packages

$ sudo apt install openafs-client openafs-modules-dkms openafs-krb5 krb5-user krb5-config

Issue with obsolete packages

(R. De Maria)

In case of issues (see Mattermost discussion), newer package can be sourced the following instructions.

In Ubuntu 18.04 this can be done as follows: 

sudo apt install init-system-helpers/bionic-backports
sudo add-apt-repository ppa:openafs/stable
sudo apt-get update
sudo apt-get upgrade

In UBUNTU 20.04.1 it can be done as follows:

sudo add-apt-repository ppa:openafs/stable
sudo apt-get update
sudo apt-get upgrade

Then install packages as written before

Configure AFS and Kerberos

1. Use "cern.ch" as default AFS cell

$ echo "cern.ch" | sudo tee /etc/openafs/ThisCell

Note that depending on the distribution, the access configuration might be outdated. To fix this, open /etc/openafs/CellServDB in a text editor and remove the IP-adresses below >cern.ch. The result should look like

>cern.ch                #European Laboratory for Particle Physics, Geneva
>ams.cern.ch            #AMS Experiment
>[next cell definition here...]

Then restart the afs client using

systemctl restart openafs-client.service.

More information can be found in OTG0074822.

2. Set up Kerberos authentication

Add the following lines to file /etc/krb5.conf:

# settings for CERN.CH realm are taken from file
#   lxplus.cern.ch:/etc/krb5.conf

[libdefaults]
  default_realm = CERN.CH

[realms]
  CERN.CH = {
  default_domain = cern.ch
  kpasswd_server = cerndc.cern.ch
  admin_server = cerndc.cern.ch
  kdc = cerndc.cern.ch
  }

[domain_realm]
  cern.ch = CERN.CH
  .cern.ch = CERN.CH

3. Restart OpenAFS client

On Ubuntu 16.04 and above:

$ sudo systemctl restart openafs-client.service

On older versions:

$ sudo service openafs-client restart

4. Login (optional, only needed to access protected paths):

$ kinit $LOGNAME@CERN.CH     # get kerberos ticket
$ aklog                      # login to AFS cell

Miscellanea

Configuration steps 1) and 2) can be done with:

$ sudo dpkg-reconfigure openafs-client
$ sudo dpkg-reconfigure krb5-config

It might be useful to set-up a crontab job (e.g. every 6h) to automatically renew the kerberos token:

0    -/6    -    -    - kinit -R ; aklog -c cern.ch -k CERN.CH

Pay attention that kinit -R (i.e. renew existing token) won't require any password to be typed in; on the other hand, a token can be renew for a maximum of 5d after its generation, hence a kinit (with password) is needed. Anyway, if kinit is issued on Monday morning, so that for the rest of the week you don't have to bother with that.

Reference: http://akorneev.web.cern.ch/akorneev/howto/openafs.txt

Possible problems on Ubuntu

If you have a recent Ubuntu installation, the above procedure might not entirely work as there could be a kernel incompatibility with the latest openafs. This is shown if you try aklog: it will then give the error

aklog: a pioctl failed while obtaining tokens for cell cern.ch

Furthermore, also a query of the openafs service with

$ sudo systemctl status openafs-client.service

will give errors:

openafs-client-precheck[2963]: modprobe: FATAL: Module openafs not found in directory /lib/modules/4.10.
openafs-client-precheck[2963]: Failed to load openafs.ko.  Does it need to be built?

I found a solution that worked for me, by adding a specific repository for openafs:

$ sudo apt-get purge openafs-client
$ sudo add-apt-repository ppa:openafs/stable
$ sudo apt-get update
$ sudo apt install openafs-client
$ sudo apt install --reinstall openafs-modules-dkms

Now we need to restart the service:

$ sudo systemctl stop openafs-client.service
$ kinit username@CERN.CH
$ sudo systemctl start openafs-client.service

You can check that the service is running as it should:

$ sudo systemctl status openafs-client.service

No more errors! Continue as before, aklog and possibly a crontab for kinit.

Note: It may be enough to just run

$ sudo dpkg-reconfigure openafs-modules-dkms

Within Windows Subsystem Linux (WSL)

The same error as above can occur in WSL, and while the solution is also to reconfigure the kernel modules, one needs to download the kernel source first and perform some of the build steps.

A guide has been written in this gist from Joschua.

Installation on MacOS

(prepared by F. Van Der Veken - 2020-04-01)

Mounting AFS on macOS can be a bit messy and is very poorly supported. In general it is preferred to access AFS via LxPlus and move your files to your local computer with scp. If you want to try mounting AFS anyway, there are two ways to proceed: using FUSE, or using OpenAFS.

Tested on macOS Sierra (10.12.6) and Catalina (10.15.4).

Using OpenAFS

So far, it is not possible to install OpenAFS on macOS High Sierra (10.13). More importantly, when upgrading macOS to version 10.13 it is extremely important to deinstall OpenAFS completely before making the upgrade, to avoid a never-ending loop of kernel-panics which are due to the AFS local cache being converted to the new Apple File System (APFS).

Installers can be downloaded from:

These are not officially supported, but third-party binaries provided by Sine Nomine (more information at https://wiki.openafs.org/archive/BinaryThirdParty/). Older versions of macOS are officially supported and can be downloaded from http://www.openafs.org/macos.html.

Update Auristor now has installers for later versions of macOS:

This seems to work on Catalina, however, do not upgrade macOS without deinstalling OpenAFS first (which is then named Auristor) to avoid disk crashes.

During the installation, when asked for the local cell this is cern.ch. Give the installation permissions in System Preferences when needed. After installation, a reboot is needed. Luckily macOS comes with Kerberos pre-installed, so that's all. If you want to access protected paths, you'll have to login with Kerberos:

$ kinit user@CERN.CH     # get kerberos ticket
$ aklog                  # login to AFS cell

There is an OpenAFS/Auristor preference pane in your system preferences in which you can change the cell (not needed), auto-renew Kerberos tickets, and let OpenAFS start at boot.

Using FUSE and SSHFS

FUSE for mac and the SSHFS plugin can be downloaded from http://osxfuse.github.com. Alternatively, both can be installed using macports:

$ sudo port install osxfuse ; sudo port install sshfs

Verifying if OSXFUSE is installed can be done in the preferences pane, while checking if SSHFS is installed can be done by typing

$ sshfs  -h

in the terminal. To mount the filesystem we have first to create a folder to hold its location. Normally all disks are mounted in /Volumes/, however, from macOS 10.12 one needs to have root permissions to write to this location. But this is not really a problem, as a volume can be mounted at any location, so your home folder will do fine. Mounting the volume is then done by:

$ mkdir ~/DISK_NAME
$ sshfs USER@lxplus.cern.ch:AFSPATH  ~/DISK_NAME -ovolname=DISK_NAME

This can be simplified by making an alias in .bash_profile. Unmounting the volume is done in the usual way in Finder (clicking the unmount icon to the right of the volume). If for some reason unmounting does not work, the volume can be forcefully ejected by typing

$ diskutil unmountDisk force ~/DISK_NAME

If you want to automatically mount the drive on startup, have a look at:

http://superuser.com/questions/134140/mount-an-sshfs-via-macfuse-at-boot .

February 2023: AFS update - clients rely only on configuration via DNS

Some users reported that the local afs installation is not working any more. This could be related to the update on afs, removing hard-coded IP addresses linking the cern.ch afs cell. The issue and solution is described in the resources listed below.

https://cern.service-now.com/service-portal?id=outage&n=OTG0067310

https://cern.service-now.com/service-portal?id=outage&n=OTG0074822