########################
AFS Client Configuration
########################

Authentication and Identification
=================================

We use pam_krb5 and nss LDAP.  We also abuse the PAM system to provide AFS
tokens for the session (as is typical).  Installing any kind of PAM LDAP
integration is probably unnecessary and unwise.  You may in fact need to
disable some PAM modules.

Cell Discovery
==============

We have all the DNS records for automagic cell discovery inserted, so there's
no real need to manipulate ``CellServDB``.

AFS Hard Mount Semantics
========================

You may find it desirable to engage "hard-mount" semantics (retry forever for
volumes in ThisCell; see this thread_) with something like these lines in
``/etc/rc.local``::

    # AFS hard-mount semantics, on both RO and RW volumes, with retries every 10 seconds.
    echo 10 > /proc/sys/afs/hm_retry_int
    echo 1 > /proc/sys/afs/hm_retry_RW
    echo 1 > /proc/sys/afs/hm_retry_RO

or better, something like this in ``/etc/openafs/afs.conf`` on Debian
systems::

    OPTIONS=AUTOMATIC

    afs_post_init_hook() {
        # AFS hard-mount semantics, on both RO and RW volumes, with retries every 10 seconds.
        sysctl afs.hm_retry_RO=1
        sysctl afs.hm_retry_RW=1
        sysctl afs.hm_retry_int=10
    }
    AFS_POST_INIT=afs_post_init_hook

.. _thread: https://lists.openafs.org/pipermail/openafs-devel/2002-January/007335.html

.. _host-keytabs:

Landing a Keytab
================

We often want hosts to be able to access configuration or store data in AFS.
In order to do so, you will need to create a Kerberos principal for the
machine and give it an entry in the pts database, much like you would for a
user.

Host Principal and Keytab
-------------------------

If a machine needs to be able to access configuration from AFS, you need to
create a keytab and pts entry for it to use and then fiddle with its local AFS
configuration.

.. _tutorial: http://www.microhowto.info/howto/create_a_host_principal_using_mit_kerberos.html

Based on a tutorial_ identified by nwf, you can do the following to get a
proper keytab for the machine.  First, run ``kadmin`` from an appropriate
machine.  Then (replacing ``HOSTNAME`` with the name of the machine you're
setting up)::

    addprinc -randkey host/HOSTNAME.acm.jhu.edu
    ktadd -k HOSTNAME.keytab host/HOSTNAME.acm.jhu.edu

This will give you a keytab called ``HOSTNAME.keytab`` in the home directory
on whatever machine you were running ``kadmin`` from.  ``scp`` (or otherwise
transfer) it over to the machine that actually needs it, then stick that
keytab in ``/etc/krb5.keytab``.

PTS Entry
---------

Because ``afs`` is old, it uses a somewhat different syntax for host
principals.  In any event, the command you want (after putting on your admin
hat and running ``aklog``) is::

    pts cu -na rcmd.HOSTNAME

Local Config
------------

.. todo finish
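As an added example (not part of this page or of the OpenAFS tooling), the
following POSIX shell script checks a client against the hard-mount and keytab
sections above: it derives the ``rcmd.HOSTNAME`` pts name from a ``host/``
Kerberos principal, verifies that the landed ``/etc/krb5.keytab`` is readable
by root alone, and confirms the hard-mount sysctls are actually set once the
afs module is loaded.  It assumes a Linux client with GNU ``stat`` and the
OpenAFS sysctl tree under ``/proc/sys/afs``; the function names are ours.

```shell
#!/bin/sh
# Added example: post-setup checks for an AFS client.  Assumes Linux, GNU
# coreutils (stat -c) and OpenAFS sysctls under /proc/sys/afs.

# Map a Kerberos host principal (host/HOSTNAME[@REALM]) to the name the AFS
# pts database uses for it (rcmd.HOSTNAME).  Other principals come back
# unchanged apart from the realm, which is how pts names users.
pts_name_for_principal() {
    p="${1%@*}"                              # drop @REALM if present
    case "$p" in
        host/*) printf 'rcmd.%s\n' "${p#host/}" ;;
        *)      printf '%s\n' "$p" ;;
    esac
}

# Succeed only if the keytab exists and is readable by its owner alone.
# A group- or world-readable /etc/krb5.keytab hands the host's credentials,
# and therefore its AFS tokens, to every local user.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1    # GNU stat: octal mode bits
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Read the hard-mount sysctls below ROOT/afs (ROOT defaults to /proc/sys) and
# succeed only if retries are enabled for both RO and RW volumes.  Prints the
# retry interval so the caller can see what was actually applied.
hardmount_engaged() {
    d="${1:-/proc/sys}/afs"
    for f in hm_retry_RO hm_retry_RW hm_retry_int; do
        [ -r "$d/$f" ] || return 1          # files appear only once afs is loaded
    done
    ro=$(cat "$d/hm_retry_RO")
    rw=$(cat "$d/hm_retry_RW")
    int=$(cat "$d/hm_retry_int")
    [ "$ro" = "1" ] && [ "$rw" = "1" ] && printf 'retry interval: %ss\n' "$int"
}

# Run every check for this host and exit non-zero if anything is off.
afs_client_check() {
    host=$(hostname -f 2>/dev/null || hostname)
    rc=0
    printf 'pts entry expected: %s\n' "$(pts_name_for_principal "host/$host")"
    keytab_perms_ok /etc/krb5.keytab \
        || { echo 'keytab missing or too permissive' >&2; rc=1; }
    hardmount_engaged \
        || { echo 'hard-mount semantics not engaged (afs module loaded?)' >&2; rc=1; }
    return $rc
}

# Usage: sh afs-client-check.sh run
case "${1:-}" in
    run) afs_client_check ;;
esac
```

Run it after the keytab has been landed and the afs module is up; a failing
hard-mount check right after boot usually means the ``rc.local`` approach ran
before the module loaded, which is exactly why the ``afs.conf`` post-init hook
is the better place for those sysctls.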