Configuring AFS clients
From Syscore
The "correct" AFS Client configuration for use at UMBC is as follows:
Cell
umbc.edu
Special Note for Windows Clients
If you are running any sort of firewall on your system (Windows or not, actually), make sure it is configured to allow inbound traffic to port 7001/udp. If it isn't, your AFS cache manager (client) will not be able to receive cache callback notifications. In addition, clients that drop cache-callback notifications without responding to them in a reasonable amount of time can cause thread starvation on the AFS servers they communicate with.
We may soon scan active AFS clients for open callback ports, and block those that do not accept callback traffic from using our servers.
Database Servers
Correct Configuration
db1.afs.umbc.edu
db2.afs.umbc.edu
db3.afs.umbc.edu
Or, in CellServDB format:
>umbc.edu            #University of Maryland, Baltimore County
130.85.24.101        #db1.afs.umbc.edu
130.85.24.23         #db2.afs.umbc.edu
130.85.24.87         #db3.afs.umbc.edu
We also have AFS DB server records in our DNS, for "freelance" clients to automatically use our cell.
umbc.edu subtype = 1, DCE/AFS server = db1.afs.umbc.edu
umbc.edu subtype = 1, DCE/AFS server = db2.afs.umbc.edu
umbc.edu subtype = 1, DCE/AFS server = db3.afs.umbc.edu
db1.afs.umbc.edu internet address = 130.85.24.101
db2.afs.umbc.edu internet address = 130.85.24.23
db3.afs.umbc.edu internet address = 130.85.24.87
Incorrect Configuration
The DB servers listed here are not the only ones that provide this service. Our DB servers used to live on different IPs, and while we have provided service on these IPs for backwards compatibility, because of network configuration changes they will have to go away soon. Please make sure that your CellServDB information is up-to-date.
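A quick way to check a client's CellServDB against the servers listed above, as an added example that is not part of the original page. The sample files are constructed, and 192.0.2.10 is a documentation-range placeholder standing in for an old address, since the page does not list the old IPs.

```shell
#!/bin/sh
# Expected database servers for the umbc.edu cell, taken from the page above.
CELL="umbc.edu"
EXPECTED="130.85.24.101 130.85.24.23 130.85.24.87"

# Print the server IPs listed under cell $2 in CellServDB file $1, one per line.
# A cell entry starts at ">cellname" and runs until the next ">" line.
cell_servers() {
    awk -v cell="$2" '
        { sub(/#.*/, "") }                      # drop trailing comments
        /^>/ { name = substr($1, 2); in_cell = (name == cell); next }
        in_cell && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }
    ' "$1"
}

# Return 0 if the cell lists exactly the expected servers, 1 if it lists
# anything else (a stale entry), 2 if the cell is missing from the file.
check_cellservdb() {
    found=$(cell_servers "$1" "$CELL" | sort -u | tr '\n' ' ')
    want=$(printf '%s\n' $EXPECTED | sort -u | tr '\n' ' ')
    [ -n "$found" ] || return 2
    [ "$found" = "$want" ] || return 1
    return 0
}

# Constructed sample files: one current, one with a stale address
# (192.0.2.10 is a placeholder, not a real old UMBC database server IP).
GOOD=$(mktemp); STALE=$(mktemp)
trap 'rm -f "$GOOD" "$STALE"' EXIT
cat > "$GOOD" <<'EOF'
>umbc.edu            #University of Maryland, Baltimore County
130.85.24.101        #db1.afs.umbc.edu
130.85.24.23         #db2.afs.umbc.edu
130.85.24.87         #db3.afs.umbc.edu
>example.org         #constructed neighbouring cell
192.0.2.77           #db.example.org
EOF
sed 's/^130\.85\.24\.23 /192.0.2.10   /' "$GOOD" > "$STALE"

for f in "$GOOD" "$STALE"; do
    if check_cellservdb "$f"; then
        echo "$f: $CELL entry is current"
    else
        echo "$f: $CELL entry is stale or missing; fix the file, then run:"
        echo "  fs newcell -name $CELL -servers $EXPECTED"
    fi
done
```

On a real client, pass the path of the installed CellServDB file, which varies by platform and AFS client build.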
Incorrectly Configured Hosts
We collect traffic logs for hosts trying to access the "old" addresses for the database servers. For the past 7 days, we have logged the following UMBC hosts as having accessed the database services on the "old", incorrect IP addresses. If your host shows up in this list, please update your CellServDB information in your AFS client and restart the AFS client. If you are unable to reboot the machine, you can run the following command to "reload" the AFS database server information for the umbc.edu cell.
fs newcell -name umbc.edu -servers 130.85.24.101 130.85.24.23 130.85.24.87
Here is the current list of "bad" hosts for the 7 days ending on 12/19/2005:
Authentication
We currently support authentication via the legacy AFS "klog" (rx-based) protocols, and using Kerberos5 through 'aklog', which converts Kerberos 5 tickets to Kerberos 4 AFS tokens. We will be supporting raw Kerberos 5 authentication to our servers very soon.
Deprecation of Kerberos4/rxka authentication
Due to security concerns regarding Kerberos 4, we plan to phase out Kerberos4 and, therefore, rxka-based authentication to our Kerberos realm in the near future. Please begin to migrate from using 'klog' to using either a modified Kerberos5 kinit or a standard kinit + aklog solution to retrieve AFS tokens.
For example, to retrieve AFS Admin tokens with kinit on our central systems, just type:
% kinit user/afsadmin
instead of
% klog user.afsadmin
On a system whose kinit has not been enhanced to do AFS authentication as well, you'll need to have a copy of aklog around. aklog comes with newer versions of OpenAFS and can be optionally built. Using aklog is a two-step process:
% kinit user/afsadmin
% aklog
All Central OIT UNIX/Linux systems currently use this method of authentication for system logins; however, there is a particular concern with installing AFS clients on Windows machines. There are multiple solutions for these, including one that takes advantage of Microsoft's installed Kerberos for login and runs a Microsofterized aklog to retrieve AFS tokens from it. Information for implementing this solution is available in the current AFS client distributions available at OpenAFS.org.
