Mounting home directories

Project Vincent user home directories, as well as other filesystem resources, are served out using AFS, the Andrew Filesystem. AFS is similar in principle to NFS, but includes many useful security enhancements. TransArc, the current owners of the original AFS code, provide a commercial AFS client for Linux which Iowa State has site-licensed for use with Project Vincent; however, in order to provide a more portable solution in the spirit of Open Source, we have chosen to use arla (http://www.stacken.kth.se/projekt/arla/) and pam_afstok.

Installing and configuring arla

Arla is a free AFS client which is supported at the kernel level under Linux and the BSDs, as well as many other Unices. RPMs of arla can also be found at ftp://aafugit.org/VINCENT/crypto/. At present, kernel modules are only available for 2.2.13 kernels. If you are using another kernel, you will need to recompile from the source RPM. To do this, install the source package using the command rpm -i arla-0.29.1-2.src.rpm. Edit the arla.spec file, changing the KVERSION at the top to match your kernel, then rebuild the rpm with rpm -bb arla.spec.

You will want to install at least the arla and arla-kernel packages. The arla-devel component may also be useful if you will be compiling other Project Vincent applications on your system.

Again, if you install from packages, arla will be preconfigured for you to work with Project Vincent. Otherwise, you will probably want to configure arla yourself. The /usr/arla/etc/ThisCell file (symlinked to /etc/ThisCell in the aafugit.org packages) should contain the name of your local AFS cell -- in our case, iastate.edu. There is also a file, /usr/arla/etc/arla.conf, where you can configure settings specific to arla.

Starting arla

As with NFS and Samba, your system needs to be told to automatically mount the AFS shares on startup. With arla, this is handled through arlad. To start up arla once, you can run /etc/rc.d/init.d/arlad start as root. To make sure that arla always starts up when the machine is rebooted, you can run /sbin/chkconfig --level runlevel arlad on, where runlevel is your system's default runlevel, between 1 and 5.

If you are not using the RPM packages, or are not running RedHat, you may not have /etc/rc.d/init.d/arlad or /sbin/chkconfig on your system. If this is the case, you should still have a startarla command, which you can use to start arla. You can also add this command to your system startup scripts. How you do this is distribution-dependent; if you don't know how to modify your startup scripts directly, consult your distribution's documentation.

Configuring pam_afstok

For your users to have full access to their AFS home directories, they will need an AFS authentication token. It is generally important to make this AFS token available as early as possible during the login process, since it may be needed to access configuration files in the user's homedir. As with Kerberos, PAM provides us with a generic method for services to acquire AFS tokens. If you will not be providing local home directories for your users, you will want to use pam_afstok.

The source to the pam_afstok module can also be found at the dementia.org ftp site, ftp://ftp.dementia.org/pub/pam/. A small patch is also needed to build this module under RedHat, which you can get at ftp://aafugit.org/VINCENT/crypto/patches/pam_afstok-linux.patch. After changing to the pam_afstok directory and running patch -p1 < pam_afstok-linux.patch, type make all install to build and install the module.

Typically, any PAM services you have configured for use with pam_krb4 should also be configured to use pam_afstok. Below is a final PAM configuration file for the login service, modified to use pam_afstok:

auth       required       /lib/security/pam_securetty.so
auth       required       /lib/security/pam_nologin.so
auth       sufficient     /lib/security/pam_unix.so
auth       required       /lib/security/pam_krb4.so use_first_pass
account    required       /lib/security/pam_unix.so
password   required       /lib/security/pam_cracklib.so
password   sufficient     /lib/security/pam_unix.so use_authtok \
                               md5 shadow
password   required       /lib/security/pam_krb4.so use_authtok \
                               try_first_pass
session    required       /lib/security/pam_unix.so
session    required       /lib/security/pam_krb4.so
session    sufficient     /lib/security/pam_afstok.so
session    optional       /lib/security/pam_console.so
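
The rule above (any service configured for pam_krb4 should also use pam_afstok) can be checked mechanically. The following is an added example, not part of the original page or of the pam_afstok distribution; the function names and the constructed sample files are assumptions. Commented-out lines are ignored, so a disabled pam_afstok entry is reported as missing.

```shell
#!/bin/sh
# Added example (not from the original page): report PAM services that
# reference pam_krb4 but have no active pam_afstok session line.

pam_missing_afstok() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v svc="${f##*/}" '
            # Join backslash-continued lines into one logical line.
            /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }
            { line = buf $0; buf = ""; sub(/^[ \t]+/, "", line) }
            # A commented-out module line must not count as configured.
            line == "" || line ~ /^#/ { next }
            {
                n = split(line, fld, /[ \t]+/)
                for (i = 2; i <= n; i++) {
                    mod = fld[i]; sub(/.*\//, "", mod)   # strip directory
                    if (mod == "pam_krb4.so") krb = 1
                    if (mod == "pam_afstok.so" && fld[1] == "session") afs = 1
                }
            }
            END {
                if (krb && !afs)
                    print svc ": pam_krb4 without a pam_afstok session line"
            }
        ' "$f"
    done
}

# Constructed sample: "login" follows the layout shown above, "ftp" has
# its pam_afstok line commented out.
pam_afstok_demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/login" <<'EOF'
auth       required   /lib/security/pam_krb4.so use_first_pass
session    required   /lib/security/pam_krb4.so
session    sufficient /lib/security/pam_afstok.so
EOF
    cat > "$d/ftp" <<'EOF'
auth       required   /lib/security/pam_krb4.so \
                          use_first_pass
#session   sufficient /lib/security/pam_afstok.so
EOF
    pam_missing_afstok "$d"
    rm -rf "$d"
}

pam_afstok_demo
```

Run pam_missing_afstok with no argument to scan /etc/pam.d on the machine itself.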

To test that Kerberos and AFS services are working correctly on your machine, try logging in to the system as a Vincent user and running klist. If everything is configured correctly at this point, you should see output similar to the following:

Ticket file:    /tmp/tkt504
Principal:      vorlon@IASTATE.EDU

  Issued           Expires          Principal
Feb 29 15:45:01  Mar 30 15:45:01  krbtgt.IASTATE.EDU@IASTATE.EDU
Feb 29 15:45:01  Mar 30 15:45:01  afs@IASTATE.EDU
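
Because pam_afstok is marked sufficient in the session stack above, a failure to obtain the token does not stop the login, so the klist output is worth checking rather than assuming. The following added example (not from the original page; the function names and the constructed klist sample are assumptions) prints whichever of the two expected principals has no ticket row.

```shell
#!/bin/sh
# Added example (not from the original page): check Kerberos 4 klist
# output for the two tickets the page expects after a Vincent login.

# Reads klist output on stdin; prints every expected principal that has
# no ticket row. Assumes the AFS service principal is afs@REALM, as in
# the sample output above.
missing_tickets() {
    awk -v realm="$1" '
        BEGIN { need["krbtgt." realm "@" realm]; need["afs@" realm] }
        # Ticket rows follow the Issued/Expires/Principal header; the
        # principal is the last field of each row.
        in_table && NF { have[$NF] = 1 }
        /Issued/ && /Expires/ { in_table = 1 }
        END { for (p in need) if (!(p in have)) print p }
    ' | sort
}

# Constructed sample: a login where only the TGT was issued.
klist_sample_no_afs() {
    cat <<'EOF'
Ticket file:    /tmp/tkt504
Principal:      vorlon@IASTATE.EDU

  Issued           Expires          Principal
Feb 29 15:45:01  Mar 30 15:45:01  krbtgt.IASTATE.EDU@IASTATE.EDU
EOF
}

klist_sample_no_afs | missing_tickets IASTATE.EDU   # prints afs@IASTATE.EDU
```

On a live system, pipe the real command instead: klist | missing_tickets IASTATE.EDU. Empty output means both tickets are present.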

Configuring autofs for Hesiod lockers

The last step in setting up your Project Vincent homedirs is to configure autofs. The AFS hierarchy is traditionally mounted as /afs on a Unix system. However, the system looks for user home directories under /home, so we need some way to redirect /home to point into the AFS hierarchy. Under the original Project Athena, and on many Project Vincent machines here on campus, this was done with a program called attach. Once again, we find here that there is a Linux service available, autofs, which supports this natively.

Although autofs works out-of-the-box with AFS lockers, the autofs package that ships with RedHat doesn't include support for Hesiod lookups. Since all information about Project Vincent lockers is distributed using Hesiod (see 4. System information: Hesiod), you will need to download the autofs-hesiod package from ftp://aafugit.org/VINCENT/. Alternatively, if you have the hesiod libraries and header files installed on your system (hesiod and hesiod-devel), you can simply recompile the autofs package, and hesiod support will be included automatically.

After installing autofs-hesiod, the only thing that remains is to point autofs to hesiod. To do this, add the single line

        /home  hesiod:

to your /etc/auto.master configuration file. This designates /home as an automount directory. If you have other home directories in /home, you will probably want to move them elsewhere, as they'll be inaccessible while automount is running. Then restart the automount daemon with /etc/rc.d/init.d/autofs restart.

To confirm that automount is working correctly, type cd /home/bitbucket. If it works, then congratulations! Your machine is now fully configured to allow Project Vincent logins.