OpenAFS System Administration

About This Course

The objective of this course is to teach students OpenAFS system administration in a Linux environment. AFS is a distributed file system product, pioneered at Carnegie Mellon University and supported and developed as a product by Transarc Corporation (now IBM Pittsburgh Lab). It offers a client-server architecture for file sharing, providing location independence, scalability and transparent migration capabilities for data. OpenAFS is a version of the AFS product which IBM branched and made available for community development and maintenance.

Who Should Attend

IT professionals who are responsible for the configuration, customization and administration of OpenAFS; users of OpenAFS-deploying applications; system administrators who are evaluating OpenAFS.

Learning Objectives

  1. Understand the Concepts of distributed file systems in general and Open AFS in particular
  2. Learn to configure an AFS cell
  3. Learn to manage an AFS cell


Unix Systems Administration

Course Duration

Five (5) days, 9 am - 5 pm

Course Dates

This course is offered based on demand. Check the calendar for updates. Call (734) 761-4689 to schedule a class. Course will be held with a minimum of four (4) students. For the optimal class experience, class size should not exceed eight (8) students.

Course Price

E-mail for current price list

Course Instructors

Marcus Watts

Sample Course Outline

A. History
    • Carnegie Mellon University
    • Transarc
    • IBM
    • Open source
    • AFS3
    • AFS4 a.k.a DCE/DFS
B. Comparisons to other file systems
    • NFS, NIS, CIFS, NDS, OpenLDAP perspective
C. AFS components and terminology
    1. cells
    2. volumes
    3. mount points
    4. authentication
    5. tokens
    6. access control lists (ACL)
    7. quotas
    8. server machines
    9. client machines
    10. cache managers
    11. translators
D. Fundamental concepts
    1. AFS authentication
    2. file/directory protection basics
    3. home directories and basic survival
    4. AFS directory structure
E. Accounts
    1. identification, authentication, authorization, billing
F. Command syntax
    1. bos
    2. vos
    3. fs
    4. kas/kadmin
    5. pts
G. Access OpenAFS data
H. Protection groups
    1. Protect OpenAFS data using ACLs and protection groups, manage basic security issues
I. Brief tutorial on cryptography
    1. symmetric keys vs. asymmetric
    2. authentication
    3. authorization
    4. mallet
    5. attacks
    6. denial of service
    7. entropy
    8. cryptographic checksum
    9. pwhash
J. Kerberos
    1. principles
    2. keys, keytypes, keytabs
    3. differences from UFS
    4. suid
    5. link ACL & file permissions
    6. pags
    7. acls, suid, link acl & file permissions, pags, acls ubik, rx
K. Enterprise vs. department
    1. scaling issues
    2. distributed authority
L. Administration
    1. Configure and administer AFS clients (Linux, Windows NT, Mac) and servers (Linux), installing:
      • a new cell
      • a cache manager
      • a new top-level pts group
M. Time
    1. Kerberos
    2. file server
N. Manage volumes
    1. making volumes
    2. mount point
    3. moving volumes
    4. replicating volumes
    5. bos, backups and restores, db: vl, ka (backup) (up)
    6. fs: salvager, fileserver, volserver, security on trusted machines
    7. Accounts: create and administer OpenAFS accounts
      • creating a user: pt, ka, home dir
    8. Management tools
      • tickets and tokens
      • keyfile
      • key of afs
      • cellservdb
      • root.afs
      • root.cell
      • dns
    9. Troubleshooting methodology
      • status and debugging
      • monitoring activity
      • rxdebug
      • ubikdebug
      • fs checks
    10. Change control topics
    11. Release upgrades
    12. Program applications in the OpenAFS environment
      • application design
      • file sharing
      • mail
      • cell architecture

Course Labs

  1. Interactive simulation: Kerberos/KDC exchange
  2. Interactive simulation: AFS db, file server, and cache manager interchange
  3. Make a drop folder, set permissions right
  4. Debug a permissions problem with an existing directory — (perhaps fs sa -negative someuser all)
  5. Install AFS on a client workstation
  6. Install a new cell on an existing workstation — make sure it comes back after a reboot; make a mount point for an existing volume in another cell
  7. Make a new fileserver for an existing cell
  8. Make a new cell — db servers file service
  9. Volume load management — figure out which fileserver is overloaded; move volumes to make them more balanced
  10. Volume replication — make a replicated volume; populate it; do a vos release; fs flushv from a separate workstation
  11. Make a user account — volume; contents; acl, mount point, pts entityid, kerberos principal, /etc/passwd line; vos release on any replicated volumes (mount point, ?pw file?)
  12. Set up pts groups including prefixless group-- for a new group membership hierarchy
  13. Backups: make a volume backup, restore it
  14. Performance and debugging — learn how to use: rxdebug; udebug, distribute attacks. One person runs the attack. Everyone else tries to figure out what happened, and how to fix it. Attacks: pts script to add lots & lots of people to lots & lots of groups; something that writes a *lot* to AFS, from a bunch of machines all at once
  15. Shut down a random service (vl, pt)
  16. Fill up disk on a db server; make ubik try to use non-available disk; botch time on a client workstation, botch time on a db server, fill up disk on a file server. quota management - set quota down on something
  17. Delete root.cell: Make a recursive mount point; fill ("screw") up cache on workstation; also tcpdump; introduce some sort of network data dependency. (need a firewall between a file server or db server?). use tcpdump to show normal vs. non-normal data
  18. Find an error message in AFS source code
    • translate_et - number to error message
    • find *.et files - contain error message; locate error code
    • take error code, do a search for all occurrences of that code
    • use logic to deduce actual cause of error
  19. Write a small RX based client & server; give stubs for server, client code
  20. Set up a small replicated web site in AFS, configure apache server to serve files
  21. Make an "active" cgi-bin that modifies files in AFS using srvtab on apache server
  22. Install kx509 on client workstation, kct on kdc, mod_kct on apache
  23. Make an "active" application on web server that uses kerberos authentication to modify files as user.