Long story short: starting with Yosemite, Kerberos on the Mac no longer supports weak ciphers (such as DES).
AFS, on the other hand, works with DES, so the two no longer work together. The best thing to do would be to migrate OpenAFS to a different cipher, but this requires maintenance on the AFS server, with a risk of damage and data loss.
Therefore this (quite ugly, but still) solution works around the limitation of the Kerberos installation provided by default with Mac OS X.
Step 1: System cleanup
If you have installed OpenAFS or already configured Kerberos on your machine, uninstall everything and delete
Step 2: Install Heimdal Kerberos
Download and install this: http://www.h5l.org/dist/src/heimdal-1.5.3.dmg
This is the vanilla version of Heimdal Kerberos, which still supports the aforementioned weak DES cipher.
Step 3: Install OpenAFS for Yosemite
As you may already know, there is no official OpenAFS version for Yosemite. I compiled and uploaded one for you. You can download it here: https://dl.dropboxusercontent.com/u/355313/openafs/OpenAFS-1.6.10-2-gb9a15b-dirty-Yosemite.dmg
Download, open and install it.
Step 4: Configure ’em all
First of all, let’s configure Kerberos. You should already have the configuration for Kerberos. Make sure it is in the correct path, which on Yosemite is /etc/krb5.conf. Then make sure you add the allow_weak_crypto = true line to the [libdefaults] section:

[libdefaults]
...
allow_weak_crypto = true
...

Then configure OpenAFS.
- Configure AFS by editing the ThisCell and CellServDB files accordingly. Don’t reboot now.
- OpenAFS requires a kernel extension to work properly. Unfortunately (yes, again), unsigned kernel extensions cannot be loaded on boot in Yosemite. However, this problem can be solved by modifying the kernel boot arguments. Note that kext-dev-mode=1 allows any unsigned kernel extension to load, not only afs.kext:

$> sudo cp -r /private/var/db/openafs/etc/afs.kext /Library/Extensions
$> sudo nvram boot-args="kext-dev-mode=1"

- Now, reboot the Mac
- When everything is restored, make sure you apply the necessary settings and add the AFS icon to the menu bar for quicker access:
- Go to System Preferences > OpenAFS.
- AFS Menu: checked
- Backgrounder: checked
- Use aklog: checked
Step 5: How to connect
Each time you want to use AFS, you must do the following:
- open Terminal.app
$> /usr/heimdal/bin/kinit <kerberos username here>
$> aklog
Everything should be working.
If you read this guide and something didn’t work, make sure you followed each step in the precise order they are written. If something is still not working properly, just drop a line in the comments and we will try to sort it out.
After upgrading Yosemite to 10.10.3 or, in general, after every system update, I noticed that I have to reinstall OpenAFS or, at least, re-issue the nvram command to let unsigned kernel extensions be loaded again.
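
A quick way to check whether the two weakened settings from Step 4 are currently in effect on a machine, for example after a system update. This is an added example, not part of the original guide; the function names and the sample configuration are constructed for illustration, and treating true/yes/1 as "enabled" is an assumption.

```shell
#!/bin/sh
# Added example: audit the two weakened settings from this guide.

# Exit 0 if [libdefaults] in the given krb5.conf enables allow_weak_crypto.
# Values true/yes/1 count as enabled (a conservative assumption).
weak_crypto_enabled() {
    awk '
        /^[ \t]*\[/ { in_ld = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_ld && /^[ \t]*allow_weak_crypto[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, "")
            if (tolower($0) ~ /^(true|yes|1)$/) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Exit 0 if a boot-args string contains kext-dev-mode=1.
kext_dev_mode_on() {
    for arg in $1; do
        [ "$arg" = "kext-dev-mode=1" ] && return 0
    done
    return 1
}

# Constructed sample config for trying the parser offline.
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG
    # allow_weak_crypto = false
    allow_weak_crypto = true
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
EOF
}

# Report the state of the live machine (macOS only; run with --audit).
audit_host() {
    weak_crypto_enabled "${1:-/etc/krb5.conf}" \
        && echo "krb5: weak crypto (DES) ENABLED" \
        || echo "krb5: weak crypto not enabled"
    kext_dev_mode_on "$(nvram boot-args 2>/dev/null | cut -f2-)" \
        && echo "kext: unsigned kernel extensions ALLOWED" \
        || echo "kext: kext-dev-mode not set; unsigned afs.kext will not load"
}

if [ "${1:-}" = "--audit" ]; then audit_host "${2:-}"; fi
```

Run it with --audit on the Mac itself; commented-out lines and settings outside [libdefaults] are ignored by the parser.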