OpenAFS and Mac OS X Yosemite, El Capitan

December 26, 2014 11:17 58 comments

Long story short: Kerberos on the Mac, starting with Yosemite, no longer supports weak ciphers (such as DES).

AFS, on the other hand, relies on DES, so the two no longer work together. The proper fix would be to migrate the OpenAFS cell to stronger ciphers, but that requires maintenance on the AFS server and carries a risk of damage and data loss.

This (admittedly ugly) workaround therefore sidesteps the limitation of the Kerberos installation that ships with Mac OS X.

Step 1: System cleanup

If you have installed OpenAFS or already configured Kerberos on your machine, uninstall everything and delete /Library/Preferences/edu.mit.Kerberos.

Please reboot.

Step 2: Install heimdal kerberos

Download and install this: http://www.h5l.org/dist/src/heimdal-1.5.3.dmg

This is vanilla Heimdal Kerberos, which still supports the weak DES cipher mentioned above.

Step 3: Install OpenAFS for Yosemite

As you may already know, there is no official OpenAFS version for Yosemite. I compiled and uploaded one for you. You can download it here: https://dl.dropboxusercontent.com/u/355313/openafs/OpenAFS-1.6.10-2-gb9a15b-dirty-Yosemite.dmg

Download, open and install it.

Step 4: Configure ’em all

First of all, let’s configure Kerberos. You should already have a Kerberos configuration; make sure it lives at the correct path, which on Yosemite is /etc/krb5.conf, and add the line allow_weak_crypto = true to its [libdefaults] section.

Then configure OpenAFS.

  • Configure AFS by editing the ThisCell and CellServDB files accordingly. Don’t reboot now.
  • OpenAFS needs a kernel extension to work properly. Unfortunately (yes, again), unsigned kernel extensions cannot be loaded at boot on Yosemite. This can be worked around by modifying the kernel’s boot parameters:
  • Now reboot the Mac.
  • Once the system is back up, apply the necessary settings and add the AFS icon to the menu bar for quicker access:
    • Go to System Preferences > OpenAFS.
    • AFS Menu: checked
    • Backgrounder: checked
    • Use aklog: checked

Step 5: How to connect

Each time you want to use AFS, you must do the following:

  • open Terminal.app
  • issue

Everything should be working.

If you read this guide and something didn’t work, make sure you followed each step in the precise order in which they are written. If something is still not working properly, just drop a line in the comments and we will try to sort it out.
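As an added check (example code written for this page, not part of the original post or of OpenAFS), the following POSIX shell script verifies the two settings the steps above depend on: that allow_weak_crypto = true sits inside the [libdefaults] section of krb5.conf, and that kext-dev-mode=1 is present in the boot-args line that nvram reports. The krb5.conf path is passed as the first argument; the two sample configurations the script can write are constructed for the demonstration and use the placeholder realm EXAMPLE.COM. The live nvram check only runs where that command exists.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity checks for the two
# settings this guide depends on. Nothing here changes the system; it only
# reads a krb5.conf and the boot-args line printed by "nvram boot-args".

# krb5_weak_crypto_enabled FILE
# Exit 0 when FILE has "allow_weak_crypto = true" (or "= yes") inside its
# [libdefaults] section, 1 otherwise. Comment lines are skipped, and the key
# only counts in [libdefaults]: the same line under [kdc] or [realms] has no
# effect on the client.
krb5_weak_crypto_enabled() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*\[/ {
            # new section header: remember its name without the brackets
            if (match($0, /\[[A-Za-z0-9_]+]/))
                section = substr($0, RSTART + 1, RLENGTH - 2)
            else
                section = ""
            next
        }
        section == "libdefaults" {
            line = $0
            sub(/#.*$/, "", line)
            if (line ~ /^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*(true|yes)[[:space:]]*$/)
                found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# kext_dev_mode_set BOOTARGS_LINE
# Takes the line printed by "nvram boot-args" (name, a tab, then the value)
# and exits 0 when the kext-dev-mode=1 token is present, 1 otherwise.
kext_dev_mode_set() {
    for tok in $(printf '%s\n' "$1" | cut -f 2-); do
        [ "$tok" = "kext-dev-mode=1" ] && return 0
    done
    return 1
}

# Constructed sample configurations (placeholder realm, not a real cell):
# one correct, one with the key in the wrong section.
write_sample_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true   # needed for DES session keys

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
EOF
}

write_sample_krb5_conf_wrong_section() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM

[kdc]
    allow_weak_crypto = true   # wrong section: the client ignores this
EOF
}

# Usage on the Mac: sh check-afs-prereqs.sh /etc/krb5.conf
if [ $# -gt 0 ]; then
    if krb5_weak_crypto_enabled "$1"; then
        echo "ok: allow_weak_crypto = true found in [libdefaults] of $1"
    else
        echo "missing: allow_weak_crypto = true in [libdefaults] of $1"
    fi
    if command -v nvram >/dev/null 2>&1; then
        if kext_dev_mode_set "$(nvram boot-args 2>/dev/null)"; then
            echo "ok: kext-dev-mode=1 is in boot-args"
        else
            echo "missing: kext-dev-mode=1 in boot-args (unsigned kext will not load)"
        fi
    fi
fi
```

The script name check-afs-prereqs.sh is only a suggestion. The parser tracks sections instead of grepping for the key because allow_weak_crypto has no effect outside [libdefaults]; a copy that ends up in another section still produces the DES error the post describes.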

Update

After upgrading Yosemite to 10.10.3 and, in general, after every system update, I noticed that I have to reinstall OpenAFS or at least re-issue the nvram command so that unsigned kernel extensions can be loaded again.

Update (take-two)

Your File System® offers a Yosemite-compatible version of OpenAFS, shipped with its own Heimdal Kerberos. You can access the download page by clicking here. The benefit of using this version is that the kext file is signed, so there is no need to set the nvram parameter that allows unsigned extensions to be loaded.
Note that in this case you have to create krb5.conf in /private/var/db/yfs/etc.

Update (El Capitan)

Starting with Mac OS X El Capitan (10.11), Your File System® published a new client, which you can download here. If you are upgrading from any other version, mount the image and uninstall OpenAFS completely (the scripts are in the Extras folder within the DMG). After rebooting the machine, install the AuriStor client and configure Kerberos in the same way as before (see the bottom of this post for a sample). After that:

  • Open a Terminal and edit /etc/yfs/cellservdb.conf with sudo. Remove the content of the file and add the following lines:

  • Edit /etc/yfs/thiscell.conf
  • Reboot your Mac
  • Open Terminal.app, get a Kerberos ticket (refer to Step 5) and then run “aklog”

A sample of a working /etc/krb5.conf file could be:

  • Alex

    Thank you so much for this guide, it was very helpful, especially because the latest official OpenAFS really stops working on 10.10.3. I have one question that you may perhaps be able to answer very easily:

    Since Yosemite, I can no longer connect to a server via ssh and using Kerberos.

    Here’s the relevant output from ssh -vK [email protected]:

    debug1: Next authentication method: gssapi-with-mic
    debug1: Miscellaneous failure (see text)
    Encryption type des-cbc-md5-deprecated not supported

    To me this looks like ssh is still using the stock Kerberos instead of Heimdal, and thus can’t make use of DES. Do you know whether my assumption is correct? Do you perhaps also know how I can tell ssh to make use of Heimdal?

    • Fabiano Francesconi

      Actually if you obtain the ticket with Heimdal there is no need to tell ssh anything. Have you fixed this issue?

      • Alex

        Well, I had to recompile OpenSSH with ./configure --with-kerberos5=/usr/heimdal and now it works.

  • abder

    Thanks for the help, I did follow everything and I receive a pioctl error message

    • Fabiano Francesconi

      Make sure to issue sudo nvram boot-args="kext-dev-mode=1" and reboot the machine

  • abder

    We get a pioctl error message

  • Arno

    In my installation of Yosemite there is no preference file edu.mit.Kerberos in /Library/Preferences :-(

    • Fabiano Francesconi

      If there is no file, then you have nothing to delete :)

  • Your File System, Inc. distributes a signed OpenAFS installer for OSX Mavericks and Yosemite that includes signed binaries and a signed kernel extension. The package includes a private Heimdal in order to support DES session keys for rxkad.

    OpenAFS as of 1.6.5 no longer requires DES service tickets for AFS servers.

    • Fabiano Francesconi

      This is absolutely great to know. I had a problem with the System firewall that was blocking the incoming connections from my local AFS server. Do you know why?

      • I do not have an issue on Yosemite 10.10.4 on my Mac Book Pro. I saw you discussing the issue with @shadow via Twitter. I suspect you will need to provide additional information.

        Note that the firewall only permits traffic from the explicit server and port that the kernel extension is communicating with. You cannot use “rxdebug” to probe the cache manager on port 7001 when the firewall is running. That is to be expected.

        You can add an explicit firewall rule to open udp/7001 to the world but it is not required.

        • Fabiano Francesconi

          Hey Jeffrey,
          will there be any support from YFS for Mac OS X El Capitan? If so, when is it expected to happen?

          • Your File System, Inc. will be releasing an AuriStor client for OSX El Capitan early next week.

          • Fabiano Francesconi

            Do you have any update on the YFS Client for El Capitan?

  • aor

    Hi, when I install Heimdal there’s no krb5.conf file, so I created one under /etc and my configuration is
    [libdefaults]
    default_realm = INTRANET.HIGHPROPHIL.COM
    #kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

    allow_weak_crypto = true

    It works for me but I have an issue: it takes 20-30 minutes to display the folders inside the AFS mounted disk when opening it in Finder. The AFS logo in the system tray displays authenticated. This happens every time I restart or reboot the computer.

    Hope somebody can fix this. Thanks in advance

  • ml

    I do not find any /etc/krb5.conf file.
    Is there anyone posting his one (eventually cleaned up) so that I can use it?

    MBP13 mid-2012, Yosemite 10.10.5

    • Fabiano Francesconi

      Please read my last update in the blog post

  • AAM

    I have tried to follow both your tutorials, however I have not been able to connect to the AFS server I want. I do not know if it’s because they are running Kerberos v4, or because I’m running Yosemite 10.10.5. I had Red Hat before and the only thing I had to do was install the client, compile the kernel, and run /etc/rc.d/init.d/openafs-client start, followed by klog.krb. Has anyone run into a similar problem, or been able to connect to an older AFS server?

    • Fabiano Francesconi

      Did you also try the YFS package?

  • AAM

    Yes I also tried the YFS package

  • There is a bug in the OSX Application Firewall in versions 10.10.2 through 10.10.5 that blocks UDP traffic from kernel extensions to what appear to be arbitrary IPv4 addresses. If the server’s IP address is one of the blocked addresses all traffic will be dropped. The source code to the firewall has not been released so further debugging is challenging at best.

  • daniel

    Any chance of an updated AFS dmg for 10.11 El Capitan?

  • AuriStor (OpenAFS compatible) clients for OSX Yosemite and El Capitan are available from our web site.

    https://www.your-file-system.com/auristor/client-installer/

    • Fabiano Francesconi

      All I get is: “Can’t populate server list for cell mycell.example.com”

      • What operation is producing that error message?

        Does the message actually say ‘mycell.example.com’ or are you using that as a replacement for your actual cell name?

        • Fabiano Francesconi

          It’s “aklog -d”. Yeah, I am obfuscating my real cell name. Anyway, I have found a file in /etc/yfs/cellservdb.conf.
          I have added my cell and now I have a different error (same command):

          Authenticating to cell foo.bar.net
          GSSAPI Error [851968:2529638919]
          Miscellaneous failure (see text)
          Matching credential ([email protected]) not found
          Trying to authenticate to user’s realm BAR.NET.
          Using Kerberos V5 ticket natively
          aklog: Unknown error: 11862790 while setting tokens for cell foo.bar.net

          What can I do?

  • Do you have DNS SRV or DNS AFSDB entries for your cell?

  • Vincent

    Hi,
    admittedly I’m pretty much a n00b in this regard, but for me it worked fine simply to sidestep the version check during the OpenAFS installation as explained here: http://zeeshanali.com/sysadmin/openafs-on-yosemite-mac/
    Am I taking a security risk in doing so, or is this likely to not be working soon? Because right now it seems to be working like a charm.
    Any ideas why?
    Best, Vincent

  • Angel Merchan

    I am trying to get the El Capitan version to work. I followed the instructions. But I keep getting the following error:
    kinit: krb5_get_init_creds: Preauth required but no preauth options send by KDC
    This is my kinit version just in case that might be the issue:
    kinit (Heimdal 1.5.1apple1)
    Copyright 1995-2011 Kungliga Tekniska Högskolan
    Send bug-reports to [email protected]

    Has anyone run into this error?

    • Try to append the following lines to /etc/krb5.conf

      [kdc]
      require-preauth = false

      Let me know if this helps

      • Angel Merchan

        I tried that, still have the same results. The weird thing is that I can see the AFS mount drive, and inside there is a folder with my cell. I can navigate through the folders, but I can not access any files. Just the directories.

        • That’s super weird. Can you post here the output of aklog -d?

          • Angel Merchan

            The output of aklog -d is the following: (cell.example.com is just me hiding my cell name)

            Authenticating to cell cell.example.com.
            GSSAPI Error [851968:2529639053]
            Miscellaneous failure (see text)
            No API credential found
            No API credential found while getting principal from credentials cache
            aklog: All mechanisms failed to produce tokens for cell cell.example.com

          • Can you try rebooting your machine and obtaining a new kerberos ticket and retry the aklog command?

          • Angel Merchan

            Just tried that and got the same errors
            kinit --> kinit: krb5_get_init_creds: Preauth required but no preauth options send by KDC
            aklog -d -->
            Authenticating to cell cell.example.com.
            GSSAPI Error [851968:2529639053]
            Miscellaneous failure (see text)
            No API credential found
            No API credential found while getting principal from credentials cache
            aklog: All mechanisms failed to produce tokens for cell cell.example.com

          • Then I guess that klist is showing no Kerberos ticket. Then your problem is with Kerberos, not OpenAFS.

          • Angel Merchan

            Should I try reinstalling Heimdal ? BTW thanks for the help

          • As far as I know, Heimdal is provided with AuriStor. Just try to remove everything and then make sure you only have /etc/krb5.conf containing your Kerberos configuration

          • Angel Merchan

            What do you mean by everything?? Sorry just want to make sure I remove all the things I would need to remove

          • Run the uninstall scripts that are inside the Extras folder (both of them)

          • Angel Merchan

            Perfect. I will try that. Thanks for the help

          • fotinsky

            I have exactly the same problem as Angel with the same outputs. Here is some extra info:

            Before upgrading to El Capitan, I was using OpenAFS and Heimdal as described in this blog. After upgrading, there was no /usr/heimdal/ folder anymore. Trying to install any DMG Heimdal failed – I read about the reasons.

            I removed OpenAFS and followed the updated instructions for AuriStor and still cannot find a Heimdal folder on my system. Typing kinit in the console executes OS X’s native kinit in /usr/bin/, which obviously is a Heimdal implementation itself (Heimdal 1.5.1apple1). The question is: where is the Heimdal kinit version that reportedly comes with AuriStor? It is definitely not /usr/bin/kinit since that binary remained untouched while installing or uninstalling AuriStor.

            Second question: is the /etc/krb5.conf or the /private/var/db/yfs/krb5.conf meant to be used? (I tried both)

          • I really don’t know what to say. I am using the kinit in /usr/bin but you definitely have a point with that.

            However, you should not have a /private/var/db/yfs/ folder anymore (or at least I have deleted it). The new client doesn’t read anything from there anymore (as far as I could “debug”)

          • fotinsky

            Yes, the /private/var/db/yfs/ folder is not created by the installer. Seems this is obsolete then.

            I found out that aklog is indeed installed by the AuriStor package. So some Kerberos parts come shipped with AuriStor.

            I’m using the same krb5.conf that I used with the self-installed Heimdal before upgrading to El Capitan. I think the configuration is fine.

          • fotinsky

            Alright, I found a solution. I figured out that this error message was exactly the one I had previously on Yosemite because of lacking DES support. Installing Heimdal Kerberos fixed the problem back then. This led me to the conclusion that I just need to install Heimdal. I did so quite simply with Homebrew. Building Heimdal from source is also possible, but you have to pre-install some other dependencies. Here’s a good tutorial for that: https://wiki.cyanogenmod.org/w/Install_and_compile_Heimdall. I just cannot really understand why for some of you this already worked “out of the box” with Apple’s provided version of kinit?

          • Angel Merchan

            How did you get around this error:

            Error: Could not create /usr/local/Cellar
            Check you have permission to write to /usr/local

          • At which point do you get this error?

          • Angel Merchan

            I got that error when trying to install some prereqs (pkgconfig) for Heimdal using Homebrew.

          • There is a link in my post. Try to install it using that link

          • Angel Merchan

            Will that version work with El Capitan?

          • fotinsky

            You have to own this directory to use Homebrew like it is meant to be: sudo chown -R $USER /usr/local/Cellar

  • Ulrich Landgraf

    I have just upgraded to El Capitan and installed AFS from AuriStor as suggested. I can obtain Kerberos and afs tokens and can access the main directories and read my files.

    However, if I try to list the content of some subdirectories, Mac OS crashes with a blue screen (actually it is a white screen). This happens reproducibly every time for the same subdirectories. It does not seem to depend on whether the affected subdirectory is on the same volume or a different one. With other subdirectories everything is fine.

    Does anybody have an idea what could go wrong?

    I am appending the first part of the entry from the system log (it’s probably too long to append all!):

    Process: afsd [97]
    Path: /usr/local/libexec/afsd
    Identifier: afsd
    Version: 0
    Code Type: X86-64 (Native)
    Parent Process: launchd [1]
    Responsible: afsd [97]
    User ID: 0

    Date/Time: 2015-12-27 17:22:40.121 +0100
    OS Version: Mac OS X 10.11.2 (15C50)
    Report Version: 11
    Anonymous UUID: BE7D8D66-6F34-4897-3D3C-16A2A584EC2C

    Time Awake Since Boot: 100 seconds

    System Integrity Protection: enabled

    Crashed Thread: 0 Dispatch queue: com.apple.main-thread

    Exception Type: EXC_BAD_ACCESS (SIGSEGV)
    Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
    Exception Note: EXC_CORPSE_NOTIFY

    VM Regions Near 0:
    -->
    __TEXT 0000000109048000-000000010905a000 [ 72K] r-x/rwx SM=COW /usr/local/libexec/afsd

    Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
    0 libsystem_c.dylib 0x00007fff82da1152 strlen + 18
    1 libsystem_c.dylib 0x00007fff82dfbb79 strdup + 18
    2 libyfs_cmd.0.dylib 0x000000010915758f cmd_OpenConfigFile + 64
    3 libyfs_util.0.dylib 0x00000001090e6299 util_NewConfigContext + 54
    4 afsd 0x0000000109056cd9 0x109048000 + 60633
    5 com.apple.CoreFoundation 0x00007fff853d5bc4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
    6 com.apple.CoreFoundation 0x00007fff853d5853 __CFRunLoopDoTimer + 1075
    7 com.apple.CoreFoundation 0x00007fff85453e6a __CFRunLoopDoTimers + 298
    8 com.apple.CoreFoundation 0x00007fff85390cd1 __CFRunLoopRun + 1841
    9 com.apple.CoreFoundation 0x00007fff85390338 CFRunLoopRunSpecific + 296
    10 com.apple.CoreFoundation 0x00007fff854531f1 CFRunLoopRun + 97
    11 afsd 0x0000000109056b49 0x109048000 + 60233
    12 afsd 0x00000001090532f4 0x109048000 + 45812
    13 libdyld.dylib 0x00007fff986a75ad start + 1

    Thread 1:: Dispatch queue: com.apple.libdispatch-manager
    0 libsystem_kernel.dylib 0x00007fff902edff6 kevent_qos + 10
    1 libdispatch.dylib 0x00007fff8d62d099 _dispatch_mgr_invoke + 216
    2 libdispatch.dylib 0x00007fff8d62cd01 _dispatch_mgr_thread + 52

    Thread 0 crashed with X86 Thread State (64-bit):
    rax: 0x00007fff737d2420 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000
    rdi: 0x0000000000000000 rsi: 0x0000000109507400 rbp: 0x00007fff56bb1e70 rsp: 0x00007fff56bb1e70
    r8: 0x000000000000003f r9: 0x00007fcd31c074a0 r10: 0x000000006d8f3931 r11: 0x00007fcd31c00000
    r12: 0x0000000000000000 r13: 0x00007fcd31d48810 r14: 0x0000000000000000 r15: 0x000000000000000c
    rip: 0x00007fff82da1152 rfl: 0x0000000000010246 cr2: 0x0000000000000000

    Logical CPU: 1
    Error Code: 0x00000004
    Trap Number: 14

    Binary Images:
    0x109048000 - 0x109059fff +afsd (0) /usr/local/libexec/afsd
    0x109066000 - 0x10906afff +libyfs_acquire.0.dylib (0) /Library/Auristor/*/libyfs_acquire.0.dylib
    0x109071000 - 0x10907cfff +libyfs_prot.0.dylib (0) /Library/Auristor/*/libyfs_prot.0.dylib
    0x109086000 - 0x109087fff +libyfs_ubikclient.0.dylib (0) /Library/Auristor/*/libyfs_ubikclient.0.dylib
    0x10908a000 - 0x10908bffb com.apple.kerberos.reachability (4.0 - 2.0) /System/Library/KerberosPlugins/KerberosFrameworkPlugins/Reachability.bundle/Contents/MacOS/Reachability
    0x109090000 - 0x10909bfff +libyfs_auth.0.dylib (0) /Library/Auristor/*/libyfs_auth.0.dylib
    0x1090a2000 - 0x1090aefff +libyfs_rxkad.0.dylib (0) /Library/Auristor/*/libyfs_rxkad.0.dylib
    0x1090b5000 - 0x1090bafff +libyfs_rfc3961.0.dylib (0) /Library/Auristor/*/libyfs_rfc3961.0.dylib
    0x1090be000 - 0x1090bffff com.apple.kerberos.sckerberosconfig (4.0 - 1) /System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/MacOS/SCKerberosConfig
    0x1090c4000 - 0x1090cdfff +libyfs_rxgk.0.dylib (0) /Library/Auristor/*/libyfs_rxgk.0.dylib
    0x1090d5000 - 0x1090d7ff7 +libyfs_sys.0.dylib (0) /Library/Auristor/*/libyfs_sys.0.dylib
    0x1090e0000 - 0x1090e7fff +libyfs_util.0.dylib (0) /Library/Auristor/*/libyfs_util.0.dylib
    0x1090ec000 - 0x1090edfff com.apple.heimdalodpac (10.11 - 205) /System/Library/KerberosPlugins/KerberosFrameworkPlugins/heimdalodpac.bundle/Contents/MacOS/heimdalodpac
    0x1090f3000 - 0x10911afff +libgssapi.3.dylib (0) /Library/Auristor/*/libgssapi.3.dylib
    0x109143000 - 0x109148ff7 +libheimntlm.0.dylib (0) /Library/Auristor/*/libheimntlm.0.dylib
    0x109154000 - 0x109159fff +libyfs_cmd.0.dylib (0) /Library/Auristor/*/libyfs_cmd.0.dylib
    0x10915d000 - 0x109166fff +libyfs_fsint.0.dylib (0) /Library/Auristor/*/libyfs_fsint.0.dylib
    0x109172000 - 0x109191ff7 +libyfs_rx.0.dylib (0) /Library/Auristor/*/libyfs_rx.0.dylib
    0x1091a2000 - 0x1091a6fff +libyfs_opr.0.dylib (0) /Library/Auristor/*/libyfs_opr.0.dylib
    0x1091ad000 - 0x1091aefff +libyfs_comerr.0.dylib (0) /Library/Auristor/*/libyfs_comerr.0.dylib
    0x1091b3000 - 0x1091c7fff +libyfs_hcrypto.0.dylib (0) /Library/Auristor/*/libyfs_hcrypto.0.dylib
    0x1091d3000 - 0x1091d5ff7 +libyfs_roken.0.dylib (0) /Library/Auristor/*/libyfs_roken.0.dylib
    0x1091de000 - 0x109239ff7 +libkrb5.26.dylib (0) /Library/Auristor/*/libkrb5.26.dylib
    0x109281000 - 0x10932dfff +libheimsqlite.0.dylib (0) /Library/Auristor/*/libheimsqlite.0.dylib
    0x109352000 - 0x109380fff +libhx509.5.dylib (0) /Library/Auristor/*/libhx509.5.dylib
    0x1093aa000 - 0x1093d3ff7 +libhcrypto.4.dylib (0) /Library/Auristor/*/libhcrypto.4.dylib
    0x1093f7000 - 0x109464fff +libasn1.8.dylib (0) /Library/Auristor/*/libasn1.8.dylib
    0x1094a9000 - 0x1094cfff7 +libwind.0.dylib (0) /Library/Auristor/*/libwind.0.dylib
    0x1094d6000 - 0x1094d7fff +libcom_err.1.dylib (0) /Library/Auristor/*/libcom_err.1.dylib
    0x1094da000 - 0x1094e2ff7 +libheimbase.1.dylib (0) /Library/Auristor/*/libheimbase.1.dylib
    0x1094ee000 - 0x1094fafff +libroken.18.dylib (0) /Library/Auristor/*/libroken.18.dylib
    0x7fff6cf81000 - 0x7fff6cfb7fa7 dyld (360.18) /usr/lib/dyld
    0x7fff82989000 - 0x7fff82989fff com.apple.CoreServices (728.6 - 728.6) /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
    0x7fff829e3000 - 0x7fff82a25ff7 com.apple.Metal (55.2.8 - 55.2.8) /System/Library/Frameworks/Metal.framework/Versions/A/Metal
    0x7fff82bb4000 - 0x7fff82bd8ff7 libJPEG.dylib (1442) /System/Library/Frameworks/ImageIO.framework/Versions/A/

    • Have you completely removed the old installation of AFS before installing the Auristor client?

      • Ulrich Landgraf

        Thanks for your quick reply. Yes, I used the scripts in the distribution several times to remove and reinstall, but nothing changed.

        From the log it seems there is an issue in “OpenConfigFile”. Any idea which file this could be (thiscell.conf and cellservdb.conf seem to be ok)?
