Post Tagged with: "yosemite"

OpenAFS and Mac OS X Yosemite, El Capitan

OpenAFS and Mac OS X Yosemite, El Capitan

 
90 Kudos
Don't
move!

Long story short: Kerberos on the Mac, starting with Yosemite, does not support anymore weak ciphers (such as DES).

AFS, on the other hand, works with DES.. therefore.. no go. The best thing to do would be to try to migrate OpenAFS to support different ciphers but this requires maintenance on the AFS server, risking damage and data loss.

Therefore this (quite ugly, but still..) solution seems to overcome the limitation of the Kerberos installation provided by default with Mac OS X.

Step 1: System cleanup

If you have installed OpenAFS or already configured kerberos on your machine, uninstall everything and delete /Library/Preferences/edu.mit.Kerberos.

Please reboot.

Step 2: Install heimdal kerberos

Download and install this: http://www.h5l.org/dist/src/heimdal-1.5.3.dmg

This is the heimdal kerberos, the vanilla version. Therefore, this supports the aforementioned weak DES cipher.

Step 3: Install OpenAFS for Yosemite

As may already know, there is no official OpenAFS version for Yosemite. I compiled and uploaded one for you. You can download it here: https://dl.dropboxusercontent.com/u/355313/openafs/OpenAFS-1.6.10-2-gb9a15b-dirty-Yosemite.dmg

Download, open and install it.

Step 4: Configure ’em all

First of all, let’s configure Kerberos. You should already have the configuration for Kerberos. Make sure you have it in the correct path that, on Yosemite, is /etc/krb5.conf. Then make sure you add the allow_weak_crypto = true line to the libdefaults section.

Then configure OpenAFS.

  • Configure AFS by editing the ThisCell and CellServDB files accordingly. Don’t reboot now.
  • OpenAFS requires a kernel extensions to work properly. Unfortunately (yes, again), unsigned kernel extensions cannot be loaded on boot in Yosemite. However, this problem can be solved by using modifying the boot parameter of the kernel:
  • Now, reboot the mac
  • When everything is restored, make sure you apply the necessary settings and add AFS icon to the menu bar for quicker access:
    • Go to System Preferences > OpenAFS.
    • AFS Menu: checked
    • Backgrounder: checked
    • Use aklog: checked

Step 5: How to connect

Each time you want to use AFS, you must do the following:

  • open Terminal.app
  • issue

Everything should be working.

If you read this guide and something didn’t work, make sure you followed each step in the precise order they are written. If something is still not working properly, just drop a line in the comments and we will try to sort it out.

Update

After upgrading Yosemite to 10.10.3 or, in general, after every system update I noticed that I have to reinstall OpenAFS or, at least, re-issue the nvram command to let unsigned kernel extensions to be loaded again.

Update (take-two)

Your File System® offers a Yosemite-compatible version of OpenAFS, shipped with Heimdal Kerberos version. You can access the download page clicking here. The benefit of using this version is that the kext file is signed, therefore no need to set the nvram parameters to allow unsigned extensions to be executed.
Please notice that in this case, you have to create the krb5.conf in /private/var/db/yfs/etc.

Update (El Capitan)

Starting with Mac OS X El Capitan (10.11), Your File System® published a new client, which you can download here. If you are upgrading from any other version, please mount the image and uninstall OpenAFS completely (you can find the scripts in the Extras folder, within the DMG). After rebooting the machine, install the AuriStor client and configure Kerberos in the same way as before (see bottom of this post for a sample). After that:

    • Open a Terminal and open with sudo /etc/yfs/cellservdb.conf. Remove the content of the file and add following lines

  • Edit /etc/yfs/thiscell.conf
  • Reboot your Mac
  • Open the Terminal.app and get a Kerberos ticket (refer to Step 5) and then “aklog”

A sample of a working /etc/krb5.conf file could be:

December 26, 2014 58 comments