19-december-2003

INTRODUCTION

This is the readme for the LCMAPS afs module. It explains the requisites of the AFS module.

First and foremost you need to install AFS at your site. Without a complete AFS installation, you will not be able to grant AFS access on your site. Explaining how to install AFS is beyond the scope of this document. Use any AFS package you feel comfortable with. One free package can be found at: http://www.openafs.org. Follow the install instructions found there.

Having a working set of AFS servers is the first step. Next you will need a package called gssklog. The AFS module uses this underneath to grant AFS access. The gssklog package consists of two executables. One is a client (gssklog), the other a daemon (gssklogd). The client asks the daemon for an AFS token. The daemon contacts one of the AFS servers in the local network to get an AFS token. When successful, the token is returned to the client.

OBTAINING GSSKLOG PACKAGE

The gssklog package can be obtained at: ftp://achilles.ctd.anl.gov/pub/DEE. For developing and testing the AFS module, version 0.9 has been used, i.e. gssklog-0.9.tar.

BUILDING

In order to install the gssklog package, first untar it and run ./configure with the appropriate options. For info on the options look at the README file in the gssklog package.

CONFIGURATION

The daemon must know how to map a grid credential name to an AFS account name. This is described in a map file. The map file can be found or created at: /etc/grid-security/afsgrid-mapfile. Entries in it should look like the following:

    "/O=Grid/O=Globus/OU=anl.gov/CN=John Doe" jdoe

Please note that if more than one mapping exists from a credential name to an AFS account, the first match is always used.

The daemon runs on one or more AFS servers and needs access to /usr/afs/etc/KeyFile, which contains the DES keys used by AFS. Also, with GSI the server's credential is a server certificate with "CN=gssklog/hostname" (!) and a matching private key. These default to: /etc/grid-security/afscert.pem and /etc/grid-security/afskey.pem. The trusted certificates directory, /etc/grid-security/certificates, is also needed. For more information, please read the README file of the gssklog package.

CAVEATS

The AFS module forks itself and the child process then calls execvp on the gssklog command. This means that the gssklog executable has to be in the search path of the AFS module, i.e. the environment variable PATH must include the path to the gssklog executable.
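
The first-match rule from the CONFIGURATION section, as an added example (not part of the LCMAPS or gssklog sources): a small C lookup over map entries that returns the account of the first match and counts how many entries name the same credential, so later entries that can never take effect are easy to spot. The sample map beyond the README's John Doe line, the skipping of non-entry lines, the exact string comparison and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample map: the first entry is the README's example line,
 * the remaining lines are made up for this demonstration. */
static const char SAMPLE_MAP[] =
    "# constructed comment line\n"
    "\"/O=Grid/O=Globus/OU=anl.gov/CN=John Doe\" jdoe\n"
    "\"/O=Grid/O=Example/CN=Alice Example\" alice\n"
    "\"/O=Grid/O=Globus/OU=anl.gov/CN=John Doe\" admin\n";

/* Parse one line of the form  "DN" account  (hypothetical helper).
 * Lines that do not start with a quoted name are skipped (assumption). */
static int parse_entry(const char *line, char dn[256], char acct[64])
{
    int used = 0;
    if (sscanf(line, "\"%255[^\"\n]\"%*[ \t]%63[^ \t\r\n]%n", dn, acct, &used) != 2)
        return 0;
    /* Reject an over-long account name instead of silently truncating it. */
    return strchr(" \t\r\n", line[used]) != NULL;
}

/* Returns how many entries name `dn` (exact match, an assumption). The
 * account of the FIRST one is copied to `out`; 0 means no mapping and a
 * value above 1 means later entries exist but are never used. */
int afs_map_lookup(const char *map, const char *dn, char *out, size_t outsz)
{
    char edn[256], acct[64];
    int hits = 0;
    const char *p = map;
    while (p && *p) {
        /* hits++ counts every match; only the first one is copied out */
        if (parse_entry(p, edn, acct) && strcmp(edn, dn) == 0 && hits++ == 0)
            snprintf(out, outsz, "%s", acct);
        p = strchr(p, '\n');
        if (p) p++;
    }
    return hits;
}

int main(void)
{
    char acct[64];
    int n = afs_map_lookup(SAMPLE_MAP, "/O=Grid/O=Globus/OU=anl.gov/CN=John Doe",
                           acct, sizeof acct);
    if (n > 0)
        printf("AFS account: %s, shadowed entries: %d\n", acct, n - 1);
    return n > 0 ? 0 : 1;
}
```

A return value above 1 for any credential name means the map file contains an entry that looks valid but is dead, which is worth cleaning up when reviewing who can obtain which AFS account.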