16 Apr 2019
kafs - In-kernel AFS filesystem
kafs is a network filesystem driver in the Linux kernel that is able to access AFS cells and the servers contained therein to locate the logical volumes that comprise the cell and the files contained in each volume.
It supports transport over IPv4 UDP and IPv6 UDP and security based on Kerberos. The authentication token is used to define the user for the purpose of providing access control as well as providing communications security.
The filesystem is of type "afs" and the mount command can be used to mount afs volumes manually using the "-t" flag on mount(8).
The kafs-client package should be installed to so that systemd is configured to include a mount of AFS dynamic root on /afs. Note that mounting /afs is not enabled by default, so if it is needed, then systemd should be told to enable it. This can be done with the following step:
systemctl enable afs.mount
This will mount a special directory on /afs which will be populated by an automount directory for each cell listed in the configuration. Doing a pathwalk into one of these directories will result in the afs.cell volume from the cell being mounted onto that directory.
Local configuration should be placed in a file in the /etc/kafs/client.d/ directory. This will be included from client.conf in the next directory up.
Typically in the local configuration, the local cell name would be specified and backup details of its Volume Location server addresses would be given.
Also any overrides for the @sys filename substitution would be specified. See kafs-client.conf(5).
Once the kafs-client is set up (and if there’s no local cell, this is practically zero-conf, provided the cells to be accessed are properly set up with AFSDB or SRV records in the DNS), the /afs directory can be accessed:
The user isn’t limited to cells listed in /afs, but any cell can be tried by just substituting the name of the cell into the above formula. It does require the target to have DNS-based configuration provided.
Note that each logical volume gets a discrete superblock and links between volumes turn into kernel mountpoints that, if stepped on, cause the appropriate volume to be mounted over them.
kafs supports Kerberos-based authentication and communication encryption through the use of Kerberos. The kinit program can be use to authenticate with a Kerberos server:
and then the aklog-kafs program to get a ticket for the kernel filesystem to use:
This will be placed on the caller’s session keyring and can be viewed there with:
Note that the default realm is assumed to be the same as the cell name, but in all upper case.