kafs - In-kernel AFS filesystem
"kafs" is a network filesystem driver in the Linux kernel that is able
to access AFS cells and the servers contained therein to locate the logical
volumes that comprise the cell and the files contained in each volume.
It supports transport over IPv4 UDP and IPv6 UDP and security based on Kerberos.
The authentication token is used to define the user for the purpose of
providing access control as well as providing communications security.
The filesystem is of type "afs" and the mount command can be used to
mount afs volumes manually using the "-t" flag on mount(8).
The "kafs-client" package should be installed so that systemd is
configured to include a mount of AFS dynamic root on /afs. Note that mounting
/afs is not enabled by default, so if it is needed, then "systemd"
should be told to enable it. This can be done with the following step:
systemctl enable afs.mount
This will mount a special directory on "/afs" which will be populated
by an automount directory for each cell listed in the configuration. Doing a
pathwalk into one of these directories will result in the "afs.cell"
volume from the cell being mounted onto that directory.
Local configuration should be placed in a file in the /etc/kafs/client.d/
directory. This will be included from the /etc/client.conf file.
Typically in the local configuration, the local cell name would be specified and
backup details of its Volume Location server addresses would be given.
Also any overrides for the @sys filename substitution would be specified. See
kafs-client.conf(5).
Once the kafs-client is set up (and if there's no local cell, this is
practically zero-conf, provided the cells to be accessed are properly set up
with AFSDB or SRV records in the DNS), the /afs directory can be accessed:
ls /afs/<cell>/location/within/cell
For example:
ls /afs/rivendell.example.com/doc
The user isn't limited to cells listed in /afs; any cell can be tried by
substituting the name of the cell into the above formula. This does require
the target cell to have DNS-based configuration provided.
Note that each logical volume gets a discrete superblock and links between
volumes turn into kernel mountpoints that, if stepped on, cause the
appropriate volume to be mounted over them.
kafs supports authentication and communication encryption through the use of
Kerberos. The "kinit" program can be used to authenticate with
a Kerberos server:
kinit [email protected]
and then the "aklog-kafs" program to get a ticket for the kernel
filesystem to use:
aklog-kafs rivendell.example.com
This will be placed on the caller's session keyring and can be viewed there
with:
keyctl show
Note that the default realm is assumed to be the same as the cell name, but in
all upper case.
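The token check described above, as an added example (not part of kafs-client or the original page): it parses "keyctl show" output for a kafs token for a given cell and derives the default realm from the cell name. It assumes the token appears as a key of type "rxrpc" described as "afs@<cell>"; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: check "keyctl show" output for a kafs token for a given cell.
# Assumption: aklog-kafs stores the token as a key of type "rxrpc" whose
# description is "afs@<cell>".

# Default Kerberos realm for a cell: the cell name in upper case.
kafs_default_realm() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Read "keyctl show" text on stdin; print the cell of every rxrpc afs@ key.
kafs_token_cells() {
    sed -n 's/^.*[[:space:]]rxrpc: afs@\([^[:space:]]*\)[[:space:]]*$/\1/p'
}

# Return 0 only if the listing on stdin holds a token for exactly cell $1.
kafs_has_token() {
    kafs_token_cells | grep -Fxq -- "$1"
}

# Constructed sample of "keyctl show" output (not captured from a real system).
SAMPLE_KEYRING='Session Keyring
 166543246 --alswrv   1000  1000  keyring: _ses
 539196288 --alswrv   1000    -1   \_ rxrpc: afs@rivendell.example.com
 717218923 --alswrv   1000  1000   \_ user: afs@mordor.example.com'

# Report on cell $1; $2 is a listing (defaults to the live session keyring).
kafs_check_cell() {
    listing=${2-$(keyctl show @s 2>/dev/null || true)}
    if printf '%s\n' "$listing" | kafs_has_token "$1"; then
        echo "token present for $1"
    else
        echo "no token for $1; run: kinit <user>@$(kafs_default_realm "$1") && aklog-kafs $1"
        return 1
    fi
}

kafs_check_cell rivendell.example.com "$SAMPLE_KEYRING"
kafs_check_cell mordor.example.com "$SAMPLE_KEYRING" || true
```

The second call reports a missing token because the only "afs@mordor.example.com" entry in the sample is a "user" key, not an "rxrpc" key.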
aklog-kafs(1),
kafs-client.conf(5),
keyctl(1),
kinit(1),
rxrpc(7),
session-keyring(7),
systemctl(1)
Copyright (C) 2019 Red Hat, Inc. All Rights Reserved.
Written by David Howells ([email protected])
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version.