You are here

AFS for Debian / Ubuntu

Printer-friendly versionPrinter-friendly version

This page describes steps to get connectivity with DICE AFS on a non-DICE Debian (or derivative, e.g. Ubuntu) system.

Super-quick Summary

This should work for most Debian >=5 and Ubuntu >=10.x machines.

Run the following commands in a terminal. You might be prompted for some of the following:

Setting Value
Kerberos Servers
AFS Cell
AFS Cache size whatever you wish. Try 500000 (500Mb) if you are unsure.
$ sudo -i
# apt-get install krb5-config krb5-user ntp
# apt-get install openafs-client openafs-krb5 openafs-modules-dkms
# echo "" > /etc/openafs/ThisCell
# /etc/init.d/openafs-client start
# exit
$ kinit [DICE username]
$ aklog
$ cd /afs/[u]/[username]/ (for staff)
$ cd /afs/[MA]/sMATRIC/ (for students)

On the last line, [u/MA] is the first character(s) of your username/matric.

Get required packages

Install at least the following using # apt-get install ...

krb5-config krb5-user ntp
openafs-client openafs-krb5 openafs-modules-dkms

(if you are using Ubuntu you may need to enable the Universe repository for Kerberos packages.)

These packages will likely request configuration. Depending on the distribution this may configure your system correctly, but some distributions do not modify the configuration sufficiently to work with DICE.

Example dpkg prompts:

Setting Value
Kerberos realm INF.ED.AC.UK
AFS Cell
AFS Cache size not too important. Try 2000002000000, or as appropriate for the size of your dedicated AFS partition.
Kerberos Servers (any prompts)

Try filling in any other prompts using information extracted from the config files below, if you wish. Otherwise just replace the files as shown.

Extended Kerberos Configuration

'kinit' may probably work just by setting the kdc as above. If so, you can skip this step.

If it does not, or for more functionality (for example, iFriend AFS access seems to need this), you may also set up /etc/krb5.conf to the following (and lose dpkg-managed configuration of the file):

  default = FILE:/var/log/krb5libs.log

  default_realm = INF.ED.AC.UK
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 64800
  forwardable = yes

  INF.ED.AC.UK = {
    admin_server =
    default_domain =

[domain_realm] = INF.ED.AC.UK = INF.ED.AC.UK

  INF.ED.AC.UK = {
  ED.AC.UK = {

If you are using openafs version 1.4.11 on Ubuntu 10.04, or for any other reason also have Kerberos 1.8 installed, you will also need to add the following to the libdefaults section.

allow_weak_crypto = true

From version 1.4.12 onwards this is not necessary as openafs knows how to ask kerberos 1.8 for the correct configuration. At the time of writing, OpenAFS 1.6.14 is the current version with Ubuntu 15.10.

Configure AFS

The dkms package should have built the openafs kernel module for your installed kernel versions. It will continue to do so whenever a new version becomes available.

First, prepare a partition for OpenAFS. This can be your root partition (no configuration required), if it is formatted using ext2 or ext3.

If you did not set your AFS client as belonging to the '' cell at dpkg configuration-time, configure it now:

# echo "" > /etc/openafs/ThisCell

Now start OpenAFS:

# /etc/init.d/openafs-client start

Establish connection

Get your Kerberos credentials: type

$ kinit [DICE username]

and enter your password. Now establish your AFS credentials using

$ aklog

Your AFS home directory can be found in

/afs/[u]/[username]/ or /afs/[MA]/sMATRIC/

where [u/MA] is the first character(s) of your username/matric.

If you have problems, check that the openafs module is loaded, and check afs daemons are running. If the kernel module failed to build/load, try removing and then re-installing the module, and then stopping/restarting the client eg:

apt-get remove openafs-modules-dkms
apt-get install openafs-modules-dkms
/etc/init.d/openafs-client stop
/etc/init.d/openafs-client start

If the afs module still fails to load, check for any errors/warnings from the above commands.

Further Configuration

SSL Certificates

Installing the EUCS root certificates may be useful (though not required). A prepackaged certificate is available at: and this can be installed using # dpkg -i ....

Sorry, the certificates packaged here have expired (but are still installable and remain available to demonstrate how the latest certificates might be installed). The latest certificates can be found at


    according to software preference.


    Some Debian packages are compiled with Kerberos / GSSAPI support by default - you might be pleasantly surprised when applications no longer request your password. Other applications may need to be recompiled to take advantage of Kerberos authentication.

  • Last reviewed: 

    System Status

    Home dirs (AFS)
    Other services
    Scheduled downtime

    Choose a topic