It's actually easier for Mac admins, in my opinion, since you can use the campus Unix/Linux cluster machines, your Mac server already has the Kerberos bits built in, and you don't have to compile or install AFS components either.
You will, however, need to request permission to generate the keytabs. This is granted by the University's Kerberos authority: follow the instructions here, which ask you to send an email with the requisite information. The authority will reply when the proper access controls have been added, and you can then proceed to generate your keytabs.
The actual keytab generation can be done by ssh'ing to cardinal, vine, pod or any of the other hosts. In my experience the machine you use seems to matter, and I always use one of the hedge machines. Others may work, but my luck has always been solid with these computers. Perhaps it's the version of Ubuntu running on them; I'm not sure.
Here are the simplified instructions:
1) ssh to hedge.
2) at the prompt, run kinit to get a Kerberos ticket for your SUNet ID.
3) cd to a directory in your AFS space that's private and secure (an AFS ACL that grants access only to you).
4) run this command:
/usr/pubsw/sbin/leland_srvtab -u yoursunetid -f mysrvtab -k mykeytab service.myserver
leland_srvtab is the actual command. The -u yoursunetid part seems like it shouldn't be necessary, but it is (even if you've done the kinit step above). The -f mysrvtab part generates the Kerberos 4 srvtab, where "mysrvtab" is an arbitrary name you've chosen for that file; -k mykeytab does the same for Kerberos 5. service.myserver is the service name (say, rcmd, afpserver, cifs) plus a dot and the short hostname (not the fully qualified domain name).
An example command would be:
leland_srvtab -u nbfa -f cifs.srvtab -k cifs.keytab cifs.betenoire
The output in the terminal will be:
srvtab successfully created.
keytab successfully created.
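Before the keytab leaves your AFS directory, it is worth confirming that it actually holds the principal and encryption types you expect, and that nothing but your own account can read it. The following is an added example (Python, not code from the original page or from Stanford's tooling) that parses the MIT Kerberos 5 keytab format, which is what the -k file uses, and runs those checks. The realm EXAMPLE.EDU, the hostname betenoire.example.edu, the key bytes and the build_keytab helper are placeholders assumed for illustration, since the page gives neither a realm nor a fully qualified hostname; the Kerberos 4 srvtab from -f has a different layout and is not parsed here.

```python
"""Inspect a Kerberos 5 keytab (such as one written by leland_srvtab -k) before
copying it to a server.  Added example, not code from the original page: it
builds a constructed keytab in memory (realm, hostname and key bytes are
placeholders), parses it back with the MIT keytab layout (format 0x0502),
and runs the checks an admin wants before deploying the file."""
import os
import stat
import struct

KEYTAB_MAGIC = b"\x05\x02"        # MIT keytab, format version 2
KRB5_NT_SRV_HST = 3               # principal name type: service/host
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 16, 23}  # single DES, des3-cbc-sha1, RC4


def build_keytab(entries):
    """Serialize (realm, components, kvno, enctype, key, timestamp) tuples.
    Only used to construct sample input here; real keytabs come from the KDC."""
    out = bytearray(KEYTAB_MAGIC)
    for realm, comps, kvno, enctype, key, ts in entries:
        # every string is a 'counted octet string': uint16 length, then bytes
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", KRB5_NT_SRV_HST, ts, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)           # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict per live entry; negative-size entries are deleted slots."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab: %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                              # deleted entry: skip the hole
            pos -= size
            continue
        end = pos + size
        p = pos

        def take_str():                           # counted octet string at p
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            p += 2 + n
            return data[p - n:p].decode()

        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm = take_str()
        comps = [take_str() for _ in range(ncomp)]
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, p)
        enctype, klen = struct.unpack_from(">HH", data, p + 9)
        p += 13
        key = data[p:p + klen]
        p += klen
        kvno = vno8
        if end - p >= 4:                          # optional 32-bit kvno field
            (kvno32,) = struct.unpack_from(">I", data, p)
            kvno = kvno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype_id": enctype,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "timestamp": ts, "key": key})
        pos = end
    return entries


def check_keytab(data: bytes, expected_principal: str):
    """Return a list of problems; an empty list means the keytab looks right."""
    entries = parse_keytab(data)
    problems = [] if entries else ["keytab has no entries"]
    found = {e["principal"] for e in entries}
    if expected_principal not in found:
        problems.append("expected %s, found %s" % (expected_principal, sorted(found)))
    for e in entries:
        if e["enctype_id"] in WEAK_ENCTYPES:
            problems.append("weak enctype %s for %s" % (e["enctype"], e["principal"]))
    return problems


def check_keytab_file(path: str, expected_principal: str):
    """File-level check: the keytab must also be readable by its owner only."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o: keytab is group- or world-accessible" % mode)
    with open(path, "rb") as f:
        problems += check_keytab(f.read(), expected_principal)
    return problems


# Constructed sample: realm, host and key bytes are placeholders, not page values.
SAMPLE = build_keytab([
    ("EXAMPLE.EDU", ["cifs", "betenoire.example.edu"], 3, 18, bytes(range(32)), 1700000000),
    ("EXAMPLE.EDU", ["cifs", "betenoire.example.edu"], 3, 17, bytes(range(16)), 1700000000),
])
```

On a real file, run check_keytab_file("cifs.keytab", "cifs/<fqdn>@<REALM>") with your own FQDN and realm after the import on the server; klist -k cifs.keytab from the MIT tools gives the same principal and kvno listing if you would rather not carry a script around. A non-empty result for the mode check means the file must be chmod 600 (and owned by root on the server) before the service uses it.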
You should have a process in place for handling these keytabs so that they're kept exceptionally secure: anyone who obtains the keytab holds the service's long-term key and can impersonate that service. My process is to use the OpenAFS desktop tool running on my Mac laptop, so that my AFS space is accessible via the Finder. I make an encrypted disk image using Disk Utility (with a high-quality password) and transfer the tabs to this virtual disk; then, when I need to import them on my server, I just scp the .dmg to my server's desktop. This way I have a secure repository for my server's tabs while keeping the .dmg in multiple locations. Once the tabs are imported, delete the copy from the desktop and make sure the installed keytab is owned by root and readable only by root. I won't need to regenerate the keytabs if I rebuild the server in the future, only if the hostname changes.