04 January 2021

Installing AuriStorFS clients for macOS 11.0 Big Sur

Recently Apple released the next version of macOS, version 11.0, also known as Big Sur. In addition to adding support for ARM-based Apple Silicon, Big Sur removes most in-kernel network APIs from the set available to kernel extensions. AuriStorFS, as a full-service file system, uses a kernel extension to plug into the virtual filesystem (VFS) interface in order to provide access to all processes on a machine. The following are the details of installing and configuring AuriStorFS for Big Sur. Note that some details differ between Intel-based Macs and systems using Apple Silicon. We will attempt to distinguish where the steps differ.

You should also know that on Intel-based Macs, clients older than AuriStorFS v0.204 will not have access to AuriStorFS servers after the system is upgraded to Big Sur. Clients running v0.204 for their prior macOS version will continue to have access to AuriStorFS, but as always, AuriStor recommends that you install the client matching the major macOS release your system is running.

1) Download the AuriStorFS client installation package from https://www.auristor.com/filesystem/client-installer/ or your local licensed organization. If the disk image does not mount automatically, open the dmg file you just downloaded.
2) Double-click on “Auristor.pkg” to open the installation app. Click “Allow” to permit macOS to scan the application package to determine if it can be installed. Assuming you are installing the correct version for your system's version of macOS, the AuriStor End User License Agreement (EULA) will be displayed for you to read and accept.
3) Read the AuriStor EULA. If you agree to the terms, click “Continue”. Otherwise, terminate the installation app.
4) If you accepted the EULA, the installation app will display a "Read Me", which contains basic information about the AuriStorFS installation. Read the “Read Me” text and confirm that you are installing on Big Sur. Then click “Continue”.
5) A dialog requesting the system's default local AuriStorFS or OpenAFS cell name will be displayed. Enter the name of the cell that you wish to be the default for this machine.
6) An alias, which can be any name that you wish to use as an abbreviation for the full cell name when accessing it via /afs, can also be provided. The alias is optional. Note that entering a cell name for a cell which does not exist or is not accessible to this system can cause delays when accessing the mounted network drive. Select the installation location if the default is not the desired location. Click “Install” when the installation location is correct.
7) Enter an Administrator account name and password, then click “Install Software” to proceed.
8) The AuriStorFS client relies upon a proprietary System Extension. macOS Big Sur blocks all third-party System Extensions by default. Click “Open Security Preferences” to begin the process of approving the “AuriStor, Inc” System Extension.
9) Click the lock at lower left to make changes.
10) Enter an Administrator account name and password, then click “Unlock” to continue.
11) Click “Enable system extensions…” to continue.
Steps 12-22 apply to Apple Silicon systems only. Intel users may skip ahead to step 23.

12) New Apple Silicon Macs are configured from the factory to only accept System Extensions from Apple. To permit third-party System Extensions, the system must be rebooted and the Startup Security Utility must be executed.
13) Click “Shutdown” and then hold either the “Touch ID” button or the Power button for six seconds to enter the Startup Security Utility.
14) After the system reboots, the “Loading startup options …” message will be displayed.
15) If this is the first time startup options are executed, you will be prompted for your Language. Select the language of choice and click the right arrow to continue.
16) macOS Recovery will examine the available volumes. Select the volume on which the security policy should be set and then click “Security Policy …” to continue.
17) The default policy is “Full Security” which only permits operating system software and System Extensions from Apple to execute. Select the “Reduced Security” policy and enable “Allow user management of kernel extensions from identified developers”. (An identified developer in the context of macOS is a developer organization registered in Apple’s Developer program that has been approved for a System Extension Signing Certificate. “AuriStor, Inc.” is such a developer.) After selecting the new security policy click “OK” to continue.
18) A dialog list containing the set of Administrator accounts is provided. Select one, enter the matching password, and click “OK” to apply the Security Policy.
19) When the dialog clears the display will appear to be unchanged except that neither “Cancel” nor “OK” are available. Select “Restart” from the Apple menu at upper left to reboot the machine.
The system will restart.
20) After logging in to the desktop you will once again be prompted that the “AuriStor, Inc.” System Extension has been blocked. Click “Open Security Preferences” to continue.
21) Click the lock at lower left to make changes.
22) Enter an Administrator account name and password, then click “Unlock” to continue.
23) The dialog will report “System software from developer ‘AuriStor, Inc.’ was blocked from loading.” Click “Allow” to approve the “AuriStor, Inc.” System Extension.
24) Now that the “AuriStor, Inc.” System Extension has been approved, the system must be restarted to load it. Click “Restart” to continue.
25) After the system restarts and you have logged in to the desktop, the “Security & Privacy” pane will no longer prompt for “AuriStor, Inc.” approval.
26) Click the “˂” to return to the main System Preferences menu. The “AuriStor” icon will now be displayed.
27) Double-click the icon to open the AuriStorFS System Preferences dialog. When prompted to create the “~/Library/LaunchAgents” directory, click “Create” to continue.
28) Click “OK” to continue.
29) Click the lock at lower left to make changes.
30) Enter an Administrator account name and password, then click “OK” to continue.
31) For most configurations we recommend the following settings. Check both "AuriStor Menu" and "Backgrounder"; in Kerberos Settings, check "Use aklog" and "Get credential at login time".
32) The AuriStor Menu will then be displayed. Click the Menu and select “Get New Token” to acquire AuriStorFS tokens using Kerberos v5 authentication.
33) Enter your Kerberos v5 client principal and matching password, then click “OK”.
34) If tokens are successfully acquired, the AuriStor Menu icon will change to a checkmark badge. The token details will be listed in the AuriStorFS Preferences dialog.
35) Open the “Terminal” application in /Applications/Utilities, and list the “/afs” directory by running ls /afs. Upon first use of “/afs” by an application a dialog will appear requesting permission. Click “OK” to continue.
36) After permission is granted the contents of “/afs” will be displayed. By default, the “/afs” directory only contains two or three entries:
  1. @cell – an alias to the default cell name
  2. The default cell name
  3. The alias name if configured.
To display tokens from the command line use “tokens”.
The AuriStorFS client configuration is located under the /etc/yfs directory and may be configured as with any other AuriStor client.
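
The checks in steps 35-36 and the two notes above can be scripted as a post-install smoke test. This is an added example, not part of the original post or AuriStor's software; the function names and the cell name passed on the command line are assumptions, while /afs, /etc/yfs and tokens come from the article.

```shell
#!/bin/sh
# Post-install smoke test (added example, not AuriStor code).
# Function names are illustrative; /afs, /etc/yfs and "tokens" are from the article.

# entry_present DIR NAME: true if NAME exists in DIR. -L is tested too, so an
# alias whose target cell is unreachable still counts as present.
entry_present() {
    [ -e "$1/$2" ] || [ -L "$1/$2" ]
}

# check_afs_root ROOT CELL [ALIAS]: verify the default entries listed in
# step 36. Prints one line per missing entry and returns the number missing.
check_afs_root() {
    root=$1; cell=$2; alias_name=${3:-}
    missing=0
    if [ ! -d "$root" ]; then
        echo "MISSING: $root is not a directory"
        return 1
    fi
    set -- "@cell" "$cell" ${alias_name:+"$alias_name"}
    for name in "$@"; do
        if ! entry_present "$root" "$name"; then
            echo "MISSING: $root/$name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# run_checks CELL [ALIAS] [ROOT] [CONFDIR]: ROOT and CONFDIR default to the
# paths named in the article; overriding them is for testing only.
run_checks() {
    rc=0
    check_afs_root "${3:-/afs}" "$1" "${2:-}" || rc=1
    [ -d "${4:-/etc/yfs}" ] || { echo "MISSING: ${4:-/etc/yfs}"; rc=1; }
    if command -v tokens >/dev/null 2>&1; then
        tokens || true          # list current tokens
    else
        echo "NOTE: tokens command not found in PATH"
    fi
    return "$rc"
}

# Usage: sh afs-check.sh <cell> [alias]
if [ $# -gt 0 ]; then
    run_checks "$@"
fi
```

The first run from Terminal triggers the same /afs permission dialog described in step 35.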

3 comments:

  1. On an Apple Silicon M1 system, FileVault must be enabled in order to change the "Security Policy" from "Full Security" to "Reduced Security".

  2. Are there any plans to move from "legacy system extensions" (aka kernel extensions) to system extensions, so this practice of reducing security is no longer necessary?

    Aside from security, application functionality overall is at risk as the writing is on the wall that Apple will continue deprecating KPIs.

    Also, it's rumored they will remove kernel extension support altogether in a future version of macOS and/or future iteration of Apple Silicon. Microsoft and Dropbox were already impacted by macOS 12.3 breaking their file sync apps.

    Per Apple document "System and kernel extensions in macOS" (https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web):

    "Important: Kexts are no longer recommended for macOS. Kexts risk the integrity and reliability of the operating system. Users should prefer solutions that don’t require extending the kernel and use system extensions instead."

    Replies
    1. As of this reply, Apple has delivered no userspace system extension appropriate for supporting real-time file systems such as AuriStorFS (https://www.auristor.com/filesystem/), macFUSE (https://osxfuse.github.io/), or ZFS (https://openzfsonosx.org/). AuriStorFS is not a copy-and-sync file namespace. AuriStor will continue to support macOS users via kernel extensions until Apple ships a viable alternative. It is not possible for AuriStor to plan a migration to an application programming interface that does not exist.

      The AuriStorFS client for macOS 12 (Mojave) was unaffected by the KPI changes shipped in version 12.3 and later.
