I downloaded the 11 rpm files that comprise OpenAFS's current release as of 5-6-2004, getting

   openafs-1.2.11-rhel3.0.1.i386.rpm
   openafs-1.2.11-rhel3.0.1.src.rpm
   openafs-client-1.2.11-rhel3.0.1.i386.rpm
   openafs-compat-1.2.11-rhel3.0.1.i386.rpm
   openafs-debuginfo-1.2.11-rhel3.0.1.i386.rpm
   openafs-devel-1.2.11-rhel3.0.1.i386.rpm
   openafs-kernel-1.2.11-rhel3.0.1.i386.rpm
   openafs-kernel-source-1.2.11-rhel3.0.1.i386.rpm
   openafs-kpasswd-1.2.11-rhel3.0.1.i386.rpm
   openafs-krb5-1.2.11-rhel3.0.1.i386.rpm
   openafs-server-1.2.11-rhel3.0.1.i386.rpm

-----------------------------------------------------------------------

openafs-1.2.11-rhel3.0.1.i386.rpm =
   Commands in /usr/bin, /etc/sysconfig/afs, /etc/init.d/afs, and 358 Help files in /usr/share/doc/openafs-1.2.11. This looks like 1 of the 3 packages a client needs to install. Once installed, see all the manuals at file:///usr/share/doc/openafs-1.2.11/html/index.htm

openafs-1.2.11-rhel3.0.1.src.rpm =
   13 files that surprisingly get installed in /usr/src/redhat/SOURCES and /usr/src/redhat/SPECS. Unnecessary.

openafs-client-1.2.11-rhel3.0.1.i386.rpm =
   The second of 3 required packages for a client. Gets you four /lib/security/pam* files, a coupla more /usr/bin commands, /usr/vice/cache, the /usr/vice/etc configuration files, and other executables in /usr/vice/etc (eg, afsd and modload).

openafs-compat-1.2.11-rhel3.0.1.i386.rpm =
   Looks like compat links in /usr/afsws to the real stuff.

openafs-debuginfo-1.2.11-rhel3.0.1.i386.rpm =
   Source files.

openafs-devel-1.2.11-rhel3.0.1.i386.rpm =
   Source files.

openafs-kernel-1.2.11-rhel3.0.1.i386.rpm =
   .o files in /usr/vice/etc/modload. Prereq'd by openafs-client.

openafs-kernel-source-1.2.11-rhel3.0.1.i386.rpm =
   Source files.

openafs-kpasswd-1.2.11-rhel3.0.1.i386.rpm =
   /usr/bin/kpasswd & kpwvalid, but kpasswd is already delivered by the openafs-1.2.11-rhel3.0.1.i386.rpm package (although kpasswd isn't in there). I wonder if the /usr/bin/kpasswd is the same ...
   Doing two
      rpm2cpio openafs...rpm | cpio -i -d ./usr/bin/kpasswd
   commands extracted the 2 kpasswd's and yes, they are the same.

openafs-krb5-1.2.11-rhel3.0.1.i386.rpm =
   /usr/bin/aklog & /usr/sbin/asetkey

openafs-server-1.2.11-rhel3.0.1.i386.rpm =
   13 server binaries in /usr/afs/bin (eg, fileserver), /usr/afs/logs, and 3 /usr/sbin/*_check thingies.

-----------------------------------------------------------------------

The bottom line is, a client needs

   rpm -ivh openafs-1.2.11-rhel3.0.1.i386.rpm
   rpm -ivh openafs-kernel-1.2.11-rhel3.0.1.i386.rpm   (required by openafs-client)
   rpm -ivh openafs-client-1.2.11-rhel3.0.1.i386.rpm

To install on a non-AFS (duh!) system, as root on that system, you can,

   mkdir /tmp/afs
   cd /tmp/afs
   scp -p jasper@jasper:/afs/d/software/base/linux/openafs-1.2.11/* .
   rpm -ivh *rpm

   vi /usr/vice/etc/cacheinfo
      and set the cache size to 95% of the number of 1K blocks of /usr/vice/cache. 95% of 1GB (my standard), is 953850.

   vi /usr/vice/etc/ThisCell
      and set the cell name to delphion.com.

   vi /usr/vice/etc/CellServDB
      remove all the existing lines, and add just these two lines,
         >delphion.com # Thomson-Delphion
         10.224.88.241 #afs1.delphion.com

To start AFS,

   service afs start

To allow AFS-authenticated logins, ftp's, etc,

   cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth.Before.AFS
   cp -p --reply=yes system-auth /etc/pam.d/system-auth

To clean up,

   cd
   rm -rf /tmp/afs

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

As far as the pam authentication stuff goes, evidently these instructions don't know about the (new?) pam_stack.so, which allows you to define common authentication methods and to share them between different programs by including them.
The /etc/pam.d/login file for example, has

   #%PAM-1.0
   auth required pam_securetty.so
   auth required pam_stack.so service=system-auth
   auth required pam_nologin.so
   account required pam_stack.so service=system-auth
   password required pam_stack.so service=system-auth
   session required pam_stack.so service=system-auth
   session optional pam_console.so

Note that second line, which "includes" system-auth. It's this file, /etc/pam.d/system-auth, where we want to

1) Add this line before the pam_unix.so line

      auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root

2) Add try_first_pass to the pam_unix.so line, so that the password entered at the first "AFS Password:" prompt gets reused for local authentication. This is so that non-AFS ids can log in more easily.

3) Add this line at the end of the file so that users' tokens get deleted from memory when they log off,

      session optional /lib/security/pam_afs.so

4) While you're here, you may also want to comment out that securetty line so that root can log in from other machines.

After doing that and adding

   jasper:!!:10167:10167:Rick Jasper:/u/jasper:/bin/ksh

to /etc/passwd (note the group changed from 1 to 10167), and

   jasper:x:10167:jasper

to /etc/group,

   Oh yeah, our standard is also to
      ln -s /afs/d/u /u

jasper can log in, although I had to work on my .profile & .kshrc files.

=======================================================================
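
The system-auth edits in steps 1 to 3 above, written as a filter that can be rerun without duplicating lines. This is an added example, not part of the original notes; the function names and the sample file contents are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original notes: applies edits 1-3 to a
# system-auth file read on stdin and writes the result to stdout.
# The function names and the sample file below are assumptions.

afs_system_auth() {
    awk '
    # Remember pam_afs.so lines already present so a second run adds nothing.
    $1 == "auth"    && /pam_afs\.so/ { have_auth = 1 }
    $1 == "session" && /pam_afs\.so/ { have_sess = 1 }

    # The auth line for pam_unix.so: put pam_afs.so in front of it (edit 1)
    # and let it reuse the password typed at the AFS prompt (edit 2).
    $1 == "auth" && /pam_unix\.so/ {
        if (!have_auth) {
            print "auth        sufficient    /lib/security/pam_afs.so try_first_pass ignore_root"
            have_auth = 1
        }
        if ($0 !~ /try_first_pass/) $0 = $0 " try_first_pass"
    }
    { print }

    # Edit 3: session line at the end of the file, so tokens go away at logoff.
    END { if (!have_sess) print "session     optional      /lib/security/pam_afs.so" }
    '
}

# Constructed sample of a stock system-auth (module paths are illustrative).
sample_system_auth() {
    cat <<'EOF'
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
EOF
}

# Print the edited file; compare it with the input before installing it.
sample_system_auth | afs_system_auth
```

Write the output to a scratch file and diff it against /etc/pam.d/system-auth before copying it into place, keeping the system-auth.Before.AFS backup from the steps above.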