Contents of /xml/htdocs/doc/en/openafs.xml

Revision 1.18
Sat Jul 2 09:40:23 2005 UTC by swift
Branch: MAIN
Changes since 1.17: +27 -27 lines
File MIME type: application/xml
Fix pre captions

1 zhen 1.3 <?xml version='1.0' encoding="UTF-8"?>
2 swift 1.18 <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/openafs.xml,v 1.17 2004/09/22 11:42:11 swift Exp $ -->
3 drobbins 1.1
4     <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
5    
6 zhen 1.2 <guide link = "/doc/en/openafs.xml">
7 drobbins 1.1 <title>Gentoo Linux OpenAFS Guide</title>
8     <author title="Editor">
9     <mail link="darks@gentoo.org">Holger Brueckner</mail>
10     </author>
11 bennyc 1.8 <author title="Editor">
12     <mail link="bennyc@gentoo.org">Benny Chuang</mail>
13     </author>
14 blubber 1.10 <author title="Editor">
15     <mail link="blubber@gentoo.org">Tiemo Kieft</mail>
16     </author>
17 swift 1.17 <author title="Editor">
18     <mail link="fnjordy@gmail.com">Steven McCoy</mail>
19     </author>
20 drobbins 1.1
21     <abstract>
22     This guide shows you how to install an OpenAFS server and client on Gentoo Linux.
23     </abstract>
24    
25 swift 1.9 <license/>
26    
27 swift 1.18 <version>0.8</version>
28     <date>2005-07-02</date>
29 drobbins 1.1
30     <chapter>
31     <title>Overview</title>
32     <section>
33     <title>About this Document</title>
34     <body>
35     <p>This document provides you with all necessary steps to install an OpenAFS server on Gentoo Linux.
36     Parts of this document are taken from the AFS FAQ and IBM's Quick Beginnings guide on AFS. Well, never reinvent
37 blubber 1.10 the wheel :)</p>
38 drobbins 1.1 </body>
39     </section>
40     <section>
41     <title>What is AFS?</title>
42     <body>
43    
44     <p>
45     AFS is a distributed filesystem that enables co-operating hosts
46     (clients and servers) to efficiently share filesystem resources
47     across both local area and wide area networks. Clients keep a local
48     cache of frequently used objects (files) to get quicker
49     access to them.
50     </p>
51     <p>
52     AFS is based on a distributed file system originally developed
53     at the Information Technology Center at Carnegie-Mellon University
54     that was called the "Andrew File System". "Andrew" was the name of the research project at CMU - honouring the
55     founders of the University. Once Transarc was formed and AFS became a
56     product, the "Andrew" was dropped to indicate that AFS had gone beyond
57     the Andrew research project and had become a supported, product quality
58     filesystem. However, there were a number of existing cells that rooted
59     their filesystem as /afs. At the time, changing the root of the filesystem
60     was a non-trivial undertaking. So, to save the early AFS sites from having
61     to rename their filesystem, AFS remained as the name and filesystem root.
62     </p>
63     </body>
64     </section>
65     <section>
66     <title>What is an AFS cell?</title>
67     <body>
68     <p>An AFS cell is a collection of servers grouped together administratively
69     and presenting a single, cohesive filesystem. Typically, an AFS cell is a set of
70     hosts that use the same Internet domain name (for example gentoo.org).
71     Users log into AFS client workstations, which request information and files
72     from the cell's servers on behalf of the users. Users don't know on which server
73     the file they are accessing is located. They won't even notice if a server
74     is moved to another room, since every volume can be replicated and moved
75 swift 1.11 to another server without any user noticing. The files are always accessible.
76 drobbins 1.1 Well, it's like NFS on steroids :)
77     </p>
78     </body>
79     </section>
80     <section>
81     <title>What are the benefits of using AFS?</title>
82     <body>
83     <p>The main strengths of AFS are its:</p>
84     <ul>
85     <li>caching facility (on the client side, typically 100MB to 1GB),</li>
86     <li>security features (Kerberos 4 based, access control lists),</li>
87     <li>simplicity of addressing (you just have one filesystem),</li>
88     <li>scalability (add further servers to your cell as needed),</li>
89     <li>communications protocol.</li>
90     </ul>
91     </body>
92     </section>
93     <section>
94     <title>Where can I get more information?</title>
95     <body>
96     <p>
97     Read the <uri link="http://www.angelfire.com/hi/plutonic/afs-faq.html">AFS FAQ</uri>.
98     </p>
99     <p>
100     The OpenAFS home page is at <uri link="http://www.openafs.org">www.openafs.org</uri>.
101     </p>
102     <p>
103     AFS was originally developed by Transarc, which is now owned by IBM.
104     You can find some information about AFS on
105     <uri link="http://www.transarc.ibm.com/Product/EFS/AFS/index.html">Transarc's web page</uri>.
106     </p>
107     </body>
108     </section>
109    
110     </chapter>
111    
112     <chapter>
113     <title>Documentation</title>
114     <section>
115     <title>Getting AFS Documentation</title>
116     <body>
117     <p>
118     You can get the original IBM AFS documentation. It is very well written and you
119     really want to
120     read it if it is up to you to administer an AFS server.
121     </p>
122 swift 1.18 <pre caption="Installing afsdoc">
123 drobbins 1.1 # <i>emerge app-doc/afsdoc</i>
124     </pre>
125     </body>
126     </section>
127     </chapter>
128    
129     <chapter>
130     <title>Client Installation</title>
131     <section>
132     <title>Preliminary Work</title>
133     <body>
134     <note>
135 swift 1.11 All commands should be written on one line! In this document they are
136 drobbins 1.1 sometimes wrapped to two lines to make them easier to read.
137     </note>
138     <note>
139     Unfortunately the AFS client needs an ext2 partition for its cache to run
140     correctly, because there are some locking issues with reiserfs. You need to
141     create an ext2 partition of approx. 200MB (more won't hurt) and mount it at
142     <path>/usr/vice/cache</path>.
143     </note>
144     <p>
145 swift 1.11 You should adjust the two files CellServDB and ThisCell before you build the
146     AFS client. (These files are in <path>/usr/portage/net-fs/openafs/files</path>.)
147 drobbins 1.1 </p>
148 swift 1.18 <pre caption="Adjusting CellServDB and ThisCell">
149 drobbins 1.1 CellServDB:
150     >netlabs #Cell name
151     10.0.0.1 #storage
152    
153     ThisCell:
154     netlabs
155     </pre>
156 swift 1.13
157     <warn>
158     Only use spaces inside the <path>CellServDB</path> file. The client will most
159     likely fail if you use TABs.
160     </warn>
161    
162 drobbins 1.1 <p>
163     CellServDB tells your client which server(s) it needs to contact for a
164     specific cell. ThisCell should be quite obvious: it holds the name of your own
165     cell. Normally you use a name which is unique for your organisation. Your
166     (official) domain might be a good choice.
167     </p>
168     </body>
169     </section>
170     <section>
171     <title>Building the Client</title>
172     <body>
173 swift 1.18 <pre caption="Installing openafs">
174 swift 1.11 # <i>emerge net-fs/openafs</i>
175 drobbins 1.1 </pre>
176     <p>
177 blubber 1.10 After successful compilation you're ready to go.
178 drobbins 1.1 </p>
179     </body>
180     </section>
181     <section>
182     <title>Starting afs on startup</title>
183     <body>
184     <p>
185     The following command will create the appropriate links to start your AFS client
186     on system startup.
187     </p>
188     <warn>
189     You should always have a running AFS server in your domain when trying to start the AFS client. Your system won't finish booting
190     until the client times out if your AFS server is down (and that timeout is quite long).
191     </warn>
192 swift 1.18 <pre caption="Adding afs to the default runlevel">
193 drobbins 1.1 # <i>rc-update add afs default</i>
194     </pre>
195     </body>
196     </section>
197     </chapter>
198    
199     <chapter>
200     <title>Server Installation</title>
201     <section>
202     <title>Building the Server</title>
203     <body>
204     <p>
205 swift 1.4 The following command will install all necessary binaries for setting up an AFS Server
206 cam 1.14 <e>and</e> Client.
207 drobbins 1.1 </p>
208 swift 1.18 <pre caption="Installing openafs">
209 swift 1.11 # <i>emerge net-fs/openafs</i>
210 drobbins 1.1 </pre>
211     </body>
212     </section>
213     <section>
214     <title>Starting AFS Server</title>
215     <body>
216     <p>
217     You need to remove the sample CellServDB and ThisCell files first.
218     </p>
219 swift 1.18 <pre caption="Remove sample files">
220 drobbins 1.1 # <i>rm /usr/vice/etc/ThisCell</i>
221     # <i>rm /usr/vice/etc/CellServDB</i>
222     </pre>
223     <p>
224     Next you will run the <b>bosserver</b> command to initialize the Basic OverSeer (BOS)
225     Server, which monitors and controls other AFS server processes on its server
226     machine. Think of it as init for the system. Include the <b>-noauth</b>
227     flag to disable authorization checking, since you haven't added the admin user yet.
228     </p>
229     <warn>
230     Disabling authorization checking gravely compromises cell security.
231     You must complete all subsequent steps in one uninterrupted pass
232     and must not leave the machine unattended until you restart the BOS Server with
233     authorization checking enabled. Well this is what the AFS documentation says :)
234     </warn>
235 swift 1.18 <pre caption="Initialize the Basic OverSeer Server">
236 drobbins 1.1 # <i>/usr/afs/bin/bosserver -noauth &amp;</i>
237     </pre>
238     <p>
239     Verify that the BOS Server created <path>/usr/vice/etc/CellServDB</path>
240     and <path>/usr/vice/etc/ThisCell</path>
241     </p>
242 swift 1.18 <pre caption="Check if CellServDB and ThisCell are created">
243 drobbins 1.1 # <i>ls -al /usr/vice/etc/</i>
244     -rw-r--r-- 1 root root 41 Jun 4 22:21 CellServDB
245     -rw-r--r-- 1 root root 7 Jun 4 22:21 ThisCell
246     </pre>
247    
248     </body>
249     </section>
250     <section>
251     <title>Defining Cell Name and Membership for Server Process</title>
252     <body>
253     <p>
254     Now assign your cell's name.
255     </p>
256     <impo>There are some restrictions on the name format.
257     Two of the most important restrictions are that the name
258     cannot include uppercase letters or more than 64 characters. Remember that
259     your cell name will show up under <path>/afs</path>, so you might want to choose
260     a short one.</impo>
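An added check, written for this page and not part of the Gentoo guide or of OpenAFS, that verifies the CellServDB and ThisCell files from the client section against the rules stated there and here: spaces only (no TABs), lowercase cell names of at most 64 characters, a dotted-quad address on every server line, and a ThisCell value that CellServDB actually lists. The function names and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# cellservdb_check CELLSERVDB THISCELL
# Added example, not part of the Gentoo guide or of OpenAFS. Reports every
# violation it finds and returns non-zero if there was at least one.
cellservdb_check() {
    db=$1
    this=$2
    rc=0
    tab=$(printf '\t')
    # The guide warns that the client will most likely fail on TABs.
    if grep -q "$tab" "$db"; then
        echo "CellServDB: contains TAB characters, use spaces only"
        rc=1
    fi
    LC_ALL=C awk -v thiscell="$(head -n 1 "$this")" '
    /^>/ {
        # Cell header: ">name", optionally followed by "#comment".
        name = substr($1, 2)
        seen_header = 1
        cells[name] = 1
        if (length(name) == 0) { print "line " NR ": empty cell name"; bad = 1 }
        if (name ~ /[A-Z]/)    { print "cell " name ": uppercase letters are not allowed"; bad = 1 }
        if (length(name) > 64) { print "cell " name ": longer than 64 characters"; bad = 1 }
        next
    }
    /^[ ]*$/ { next }   # blank lines carry no information
    {
        # Server line: "A.B.C.D #hostname"; every octet must be 0-255.
        if (!seen_header) { print "line " NR ": server address before any >cell header"; bad = 1 }
        n = split($1, o, ".")
        ok = (n == 4)
        for (i = 1; i <= n && ok; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] > 255) ok = 0
        if (!ok) { print "line " NR ": \"" $1 "\" is not a dotted-quad address"; bad = 1 }
    }
    END {
        if (!(thiscell in cells)) { print "ThisCell \"" thiscell "\" is not listed in CellServDB"; bad = 1 }
        exit bad
    }' "$db" || rc=1
    return $rc
}

# write_samples DIR: constructed sample files (not taken from any real cell).
write_samples() {
    printf '>netlabs #Cell name\n10.0.0.1 #storage\n' > "$1/CellServDB.good"
    printf 'netlabs\n' > "$1/ThisCell.good"
    # Four problems: a TAB, an uppercase cell name, an octet above 255,
    # and a ThisCell naming a cell that CellServDB does not list.
    printf '>NetLabs\t#Cell name\n10.0.0.300 #storage\n' > "$1/CellServDB.bad"
    printf 'otherlab\n' > "$1/ThisCell.bad"
}

# Demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
cellservdb_check "$demo_dir/CellServDB.good" "$demo_dir/ThisCell.good" && echo "good sample: OK"
cellservdb_check "$demo_dir/CellServDB.bad" "$demo_dir/ThisCell.bad" || echo "bad sample: problems found, as expected"
rm -rf "$demo_dir"
```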
261 cam 1.14 <note>In the following and every instruction in this guide, for the &lt;server name&gt;
262 drobbins 1.1 argument substitute the fully-qualified hostname
263     (such as <b>afs.gentoo.org</b>) of the machine you are installing.
264 cam 1.14 For the &lt;cell name&gt;
265 drobbins 1.1 argument substitute your cell's complete name (such as <b>gentoo</b>).</note>
266     <p>
267     Run the <b>bos setcellname</b> command to set the cell name:
268     </p>
269 swift 1.18 <pre caption="Set the cell name">
270 cam 1.14 # <i>/usr/afs/bin/bos setcellname &lt;server name&gt; &lt;cell name&gt; -noauth</i>
271     </pre>
272 drobbins 1.1 </body>
273     </section>
274     <section>
275     <title>Starting the Database Server Process</title>
276     <body><p>
277     Next use the <b>bos create</b> command to create entries for the four database
278     server processes in the
279     <path>/usr/afs/local/BosConfig</path> file. The four processes run on database
280     server machines only.
281     </p>
282 cam 1.14
283 drobbins 1.1 <table>
284     <tr>
285     <ti>kaserver</ti>
286 bennyc 1.8 <ti>The Authentication Server maintains the Authentication Database.
287     This can be replaced by a Kerberos 5 daemon. If anybody wants to try that
288     feel free to update this document :)</ti>
289     </tr>
290     <tr>
291     <ti>buserver</ti>
292     <ti>The Backup Server maintains the Backup Database</ti>
293     </tr>
294     <tr>
295     <ti>ptserver</ti>
296     <ti>The Protection Server maintains the Protection Database</ti>
297     </tr>
298     <tr>
299     <ti>vlserver</ti>
300     <ti>The Volume Location Server maintains the Volume Location Database (VLDB).
301     Very important :)</ti>
302     </tr>
303     </table>
304 swift 1.18 <pre caption="Create entries for the database processes">
305 drobbins 1.1 # <i>/usr/afs/bin/bos create &lt;server name&gt; kaserver simple
306     /usr/afs/bin/kaserver -cell &lt;cell name&gt; -noauth</i>
307     # <i>/usr/afs/bin/bos create &lt;server name&gt; buserver simple
308     /usr/afs/bin/buserver -cell &lt;cell name&gt; -noauth</i>
309     # <i>/usr/afs/bin/bos create &lt;server name&gt; ptserver simple
310     /usr/afs/bin/ptserver -cell &lt;cell name&gt; -noauth</i>
311     # <i>/usr/afs/bin/bos create &lt;server name&gt; vlserver simple
312     /usr/afs/bin/vlserver -cell &lt;cell name&gt; -noauth</i>
313     </pre>
314     <p>
315     You can verify that all servers are running with the <b>bos status</b> command:
316     </p>
317 swift 1.18 <pre caption="Check if all the servers are running">
318 drobbins 1.1 # <i>/usr/afs/bin/bos status &lt;server name&gt; -noauth</i>
319     Instance kaserver, currently running normally.
320     Instance buserver, currently running normally.
321     Instance ptserver, currently running normally.
322     Instance vlserver, currently running normally.
323     </pre>
324    
325     </body>
326     </section>
327     <section>
328     <title>Initializing Cell Security</title>
329     <body>
330     <p>
331     Now we'll initialize the cell's security mechanisms. We'll begin by creating the
332     following two initial entries in the
333 bennyc 1.8 Authentication Database: The main administrative account, called <b>admin</b> by
334 drobbins 1.1 convention and an entry for
335     the AFS server processes, called <b>afs</b>. No user logs in under the
336     identity <b>afs</b>, but the Authentication
337     Server's Ticket Granting Service (TGS) module uses the account
338     to encrypt the server tickets that it grants to AFS clients. This sounds
339     pretty much like Kerberos :)
340     </p>
341     <p>
342     Enter <b>kas</b> interactive mode:
343     </p>
344 swift 1.18 <pre caption="Entering the interactive mode">
345 drobbins 1.1 # <i>/usr/afs/bin/kas -cell &lt;cell name&gt; -noauth</i>
346     ka&gt; <i>create afs</i>
347     initial_password:
348     Verifying, please re-enter initial_password:
349     ka&gt; <i>create admin</i>
350     initial_password:
351     Verifying, please re-enter initial_password:
352     ka&gt; <i>examine afs</i>
353    
354     User data for afs
355     key (0) cksum is 2651715259, last cpw: Mon Jun 4 20:49:30 2001
356     password will never expire.
357     An unlimited number of unsuccessful authentications is permitted.
358     entry never expires. Max ticket lifetime 100.00 hours.
359     last mod on Mon Jun 4 20:49:30 2001 by &lt;none&gt;
360     permit password reuse
361     ka&gt; <i>setfields admin -flags admin</i>
362     ka&gt; <i>examine admin</i>
363    
364     User data for admin (ADMIN)
365     key (0) cksum is 2651715259, last cpw: Mon Jun 4 20:49:59 2001
366     password will never expire.
367     An unlimited number of unsuccessful authentications is permitted.
368     entry never expires. Max ticket lifetime 25.00 hours.
369     last mod on Mon Jun 4 20:51:10 2001 by &lt;none&gt;
370     permit password reuse
371     ka&gt;
372     </pre>
373     <p>
374     Run the <b>bos adduser</b> command, to add the <b>admin</b> user to
375     the <path>/usr/afs/etc/UserList</path>.
376     </p>
377 swift 1.18 <pre caption="Add the admin user to the UserList">
378 drobbins 1.1 # <i>/usr/afs/bin/bos adduser &lt;server name&gt; admin -cell &lt;cell name&gt; -noauth</i>
379     </pre>
380     <p>
381     Issue the <b>bos addkey</b> command to define the AFS Server
382     encryption key in <path>/usr/afs/etc/KeyFile</path>.
383     </p>
384     <note>
385     If asked for the input key, give the password you entered when creating
386     the afs entry with <b>kas</b>.
387     </note>
388 swift 1.18 <pre caption="Entering the password">
389 drobbins 1.1 # <i>/usr/afs/bin/bos addkey &lt;server name&gt; -kvno 0 -cell &lt;cell name&gt; -noauth</i>
390     input key:
391     Retype input key:
392     </pre>
393     <p>
394     Issue the <b>pts createuser</b> command to create a Protection Database
395     entry for the admin user.
396     </p>
397     <note>
398     By default, the Protection Server assigns AFS UID 1 to the <b>admin</b> user, because
399     it is the first user
400     entry you are creating. If the local password file (/etc/passwd or equivalent)
401     already has an entry for
402     <b>admin</b> that assigns a different UID, use the <b>-id</b> argument
403     to create matching UIDs.
404     </note>
405 swift 1.18 <pre caption="Create a Protection Database entry for the database user">
406 drobbins 1.1 # <i>/usr/afs/bin/pts createuser -name admin -cell &lt;cell name&gt; [-id &lt;AFS UID&gt;] -noauth</i>
407     </pre>
408     <p>
409     Issue the <b>pts adduser</b> command to make the <b>admin</b> user a member
410     of the system:administrators group,
411 swift 1.5 and the <b>pts membership</b> command to verify the new membership.
412 drobbins 1.1 </p>
413 swift 1.18 <pre caption="Make admin a member of the administrators group and verify">
414 drobbins 1.1 # <i>/usr/afs/bin/pts adduser admin system:administrators -cell &lt;cell name&gt; -noauth</i>
415     # <i>/usr/afs/bin/pts membership admin -cell &lt;cell name&gt; -noauth</i>
416     Groups admin (id: 1) is a member of:
417     system:administrators
418     </pre>
419     <p>
420     Restart all AFS server processes.
421     </p>
422 swift 1.18 <pre caption="Restart all AFS server processes">
423 drobbins 1.1 # <i>/usr/afs/bin/bos restart &lt;server name&gt; -all -cell &lt;cell name&gt; -noauth</i>
424     </pre>
425     </body>
426     </section>
427     <section>
428     <title>Starting the File Server, Volume Server and Salvager</title>
429     <body>
430     <p>
431 swift 1.5 Start the <b>fs</b> process, which consists of the File Server, Volume Server and Salvager (fileserver,
432 drobbins 1.1 volserver and salvager processes).
433     </p>
434 swift 1.18 <pre caption="Start the fs process">
435 drobbins 1.1 # <i>/usr/afs/bin/bos create &lt;server name&gt; fs fs /usr/afs/bin/fileserver
436     /usr/afs/bin/volserver
437     /usr/afs/bin/salvager
438     -cell &lt;cell name&gt; -noauth</i>
439     </pre>
440     <p>
441     Verify that all processes are running.
442     </p>
443 swift 1.18 <pre caption="Check if all processes are running">
444 drobbins 1.1 # <i>/usr/afs/bin/bos status &lt;server name&gt; -long -noauth</i>
445     Instance kaserver, (type is simple) currently running normally.
446     Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
447     Last exit at Mon Jun 4 21:07:17 2001
448     Command 1 is '/usr/afs/bin/kaserver'
449    
450     Instance buserver, (type is simple) currently running normally.
451     Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
452     Last exit at Mon Jun 4 21:07:17 2001
453     Command 1 is '/usr/afs/bin/buserver'
454    
455     Instance ptserver, (type is simple) currently running normally.
456     Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
457     Last exit at Mon Jun 4 21:07:17 2001
458     Command 1 is '/usr/afs/bin/ptserver'
459    
460     Instance vlserver, (type is simple) currently running normally.
461     Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
462     Last exit at Mon Jun 4 21:07:17 2001
463     Command 1 is '/usr/afs/bin/vlserver'
464    
465     Instance fs, (type is fs) currently running normally.
466     Auxiliary status is: file server running.
467     Process last started at Mon Jun 4 21:09:30 2001 (2 proc starts)
468     Command 1 is '/usr/afs/bin/fileserver'
469     Command 2 is '/usr/afs/bin/volserver'
470     Command 3 is '/usr/afs/bin/salvager'
471     </pre>
472     <p>
473     Your next action depends on whether you have ever run AFS file server machines
474     in the cell:
475     </p>
476     <p>
477     If you are installing the first AFS Server ever in the cell create the
478     first AFS volume, <b>root.afs</b>
479     </p>
480     <note>
481     For the partition name argument, substitute the name of one of the machine's
482     AFS Server partitions. By convention
483 swift 1.15 these partitions are named <path>/vicepx</path>, where x is in the range of a-z.
484 drobbins 1.1 </note>
485 swift 1.18 <pre caption="Create the root.afs volume">
486 drobbins 1.1 # <i>/usr/afs/bin/vos create &lt;server name&gt;
487     &lt;partition name&gt; root.afs
488     -cell &lt;cell name&gt; -noauth</i>
489     </pre>
490     <p>
491     If there are existing AFS file server machines and volumes in the cell,
492     issue the <b>vos syncvldb</b> and <b>vos
493     syncserv</b> commands to synchronize the VLDB (Volume Location Database) with
494     the actual state of volumes on the local machine. This will copy all necessary data to your
495     new server.
496     </p>
497 swift 1.15 <p>
498     If the command fails with the message "partition /vicepa does not exist on
499 neysx 1.16 the server", ensure that the partition is mounted before running OpenAFS
500 swift 1.15 servers, or mount the directory and restart the processes using
501     <c>/usr/afs/bin/bos restart &lt;server name&gt; -all -cell &lt;cell
502     name&gt; -noauth</c>.
503     </p>
504 swift 1.18 <pre caption="Synchronise the VLDB">
505 drobbins 1.1 # <i>/usr/afs/bin/vos syncvldb &lt;server name&gt; -cell &lt;cell name&gt; -verbose -noauth</i>
506     # <i>/usr/afs/bin/vos syncserv &lt;server name&gt; -cell &lt;cell name&gt; -verbose -noauth</i>
507     </pre>
508     </body>
509     </section>
510     <section>
511     <title>Starting the Server Portion of the Update Server</title>
512     <body>
513 swift 1.18 <pre caption="Start the update server">
514 drobbins 1.1 # <i>/usr/afs/bin/bos create &lt;server name&gt;
515     upserver simple "/usr/afs/bin/upserver
516     -crypt /usr/afs/etc -clear /usr/afs/bin"
517     -cell &lt;cell name&gt; -noauth</i>
518     </pre>
519     </body>
520     </section>
521     <section>
522     <title>Configuring the Top Level of the AFS filespace</title>
523     <body>
524     <p>
525     First you need to set some ACLs, so that any user can look up <path>/afs</path>.
526     </p>
527 swift 1.18 <pre caption="Set access control lists">
528 drobbins 1.1 # <i>/usr/afs/bin/fs setacl /afs system:anyuser rl</i>
529     </pre>
530     <p>
531 swift 1.6 Then you need to create the root volume, mount it read-only at <path>/afs/&lt;cell name&gt;</path> and read/write
532 drobbins 1.1 at <path>/afs/.&lt;cell name&gt;</path>.
533 cam 1.14 </p>
534 swift 1.18 <pre caption="Prepare the root volume">
535 drobbins 1.1 # <i>/usr/afs/bin/vos create &lt;server name&gt; &lt;partition name&gt; root.cell</i>
536     # <i>/usr/afs/bin/fs mkmount /afs/&lt;cell name&gt; root.cell </i>
537     # <i>/usr/afs/bin/fs setacl /afs/&lt;cell name&gt; system:anyuser rl</i>
538 cam 1.14 # <i>/usr/afs/bin/fs mkmount /afs/.&lt;cell name&gt; root.cell -rw</i>
539 drobbins 1.1 </pre>
540     <p>
541     Finally you're done !!! You should now have a working AFS file server
542     on your local network. Time to get a big
543     cup of coffee and print out the AFS documentation !!!
544     </p>
545     <note>
546     It is very important for the AFS server to function properly that all system
547     clocks are synchronized.
548     This is best
549     accomplished by installing an NTP server on one machine (e.g. the AFS server)
550     and synchronizing all client clocks
551     with an NTP client. This can also be done by the AFS client.
552     </note>
553     </body>
554     </section>
555    
556     </chapter>
557    
558     <chapter>
559 swift 1.17 <title>Basic Administration</title>
560     <section>
561     <title>Disclaimer</title>
562     <body>
563    
564     <p>
565     OpenAFS is an extensive technology. Please read the AFS documentation for more
566     information. We only list a few administrative tasks in this chapter.
567     </p>
568    
569     </body>
570     </section>
571     <section>
572     <title>Configuring PAM to Acquire an AFS Token on Login</title>
573     <body>
574    
575     <p>
576     To use AFS you need to authenticate against the KA Server if you are using
577     AFS's own Kerberos 4 implementation, or against a Kerberos 5 KDC if you are
578     using MIT, Heimdal, or Shishi Kerberos 5. However, in order to log in to a
579     machine you will also need a user account; this can be local in
580     /etc/passwd, in NIS, in LDAP (OpenLDAP), or in a Hesiod database. PAM allows
581     Gentoo to tie the authentication against AFS to the login to the user
582     account.
583     </p>
584    
585     <p>
586     You will need to update /etc/pam.d/system-auth, which is used by the
587     other PAM configurations. "use_first_pass" makes pam_afs reuse the password
588     already entered for the preceding module (the user login) instead of prompting
589     again, and "ignore_root" stops the local super user from being checked against
590     AFS, so that root can still log in if AFS or the network fails.
591     </p>
592    
593     <pre caption="/etc/pam.d/system-auth">
594     auth required /lib/security/pam_env.so
595     auth sufficient /lib/security/pam_unix.so likeauth nullok
596     auth sufficient /usr/afsws/lib/pam_afs.so.1 use_first_pass ignore_root
597     auth required /lib/security/pam_deny.so
598    
599     account required /lib/security/pam_unix.so
600    
601     password required /lib/security/pam_cracklib.so retry=3
602     password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
603     password required /lib/security/pam_deny.so
604    
605     session required /lib/security/pam_limits.so
606     session required /lib/security/pam_unix.so
607     </pre>
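As an added example (written for this page, not part of the guide or of pam_afs), a shell function that audits a system-auth file for the ordering and options described above: pam_unix before pam_afs, pam_afs marked sufficient with use_first_pass and ignore_root, and pam_deny closing the auth stack. The function names and the good and bad sample files are constructed for the demonstration.

```shell
#!/bin/sh
# pam_afs_audit FILE
# Added example, not part of the Gentoo guide or of pam_afs. Reads a PAM
# service file and checks its auth stack against the layout shown above.
# Prints each deviation and returns non-zero if there was at least one.
pam_afs_audit() {
    LC_ALL=C awk '
    # Comment lines start with "#", so only real "auth" entries count.
    $1 == "auth" {
        n++
        if ($3 ~ /pam_unix\.so/) unix_pos = n
        if ($3 ~ /pam_deny\.so/) deny_pos = n
        if ($3 ~ /pam_afs\.so/) {
            afs_pos  = n
            afs_ctrl = $2
            if ($0 ~ /use_first_pass/) first_pass = 1
            if ($0 ~ /ignore_root/)    ignore_root = 1
        }
    }
    END {
        bad = 0
        if (!afs_pos) {
            print "no pam_afs entry in the auth stack"; bad = 1
        } else {
            if (!unix_pos || unix_pos > afs_pos)
                { print "pam_afs must come after pam_unix, so the local password is tried first"; bad = 1 }
            if (afs_ctrl != "sufficient")
                { print "pam_afs control should be sufficient, found " afs_ctrl; bad = 1 }
            if (!first_pass)
                { print "pam_afs lacks use_first_pass and would prompt for the password again"; bad = 1 }
            if (!ignore_root)
                { print "pam_afs lacks ignore_root; the guide uses it so root can log in if AFS or the network fails"; bad = 1 }
        }
        if (!deny_pos || deny_pos != n)
            { print "pam_deny.so must be the last auth entry"; bad = 1 }
        exit bad
    }' "$1"
}

# write_pam_samples DIR: constructed system-auth files for the demonstration.
write_pam_samples() {
    # Matches the auth stack shown in the guide.
    cat > "$1/system-auth.good" <<'EOF'
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /usr/afsws/lib/pam_afs.so.1 use_first_pass ignore_root
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
EOF
    # Three deviations: pam_afs before pam_unix, no ignore_root,
    # and an entry after pam_deny.
    cat > "$1/system-auth.bad" <<'EOF'
auth required /lib/security/pam_env.so
auth sufficient /usr/afsws/lib/pam_afs.so.1 use_first_pass
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
auth optional /lib/security/pam_permit.so
EOF
}

# Demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_pam_samples "$demo_dir"
pam_afs_audit "$demo_dir/system-auth.good" && echo "good sample: OK"
pam_afs_audit "$demo_dir/system-auth.bad" || echo "bad sample: deviations found, as expected"
rm -rf "$demo_dir"
```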
608    
609     <p>
610     In order for sudo to keep the real user's token and to prevent local
611     users from gaining AFS access, change /etc/pam.d/su as follows:
612     </p>
613    
614     <pre caption="/etc/pam.d/su">
615     <comment># Here, users with uid &gt; 100 are considered to belong to AFS and users with
616     # uid &lt;= 100 are ignored by pam_afs.</comment>
617     auth sufficient /usr/afsws/lib/pam_afs.so.1 ignore_uid 100
618    
619     auth sufficient /lib/security/pam_rootok.so
620    
621     <comment># If you want to restrict which users are allowed to su even further,
622     # create /etc/security/suauth.allow (or a file of your choosing) that is only
623     # writable by root, and add the users that are allowed to su to that
624     # file, one per line.
625     #auth required /lib/security/pam_listfile.so item=ruser \
626     # sense=allow onerr=fail file=/etc/security/suauth.allow
627    
628     # Uncomment this to allow users in the wheel group to su without
629     # entering a passwd.
630     #auth sufficient /lib/security/pam_wheel.so use_uid trust
631    
632     # Alternatively to above, you can implement a list of users that do
633     # not need to supply a passwd with a list.
634     #auth sufficient /lib/security/pam_listfile.so item=ruser \
635     # sense=allow onerr=fail file=/etc/security/suauth.nopass
636    
637     # Comment this to allow any user, even those not in the 'wheel'
638     # group to su</comment>
639     auth required /lib/security/pam_wheel.so use_uid
640    
641     auth required /lib/security/pam_stack.so service=system-auth
642    
643     account required /lib/security/pam_stack.so service=system-auth
644    
645     password required /lib/security/pam_stack.so service=system-auth
646    
647     session required /lib/security/pam_stack.so service=system-auth
648     session optional /lib/security/pam_xauth.so
649    
650     <comment># Here we prevent the real user id's token from being dropped</comment>
651     session optional /usr/afsws/lib/pam_afs.so.1 no_unlog
652     </pre>
653    
654     </body>
655     </section>
656 drobbins 1.1 </chapter>
657 swift 1.17
658 drobbins 1.1 </guide>
