/[gentoo]/xml/htdocs/doc/en/openafs.xml
Revision 1.20
Mon Jul 18 10:44:57 2005 UTC (9 years, 1 month ago) by swift
Branch: MAIN
Changes since 1.19: +18 -3 lines
File MIME type: application/xml
#97481 - Add information on -syslog argument

<?xml version='1.0' encoding="UTF-8"?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/openafs.xml,v 1.19 2005/07/02 09:50:30 swift Exp $ -->

<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link = "/doc/en/openafs.xml">
<title>Gentoo Linux OpenAFS Guide</title>

<author title="Editor">
<mail link="darks@gentoo.org">Holger Brueckner</mail>
</author>
<author title="Editor">
<mail link="bennyc@gentoo.org">Benny Chuang</mail>
</author>
<author title="Editor">
<mail link="blubber@gentoo.org">Tiemo Kieft</mail>
</author>
<author title="Editor">
<mail link="fnjordy@gmail.com">Steven McCoy</mail>
</author>

<abstract>
This guide shows you how to install an OpenAFS server and client on Gentoo Linux.
</abstract>

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
<license/>

<version>0.9</version>
<date>2005-07-18</date>

<chapter>
<title>Overview</title>
<section>
<title>About this Document</title>
<body>

<p>
This document provides you with all the steps needed to install an OpenAFS
server on Gentoo Linux. Parts of this document are taken from the AFS FAQ and
IBM's Quick Beginnings guide on AFS. Well, never reinvent the wheel :)
</p>

</body>
</section>
<section>
<title>What is AFS ?</title>
<body>

<p>
AFS is a distributed filesystem that enables co-operating hosts
(clients and servers) to efficiently share filesystem resources
across both local area and wide area networks. Clients keep a local
cache of frequently used objects (files), so that repeated access to
them is fast.
</p>

<p>
AFS is based on a distributed file system originally developed
at the Information Technology Center at Carnegie-Mellon University
that was called the "Andrew File System". "Andrew" was the name of the
research project at CMU - honouring the founders of the University. Once
Transarc was formed and AFS became a product, the "Andrew" was dropped to
indicate that AFS had gone beyond the Andrew research project and had become
a supported, product quality filesystem. However, there were a number of
existing cells that rooted their filesystem as /afs. At the time, changing
the root of the filesystem was a non-trivial undertaking. So, to save the
early AFS sites from having to rename their filesystem, AFS remained as the
name and filesystem root.
</p>

</body>
</section>
<section>
<title>What is an AFS cell ?</title>
<body>

<p>
An AFS cell is a collection of servers grouped together administratively
and presenting a single, cohesive filesystem. Typically, an AFS cell is the set
of hosts that share one Internet domain name (for example gentoo.org).
Users log into AFS client workstations, which request information and files
from the cell's servers on behalf of the users. Users do not need to know on
which server a file they are accessing is located, and they will not notice
when a server is moved to another room, since every volume can be replicated
and moved to another server without any user noticing. The files stay
accessible. Well, it's like NFS on steroids :)
</p>

</body>
</section>
93     <section>
94     <title>What are the benefits of using AFS ?</title>
95     <body>
96    
97     <p>
98     The main strengths of AFS are its:
99     caching facility (on client side, typically 100M to 1GB),
100     security features (Kerberos 4 based, access control lists),
101     simplicity of addressing (you just have one filesystem),
102     scalability (add further servers to your cell as needed),
103     communications protocol.
104     </p>
105    
106     </body>
107     </section>
<section>
<title>Where can I get more information?</title>
<body>

<p>
Read the <uri link="http://www.angelfire.com/hi/plutonic/afs-faq.html">AFS
FAQ</uri>.
</p>

<p>
The OpenAFS main page is at <uri
link="http://www.openafs.org">www.openafs.org</uri>.
</p>

<p>
AFS was originally developed by Transarc, which is now owned by IBM.
You can find some information about AFS on
<uri link="http://www.transarc.ibm.com/Product/EFS/AFS/index.html">Transarc's
web page</uri>.
</p>

</body>
</section>
<section>
<title>How Can I Debug Problems?</title>
<body>

<p>
OpenAFS has good logging facilities. However, by default the server processes
write to their own log files under <path>/usr/afs/logs</path> instead of going
through the system logger. To have them log through your system logger instead,
pass the <c>-syslog</c> option to the server processes: start <c>bosserver</c>
with it, and append it to the command line you give for each process in the
<c>bos create</c> commands below. Syslog output is easier to forward to a
central log host, which also keeps the records out of reach of an attacker who
gains control of the AFS server.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Documentation</title>
<section>
<title>Getting AFS Documentation</title>
<body>

<p>
You can get the original IBM AFS documentation. It is very well written and you
really should read it if it is up to you to administer an AFS server.
</p>

<pre caption="Installing afsdoc">
# <i>emerge app-doc/afsdoc</i>
</pre>

</body>
</section>
</chapter>
164    
<chapter>
<title>Client Installation</title>
<section>
<title>Preliminary Work</title>
<body>

<note>
All commands should be written on one line! In this document they are
sometimes wrapped to two lines to make them easier to read.
</note>

<note>
Unfortunately the AFS client needs an ext2 partition for its cache to run
correctly, because there are locking issues with reiserfs. You need to
create an ext2 partition of approx. 200MB (more won't hurt) and mount it on
<path>/usr/vice/cache</path>.
</note>

<p>
You should adjust the two files CellServDB and ThisCell before you build the
AFS client. (These files are in <path>/usr/portage/net-fs/openafs/files</path>.)
</p>

<pre caption="Adjusting CellServDB and ThisCell">
CellServDB:
>netlabs #Cell name
10.0.0.1 #storage

ThisCell:
netlabs
</pre>

<warn>
Only use spaces inside the <path>CellServDB</path> file. The client will most
likely fail if you use TABs.
</warn>

<p>
CellServDB tells your client which database server(s) it needs to contact for a
specific cell: a line starting with <c>&gt;</c> names the cell, and each
following line gives the IP address of one of that cell's database servers,
followed by a <c>#</c> comment that conventionally holds the hostname. ThisCell
names the cell this client belongs to. Normally you use a name which is unique
for your organisation; your (official) domain is a good choice.
</p>
208    
209     </body>
210     </section>
211     <section>
212     <title>Building the Client</title>
213     <body>
214    
215 swift 1.18 <pre caption="Installing openafs">
216 swift 1.11 # <i>emerge net-fs/openafs</i>
217 drobbins 1.1 </pre>
218 swift 1.19
219     <p>
220     After successful compilation you're ready to go.
221     </p>
222    
223     </body>
224     </section>
225     <section>
226     <title>Starting afs on startup</title>
227     <body>
228    
<p>
The following command will create the appropriate links to start your AFS client
on system startup.
</p>

<warn>
You should always have a running AFS server in your cell when starting
the AFS client. If the server is down, the boot blocks until the client gives
up, and that timeout is long.
</warn>

<pre caption="Adding afs to the default runlevel">
# <i>rc-update add afs default</i>
</pre>
243 swift 1.19
244     </body>
245     </section>
246 drobbins 1.1 </chapter>
247    
<chapter>
<title>Server Installation</title>
<section>
<title>Building the Server</title>
<body>

<p>
The following command will install all necessary binaries for setting up an AFS
server <e>and</e> client.
</p>

<pre caption="Installing openafs">
# <i>emerge net-fs/openafs</i>
</pre>

</body>
</section>
<section>
<title>Starting AFS Server</title>
<body>

<p>
You need to remove the sample CellServDB and ThisCell files first.
</p>

<pre caption="Remove sample files">
# <i>rm /usr/vice/etc/ThisCell</i>
# <i>rm /usr/vice/etc/CellServDB</i>
</pre>

<p>
Next you will run the <b>bosserver</b> command to initialize the Basic OverSeer
(BOS) Server, which monitors and controls the other AFS server processes on its
machine. Think of it as init for the cell's server processes. Include the
<b>-noauth</b> flag to disable authorization checking, since you haven't added
the admin user yet.
</p>

<warn>
Disabling authorization checking gravely compromises cell security: while
<b>-noauth</b> is in effect, anyone who can reach the server's ports is treated
as an administrator and can, for example, add keys, create users or change the
configuration. You must complete all subsequent steps in one uninterrupted pass,
and must not leave the machine unattended, until you restart the BOS Server
without <b>-noauth</b>, i.e. with authorization checking enabled. Preferably
keep the machine off any untrusted network while you do this.
</warn>
292    
293 swift 1.18 <pre caption="Initialize the Basic OverSeer Server">
294 drobbins 1.1 # <i>/usr/afs/bin/bosserver -noauth &amp;</i>
295     </pre>
296 swift 1.19
297     <p>
298     Verify that the BOS Server created <path>/usr/vice/etc/CellServDB</path>
299     and <path>/usr/vice/etc/ThisCell</path>
300     </p>
301    
302 swift 1.18 <pre caption="Check if CellServDB and ThisCell are created">
303 drobbins 1.1 # <i>ls -al /usr/vice/etc/</i>
304     -rw-r--r-- 1 root root 41 Jun 4 22:21 CellServDB
305     -rw-r--r-- 1 root root 7 Jun 4 22:21 ThisCell
306     </pre>
307 swift 1.19
308     </body>
309     </section>
310     <section>
311     <title>Defining Cell Name and Membership for Server Process</title>
312     <body>
313    
<p>
Now assign your cell's name.
</p>

<impo>
There are some restrictions on the name format.
Two of the most important restrictions are that the name
cannot include uppercase letters or be longer than 64 characters. Remember that
your cell name will show up under <path>/afs</path>, so you might want to choose
a short one.
</impo>

<note>
In the following and every instruction in this guide, for the &lt;server
name&gt; argument substitute the fully qualified hostname (such as
<b>afs.gentoo.org</b>) of the machine you are installing. For the &lt;cell
name&gt; argument substitute your cell's complete name (such as
<b>gentoo</b>).
</note>
333    
334     <p>
335     Run the <b>bos setcellname</b> command to set the cell name:
336     </p>
337    
338 swift 1.18 <pre caption="Set the cell name">
339 cam 1.14 # <i>/usr/afs/bin/bos setcellname &lt;server name&gt; &lt;cell name&gt; -noauth</i>
340     </pre>
341 swift 1.19
342     </body>
343     </section>
344     <section>
345     <title>Starting the Database Server Process</title>
346     <body>
347    
<p>
Next use the <b>bos create</b> command to create entries for the four database
server processes in the <path>/usr/afs/local/BosConfig</path> file. The four
processes run on database server machines only.
</p>

<table>
<tr>
<ti>kaserver</ti>
<ti>
The Authentication Server maintains the Authentication Database. It implements
the Kerberos 4 protocol with single-DES keys, which is considered weak today; it
can be replaced by a Kerberos 5 KDC (for example MIT or Heimdal). If anybody
wants to try that, feel free to update this document :)
</ti>
</tr>
<tr>
<ti>buserver</ti>
<ti>The Backup Server maintains the Backup Database</ti>
</tr>
<tr>
<ti>ptserver</ti>
<ti>The Protection Server maintains the Protection Database</ti>
</tr>
<tr>
<ti>vlserver</ti>
<ti>
The Volume Location Server maintains the Volume Location Database (VLDB).
Very important :)
</ti>
</tr>
</table>
379    
380 swift 1.18 <pre caption="Create entries for the database processes">
381 swift 1.19 # <i>/usr/afs/bin/bos create &lt;server name&gt; kaserver simple /usr/afs/bin/kaserver -cell &lt;cell name&gt; -noauth</i>
382     # <i>/usr/afs/bin/bos create &lt;server name&gt; buserver simple /usr/afs/bin/buserver -cell &lt;cell name&gt; -noauth</i>
383     # <i>/usr/afs/bin/bos create &lt;server name&gt; ptserver simple /usr/afs/bin/ptserver -cell &lt;cell name&gt; -noauth</i>
384     # <i>/usr/afs/bin/bos create &lt;server name&gt; vlserver simple /usr/afs/bin/vlserver -cell &lt;cell name&gt; -noauth</i>
385     </pre>
386    
387     <p>
388     You can verify that all servers are running with the <b>bos status</b> command:
389     </p>
390    
391 swift 1.18 <pre caption="Check if all the servers are running">
392 drobbins 1.1 # <i>/usr/afs/bin/bos status &lt;server name&gt; -noauth</i>
393     Instance kaserver, currently running normally.
394     Instance buserver, currently running normally.
395     Instance ptserver, currently running normally.
396     Instance vlserver, currently running normally.
397     </pre>
398 swift 1.19
399     </body>
400     </section>
401     <section>
402     <title>Initializing Cell Security</title>
403     <body>
404    
<p>
Now we'll initialize the cell's security mechanisms. We'll begin by creating
the following two initial entries in the Authentication Database: the main
administrative account, called <b>admin</b> by convention, and an entry for
the AFS server processes, called <b>afs</b>. No user logs in under the
identity <b>afs</b>; the Authentication Server's Ticket Granting
Service (TGS) module uses that account's key to encrypt the server tickets
that it grants to AFS clients. This is exactly the Kerberos model: <b>afs</b>
is the service principal, and its key is what you will later store in the
server's KeyFile.
</p>
414    
415     <p>
416     Enter <b>kas</b> interactive mode
417     </p>
418    
<pre caption="Entering the interactive mode">
# <i>/usr/afs/bin/kas -cell &lt;cell name&gt; -noauth</i>
ka&gt; <i>create afs</i>
initial_password:
Verifying, please re-enter initial_password:
ka&gt; <i>create admin</i>
initial_password:
Verifying, please re-enter initial_password:
ka&gt; <i>examine afs</i>

User data for afs
key (0) cksum is 2651715259, last cpw: Mon Jun 4 20:49:30 2001
password will never expire.
An unlimited number of unsuccessful authentications is permitted.
entry never expires. Max ticket lifetime 100.00 hours.
last mod on Mon Jun 4 20:49:30 2001 by &lt;none&gt;
permit password reuse
ka&gt; <i>setfields admin -flags admin</i>
ka&gt; <i>examine admin</i>

User data for admin (ADMIN)
key (0) cksum is 2651715259, last cpw: Mon Jun 4 20:49:59 2001
password will never expire.
An unlimited number of unsuccessful authentications is permitted.
entry never expires. Max ticket lifetime 25.00 hours.
last mod on Mon Jun 4 20:51:10 2001 by &lt;none&gt;
permit password reuse
ka&gt;
</pre>
448 swift 1.19
449     <p>
450     Run the <b>bos adduser</b> command, to add the <b>admin</b> user to
451     the <path>/usr/afs/etc/UserList</path>.
452     </p>
453    
454 swift 1.18 <pre caption="Add the admin user to the UserList">
455 drobbins 1.1 # <i>/usr/afs/bin/bos adduser &lt;server name&gt; admin -cell &lt;cell name&gt; -noauth</i>
456     </pre>
457 swift 1.19
<p>
Issue the <b>bos addkey</b> command to define the AFS server
encryption key in <path>/usr/afs/etc/KeyFile</path>.
</p>

<note>
If asked for the input key, give the password you entered when creating
the afs entry with <b>kas</b>. The server key must match the key of the
<b>afs</b> entry in the Authentication Database, otherwise the file servers
cannot decrypt the tokens clients present. Whoever can read the KeyFile can
forge tokens for every user in the cell, so keep
<path>/usr/afs/etc/KeyFile</path> readable by root only.
</note>

<pre caption="Entering the password">
# <i>/usr/afs/bin/bos addkey &lt;server name&gt; -kvno 0 -cell &lt;cell name&gt; -noauth</i>
input key:
Retype input key:
</pre>

<p>
Issue the <b>pts createuser</b> command to create a Protection Database
entry for the admin user.
</p>

<note>
By default, the Protection Server assigns AFS UID 1 to the <b>admin</b> user,
because it is the first user entry you are creating. If the local password file
(<path>/etc/passwd</path> or equivalent) already has an entry for <b>admin</b>
that assigns a different UID, use the <b>-id</b> argument to create matching UIDs.
</note>

<pre caption="Create a Protection Database entry for the admin user">
# <i>/usr/afs/bin/pts createuser -name admin -cell &lt;cell name&gt; [-id &lt;AFS UID&gt;] -noauth</i>
</pre>
489 swift 1.19
490     <p>
491     Issue the <b>pts adduser</b> command to make the <b>admin</b> user a member
492     of the system:administrators group, and the <b>pts membership</b> command to
493     verify the new membership
494     </p>
495    
496 swift 1.18 <pre caption="Make admin a member of the administrators group and verify">
497 drobbins 1.1 # <i>/usr/afs/bin/pts adduser admin system:administrators -cell &lt;cell name&gt; -noauth</i>
498     # <i>/usr/afs/bin/pts membership admin -cell &lt;cell name&gt; -noauth</i>
499 swift 1.19 Groups admin (id: 1) is a member of:
500     system:administrators
501 drobbins 1.1 </pre>
502 swift 1.19
503     <p>
504     Restart all AFS Server processes
505     </p>
506    
507 swift 1.18 <pre caption="Restart all AFS server processes">
508 drobbins 1.1 # <i>/usr/afs/bin/bos restart &lt;server name&gt; -all -cell &lt;cell name&gt; -noauth</i>
509     </pre>
510 swift 1.19
511     </body>
512     </section>
513     <section>
514     <title>Starting the File Server, Volume Server and Salvager</title>
515     <body>
516    
517     <p>
518     Start the <b>fs</b> process, which consists of the File Server, Volume Server
519     and Salvager (fileserver, volserver and salvager processes).
520     </p>
521    
522 swift 1.18 <pre caption="Start the fs process">
523 swift 1.19 # <i>/usr/afs/bin/bos create &lt;server name&gt; fs fs /usr/afs/bin/fileserver /usr/afs/bin/volserver /usr/afs/bin/salvager -cell &lt;cell name&gt; -noauth</i>
524     </pre>
525    
526     <p>
527     Verify that all processes are running
528     </p>
529    
530 swift 1.18 <pre caption="Check if all processes are running">
531 swift 1.19 # <i>/usr/afs/bin/bos status &lt;server name&gt; -long -noauth</i>
532     Instance kaserver, (type is simple) currently running normally.
533     Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
534     Last exit at Mon Jun 4 21:07:17 2001
535     Command 1 is '/usr/afs/bin/kaserver'
536    
537     Instance buserver, (type is simple) currently running normally.
538     Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
539     Last exit at Mon Jun 4 21:07:17 2001
540     Command 1 is '/usr/afs/bin/buserver'
541    
542     Instance ptserver, (type is simple) currently running normally.
543     Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
544     Last exit at Mon Jun 4 21:07:17 2001
545     Command 1 is '/usr/afs/bin/ptserver'
546    
547     Instance vlserver, (type is simple) currently running normally.
548     Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
549     Last exit at Mon Jun 4 21:07:17 2001
550     Command 1 is '/usr/afs/bin/vlserver'
551    
552     Instance fs, (type is fs) currently running normally.
553     Auxiliary status is: file server running.
554     Process last started at Mon Jun 4 21:09:30 2001 (2 proc starts)
555     Command 1 is '/usr/afs/bin/fileserver'
556     Command 2 is '/usr/afs/bin/volserver'
557     Command 3 is '/usr/afs/bin/salvager'
558     </pre>
559    
560     <p>
561     Your next action depends on whether you have ever run AFS file server machines
562     in the cell:
563     </p>
564    
565     <p>
566     If you are installing the first AFS Server ever in the cell create the
567     first AFS volume, <b>root.afs</b>
568     </p>
569    
570     <note>
571     For the partition name argument, substitute the name of one of the machine's
572     AFS Server partitions. By convention
573     these partitions are named <path>/vicepx</path>, where x is in the range of a-z.
574     </note>
575    
576 swift 1.18 <pre caption="Create the root.afs volume">
577 swift 1.19 # <i>/usr/afs/bin/vos create &lt;server name&gt; &lt;partition name&gt; root.afs -cell &lt;cell name&gt; -noauth</i>
578     </pre>
579    
<p>
If there are existing AFS file server machines and volumes in the cell,
issue the <b>vos syncvldb</b> and <b>vos syncserv</b> commands to synchronize
the VLDB (Volume Location Database) with the actual state of volumes on the
local machine. Note that these commands reconcile database records with what
is found on the server's partitions; they do not copy volume data to the new
server.
</p>
586    
587     <p>
588     If the command fails with the message "partition /vicepa does not exist on
589     the server", ensure that the partition is mounted before running OpenAFS
590     servers, or mount the directory and restart the processes using
591     <c>/usr/afs/bin/bos restart &lt;server name&gt; -all -cell &lt;cell
592     name&gt; -noauth</c>.
593     </p>
594    
595 swift 1.18 <pre caption="Synchronise the VLDB">
596 swift 1.19 # <i>/usr/afs/bin/vos syncvldb &lt;server name&gt; -cell &lt;cell name&gt; -verbose -noauth</i>
597     # <i>/usr/afs/bin/vos syncserv &lt;server name&gt; -cell &lt;cell name&gt; -verbose -noauth</i>
598 drobbins 1.1 </pre>
599 swift 1.19
600     </body>
601     </section>
<section>
<title>Starting the Server Portion of the Update Server</title>
<body>

<p>
The Update Server distributes files from this machine to the other server
machines in the cell. <c>-crypt</c> marks <path>/usr/afs/etc</path>, which
holds the KeyFile, as a directory whose contents are only ever sent encrypted;
<c>-clear</c> allows the binaries in <path>/usr/afs/bin</path> to be sent in
the clear.
</p>

<pre caption="Start the update server">
# <i>/usr/afs/bin/bos create &lt;server name&gt; upserver simple "/usr/afs/bin/upserver -crypt /usr/afs/etc -clear /usr/afs/bin" -cell &lt;cell name&gt; -noauth</i>
</pre>

</body>
</section>
615     <section>
616     <title>Configuring the Top Level of the AFS filespace</title>
617     <body>
618    
<p>
First you need to set some ACLs, so that any user can look up
<path>/afs</path>. The <c>l</c> (lookup) right is what lets a client traverse
the directory; <c>r</c> (read) additionally lets it read the files in it.
</p>

<pre caption="Set access control lists">
# <i>/usr/afs/bin/fs setacl /afs system:anyuser rl</i>
</pre>

<p>
Then you need to create the root volume and mount it twice: with a regular
mount point on <path>/afs/&lt;cell name&gt;</path> (which prefers a read-only
replica once one exists) and read/write on <path>/afs/.&lt;cell name&gt;</path>.
</p>

<pre caption="Prepare the root volume">
# <i>/usr/afs/bin/vos create &lt;server name&gt; &lt;partition name&gt; root.cell</i>
# <i>/usr/afs/bin/fs mkmount /afs/&lt;cell name&gt; root.cell</i>
# <i>/usr/afs/bin/fs setacl /afs/&lt;cell name&gt; system:anyuser rl</i>
# <i>/usr/afs/bin/fs mkmount /afs/.&lt;cell name&gt; root.cell -rw</i>
</pre>
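<p>
The two <c>fs setacl</c> calls above grant <c>system:anyuser</c>, which means
every client that can reach the cell whether it holds a token or not, the rights
<c>rl</c>. One extra letter on such an entry hands anonymous clients write or
administer access, so it is worth auditing the ACLs at the top of the tree once
this step is done. The following POSIX shell script is an added example, not
part of the guide or of OpenAFS: it parses the text that <c>fs listacl</c>
prints and flags dangerous entries. The embedded <c>fs listacl</c> output is
constructed for the demo, and the policy it applies (none of <c>idwka</c> for
system:anyuser, the administer right <c>a</c> only for system:administrators,
negative entries reported for review) is the example's own.
</p>

```shell
#!/bin/sh
# Added example: audit "fs listacl" output for over-permissive entries.
# Not part of OpenAFS or of the guide; the policy below is the example's own.
# AFS rights: r read, l lookup, i insert, d delete, w write, k lock, a administer.

# audit_listacl: read one or more "fs listacl" listings on stdin, print one
# finding per line, return 1 if any entry violated the policy
audit_listacl() {
    awk '
        /^Access list for / { dir = $4; neg = 0; next }
        /^Normal rights:/   { neg = 0; next }
        /^Negative rights:/ { neg = 1; next }
        NF == 2 {
            who = $1; rights = $2
            if (neg) {
                # negative entries are easy to overlook when reading an ACL; report, do not fail
                print dir ": note: negative entry for " who " (" rights ")"; next
            }
            # system:anyuser is every client on the network, token or not
            if (who == "system:anyuser" && rights ~ /[idwka]/) {
                print dir ": system:anyuser has \"" rights "\"; anonymous clients can modify it"; bad++
            }
            # "a" lets the holder rewrite this ACL, i.e. grant itself everything else
            if (rights ~ /a/ && who != "system:administrators") {
                print dir ": " who " holds the administer right (a)"; bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# audit_dir DIR: audit a live directory; needs a running AFS client, and FS is
# assumed to be the fs binary path used in the guide
audit_dir() {
    "${FS:-/usr/afs/bin/fs}" listacl "$1" | audit_listacl
}

# sample_listacl: constructed listing in the format "fs listacl" prints (demo data only)
sample_listacl() {
    cat <<'EOF'
Access list for /afs is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
Access list for /afs/netlabs is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwk
  helpdesk rlidwka
Negative rights:
  exstudent rl
EOF
}

if [ $# -gt 0 ]; then
    audit_dir "$1"
else
    # no directory given: run the policy over the constructed sample
    sample_listacl | audit_listacl || echo "(findings above come from the constructed sample)"
fi
```

<p>
Called with a directory argument it audits the live ACL (for example
<c>sh audit_acl.sh /afs/&lt;cell name&gt;</c>); without one it runs over the
constructed sample, which contains one anonymous-write entry and one stray
administer right. Rights letters beyond the seven standard ones (the
application bits A-H) are ignored by the policy.
</p>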
640 swift 1.19
<p>
You are almost done, but one step remains before the server may be left alone:
every server process, including <b>bosserver</b> itself, is still running with
authorization checking disabled. Shut the processes down with <b>bos
shutdown</b>, stop the <b>bosserver</b> you started with <b>-noauth</b>, and
start it again without that flag. From now on, do not pass <b>-noauth</b>
anymore; instead obtain an administrator token with <b>klog admin</b> before
running privileged <b>bos</b>, <b>vos</b> and <b>pts</b> commands. To confirm
that the window is closed, run a privileged command such as <b>bos listkeys
&lt;server name&gt;</b> without a token: it must now be refused.
</p>

<p>
You should now have a working AFS file server on your local network. Time to get
a big cup of coffee and print out the AFS documentation!
</p>

<note>
It is very important for the AFS server to function properly that all system
clocks are synchronized: tickets carry timestamps, and are rejected when the
client and server clocks drift too far apart. This is best accomplished by
running an NTP server on one machine (e.g. the AFS server) and synchronizing
all client clocks with the NTP client. The AFS client can also do this.
</note>
653    
654     </body>
655     </section>
656 drobbins 1.1 </chapter>
657    
658     <chapter>
659 swift 1.17 <title>Basic Administration</title>
660     <section>
661     <title>Disclaimer</title>
662     <body>
663    
664     <p>
665     OpenAFS is an extensive technology. Please read the AFS documentation for more
666     information. We only list a few administrative tasks in this chapter.
667     </p>
668    
669     </body>
670     </section>
671     <section>
672     <title>Configuring PAM to Acquire an AFS Token on Login</title>
673     <body>
<p>
To use AFS you need to authenticate against the KA Server if you use
the AFS Kerberos 4 implementation, or against a Kerberos 5 KDC if you use
MIT, Heimdal, or Shishi Kerberos 5. However, in order to log in to a
machine you will also need a user account; this can be local in
<path>/etc/passwd</path>, NIS, LDAP (OpenLDAP), or a Hesiod database. PAM
allows Gentoo to tie the authentication against AFS to the login to the user
account.
</p>

<p>
You will need to update <path>/etc/pam.d/system-auth</path>, which is used by
the other configurations. <c>use_first_pass</c> tells <c>pam_afs</c> to reuse
the password the user already typed for <c>pam_unix</c> instead of prompting a
second time, and <c>ignore_root</c> stops the local super user from being
checked against AFS, so that root can still log in if AFS or the network
fails. Note the ordering: <c>pam_unix</c> is listed first as
<c>sufficient</c>, so a user whose local password matches is logged in by it
alone and <c>pam_afs</c> is never consulted (and no token is obtained). For
users who should authenticate through AFS, leave the local password field
locked so that authentication falls through to <c>pam_afs</c>.
</p>
692    
693     <pre caption="/etc/pam.d/system-auth">
694     auth required /lib/security/pam_env.so
695     auth sufficient /lib/security/pam_unix.so likeauth nullok
696     auth sufficient /usr/afsws/lib/pam_afs.so.1 use_first_pass ignore_root
697     auth required /lib/security/pam_deny.so
698    
699     account required /lib/security/pam_unix.so
700    
701     password required /lib/security/pam_cracklib.so retry=3
702     password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
703     password required /lib/security/pam_deny.so
704    
705     session required /lib/security/pam_limits.so
706     session required /lib/security/pam_unix.so
707     </pre>
708    
<p>
In order for <c>su</c> to keep the real user's token, and to prevent local
users from gaining AFS access, change <path>/etc/pam.d/su</path> as follows:
</p>
713    
714     <pre caption="/etc/pam.d/su">
715     <comment># Here, users with uid &gt; 100 are considered to belong to AFS and users with
716     # uid &lt;= 100 are ignored by pam_afs.</comment>
717     auth sufficient /usr/afsws/lib/pam_afs.so.1 ignore_uid 100
718    
719     auth sufficient /lib/security/pam_rootok.so
720    
<comment># If you want to restrict users being allowed to su even more,
722     # create /etc/security/suauth.allow (or to that matter) that is only
723     # writable by root, and add users that are allowed to su to that
724     # file, one per line.
725     #auth required /lib/security/pam_listfile.so item=ruser \
726     # sense=allow onerr=fail file=/etc/security/suauth.allow
727    
728     # Uncomment this to allow users in the wheel group to su without
729     # entering a passwd.
730     #auth sufficient /lib/security/pam_wheel.so use_uid trust
731    
732     # Alternatively to above, you can implement a list of users that do
733     # not need to supply a passwd with a list.
734     #auth sufficient /lib/security/pam_listfile.so item=ruser \
735     # sense=allow onerr=fail file=/etc/security/suauth.nopass
736    
737     # Comment this to allow any user, even those not in the 'wheel'
738     # group to su</comment>
739     auth required /lib/security/pam_wheel.so use_uid
740    
741     auth required /lib/security/pam_stack.so service=system-auth
742    
743     account required /lib/security/pam_stack.so service=system-auth
744    
745     password required /lib/security/pam_stack.so service=system-auth
746    
747     session required /lib/security/pam_stack.so service=system-auth
748     session optional /lib/security/pam_xauth.so
749    
750     <comment># Here we prevent the real user id's token from being dropped</comment>
751     session optional /usr/afsws/lib/pam_afs.so.1 no_unlog
752     </pre>
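<p>
Getting the order of these stanzas wrong either fails open or locks people out,
so here is an added example (not part of the guide, of Linux-PAM or of
<c>pam_afs</c>) that lints a PAM service file against the rules the two
listings rely on: <c>pam_afs</c> must be <c>sufficient</c>, must come after
<c>pam_unix</c> when it uses <c>use_first_pass</c>, must carry
<c>ignore_root</c> or <c>ignore_uid</c> so that root never depends on AFS, the
auth stack must end in <c>pam_deny</c>, and for the su service a session line
with <c>no_unlog</c> must keep the token. The sample files it writes are
constructed copies of the two listings above, each paired with a version
carrying one deliberate mistake; the function names and the script name are the
example's own.
</p>

```shell
#!/bin/sh
# Added example: lint a PAM service file for the AFS-related ordering rules used
# by the system-auth and su listings. Not part of the guide, Linux-PAM or pam_afs.
# Usage: sh lint_pam_afs.sh /etc/pam.d/system-auth
#        sh lint_pam_afs.sh /etc/pam.d/su su

# lint_pam_afs FILE [su]: print one finding per line; return 1 if there were any.
# Without the second argument the file is treated as system-auth.
lint_pam_afs() {
    awk -v file="$1" -v su="${2:-}" '
        function finding(msg) { print file ": " msg; bad++ }
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "auth" {
            n++
            if ($3 ~ /pam_unix\.so/ && !unix_at) unix_at = n
            if ($3 ~ /pam_deny\.so/) deny_at = n
            if ($3 ~ /pam_afs\.so/) {
                afs_at = n
                first_pass = ($0 ~ /use_first_pass/)
                if ($2 != "sufficient")
                    finding("pam_afs auth line is " $2 "; as required/requisite an AFS outage locks everyone out")
                if ($0 !~ /ignore_root|ignore_uid/)
                    finding("pam_afs auth line lacks ignore_root/ignore_uid; root login would depend on AFS")
                if (!su && !first_pass)
                    finding("pam_afs auth line lacks use_first_pass; users are asked for the password twice")
            }
        }
        $1 == "session" && $3 ~ /pam_afs\.so/ {
            session_afs = 1
            if (su && $0 !~ /no_unlog/)
                finding("session pam_afs line lacks no_unlog; the real user token is dropped")
        }
        END {
            if (!afs_at) finding("no pam_afs.so auth line; logins never obtain an AFS token")
            if (first_pass && unix_at && afs_at < unix_at)
                finding("pam_afs with use_first_pass is listed before pam_unix, so there is no password to reuse")
            if (!su && afs_at && (!deny_at || deny_at < afs_at))
                finding("auth stack is not terminated by pam_deny.so after pam_afs")
            if (su && !session_afs)
                finding("no session pam_afs line; add one with no_unlog to keep the token across su")
            exit (bad > 0)
        }
    ' "$1"
}

# write_samples DIR: constructed copies of the two listings, each with a broken twin
write_samples() {
    cat > "$1/system-auth" <<'EOF'
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /usr/afsws/lib/pam_afs.so.1 use_first_pass ignore_root
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
EOF
    # mistake: pam_afs moved in front of pam_unix and ignore_root dropped
    cat > "$1/system-auth.bad" <<'EOF'
auth required /lib/security/pam_env.so
auth sufficient /usr/afsws/lib/pam_afs.so.1 use_first_pass
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
EOF
    cat > "$1/su" <<'EOF'
# users with uid > 100 are AFS users; uid <= 100 are ignored by pam_afs
auth sufficient /usr/afsws/lib/pam_afs.so.1 ignore_uid 100
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
session optional /usr/afsws/lib/pam_afs.so.1 no_unlog
EOF
    # mistake: the no_unlog session line is missing
    grep -v 'no_unlog' "$1/su" > "$1/su.bad"
}

main() {
    if [ $# -gt 0 ]; then
        lint_pam_afs "$1" "${2:-}"
        return
    fi
    d=$(mktemp -d); write_samples "$d"
    for f in system-auth system-auth.bad; do
        lint_pam_afs "$d/$f" && echo "$d/$f: OK"
    done
    for f in su su.bad; do
        lint_pam_afs "$d/$f" su && echo "$d/$f: OK"
    done
    return 0
}
main "$@"
```

<p>
The su check is deliberately looser: that file delegates to system-auth through
<c>pam_stack</c>, so the linter cannot see its <c>pam_unix</c> or
<c>pam_deny</c> lines and only verifies the <c>pam_afs</c> lines that su adds.
Modules referenced by other means (<c>include</c> directives on newer
Linux-PAM) are likewise not followed.
</p>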
753    
754     </body>
755     </section>
756 drobbins 1.1 </chapter>
757 swift 1.17
758 drobbins 1.1 </guide>
