Contents of /xml/htdocs/doc/en/openafs.xml

Revision 1.21
Sat Oct 29 20:20:57 2005 UTC (8 years, 11 months ago) by so
Branch: MAIN
Changes since 1.20: +133 -131 lines
File MIME type: application/xml
#108338 OpenAFS updated

<?xml version='1.0' encoding="UTF-8"?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/openafs.xml,v 1.20 2005/07/18 10:44:57 swift Exp $ -->

<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link="/doc/en/openafs.xml">
<title>Gentoo Linux OpenAFS Guide</title>

<author title="Editor">
<mail link="darks@gentoo.org">Holger Brueckner</mail>
</author>
<author title="Editor">
<mail link="bennyc@gentoo.org">Benny Chuang</mail>
</author>
<author title="Editor">
<mail link="blubber@gentoo.org">Tiemo Kieft</mail>
</author>
<author title="Editor">
<mail link="fnjordy@gmail.com">Steven McCoy</mail>
</author>

<abstract>
This guide shows you how to install an OpenAFS server and client on Gentoo
Linux.
</abstract>

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
<license/>

<version>0.9</version>
<date>2005-07-18</date>

<chapter>
<title>Overview</title>
<section>
<title>About this Document</title>
<body>

<p>
This document provides you with all necessary steps to install an OpenAFS
server on Gentoo Linux. Parts of this document are taken from the AFS FAQ and
IBM's Quick Beginnings guide on AFS. Well, never reinvent the wheel. :)
</p>

</body>
</section>
<section>
<title>What is AFS?</title>
<body>

<p>
AFS is a distributed filesystem that enables co-operating hosts
(clients and servers) to efficiently share filesystem resources
across both local area and wide area networks. Clients keep a
cache of frequently used objects (files) to get quicker
access to them.
</p>

<p>
AFS is based on a distributed file system originally developed
at the Information Technology Center at Carnegie-Mellon University
that was called the "Andrew File System". "Andrew" was the name of the
research project at CMU, honouring the founders of the University. Once
Transarc was formed and AFS became a product, the "Andrew" was dropped to
indicate that AFS had gone beyond the Andrew research project and had become
a supported, product quality filesystem. However, there were a number of
existing cells that rooted their filesystem as /afs. At the time, changing
the root of the filesystem was a non-trivial undertaking. So, to save the
early AFS sites from having to rename their filesystem, AFS remained as the
name and filesystem root.
</p>

</body>
</section>
<section>
<title>What is an AFS cell?</title>
<body>

<p>
An AFS cell is a collection of servers grouped together administratively and
presenting a single, cohesive filesystem. Typically, an AFS cell is a set of
hosts that use the same Internet domain name (for example, gentoo.org). Users
log into AFS client workstations, which request information and files from the
cell's servers on behalf of the users. Users do not need to know on which
server a file they are accessing is located. They will not even notice if a
server is moved to another room, since every volume can be replicated and
moved to another server without any user noticing. The files are always
accessible. Well, it's like NFS on steroids :)
</p>

</body>
</section>
<section>
<title>What are the benefits of using AFS?</title>
<body>

<p>
The main strengths of AFS are its caching facility (on the client side,
typically 100M to 1GB), its security features (Kerberos 4 based, access
control lists), its simplicity of addressing (you just have one filesystem),
its scalability (add further servers to your cell as needed) and its
communications protocol.
</p>

</body>
</section>
<section>
<title>Where can I get more information?</title>
<body>

<p>
Read the <uri link="http://www.angelfire.com/hi/plutonic/afs-faq.html">AFS
FAQ</uri>.
</p>

<p>
The OpenAFS main page is at <uri
link="http://www.openafs.org">www.openafs.org</uri>.
</p>

<p>
AFS was originally developed by Transarc, which is now owned by IBM.
You can find some information about AFS on
<uri link="http://www.transarc.ibm.com/Product/EFS/AFS/index.html">Transarc's
Webpage</uri>.
</p>

</body>
</section>
<section>
<title>How Can I Debug Problems?</title>
<body>

<p>
OpenAFS has great logging facilities. However, by default it logs straight into
its own log files instead of through the system logging facilities you have on
your system. To have the servers log through your system logger, use the
<c>-syslog</c> option for all <c>bos</c> commands.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Documentation</title>
<section>
<title>Getting AFS Documentation</title>
<body>

<p>
You can install the original IBM AFS documentation. It is very well written and
you really want to read it if it is up to you to administer an AFS server.
</p>

<pre caption="Installing afsdoc">
# <i>emerge app-doc/afsdoc</i>
</pre>

</body>
</section>
</chapter>

<chapter>
<title>Client Installation</title>
<section>
<title>Preliminary Work</title>
<body>

<note>
All commands should be entered on one line! In this document they are
sometimes wrapped over two lines to make them easier to read.
</note>

<note>
Unfortunately the AFS client needs an ext2 partition for its cache to run
correctly, because there are some locking issues with reiserfs. You need to
create an ext2 partition of approx. 200MB (more won't hurt) and mount it on
<path>/usr/vice/cache</path>.
</note>

<p>
You should adjust the two files CellServDB and ThisCell before you build the
AFS client. (These files are in <path>/usr/portage/net-fs/openafs/files</path>.)
</p>

<pre caption="Adjusting CellServDB and ThisCell">
CellServDB:
>netlabs #Cell name
10.0.0.1 #storage

ThisCell:
netlabs
</pre>

<warn>
Only use spaces inside the <path>CellServDB</path> file. The client will most
likely fail if you use TABs.
</warn>

<p>
CellServDB tells your client which server(s) it needs to contact for a
specific cell. ThisCell holds the name of the cell your client belongs to.
Normally you use a name which is unique for your organisation. Your (official)
domain might be a good choice.
</p>
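<p>
The following checker is an added example and not part of this guide or of
OpenAFS. It applies the rules stated above to a CellServDB/ThisCell pair: one
<c>&gt;cell</c> header line followed by <c>IP #hostname</c> server lines, no
TABs, and a ThisCell that names a cell actually listed in CellServDB. It also
applies the cell-name limits (lowercase only, at most 64 characters) given in
the server installation chapter. The sample files are constructed.
</p>

```python
"""Sanity checks for an OpenAFS client's CellServDB and ThisCell files.

Added example, not code from the Gentoo guide or from OpenAFS. The sample
inputs below are constructed to mirror the guide's example files.
"""
import ipaddress

MAX_CELL_NAME = 64  # limit stated in the server installation chapter


def check_cellservdb(text):
    """Return (cells, problems) for the given CellServDB contents.

    cells maps each cell name to its list of (ip, comment) server entries;
    problems is a list of findings, empty when the file looks fine.
    """
    cells = {}
    problems = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if "\t" in raw:
            # The guide warns that the client will most likely fail on TABs.
            problems.append("line %d: contains a TAB; use spaces only" % lineno)
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):
            # Cell header: '>cellname' optionally followed by '#comment'.
            current = line[1:].split("#", 1)[0].strip()
            if not current:
                problems.append("line %d: empty cell name" % lineno)
                current = None
                continue
            if current != current.lower():
                problems.append("line %d: cell name '%s' must be lowercase" % (lineno, current))
            if len(current) > MAX_CELL_NAME:
                problems.append("line %d: cell name longer than %d characters" % (lineno, MAX_CELL_NAME))
            cells.setdefault(current, [])
            continue
        # Server line: 'IP #hostname'; it must belong to a preceding cell header.
        if current is None:
            problems.append("line %d: server entry before any '>cell' header" % lineno)
            continue
        addr, _, comment = line.partition("#")
        addr = addr.strip()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append("line %d: '%s' is not a valid IP address" % (lineno, addr))
            continue
        cells[current].append((addr, comment.strip()))
    for name, servers in cells.items():
        if not servers:
            problems.append("cell '%s' lists no database servers" % name)
    return cells, problems


def check_thiscell(thiscell_text, cells):
    """Return a list of problems with ThisCell relative to the parsed cells."""
    name = thiscell_text.strip()
    if not name:
        return ["ThisCell is empty"]
    if name not in cells:
        return ["ThisCell '%s' is not listed in CellServDB" % name]
    return []


# Constructed sample input mirroring the guide's example files.
GOOD_CELLSERVDB = ">netlabs #Cell name\n10.0.0.1 #storage\n"
# Constructed broken input: uppercase name, a TAB separator and a bad address.
BAD_CELLSERVDB = ">NetLabs\t#Cell name\n10.0.0.256 #storage\n"
THISCELL = "netlabs\n"

if __name__ == "__main__":
    cells, problems = check_cellservdb(GOOD_CELLSERVDB)
    problems += check_thiscell(THISCELL, cells)
    print("good file:", problems or "no problems")
    cells, problems = check_cellservdb(BAD_CELLSERVDB)
    print("bad file:", problems + check_thiscell(THISCELL, cells))
```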

</body>
</section>
<section>
<title>Building the Client</title>
<body>

<pre caption="Installing openafs">
# <i>emerge net-fs/openafs</i>
</pre>

<p>
After successful compilation you're ready to go.
</p>

</body>
</section>
<section>
<title>Starting AFS on startup</title>
<body>

<p>
The following command will create the appropriate links to start your AFS
client on system startup.
</p>

<warn>
You should always have a running AFS server in your domain when you start the
AFS client. If your AFS server is down, your system won't finish booting until
the client times out (and this is quite a long time).
</warn>

<pre caption="Adding AFS to the default runlevel">
# <i>rc-update add afs default</i>
</pre>

</body>
</section>
</chapter>

<chapter>
<title>Server Installation</title>
<section>
<title>Building the Server</title>
<body>

<p>
The following command will install all necessary binaries for setting up an AFS
server <e>and</e> client.
</p>

<pre caption="Installing openafs">
# <i>emerge net-fs/openafs</i>
</pre>

</body>
</section>
<section>
<title>Starting AFS Server</title>
<body>

<p>
You need to remove the sample CellServDB and ThisCell files first.
</p>

<pre caption="Remove sample files">
# <i>rm /usr/vice/etc/ThisCell</i>
# <i>rm /usr/vice/etc/CellServDB</i>
</pre>

<p>
Next you will run the <c>bosserver</c> command to initialize the Basic OverSeer
(BOS) Server, which monitors and controls other AFS server processes on its
server machine. Think of it as init for the system. Include the <c>-noauth</c>
flag to disable authorization checking, since you haven't added the admin user
yet.
</p>

<warn>
Disabling authorization checking gravely compromises cell security. You must
complete all subsequent steps in one uninterrupted pass and must not leave
the machine unattended until you restart the BOS Server with authorization
checking enabled. Well, this is what the AFS documentation says. :)
</warn>

<pre caption="Initialize the Basic OverSeer Server">
# <i>/usr/afs/bin/bosserver -noauth &amp;</i>
</pre>

<p>
Verify that the BOS Server created <path>/usr/vice/etc/CellServDB</path>
and <path>/usr/vice/etc/ThisCell</path>.
</p>

<pre caption="Check if CellServDB and ThisCell are created">
# <i>ls -al /usr/vice/etc/</i>
-rw-r--r-- 1 root root 41 Jun 4 22:21 CellServDB
-rw-r--r-- 1 root root 7 Jun 4 22:21 ThisCell
</pre>

</body>
</section>
<section>
<title>Defining Cell Name and Membership for Server Process</title>
<body>

<p>
Now assign your cell's name.
</p>

<impo>
There are some restrictions on the name format. Two of the most important
restrictions are that the name cannot include uppercase letters or more than
64 characters. Remember that your cell name will show up under
<path>/afs</path>, so you might want to choose a short one.
</impo>

<note>
In the following and every instruction in this guide, for the &lt;server
name&gt; argument substitute the fully qualified hostname (such as
<b>afs.gentoo.org</b>) of the machine you are installing. For the &lt;cell
name&gt; argument substitute your cell's complete name (such as
<b>gentoo</b>).
</note>

<p>
Run the <c>bos setcellname</c> command to set the cell name:
</p>

<pre caption="Set the cell name">
# <i>/usr/afs/bin/bos setcellname &lt;server name&gt; &lt;cell name&gt; -noauth</i>
</pre>

</body>
</section>
<section>
<title>Starting the Database Server Process</title>
<body>

<p>
Next use the <c>bos create</c> command to create entries for the four database
server processes in the <path>/usr/afs/local/BosConfig</path> file. The four
processes run on database server machines only.
</p>

<table>
<tr>
<ti>kaserver</ti>
<ti>
The Authentication Server maintains the Authentication Database.
This can be replaced by a Kerberos 5 daemon. If anybody wants to try that,
feel free to update this document :)
</ti>
</tr>
<tr>
<ti>buserver</ti>
<ti>The Backup Server maintains the Backup Database</ti>
</tr>
<tr>
<ti>ptserver</ti>
<ti>The Protection Server maintains the Protection Database</ti>
</tr>
<tr>
<ti>vlserver</ti>
<ti>
The Volume Location Server maintains the Volume Location Database (VLDB).
Very important :)
</ti>
</tr>
</table>

<pre caption="Create entries for the database processes">
# <i>/usr/afs/bin/bos create &lt;server name&gt; kaserver simple /usr/afs/bin/kaserver -cell &lt;cell name&gt; -noauth</i>
# <i>/usr/afs/bin/bos create &lt;server name&gt; buserver simple /usr/afs/bin/buserver -cell &lt;cell name&gt; -noauth</i>
# <i>/usr/afs/bin/bos create &lt;server name&gt; ptserver simple /usr/afs/bin/ptserver -cell &lt;cell name&gt; -noauth</i>
# <i>/usr/afs/bin/bos create &lt;server name&gt; vlserver simple /usr/afs/bin/vlserver -cell &lt;cell name&gt; -noauth</i>
</pre>

<p>
You can verify that all servers are running with the <c>bos status</c> command:
</p>

<pre caption="Check if all the servers are running">
# <i>/usr/afs/bin/bos status &lt;server name&gt; -noauth</i>
Instance kaserver, currently running normally.
Instance buserver, currently running normally.
Instance ptserver, currently running normally.
Instance vlserver, currently running normally.
</pre>

</body>
</section>
<section>
<title>Initializing Cell Security</title>
<body>

<p>
Now we'll initialize the cell's security mechanisms. We'll begin by creating
the following two initial entries in the Authentication Database: the main
administrative account, called <b>admin</b> by convention, and an entry for
the AFS server processes, called <c>afs</c>. No user logs in under the
identity <b>afs</b>, but the Authentication Server's Ticket Granting
Service (TGS) module uses the account to encrypt the server tickets that
it grants to AFS clients. This sounds pretty much like Kerberos :)
</p>

<p>
Enter <c>kas</c> interactive mode:
</p>

<pre caption="Entering the interactive mode">
# <i>/usr/afs/bin/kas -cell &lt;cell name&gt; -noauth</i>
ka&gt; <i>create afs</i>
initial_password:
Verifying, please re-enter initial_password:
ka&gt; <i>create admin</i>
initial_password:
Verifying, please re-enter initial_password:
ka&gt; <i>examine afs</i>

User data for afs
key (0) cksum is 2651715259, last cpw: Mon Jun 4 20:49:30 2001
password will never expire.
An unlimited number of unsuccessful authentications is permitted.
entry never expires. Max ticket lifetime 100.00 hours.
last mod on Mon Jun 4 20:49:30 2001 by &lt;none&gt;
permit password reuse
ka&gt; <i>setfields admin -flags admin</i>
ka&gt; <i>examine admin</i>

User data for admin (ADMIN)
key (0) cksum is 2651715259, last cpw: Mon Jun 4 20:49:59 2001
password will never expire.
An unlimited number of unsuccessful authentications is permitted.
entry never expires. Max ticket lifetime 25.00 hours.
last mod on Mon Jun 4 20:51:10 2001 by &lt;none&gt;
permit password reuse
ka&gt;
</pre>
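<p>
The <c>examine</c> output above shows the policy the two fresh entries start
with: passwords that never expire, no limit on failed authentications,
password reuse permitted and long ticket lifetimes. The following auditor is an
added example, not code from this guide or from OpenAFS; it parses such
<c>kas examine</c> listings and reports those settings so they can be reviewed
once the cell is up. The 24-hour ticket lifetime threshold is a constructed
policy value, not an AFS default.
</p>

```python
"""Audit 'kas examine' output for Authentication Database settings worth tightening.

Added example, not code from the Gentoo guide or from OpenAFS. The sample
listing below is constructed from the two examine outputs shown in the guide.
"""
import re

MAX_TICKET_HOURS = 24.0  # constructed policy threshold, not an AFS default

# 'User data for admin (ADMIN)' -> name 'admin', flags 'ADMIN'; plain entries have no flags.
BLOCK_RE = re.compile(r"^User data for (\S+)(?: \((\w+)\))?", re.M)
LIFETIME_RE = re.compile(r"Max ticket lifetime ([0-9.]+) hours")


def parse_examine(text):
    """Split kas examine output into {name: {"flags": str, "body": str}}."""
    entries = {}
    matches = list(BLOCK_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        entries[m.group(1)] = {"flags": m.group(2) or "", "body": text[m.end():end]}
    return entries


def admin_entries(text):
    """Names of entries carrying the ADMIN flag (set with 'setfields -flags admin')."""
    return sorted(n for n, e in parse_examine(text).items() if e["flags"] == "ADMIN")


def audit_entry(name, entry):
    """Return the findings for a single KA entry."""
    body = entry["body"]
    findings = []
    if "password will never expire" in body:
        findings.append("%s: password never expires" % name)
    if "unlimited number of unsuccessful authentications" in body:
        findings.append("%s: no lockout after failed authentications" % name)
    if "permit password reuse" in body:
        findings.append("%s: password reuse permitted" % name)
    m = LIFETIME_RE.search(body)
    if m and float(m.group(1)) > MAX_TICKET_HOURS:
        findings.append("%s: max ticket lifetime %s hours exceeds %.0f hours"
                        % (name, m.group(1), MAX_TICKET_HOURS))
    return findings


def audit(text):
    """Run audit_entry over every entry found in the examine output."""
    findings = []
    for name, entry in parse_examine(text).items():
        findings.extend(audit_entry(name, entry))
    return findings


# Constructed sample, copied from the two 'examine' listings in the guide.
SAMPLE_EXAMINE = """\
User data for afs
key (0) cksum is 2651715259, last cpw: Mon Jun 4 20:49:30 2001
password will never expire.
An unlimited number of unsuccessful authentications is permitted.
entry never expires. Max ticket lifetime 100.00 hours.
last mod on Mon Jun 4 20:49:30 2001 by <none>
permit password reuse

User data for admin (ADMIN)
key (0) cksum is 2651715259, last cpw: Mon Jun 4 20:49:59 2001
password will never expire.
An unlimited number of unsuccessful authentications is permitted.
entry never expires. Max ticket lifetime 25.00 hours.
last mod on Mon Jun 4 20:51:10 2001 by <none>
permit password reuse
"""

if __name__ == "__main__":
    print("ADMIN entries:", admin_entries(SAMPLE_EXAMINE))
    for finding in audit(SAMPLE_EXAMINE):
        print(finding)
```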

<p>
Run the <c>bos adduser</c> command to add the <b>admin</b> user to
<path>/usr/afs/etc/UserList</path>.
</p>

<pre caption="Add the admin user to the UserList">
# <i>/usr/afs/bin/bos adduser &lt;server name&gt; admin -cell &lt;cell name&gt; -noauth</i>
</pre>

<p>
Issue the <c>bos addkey</c> command to define the AFS server
encryption key in <path>/usr/afs/etc/KeyFile</path>.
</p>

<note>
If asked for the input key, give the password you entered when creating
the <c>afs</c> entry with <c>kas</c>.
</note>

<pre caption="Entering the password">
# <i>/usr/afs/bin/bos addkey &lt;server name&gt; -kvno 0 -cell &lt;cell name&gt; -noauth</i>
input key:
Retype input key:
</pre>

<p>
Issue the <c>pts createuser</c> command to create a Protection Database entry
for the admin user.
</p>

<note>
By default, the Protection Server assigns AFS UID 1 to the <b>admin</b> user,
because it is the first user entry you are creating. If the local password file
(<path>/etc/passwd</path> or equivalent) already has an entry for <b>admin</b>
that assigns a different UID, use the <c>-id</c> argument to create matching
UIDs.
</note>

<pre caption="Create a Protection Database entry for the database user">
# <i>/usr/afs/bin/pts createuser -name admin -cell &lt;cell name&gt; [-id &lt;AFS UID&gt;] -noauth</i>
</pre>

<p>
Issue the <c>pts adduser</c> command to make the <b>admin</b> user a member
of the system:administrators group, and the <c>pts membership</c> command to
verify the new membership.
</p>

<pre caption="Make admin a member of the administrators group and verify">
# <i>/usr/afs/bin/pts adduser admin system:administrators -cell &lt;cell name&gt; -noauth</i>
# <i>/usr/afs/bin/pts membership admin -cell &lt;cell name&gt; -noauth</i>
Groups admin (id: 1) is a member of:
system:administrators
</pre>

<p>
Restart all AFS server processes.
</p>

<pre caption="Restart all AFS server processes">
# <i>/usr/afs/bin/bos restart &lt;server name&gt; -all -cell &lt;cell name&gt; -noauth</i>
</pre>

</body>
</section>
<section>
<title>Starting the File Server, Volume Server and Salvager</title>
<body>

<p>
Start the <c>fs</c> process, which consists of the File Server, Volume Server
and Salvager (the fileserver, volserver and salvager processes).
</p>

<pre caption="Start the fs process">
# <i>/usr/afs/bin/bos create &lt;server name&gt; fs fs /usr/afs/bin/fileserver /usr/afs/bin/volserver /usr/afs/bin/salvager -cell &lt;cell name&gt; -noauth</i>
</pre>

<p>
Verify that all processes are running.
</p>

<pre caption="Check if all processes are running">
# <i>/usr/afs/bin/bos status &lt;server name&gt; -long -noauth</i>
Instance kaserver, (type is simple) currently running normally.
Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
Last exit at Mon Jun 4 21:07:17 2001
Command 1 is '/usr/afs/bin/kaserver'

Instance buserver, (type is simple) currently running normally.
Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
Last exit at Mon Jun 4 21:07:17 2001
Command 1 is '/usr/afs/bin/buserver'

Instance ptserver, (type is simple) currently running normally.
Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
Last exit at Mon Jun 4 21:07:17 2001
Command 1 is '/usr/afs/bin/ptserver'

Instance vlserver, (type is simple) currently running normally.
Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
Last exit at Mon Jun 4 21:07:17 2001
Command 1 is '/usr/afs/bin/vlserver'

Instance fs, (type is fs) currently running normally.
Auxiliary status is: file server running.
Process last started at Mon Jun 4 21:09:30 2001 (2 proc starts)
Command 1 is '/usr/afs/bin/fileserver'
Command 2 is '/usr/afs/bin/volserver'
Command 3 is '/usr/afs/bin/salvager'
</pre>

<p>
Your next action depends on whether you have ever run AFS file server machines
in the cell.
</p>

<p>
If you are installing the first AFS server ever in the cell, create the
first AFS volume, <b>root.afs</b>.
</p>

<note>
For the partition name argument, substitute the name of one of the machine's
AFS server partitions. By convention these partitions are named
<path>/vicepx</path>, where x is in the range a-z.
</note>

<pre caption="Create the root.afs volume">
# <i>/usr/afs/bin/vos create &lt;server name&gt; &lt;partition name&gt; root.afs -cell &lt;cell name&gt; -noauth</i>
</pre>

<p>
If there are existing AFS file server machines and volumes in the cell,
issue the <c>vos syncvldb</c> and <c>vos syncserv</c> commands to synchronize
the VLDB (Volume Location Database) with the actual state of volumes on the
local machine. This will copy all necessary data to your new server.
</p>

<p>
If the command fails with the message "partition /vicepa does not exist on
the server", ensure that the partition is mounted before running the OpenAFS
servers, or mount the directory and restart the processes using
<c>/usr/afs/bin/bos restart &lt;server name&gt; -all -cell &lt;cell
name&gt; -noauth</c>.
</p>

<pre caption="Synchronise the VLDB">
# <i>/usr/afs/bin/vos syncvldb &lt;server name&gt; -cell &lt;cell name&gt; -verbose -noauth</i>
# <i>/usr/afs/bin/vos syncserv &lt;server name&gt; -cell &lt;cell name&gt; -verbose -noauth</i>
</pre>

</body>
</section>
<section>
<title>Starting the Server Portion of the Update Server</title>
<body>

<pre caption="Start the update server">
# <i>/usr/afs/bin/bos create &lt;server name&gt;
upserver simple "/usr/afs/bin/upserver
-crypt /usr/afs/etc -clear /usr/afs/bin"
-cell &lt;cell name&gt; -noauth</i>
</pre>

</body>
</section>
<section>
<title>Configuring the Top Level of the AFS filespace</title>
<body>

<p>
First you need to set some ACLs, so that any user can look up
<path>/afs</path>.
</p>

<pre caption="Set access control lists">
# <i>/usr/afs/bin/fs setacl /afs system:anyuser rl</i>
</pre>

<p>
Then you need to create the root volume, mount it read-only on
<path>/afs/&lt;cell name&gt;</path> and read/write on <path>/afs/.&lt;cell
name&gt;</path>.
</p>

<pre caption="Prepare the root volume">
# <i>/usr/afs/bin/vos create &lt;server name&gt; &lt;partition name&gt; root.cell</i>
# <i>/usr/afs/bin/fs mkmount /afs/&lt;cell name&gt; root.cell</i>
# <i>/usr/afs/bin/fs setacl /afs/&lt;cell name&gt; system:anyuser rl</i>
# <i>/usr/afs/bin/fs mkmount /afs/.&lt;cell name&gt; root.cell -rw</i>
</pre>

<p>
Finally you're done! You should now have a working AFS file server
on your local network. Time to get a big cup of coffee and print out the AFS
documentation!
</p>

<note>
For the AFS server to function properly, it is very important that all system
clocks are synchronized. This is best accomplished by installing an NTP server
on one machine (e.g. the AFS server) and synchronizing all client clocks
with an NTP client. The AFS client can also do this.
</note>

</body>
</section>
</chapter>

<chapter>
<title>Basic Administration</title>
<section>
<title>Disclaimer</title>
<body>

<p>
OpenAFS is an extensive technology. Please read the AFS documentation for more
information. We only list a few administrative tasks in this chapter.
</p>

</body>
</section>
<section>
<title>Configuring PAM to Acquire an AFS Token on Login</title>
<body>

<p>
To use AFS you need to authenticate against the KA Server if you are using
AFS's own Kerberos 4 implementation, or against a Kerberos 5 KDC if you are
using MIT, Heimdal or Shishi Kerberos 5. However, in order to log in to a
machine you will also need a user account; this can be local in
<path>/etc/passwd</path>, or come from NIS, LDAP (OpenLDAP) or a Hesiod
database. PAM allows Gentoo to tie the authentication against AFS to the
login to the user account.
</p>

<p>
You will need to update <path>/etc/pam.d/system-auth</path>, which is used by
the other PAM configurations. <c>use_first_pass</c> makes <c>pam_afs</c> reuse
the password the user already entered at login instead of prompting again, and
<c>ignore_root</c> stops the local superuser from being checked against AFS,
so that root can still log in if AFS or the network fails.
</p>

<pre caption="/etc/pam.d/system-auth">
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_afs.so.1 use_first_pass ignore_root
auth required pam_deny.so

account required pam_unix.so

password required pam_cracklib.so retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
</pre>

<p>
In order for <c>sudo</c> to keep the real user's token and to prevent local
users from gaining AFS access, change <path>/etc/pam.d/su</path> as follows:
</p>

<pre caption="/etc/pam.d/su">
<comment># Here, users with uid &gt; 100 are considered to belong to AFS and users with
# uid &lt;= 100 are ignored by pam_afs.</comment>
auth sufficient /usr/afsws/lib/pam_afs.so.1 ignore_uid 100

auth sufficient /lib/security/pam_rootok.so

<comment># If you want to restrict the users allowed to su even further,
# create /etc/security/suauth.allow (or a similarly named file) that is only
# writable by root, and add the users that are allowed to su to that
# file, one per line.
#auth required /lib/security/pam_listfile.so item=ruser \
# sense=allow onerr=fail file=/etc/security/suauth.allow

# Uncomment this to allow users in the wheel group to su without
# entering a password.
#auth sufficient /lib/security/pam_wheel.so use_uid trust

# Alternatively to the above, you can keep a list of users that do
# not need to supply a password.
#auth sufficient /lib/security/pam_listfile.so item=ruser \
# sense=allow onerr=fail file=/etc/security/suauth.nopass

# Comment this out to allow any user, even those not in the 'wheel'
# group, to su</comment>
auth required /lib/security/pam_wheel.so use_uid

auth required /lib/security/pam_stack.so service=system-auth

account required /lib/security/pam_stack.so service=system-auth

password required /lib/security/pam_stack.so service=system-auth

session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so

<comment># Here we prevent the real user id's token from being dropped</comment>
session optional /usr/afsws/lib/pam_afs.so.1 no_unlog
</pre>
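<p>
The following linter is an added example, not code from this guide or from
OpenAFS. It parses the <c>type control module args</c> lines of the two PAM
stacks shown above and checks the properties this section relies on:
<c>pam_afs</c> is in the auth stack with <c>ignore_root</c>,
<c>use_first_pass</c> only appears after <c>pam_unix</c> has already collected
the password, the auth stack ends in <c>pam_deny</c> so a misconfiguration
fails closed, and the <c>su</c> stack keeps the real user's token with
<c>no_unlog</c>. The embedded file contents are constructed.
</p>

```python
"""Lint PAM stacks for the AFS-related settings the guide relies on.

Added example, not code from the Gentoo guide or from OpenAFS. The sample
file contents below are constructed from the stacks shown in the guide.
"""
import os


def parse_pam(text):
    """Return [(type, control, module, [args...])] with comments removed.

    The module is reduced to its basename so that 'pam_afs.so.1' and
    '/usr/afsws/lib/pam_afs.so.1' compare equal.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 3:
            continue  # blank, comment-only or malformed line
        entries.append((fields[0], fields[1], os.path.basename(fields[2]), fields[3:]))
    return entries


def is_afs(module):
    return module.startswith("pam_afs")


def check_system_auth(text):
    """Findings for /etc/pam.d/system-auth; an empty list means the checks pass."""
    findings = []
    auth = [e for e in parse_pam(text) if e[0] == "auth"]
    if not any(is_afs(e[2]) for e in auth):
        findings.append("no pam_afs module in the auth stack")
    for idx, (_, _, module, args) in enumerate(auth):
        if not is_afs(module):
            continue
        if "ignore_root" not in args:
            findings.append("pam_afs without ignore_root: root login depends on AFS")
        if "use_first_pass" in args and not any(e[2] == "pam_unix.so" for e in auth[:idx]):
            findings.append("pam_afs uses use_first_pass but no earlier pam_unix collects a password")
    if not auth or auth[-1][2] != "pam_deny.so":
        findings.append("auth stack does not end with pam_deny.so")
    return findings


def check_su(text):
    """Findings for /etc/pam.d/su: the AFS session module must keep the caller's token."""
    session = [e for e in parse_pam(text) if e[0] == "session" and is_afs(e[2])]
    if not any("no_unlog" in e[3] for e in session):
        return ["no 'session ... pam_afs no_unlog' line: the real user's token is dropped on su"]
    return []


# Constructed sample: the auth/account part of the system-auth stack in the guide.
GUIDE_SYSTEM_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_afs.so.1 use_first_pass ignore_root
auth required pam_deny.so
account required pam_unix.so
"""

# Constructed weak variant: pam_afs before pam_unix, no ignore_root, no closing pam_deny.
WEAK_SYSTEM_AUTH = """\
auth required pam_env.so
auth sufficient pam_afs.so.1 use_first_pass
auth sufficient pam_unix.so likeauth nullok
"""

# Constructed su stacks, with and without the token-preserving session line.
GUIDE_SU = """\
auth sufficient /usr/afsws/lib/pam_afs.so.1 ignore_uid 100
auth required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /usr/afsws/lib/pam_afs.so.1 no_unlog
"""
SU_WITHOUT_NO_UNLOG = GUIDE_SU.rsplit("\n", 2)[0] + "\n"

if __name__ == "__main__":
    for label, findings in (("system-auth", check_system_auth(GUIDE_SYSTEM_AUTH)),
                            ("weak system-auth", check_system_auth(WEAK_SYSTEM_AUTH)),
                            ("su", check_su(GUIDE_SU)),
                            ("su without no_unlog", check_su(SU_WITHOUT_NO_UNLOG))):
        print(label + ":", findings or "ok")
```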

</body>
</section>
</chapter>
</guide>
