/[gentoo]/xml/htdocs/doc/en/openafs.xml

Diff of /xml/htdocs/doc/en/openafs.xml


Revision 1.20 Revision 1.21
1<?xml version='1.0' encoding="UTF-8"?> 1<?xml version='1.0' encoding="UTF-8"?>
2<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/openafs.xml,v 1.20 2005/07/18 10:44:57 swift Exp $ --> 2<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/openafs.xml,v 1.21 2005/10/29 20:20:57 so Exp $ -->
3 3
4<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> 4<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
5 5
6<guide link = "/doc/en/openafs.xml"> 6<guide link="/doc/en/openafs.xml">
7<title>Gentoo Linux OpenAFS Guide</title> 7<title>Gentoo Linux OpenAFS Guide</title>
8 8
9<author title="Editor"> 9<author title="Editor">
10 <mail link="darks@gentoo.org">Holger Brueckner</mail> 10 <mail link="darks@gentoo.org">Holger Brueckner</mail>
11</author> 11</author>
18<author title="Editor"> 18<author title="Editor">
19 <mail link="fnjordy@gmail.com">Steven McCoy</mail> 19 <mail link="fnjordy@gmail.com">Steven McCoy</mail>
20</author> 20</author>
21 21
22<abstract> 22<abstract>
23This guide shows you how to install a openafs server and client on gentoo linux 23This guide shows you how to install an OpenAFS server and client on Gentoo
24Linux.
24</abstract> 25</abstract>
25 26
26<!-- The content of this document is licensed under the CC-BY-SA license --> 27<!-- The content of this document is licensed under the CC-BY-SA license -->
27<!-- See http://creativecommons.org/licenses/by-sa/2.5 --> 28<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
28<license/> 29<license/>
35<section> 36<section>
36<title>About this Document</title> 37<title>About this Document</title>
37<body> 38<body>
38 39
39<p> 40<p>
40This document provides you with all neccessary steps to install an openafs 41This document provides you with all neccessary steps to install an OpenAFS
41server on Gentoo Linux. Parts of this document are taken from the AFS FAQ and 42server on Gentoo Linux. Parts of this document are taken from the AFS FAQ and
42IBM's Quick Beginnings guide on AFS. Well, never reinvent the wheel :) 43IBM's Quick Beginnings guide on AFS. Well, never reinvent the wheel. :)
43</p> 44</p>
44 45
45</body> 46</body>
46</section>
47<section> 47</section>
48<section>
48<title>What is AFS ?</title> 49<title>What is AFS?</title>
49<body> 50<body>
50 51
51<p> 52<p>
52AFS is a distributed filesystem that enables co-operating hosts 53AFS is a distributed filesystem that enables co-operating hosts
53(clients and servers) to efficiently share filesystem resources 54(clients and servers) to efficiently share filesystem resources
54across both local area and wide area networks. Clients hold a 55across both local area and wide area networks. Clients hold a
55cache for often used objects (files), to get quicker 56cache for often used objects (files), to get quicker
56access to them. 57access to them.
57</p> 58</p>
58 59
59<p> 60<p>
60AFS is based on a distributed file system originally developed 61AFS is based on a distributed file system originally developed
61at the Information Technology Center at Carnegie-Mellon University 62at the Information Technology Center at Carnegie-Mellon University
62that was called the "Andrew File System". "Andrew" was the name of the 63that was called the "Andrew File System". "Andrew" was the name of the
63research project at CMU - honouring the founders of the University. Once 64research project at CMU - honouring the founders of the University. Once
64Transarc was formed and AFS became a product, the "Andrew" was dropped to 65Transarc was formed and AFS became a product, the "Andrew" was dropped to
65indicate that AFS had gone beyond the Andrew research project and had become 66indicate that AFS had gone beyond the Andrew research project and had become
66a supported, product quality filesystem. However, there were a number of 67a supported, product quality filesystem. However, there were a number of
67existing cells that rooted their filesystem as /afs. At the time, changing 68existing cells that rooted their filesystem as /afs. At the time, changing
68the root of the filesystem was a non-trivial undertaking. So, to save the 69the root of the filesystem was a non-trivial undertaking. So, to save the
69early AFS sites from having to rename their filesystem, AFS remained as the 70early AFS sites from having to rename their filesystem, AFS remained as the
70name and filesystem root. 71name and filesystem root.
71</p> 72</p>
72 73
73</body> 74</body>
74</section> 75</section>
75<section> 76<section>
76<title>What is an AFS cell ?</title> 77<title>What is an AFS cell?</title>
77<body> 78<body>
78 79
79<p> 80<p>
80An AFS cell is a collection of servers grouped together administratively 81An AFS cell is a collection of servers grouped together administratively and
81and presenting a single, cohesive filesystem. Typically, an AFS cell is a set 82presenting a single, cohesive filesystem. Typically, an AFS cell is a set of
82of hosts that use the same Internet domain name (like for example gentoo.org) 83hosts that use the same Internet domain name (for example, gentoo.org) Users
83Users log into AFS client workstations which request information and files 84log into AFS client workstations which request information and files from the
84from the cell's servers on behalf of the users. Users won't know on which server 85cell's servers on behalf of the users. Users won't know on which server a
85a file which they are accessing, is located. They even won't notice if a server 86file which they are accessing, is located. They even won't notice if a server
86will be located to another room, since every volume can be replicated and moved 87will be located to another room, since every volume can be replicated and
87to another server without any user noticing. The files are always accessable. 88moved to another server without any user noticing. The files are always
88Well it's like NFS on steroids :) 89accessable. Well, it's like NFS on steroids :)
89</p> 90</p>
90 91
91</body> 92</body>
92</section> 93</section>
93<section> 94<section>
94<title>What are the benefits of using AFS ?</title> 95<title>What are the benefits of using AFS?</title>
95<body> 96<body>
96 97
97<p> 98<p>
98The main strengths of AFS are its: 99The main strengths of AFS are its:
99caching facility (on client side, typically 100M to 1GB), 100caching facility (on client side, typically 100M to 1GB),
100security features (Kerberos 4 based, access control lists), 101security features (Kerberos 4 based, access control lists),
101simplicity of addressing (you just have one filesystem), 102simplicity of addressing (you just have one filesystem),
102scalability (add further servers to your cell as needed), 103scalability (add further servers to your cell as needed),
103communications protocol. 104communications protocol.
104</p> 105</p>
105 106
106</body> 107</body>
107</section> 108</section>
108<section> 109<section>
109<title>Where can i get more information ?</title> 110<title>Where can I get more information?</title>
110<body> 111<body>
111 112
112<p> 113<p>
113Read the <uri link="http://www.angelfire.com/hi/plutonic/afs-faq.html">AFS 114Read the <uri link="http://www.angelfire.com/hi/plutonic/afs-faq.html">AFS
114FAQ</uri>. 115FAQ</uri>.
115</p> 116</p>
116 117
117<p> 118<p>
118Openafs main page is at <uri 119OpenAFS main page is at <uri
119link="http://www.openafs.org">www.openafs.org</uri>. 120link="http://www.openafs.org">www.openafs.org</uri>.
120</p> 121</p>
121 122
122<p> 123<p>
123AFS was originally developed by Transarc which is now owned by IBM. 124AFS was originally developed by Transarc which is now owned by IBM.
124You can find some information about AFS on 125You can find some information about AFS on
125<uri link="http://www.transarc.ibm.com/Product/EFS/AFS/index.html">Transarcs 126<uri link="http://www.transarc.ibm.com/Product/EFS/AFS/index.html">Transarc's
126Webpage</uri>. 127Webpage</uri>.
127</p> 128</p>
128 129
129</body> 130</body>
130</section> 131</section>
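Review bot: several spelling and punctuation slips survive this copy-edit pass in the new column of the introductory sections: "neccessary" in the "About this Document" paragraph should be "necessary", "accessable" in the cell description should be "accessible", "(for example, gentoo.org) Users" is missing the sentence break after the parenthesis, and "a file which they are accessing, is located" has a stray comma. In the benefits paragraph, "typically 100M to 1GB" mixes unit styles; "100 MB to 1 GB" is consistent.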
133<body> 134<body>
134 135
135<p> 136<p>
136OpenAFS has great logging facilities. However, by default it logs straight into 137OpenAFS has great logging facilities. However, by default it logs straight into
137its own logs instead of through the system logging facilities you have on your 138its own logs instead of through the system logging facilities you have on your
138system. To have the servers log through your system logger, use the 139system. To have the servers log through your system logger, use the
139<c>-syslog</c> option for all <c>bos</c> commands. 140<c>-syslog</c> option for all <c>bos</c> commands.
140</p> 141</p>
141 142
142</body> 143</body>
143</section> 144</section>
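Review bot: the logging paragraph is passed through unchanged, but "use the -syslog option for all bos commands" is ambiguous for the reader. Later in this guide the server processes are registered with lines of the form "bos create <server name> ptserver simple /usr/afs/bin/ptserver -cell <cell name>", so it is unclear whether -syslog belongs on the bos invocation itself or on the server binary's argument string that bos create records. Suggest naming the exact command line the flag goes on, since this is the one step that decides whether server events reach the system logger at all.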
148<section> 149<section>
149<title>Getting AFS Documentation</title> 150<title>Getting AFS Documentation</title>
150<body> 151<body>
151 152
152<p> 153<p>
153You can get the original IBM AFS Documentation. It is very well written and you 154You can get the original IBM AFS Documentation. It is very well written and you
154really want read it if it is up to you to administer a AFS Server. 155really want read it if it is up to you to administer a AFS Server.
155</p> 156</p>
156 157
157<pre caption="Installing afsdoc"> 158<pre caption="Installing afsdoc">
158# <i>emerge app-doc/afsdoc</i> 159# <i>emerge app-doc/afsdoc</i>
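Review bot: in the afsdoc paragraph, "you really want read it if it is up to you to administer a AFS Server" is left as-is in the new column: it lacks "to" and still reads "a AFS", even though the same "an AFS" correction is applied elsewhere in this revision. Suggest "you really want to read it if it is up to you to administer an AFS server".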
167<section> 168<section>
168<title>Preliminary Work</title> 169<title>Preliminary Work</title>
169<body> 170<body>
170 171
171<note> 172<note>
172All commands should be written in one line !! In this document they are 173All commands should be written in one line!! In this document they are
173sometimes wrapped to two lines to make them easier to read. 174sometimes wrapped to two lines to make them easier to read.
174</note> 175</note>
175 176
176<note> 177<note>
177Unfortunately the AFS Client needs a ext2 partiton for it's cache to run 178Unfortunately the AFS Client needs a ext2 partiton for its cache to run
178correctly, because there are some locking issues with reiserfs. You need to 179correctly, because there are some locking issues with reiserfs. You need to
179create a ext2 partition of approx. 200MB (more won't hurt) and mount it to 180create a ext2 partition of approx. 200MB (more won't hurt) and mount it to
180<path>/usr/vice/cache</path> 181<path>/usr/vice/cache</path>
181</note> 182</note>
182 183
183<p> 184<p>
184You should adjust the two files CellServDB and ThisCell before you build the 185You should adjust the two files CellServDB and ThisCell before you build the
185afs client. (These files are in <path>/usr/portage/net-fs/openafs/files</path>) 186AFS client. (These files are in <path>/usr/portage/net-fs/openafs/files</path>)
186</p> 187</p>
187 188
188<pre caption="Adjusting CellServDB and ThisCell"> 189<pre caption="Adjusting CellServDB and ThisCell">
189CellServDB: 190CellServDB:
190>netlabs #Cell name 191>netlabs #Cell name
198Only use spaces inside the <path>CellServDB</path> file. The client will most 199Only use spaces inside the <path>CellServDB</path> file. The client will most
199likely fail if you use TABs. 200likely fail if you use TABs.
200</warn> 201</warn>
201 202
202<p> 203<p>
203CellServDB tells your client which server(s) he needs to contact for a 204CellServDB tells your client which server(s) it needs to contact for a
204specific cell. ThisCell should be quite obvious. Normally you use a name 205specific cell. ThisCell should be quite obvious. Normally you use a name
205which is unique for your organisation. Your (official) domain might be a 206which is unique for your organisation. Your (official) domain might be a
206good choice. 207good choice.
207</p> 208</p>
208 209
209</body> 210</body>
210</section> 211</section>
211<section> 212<section>
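Review bot: the ext2 note keeps "a ext2 partiton" in the new column; "partiton" is a typo for "partition", and "an ext2" would match the "an AFS" / "an OpenAFS" fixes made in this same revision. The sentence ending in <path>/usr/vice/cache</path> also has no terminating period. One documentation point on the same hunk: the paragraph tells the reader to adjust CellServDB and ThisCell under /usr/portage/net-fs/openafs/files before building, but those files sit inside the portage tree and are replaced on the next sync, so a one-line remark that the edits are not durable there would save readers from losing them.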
221</p> 222</p>
222 223
223</body> 224</body>
224</section> 225</section>
225<section> 226<section>
226<title>Starting afs on startup</title> 227<title>Starting AFS on startup</title>
227<body> 228<body>
228 229
229<p> 230<p>
230The following command will create the appropriate links to start your afs client 231The following command will create the appropriate links to start your afs
231on system startup. 232client on system startup.
232</p> 233</p>
233 234
234<warn> 235<warn>
235You should always have a running afs server in your domain when trying to 236You should always have a running afs server in your domain when trying to
236start the afs client. You're system won't boot until it gets some timeout 237start the afs client. You're system won't boot until it gets some timeout
237if your afs server is down. (and this is quite a long long time) 238if your AFS server is down. (And this is quite a long long time)
238</warn> 239</warn>
239 240
240<pre caption="Adding afs to the default runlevel"> 241<pre caption="Adding AFS to the default runlevel">
241# <i>rc-update add afs default</i> 242# <i>rc-update add afs default</i>
242</pre> 243</pre>
243 244
244</body> 245</body>
245</section> 246</section>
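Review bot: "You're system won't boot" in the startup warning should be "Your system". Capitalisation is also now mixed inside this hunk: "AFS server" is corrected in one line of the warning while "afs client" and "afs server" stay lowercase in the paragraph above and in the first sentence of the same warning. The parenthetical "(And this is quite a long long time)" lacks a closing period.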
250<section> 251<section>
251<title>Building the Server</title> 252<title>Building the Server</title>
252<body> 253<body>
253 254
254<p> 255<p>
255The following command will install all necessary binaries for setting up a AFS 256The following command will install all necessary binaries for setting up an AFS
256Server <e>and</e> Client. 257Server <e>and</e> Client.
257</p> 258</p>
258 259
259<pre caption="Installing openafs"> 260<pre caption="Installing openafs">
260# <i>emerge net-fs/openafs</i> 261# <i>emerge net-fs/openafs</i>
274# <i>rm /usr/vice/etc/ThisCell</i> 275# <i>rm /usr/vice/etc/ThisCell</i>
275# <i>rm /usr/vice/etc/CellServDB</i> 276# <i>rm /usr/vice/etc/CellServDB</i>
276</pre> 277</pre>
277 278
278<p> 279<p>
279Next you will run the <b>bosserver</b> command to initialize the Basic OverSeer 280Next you will run the <c>bosserver</c> command to initialize the Basic OverSeer
280(BOS) Server, which monitors and controls other AFS server processes on its 281(BOS) Server, which monitors and controls other AFS server processes on its
281server machine. Think of it as init for the system. Include the <b>-noauth</b> 282server machine. Think of it as init for the system. Include the <c>-noauth</c>
282flag to disable authorization checking, since you haven't added the admin user 283flag to disable authorization checking, since you haven't added the admin user
283yet. 284yet.
284</p> 285</p>
285 286
286<warn> 287<warn>
287Disabling authorization checking gravely compromises cell security. 288Disabling authorization checking gravely compromises cell security. You must
288You must complete all subsequent steps in one uninterrupted pass 289complete all subsequent steps in one uninterrupted pass and must not leave
289and must not leave the machine unattended until you restart the BOS Server with 290the machine unattended until you restart the BOS Server with authorization
290authorization checking enabled. Well this is what the AFS documentation says :) 291checking enabled. Well, this is what the AFS documentation says. :)
291</warn> 292</warn>
292 293
293<pre caption="Initialize the Basic OverSeer Server"> 294<pre caption="Initialize the Basic OverSeer Server">
294# <i>/usr/afs/bin/bosserver -noauth &amp;</i> 295# <i>/usr/afs/bin/bosserver -noauth &amp;</i>
295</pre> 296</pre>
296 297
297<p> 298<p>
298Verify that the BOS Server created <path>/usr/vice/etc/CellServDB</path> 299Verify that the BOS Server created <path>/usr/vice/etc/CellServDB</path>
299and <path>/usr/vice/etc/ThisCell</path> 300and <path>/usr/vice/etc/ThisCell</path>
300</p> 301</p>
301 302
302<pre caption="Check if CellServDB and ThisCell are created"> 303<pre caption="Check if CellServDB and ThisCell are created">
303# <i>ls -al /usr/vice/etc/</i> 304# <i>ls -al /usr/vice/etc/</i>
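Review bot: the -noauth warning is the most security-relevant text in this hunk, and the trailing aside "Well, this is what the AFS documentation says. :)" reads as though finishing the setup in one uninterrupted pass were optional; suggest dropping the aside so the warn stands on its own. Minor: "Verify that the BOS Server created ... and <path>/usr/vice/etc/ThisCell</path>" ends without a period.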
310<section> 311<section>
311<title>Defining Cell Name and Membership for Server Process</title> 312<title>Defining Cell Name and Membership for Server Process</title>
312<body> 313<body>
313 314
314<p> 315<p>
315Now assign your cells name. 316Now assign your cell's name.
316</p> 317</p>
317 318
318<impo> 319<impo>
319There are some restrictions on the name format. 320There are some restrictions on the name format. Two of the most important
320Two of the most important restrictions are that the name 321restrictions are that the name cannot include uppercase letters or more than
321cannot include uppercase letters or more than 64 characters. Remember that 32264 characters. Remember that your cell name will show up under
322your cell name will show up under <path>/afs</path>, so you might want to choose 323<path>/afs</path>, so you might want to choose a short one.
323a short one.
324</impo> 324</impo>
325 325
326<note> 326<note>
327In the following and every instruction in this guide, for the &lt;server 327In the following and every instruction in this guide, for the &lt;server
328name&gt; argument substitute the full-qualified hostname (such as 328name&gt; argument substitute the full-qualified hostname (such as
329<b>afs.gentoo.org</b>) of the machine you are installing. For the &lt;cell 329<b>afs.gentoo.org</b>) of the machine you are installing. For the &lt;cell
330name&gt; argument substitute your cell's complete name (such as 330name&gt; argument substitute your cell's complete name (such as
331<b>gentoo</b>) 331<b>gentoo</b>)
332</note> 332</note>
333 333
334<p> 334<p>
335Run the <b>bos setcellname</b> command to set the cell name: 335Run the <c>bos setcellname</c> command to set the cell name:
336</p> 336</p>
337 337
338<pre caption="Set the cell name"> 338<pre caption="Set the cell name">
339# <i>/usr/afs/bin/bos setcellname &lt;server name&gt; &lt;cell name&gt; -noauth</i> 339# <i>/usr/afs/bin/bos setcellname &lt;server name&gt; &lt;cell name&gt; -noauth</i>
340</pre> 340</pre>
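Review bot: in the <note> on argument substitution, "full-qualified hostname" should be "fully qualified hostname", and the sentence ending in "(such as <b>gentoo</b>)" has no terminating period in either column.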
344<section> 344<section>
345<title>Starting the Database Server Process</title> 345<title>Starting the Database Server Process</title>
346<body> 346<body>
347 347
348<p> 348<p>
349Next use the <b>bos create</b> command to create entries for the four database 349Next use the <c>bos create</c> command to create entries for the four database
350server processes in the <path>/usr/afs/local/BosConfig</path> file. The four 350server processes in the <path>/usr/afs/local/BosConfig</path> file. The four
351processes run on database server machines only. 351processes run on database server machines only.
352</p> 352</p>
353 353
354<table> 354<table>
355<tr> 355<tr>
356 <ti>kaserver</ti> 356 <ti>kaserver</ti>
357 <ti> 357 <ti>
358 The Authentication Server maintains the Authentication Database. 358 The Authentication Server maintains the Authentication Database.
359 This can be replaced by a Kerberos 5 daemon. If anybody want's to try that 359 This can be replaced by a Kerberos 5 daemon. If anybody wants to try that
360 feel free to update this document :) 360 feel free to update this document :)
361 </ti> 361 </ti>
362</tr> 362</tr>
363<tr> 363<tr>
364 <ti>buserver</ti> 364 <ti>buserver</ti>
383# <i>/usr/afs/bin/bos create &lt;server name&gt; ptserver simple /usr/afs/bin/ptserver -cell &lt;cell name&gt; -noauth</i> 383# <i>/usr/afs/bin/bos create &lt;server name&gt; ptserver simple /usr/afs/bin/ptserver -cell &lt;cell name&gt; -noauth</i>
384# <i>/usr/afs/bin/bos create &lt;server name&gt; vlserver simple /usr/afs/bin/vlserver -cell &lt;cell name&gt; -noauth</i> 384# <i>/usr/afs/bin/bos create &lt;server name&gt; vlserver simple /usr/afs/bin/vlserver -cell &lt;cell name&gt; -noauth</i>
385</pre> 385</pre>
386 386
387<p> 387<p>
388You can verify that all servers are running with the <b>bos status</b> command: 388You can verify that all servers are running with the <c>bos status</c> command:
389</p> 389</p>
390 390
391<pre caption="Check if all the servers are running"> 391<pre caption="Check if all the servers are running">
392# <i>/usr/afs/bin/bos status &lt;server name&gt; -noauth</i> 392# <i>/usr/afs/bin/bos status &lt;server name&gt; -noauth</i>
393Instance kaserver, currently running normally. 393Instance kaserver, currently running normally.
401<section> 401<section>
402<title>Initializing Cell Security</title> 402<title>Initializing Cell Security</title>
403<body> 403<body>
404 404
405<p> 405<p>
406Now we'll initialize the cell's security mechanisms. We'll begin by creating 406Now we'll initialize the cell's security mechanisms. We'll begin by creating
407the following two initial entries in the Authentication Database: The main 407the following two initial entries in the Authentication Database: The main
408administrative account, called <b>admin</b> by convention and an entry for 408administrative account, called <b>admin</b> by convention and an entry for
409the AFS server processes, called <b>afs</b>. No user logs in under the 409the AFS server processes, called <c>afs</c>. No user logs in under the
410identity <b>afs</b>, but the Authentication Server's Ticket Granting 410identity <b>afs</b>, but the Authentication Server's Ticket Granting
411Service (TGS) module uses the account to encrypt the server tickets that 411Service (TGS) module uses the account to encrypt the server tickets that
412it grants to AFS clients. This sounds pretty much like Kerberos :) 412it grants to AFS clients. This sounds pretty much like Kerberos :)
413</p> 413</p>
414 414
415<p> 415<p>
416Enter <b>kas</b> interactive mode 416Enter <c>kas</c> interactive mode
417</p> 417</p>
418 418
419<pre caption="Entering the interactive mode"> 419<pre caption="Entering the interactive mode">
420# <i>/usr/afs/bin/kas -cell &lt;cell name&gt; -noauth</i> 420# <i>/usr/afs/bin/kas -cell &lt;cell name&gt; -noauth</i>
421ka&gt; <i>create afs</i> 421ka&gt; <i>create afs</i>
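Review bot: the markup change in the cell-security paragraph is inconsistent: "called <c>afs</c>" is switched to <c>, while "identity <b>afs</b>" in the next sentence and "called <b>admin</b>" keep <b>, so the same account name is rendered two different ways inside one paragraph; pick one tag for account names and apply it to both. "Enter <c>kas</c> interactive mode" also needs a period.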
445permit password reuse 445permit password reuse
446ka&gt; 446ka&gt;
447</pre> 447</pre>
448 448
449<p> 449<p>
450Run the <b>bos adduser</b> command, to add the <b>admin</b> user to 450Run the <c>bos adduser</c> command, to add the <b>admin</b> user to
451the <path>/usr/afs/etc/UserList</path>. 451the <path>/usr/afs/etc/UserList</path>.
452</p> 452</p>
453 453
454<pre caption="Add the admin user to the UserList"> 454<pre caption="Add the admin user to the UserList">
455# <i>/usr/afs/bin/bos adduser &lt;server name&gt; admin -cell &lt;cell name&gt; -noauth</i> 455# <i>/usr/afs/bin/bos adduser &lt;server name&gt; admin -cell &lt;cell name&gt; -noauth</i>
456</pre> 456</pre>
457 457
458<p> 458<p>
459Issue the <b>bos addkey</b> command to define the AFS Server 459Issue the <c>bos addkey</c> command to define the AFS Server
460encryption key in <path>/usr/afs/etc/KeyFile</path> 460encryption key in <path>/usr/afs/etc/KeyFile</path>.
461</p> 461</p>
462 462
463<note> 463<note>
464If asked for the input key, give the password you entered when creating 464If asked for the input key, give the password you entered when creating
465the afs entry with <b>kas</b> 465the AFS entry with <c>kas</c>
466</note> 466</note>
467 467
468<pre caption="Entering the password"> 468<pre caption="Entering the password">
469# <i>/usr/afs/bin/bos addkey &lt;server name&gt; -kvno 0 -cell &lt;cell name&gt; -noauth</i> 469# <i>/usr/afs/bin/bos addkey &lt;server name&gt; -kvno 0 -cell &lt;cell name&gt; -noauth</i>
470input key: 470input key:
471Retype input key: 471Retype input key:
472</pre> 472</pre>
473 473
474<p> 474<p>
475Issue the <b>pts createuser</b> command to create a Protection Database 475Issue the <c>pts createuser</c> command to create a Protection Database entry
476entry for the admin user 476for the admin user.
477</p> 477</p>
478 478
479<note> 479<note>
480By default, the Protection Server assigns AFS UID 1 to the <b>admin</b> user, 480By default, the Protection Server assigns AFS UID 1 to the <b>admin</b> user,
481because it is the first user entry you are creating. If the local password file 481because it is the first user entry you are creating. If the local password file
482(/etc/passwd or equivalent) already has an entry for <b>admin</b> that assigns 482(<path>/etc/passwd</path> or equivalent) already has an entry for <b>admin</b>
483a different UID use the <b>-id</b> argument to create matching UID's 483that assigns a different UID use the <c>-id</c> argument to create matching
484UIDs.
484</note> 485</note>
485 486
486<pre caption="Create a Protection Database entry for the database user"> 487<pre caption="Create a Protection Database entry for the database user">
487# <i>/usr/afs/bin/pts createuser -name admin -cell &lt;cell name&gt; [-id &lt;AFS UID&gt;] -noauth</i> 488# <i>/usr/afs/bin/pts createuser -name admin -cell &lt;cell name&gt; [-id &lt;AFS UID&gt;] -noauth</i>
488</pre> 489</pre>
489 490
490<p> 491<p>
491Issue the <b>pts adduser</b> command to make the <b>admin</b> user a member 492Issue the <c>pts adduser</c> command to make the <b>admin</b> user a member
492of the system:administrators group, and the <b>pts membership</b> command to 493of the system:administrators group, and the <c>pts membership</c> command to
493verify the new membership 494verify the new membership
494</p> 495</p>
495 496
496<pre caption="Make admin a member of the administrators group and verify"> 497<pre caption="Make admin a member of the administrators group and verify">
497# <i>/usr/afs/bin/pts adduser admin system:administrators -cell &lt;cell name&gt; -noauth</i> 498# <i>/usr/afs/bin/pts adduser admin system:administrators -cell &lt;cell name&gt; -noauth</i>
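Review bot: punctuation left over in this hunk: "Run the <c>bos adduser</c> command, to add" has a stray comma; "the AFS entry with <c>kas</c>" and "verify the new membership" end without periods; and "that assigns a different UID use the <c>-id</c> argument" needs a comma after "UID". The bos addkey note is the only place that ties the KeyFile to the password chosen for the afs entry in kas, and the prompts themselves ("input key:" / "Retype input key:") give no hint of that, so the note is worth promoting to an <impo> rather than leaving it as a <note>.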
513<section> 514<section>
514<title>Starting the File Server, Volume Server and Salvager</title> 515<title>Starting the File Server, Volume Server and Salvager</title>
515<body> 516<body>
516 517
517<p> 518<p>
518Start the <b>fs</b> process, which consists of the File Server, Volume Server 519Start the <c>fs</c> process, which consists of the
519and Salvager (fileserver, volserver and salvager processes). 520File Server,
521Volume Server and Salvager (fileserver,
522volserver and salvager processes).
520</p> 523</p>
521 524
522<pre caption="Start the fs process"> 525<pre caption="Start the fs process">
523# <i>/usr/afs/bin/bos create &lt;server name&gt; fs fs /usr/afs/bin/fileserver /usr/afs/bin/volserver /usr/afs/bin/salvager -cell &lt;cell name&gt; -noauth</i> 526# <i>/usr/afs/bin/bos create &lt;server name&gt; fs fs /usr/afs/bin/fileserver /usr/afs/bin/volserver /usr/afs/bin/salvager -cell &lt;cell name&gt; -noauth</i>
524</pre> 527</pre>
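Review bot: the fs paragraph is rewrapped into four short lines in the new column ("consists of the" / "File Server," / "Volume Server and Salvager (fileserver," / "volserver and salvager processes).") while the rest of the file wraps near 80 columns; suggest refilling it as the original two lines so the source stays uniform.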
556Command 2 is '/usr/afs/bin/volserver' 559Command 2 is '/usr/afs/bin/volserver'
557Command 3 is '/usr/afs/bin/salvager' 560Command 3 is '/usr/afs/bin/salvager'
558</pre> 561</pre>
559 562
560<p> 563<p>
561Your next action depends on whether you have ever run AFS file server machines 564Your next action depends on whether you have ever run AFS file server machines
562in the cell: 565in the cell.
563</p>
564
565<p> 566</p>
567
568<p>
566If you are installing the first AFS Server ever in the cell create the 569If you are installing the first AFS Server ever in the cell create the
567first AFS volume, <b>root.afs</b> 570first AFS volume, <b>root.afs</b>
568</p> 571</p>
569 572
570<note> 573<note>
571For the partition name argument, substitute the name of one of the machine's 574For the partition name argument, substitute the name of one of the machine's
572AFS Server partitions. By convention 575AFS Server partitions. By convention
573these partitions are named <path>/vicepx</path>, where x is in the range of a-z. 576these partitions are named <path>/vicepx</path>, where x is in the range of a-z.
574</note> 577</note>
575 578
576<pre caption="Create the root.afs volume"> 579<pre caption="Create the root.afs volume">
577# <i>/usr/afs/bin/vos create &lt;server name&gt; &lt;partition name&gt; root.afs -cell &lt;cell name&gt; -noauth</i> 580# <i>/usr/afs/bin/vos create &lt;server name&gt; &lt;partition name&gt; root.afs -cell &lt;cell name&gt; -noauth</i>
578</pre> 581</pre>
579 582
580<p> 583<p>
581If there are existing AFS file server machines and volumes in the cell 584If there are existing AFS file server machines and volumes in the cell
582issue the <b>vos sncvldb</b> and <b>vos syncserv</b> commands to synchronize 585issue the <c>vos sncvldb</c> and <c>vos syncserv</c> commands to synchronize
583the VLDB (Volume Location Database) with the actual state of volumes on the 586the VLDB (Volume Location Database) with the actual state of volumes on the
584local machine. This will copy all necessary data to your new server. 587local machine. This will copy all necessary data to your new server.
585</p> 588</p>
586 589
587<p> 590<p>
588If the command fails with the message "partition /vicepa does not exist on 591If the command fails with the message "partition /vicepa does not exist on
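Review bot: "<c>vos sncvldb</c>" is a typo for the vos syncvldb subcommand, and wrapping it in <c> in this revision only makes the misspelling look authoritative; correct it to "vos syncvldb" alongside "vos syncserv" so a reader copying the command gets a valid one. Separately, changing "in the cell:" to "in the cell." drops the colon that introduced the two alternatives that follow ("If you are installing the first AFS Server ..." / "If there are existing AFS file server machines ..."); the colon read better.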
615<section> 618<section>
616<title>Configuring the Top Level of the AFS filespace</title> 619<title>Configuring the Top Level of the AFS filespace</title>
617<body> 620<body>
618 621
619<p> 622<p>
620First you need to set some acl's, so that any user can lookup 623First you need to set some ACLs, so that any user can lookup
621<path>/afs</path>. 624<path>/afs</path>.
622</p> 625</p>
623 626
624<pre caption="Set access control lists"> 627<pre caption="Set access control lists">
625# <i>/usr/afs/bin/fs setacl /afs system:anyuser rl</i> 628# <i>/usr/afs/bin/fs setacl /afs system:anyuser rl</i>
626</pre> 629</pre>
627 630
628<p> 631<p>
629Then you need to create the root volume, mount it readonly on 632Then you need to create the root volume, mount it readonly on
630<path>/afs/&lt;cell name&gt;</path> and read/write on <path>/afs/.&lt;cell 633<path>/afs/&lt;cell name&gt;</path> and read/write on <path>/afs/.&lt;cell
631name&gt;</path> 634name&gt;</path>.
632</p> 635</p>
633 636
634<pre caption="Prepare the root volume"> 637<pre caption="Prepare the root volume">
635# <i>/usr/afs/bin/vos create &lt;server name&gt;&lt;partition name&gt; root.cell</i> 638# <i>/usr/afs/bin/vos create &lt;server name&gt;&lt;partition name&gt; root.cell</i>
636# <i>/usr/afs/bin/fs mkmount /afs/&lt;cell name&gt; root.cell </i> 639# <i>/usr/afs/bin/fs mkmount /afs/&lt;cell name&gt; root.cell </i>
637# <i>/usr/afs/bin/fs setacl /afs/&lt;cell name&gt; system:anyuser rl</i> 640# <i>/usr/afs/bin/fs setacl /afs/&lt;cell name&gt; system:anyuser rl</i>
638# <i>/usr/afs/bin/fs mkmount /afs/.&lt;cell name&gt; root.cell -rw</i> 641# <i>/usr/afs/bin/fs mkmount /afs/.&lt;cell name&gt; root.cell -rw</i>
639</pre> 642</pre>
640 643
641<p> 644<p>
642Finally you're done !!! You should now have a working AFS file server 645Finally you're done!!! You should now have a working AFS file server
643on your local network. Time to get a big 646on your local network. Time to get a big
644cup of coffee and print out the AFS documentation !!! 647cup of coffee and print out the AFS documentation!!!
645</p> 648</p>
646 649
647<note> 650<note>
648It is very important for the AFS server to function properly, that all system 651It is very important for the AFS server to function properly, that all system
649clock's are synchronized. This is best accomplished by installing a ntp server 652clocks are synchronized. This is best accomplished by installing a ntp server
650on one machine (e.g. the AFS server) and synchronize all client clock's 653on one machine (e.g. the AFS server) and synchronize all client clocks
651with the ntp client. This can also be done by the afs client. 654with the ntp client. This can also be done by the AFS client.
652</note> 655</note>
653 656
654</body> 657</body>
655</section> 658</section>
656</chapter> 659</chapter>
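Review bot: in "Prepare the root volume", "vos create &lt;server name&gt;&lt;partition name&gt; root.cell" is missing the space between the two placeholders in both columns (the root.afs command earlier in the file has it); a reader copying this line ends up with one mangled argument. The ACL text says the setacl is "so that any user can lookup /afs", but the command grants "rl" to system:anyuser, i.e. read as well as lookup; the text should say exactly what is being granted, since system:anyuser is the broadest group in the cell. Minor: "can lookup" should be "can look up", and "a ntp server" in the clock note (touched by this revision) should be "an ntp server".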
673<body> 676<body>
674 677
675<p> 678<p>
676To use AFS you need to authenticate against the KA Server if using 679To use AFS you need to authenticate against the KA Server if using
677an implementation AFS Kerberos 4, or against a Kerberos 5 KDC if using 680an implementation AFS Kerberos 4, or against a Kerberos 5 KDC if using
678MIT, Heimdal, or ShiShi Kerberos 5. However in order to login to a 681MIT, Heimdal, or ShiShi Kerberos 5. However in order to login to a
679machine you will also need a user account, this can be local in 682machine you will also need a user account, this can be local in
680/etc/passwd, NIS, LDAP (OpenLDAP), or a Hesiod database. PAM allows 683<path>/etc/passwd</path>, NIS, LDAP (OpenLDAP), or a Hesiod database.
681Gentoo to tie the authentication against AFS and login to the user 684PAM allows Gentoo to tie the authentication against AFS and login to the
682account. 685user account.
683</p>
684
685<p> 686</p>
687
688<p>
686You will need to update /etc/pam.d/system-auth which is used by the 689You will need to update <path>/etc/pam.d/system-auth</path> which is
687other configurations. "use_first_pass" indicates it will be checked 690used by the other configurations. "use_first_pass" indicates it will be
688first against the user login, and "ignore_root" stops the local super 691checked first against the user login, and "ignore_root" stops the local
689user being checked so as to order to allow login if AFS or the network 692superuser being checked so as to order to allow login if AFS or the network
690fails. 693fails.
691</p> 694</p>
692 695
693<pre caption="/etc/pam.d/system-auth"> 696<pre caption="/etc/pam.d/system-auth">
694auth required /lib/security/pam_env.so 697auth required pam_env.so
695auth sufficient /lib/security/pam_unix.so likeauth nullok 698auth sufficient pam_unix.so likeauth nullok
696auth sufficient /usr/afsws/lib/pam_afs.so.1 use_first_pass ignore_root 699auth sufficient pam_afs.so.1 use_first_pass ignore_root
697auth required /lib/security/pam_deny.so 700auth required pam_deny.so
698 701
699account required /lib/security/pam_unix.so 702account required pam_unix.so
700 703
701password required /lib/security/pam_cracklib.so retry=3 704password required pam_cracklib.so retry=3
702password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok 705password sufficient pam_unix.so nullok md5 shadow use_authtok
703password required /lib/security/pam_deny.so 706password required pam_deny.so
704 707
705session required /lib/security/pam_limits.so 708session required pam_limits.so
706session required /lib/security/pam_unix.so 709session required pam_unix.so
707</pre> 710</pre>
708 711
709<p> 712<p>
710In order for sudo to keep the real user's token and to prevent local 713In order for <c>sudo</c> to keep the real user's token and to prevent local
711users gaining AFS access change /etc/pam.d/su as follows: 714users gaining AFS access change <path>/etc/pam.d/su</path> as follows:
712</p> 715</p>
713 716
714<pre caption="/etc/pam.d/su"> 717<pre caption="/etc/pam.d/su">
715<comment># Here, users with uid &gt; 100 are considered to belong to AFS and users with 718<comment># Here, users with uid &gt; 100 are considered to belong to AFS and users with
716# uid &lt;= 100 are ignored by pam_afs.</comment> 719# uid &lt;= 100 are ignored by pam_afs.</comment>
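Review bot: removing the absolute module paths in the system-auth listing is a behaviour change, not a copy-edit: "/usr/afsws/lib/pam_afs.so.1" becomes bare "pam_afs.so.1", which only resolves if the module sits in PAM's default module directory, whereas the old line shows it living under /usr/afsws/lib. Please confirm the net-fs/openafs ebuild installs it where PAM looks; otherwise the "auth sufficient pam_afs.so.1" line fails and AFS-only users fall through to the pam_deny line at the end of the auth stack. The explanation of use_first_pass ("it will be checked first against the user login") does not match the stack shown either: pam_afs comes after pam_unix, and use_first_pass makes it reuse the password pam_unix already collected instead of prompting again. Wording: "so as to order to allow login" should be "in order to allow login", "an implementation AFS Kerberos 4" is missing a word, "ShiShi" is spelled "Shishi", and the su paragraph says "for <c>sudo</c>" while the file being edited is /etc/pam.d/su.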
752</pre> 755</pre>
753 756
754</body> 757</body>
755</section> 758</section>
756</chapter> 759</chapter>
757
758</guide> 760</guide>
