/[gentoo]/xml/htdocs/doc/en/openafs.xml
Revision 1.20 - (show annotations) (download) (as text)
Mon Jul 18 10:44:57 2005 UTC (9 years, 5 months ago) by swift
Branch: MAIN
Changes since 1.19: +18 -3 lines
File MIME type: application/xml
#97481 - Add information on -syslog argument

<?xml version='1.0' encoding="UTF-8"?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/openafs.xml,v 1.19 2005/07/02 09:50:30 swift Exp $ -->

<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link = "/doc/en/openafs.xml">
<title>Gentoo Linux OpenAFS Guide</title>

<author title="Editor">
<mail link="darks@gentoo.org">Holger Brueckner</mail>
</author>
<author title="Editor">
<mail link="bennyc@gentoo.org">Benny Chuang</mail>
</author>
<author title="Editor">
<mail link="blubber@gentoo.org">Tiemo Kieft</mail>
</author>
<author title="Editor">
<mail link="fnjordy@gmail.com">Steven McCoy</mail>
</author>

<abstract>
This guide shows you how to install an OpenAFS server and client on Gentoo Linux.
</abstract>

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
<license/>

<version>0.9</version>
<date>2005-07-18</date>

<chapter>
<title>Overview</title>
<section>
<title>About this Document</title>
<body>

<p>
This document provides you with all the necessary steps to install an OpenAFS
server on Gentoo Linux. Parts of this document are taken from the AFS FAQ and
IBM's Quick Beginnings guide on AFS. Well, never reinvent the wheel :)
</p>

</body>
</section>
<section>
<title>What is AFS?</title>
<body>

<p>
AFS is a distributed filesystem that enables co-operating hosts
(clients and servers) to efficiently share filesystem resources
across both local area and wide area networks. Clients keep a local
cache of frequently used objects (files) to speed up access to them.
</p>

<p>
AFS is based on a distributed file system originally developed
at the Information Technology Center at Carnegie-Mellon University
that was called the "Andrew File System". "Andrew" was the name of the
research project at CMU, honouring the founders of the University. Once
Transarc was formed and AFS became a product, the "Andrew" was dropped to
indicate that AFS had gone beyond the Andrew research project and had become
a supported, product quality filesystem. However, there were a number of
existing cells that rooted their filesystem at /afs. At the time, changing
the root of the filesystem was a non-trivial undertaking. So, to save the
early AFS sites from having to rename their filesystem, AFS remained as the
name and filesystem root.
</p>

</body>
</section>
<section>
<title>What is an AFS cell?</title>
<body>

<p>
An AFS cell is a collection of servers grouped together administratively
and presenting a single, cohesive filesystem. Typically, an AFS cell is a set
of hosts that use the same Internet domain name (for example gentoo.org).
Users log into AFS client workstations, which request information and files
from the cell's servers on behalf of the users. Users do not need to know which
server holds a file they are accessing, and they will not even notice if a
server is moved to another room, since every volume can be replicated and moved
to another server without any user noticing. The files are always accessible.
Well, it's like NFS on steroids :)
</p>

</body>
</section>
<section>
<title>What are the benefits of using AFS?</title>
<body>

<p>
The main strengths of AFS are its caching facility (on the client side,
typically 100 MB to 1 GB), its security features (Kerberos 4 based
authentication and access control lists), its simplicity of addressing (you
have just one filesystem), its scalability (add further servers to your cell
as needed) and its communications protocol.
</p>

</body>
</section>
<section>
<title>Where can I get more information?</title>
<body>

<p>
Read the <uri link="http://www.angelfire.com/hi/plutonic/afs-faq.html">AFS
FAQ</uri>.
</p>

<p>
The OpenAFS main page is at <uri
link="http://www.openafs.org">www.openafs.org</uri>.
</p>

<p>
AFS was originally developed by Transarc, which is now owned by IBM.
You can find some information about AFS on
<uri link="http://www.transarc.ibm.com/Product/EFS/AFS/index.html">Transarc's
web page</uri>.
</p>

</body>
</section>
<section>
<title>How Can I Debug Problems?</title>
<body>

<p>
OpenAFS has great logging facilities. By default, however, it writes straight
into its own log files instead of going through the system logging facilities
you have on your system. To have the servers log through your system logger,
use the <c>-syslog</c> option for all <c>bos</c> commands.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Documentation</title>
<section>
<title>Getting AFS Documentation</title>
<body>

<p>
You can get the original IBM AFS documentation. It is very well written and you
really want to read it if it is up to you to administer an AFS server.
</p>

<pre caption="Installing afsdoc">
# <i>emerge app-doc/afsdoc</i>
</pre>

</body>
</section>
</chapter>

<chapter>
<title>Client Installation</title>
<section>
<title>Preliminary Work</title>
<body>

<note>
All commands should be entered on one line! In this document they are
sometimes wrapped onto two lines to make them easier to read.
</note>

<note>
Unfortunately the AFS client needs an ext2 partition for its cache to run
correctly, because there are some locking issues with reiserfs. You need to
create an ext2 partition of approximately 200 MB (more won't hurt) and mount it
on <path>/usr/vice/cache</path>.
</note>

<p>
You should adjust the two files CellServDB and ThisCell before you build the
AFS client (these files are in <path>/usr/portage/net-fs/openafs/files</path>).
</p>

<pre caption="Adjusting CellServDB and ThisCell">
CellServDB:
>netlabs #Cell name
10.0.0.1 #storage

ThisCell:
netlabs
</pre>

<warn>
Only use spaces inside the <path>CellServDB</path> file. The client will most
likely fail if you use TABs.
</warn>

<p>
CellServDB tells your client which server(s) it needs to contact for a
specific cell. ThisCell should be quite obvious: normally you use a name
which is unique to your organisation, and your (official) domain might be a
good choice.
</p>

</body>
</section>
<section>
<title>Building the Client</title>
<body>

<pre caption="Installing openafs">
# <i>emerge net-fs/openafs</i>
</pre>

<p>
After successful compilation you're ready to go.
</p>

</body>
</section>
<section>
<title>Starting AFS on startup</title>
<body>

<p>
The following command will create the appropriate links to start your AFS client
on system startup.
</p>

<warn>
You should always have a running AFS server in your domain when trying to
start the AFS client. If your AFS server is down, your system won't finish
booting until the client times out (and this takes quite a long time).
</warn>

<pre caption="Adding afs to the default runlevel">
# <i>rc-update add afs default</i>
</pre>

</body>
</section>
</chapter>

<chapter>
<title>Server Installation</title>
<section>
<title>Building the Server</title>
<body>

<p>
The following command will install all necessary binaries for setting up an AFS
server <e>and</e> client.
</p>

<pre caption="Installing openafs">
# <i>emerge net-fs/openafs</i>
</pre>

</body>
</section>
<section>
<title>Starting AFS Server</title>
<body>

<p>
You need to remove the sample CellServDB and ThisCell files first.
</p>

<pre caption="Remove sample files">
# <i>rm /usr/vice/etc/ThisCell</i>
# <i>rm /usr/vice/etc/CellServDB</i>
</pre>

<p>
Next you will run the <b>bosserver</b> command to initialize the Basic OverSeer
(BOS) Server, which monitors and controls other AFS server processes on its
server machine. Think of it as init for the system. Include the <b>-noauth</b>
flag to disable authorization checking, since you haven't added the admin user
yet.
</p>

<warn>
Disabling authorization checking gravely compromises cell security.
You must complete all subsequent steps in one uninterrupted pass
and must not leave the machine unattended until you restart the BOS Server with
authorization checking enabled. Well, this is what the AFS documentation says :)
</warn>

<pre caption="Initialize the Basic OverSeer Server">
# <i>/usr/afs/bin/bosserver -noauth &amp;</i>
</pre>

<p>
Verify that the BOS Server created <path>/usr/vice/etc/CellServDB</path>
and <path>/usr/vice/etc/ThisCell</path>.
</p>

<pre caption="Check if CellServDB and ThisCell are created">
# <i>ls -al /usr/vice/etc/</i>
-rw-r--r-- 1 root root 41 Jun 4 22:21 CellServDB
-rw-r--r-- 1 root root 7 Jun 4 22:21 ThisCell
</pre>

</body>
</section>
<section>
<title>Defining Cell Name and Membership for Server Process</title>
<body>

<p>
Now assign your cell's name.
</p>

<impo>
There are some restrictions on the name format.
Two of the most important restrictions are that the name
cannot include uppercase letters or more than 64 characters. Remember that
your cell name will show up under <path>/afs</path>, so you might want to choose
a short one.
</impo>

<note>
In the following and every instruction in this guide, for the &lt;server
name&gt; argument substitute the fully qualified hostname (such as
<b>afs.gentoo.org</b>) of the machine you are installing. For the &lt;cell
name&gt; argument substitute your cell's complete name (such as
<b>gentoo</b>).
</note>

<p>
Run the <b>bos setcellname</b> command to set the cell name:
</p>

<pre caption="Set the cell name">
# <i>/usr/afs/bin/bos setcellname &lt;server name&gt; &lt;cell name&gt; -noauth</i>
</pre>
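<p>
The CellServDB and ThisCell files from the client chapter and the cell-name
restrictions above are easy to get wrong in ways that only show up as a client
that will not start. The script below is an added example, not part of this
guide or of OpenAFS: it lints a CellServDB in the format shown in the client
chapter (a <c>&gt;cellname</c> header followed by one server address per line,
each with an optional <c>#comment</c>), reports TAB characters, rejects cell
names with uppercase letters or more than 64 characters, and checks that
ThisCell names a cell that CellServDB lists. Two rules are this script's own
assumptions beyond what the guide states: cell names may not contain
whitespace, and server lines must be IPv4 addresses. The sample files are
constructed inline so the script runs offline.
</p>

```shell
#!/bin/sh
# Added example for the Gentoo OpenAFS guide; not part of the guide or of
# OpenAFS. Lints a CellServDB/ThisCell pair: TAB characters (the guide warns
# the client will likely fail on them), the cell-name rules the guide states
# (no uppercase letters, at most 64 characters), plus two assumptions of this
# script: no whitespace in a cell name, and server lines must be IPv4 addresses.

TAB=$(printf '\t')

# check_cellname NAME: prints "ok" or the reason the name is unacceptable.
check_cellname() {
    name=$1
    [ -n "$name" ] || { echo "cell name is empty"; return 1; }
    [ ${#name} -le 64 ] || { echo "cell name '$name' is longer than 64 characters"; return 1; }
    case $name in
        *[ABCDEFGHIJKLMNOPQRSTUVWXYZ]*) echo "cell name '$name' contains uppercase letters"; return 1 ;;
        *" "*|*"$TAB"*) echo "cell name '$name' contains whitespace"; return 1 ;;
    esac
    echo ok
}

# is_ipv4 ADDR: true for a dotted quad whose octets are all in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_cellservdb FILE: prints one line per problem; returns 1 if any found.
# Cell headers seen are collected in $cells_seen for check_pair.
check_cellservdb() {
    file=$1
    n=0; errors=0; cells=0; cells_seen=""
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            *"$TAB"*)
                echo "$file:$n: TAB character (only spaces are allowed)"
                errors=$((errors + 1))
                line=$(printf '%s' "$line" | tr "$TAB" ' ') ;;
        esac
        entry=${line%%#*}                      # drop a trailing "#comment"
        entry=$(printf '%s' "$entry" | sed 's/^ *//; s/ *$//')
        [ -n "$entry" ] || continue            # blank or comment-only line
        case $entry in
            ">"*)                              # cell header: ">cellname"
                cells=$((cells + 1))
                cells_seen="$cells_seen ${entry#>}"
                msg=$(check_cellname "${entry#>}") || {
                    echo "$file:$n: $msg"
                    errors=$((errors + 1))
                } ;;
            *)                                 # server line: one IPv4 address
                if [ "$cells" -eq 0 ]; then
                    echo "$file:$n: server line before any '>cell' header"
                    errors=$((errors + 1))
                elif ! is_ipv4 "$entry"; then
                    echo "$file:$n: '$entry' is not an IPv4 address"
                    errors=$((errors + 1))
                fi ;;
        esac
    done < "$file"
    [ "$errors" -eq 0 ]
}

# check_pair CELLSERVDB THISCELL: CellServDB must be clean and ThisCell must
# name one of the cells listed in it.
check_pair() {
    check_cellservdb "$1" || return 1
    thiscell=$(head -n 1 "$2" | sed 's/^ *//; s/ *$//')
    msg=$(check_cellname "$thiscell") || { echo "$2: $msg"; return 1; }
    case " $cells_seen " in
        *" $thiscell "*) echo "ok: cell '$thiscell'" ;;
        *) echo "$2: cell '$thiscell' is not listed in $1"; return 1 ;;
    esac
}

# Constructed sample files (made-up data, not a real cell) so this runs offline.
WORK=$(mktemp -d)
printf '>netlabs #Cell name\n10.0.0.1 #storage\n' > "$WORK/CellServDB"
printf 'netlabs\n' > "$WORK/ThisCell"
# A broken copy: a TAB before the comment, an uppercase cell name, a bad address.
printf '>netlabs\t#Cell name\n10.0.0.1 #storage\n>BigCell #second cell\n10.0.0.300 #typo\n' > "$WORK/CellServDB.bad"

check_pair "$WORK/CellServDB" "$WORK/ThisCell"
check_cellservdb "$WORK/CellServDB.bad" || echo "$WORK/CellServDB.bad: rejected"
```

<p>
Point <c>check_pair</c> at the real files (for the client, the copies in
<path>/usr/portage/net-fs/openafs/files</path> before the build; on the
server, <path>/usr/vice/etc</path> once <c>bosserver</c> has created them) and
treat a non-zero exit as a reason not to proceed.
</p>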

</body>
</section>
<section>
<title>Starting the Database Server Process</title>
<body>

<p>
Next use the <b>bos create</b> command to create entries for the four database
server processes in the <path>/usr/afs/local/BosConfig</path> file. The four
processes run on database server machines only.
</p>

<table>
<tr>
<ti>kaserver</ti>
<ti>
The Authentication Server maintains the Authentication Database.
This can be replaced by a Kerberos 5 daemon. If anybody wants to try that,
feel free to update this document :)
</ti>
</tr>
<tr>
<ti>buserver</ti>
<ti>The Backup Server maintains the Backup Database</ti>
</tr>
<tr>
<ti>ptserver</ti>
<ti>The Protection Server maintains the Protection Database</ti>
</tr>
<tr>
<ti>vlserver</ti>
<ti>
The Volume Location Server maintains the Volume Location Database (VLDB).
Very important :)
</ti>
</tr>
</table>

<pre caption="Create entries for the database processes">
# <i>/usr/afs/bin/bos create &lt;server name&gt; kaserver simple /usr/afs/bin/kaserver -cell &lt;cell name&gt; -noauth</i>
# <i>/usr/afs/bin/bos create &lt;server name&gt; buserver simple /usr/afs/bin/buserver -cell &lt;cell name&gt; -noauth</i>
# <i>/usr/afs/bin/bos create &lt;server name&gt; ptserver simple /usr/afs/bin/ptserver -cell &lt;cell name&gt; -noauth</i>
# <i>/usr/afs/bin/bos create &lt;server name&gt; vlserver simple /usr/afs/bin/vlserver -cell &lt;cell name&gt; -noauth</i>
</pre>

<p>
You can verify that all servers are running with the <b>bos status</b> command:
</p>

<pre caption="Check if all the servers are running">
# <i>/usr/afs/bin/bos status &lt;server name&gt; -noauth</i>
Instance kaserver, currently running normally.
Instance buserver, currently running normally.
Instance ptserver, currently running normally.
Instance vlserver, currently running normally.
</pre>

</body>
</section>
<section>
<title>Initializing Cell Security</title>
<body>

<p>
Now we'll initialize the cell's security mechanisms. We'll begin by creating
the following two initial entries in the Authentication Database: the main
administrative account, called <b>admin</b> by convention, and an entry for
the AFS server processes, called <b>afs</b>. No user logs in under the
identity <b>afs</b>, but the Authentication Server's Ticket Granting
Service (TGS) module uses the account to encrypt the server tickets that
it grants to AFS clients. This sounds pretty much like Kerberos :)
</p>

<p>
Enter <b>kas</b> interactive mode:
</p>

<pre caption="Entering the interactive mode">
# <i>/usr/afs/bin/kas -cell &lt;cell name&gt; -noauth</i>
ka&gt; <i>create afs</i>
initial_password:
Verifying, please re-enter initial_password:
ka&gt; <i>create admin</i>
initial_password:
Verifying, please re-enter initial_password:
ka&gt; <i>examine afs</i>

User data for afs
key (0) cksum is 2651715259, last cpw: Mon Jun 4 20:49:30 2001
password will never expire.
An unlimited number of unsuccessful authentications is permitted.
entry never expires. Max ticket lifetime 100.00 hours.
last mod on Mon Jun 4 20:49:30 2001 by &lt;none&gt;
permit password reuse
ka&gt; <i>setfields admin -flags admin</i>
ka&gt; <i>examine admin</i>

User data for admin (ADMIN)
key (0) cksum is 2651715259, last cpw: Mon Jun 4 20:49:59 2001
password will never expire.
An unlimited number of unsuccessful authentications is permitted.
entry never expires. Max ticket lifetime 25.00 hours.
last mod on Mon Jun 4 20:51:10 2001 by &lt;none&gt;
permit password reuse
ka&gt;
</pre>

<p>
Run the <b>bos adduser</b> command to add the <b>admin</b> user to
<path>/usr/afs/etc/UserList</path>.
</p>

<pre caption="Add the admin user to the UserList">
# <i>/usr/afs/bin/bos adduser &lt;server name&gt; admin -cell &lt;cell name&gt; -noauth</i>
</pre>

<p>
Issue the <b>bos addkey</b> command to define the AFS server
encryption key in <path>/usr/afs/etc/KeyFile</path>.
</p>

<note>
If asked for the input key, give the password you entered when creating
the afs entry with <b>kas</b>.
</note>

<pre caption="Entering the password">
# <i>/usr/afs/bin/bos addkey &lt;server name&gt; -kvno 0 -cell &lt;cell name&gt; -noauth</i>
input key:
Retype input key:
</pre>

<p>
Issue the <b>pts createuser</b> command to create a Protection Database
entry for the admin user.
</p>

<note>
By default, the Protection Server assigns AFS UID 1 to the <b>admin</b> user,
because it is the first user entry you are creating. If the local password file
(<path>/etc/passwd</path> or equivalent) already has an entry for <b>admin</b>
that assigns a different UID, use the <b>-id</b> argument to create matching
UIDs.
</note>

<pre caption="Create a Protection Database entry for the admin user">
# <i>/usr/afs/bin/pts createuser -name admin -cell &lt;cell name&gt; [-id &lt;AFS UID&gt;] -noauth</i>
</pre>

<p>
Issue the <b>pts adduser</b> command to make the <b>admin</b> user a member
of the system:administrators group, and the <b>pts membership</b> command to
verify the new membership.
</p>

<pre caption="Make admin a member of the administrators group and verify">
# <i>/usr/afs/bin/pts adduser admin system:administrators -cell &lt;cell name&gt; -noauth</i>
# <i>/usr/afs/bin/pts membership admin -cell &lt;cell name&gt; -noauth</i>
Groups admin (id: 1) is a member of:
system:administrators
</pre>

<p>
Restart all AFS server processes.
</p>

<pre caption="Restart all AFS server processes">
# <i>/usr/afs/bin/bos restart &lt;server name&gt; -all -cell &lt;cell name&gt; -noauth</i>
</pre>

</body>
</section>
<section>
<title>Starting the File Server, Volume Server and Salvager</title>
<body>

<p>
Start the <b>fs</b> process, which consists of the File Server, Volume Server
and Salvager (fileserver, volserver and salvager processes).
</p>

<pre caption="Start the fs process">
# <i>/usr/afs/bin/bos create &lt;server name&gt; fs fs /usr/afs/bin/fileserver /usr/afs/bin/volserver /usr/afs/bin/salvager -cell &lt;cell name&gt; -noauth</i>
</pre>

<p>
Verify that all processes are running.
</p>

<pre caption="Check if all processes are running">
# <i>/usr/afs/bin/bos status &lt;server name&gt; -long -noauth</i>
Instance kaserver, (type is simple) currently running normally.
Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
Last exit at Mon Jun 4 21:07:17 2001
Command 1 is '/usr/afs/bin/kaserver'

Instance buserver, (type is simple) currently running normally.
Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
Last exit at Mon Jun 4 21:07:17 2001
Command 1 is '/usr/afs/bin/buserver'

Instance ptserver, (type is simple) currently running normally.
Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
Last exit at Mon Jun 4 21:07:17 2001
Command 1 is '/usr/afs/bin/ptserver'

Instance vlserver, (type is simple) currently running normally.
Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
Last exit at Mon Jun 4 21:07:17 2001
Command 1 is '/usr/afs/bin/vlserver'

Instance fs, (type is fs) currently running normally.
Auxiliary status is: file server running.
Process last started at Mon Jun 4 21:09:30 2001 (2 proc starts)
Command 1 is '/usr/afs/bin/fileserver'
Command 2 is '/usr/afs/bin/volserver'
Command 3 is '/usr/afs/bin/salvager'
</pre>
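<p>
The listing above is what you want to see, and the warning in "Starting AFS
Server" says the bootstrap must end with the BOS Server running with
authorization checking enabled again. The script below is an added example,
not part of this guide or of OpenAFS, that turns both into checks you can run
after the restart: <c>bos_status_report</c> parses text in the shape of the
<c>bos status -long</c> listing and reports every instance that is not
"currently running normally" or whose process-start count exceeds a threshold
(a restart loop), and <c>noauth_processes</c> scans a <c>ps</c> style listing
for a <c>bosserver</c> that still carries <c>-noauth</c>. Both inputs below are
constructed samples, not real output; the shutdown wording, the PIDs and the
high restart count are made up to exercise the checks.
</p>

```shell
#!/bin/sh
# Added example; not part of the Gentoo guide or of OpenAFS. Two checks for a
# freshly bootstrapped server: bos_status_report parses "bos status -long"
# output and flags instances that are not "currently running normally" or that
# restarted more often than a threshold; noauth_processes scans a process
# listing for a bosserver still running with -noauth after bootstrap.

# Constructed sample in the shape of the "bos status -long" listing in the
# guide. Made-up data: one instance restarts too often and one is shut down.
BOS_STATUS_SAMPLE=$(cat <<'EOF'
Instance kaserver, (type is simple) currently running normally.
    Process last started at Mon Jun  4 21:07:17 2001 (2 proc starts)
    Last exit at Mon Jun  4 21:07:17 2001
    Command 1 is '/usr/afs/bin/kaserver'

Instance ptserver, (type is simple) currently running normally.
    Process last started at Mon Jun  4 21:07:17 2001 (37 proc starts)
    Last exit at Mon Jun  4 21:07:17 2001
    Command 1 is '/usr/afs/bin/ptserver'

Instance vlserver, (type is simple) has core file, currently shutdown.
    Process last started at Mon Jun  4 21:07:17 2001 (2 proc starts)
    Last exit at Mon Jun  4 21:09:00 2001
    Command 1 is '/usr/afs/bin/vlserver'

Instance fs, (type is fs) currently running normally.
    Auxiliary status is: file server running.
    Process last started at Mon Jun  4 21:09:30 2001 (2 proc starts)
    Command 1 is '/usr/afs/bin/fileserver'
    Command 2 is '/usr/afs/bin/volserver'
    Command 3 is '/usr/afs/bin/salvager'
EOF
)

# bos_status_report STATUS_TEXT MAX_STARTS: prints "instance: problem" lines;
# returns 1 if anything was reported, 0 if every instance looks healthy.
bos_status_report() {
    printf '%s\n' "$1" | awk -v max="$2" '
        /^Instance / {
            inst = $2; sub(/,$/, "", inst)
            status = $0; sub(/^Instance [^,]*, /, "", status)
            if (status !~ /currently running normally/) {
                print inst ": " status; bad++
            }
        }
        /\([0-9]+ proc starts\)/ {
            starts = $0
            sub(/.*\(/, "", starts); sub(/ proc starts\).*/, "", starts)
            if (starts + 0 > max + 0) {
                print inst ": " starts " process starts (threshold " max ")"; bad++
            }
        }
        END { if (bad > 0) exit 1 }'
}

# Constructed "ps -eo pid,user,args" style listing (made-up PIDs).
PS_SAMPLE=$(cat <<'EOF'
  PID USER     COMMAND
  842 root     /usr/afs/bin/bosserver -noauth
  911 root     /usr/afs/bin/kaserver
  912 root     /usr/afs/bin/ptserver
 1203 user     grep bosserver
EOF
)

# noauth_processes PS_TEXT: prints every bosserver running with -noauth;
# returns 1 if one was found, 0 if the listing is clean.
noauth_processes() {
    printf '%s\n' "$1" | awk '
        /bosserver/ && / -noauth( |$)/ && !/grep/ {
            print "PID " $1 ": " $3 " still running with -noauth"; found++
        }
        END { if (found > 0) exit 1 }'
}

bos_status_report "$BOS_STATUS_SAMPLE" 10 || echo "bos status: problems found"
noauth_processes "$PS_SAMPLE" || echo "bosserver: restart it with authorization checking enabled"
```

<p>
On a live server feed the functions real output, for example
<c>bos_status_report "$(/usr/afs/bin/bos status &lt;server name&gt; -long)" 10</c>
and <c>noauth_processes "$(ps -eo pid,user,args)"</c>; a non-zero exit from
either is the cue to investigate before handing the cell over to users.
</p>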

<p>
Your next action depends on whether you have ever run AFS file server machines
in the cell.
</p>

<p>
If you are installing the first AFS server ever in the cell, create the
first AFS volume, <b>root.afs</b>.
</p>

<note>
For the partition name argument, substitute the name of one of the machine's
AFS server partitions. By convention these partitions are named
<path>/vicepx</path>, where x is a letter in the range a-z.
</note>

<pre caption="Create the root.afs volume">
# <i>/usr/afs/bin/vos create &lt;server name&gt; &lt;partition name&gt; root.afs -cell &lt;cell name&gt; -noauth</i>
</pre>

<p>
If there are existing AFS file server machines and volumes in the cell,
issue the <b>vos syncvldb</b> and <b>vos syncserv</b> commands to synchronize
the VLDB (Volume Location Database) with the actual state of volumes on the
local machine. This will copy all necessary data to your new server.
</p>

<p>
If the command fails with the message "partition /vicepa does not exist on
the server", ensure that the partition is mounted before running the OpenAFS
servers, or mount the directory and restart the processes using
<c>/usr/afs/bin/bos restart &lt;server name&gt; -all -cell &lt;cell
name&gt; -noauth</c>.
</p>

<pre caption="Synchronise the VLDB">
# <i>/usr/afs/bin/vos syncvldb &lt;server name&gt; -cell &lt;cell name&gt; -verbose -noauth</i>
# <i>/usr/afs/bin/vos syncserv &lt;server name&gt; -cell &lt;cell name&gt; -verbose -noauth</i>
</pre>

</body>
</section>
<section>
<title>Starting the Server Portion of the Update Server</title>
<body>

<pre caption="Start the update server">
# <i>/usr/afs/bin/bos create &lt;server name&gt;
upserver simple "/usr/afs/bin/upserver
-crypt /usr/afs/etc -clear /usr/afs/bin"
-cell &lt;cell name&gt; -noauth</i>
</pre>

</body>
</section>
<section>
<title>Configuring the Top Level of the AFS filespace</title>
<body>

<p>
First you need to set some ACLs, so that any user can look up
<path>/afs</path>.
</p>

<pre caption="Set access control lists">
# <i>/usr/afs/bin/fs setacl /afs system:anyuser rl</i>
</pre>

<p>
Then you need to create the <b>root.cell</b> volume, mount it read-only on
<path>/afs/&lt;cell name&gt;</path> and read/write on <path>/afs/.&lt;cell
name&gt;</path>.
</p>

<pre caption="Prepare the root volume">
# <i>/usr/afs/bin/vos create &lt;server name&gt; &lt;partition name&gt; root.cell</i>
# <i>/usr/afs/bin/fs mkmount /afs/&lt;cell name&gt; root.cell</i>
# <i>/usr/afs/bin/fs setacl /afs/&lt;cell name&gt; system:anyuser rl</i>
# <i>/usr/afs/bin/fs mkmount /afs/.&lt;cell name&gt; root.cell -rw</i>
</pre>
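<p>
The ACLs above deliberately give <c>system:anyuser</c> nothing beyond
<c>rl</c> (read and lookup) on the top level, and that is worth re-checking
after any later change. The script below is an added example, not part of this
guide or of OpenAFS: it reads text in the style of <c>fs listacl</c> output
(that layout is this example's assumption; the guide does not show it) and
reports every Normal-rights entry that grants <c>system:anyuser</c> or
<c>system:authuser</c> any of <c>i</c>, <c>d</c>, <c>w</c>, <c>k</c> or
<c>a</c>. Treating <c>system:authuser</c> as equally restricted is this
example's policy choice, and entries under Negative rights are skipped because
they deny rather than grant. The sample listing is constructed, reusing the
cell name <c>netlabs</c> from the client chapter.
</p>

```shell
#!/bin/sh
# Added example; not part of the Gentoo guide or of OpenAFS. Audits top-level
# ACLs for least privilege: system:anyuser (and, by this example's policy,
# system:authuser) should hold at most "rl" on /afs and /afs/<cell name>; any
# of i, d, w, k or a on those principals is reported. The input is text in the
# style of "fs listacl" output; that layout is this example's assumption, and
# the sample below is made up.
ACL_SAMPLE=$(cat <<'EOF'
Access list for /afs is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
Access list for /afs/netlabs is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwk
Negative rights:
  system:anyuser idwk
Access list for /afs/.netlabs is
Normal rights:
  system:administrators rlidwka
  system:authuser rlidw
EOF
)

# acl_audit ACL_TEXT: prints "path: principal rights" for each over-broad entry
# in a Normal rights section; returns 1 if any, 0 if every entry is rl or less.
acl_audit() {
    printf '%s\n' "$1" | awk '
        /^Access list for / { path = $4; section = ""; next }
        /^Normal rights:/   { section = "normal"; next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && NF == 2 && $1 ~ /^system:(anyuser|authuser)$/ && $2 ~ /[idwka]/ {
            print path ": " $1 " " $2 " (expected at most rl)"; bad++
        }
        END { if (bad > 0) exit 1 }'
}

acl_audit "$ACL_SAMPLE" || echo "acl: over-broad entries found"
```

<p>
On a live cell run it over the output of <c>fs listacl</c> for
<path>/afs</path> and <path>/afs/&lt;cell name&gt;</path>; the two reported
lines in the sample are exactly the entries the guide's <c>setacl</c> commands
never create.
</p>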

<p>
Finally you're done! You should now have a working AFS file server
on your local network. Time to get a big
cup of coffee and print out the AFS documentation!
</p>

<note>
For the AFS server to function properly, it is very important that all system
clocks are synchronized. This is best accomplished by installing an NTP server
on one machine (e.g. the AFS server) and synchronizing all client clocks
with the NTP client. This can also be done by the AFS client.
</note>

</body>
</section>
</chapter>

<chapter>
<title>Basic Administration</title>
<section>
<title>Disclaimer</title>
<body>

<p>
OpenAFS is an extensive technology. Please read the AFS documentation for more
information. We only list a few administrative tasks in this chapter.
</p>

</body>
</section>
<section>
<title>Configuring PAM to Acquire an AFS Token on Login</title>
<body>

<p>
To use AFS you need to authenticate against the KA server if you are using
AFS's own Kerberos 4 implementation, or against a Kerberos 5 KDC if you are
using MIT, Heimdal or Shishi Kerberos 5. However, in order to log in to a
machine you will also need a user account; this can be local in
<path>/etc/passwd</path>, in NIS, in LDAP (OpenLDAP) or in a Hesiod database.
PAM allows Gentoo to tie the authentication against AFS to the login to the
user account.
</p>

<p>
You will need to update <path>/etc/pam.d/system-auth</path>, which is used by
the other configurations. <c>use_first_pass</c> indicates that it will be
checked first against the user login, and <c>ignore_root</c> stops the local
superuser from being checked, so that root can still log in if AFS or the
network fails.
</p>

<pre caption="/etc/pam.d/system-auth">
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /usr/afsws/lib/pam_afs.so.1 use_first_pass ignore_root
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so

password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
</pre>

<p>
In order for sudo to keep the real user's token and to prevent local
users from gaining AFS access, change <path>/etc/pam.d/su</path> as follows:
</p>

<pre caption="/etc/pam.d/su">
<comment># Here, users with uid &gt; 100 are considered to belong to AFS and users with
# uid &lt;= 100 are ignored by pam_afs.</comment>
auth sufficient /usr/afsws/lib/pam_afs.so.1 ignore_uid 100

auth sufficient /lib/security/pam_rootok.so

<comment># If you want to restrict users being allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth required /lib/security/pam_listfile.so item=ruser \
# sense=allow onerr=fail file=/etc/security/suauth.allow

# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth sufficient /lib/security/pam_wheel.so use_uid trust

# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth sufficient /lib/security/pam_listfile.so item=ruser \
# sense=allow onerr=fail file=/etc/security/suauth.nopass

# Comment this to allow any user, even those not in the 'wheel'
# group to su</comment>
auth required /lib/security/pam_wheel.so use_uid

auth required /lib/security/pam_stack.so service=system-auth

account required /lib/security/pam_stack.so service=system-auth

password required /lib/security/pam_stack.so service=system-auth

session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so

<comment># Here we prevent the real user id's token from being dropped</comment>
session optional /usr/afsws/lib/pam_afs.so.1 no_unlog
</pre>
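<p>
Because <c>sufficient</c> and <c>required</c> lines interact, a mistake in the
ordering of the <c>auth</c> stack above can lock root out while the network is
down, or leave the stack without the trailing <c>pam_deny.so</c> that makes it
fail closed when no earlier module succeeds. The script below is an added
example, not part of this guide or of OpenAFS: it lints the <c>auth</c> stack
of a PAM service file for the properties the configuration above relies on,
namely that the stack ends with <c>auth required pam_deny.so</c>, that the
<c>pam_afs</c> line carries <c>ignore_root</c> and <c>use_first_pass</c>, and
that <c>pam_unix</c> precedes <c>pam_afs</c> so that <c>use_first_pass</c> has
an already collected password to reuse. The two sample files are written
inline: the guide's <path>system-auth</path> and a deliberately broken variant.
</p>

```shell
#!/bin/sh
# Added example; not part of the Gentoo guide or of OpenAFS. Lints the "auth"
# stack of a PAM service file against the intent of the guide's system-auth:
# the stack must fail closed (end with "required pam_deny.so"), the pam_afs
# line must carry ignore_root (so root can still log in when AFS or the
# network is down) and use_first_pass, and pam_unix must come before pam_afs
# so that use_first_pass has an already-collected password to reuse.

# pam_auth_lint FILE: prints one line per problem; returns 1 if any, else 0.
pam_auth_lint() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }
        $1 == "auth" {
            n++
            ctl[n] = $2; mod[n] = $3; opts[n] = ""
            for (i = 4; i <= NF; i++) opts[n] = opts[n] " " $i
            if ($3 ~ /pam_unix\.so/ && !unix_at) unix_at = n
            if ($3 ~ /pam_afs\.so/ && !afs_at) afs_at = n
        }
        END {
            bad = 0
            if (n == 0) { print "no auth lines found"; exit 1 }
            if (!(ctl[n] == "required" && mod[n] ~ /pam_deny\.so/)) {
                print "auth stack does not end with: auth required pam_deny.so"; bad++
            }
            if (!afs_at) {
                print "no pam_afs.so auth line"; bad++
            } else {
                if (opts[afs_at] !~ / ignore_root( |$)/) { print "pam_afs.so line lacks ignore_root"; bad++ }
                if (opts[afs_at] !~ / use_first_pass( |$)/) { print "pam_afs.so line lacks use_first_pass"; bad++ }
                if (!unix_at || unix_at > afs_at) { print "pam_unix.so must come before pam_afs.so"; bad++ }
            }
            if (bad > 0) exit 1
        }' "$1"
}

# Constructed sample files: the guide's system-auth and a broken variant.
WORK=$(mktemp -d)
cat > "$WORK/system-auth" <<'EOF'
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /usr/afsws/lib/pam_afs.so.1 use_first_pass ignore_root
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so

password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
EOF
# Broken variant: pam_afs before pam_unix, no ignore_root, no closing pam_deny.
cat > "$WORK/system-auth.bad" <<'EOF'
# comment lines and blank lines are ignored
auth required /lib/security/pam_env.so
auth sufficient /usr/afsws/lib/pam_afs.so.1 use_first_pass
auth sufficient /lib/security/pam_unix.so likeauth nullok

account required /lib/security/pam_unix.so
EOF

pam_auth_lint "$WORK/system-auth" && echo "system-auth: ok"
pam_auth_lint "$WORK/system-auth.bad" || echo "system-auth.bad: rejected"
```

<p>
Run it as <c>pam_auth_lint /etc/pam.d/system-auth</c> after editing. It only
inspects <c>auth</c> lines, so the <c>pam_stack.so</c> delegation in
<path>/etc/pam.d/su</path> is outside its scope; a non-zero exit names each
property that is missing.
</p>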

</body>
</section>
</chapter>

</guide>
