Revision 1.22
Sat Oct 29 21:10:15 2005 UTC by so
Branch: MAIN
Changes since 1.21: +3 -3 lines
File MIME type: application/xml
bumped version

<?xml version='1.0' encoding="UTF-8"?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/openafs.xml,v 1.21 2005/10/29 20:20:57 so Exp $ -->

<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link="/doc/en/openafs.xml">
<title>Gentoo Linux OpenAFS Guide</title>

<author title="Editor">
<mail link="darks@gentoo.org">Holger Brueckner</mail>
</author>
<author title="Editor">
<mail link="bennyc@gentoo.org">Benny Chuang</mail>
</author>
<author title="Editor">
<mail link="blubber@gentoo.org">Tiemo Kieft</mail>
</author>
<author title="Editor">
<mail link="fnjordy@gmail.com">Steven McCoy</mail>
</author>

<abstract>
This guide shows you how to install an OpenAFS server and client on Gentoo
Linux.
</abstract>

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
<license/>

<version>1.0</version>
<date>2005-10-29</date>

<chapter>
<title>Overview</title>
<section>
<title>About this Document</title>
<body>

<p>
This document provides you with all necessary steps to install an OpenAFS
server on Gentoo Linux. Parts of this document are taken from the AFS FAQ and
IBM's Quick Beginnings guide on AFS. Well, never reinvent the wheel. :)
</p>

</body>
</section>
<section>
<title>What is AFS?</title>
<body>

<p>
AFS is a distributed filesystem that enables co-operating hosts (clients and
servers) to share filesystem resources efficiently across both local area and
wide area networks. Clients keep a local cache of frequently used objects
(files) so that repeated access to them is fast.
</p>

<p>
AFS is based on a distributed file system originally developed at the
Information Technology Center at Carnegie-Mellon University that was called
the "Andrew File System". "Andrew" was the name of the research project at
CMU, honouring the founders of the University. Once Transarc was formed and
AFS became a product, the "Andrew" was dropped to indicate that AFS had gone
beyond the Andrew research project and had become a supported, product
quality filesystem. However, there were a number of existing cells that rooted
their filesystem at /afs. At the time, changing the root of the filesystem was
a non-trivial undertaking. So, to save the early AFS sites from having to
rename their filesystem, AFS remained as the name and filesystem root.
</p>

</body>
</section>
<section>
<title>What is an AFS cell?</title>
<body>

<p>
An AFS cell is a collection of servers grouped together administratively and
presenting a single, cohesive filesystem. Typically, an AFS cell is a set of
hosts that use the same Internet domain name (for example, gentoo.org). Users
log into AFS client workstations, which request information and files from the
cell's servers on behalf of the users. Users do not need to know which server
holds the file they are accessing. They will not even notice when a server is
moved to another room, since every volume can be replicated and moved to
another server without any user noticing. The files are always accessible.
Well, it's like NFS on steroids :)
</p>

</body>
</section>
<section>
<title>What are the benefits of using AFS?</title>
<body>

<p>
The main strengths of AFS are its:
</p>

<ul>
<li>caching facility (on the client side, typically 100MB to 1GB)</li>
<li>security features (Kerberos 4 based authentication, per-directory access
control lists)</li>
<li>simplicity of addressing (you just have one filesystem)</li>
<li>scalability (add further servers to your cell as needed)</li>
<li>communications protocol</li>
</ul>

<note>
The built-in Authentication Server (<c>kaserver</c>) speaks the Kerberos 4
protocol with single-DES keys. Both are considered weak today, and OpenAFS has
deprecated <c>kaserver</c> in favour of a Kerberos 5 KDC. This guide still sets
up <c>kaserver</c>; for a production cell, plan to authenticate against a
Kerberos 5 KDC instead.
</note>

</body>
</section>
<section>
<title>Where can I get more information?</title>
<body>

<p>
Read the <uri link="http://www.angelfire.com/hi/plutonic/afs-faq.html">AFS
FAQ</uri>.
</p>

<p>
The OpenAFS main page is at <uri
link="http://www.openafs.org">www.openafs.org</uri>.
</p>

<p>
AFS was originally developed by Transarc, which is now owned by IBM. You can
find some information about AFS on <uri
link="http://www.transarc.ibm.com/Product/EFS/AFS/index.html">Transarc's
Webpage</uri>.
</p>

</body>
</section>
<section>
<title>How Can I Debug Problems?</title>
<body>

<p>
OpenAFS has great logging facilities. However, by default it logs straight into
its own log files under <path>/usr/afs/logs</path> instead of through the
system logging facilities you have on your system. To have the servers log
through your system logger, start them with the <c>-syslog</c> option:
<c>bosserver -syslog</c>, and <c>-syslog</c> in the command line you give to
<c>bos create</c> for each server process that supports it (check the
process's man page).
</p>

</body>
</section>
</chapter>

<chapter>
<title>Documentation</title>
<section>
<title>Getting AFS Documentation</title>
<body>

<p>
You can get the original IBM AFS Documentation. It is very well written and you
really want to read it if it is up to you to administer an AFS Server.
</p>

<pre caption="Installing afsdoc">
# <i>emerge app-doc/afsdoc</i>
</pre>

</body>
</section>
</chapter>

<chapter>
<title>Client Installation</title>
<section>
<title>Preliminary Work</title>
<body>

<note>
All commands should be written on one line! In this document they are
sometimes wrapped to two lines to make them easier to read.
</note>

<note>
Unfortunately the AFS client needs an ext2 partition for its cache to run
correctly, because there are some locking issues with reiserfs. You need to
create an ext2 partition of approx. 200MB (more won't hurt) and mount it on
<path>/usr/vice/cache</path>.
</note>

<p>
You should adjust the two files CellServDB and ThisCell before you build the
AFS client. (These files are in <path>/usr/portage/net-fs/openafs/files</path>)
</p>

<pre caption="Adjusting CellServDB and ThisCell">
CellServDB:
>netlabs #Cell name
10.0.0.1 #storage

ThisCell:
netlabs
</pre>

<warn>
Only use spaces inside the <path>CellServDB</path> file. The client will most
likely fail if you use TABs.
</warn>

<p>
CellServDB tells your client which database server(s) it needs to contact for
a specific cell: each line starting with <c>&gt;</c> names a cell, and the
lines that follow it list one database server each, as an IP address followed
by <c>#</c> and the server's hostname. ThisCell holds the name of the cell
this machine belongs to. Normally you use a name which is unique for your
organisation; your (official) domain might be a good choice.
</p>
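<p>
The following script is an added example and not part of this guide or of
OpenAFS: it checks a CellServDB/ThisCell pair against the rules stated above
(no TABs, lowercase cell names of at most 64 characters, one <c>&gt;</c> header
per cell followed by IPv4 server lines) before you copy the files into
<path>/usr/vice/etc</path>. The character set it allows in a cell name,
<c>[a-z0-9.-]</c>, and the temporary file names are this script's own
assumptions.
</p>

```shell
#!/bin/sh
# Added example, not part of the Gentoo guide: sanity-check a CellServDB and
# ThisCell pair before copying them into /usr/vice/etc. Enforces the rules the
# guide states (no TABs, cell names lowercase and at most 64 characters) plus
# the file layout: a '>' header line per cell, followed by one database server
# per line as IPv4 address, '#' and hostname. The character set allowed in a
# cell name ([a-z0-9.-]) is this script's assumption, stricter than the guide.

# 0 if $1 is an acceptable cell name.
check_cell_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ ${#name} -le 64 ] || return 1
    case $name in
        *[!a-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case $1 in
        *[!0-9.]*|'') return 1 ;;
    esac
    n=0
    rest=$1.
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# 0 if CellServDB $1 is well-formed; otherwise report the first bad line.
check_cellservdb() {
    file=$1
    tab=$(printf '\t')
    lineno=0
    cells=0
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            *"$tab"*)
                echo "$file:$lineno: TAB character (the client may fail)"
                return 1 ;;
            '')
                ;;
            '>'*)
                set -- $line
                cell=${1#?}
                check_cell_name "$cell" || { echo "$file:$lineno: bad cell name '$cell'"; return 1; }
                cells=$((cells + 1)) ;;
            *)
                [ "$cells" -gt 0 ] || { echo "$file:$lineno: server line before any cell header"; return 1; }
                set -- $line
                is_ipv4 "$1" || { echo "$file:$lineno: expected an IPv4 address, got '$1'"; return 1; } ;;
        esac
    done < "$file"
    [ "$cells" -gt 0 ] || { echo "$file: no cell defined"; return 1; }
}

# 0 if ThisCell $1 holds a legal cell name that CellServDB $2 defines.
check_thiscell() {
    cell=$(head -n 1 "$1")
    check_cell_name "$cell" || { echo "$1: bad cell name '$cell'"; return 1; }
    if ! grep -q "^>$cell[ #]" "$2" && ! grep -qx ">$cell" "$2"; then
        echo "$1: cell '$cell' has no entry in $2"
        return 1
    fi
    return 0
}

# Constructed sample (the guide's netlabs example) written to a temp dir.
demo() {
    dir=$(mktemp -d)
    printf '>netlabs #Cell name\n10.0.0.1 #storage\n' > "$dir/CellServDB"
    printf 'netlabs\n' > "$dir/ThisCell"
    check_cellservdb "$dir/CellServDB" && check_thiscell "$dir/ThisCell" "$dir/CellServDB"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo && echo "client configuration looks sane"
```

<p>
Run it against your real files with <c>check_cellservdb /usr/vice/etc/CellServDB
&amp;&amp; check_thiscell /usr/vice/etc/ThisCell /usr/vice/etc/CellServDB</c>;
the first offending line is printed, which is usually a stray TAB.
</p>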
209
210 </body>
211 </section>
212 <section>
213 <title>Building the Client</title>
214 <body>
215
216 <pre caption="Installing openafs">
217 # <i>emerge net-fs/openafs</i>
218 </pre>
219
220 <p>
221 After successful compilation you're ready to go.
222 </p>
223
224 </body>
225 </section>
226 <section>
227 <title>Starting AFS on startup</title>
228 <body>
229
230 <p>
231 The following command will create the appropriate links to start your afs
232 client on system startup.
233 </p>
234
235 <warn>
236 You should always have a running afs server in your domain when trying to
237 start the afs client. You're system won't boot until it gets some timeout
238 if your AFS server is down. (And this is quite a long long time)
239 </warn>
240
241 <pre caption="Adding AFS to the default runlevel">
242 # <i>rc-update add afs default</i>
243 </pre>
244
245 </body>
246 </section>
247 </chapter>
248
249 <chapter>
250 <title>Server Installation</title>
251 <section>
252 <title>Building the Server</title>
253 <body>
254
255 <p>
256 The following command will install all necessary binaries for setting up an AFS
257 Server <e>and</e> Client.
258 </p>
259
260 <pre caption="Installing openafs">
261 # <i>emerge net-fs/openafs</i>
262 </pre>
263
264 </body>
265 </section>
266 <section>
267 <title>Starting AFS Server</title>
268 <body>
269
270 <p>
271 You need to remove the sample CellServDB and ThisCell file first.
272 </p>
273
274 <pre caption="Remove sample files">
275 # <i>rm /usr/vice/etc/ThisCell</i>
276 # <i>rm /usr/vice/etc/CellServDB</i>
277 </pre>
278
279 <p>
280 Next you will run the <c>bosserver</c> command to initialize the Basic OverSeer
281 (BOS) Server, which monitors and controls other AFS server processes on its
282 server machine. Think of it as init for the system. Include the <c>-noauth</c>
283 flag to disable authorization checking, since you haven't added the admin user
284 yet.
285 </p>
286
287 <warn>
288 Disabling authorization checking gravely compromises cell security. You must
289 complete all subsequent steps in one uninterrupted pass and must not leave
290 the machine unattended until you restart the BOS Server with authorization
291 checking enabled. Well, this is what the AFS documentation says. :)
292 </warn>
293
294 <pre caption="Initialize the Basic OverSeer Server">
295 # <i>/usr/afs/bin/bosserver -noauth &amp;</i>
296 </pre>
297
298 <p>
299 Verify that the BOS Server created <path>/usr/vice/etc/CellServDB</path>
300 and <path>/usr/vice/etc/ThisCell</path>
301 </p>
302
303 <pre caption="Check if CellServDB and ThisCell are created">
304 # <i>ls -al /usr/vice/etc/</i>
305 -rw-r--r-- 1 root root 41 Jun 4 22:21 CellServDB
306 -rw-r--r-- 1 root root 7 Jun 4 22:21 ThisCell
307 </pre>
308
309 </body>
310 </section>
311 <section>
312 <title>Defining Cell Name and Membership for Server Process</title>
313 <body>
314
315 <p>
316 Now assign your cell's name.
317 </p>
318
319 <impo>
320 There are some restrictions on the name format. Two of the most important
321 restrictions are that the name cannot include uppercase letters or more than
322 64 characters. Remember that your cell name will show up under
323 <path>/afs</path>, so you might want to choose a short one.
324 </impo>
325
326 <note>
327 In the following and every instruction in this guide, for the &lt;server
328 name&gt; argument substitute the full-qualified hostname (such as
329 <b>afs.gentoo.org</b>) of the machine you are installing. For the &lt;cell
330 name&gt; argument substitute your cell's complete name (such as
331 <b>gentoo</b>)
332 </note>
333
334 <p>
335 Run the <c>bos setcellname</c> command to set the cell name:
336 </p>
337
338 <pre caption="Set the cell name">
339 # <i>/usr/afs/bin/bos setcellname &lt;server name&gt; &lt;cell name&gt; -noauth</i>
340 </pre>
341
342 </body>
343 </section>
344 <section>
345 <title>Starting the Database Server Process</title>
346 <body>
347
348 <p>
349 Next use the <c>bos create</c> command to create entries for the four database
350 server processes in the <path>/usr/afs/local/BosConfig</path> file. The four
351 processes run on database server machines only.
352 </p>
353
354 <table>
355 <tr>
356 <ti>kaserver</ti>
357 <ti>
358 The Authentication Server maintains the Authentication Database.
359 This can be replaced by a Kerberos 5 daemon. If anybody wants to try that
360 feel free to update this document :)
361 </ti>
362 </tr>
363 <tr>
364 <ti>buserver</ti>
365 <ti>The Backup Server maintains the Backup Database</ti>
366 </tr>
367 <tr>
368 <ti>ptserver</ti>
369 <ti>The Protection Server maintains the Protection Database</ti>
370 </tr>
371 <tr>
372 <ti>vlserver</ti>
373 <ti>
374 The Volume Location Server maintains the Volume Location Database (VLDB).
375 Very important :)
376 </ti>
377 </tr>
378 </table>
379
380 <pre caption="Create entries for the database processes">
381 # <i>/usr/afs/bin/bos create &lt;server name&gt; kaserver simple /usr/afs/bin/kaserver -cell &lt;cell name&gt; -noauth</i>
382 # <i>/usr/afs/bin/bos create &lt;server name&gt; buserver simple /usr/afs/bin/buserver -cell &lt;cell name&gt; -noauth</i>
383 # <i>/usr/afs/bin/bos create &lt;server name&gt; ptserver simple /usr/afs/bin/ptserver -cell &lt;cell name&gt; -noauth</i>
384 # <i>/usr/afs/bin/bos create &lt;server name&gt; vlserver simple /usr/afs/bin/vlserver -cell &lt;cell name&gt; -noauth</i>
385 </pre>
386
387 <p>
388 You can verify that all servers are running with the <c>bos status</c> command:
389 </p>
390
391 <pre caption="Check if all the servers are running">
392 # <i>/usr/afs/bin/bos status &lt;server name&gt; -noauth</i>
393 Instance kaserver, currently running normally.
394 Instance buserver, currently running normally.
395 Instance ptserver, currently running normally.
396 Instance vlserver, currently running normally.
397 </pre>
398
399 </body>
400 </section>
401 <section>
402 <title>Initializing Cell Security</title>
403 <body>
404
405 <p>
406 Now we'll initialize the cell's security mechanisms. We'll begin by creating
407 the following two initial entries in the Authentication Database: The main
408 administrative account, called <b>admin</b> by convention and an entry for
409 the AFS server processes, called <c>afs</c>. No user logs in under the
410 identity <b>afs</b>, but the Authentication Server's Ticket Granting
411 Service (TGS) module uses the account to encrypt the server tickets that
412 it grants to AFS clients. This sounds pretty much like Kerberos :)
413 </p>
414
415 <p>
416 Enter <c>kas</c> interactive mode
417 </p>
418
419 <pre caption="Entering the interactive mode">
420 # <i>/usr/afs/bin/kas -cell &lt;cell name&gt; -noauth</i>
421 ka&gt; <i>create afs</i>
422 initial_password:
423 Verifying, please re-enter initial_password:
424 ka&gt; <i>create admin</i>
425 initial_password:
426 Verifying, please re-enter initial_password:
427 ka&gt; <i>examine afs</i>
428
429 User data for afs
430 key (0) cksum is 2651715259, last cpw: Mon Jun 4 20:49:30 2001
431 password will never expire.
432 An unlimited number of unsuccessful authentications is permitted.
433 entry never expires. Max ticket lifetime 100.00 hours.
434 last mod on Mon Jun 4 20:49:30 2001 by $lt;none&gt;
435 permit password reuse
436 ka&gt; <i>setfields admin -flags admin</i>
437 ka&gt; <i>examine admin</i>
438
439 User data for admin (ADMIN)
440 key (0) cksum is 2651715259, last cpw: Mon Jun 4 20:49:59 2001
441 password will never expire.
442 An unlimited number of unsuccessful authentications is permitted.
443 entry never expires. Max ticket lifetime 25.00 hours.
444 last mod on Mon Jun 4 20:51:10 2001 by $lt;none&gt;
445 permit password reuse
446 ka&gt;
447 </pre>
448
449 <p>
450 Run the <c>bos adduser</c> command, to add the <b>admin</b> user to
451 the <path>/usr/afs/etc/UserList</path>.
452 </p>
453
454 <pre caption="Add the admin user to the UserList">
455 # <i>/usr/afs/bin/bos adduser &lt;server name&gt; admin -cell &lt;cell name&gt; -noauth</i>
456 </pre>
457
458 <p>
459 Issue the <c>bos addkey</c> command to define the AFS Server
460 encryption key in <path>/usr/afs/etc/KeyFile</path>.
461 </p>
462
463 <note>
464 If asked for the input key, give the password you entered when creating
465 the AFS entry with <c>kas</c>
466 </note>
467
468 <pre caption="Entering the password">
469 # <i>/usr/afs/bin/bos addkey &lt;server name&gt; -kvno 0 -cell &lt;cell name&gt; -noauth</i>
470 input key:
471 Retype input key:
472 </pre>
473
474 <p>
475 Issue the <c>pts createuser</c> command to create a Protection Database entry
476 for the admin user.
477 </p>
478
479 <note>
480 By default, the Protection Server assigns AFS UID 1 to the <b>admin</b> user,
481 because it is the first user entry you are creating. If the local password file
482 (<path>/etc/passwd</path> or equivalent) already has an entry for <b>admin</b>
483 that assigns a different UID use the <c>-id</c> argument to create matching
484 UIDs.
485 </note>
486
487 <pre caption="Create a Protection Database entry for the database user">
488 # <i>/usr/afs/bin/pts createuser -name admin -cell &lt;cell name&gt; [-id &lt;AFS UID&gt;] -noauth</i>
489 </pre>
490
491 <p>
492 Issue the <c>pts adduser</c> command to make the <b>admin</b> user a member
493 of the system:administrators group, and the <c>pts membership</c> command to
494 verify the new membership
495 </p>
496
497 <pre caption="Make admin a member of the administrators group and verify">
498 # <i>/usr/afs/bin/pts adduser admin system:administrators -cell &lt;cell name&gt; -noauth</i>
499 # <i>/usr/afs/bin/pts membership admin -cell &lt;cell name&gt; -noauth</i>
500 Groups admin (id: 1) is a member of:
501 system:administrators
502 </pre>
503
504 <p>
505 Restart all AFS Server processes
506 </p>
507
508 <pre caption="Restart all AFS server processes">
509 # <i>/usr/afs/bin/bos restart &lt;server name&gt; -all -cell &lt;cell name&gt; -noauth</i>
510 </pre>
511
512 </body>
513 </section>
514 <section>
515 <title>Starting the File Server, Volume Server and Salvager</title>
516 <body>
517
518 <p>
519 Start the <c>fs</c> process, which consists of the
520 File Server,
521 Volume Server and Salvager (fileserver,
522 volserver and salvager processes).
523 </p>
524
525 <pre caption="Start the fs process">
526 # <i>/usr/afs/bin/bos create &lt;server name&gt; fs fs /usr/afs/bin/fileserver /usr/afs/bin/volserver /usr/afs/bin/salvager -cell &lt;cell name&gt; -noauth</i>
527 </pre>
528
529 <p>
530 Verify that all processes are running
531 </p>
532
533 <pre caption="Check if all processes are running">
534 # <i>/usr/afs/bin/bos status &lt;server name&gt; -long -noauth</i>
535 Instance kaserver, (type is simple) currently running normally.
536 Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
537 Last exit at Mon Jun 4 21:07:17 2001
538 Command 1 is '/usr/afs/bin/kaserver'
539
540 Instance buserver, (type is simple) currently running normally.
541 Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
542 Last exit at Mon Jun 4 21:07:17 2001
543 Command 1 is '/usr/afs/bin/buserver'
544
545 Instance ptserver, (type is simple) currently running normally.
546 Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
547 Last exit at Mon Jun 4 21:07:17 2001
548 Command 1 is '/usr/afs/bin/ptserver'
549
550 Instance vlserver, (type is simple) currently running normally.
551 Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
552 Last exit at Mon Jun 4 21:07:17 2001
553 Command 1 is '/usr/afs/bin/vlserver'
554
555 Instance fs, (type is fs) currently running normally.
556 Auxiliary status is: file server running.
557 Process last started at Mon Jun 4 21:09:30 2001 (2 proc starts)
558 Command 1 is '/usr/afs/bin/fileserver'
559 Command 2 is '/usr/afs/bin/volserver'
560 Command 3 is '/usr/afs/bin/salvager'
561 </pre>
562
563 <p>
564 Your next action depends on whether you have ever run AFS file server machines
565 in the cell.
566 </p>
567
568 <p>
569 If you are installing the first AFS Server ever in the cell create the
570 first AFS volume, <b>root.afs</b>
571 </p>
572
573 <note>
574 For the partition name argument, substitute the name of one of the machine's
575 AFS Server partitions. By convention
576 these partitions are named <path>/vicepx</path>, where x is in the range of a-z.
577 </note>
578
579 <pre caption="Create the root.afs volume">
580 # <i>/usr/afs/bin/vos create &lt;server name&gt; &lt;partition name&gt; root.afs -cell &lt;cell name&gt; -noauth</i>
581 </pre>
582
583 <p>
584 If there are existing AFS file server machines and volumes in the cell
585 issue the <c>vos sncvldb</c> and <c>vos syncserv</c> commands to synchronize
586 the VLDB (Volume Location Database) with the actual state of volumes on the
587 local machine. This will copy all necessary data to your new server.
588 </p>
589
590 <p>
591 If the command fails with the message "partition /vicepa does not exist on
592 the server", ensure that the partition is mounted before running OpenAFS
593 servers, or mount the directory and restart the processes using
594 <c>/usr/afs/bin/bos restart &lt;server name&gt; -all -cell &lt;cell
595 name&gt; -noauth</c>.
596 </p>
597
598 <pre caption="Synchronise the VLDB">
599 # <i>/usr/afs/bin/vos syncvldb &lt;server name&gt; -cell &lt;cell name&gt; -verbose -noauth</i>
600 # <i>/usr/afs/bin/vos syncserv &lt;server name&gt; -cell &lt;cell name&gt; -verbose -noauth</i>
601 </pre>
602
603 </body>
604 </section>
605 <section>
606 <title>Starting the Server Portion of the Update Server</title>
607 <body>
608
609 <pre caption="Start the update server">
610 # <i>/usr/afs/bin/bos create &lt;server name&gt;
611 upserver simple "/usr/afs/bin/upserver
612 -crypt /usr/afs/etc -clear /usr/afs/bin"
613 -cell &lt;cell name&gt; -noauth</i>
614 </pre>
615
616 </body>
617 </section>
618 <section>
619 <title>Configuring the Top Level of the AFS filespace</title>
620 <body>
621
622 <p>
623 First you need to set some ACLs, so that any user can lookup
624 <path>/afs</path>.
625 </p>
626
627 <pre caption="Set access control lists">
628 # <i>/usr/afs/bin/fs setacl /afs system:anyuser rl</i>
629 </pre>
630
631 <p>
632 Then you need to create the root volume, mount it readonly on
633 <path>/afs/&lt;cell name&gt;</path> and read/write on <path>/afs/.&lt;cell
634 name&gt;</path>.
635 </p>
636
637 <pre caption="Prepare the root volume">
638 # <i>/usr/afs/bin/vos create &lt;server name&gt;&lt;partition name&gt; root.cell</i>
639 # <i>/usr/afs/bin/fs mkmount /afs/&lt;cell name&gt; root.cell </i>
640 # <i>/usr/afs/bin/fs setacl /afs/&lt;cell name&gt; system:anyuser rl</i>
641 # <i>/usr/afs/bin/fs mkmount /afs/.&lt;cell name&gt; root.cell -rw</i>
642 </pre>
643
644 <p>
645 Finally you're done!!! You should now have a working AFS file server
646 on your local network. Time to get a big
647 cup of coffee and print out the AFS documentation!!!
648 </p>
649
650 <note>
651 It is very important for the AFS server to function properly, that all system
652 clocks are synchronized. This is best accomplished by installing a ntp server
653 on one machine (e.g. the AFS server) and synchronize all client clocks
654 with the ntp client. This can also be done by the AFS client.
655 </note>

</body>
</section>
</chapter>

<chapter>
<title>Basic Administration</title>
<section>
<title>Disclaimer</title>
<body>

<p>
OpenAFS is an extensive technology. Please read the AFS documentation for more
information. We only list a few administrative tasks in this chapter.
</p>

</body>
</section>
<section>
<title>Configuring PAM to Acquire an AFS Token on Login</title>
<body>

<p>
To use AFS you need to authenticate against the KA Server if you use the AFS
Kerberos 4 implementation, or against a Kerberos 5 KDC if you use MIT,
Heimdal, or Shishi Kerberos 5. However, in order to log in to a machine you
will also need a user account; this can be local in <path>/etc/passwd</path>,
NIS, LDAP (OpenLDAP), or a Hesiod database. PAM allows Gentoo to tie the
authentication against AFS to the login to the user account.
</p>

<p>
You will need to update <path>/etc/pam.d/system-auth</path>, which is included
by the other PAM service configurations. <c>use_first_pass</c> makes
<c>pam_afs</c> reuse the password the user already typed for <c>pam_unix</c>
instead of prompting again, and <c>ignore_root</c> stops the local superuser
from being checked against AFS, so that root can still log in if AFS or the
network fails.
</p>

<note>
With <c>pam_unix.so</c> marked <c>sufficient</c> ahead of <c>pam_afs</c>, a
user whose local password is accepted never reaches <c>pam_afs</c> and logs in
without an AFS token. If you want a token on every login, list
<c>pam_afs.so.1</c> before <c>pam_unix.so</c> and give <c>pam_unix.so</c> the
<c>use_first_pass</c> option instead.
</note>

<pre caption="/etc/pam.d/system-auth">
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_afs.so.1 use_first_pass ignore_root
auth required pam_deny.so

account required pam_unix.so

password required pam_cracklib.so retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
</pre>

<p>
In order for <c>su</c> to keep the real user's token and to prevent local
users gaining AFS access, change <path>/etc/pam.d/su</path> as follows:
</p>

<pre caption="/etc/pam.d/su">
<comment># Here, users with uid &gt; 100 are considered to belong to AFS and users with
# uid &lt;= 100 are ignored by pam_afs.</comment>
auth sufficient /usr/afsws/lib/pam_afs.so.1 ignore_uid 100

auth sufficient /lib/security/pam_rootok.so

<comment># If you want to restrict users being allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth required /lib/security/pam_listfile.so item=ruser \
# sense=allow onerr=fail file=/etc/security/suauth.allow

# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth sufficient /lib/security/pam_wheel.so use_uid trust

# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth sufficient /lib/security/pam_listfile.so item=ruser \
# sense=allow onerr=fail file=/etc/security/suauth.nopass

# Comment this to allow any user, even those not in the 'wheel'
# group to su</comment>
auth required /lib/security/pam_wheel.so use_uid

auth required /lib/security/pam_stack.so service=system-auth

account required /lib/security/pam_stack.so service=system-auth

password required /lib/security/pam_stack.so service=system-auth

session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so

<comment># Here we prevent the real user id's token from being dropped</comment>
session optional /usr/afsws/lib/pam_afs.so.1 no_unlog
</pre>
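<p>
An added example, not part of this guide: a small linter for the <c>auth</c>
stack of a PAM service file that flags the ordering problem described above.
PAM stops at the first <c>sufficient</c> module that succeeds, so when
<c>pam_unix.so</c> is <c>sufficient</c> and listed before <c>pam_afs</c>, a
user with a valid local password never obtains an AFS token. The two sample
stacks are constructed from the <path>system-auth</path> file above (the
guide's ordering and the corrected ordering); the temporary file paths are the
script's own.
</p>

```shell
#!/bin/sh
# Added example, not part of the Gentoo guide: lint the auth stack of a PAM
# service file. PAM ends the stack at the first 'sufficient' module that
# succeeds, so a sufficient pam_unix listed before pam_afs means users with a
# valid local password log in without an AFS token. Sample stacks below are
# constructed from the guide's system-auth; the temp paths are not from it.

# Examine the 'auth' lines of PAM file $1 in order.
# Returns 0 when pam_afs is reachable (no earlier 'sufficient' module can end
# the stack), 1 when a sufficient module precedes it, 2 when pam_afs is absent.
check_afs_auth_order() {
    file=$1
    earlier=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '#'*|'') continue ;;
        esac
        set -- $line
        [ "$1" = auth ] || continue
        case $3 in
            *pam_afs.so*)
                if [ -n "$earlier" ]; then
                    echo "$file: $earlier is 'sufficient' before $3; no AFS token when it succeeds"
                    return 1
                fi
                return 0 ;;
        esac
        if [ "$2" = sufficient ] && [ -z "$earlier" ]; then
            earlier=$3
        fi
    done < "$file"
    echo "$file: no pam_afs line in the auth stack"
    return 2
}

# Constructed samples: the guide's ordering and the corrected ordering.
# Returns 0 only if the guide's stack is flagged and the corrected one passes.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'auth required pam_env.so' \
        'auth sufficient pam_unix.so likeauth nullok' \
        'auth sufficient pam_afs.so.1 use_first_pass ignore_root' \
        'auth required pam_deny.so' > "$dir/guide"
    printf '%s\n' \
        'auth required pam_env.so' \
        'auth sufficient pam_afs.so.1 ignore_root' \
        'auth sufficient pam_unix.so likeauth nullok use_first_pass' \
        'auth required pam_deny.so' > "$dir/fixed"
    check_afs_auth_order "$dir/guide"
    guide_rc=$?
    check_afs_auth_order "$dir/fixed"
    fixed_rc=$?
    rm -rf "$dir"
    [ "$guide_rc" -eq 1 ] && [ "$fixed_rc" -eq 0 ]
}

demo && echo "pam_afs ordering check behaves as expected"
```

<p>
Run <c>check_afs_auth_order /etc/pam.d/system-auth</c> after editing the file;
it reads only the <c>auth</c> lines and ignores comments, and it does not
follow <c>pam_stack</c> includes, so point it at the file that actually holds
the stack.
</p>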

</body>
</section>
</chapter>
</guide>
