<?xml version='1.0' encoding="UTF-8"?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/openafs.xml,v 1.21 2005/10/29 20:20:57 so Exp $ -->

<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link="/doc/en/openafs.xml">
<title>Gentoo Linux OpenAFS Guide</title>
<author title="Editor">
  <mail link="darks@gentoo.org">Holger Brueckner</mail>
</author>
<author title="Editor">
  <mail link="bennyc@gentoo.org">Benny Chuang</mail>
</author>
<author title="Editor">
  <mail link="blubber@gentoo.org">Tiemo Kieft</mail>
</author>
<author title="Editor">
  <mail link="fnjordy@gmail.com">Steven McCoy</mail>
</author>

<abstract>
This guide shows you how to install an OpenAFS server and client on Gentoo
Linux.
</abstract>

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
<license/>

<version>1.0</version>
<date>2005-10-29</date>

<chapter>
<title>Overview</title>
<section>
<title>About this Document</title>
<body>

<p>
This document provides you with all necessary steps to install an OpenAFS
server on Gentoo Linux. Parts of this document are taken from the AFS FAQ and
IBM's Quick Beginnings guide on AFS. Well, never reinvent the wheel. :)
</p>

</body>
</section>
<section>
<title>What is AFS?</title>
<body>

<p>
AFS is a distributed filesystem that enables co-operating hosts
(clients and servers) to efficiently share filesystem resources
across both local area and wide area networks. Clients hold a
cache of frequently used objects (files) to get quicker
access to them.
</p>

<p>
AFS is based on a distributed file system originally developed
at the Information Technology Center at Carnegie-Mellon University
that was called the "Andrew File System". "Andrew" was the name of the
research project at CMU, honouring the founders of the University. Once
Transarc was formed and AFS became a product, the "Andrew" was dropped to
indicate that AFS had gone beyond the Andrew research project and had become
a supported, product quality filesystem. However, there were a number of
existing cells that rooted their filesystem as /afs. At the time, changing
the root of the filesystem was a non-trivial undertaking. So, to save the
early AFS sites from having to rename their filesystem, AFS remained as the
name and filesystem root.
</p>

</body>
</section>
<section>
<title>What is an AFS cell?</title>
<body>

<p>
An AFS cell is a collection of servers grouped together administratively and
presenting a single, cohesive filesystem. Typically, an AFS cell is a set of
hosts that use the same Internet domain name (for example, gentoo.org). Users
log into AFS client workstations, which request information and files from the
cell's servers on behalf of the users. Users do not need to know on which server
a file they are accessing is located. They will not even notice if a server
is moved to another room, since every volume can be replicated and
moved to another server without any user noticing. The files are always
accessible. Well, it's like NFS on steroids. :)
</p>

</body>
</section>
<section>
<title>What are the benefits of using AFS?</title>
<body>

<p>
The main strengths of AFS are its
caching facility (on the client side, typically 100 MB to 1 GB),
its security features (Kerberos 4 based authentication, with Kerberos 5 as
an alternative, and per-directory access control lists),
its simplicity of addressing (you just have one filesystem),
its scalability (add further servers to your cell as needed),
and its communications protocol.
</p>

</body>
</section>
<section>
<title>Where can I get more information?</title>
<body>

<p>
Read the <uri link="http://www.angelfire.com/hi/plutonic/afs-faq.html">AFS
FAQ</uri>.
</p>

<p>
The OpenAFS main page is at <uri
link="http://www.openafs.org">www.openafs.org</uri>.
</p>

<p>
AFS was originally developed by Transarc, which is now owned by IBM.
You can find some information about AFS on
<uri link="http://www.transarc.ibm.com/Product/EFS/AFS/index.html">Transarc's
Webpage</uri>.
</p>

</body>
</section>
<section>
<title>How Can I Debug Problems?</title>
<body>

<p>
OpenAFS has extensive logging facilities. However, by default the server
processes write to their own log files instead of through the system logging
facilities you have on your system. To have the servers log through your
system logger, pass the <c>-syslog</c> option to the server processes
(<c>bosserver</c> itself and the processes you start through <c>bos
create</c>).
</p>

</body>
</section>
</chapter>

<chapter>
<title>Documentation</title>
<section>
<title>Getting AFS Documentation</title>
<body>

<p>
You can get the original IBM AFS documentation. It is very well written and you
really want to read it if it is up to you to administer an AFS server.
</p>

<pre caption="Installing afsdoc">
# <i>emerge app-doc/afsdoc</i>
</pre>

</body>
</section>
</chapter>

<chapter>
<title>Client Installation</title>
<section>
<title>Preliminary Work</title>
<body>

<note>
All commands should be entered on one line. In this document they are
sometimes wrapped onto two lines to make them easier to read.
</note>

<note>
Unfortunately the AFS client needs an ext2 partition for its cache to run
correctly, because there are locking issues with reiserfs. Create an
ext2 partition of approximately 200 MB (more won't hurt) and mount it on
<path>/usr/vice/cache</path>.
</note>

<p>
You should adjust the two files <path>CellServDB</path> and
<path>ThisCell</path> before you build the AFS client. (These files are in
<path>/usr/portage/net-fs/openafs/files</path>.)
</p>

<pre caption="Adjusting CellServDB and ThisCell">
CellServDB:
>netlabs        #Cell name
10.0.0.1        #storage

ThisCell:
netlabs
</pre>

<warn>
Only use spaces inside the <path>CellServDB</path> file. The client will most
likely fail if you use TABs.
</warn>

<p>
<path>CellServDB</path> tells your client which server(s) it needs to contact
for a specific cell; the client trusts whatever servers are listed there, so
keep the file writable by root only. <path>ThisCell</path> names the cell this
machine belongs to. Normally you use a name which is unique for your
organisation. Your (official) domain is a good choice.
</p>
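<p>
As an added example (not part of the original guide or of OpenAFS), the
following POSIX shell function checks a <path>CellServDB</path> file for the
mistakes described above before the client is built: tab characters, cell
names that break the naming rules given in the server chapter (uppercase
letters, more than 64 characters), and server lines that are not dotted-quad
IPv4 addresses. The two sample files it creates are constructed for the
demonstration; the function name and message texts are the author's own.
</p>

```shell
#!/bin/sh
# check_cellservdb FILE
# Prints one "FILE:LINE: message" per problem found and exits 1 if there
# was any; exits 0 silently for a clean file. Added example, not OpenAFS code.
check_cellservdb() {
    awk '
    function fail(msg) { print FILENAME ":" NR ": " msg; bad = 1 }
    # The client tokenises on spaces; a tab anywhere is the classic mistake.
    index($0, "\t") > 0 { fail("tab character; CellServDB must use spaces only") }
    NF == 0 { next }
    # ">cellname   #comment" starts a new cell block.
    $1 ~ /^>/ {
        if (incell) if (servers == 0) fail("cell " cell " has no server lines")
        cell = substr($1, 2)
        if (cell == "")              fail("empty cell name")
        if (cell != tolower(cell))   fail("cell name " cell " contains uppercase letters")
        if (length(cell) > 64)       fail("cell name " cell " is longer than 64 characters")
        incell = 1; servers = 0
        next
    }
    # Every other non-blank line is "ip.ad.dr.ess   #hostname".
    {
        if (incell == 0) { fail("server line before any >cell line"); next }
        ip = $1
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
            fail("not a dotted-quad IPv4 address: " ip)
        } else {
            split(ip, o, ".")
            for (i = 4; i > 0; i--) if (o[i] + 0 > 255) fail("octet out of range: " ip)
        }
        servers++
    }
    END {
        if (incell) if (servers == 0) fail("cell " cell " has no server lines")
        exit bad
    }' "$1"
}

# Constructed sample files (not from the original guide) to exercise the check:
# the first mirrors the guide's example with spaces, the second uses tabs, an
# uppercase cell name and an impossible octet.
SAMPLE_OK=$(mktemp)
SAMPLE_BAD=$(mktemp)
printf '>netlabs        #Cell name\n10.0.0.1        #storage\n' > "$SAMPLE_OK"
printf '>NetLabs\t#Cell name\n10.0.0.300\t#storage\n' > "$SAMPLE_BAD"

if check_cellservdb "$SAMPLE_OK"; then echo "$SAMPLE_OK: ok"; fi
check_cellservdb "$SAMPLE_BAD" || echo "$SAMPLE_BAD: rejected"
```

<p>
Run it against <path>/usr/vice/etc/CellServDB</path> (or the copy in the
portage files directory) before emerging the client; a non-zero exit status
means the file would most likely make the client fail at startup.
</p>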

</body>
</section>
<section>
<title>Building the Client</title>
<body>

<pre caption="Installing openafs">
# <i>emerge net-fs/openafs</i>
</pre>

<p>
After successful compilation you're ready to go.
</p>

</body>
</section>
<section>
<title>Starting AFS on startup</title>
<body>

<p>
The following command will create the appropriate links to start your AFS
client on system startup.
</p>

<warn>
You should always have a running AFS server in your domain when trying to
start the AFS client. If your AFS server is down, your system won't finish
booting until the client gives up after a timeout (and this is quite a long
time).
</warn>

<pre caption="Adding AFS to the default runlevel">
# <i>rc-update add afs default</i>
</pre>

</body>
</section>
</chapter>

<chapter>
<title>Server Installation</title>
<section>
<title>Building the Server</title>
<body>

<p>
The following command will install all necessary binaries for setting up an AFS
server <e>and</e> client.
</p>

<pre caption="Installing openafs">
# <i>emerge net-fs/openafs</i>
</pre>

</body>
</section>
<section>
<title>Starting AFS Server</title>
<body>

<p>
You need to remove the sample <path>CellServDB</path> and <path>ThisCell</path>
files first.
</p>

<pre caption="Remove sample files">
# <i>rm /usr/vice/etc/ThisCell</i>
# <i>rm /usr/vice/etc/CellServDB</i>
</pre>

<p>
Next you will run the <c>bosserver</c> command to initialize the Basic OverSeer
(BOS) Server, which monitors and controls the other AFS server processes on its
server machine. Think of it as <c>init</c> for the system. Include the
<c>-noauth</c> flag to disable authorization checking, since you haven't added
the admin user yet.
</p>

<warn>
Disabling authorization checking gravely compromises cell security: while the
BOS Server runs with <c>-noauth</c> it treats every request as authorized, so
anyone who can reach it over the network can issue privileged commands. You
must complete all subsequent steps in one uninterrupted pass and must not leave
the machine unattended until you restart the BOS Server with authorization
checking enabled. Well, this is what the AFS documentation says. :)
</warn>

<pre caption="Initialize the Basic OverSeer Server">
# <i>/usr/afs/bin/bosserver -noauth &amp;</i>
</pre>

<p>
Verify that the BOS Server created <path>/usr/vice/etc/CellServDB</path>
and <path>/usr/vice/etc/ThisCell</path>.
</p>

<pre caption="Check if CellServDB and ThisCell are created">
# <i>ls -al /usr/vice/etc/</i>
-rw-r--r--    1 root     root           41 Jun  4 22:21 CellServDB
-rw-r--r--    1 root     root            7 Jun  4 22:21 ThisCell
</pre>

</body>
</section>
<section>
<title>Defining Cell Name and Membership for Server Process</title>
<body>

<p>
Now assign your cell's name.
</p>

<impo>
There are some restrictions on the name format. Two of the most important
restrictions are that the name cannot include uppercase letters or more than
64 characters. Remember that your cell name will show up under
<path>/afs</path>, so you might want to choose a short one.
</impo>

<note>
In the following and every instruction in this guide, for the <c>&lt;server
name&gt;</c> argument substitute the fully-qualified hostname (such as
<b>afs.gentoo.org</b>) of the machine you are installing. For the <c>&lt;cell
name&gt;</c> argument substitute your cell's complete name (such as
<b>gentoo</b>).
</note>

<p>
Run the <c>bos setcellname</c> command to set the cell name:
</p>

<pre caption="Set the cell name">
# <i>/usr/afs/bin/bos setcellname &lt;server name&gt; &lt;cell name&gt; -noauth</i>
</pre>

</body>
</section>
<section>
<title>Starting the Database Server Process</title>
<body>

<p>
Next use the <c>bos create</c> command to create entries for the four database
server processes in the <path>/usr/afs/local/BosConfig</path> file. The four
processes run on database server machines only.
</p>

<table>
<tr>
  <ti>kaserver</ti>
  <ti>
    The Authentication Server maintains the Authentication Database. It
    implements the Kerberos 4 protocol, which is obsolete; it can be replaced
    by a Kerberos 5 KDC, and that is the better choice for a new cell. If
    anybody wants to try that, feel free to update this document. :)
  </ti>
</tr>
<tr>
  <ti>buserver</ti>
  <ti>The Backup Server maintains the Backup Database</ti>
</tr>
<tr>
  <ti>ptserver</ti>
  <ti>The Protection Server maintains the Protection Database</ti>
</tr>
<tr>
  <ti>vlserver</ti>
  <ti>
    The Volume Location Server maintains the Volume Location Database (VLDB),
    which records on which server and partition every volume lives. Without it
    clients cannot find any volume.
  </ti>
</tr>
</table>

<pre caption="Create entries for the database processes">
# <i>/usr/afs/bin/bos create &lt;server name&gt; kaserver simple /usr/afs/bin/kaserver -cell &lt;cell name&gt; -noauth</i>
# <i>/usr/afs/bin/bos create &lt;server name&gt; buserver simple /usr/afs/bin/buserver -cell &lt;cell name&gt; -noauth</i>
# <i>/usr/afs/bin/bos create &lt;server name&gt; ptserver simple /usr/afs/bin/ptserver -cell &lt;cell name&gt; -noauth</i>
# <i>/usr/afs/bin/bos create &lt;server name&gt; vlserver simple /usr/afs/bin/vlserver -cell &lt;cell name&gt; -noauth</i>
</pre>

<p>
You can verify that all servers are running with the <c>bos status</c> command:
</p>

<pre caption="Check if all the servers are running">
# <i>/usr/afs/bin/bos status &lt;server name&gt; -noauth</i>
Instance kaserver, currently running normally.
Instance buserver, currently running normally.
Instance ptserver, currently running normally.
Instance vlserver, currently running normally.
</pre>

</body>
</section>
<section>
<title>Initializing Cell Security</title>
<body>

<p>
Now we'll initialize the cell's security mechanisms. We'll begin by creating
the following two initial entries in the Authentication Database: the main
administrative account, called <b>admin</b> by convention, and an entry for
the AFS server processes, called <b>afs</b>. No user logs in under the
identity <b>afs</b>, but the Authentication Server's Ticket Granting
Service (TGS) module uses the account's key to encrypt the server tickets that
it grants to AFS clients. This is the same role a service principal plays in
Kerberos, and the key is effectively the cell's master secret, so choose a
strong password for it.
</p>

<p>
Enter <c>kas</c> interactive mode:
</p>

<pre caption="Entering the interactive mode">
# <i>/usr/afs/bin/kas -cell &lt;cell name&gt; -noauth</i>
ka> <i>create afs</i>
initial_password:
Verifying, please re-enter initial_password:
ka> <i>create admin</i>
initial_password:
Verifying, please re-enter initial_password:
ka> <i>examine afs</i>

User data for afs
  key (0) cksum is 2651715259, last cpw: Mon Jun  4 20:49:30 2001
  password will never expire.
  An unlimited number of unsuccessful authentications is permitted.
  entry never expires.  Max ticket lifetime 100.00 hours.
  last mod on Mon Jun  4 20:49:30 2001 by &lt;none&gt;
  permit password reuse
ka> <i>setfields admin -flags admin</i>
ka> <i>examine admin</i>

User data for admin (ADMIN)
  key (0) cksum is 2651715259, last cpw: Mon Jun  4 20:49:59 2001
  password will never expire.
  An unlimited number of unsuccessful authentications is permitted.
  entry never expires.  Max ticket lifetime 25.00 hours.
  last mod on Mon Jun  4 20:51:10 2001 by &lt;none&gt;
  permit password reuse
ka>
</pre>

<p>
Run the <c>bos adduser</c> command to add the <b>admin</b> user to
<path>/usr/afs/etc/UserList</path>.
</p>

<pre caption="Add the admin user to the UserList">
# <i>/usr/afs/bin/bos adduser &lt;server name&gt; admin -cell &lt;cell name&gt; -noauth</i>
</pre>

<p>
Issue the <c>bos addkey</c> command to define the AFS server
encryption key in <path>/usr/afs/etc/KeyFile</path>.
</p>

<note>
When asked for the input key, give the password you entered when creating
the <b>afs</b> entry with <c>kas</c>. The key stored in <path>KeyFile</path>
must match the <b>afs</b> entry in the Authentication Database, otherwise the
servers cannot decrypt the tickets that clients present.
</note>

<pre caption="Entering the password">
# <i>/usr/afs/bin/bos addkey &lt;server name&gt; -kvno 0 -cell &lt;cell name&gt; -noauth</i>
input key:
Retype input key:
</pre>

<p>
Issue the <c>pts createuser</c> command to create a Protection Database entry
for the admin user.
</p>

<note>
By default, the Protection Server assigns AFS UID 1 to the <b>admin</b> user,
because it is the first user entry you are creating. If the local password file
(<path>/etc/passwd</path> or equivalent) already has an entry for <b>admin</b>
that assigns a different UID, use the <c>-id</c> argument to create matching
UIDs.
</note>

<pre caption="Create a Protection Database entry for the admin user">
# <i>/usr/afs/bin/pts createuser -name admin -cell &lt;cell name&gt; [-id &lt;AFS UID&gt;] -noauth</i>
</pre>

<p>
Issue the <c>pts adduser</c> command to make the <b>admin</b> user a member
of the <b>system:administrators</b> group, and the <c>pts membership</c>
command to verify the new membership.
</p>

<pre caption="Make admin a member of the administrators group and verify">
# <i>/usr/afs/bin/pts adduser admin system:administrators -cell &lt;cell name&gt; -noauth</i>
# <i>/usr/afs/bin/pts membership admin -cell &lt;cell name&gt; -noauth</i>
Groups admin (id: 1) is a member of:
  system:administrators
</pre>

<p>
Restart all AFS server processes so that they pick up the new key and
<path>UserList</path>.
</p>

<pre caption="Restart all AFS server processes">
# <i>/usr/afs/bin/bos restart &lt;server name&gt; -all -cell &lt;cell name&gt; -noauth</i>
</pre>

</body>
</section>
<section>
<title>Starting the File Server, Volume Server and Salvager</title>
<body>

<p>
Start the <c>fs</c> process, which consists of the File Server, Volume Server
and Salvager (the <c>fileserver</c>, <c>volserver</c> and <c>salvager</c>
processes).
</p>

<pre caption="Start the fs process">
# <i>/usr/afs/bin/bos create &lt;server name&gt; fs fs /usr/afs/bin/fileserver /usr/afs/bin/volserver /usr/afs/bin/salvager -cell &lt;cell name&gt; -noauth</i>
</pre>

<p>
Verify that all processes are running:
</p>

<pre caption="Check if all processes are running">
# <i>/usr/afs/bin/bos status &lt;server name&gt; -long -noauth</i>
Instance kaserver, (type is simple) currently running normally.
    Process last started at Mon Jun  4 21:07:17 2001 (2 proc starts)
    Last exit at Mon Jun  4 21:07:17 2001
    Command 1 is '/usr/afs/bin/kaserver'

Instance buserver, (type is simple) currently running normally.
    Process last started at Mon Jun  4 21:07:17 2001 (2 proc starts)
    Last exit at Mon Jun  4 21:07:17 2001
    Command 1 is '/usr/afs/bin/buserver'

Instance ptserver, (type is simple) currently running normally.
    Process last started at Mon Jun  4 21:07:17 2001 (2 proc starts)
    Last exit at Mon Jun  4 21:07:17 2001
    Command 1 is '/usr/afs/bin/ptserver'

Instance vlserver, (type is simple) currently running normally.
    Process last started at Mon Jun  4 21:07:17 2001 (2 proc starts)
    Last exit at Mon Jun  4 21:07:17 2001
    Command 1 is '/usr/afs/bin/vlserver'

Instance fs, (type is fs) currently running normally.
    Auxiliary status is: file server running.
    Process last started at Mon Jun  4 21:09:30 2001 (2 proc starts)
    Command 1 is '/usr/afs/bin/fileserver'
    Command 2 is '/usr/afs/bin/volserver'
    Command 3 is '/usr/afs/bin/salvager'
</pre>

<p>
Your next action depends on whether you have ever run AFS file server machines
in the cell.
</p>

<p>
If you are installing the first AFS server ever in the cell, create the
first AFS volume, <b>root.afs</b>.
</p>

<note>
For the partition name argument, substitute the name of one of the machine's
AFS server partitions. By convention these partitions are named
<path>/vicepx</path>, where x is in the range a-z.
</note>

<pre caption="Create the root.afs volume">
# <i>/usr/afs/bin/vos create &lt;server name&gt; &lt;partition name&gt; root.afs -cell &lt;cell name&gt; -noauth</i>
</pre>

<p>
If there are existing AFS file server machines and volumes in the cell,
issue the <c>vos syncvldb</c> and <c>vos syncserv</c> commands to synchronize
the VLDB (Volume Location Database) with the actual state of volumes on the
local machine. These commands do not copy any volume data; they only reconcile
the VLDB records with the volumes the new server actually holds.
</p>

<p>
If the command fails with the message "partition /vicepa does not exist on
the server", ensure that the partition is mounted before running the OpenAFS
servers, or mount the directory and restart the processes using
<c>/usr/afs/bin/bos restart &lt;server name&gt; -all -cell &lt;cell
name&gt; -noauth</c>.
</p>

<pre caption="Synchronise the VLDB">
# <i>/usr/afs/bin/vos syncvldb &lt;server name&gt; -cell &lt;cell name&gt; -verbose -noauth</i>
# <i>/usr/afs/bin/vos syncserv &lt;server name&gt; -cell &lt;cell name&gt; -verbose -noauth</i>
</pre>

</body>
</section>
<section>
<title>Starting the Server Portion of the Update Server</title>
<body>

<p>
The Update Server distributes files from this machine to the other server
machines in the cell. <path>/usr/afs/etc</path> holds <path>KeyFile</path> and
<path>UserList</path> and is therefore distributed encrypted (<c>-crypt</c>);
<path>/usr/afs/bin</path> only holds binaries and may be sent in the clear
(<c>-clear</c>).
</p>

<pre caption="Start the update server">
# <i>/usr/afs/bin/bos create &lt;server name&gt; upserver simple "/usr/afs/bin/upserver -crypt /usr/afs/etc -clear /usr/afs/bin" -cell &lt;cell name&gt; -noauth</i>
</pre>

</body>
</section>
<section>
<title>Configuring the Top Level of the AFS filespace</title>
<body>

<p>
First you need to set some ACLs, so that any user can look up entries in
<path>/afs</path>. <b>system:anyuser</b> also covers unauthenticated users,
so <c>r</c> (read) and <c>l</c> (lookup) are the most it should normally be
granted.
</p>

<pre caption="Set access control lists">
# <i>/usr/afs/bin/fs setacl /afs system:anyuser rl</i>
</pre>

<p>
Then you need to create the root volume, mount it read-only on
<path>/afs/&lt;cell name&gt;</path> and read/write on <path>/afs/.&lt;cell
name&gt;</path>.
</p>

<pre caption="Prepare the root volume">
# <i>/usr/afs/bin/vos create &lt;server name&gt; &lt;partition name&gt; root.cell</i>
# <i>/usr/afs/bin/fs mkmount /afs/&lt;cell name&gt; root.cell</i>
# <i>/usr/afs/bin/fs setacl /afs/&lt;cell name&gt; system:anyuser rl</i>
# <i>/usr/afs/bin/fs mkmount /afs/.&lt;cell name&gt; root.cell -rw</i>
</pre>

<p>
Finally you're done! You should now have a working AFS file server
on your local network. Time to get a big cup of coffee and print out the AFS
documentation.
</p>
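<p>
Added example, not from the guide or from OpenAFS: an audit of <c>fs
listacl</c> output that flags every positive ACL entry granting
<b>system:anyuser</b> or <b>system:authuser</b> any right beyond <c>rl</c>
(that is, any of <c>i</c> insert, <c>d</c> delete, <c>w</c> write, <c>k</c>
lock or <c>a</c> administer). The sample listing is constructed to mimic the
<c>fs listacl</c> output format (an "Access list for ... is" header, a
"Normal rights:" block and an optional "Negative rights:" block) and is not
captured from a real cell; the function name is the author's own.
</p>

```shell
#!/bin/sh
# audit_acl: read "fs listacl" style output on stdin and print one line
# "PATH PRINCIPAL RIGHTS" for every normal (positive) entry that gives
# system:anyuser or system:authuser more than read+lookup. Negative rights
# are restrictions, not grants, so that block is skipped. Exit 1 if anything
# was printed, 0 otherwise. Added example, not OpenAFS code.
audit_acl() {
    awk '
    $1 == "Access"   { path = $4; neg = 0; next }   # "Access list for PATH is"
    $1 == "Normal"   { neg = 0; next }              # "Normal rights:"
    $1 == "Negative" { neg = 1; next }              # "Negative rights:"
    NF == 2 {                                       # "  principal rights"
        if (neg) next
        if ($1 == "system:anyuser" || $1 == "system:authuser") {
            if ($2 ~ /[idwka]/) { print path " " $1 " " $2; bad = 1 }
        }
    }
    END { exit bad }'
}

# Constructed sample in fs listacl format (not captured from a real cell):
# /afs/netlabs/public is world-writable, the other two directories are fine.
SAMPLE_LISTACL='Access list for /afs/netlabs is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
Access list for /afs/netlabs/public is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwk
Access list for /afs/netlabs/home/alice is
Normal rights:
  alice rlidwka
  system:authuser rl
Negative rights:
  system:anyuser rlidwka'

printf '%s\n' "$SAMPLE_LISTACL" | audit_acl || echo "over-permissive entries found"
```

<p>
On a live cell, feed it the real listing for the directories you care about
(<c>fs listacl</c> on each directory, piped into <c>audit_acl</c>); a non-zero
exit status means at least one directory can be modified or administered by
anyone who can reach the cell.
</p>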

<note>
For the AFS server to function properly, it is very important that all system
clocks are synchronized: tickets carry timestamps, so a skewed clock makes
authentication fail. This is best accomplished by installing an NTP server
on one machine (e.g. the AFS server) and synchronizing all client clocks
with the NTP client. This can also be done by the AFS client.
</note>

</body>
</section>
</chapter>

<chapter>
<title>Basic Administration</title>
<section>
<title>Disclaimer</title>
<body>

<p>
OpenAFS is an extensive technology. Please read the AFS documentation for more
information. We only list a few administrative tasks in this chapter.
</p>

</body>
</section>
<section>
<title>Configuring PAM to Acquire an AFS Token on Login</title>
<body>

<p>
To use AFS you need to authenticate against the KA Server if you are using
the AFS Kerberos 4 implementation, or against a Kerberos 5 KDC if you are using
MIT, Heimdal, or Shishi Kerberos 5. However, in order to log in to a
machine you will also need a user account; this can be local in
<path>/etc/passwd</path>, NIS, LDAP (OpenLDAP), or a Hesiod database.
PAM allows Gentoo to tie the authentication against AFS to the login to the
user account.
</p>

<p>
You will need to update <path>/etc/pam.d/system-auth</path>, which is
included by the other PAM service configurations. <c>use_first_pass</c> makes
<c>pam_afs</c> reuse the password the user already typed for <c>pam_unix</c>
instead of prompting a second time, and <c>ignore_root</c> stops the local
superuser from being checked against AFS, so that root can still log in if AFS
or the network fails. Note that because <c>pam_unix</c> is listed first and is
<c>sufficient</c>, a user with a valid local password is accepted by
<c>pam_unix</c> and <c>pam_afs</c> is never run, so no token is obtained;
users who should get a token at login must therefore have no usable local
password.
</p>

695 |
|
|
|
696 |
|
|
<pre caption="/etc/pam.d/system-auth"> |
697 |
so |
1.21 |
auth required pam_env.so |
698 |
|
|
auth sufficient pam_unix.so likeauth nullok |
699 |
|
|
auth sufficient pam_afs.so.1 use_first_pass ignore_root |
700 |
|
|
auth required pam_deny.so |
701 |
swift |
1.17 |
|
702 |
so |
1.21 |
account required pam_unix.so |
703 |
swift |
1.17 |
|
704 |
so |
1.21 |
password required pam_cracklib.so retry=3 |
705 |
|
|
password sufficient pam_unix.so nullok md5 shadow use_authtok |
706 |
|
|
password required pam_deny.so |
707 |
swift |
1.17 |
|
708 |
so |
1.21 |
session required pam_limits.so |
709 |
|
|
session required pam_unix.so |
710 |
swift |
1.17 |
</pre> |
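<p>
Added example, not from the guide or from OpenAFS: a shell function that lints
the <c>auth</c> stack of a PAM service file for the properties the
configuration above relies on. It reports a finding if the <c>pam_afs</c> line
lacks <c>ignore_root</c> or <c>use_first_pass</c>, if the stack does not end in
<c>required pam_deny.so</c> (so it would not fail closed), or if <c>pam_afs</c>
is missing altogether. It also prints a note, without failing, when a
<c>sufficient</c> <c>pam_unix</c> precedes <c>pam_afs</c>, because that order
only works if AFS users have no usable local password. Both sample files are
constructed for the demonstration; the function name and messages are the
author's own.
</p>

```shell
#!/bin/sh
# check_pam_auth FILE
# Inspects the "auth" lines of one PAM service file (comments and blank lines
# ignored). Findings and notes go to stdout; exit status is 1 if any finding
# was raised, 0 if there were only notes. Added example, not OpenAFS code.
check_pam_auth() {
    awk '
    function finding(msg) { print FILENAME ": " msg; bad = 1 }
    $1 ~ /^#/    { next }
    NF == 0      { next }
    $1 != "auth" { next }
    {
        n++; ctl[n] = $2; mod[n] = $3
        if ($3 ~ /pam_afs/) {
            afs = n
            if ($0 !~ /ignore_root/)    finding("pam_afs lacks ignore_root: root would be checked against AFS and could not log in while AFS or the network is down")
            if ($0 !~ /use_first_pass/) finding("pam_afs lacks use_first_pass: users are prompted for their password twice")
        }
        if ($3 ~ /pam_unix/) punix = n
    }
    END {
        if (n == 0) { finding("no auth lines found"); exit 1 }
        # Fail closed: the last auth entry must be a required pam_deny.
        if (ctl[n] != "required" || mod[n] !~ /pam_deny/)
            finding("auth stack does not end in required pam_deny.so, so it is not fail-closed")
        if (afs == 0) {
            finding("pam_afs is not in the auth stack: no AFS token is acquired at login")
        } else if (punix > 0) {
            if (afs > punix) if (ctl[punix] == "sufficient")
                print FILENAME ": note: pam_unix is sufficient and precedes pam_afs; a user with a valid local password is accepted by pam_unix and gets no AFS token"
        }
        exit bad
    }' "$1"
}

# Constructed sample files (not from a real system): the first reproduces the
# auth section of the system-auth above, the second drops the pam_afs options
# and the final pam_deny.
PAM_GOOD=$(mktemp)
PAM_BROKEN=$(mktemp)
printf 'auth required pam_env.so\nauth sufficient pam_unix.so likeauth nullok\nauth sufficient pam_afs.so.1 use_first_pass ignore_root\nauth required pam_deny.so\naccount required pam_unix.so\n' > "$PAM_GOOD"
printf '# broken on purpose\nauth required pam_env.so\nauth sufficient pam_afs.so.1\nauth sufficient pam_unix.so likeauth nullok\n' > "$PAM_BROKEN"

check_pam_auth "$PAM_GOOD"   || echo "$PAM_GOOD: findings"
check_pam_auth "$PAM_BROKEN" || echo "$PAM_BROKEN: findings"
```

<p>
Run it against <path>/etc/pam.d/system-auth</path> after editing; the
expected result for the configuration above is exit status 0 with only the
<c>pam_unix</c> ordering note.
</p>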

<p>
In order for <c>su</c> to keep the real user's token and to prevent local
users from gaining AFS access, change <path>/etc/pam.d/su</path> as follows:
</p>

<pre caption="/etc/pam.d/su">
<comment># Here, users with uid > 100 are considered to belong to AFS and users with
# uid &lt;= 100 are ignored by pam_afs.</comment>
auth       sufficient   /usr/afsws/lib/pam_afs.so.1 ignore_uid 100

auth       sufficient   /lib/security/pam_rootok.so

<comment># If you want to restrict the users allowed to su even more,
# create /etc/security/suauth.allow (or a file of your choice) that is only
# writable by root, and add the users that are allowed to su to that
# file, one per line.
#auth       required     /lib/security/pam_listfile.so item=ruser \
#                        sense=allow onerr=fail file=/etc/security/suauth.allow

# Uncomment this to allow users in the wheel group to su without
# entering a password.
#auth       sufficient   /lib/security/pam_wheel.so use_uid trust

# Alternatively to the above, you can implement a list of users that do
# not need to supply a password.
#auth       sufficient   /lib/security/pam_listfile.so item=ruser \
#                        sense=allow onerr=fail file=/etc/security/suauth.nopass

# Comment this out to allow any user, even those not in the 'wheel'
# group, to su</comment>
auth       required     /lib/security/pam_wheel.so use_uid

auth       required     /lib/security/pam_stack.so service=system-auth

account    required     /lib/security/pam_stack.so service=system-auth

password   required     /lib/security/pam_stack.so service=system-auth

session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_xauth.so

<comment># Here we prevent the real user id's token from being dropped</comment>
session    optional     /usr/afsws/lib/pam_afs.so.1 no_unlog
</pre>

</body>
</section>
</chapter>
</guide>