diff --git a/doc/xml/AdminGuide/auagd007.xml b/doc/xml/AdminGuide/auagd007.xml index 4ca5fa0ba8..5b8927ef17 100644 --- a/doc/xml/AdminGuide/auagd007.xml +++ b/doc/xml/AdminGuide/auagd007.xml @@ -122,7 +122,7 @@ - Passwords are stored in two separate places: the Authentication Database for AFS and each machine's local password + Passwords may be stored in two separate places: the Kerberos Server and, optionally, each machine's local password file (/etc/passwd or equivalent) for the UNIX file system. A user's passwords in the two places can differ if desired, though the resulting behavior depends on whether and how the cell is using an AFS-modified login utility. @@ -202,28 +202,6 @@ Only members of the system:administrators can issue this command on AFS files and directories. - - ftpd command - - AFS compared to UNIX - - - - commands - - ftpd (AFS compared to UNIX) - - - - - - The ftpd daemon - - - The AFS-modified version of this daemon attempts to authenticate remote issuers of the ftp command with the local AFS authentication service. See Using UNIX - Remote Services in the AFS Environment. - groups command @@ -243,11 +221,11 @@ If the user's AFS tokens are associated with a process authentication group (PAG), the output of this command - sometimes includes two large numbers. To learn about PAGs, see Identifying AFS Tokens by + can include one or two large numbers. To learn about PAGs, see Identifying AFS Tokens by PAG. - inetd command + login utility AFS compared to UNIX @@ -255,18 +233,9 @@ commands - inetd (AFS compared to UNIX) + login (AFS compared to UNIX) - - - - - The inetd daemon - - - The AFS-modified version of this daemon authenticates remote issuers of the AFS-modified rcp and rsh commands with the local AFS authentication - service. See Using UNIX Remote Services in the AFS Environment. + @@ -299,7 +268,7 @@ linkend="HDRWQ32">Creating Hard Links. - rcp command + sshd command AFS compared to UNIX 
@@ -307,20 +276,19 @@ commands - rcp (AFS compared to UNIX) + sshd (AFS compared to UNIX) - The rcp command + The sshd daemon - The AFS-modified version of this command enables the issuer to access files on the remote machine as an - authenticated AFS user. See Using UNIX Remote Services in the AFS Environment. + The OpenSSH project provides an sshd daemon that uses the GSSAPI protocol to pass Kerberos tickets between machines. - rlogind command + ssh command AFS compared to UNIX @@ -328,44 +296,10 @@ commands - rlogind (AFS compared to UNIX) + ssh (AFS compared to UNIX) - - - The rlogind daemon - - - The AFS-modified version of this daemon authenticates remote issuers of the rlogin command with the local AFS authentication service. See Using - UNIX Remote Services in the AFS Environment. - - The AFS distribution for some system types possibly does not include a modified rlogind program. See the OpenAFS Release Notes. - - - rsh command - - AFS compared to UNIX - - - - commands - - rsh (AFS compared to UNIX) - - - - - - The remsh or rsh command - - - The AFS-modified version of this command enables the issuer to execute commands on the remote machine as an - authenticated AFS user. See Using UNIX Remote Services in the AFS Environment. - - @@ -374,6 +308,14 @@ AFS compared to UNIX + + inode-based fileserver + + + + namei-based fileserver + + commands 
@@ -404,9 +346,23 @@ - The AFS version of the fsck Command + The AFS version of the fsck Command and inode-based fileservers - Never run the standard UNIX fsck command on an AFS file server machine. It does not + + The fileserver uses either of two formats for storing data + on disk. The inode format uses a combination of regular files and + extra fields stored in the inode data structures that are normally + reserved for use by the operating system. The namei interface uses + normal file storage and does not use special structures. The + choice of storage formats is chosen at compile time and the two + formats are incompatible. The storage format must be consistent + for the fileserver binaries and all vice partitions on a given + fileserver machine. + + + This section on fsck advice only applies to the inode-based fileserver binaries. On servers using namei-based binaries, the vendor-supplied fsck is required. + + If you are using AFS fileserver binaries compiled with the inode-based format, never run the standard UNIX fsck command on an AFS file server machine. It does not understand how the File Server organizes volume data on disk, and so moves all AFS data into the lost+found directory on the partition. 
@@ -425,9 +381,11 @@ where version is the AFS version. For correct results, it must match the AFS version of the server binaries in use on the machine. - If you ever accidentally run the standard version of the program, contact AFS Product Support immediately. It is - sometimes possible to recover volume data from the lost+found directory. + If you ever accidentally run the standard version of the program, contact your AFS support provider or refer to the OpenAFS support web page for support options. It is + sometimes possible to recover volume data from the lost+found directory. If the data is not recoverabled, then restoring from backup is recommended. + Running the fsck binary supplied by the operating system vendor on an fileserver using inode-based binaries will result in data corruption! + hard link @@ -514,7 +472,7 @@ Any file can be marked with the setuid bit, but only members of the system:administrators group can issue the chown system call or the - /etc/chown command. + chown command. The fs setcell command determines whether setuid programs that originate in a foreign cell can run on a given client machine. See Determining if a Client Can Run Setuid @@ -566,7 +524,7 @@ Internet site, then it is simplest to choose your Internet domain name as the cellname. If you are not an Internet site, it is best to choose a unique Internet-style name, particularly if you plan to connect to - the Internet in the future. AFS Product Support is available for help in selecting an appropriate name. There are a few + the Internet in the future. There are a few constraints on AFS cell names: It can contain as many as 64 characters, but shorter names are better because the cell name frequently is part of 
@@ -627,17 +585,16 @@ Internet - Network Information Center + Domain Registrar - Network Information Center (for Internet) + Domain Registrar - Other suffixes are available if none of these are appropriate. You can learn about suffixes by calling the Defense Data - Network [Internet] Network Information Center in the United States at (800) 235-3155. The NIC can also provide you with the - forms necessary for registering your cell name as an Internet domain name. Registering your name prevents another Internet site - from adopting the name later. + Other suffixes are available if none of these are + appropriate. Contact a domain registrar to purchase a domain name for + your cell. setting 
@@ -677,9 +634,9 @@ role="bold">/usr/afs/etc/ThisCell and /usr/afs/etc/CellServDB files. As described more explicitly in the OpenAFS Quick Beginnings, you set the cell name in both by issuing the bos setcellname command on the first file server machine you install in your cell. It is not usually - necessary to issue the command again. If you run the United States edition of AFS and use the Update Server, it distributes + necessary to issue the command again. If you use the Update Server, it distributes its copy of the ThisCell and CellServDB files to additional - server machines that you install. If you use the international edition of AFS, the OpenAFS Quick + server machines that you install. If you do not use the Update Server, the OpenAFS Quick Beginnings explains how to copy the files manually. For client machines, the two files that record the cell name are the ThisCell file on the local disk and then contact the database server machines listed in the CellServDB file for the indicated cell (the bos commands work differently because the issuer always has to name of the machine on which to run the command). - - The ThisCell file also determines the cell for which a user receives an AFS token when - he or she logs in to a machine. The cell name also plays a role in security. As it converts a user password into an encryption - key for storage in the Authentication Database, the Authentication Server combines the password with the cell name found in - the ThisCell file. AFS-modified login utilities use the same algorithm to convert the user's - password into an encryption key before contacting the Authentication Server to obtain a token for the user. (For a description - of how AFS's security system uses encryption keys, see A More Detailed Look at Mutual - Authentication.) - + The ThisCell file also determines the cell for which a +user receives an AFS token when + he or she logs in to a machine. 
This method of converting passwords into encryption keys means that the same password results in different keys in different cells. Even if a user uses the same password in multiple cells, obtaining a user's token from one cell does not enable unauthorized access to the user's account in another cell. @@ -2782,7 +2733,7 @@ - Passwords are stored in two separate places: in the Authentication Database for AFS and in the each machine's local + Passwords are stored in two separate places: in the Kerberos Database for AFS and in the each machine's local password file (the /etc/passwd file or equivalent) for the local file system. 
@@ -3972,124 +3923,9 @@ detailed information about the AFS Backup System, see Configuring the AFS Backup System and Backing Up and Restoring AFS Data. - - remote services - - modifications for AFS - - - - commands - - ftp (AFS compared to UNIX) - - - - ftpd command - - AFS compared to UNIX - - - - commands - - ftpd (AFS compared to UNIX) - - - - inetd command - - AFS compared to UNIX - - - - commands - - inetd (AFS compared to UNIX) - - - - rcp command - - AFS compared to UNIX - - - - commands - - rcp (AFS compared to UNIX) - - - - rlogind command - - AFS compared to UNIX - - - - commands - - rlogind (AFS compared to UNIX) - - - - rsh command - - AFS compared to UNIX - - - - commands - - rsh (AFS compared to UNIX) - - - Using UNIX Remote Services in the AFS Environment - - The AFS distribution includes modified versions of several standard UNIX commands, daemons and programs that provide - remote services, including the following: - - The ftpd program - - - - The inetd daemon - - - - The rcp program - - - - The rlogind daemon - - - - The rsh command - - - - These modifications enable the commands to handle AFS authentication information (tokens). This enables issuers to be - recognized on the remote machine as an authenticated AFS user. - - Replacing the standard versions of these programs in your file tree with the AFS-modified versions is optional. It is - likely that AFS's transparent access reduces the need for some of the programs anyway, especially those involved in transferring - files from machine to machine, like the ftpd and rcp - programs. - - If you decide to use the AFS versions of these commands, be aware that several of them are interdependent. For example, - the passing of AFS authentication information works correctly with the rcp command only if you - are using the AFS version of both the rcp and inetd - commands. - - The conventional installation location for the modified remote commands are the /usr/afsws/bin and /usr/afsws/etc directories. 
To learn more about - commands' functionality, see their reference pages in the OpenAFS Administration Reference. - - Accessing AFS through NFS
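Review bot: In the `@@ -255,18 +233,9 @@` hunk the `inetd` entry is renamed to `login utility` in its index terms, but the `The inetd daemon` term and its description are deleted and replaced with a single blank `+` line, so the entry is left with index terms and no term or listitem; a DocBook `varlistentry` needs both, so the build will likely fail validation. Add a term such as `The login utility` and a short listitem describing the AFS-modified login utility, which the first hunk of this same patch already refers to ("whether and how the cell is using an AFS-modified login utility"), or drop the entry and its index terms together.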
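Review bot: In the `@@ -307,20 +276,19 @@` hunk the new sentence "The OpenSSH project provides an sshd daemon that uses the GSSAPI protocol to pass Kerberos tickets between machines" is imprecise: GSSAPI is an API, not a wire protocol, and Kerberos tickets are only passed to the remote machine when credential delegation is enabled on both sides. Suggest wording along the lines of "sshd from the OpenSSH project supports GSSAPI authentication with Kerberos and, when credential delegation is enabled, forwards the user's Kerberos credentials to the remote machine", and since this entry replaces the old `rcp` text that pointed readers at a section, say what the administrator then does with the forwarded credentials to get an AFS token, or link to the section of this guide that does.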
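Review bot: In the `@@ -328,44 +296,10 @@` hunk the `rlogind` index terms are renamed to `ssh`, but the `The rlogind daemon` term and its listitem are removed without an `ssh` replacement, so the `ssh command` entry has no term and no description (the same shape problem as the `login utility` entry earlier in this patch). Either add a term `The ssh command` with one sentence parallel to the new `sshd` entry (the client side of GSSAPI authentication and credential delegation), or remove the `ssh command` index terms as well rather than leaving an empty entry.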
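Review bot: In the `@@ -404,9 +346,23 @@` hunk the new paragraph reads "The choice of storage formats is chosen at compile time", which is redundant; "The storage format is chosen at compile time" says the same. Also "uses either of two formats" should be "uses one of two formats", and the two new paragraphs should name the format the way the index terms added in the `@@ -374` hunk do (`inode-based`, `namei-based`) so readers can find this section from the index. The added sentence "On servers using namei-based binaries, the vendor-supplied fsck is required" is the key operational point and is correct as far as the surrounding text goes; consider stating it before the inode discussion so a namei administrator stops reading there.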
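Review bot: In the `@@ -425,9 +381,11 @@` hunk, "If the data is not recoverabled" should be "recoverable", and "on an fileserver" should be "on a fileserver". The new warning line "Running the fsck binary supplied by the operating system vendor on an fileserver using inode-based binaries will result in data corruption!" is placed after the recovery advice; it is the most important sentence in the section and belongs at the top of the inode-based fsck discussion, ideally in a DocBook `<warning>` element rather than as a plain paragraph ending in an exclamation mark, which this guide does not use elsewhere. Consistent with the preceding text, "data corruption" could also be stated more precisely as the volume data being moved into `lost+found`.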
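Review bot: In the `@@ -677,9 +634,9 @@` hunk the paragraph explaining how the Authentication Server combines the password with the cell name in `ThisCell` to derive an encryption key is deleted, but the unchanged paragraph immediately after it still begins "This method of converting passwords into encryption keys means that the same password results in different keys in different cells", so it now refers to a method the text no longer describes. Either keep a one-sentence replacement (for a Kerberos cell, the key is salted with the realm, which is why the same password yields different keys in different cells) or delete the dangling paragraph in the same change. Also, the second added line `+user receives an AFS token when` starts at column 0 in the middle of an indented paragraph; match the surrounding indentation.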
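Review bot: In the `@@ -2782,7 +2733,7 @@` hunk the replacement line still carries the pre-existing typo "in the each machine's local password file" ("in each machine's"), and it says "Kerberos Database" where the first hunk of this patch (`@@ -122`) says "Kerberos Server"; use one term in both places. The first hunk was also changed to "Passwords may be stored in two separate places ... optionally, each machine's local password file", but this later passage still states unconditionally that "Passwords are stored in two separate places"; the two summaries should agree.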
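Review bot: The `@@ -3972,124 +3923,9 @@` hunk deletes the whole "Using UNIX Remote Services in the AFS Environment" section, and the earlier hunks in this file delete the `ftpd`, `inetd`, `rcp`, `rlogind` and `rsh` entries that linked to it. Please confirm with a grep over `doc/xml` that no other chapter still carries a `linkend` or `xref` to that section's id (the id is not visible in this diff); a dangling `linkend` breaks the DocBook build. The remaining text in this file also still says ssh "pass[es] Kerberos tickets", so if nothing now documents how to use those forwarded credentials with AFS, a short replacement subsection rather than an outright deletion would keep the guide complete.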