mirror of
https://git.openafs.org/openafs.git
synced 2025-01-22 08:50:17 +00:00
dd1798a7ba
based on information from joda@pdc.kth.se
4428 lines
191 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 4//EN">
<HTML><HEAD>
<TITLE>Quick Beginnings</TITLE>
<!-- Begin Header Records ========================================== -->
<!-- /tmp/idwt3574/auqbg000.scr converted by idb2h R4.2 (359) ID -->
<!-- Workbench Version (AIX) on 2 Oct 2000 at 12:25:35 -->
<META HTTP-EQUIV="updated" CONTENT="Mon, 02 Oct 2000 12:25:35">
<META HTTP-EQUIV="review" CONTENT="Tue, 02 Oct 2001 12:25:35">
<META HTTP-EQUIV="expires" CONTENT="Wed, 02 Oct 2002 12:25:35">
</HEAD><BODY>
<!-- (C) IBM Corporation 2000. All Rights Reserved -->
<BODY bgcolor="ffffff">
<!-- End Header Records ============================================ -->
<A NAME="Top_Of_Page"></A>
<H1>Quick Beginnings</H1>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auqbg002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auqbg004.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Bot_Of_Page"><IMG SRC="../bot.gif" BORDER="0" ALT="[Bottom of Topic]"></A> <A HREF="auqbg006.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auqbg009.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
<P>
<A NAME="IDX2218"></A>
<A NAME="IDX2219"></A>
<A NAME="IDX2220"></A>
<HR><H1><A NAME="HDRWQ17" HREF="auqbg002.htm#ToC_28">Installing the First AFS Machine</A></H1>
<P>This chapter describes how to install the first AFS machine
in your cell, configuring it as both a file server machine and a client
machine. After completing all procedures in this chapter, you can
remove the client functionality if you wish, as described in <A HREF="#HDRWQ98">Removing Client Functionality</A>.
<P>To install additional file server machines after completing this chapter,
see <A HREF="auqbg006.htm#HDRWQ99">Installing Additional Server Machines</A>.
<P>To install additional client machines after completing this chapter, see <A HREF="auqbg007.htm#HDRWQ133">Installing Additional Client Machines</A>.
<A NAME="IDX2221"></A>
<HR><H2><A NAME="Header_29" HREF="auqbg002.htm#ToC_29">Requirements and Configuration Decisions</A></H2>
<P>The instructions in this chapter assume that you meet the following
requirements.
<UL>
<P><LI>You are logged onto the machine's console as the local superuser
<B>root</B>
<P><LI>A standard version of one of the operating systems supported by the
current version of AFS is running on the machine
<P><LI>You can access the data on the AFS CD-ROMs, either through a local CD
drive or via an NFS mount of a CD drive attached to a machine that is
accessible by network
</UL>
<P>You must make the following configuration decisions while installing the
first AFS machine. To speed the installation itself, it is best to make
the decisions before beginning. See the chapter in the <I>IBM AFS
Administration Guide</I> about issues in cell administration and
configuration for detailed guidelines.
<A NAME="IDX2222"></A>
<A NAME="IDX2223"></A>
<A NAME="IDX2224"></A>
<UL>
<P><LI>Select the first AFS machine
<P><LI>Select the cell name
<P><LI>Decide which partitions or logical volumes to configure as AFS server
partitions, and choose the directory names on which to mount them
<P><LI>Decide whether to use the standard AFS authentication and authorization
software or Kerberos as obtained from another source. On several system
types, the decision determines how you incorporate AFS into the machine's
authentication system. If you wish to use Kerberos, contact the AFS
Product Support group now to learn about how you must modify the installation
procedure.
<P><LI>Decide how big to make the client cache
<P><LI>Decide how to configure the top levels of your cell's AFS filespace
</UL>
<P>This chapter is divided into three large sections corresponding to the
three parts of installing the first AFS machine. Perform all of the
steps in the order they appear. Each functional section begins with a
summary of the procedures to perform. The sections are as
follows:
<UL>
<P><LI>Installing server functionality (begins in <A HREF="#HDRWQ18">Overview: Installing Server Functionality</A>)
<P><LI>Installing client functionality (begins in <A HREF="#HDRWQ63">Overview: Installing Client Functionality</A>)
<P><LI>Configuring your cell's filespace, establishing further security
mechanisms, and enabling access to foreign cells (begins in <A HREF="#HDRWQ71">Overview: Completing the Installation of the First AFS Machine</A>)
</UL>
<A NAME="IDX2225"></A>
<A NAME="IDX2226"></A>
<A NAME="IDX2227"></A>
<HR><H2><A NAME="HDRWQ18" HREF="auqbg002.htm#ToC_30">Overview: Installing Server Functionality</A></H2>
<P>In the first phase of installing your cell's first AFS
machine, you install file server and database server functionality by
performing the following procedures:
<OL TYPE=1>
<P><LI>Choose which machine to install as the first AFS machine
<P><LI>Create AFS-related directories on the local disk
<P><LI>Incorporate AFS modifications into the machine's kernel
<P><LI>Configure partitions or logical volumes for storing AFS volumes
<P><LI>On some system types, install and configure an AFS-modified version of the
<B>fsck</B> program
<P><LI>If the machine is to remain a client machine, incorporate AFS into its
authentication system
<P><LI>Start the Basic OverSeer (BOS) Server
<P><LI>Define the cell name and the machine's cell membership
<P><LI>Start the database server processes: Authentication Server, Backup
Server, Protection Server, and Volume Location (VL) Server
<P><LI>Configure initial security mechanisms
<P><LI>Start the <B>fs</B> process, which incorporates three component
processes: the File Server, Volume Server, and Salvager
<P><LI>Start the server portion of the Update Server
<P><LI>Start the controller process (called <B>runntp</B>) for the Network
Time Protocol Daemon, which synchronizes machine clocks
</OL>
<HR><H2><A NAME="HDRWQ19" HREF="auqbg002.htm#ToC_31">Choosing the First AFS Machine</A></H2>
<P>The first AFS machine you install must have sufficient disk
space to store AFS volumes. To take best advantage of AFS's
capabilities, store client-side binaries as well as user files in
volumes. When you later install additional file server machines in your
cell, you can distribute these volumes among the different machines as you see
fit.
<P>These instructions configure the first AFS machine as a <I>database
server machine</I>, the <I>binary distribution machine</I> for its
system type, and the cell's <I>system control machine</I>. For
a description of these roles, see the <I>IBM AFS Administration
Guide</I>.
<P>Installation of additional machines is simplest if the first machine has
the lowest IP address of any database server machine you currently plan to
install. If you later install database server functionality on a
machine with a lower IP address, you must first update the
<B>/usr/vice/etc/CellServDB</B> file on all of your cell's client
machines. For more details, see <A HREF="auqbg006.htm#HDRWQ114">Installing Database Server Functionality</A>.
<HR><H2><A NAME="Header_32" HREF="auqbg002.htm#ToC_32">Creating AFS Directories</A></H2>
<A NAME="IDX2228"></A>
<A NAME="IDX2229"></A>
<A NAME="IDX2230"></A>
<A NAME="IDX2231"></A>
<A NAME="IDX2232"></A>
<A NAME="IDX2233"></A>
<A NAME="IDX2234"></A>
<A NAME="IDX2235"></A>
<A NAME="IDX2236"></A>
<A NAME="IDX2237"></A>
<A NAME="IDX2238"></A>
<P>Create the <B>/usr/afs</B> and <B>/usr/vice/etc</B> directories on
the local disk, to house server and client files respectively.
Subsequent instructions copy files from the AFS CD-ROM into them.
Create the <B>/cdrom</B> directory as a mount point for CD-ROMs, if it
does not already exist.
<PRE>
# <B>mkdir /usr/afs</B>

# <B>mkdir /usr/vice</B>

# <B>mkdir /usr/vice/etc</B>

# <B>mkdir /cdrom</B>
</PRE>
<HR><H2><A NAME="HDRWQ20" HREF="auqbg002.htm#ToC_33">Performing Platform-Specific Procedures</A></H2>
<P>Several of the initial procedures for installing a file
server machine differ for each system type. For convenience, the
following sections group them together for each system type:
<UL>
<A NAME="IDX2239"></A>
<A NAME="IDX2240"></A>
<A NAME="IDX2241"></A>
<P><LI>Incorporate AFS modifications into the kernel.
<P>The kernel on every AFS file server and client machine must incorporate AFS
extensions. On machines that use a dynamic kernel module loader, it is
conventional to alter the machine's initialization script to load the AFS
extensions at each reboot.
<A NAME="IDX2242"></A>
<A NAME="IDX2243"></A>
<A NAME="IDX2244"></A>
<A NAME="IDX2245"></A>
<A NAME="IDX2246"></A>
<A NAME="IDX2247"></A>
<A NAME="IDX2248"></A>
<P><LI>Configure server partitions or logical volumes to house AFS
volumes.
<P>Every AFS file server machine must have at least one partition or logical
volume dedicated to storing AFS volumes (for convenience, the documentation
hereafter refers to partitions only). Each server partition is mounted
at a directory named <B>/vicep</B><VAR>xx</VAR>, where <VAR>xx</VAR> is one or
two lowercase letters. By convention, the first 26 partitions are
mounted on the directories called <B>/vicepa</B> through
<B>/vicepz</B>, the 27th one is mounted on the <B>/vicepaa</B>
directory, and so on through <B>/vicepaz</B> and <B>/vicepba</B>,
continuing up to the index corresponding to the maximum number of server
partitions supported in the current version of AFS (which is specified in the
<I>IBM AFS Release Notes</I>).
<P>The <B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
machine's root directory, not in one of its subdirectories (for example,
<B>/usr/vicepa</B> is not an acceptable directory location).
<P>You can also add or remove server partitions on an existing file server
machine. For instructions, see the chapter in the <I>IBM AFS
Administration Guide</I> about maintaining server machines.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Not all file system types supported by an operating system are necessarily
supported as AFS server partitions. For possible restrictions, see the
<I>IBM AFS Release Notes</I>.
</TD></TR></TABLE>
<P><LI>On some system types, install and configure a modified <B>fsck</B>
program which recognizes the structures that the File Server uses to organize
volume data on AFS server partitions. The <B>fsck</B> program
provided with the operating system does not understand the AFS data
structures, and so removes them to the <B>lost+found</B> directory.
<P><LI>If the machine is to remain an AFS client machine, modify the
machine's authentication system so that users obtain an AFS token as they
log into the local file system. Using AFS is simpler and more
convenient for your users if you make the modifications on all client
machines. Otherwise, users must perform a two-step login procedure
(log in to the local file system and then issue the <B>klog</B>
command). For further discussion of AFS authentication, see the chapter
in the <I>IBM AFS Administration Guide</I> about cell configuration and
administration issues.
</UL>
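<P>The following POSIX shell functions are an added example, not part of the AFS guide or distribution: they encode the <B>/vicep</B><VAR>xx</VAR> naming rule described above (index to name and back) and reject mount points that are not one or two lowercase letters directly under the root directory, so a planned partition layout can be checked before any <B>mkdir</B> is run. The upper bound of 702 (<B>/vicepzz</B>) is an assumption of the two-letter scheme, not the limit stated in the Release Notes.

```shell
#!/bin/sh
# Added example: helpers for the AFS server partition naming rule.
# Not AFS code; written to illustrate this guide's /vicepxx convention.
LC_ALL=C; export LC_ALL            # make [a-z] mean ASCII a..z in every shell
LETTERS=abcdefghijklmnopqrstuvwxyz

# letter N -> prints the Nth lowercase letter, 0-based
letter() {
    printf '%s\n' "$LETTERS" | cut -c"$(($1 + 1))"
}

# ord C -> prints the 0-based position of lowercase letter C
ord() {
    awk -v c="$1" -v l="$LETTERS" 'BEGIN { print index(l, c) - 1 }'
}

# vicep_name N -> prints the mount point of the Nth server partition (1-based):
#   1..26 -> /vicepa../vicepz, 27 -> /vicepaa, 52 -> /vicepaz, 53 -> /vicepba ...
# Returns 1 outside 1..702 (assumed ceiling: /vicepzz, the last two-letter name).
vicep_name() {
    n=$1
    [ "$n" -ge 1 ] && [ "$n" -le 702 ] || return 1
    if [ "$n" -le 26 ]; then
        printf '/vicep%s\n' "$(letter $((n - 1)))"
    else
        m=$((n - 27))
        printf '/vicep%s%s\n' "$(letter $((m / 26)))" "$(letter $((m % 26)))"
    fi
}

# vicep_ok PATH -> 0 only if PATH is a legal server partition mount point:
# /vicep plus one or two lowercase letters, directly under /.
# /usr/vicepa, /vicepA, /vicep1 and /vicepabc are all rejected.
vicep_ok() {
    case "$1" in
        /vicep[a-z]|/vicep[a-z][a-z]) return 0 ;;
        *) return 1 ;;
    esac
}

# vicep_index PATH -> prints the 1-based partition index of a legal name
# (inverse of vicep_name); returns 1 for an illegal name.
vicep_index() {
    vicep_ok "$1" || return 1
    s=${1#/vicep}
    if [ ${#s} -eq 1 ]; then
        echo $(( $(ord "$s") + 1 ))
    else
        first=$(printf '%s' "$s" | cut -c1)
        second=$(printf '%s' "$s" | cut -c2)
        echo $(( 27 + $(ord "$first") * 26 + $(ord "$second") ))
    fi
}
```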
<P>To continue, proceed to the appropriate section:
<UL>
<P><LI><A HREF="#HDRWQ21">Getting Started on AIX Systems</A>
<P><LI><A HREF="#HDRWQ26">Getting Started on Digital UNIX Systems</A>
<P><LI><A HREF="#HDRWQ31">Getting Started on HP-UX Systems</A>
<P><LI><A HREF="#HDRWQ36">Getting Started on IRIX Systems</A>
<P><LI><A HREF="#HDRWQ41">Getting Started on Linux Systems</A>
<P><LI><A HREF="#HDRWQ45">Getting Started on Solaris Systems</A>
</UL>
<HR><H2><A NAME="HDRWQ21" HREF="auqbg002.htm#ToC_34">Getting Started on AIX Systems</A></H2>
<P>Begin by running the AFS initialization script to call the
AIX kernel extension facility, which dynamically loads AFS modifications into
the kernel. Then use the <B>SMIT</B> program to configure
partitions for storing AFS volumes, and replace the AIX <B>fsck</B>
program helper with a version that correctly handles AFS volumes. If
the machine is to remain an AFS client machine, incorporate AFS into the AIX
secondary authentication system.
<A NAME="IDX2249"></A>
<A NAME="IDX2250"></A>
<A NAME="IDX2251"></A>
<A NAME="IDX2252"></A>
<P><H3><A NAME="HDRWQ22" HREF="auqbg002.htm#ToC_35">Loading AFS into the AIX Kernel</A></H3>
<P>The AIX kernel extension facility is the dynamic kernel
loader provided by IBM Corporation. AIX does not support incorporation
of AFS modifications during a kernel build.
<P>For AFS to function correctly, the kernel extension facility must run each
time the machine reboots, so the AFS initialization script (included in the
AFS distribution) invokes it automatically. In this section you copy
the script to the conventional location and edit it to select the appropriate
options depending on whether NFS is also to run.
<P>After editing the script, you run it to incorporate AFS into the
kernel. In later sections you verify that the script correctly
initializes all AFS components, then configure the AIX <B>inittab</B> file
so that the script runs automatically at reboot.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for AIX on the local <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your AIX documentation. Then change directory as
indicated.
<PRE>
# <B>cd /cdrom/rs_aix42/root.client/usr/vice/etc</B>
</PRE>
<P><LI>Copy the AFS kernel library files to the local
<B>/usr/vice/etc/dkload</B> directory, and the AFS initialization script
to the <B>/etc</B> directory.
<PRE>
# <B>cp -rp dkload /usr/vice/etc</B>

# <B>cp -p rc.afs /etc/rc.afs</B>
</PRE>
<P><LI>Edit the <B>/etc/rc.afs</B> script, setting the <TT>NFS</TT>
variable as indicated.
<P>If the machine is not to function as an NFS/AFS Translator, set the
<TT>NFS</TT> variable as follows.
<PRE>
NFS=$NFS_NONE
</PRE>
<P>If the machine is to function as an NFS/AFS Translator and is running AIX
4.2.1 or higher, set the <TT>NFS</TT> variable as
follows. Note that NFS must already be loaded into the kernel, which
happens automatically on systems running AIX 4.1.1 and later, as
long as the file <B>/etc/exports</B> exists.
<PRE>
NFS=$NFS_IAUTH
</PRE>
<P><LI>Invoke the <B>/etc/rc.afs</B> script to load AFS modifications
into the kernel. You can ignore any error messages about the inability
to start the BOS Server or the Cache Manager or AFS client.
<PRE>
# <B>/etc/rc.afs</B>
</PRE>
</OL>
<A NAME="IDX2253"></A>
<A NAME="IDX2254"></A>
<A NAME="IDX2255"></A>
<A NAME="IDX2256"></A>
<P><H3><A NAME="HDRWQ23" HREF="auqbg002.htm#ToC_36">Configuring Server Partitions on AIX Systems</A></H3>
<P>Every AFS file server machine must have at least one
partition or logical volume dedicated to storing AFS volumes. Each
server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
where <VAR>xx</VAR> is one or two lowercase letters. The
<B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
machine's root directory, not in one of its subdirectories (for example,
<B>/usr/vicepa</B> is not an acceptable directory location). For
additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
<P>To configure server partitions on an AIX system, perform the following
procedures:
<OL TYPE=1>
<P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
partition you are configuring (there must be at least one). Repeat the
command for each partition.
<PRE>
# <B>mkdir /vicep</B><VAR>xx</VAR>
</PRE>
<P><LI>Use the <B>SMIT</B> program to create a journaling file system on each
partition to be configured as an AFS server partition.
<P><LI>Mount each partition at one of the <B>/vicep</B><VAR>xx</VAR>
directories. Choose one of the following three methods:
<UL>
<P><LI>Use the <B>SMIT</B> program
<P><LI>Use the <B>mount -a</B> command to mount all partitions at once
<P><LI>Use the <B>mount</B> command on each partition in turn
</UL>
<P>Also configure the partitions so that they are mounted automatically at
each reboot. For more information, refer to the AIX
documentation.
</OL>
<A NAME="IDX2257"></A>
<A NAME="IDX2258"></A>
<A NAME="IDX2259"></A>
<A NAME="IDX2260"></A>
<P><H3><A NAME="HDRWQ24" HREF="auqbg002.htm#ToC_37">Replacing the fsck Program Helper on AIX Systems</A></H3>
<P>In this section, you make modifications to guarantee that the
appropriate <B>fsck</B> program runs on AFS server partitions. The
<B>fsck</B> program provided with the operating system must never run on
AFS server partitions. Because it does not recognize the structures
that the File Server uses to organize volume data, it removes all of the
data. To repeat:
<P><B>Never run the standard fsck program on AFS server partitions.
It discards AFS volumes.</B>
<P>On AIX systems, you do not replace the <B>fsck</B> binary itself, but
rather the <I>program helper</I> file included in the AIX distribution as
<B>/sbin/helpers/v3fshelper</B>.
<OL TYPE=1>
<P><LI>Move the AIX <B>fsck</B> program helper to a safe location and install
the version from the AFS distribution in its place. The AFS CD-ROM must
still be mounted at the <B>/cdrom</B> directory.
<PRE>
# <B>cd /sbin/helpers</B>

# <B>mv v3fshelper v3fshelper.noafs</B>

# <B>cp -p /cdrom/rs_aix42/root.server/etc/v3fshelper v3fshelper</B>
</PRE>
<P><LI>If you plan to retain client functionality on this machine after
completing the installation, proceed to <A HREF="#HDRWQ25">Enabling AFS Login on AIX Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</OL>
<A NAME="IDX2261"></A>
<A NAME="IDX2262"></A>
<A NAME="IDX2263"></A>
<A NAME="IDX2264"></A>
<A NAME="IDX2265"></A>
<P><H3><A NAME="HDRWQ25" HREF="auqbg002.htm#ToC_38">Enabling AFS Login on AIX Systems</A></H3>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</TD></TR></TABLE>
<P>Follow the instructions in this section to incorporate AFS modifications
into the AIX secondary authentication system.
<OL TYPE=1>
<P><LI>Issue the <B>ls</B> command to verify that the
<B>afs_dynamic_auth</B> and <B>afs_dynamic_kerbauth</B> programs are
installed in the local <B>/usr/vice/etc</B> directory.
<PRE>
# <B>ls /usr/vice/etc</B>
</PRE>
<P>If the files do not exist, mount the AFS CD-ROM for AIX (if it is not
already), change directory as indicated, and copy them.
<PRE>
# <B>cd /cdrom/rs_aix42/root.client/usr/vice/etc</B>

# <B>cp -p afs_dynamic* /usr/vice/etc</B>
</PRE>
<P><LI>Edit the local <B>/etc/security/user</B> file, making changes to the
indicated stanzas:
<UL>
<P><LI>In the default stanza, set the <TT>registry</TT> attribute to
<B>DCE</B> (not to <B>AFS</B>), as follows:
<PRE>
        registry = DCE
</PRE>
<P><LI>In the default stanza, set the <TT>SYSTEM</TT> attribute as
indicated.
<P>If the machine is an AFS client only, set the following value:
<PRE>
        SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"
</PRE>
<P>If the machine is both an AFS and a DCE client, set the following value (it
must appear on a single line in the file):
<PRE>
        SYSTEM = "DCE OR DCE[UNAVAIL] OR AFS OR (AFS[UNAVAIL] \
        AND compat[SUCCESS])"
</PRE>
<P><LI>In the <TT>root</TT> stanza, set the <TT>registry</TT> attribute as
follows. It enables the local superuser <B>root</B> to log into the
local file system only, based on the password listed in the local password
file.
<PRE>
root:
        registry = files
</PRE>
</UL>
<P><LI>Edit the local <B>/etc/security/login.cfg</B> file, creating or
editing the indicated stanzas:
<UL>
<P><LI>In the <TT>DCE</TT> stanza, set the <TT>program</TT> attribute as
follows.
<P>If you use the AFS Authentication Server (<B>kaserver</B>
process):
<PRE>
DCE:
        program = /usr/vice/etc/afs_dynamic_auth
</PRE>
<P>If you use a Kerberos implementation of AFS authentication:
<PRE>
DCE:
        program = /usr/vice/etc/afs_dynamic_kerbauth
</PRE>
<P><LI>In the <TT>AFS</TT> stanza, set the <TT>program</TT> attribute as
follows.
<P>If you use the AFS Authentication Server (<B>kaserver</B>
process):
<PRE>
AFS:
        program = /usr/vice/etc/afs_dynamic_auth
</PRE>
<P>If you use a Kerberos implementation of AFS authentication:
<PRE>
AFS:
        program = /usr/vice/etc/afs_dynamic_kerbauth
</PRE>
</UL>
<P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
</OL>
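<P>The following shell script is an added example, not part of the AFS guide or distribution: it parses AIX stanza files and verifies that the <B>/etc/security/user</B> and <B>/etc/security/login.cfg</B> settings listed above are in place (default <TT>registry = DCE</TT>, <TT>SYSTEM</TT> invoking AFS, root confined to <TT>registry = files</TT>, and both the <TT>DCE</TT> and <TT>AFS</TT> stanzas running one of the <B>afs_dynamic_*</B> programs), so a misedit is caught before the next login. The stanza files it reads are constructed samples written to a temporary directory; the <B>/usr/vice/etc</B> path is passed in as a parameter.

```shell
#!/bin/sh
# Added example (not AFS code): check the AIX login stanzas this section edits.
LC_ALL=C; export LC_ALL

# stanza_attr FILE STANZA ATTR -> prints ATTR's value in STANZA (surrounding
# quotes removed), nothing if absent.  AIX stanza files look like:
#   name:
#           attr = value
# and lines beginning with "*" are comments.
stanza_attr() {
    awk -v want="$2" -v attr="$3" '
        /^[ \t]*\*/ { next }
        /^[^ \t*][^:]*:[ \t]*$/ { cur = $0; sub(/:.*/, "", cur); next }
        cur == want && $1 == attr && $2 == "=" {
            v = $0
            sub(/^[ \t]*[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            sub(/^"/, "", v); sub(/"$/, "", v)
            print v; exit
        }' "$1"
}

# check_afs_login USER_FILE LOGIN_CFG VICE_ETC -> 0 when every setting the guide
# asks for is present; prints one line per deviation and returns 1 otherwise.
check_afs_login() {
    rc=0
    [ "$(stanza_attr "$1" default registry)" = DCE ] ||
        { echo "default: registry must be DCE (not AFS)"; rc=1; }
    case "$(stanza_attr "$1" default SYSTEM)" in
        *AFS*) ;;
        *) echo "default: SYSTEM does not invoke AFS"; rc=1 ;;
    esac
    [ "$(stanza_attr "$1" root registry)" = files ] ||
        { echo "root: registry must be files (root logs in locally only)"; rc=1; }
    for st in DCE AFS; do
        prog=$(stanza_attr "$2" "$st" program)
        case "$prog" in
            "$3/afs_dynamic_auth"|"$3/afs_dynamic_kerbauth") ;;
            *) echo "$st: program is '$prog', expected $3/afs_dynamic_auth or afs_dynamic_kerbauth"
               rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files (not real system files) for the demonstration.
TMPD=$(mktemp -d)
GOOD_USER=$TMPD/user; BAD_USER=$TMPD/user.bad; LOGIN_CFG=$TMPD/login.cfg
cat > "$GOOD_USER" <<'EOF'
* constructed /etc/security/user fragment, edited as the guide describes
default:
        registry = DCE
        SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"

root:
        registry = files
EOF
# Wrong: registry set to AFS, SYSTEM never calls AFS, root not confined to files.
cat > "$BAD_USER" <<'EOF'
default:
        registry = AFS
        SYSTEM = "compat"
root:
        admin = true
EOF
cat > "$LOGIN_CFG" <<'EOF'
DCE:
        program = /usr/vice/etc/afs_dynamic_auth

AFS:
        program = /usr/vice/etc/afs_dynamic_auth
EOF
```

On a real machine, call <TT>check_afs_login /etc/security/user /etc/security/login.cfg /usr/vice/etc</TT> after editing and before rebooting.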
<HR><H2><A NAME="HDRWQ26" HREF="auqbg002.htm#ToC_39">Getting Started on Digital UNIX Systems</A></H2>
<P>Begin either by building AFS modifications into a new static
kernel or by setting up to dynamically load the AFS kernel module. Then create
partitions for storing AFS volumes, and replace the Digital UNIX
<B>fsck</B> program with a version that correctly handles AFS
volumes. If the machine is to remain an AFS client machine, incorporate
AFS into the machine's Security Integration Architecture (SIA)
matrix.
<A NAME="IDX2266"></A>
<A NAME="IDX2267"></A>
<A NAME="IDX2268"></A>
<A NAME="IDX2269"></A>
<P><H3><A NAME="HDRWQ27a" HREF="auqbg002.htm#ToC_40a">Loading AFS into the Digital UNIX Kernel</A></H3>
<P>The <B>sysconfig</B> program is the dynamic kernel loader provided
for Digital UNIX systems.
<P>For AFS to function correctly, the <B>sysconfig</B> program must run each
time the machine reboots, so the AFS initialization script (included on the
AFS CD-ROM) invokes it automatically. In this section you copy the
appropriate AFS library file to the location where the <B>sysconfig</B>
program accesses it and then run the script.
<P>Mount the AFS CD-ROM for Digital UNIX on the local <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your Digital UNIX documentation. Then change
directory as indicated.
<PRE>
# <B>cd /cdrom/alpha_dux40/root.client</B>
</PRE>
<P>Copy the AFS initialization script to the local directory for
initialization files (by convention, <B>/sbin/init.d</B> on Digital
UNIX machines). Note the removal of the <B>.rc</B> extension
as you copy the script.
<PRE>
# <B>cp usr/vice/etc/afs.rc /sbin/init.d/afs</B>
</PRE>
<P>Copy the AFS kernel module to the local <B>/subsys</B>
directory.
<PRE>
# <B>cp bin/afs.mod /subsys/afs.mod</B>
</PRE>
<P>Set up the system to load the module at startup.
<PRE>
# <B>/sbin/init.d/autosysconfig add afs</B>
</PRE>
<P>Reboot the machine to start using the new kernel, and log in again as the
superuser <B>root</B>.
<PRE>
# <B>cd /</B>

# <B>shutdown -r now</B>

login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
<P><H3><A NAME="HDRWQ27" HREF="auqbg002.htm#ToC_40">Building AFS into the Digital UNIX Kernel</A></H3>
<P>Use the following instructions to build AFS modifications
into the kernel on a Digital UNIX system.
<OL TYPE=1>
<P><LI>Create a copy called <B>AFS</B> of the basic kernel configuration file
included in the Digital UNIX distribution as
<B>/usr/sys/conf/</B><VAR>machine_name</VAR>, where <VAR>machine_name</VAR> is
the machine's hostname in all uppercase letters.
<PRE>
# <B>cd /usr/sys/conf</B>

# <B>cp</B> <VAR>machine_name</VAR> <B>AFS</B>
</PRE>
<P><LI>Add AFS to the list of options in the configuration file you created in
the previous step, so that the result looks like the following:
<PRE> . .
. .
options UFS
options NFS
options AFS
. .
. .
</PRE>
<P><LI>Add an entry for AFS to two places in the file
<B>/usr/sys/conf/files</B>.
<UL>
<P><LI>Add a line for AFS to the list of <TT>OPTIONS</TT>, so that the result
looks like the following:
<PRE> . . .
. . .
OPTIONS/nfs optional nfs
OPTIONS/afs optional afs
OPTIONS/nfs_server optional nfs_server
. . .
. . .
</PRE>
<P><LI>Add an entry for AFS to the list of <TT>MODULES</TT>, so that the result
looks like the following:
<PRE> . . . .
. . . .
#
MODULE/nfs_server optional nfs_server Binary
nfs/nfs_server.c module nfs_server optimize -g3
nfs/nfs3_server.c module nfs_server optimize -g3
#
MODULE/afs optional afs Binary
afs/libafs.c module afs
#
</PRE>
</UL>
<P><LI>Add an entry for AFS to two places in the file
<B>/usr/sys/vfs/vfs_conf.c</B>.
<UL>
<P><LI>Add AFS to the list of defined file systems, so that the result looks like
the following:
<PRE> . .
. .
#include &lt;afs.h&gt;
#if defined(AFS) &amp;&amp; AFS
extern struct vfsops afs_vfsops;
#endif
. .
. .
</PRE>
<P><LI>Put a declaration for AFS in the <B>vfssw[]</B> table's
MOUNT_ADDON slot, so that the result looks like the following:
<PRE> . . .
. . .
&amp;fdfs_vfsops, "fdfs", /* 12 = MOUNT_FDFS */
#if defined(AFS)
&amp;afs_vfsops, "afs",
#else
(struct vfsops *)0, "", /* 13 = MOUNT_ADDON */
#endif
#if NFS &amp;&amp; INFS_DYNAMIC
&amp;nfs3_vfsops, "nfsv3", /* 14 = MOUNT_NFS3 */
</PRE>
</UL>
<P><LI>Mount the AFS CD-ROM for Digital UNIX on the local <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your Digital UNIX documentation. Then change
directory as indicated.
<PRE>
# <B>cd /cdrom/alpha_dux40/root.client</B>
</PRE>
<P><LI>Copy the AFS initialization script to the local directory for
initialization files (by convention, <B>/sbin/init.d</B> on Digital
UNIX machines). Note the removal of the <B>.rc</B> extension
as you copy the script.
<PRE>
# <B>cp usr/vice/etc/afs.rc /sbin/init.d/afs</B>
</PRE>
<P><LI>Copy the AFS kernel module to the local <B>/usr/sys/BINARY</B>
directory.
<P>If the machine's kernel supports NFS server functionality:
<PRE>
# <B>cp bin/libafs.o /usr/sys/BINARY/afs.mod</B>
</PRE>
<P>If the machine's kernel does not support NFS server
functionality:
<PRE>
# <B>cp bin/libafs.nonfs.o /usr/sys/BINARY/afs.mod</B>
</PRE>
<P><LI>Configure and build the kernel. Respond to any prompts by pressing
&lt;<B>Return</B>&gt;. The resulting kernel resides in the file
<B>/sys/AFS/vmunix</B>.
<PRE>
# <B>doconfig -c AFS</B>
</PRE>
<P><LI>Rename the existing kernel file and copy the new, AFS-modified file to the
standard location.
<PRE>
# <B>mv /vmunix /vmunix_noafs</B>

# <B>cp /sys/AFS/vmunix /vmunix</B>
</PRE>
<P><LI>Reboot the machine to start using the new kernel, and log in again as the
superuser <B>root</B>.
<PRE>
# <B>cd /</B>

# <B>shutdown -r now</B>

login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
</OL>
<A NAME="IDX2270"></A>
<A NAME="IDX2271"></A>
<A NAME="IDX2272"></A>
<A NAME="IDX2273"></A>
<P><H3><A NAME="HDRWQ28" HREF="auqbg002.htm#ToC_41">Configuring Server Partitions on Digital UNIX Systems</A></H3>
<P>Every AFS file server machine must have at least one
partition or logical volume dedicated to storing AFS volumes. Each
server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
where <VAR>xx</VAR> is one or two lowercase letters. The
<B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
machine's root directory, not in one of its subdirectories (for example,
<B>/usr/vicepa</B> is not an acceptable directory location). For
additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
<OL TYPE=1>
<P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
partition you are configuring (there must be at least one). Repeat the
command for each partition.
<PRE>
# <B>mkdir /vicep</B><VAR>xx</VAR>
</PRE>
<P><LI>Add a line with the following format to the file systems registry file,
<B>/etc/fstab</B>, for each directory just created. The entry maps
the directory name to the disk partition to be mounted on it.
<PRE>
/dev/<VAR>disk</VAR> /vicep<VAR>xx</VAR> ufs rw 0 2
</PRE>
<P>The following is an example for the first partition being
configured.
<PRE>
/dev/rz3a /vicepa ufs rw 0 2
</PRE>
<P><LI>Create a file system on each partition that is to be mounted at a
<B>/vicep</B><VAR>xx</VAR> directory. The following command is
probably appropriate, but consult the Digital UNIX documentation for more
information.
<PRE>
# <B>newfs -v /dev/</B><VAR>disk</VAR>
</PRE>
<P><LI>Mount each partition by issuing either the <B>mount -a</B> command to
mount all partitions at once or the <B>mount</B> command to mount each
partition in turn.
</OL>
<A NAME="IDX2274"></A>
<A NAME="IDX2275"></A>
<A NAME="IDX2276"></A>
<A NAME="IDX2277"></A>
<P><H3><A NAME="HDRWQ29" HREF="auqbg002.htm#ToC_42">Replacing the fsck Program on Digital UNIX Systems</A></H3>
<P>In this section, you make modifications to guarantee that the
appropriate <B>fsck</B> program runs on AFS server partitions. The
<B>fsck</B> program provided with the operating system must never run on
AFS server partitions. Because it does not recognize the structures
that the File Server uses to organize volume data, it removes all of the
data. To repeat:
<P><B>Never run the standard fsck program on AFS server partitions.
It discards AFS volumes.</B>
<P>On Digital UNIX systems, the files <B>/sbin/fsck</B> and
<B>/usr/sbin/fsck</B> are driver programs. Rather than replacing
either of them, you replace the actual binary included in the Digital UNIX
distribution as <B>/sbin/ufs_fsck</B> and
<B>/usr/sbin/ufs_fsck</B>.
<OL TYPE=1>
<P><LI>Install the <B>vfsck</B> binary to the <B>/sbin</B> and
<B>/usr/sbin</B> directories. The AFS CD-ROM must still be mounted
at the <B>/cdrom</B> directory.
<PRE>
# <B>cd /cdrom/alpha_dux40/root.server/etc</B>

# <B>cp vfsck /sbin/vfsck</B>

# <B>cp vfsck /usr/sbin/vfsck</B>
</PRE>
<P><LI>Rename the Digital UNIX <B>fsck</B> binaries and create symbolic links
to the <B>vfsck</B> program.
<PRE>
# <B>cd /sbin</B>

# <B>mv ufs_fsck ufs_fsck.noafs</B>

# <B>ln -s vfsck ufs_fsck</B>

# <B>cd /usr/sbin</B>

# <B>mv ufs_fsck ufs_fsck.noafs</B>

# <B>ln -s vfsck ufs_fsck</B>
</PRE>
<P><LI>If you plan to retain client functionality on this machine after
completing the installation, proceed to <A HREF="#HDRWQ30">Enabling AFS Login on Digital UNIX Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</OL>
<A NAME="IDX2278"></A>
<A NAME="IDX2279"></A>
<A NAME="IDX2280"></A>
<A NAME="IDX2281"></A>
<A NAME="IDX2282"></A>
<A NAME="IDX2283"></A>
<P><H3><A NAME="HDRWQ30" HREF="auqbg002.htm#ToC_43">Enabling AFS Login on Digital UNIX Systems</A></H3>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</TD></TR></TABLE>
<P>On Digital UNIX systems, the AFS initialization script automatically
incorporates the AFS authentication library file into the Security Integration
Architecture (SIA) matrix on the machine, so that users with AFS accounts
obtain a token at login. In this section you copy the library file to
the appropriate location.
<P>For more information on SIA, see the Digital UNIX reference page for
<B>matrix.conf</B>, or consult the section on security in your
Digital UNIX documentation.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If the machine runs both the DCE and AFS client software, AFS must start
after DCE. Consult the AFS initialization script for suggested symbolic
links to create for correct ordering. Also, the system startup script
order must initialize SIA before any long-running process that uses
authentication.
</TD></TR></TABLE>
<P>Perform the following steps to enable AFS login.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for Digital UNIX on the local <B>/cdrom</B>
directory, if it is not already. Change directory as indicated.
<PRE>
# <B>cd /cdrom/alpha_dux40/lib/afs</B>
</PRE>
<P><LI>Copy the appropriate AFS authentication library file to the local
<B>/usr/shlib</B> directory. Because SIA loads this library into every
process that authenticates a user, the installed copy must be owned by
<B>root</B> and must not be writable by any other user; a writable copy
would let a local user run code inside every login.
<P>If you use the AFS Authentication Server (<B>kaserver</B> process) in
the cell:
<PRE>
# <B>cp libafssiad.so /usr/shlib</B>
</PRE>
<P>If you use a Kerberos implementation of AFS authentication, rename the
library file as you copy it:
<PRE>
# <B>cp libafssiad.krb.so /usr/shlib/libafssiad.so</B>
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
</OL>
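<P>The following shell script is an added example; it is not part of the IBM documentation or of the AFS distribution. It verifies the result of this section and of the preceding <B>fsck</B> replacement on a Digital UNIX machine: both <B>ufs_fsck</B> names must be symbolic links to <B>vfsck</B>, <B>vfsck</B> and <B>libafssiad.so</B> must not be writable by anyone but their owner, and the <B>ufs_fsck.noafs</B> backup of the vendor binary should still exist. The paths are the ones used above; the function names (<B>check_dux_afs_install</B>, <B>make_dux_fixture</B>) and the directory trees it builds are the example's own assumptions, so it can be tried without touching a live system.

```shell
#!/bin/sh
# Added example, not from the IBM AFS documentation: verify the fsck
# replacement and SIA library installation described above on a Digital UNIX
# machine. ROOT is a prefix (normally "/") so the check can be exercised
# against a constructed directory tree instead of the live system.

# Symlink target of $1 taken from POSIX ls output (readlink is not in POSIX
# and is not present on every Digital UNIX system).
link_target() {
    ls -ld "$1" | sed 's/^.* -> //'
}

# True if $1 is group- or world-writable. Characters 6 and 9 of the ls mode
# string are the group and other write bits.
writable_by_others() {
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) return 0 ;;
    esac
    return 1
}

# check_dux_afs_install ROOT
# Prints one finding per line; returns the number of hard problems.
check_dux_afs_install() {
    root=${1:-/}
    problems=0
    for dir in sbin usr/sbin; do
        vfsck="$root/$dir/vfsck"
        fsck="$root/$dir/ufs_fsck"
        if [ ! -x "$vfsck" ]; then
            echo "MISSING $vfsck: vfsck is not installed or not executable"
            problems=$((problems + 1))
        elif writable_by_others "$vfsck"; then
            # fsck runs as root at boot: a writable copy is a root backdoor
            echo "PERMS $vfsck: group- or world-writable"
            problems=$((problems + 1))
        fi
        if [ ! -L "$fsck" ]; then
            echo "UNSAFE $fsck: not a symbolic link, so the vendor fsck would run on /vicep partitions"
            problems=$((problems + 1))
        else
            case "$(link_target "$fsck")" in
                vfsck|*/vfsck) ;;
                *) echo "UNSAFE $fsck: points at $(link_target "$fsck"), not vfsck"
                   problems=$((problems + 1)) ;;
            esac
        fi
        [ -e "$root/$dir/ufs_fsck.noafs" ] ||
            echo "NOTE $root/$dir/ufs_fsck.noafs: backup of the vendor binary is missing"
    done
    lib="$root/usr/shlib/libafssiad.so"
    if [ ! -f "$lib" ]; then
        echo "NOTE $lib: not installed, so AFS login through SIA is not enabled"
    elif writable_by_others "$lib"; then
        # SIA loads this library into every login; writable means root compromise
        echo "PERMS $lib: group- or world-writable"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Build a constructed tree mirroring the procedure above (assumption of this
# example, not real system files). With "broken" as the second argument the
# ufs_fsck link is never made and the SIA library is left world-writable.
make_dux_fixture() {
    base=$1; flavour=${2:-good}
    mkdir -p "$base/sbin" "$base/usr/sbin" "$base/usr/shlib"
    for dir in sbin usr/sbin; do
        printf '#!/bin/sh\n' > "$base/$dir/vfsck"
        printf '#!/bin/sh\n' > "$base/$dir/ufs_fsck.noafs"
        chmod 755 "$base/$dir/vfsck" "$base/$dir/ufs_fsck.noafs"
        if [ "$flavour" = good ]; then
            ln -s vfsck "$base/$dir/ufs_fsck"
        else
            cp "$base/$dir/ufs_fsck.noafs" "$base/$dir/ufs_fsck"
        fi
    done
    : > "$base/usr/shlib/libafssiad.so"
    if [ "$flavour" = good ]; then
        chmod 644 "$base/usr/shlib/libafssiad.so"
    else
        chmod 666 "$base/usr/shlib/libafssiad.so"
    fi
}

# Stand-alone demo over two constructed trees; no real system files are touched.
tmp=$(mktemp -d)
make_dux_fixture "$tmp/good" good
make_dux_fixture "$tmp/bad" broken
echo "== correctly installed tree"
check_dux_afs_install "$tmp/good" && echo "OK"
echo "== tree where vfsck was never linked in"
check_dux_afs_install "$tmp/bad" || echo "FAILED: $? problem(s)"
rm -rf "$tmp"
```

<P>On a real machine run <B>check_dux_afs_install /</B> as <B>root</B> after completing the steps above; an exit status of zero with no UNSAFE or PERMS lines means the next boot-time <B>fsck</B> of a <B>/vicep</B><VAR>xx</VAR> partition will be performed by <B>vfsck</B>.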
<HR><H2><A NAME="HDRWQ31" HREF="auqbg002.htm#ToC_44">Getting Started on HP-UX Systems</A></H2>
<P>Begin by building AFS modifications into a new kernel;
HP-UX does not support dynamic loading. Then create partitions for
storing AFS volumes, and install and configure the AFS-modified
<B>fsck</B> program to run on AFS server partitions. If the machine
is to remain an AFS client machine, incorporate AFS into the machine's
Pluggable Authentication Module (PAM) scheme.
<A NAME="IDX2284"></A>
<A NAME="IDX2285"></A>
<A NAME="IDX2286"></A>
<A NAME="IDX2287"></A>
<P><H3><A NAME="HDRWQ32" HREF="auqbg002.htm#ToC_45">Building AFS into the HP-UX Kernel</A></H3>
<P>Use the following instructions to build AFS modifications
into the kernel on an HP-UX system.
<OL TYPE=1>
<P><LI>Copy the existing kernel-related files to a safe location.
<PRE>
# <B>cp /stand/vmunix /stand/vmunix.noafs</B>
# <B>cp /stand/system /stand/system.noafs</B>
</PRE>
<P><LI>Mount the AFS CD-ROM for HP-UX on the local <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your HP-UX documentation. Then change directory
as indicated.
<PRE>
# <B>cd /cdrom/hp_ux110/root.client</B>
</PRE>
<P><LI>Copy the AFS initialization file to the local directory for initialization
files (by convention, <B>/sbin/init.d</B> on HP-UX
machines). Note the removal of the <B>.rc</B> extension as
you copy the file.
<PRE>
# <B>cp usr/vice/etc/afs.rc /sbin/init.d/afs</B>
</PRE>
<P><LI>Copy the file <B>afs.driver</B> to the local
<B>/usr/conf/master.d</B> directory, changing its name to
<B>afs</B> as you do.
<PRE>
# <B>cp usr/vice/etc/afs.driver /usr/conf/master.d/afs</B>
</PRE>
<P><LI>Copy the AFS kernel module to the local <B>/usr/conf/lib</B>
directory.
<P>If the machine's kernel supports NFS server functionality:
<PRE>
# <B>cp bin/libafs.a /usr/conf/lib</B>
</PRE>
<P>If the machine's kernel does not support NFS server functionality,
change the file's name as you copy it:
<PRE>
# <B>cp bin/libafs.nonfs.a /usr/conf/lib/libafs.a</B>
</PRE>
<P><LI>Incorporate the AFS driver into the kernel, either using the
<B>SAM</B> program or a series of individual commands.
<UL>
<P><LI>To use the <B>SAM</B> program:
<OL TYPE=a>
<P><LI>Invoke the <B>SAM</B> program, specifying the hostname of the local
machine as <VAR>local_hostname</VAR>. The <B>SAM</B> graphical user
interface pops up.
<PRE>
# <B>sam -display</B> <VAR>local_hostname</VAR><B>:0</B>
</PRE>
<P><LI>Choose the <B>Kernel Configuration</B> icon, then the
<B>Drivers</B> icon. From the list of drivers, select
<B>afs</B>.
<P><LI>Open the pull-down <B>Actions</B> menu and choose the <B>Add Driver
to Kernel</B> option.
<P><LI>Open the <B>Actions</B> menu again and choose the <B>Create a New
Kernel</B> option.
<P><LI>Confirm your choices by choosing <B>Yes</B> and <B>OK</B> when
prompted by subsequent pop-up windows. The <B>SAM</B> program
builds the kernel and reboots the system.
<P><LI>Log in again as the superuser <B>root</B>.
<PRE>
login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
</OL>
<P><LI>To use individual commands:
<OL TYPE=a>
<P><LI>Edit the file <B>/stand/system</B>, adding an entry for <B>afs</B>
to the <TT>Subsystems</TT> section.
<P><LI>Change to the <B>/stand/build</B> directory and issue the
<B>mk_kernel</B> command to build the kernel.
<PRE>
# <B>cd /stand/build</B>
# <B>mk_kernel</B>
</PRE>
<P><LI>Move the new kernel to the standard location (<B>/stand/vmunix</B>),
reboot the machine to start using it, and log in again as the superuser
<B>root</B>.
<PRE>
# <B>mv /stand/build/vmunix_test /stand/vmunix</B>
# <B>cd /</B>
# <B>shutdown -r now</B>
login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
</OL>
</UL>
</OL>
<A NAME="IDX2288"></A>
<A NAME="IDX2289"></A>
<A NAME="IDX2290"></A>
<A NAME="IDX2291"></A>
<P><H3><A NAME="HDRWQ33" HREF="auqbg002.htm#ToC_46">Configuring Server Partitions on HP-UX Systems</A></H3>
<P>Every AFS file server machine must have at least one
partition or logical volume dedicated to storing AFS volumes. Each
server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
where <VAR>xx</VAR> is one or two lowercase letters. The
<B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
machine's root directory, not in one of its subdirectories (for example,
<B>/usr/vicepa</B> is not an acceptable directory location). For
additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
<OL TYPE=1>
<P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
partition you are configuring (there must be at least one). Repeat the
command for each partition.
<PRE>
# <B>mkdir /vicep</B><VAR>xx</VAR>
</PRE>
<P><LI>Use the <B>SAM</B> program to create a file system on each
partition. For instructions, consult the HP-UX documentation.
<P><LI>On some HP-UX systems that use logical volumes, the <B>SAM</B> program
automatically mounts the partitions. If it has not, mount each
partition by issuing either the <B>mount -a</B> command to mount all
partitions at once or the <B>mount</B> command to mount each partition in
turn.
</OL>
<A NAME="IDX2292"></A>
<A NAME="IDX2293"></A>
<A NAME="IDX2294"></A>
<A NAME="IDX2295"></A>
<P><H3><A NAME="HDRWQ34" HREF="auqbg002.htm#ToC_47">Configuring the AFS-modified fsck Program on HP-UX Systems</A></H3>
<P>In this section, you make modifications to guarantee that the
appropriate <B>fsck</B> program runs on AFS server partitions. The
<B>fsck</B> program provided with the operating system must never run on
AFS server partitions. Because it does not recognize the structures
that the File Server uses to organize volume data, it treats them as file
system corruption and removes all of the data. To repeat:
<P><B>Never run the standard fsck program on AFS server partitions.
It discards AFS volumes.</B>
<P>On HP-UX systems, there are several configuration files to install in
addition to the AFS-modified <B>fsck</B> program (the <B>vfsck</B>
binary).
<OL TYPE=1>
<P><LI>Create the command configuration file
<B>/sbin/lib/mfsconfig.d/afs</B>. Use a text editor to place
the indicated two lines in it:
<PRE>
format_revision 1
fsck 0 m,P,p,d,f,b:c:y,n,Y,N,q,
</PRE>
<P><LI>Create and change directory to an AFS-specific command directory called
<B>/sbin/fs/afs</B>.
<PRE>
# <B>mkdir /sbin/fs/afs</B>
# <B>cd /sbin/fs/afs</B>
</PRE>
<P><LI>Copy the AFS-modified version of the <B>fsck</B> program (the
<B>vfsck</B> binary) and related files from the distribution directory to
the new AFS-specific command directory.
<PRE>
# <B>cp -p /cdrom/hp_ux110/root.server/etc/* .</B>
</PRE>
<P><LI>Change the <B>vfsck</B> binary's name to <B>fsck</B> and set
the mode bits appropriately on all of the files in the <B>/sbin/fs/afs</B>
directory.
<PRE>
# <B>mv vfsck fsck</B>
# <B>chmod 755 *</B>
</PRE>
<P><LI>Edit the <B>/etc/fstab</B> file, changing the file system type for
each AFS server partition from <TT>hfs</TT> to <TT>afs</TT>. This
ensures that the AFS-modified <B>fsck</B> program runs on the appropriate
partitions. A server partition whose entry still reads <TT>hfs</TT> is
checked by the standard HP-UX <B>fsck</B> at the next boot, so check every
<B>/vicep</B><VAR>xx</VAR> entry after editing.
<P>The sixth line in the following example of an edited file shows an AFS
server partition, <B>/vicepa</B>.
<PRE>
/dev/vg00/lvol1 / hfs defaults 0 1
/dev/vg00/lvol4 /opt hfs defaults 0 2
/dev/vg00/lvol5 /tmp hfs defaults 0 2
/dev/vg00/lvol6 /usr hfs defaults 0 2
/dev/vg00/lvol8 /var hfs defaults 0 2
/dev/vg00/lvol9 /vicepa afs defaults 0 2
/dev/vg00/lvol7 /usr/vice/cache hfs defaults 0 2
</PRE>
<P><LI>If you plan to retain client functionality on this machine after
completing the installation, proceed to <A HREF="#HDRWQ35">Enabling AFS Login on HP-UX Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</OL>
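<P>As an added example that is not part of the IBM documentation or of AFS, the following shell function audits the <B>/etc/fstab</B> entries for AFS server partitions against the rules this chapter states: the mount point is <B>/vicep</B> followed by one or two lowercase letters, it sits directly in the root directory, it is listed only once, and, on HP-UX, its type is <TT>afs</TT> so that the vendor <B>fsck</B> never runs on it. The function name <B>audit_vice_fstab</B> and the sample file it builds are the example's own assumptions. On Digital UNIX or IRIX, where the type stays the native one, omit the expected type and only the naming, location and duplicate checks apply.

```shell
#!/bin/sh
# Added example, not from the IBM AFS documentation: audit /etc/fstab entries
# for AFS server partitions. Flags /vicep mount points that violate the naming
# rule (one or two lowercase letters, directly under /), duplicate mount points
# and, when an expected type is given, entries whose type would make the
# vendor fsck run on the partition (on HP-UX the type must be "afs").

# audit_vice_fstab FSTAB [EXPECTED_TYPE]
# Prints one finding per line; returns the number of findings (0 = clean).
audit_vice_fstab() {
    fstab=$1; want=${2:-}; findings=0; seen=" "
    while read -r dev mnt type opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac      # blank or comment line
        case "$mnt" in
            /vicep[a-z]|/vicep[a-z][a-z]) ;;          # well-formed server partition
            /vicep*)
                echo "BAD-NAME $mnt: /vicep must be followed by one or two lowercase letters"
                findings=$((findings + 1)); continue ;;
            */vicep*)
                echo "BAD-LOCATION $mnt: server partitions must sit in the root directory"
                findings=$((findings + 1)); continue ;;
            *) continue ;;                            # not an AFS server partition
        esac
        case "$seen" in
            *" $mnt "*)
                echo "DUPLICATE $mnt: listed more than once (second device $dev)"
                findings=$((findings + 1)) ;;
        esac
        seen="$seen$mnt "
        if [ -n "$want" ] && [ "$type" != "$want" ]; then
            echo "UNSAFE $mnt: type is $type, expected $want; the vendor fsck would run on it and discard AFS volumes"
            findings=$((findings + 1))
        fi
    done < "$fstab"
    return "$findings"
}

# Constructed HP-UX style fstab (an assumption of this example, not a real
# system file) that exercises each check once.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# device            mount point       type  options  dump pass
/dev/vg00/lvol1     /                 hfs   defaults 0 1
/dev/vg00/lvol6     /usr              hfs   defaults 0 2
/dev/vg00/lvol9     /vicepa           afs   defaults 0 2
/dev/vg00/lvol10    /vicepb           hfs   defaults 0 2
/dev/vg00/lvol11    /usr/vicepc       afs   defaults 0 2
/dev/vg00/lvol12    /vicepABC         afs   defaults 0 2
/dev/vg00/lvol13    /vicepa           afs   defaults 0 2
/dev/vg00/lvol7     /usr/vice/cache   hfs   defaults 0 2
EOF
}

# Stand-alone demo: /vicepb keeps the hfs type, /usr/vicepc is misplaced,
# /vicepABC is misnamed and /vicepa is listed twice.
f=$(mktemp)
write_sample_fstab "$f"
audit_vice_fstab "$f" afs || echo "$? problem(s) found; fix /etc/fstab before the next fsck pass"
rm -f "$f"
```

<P>On an HP-UX file server run <B>audit_vice_fstab /etc/fstab afs</B> after editing; the only finding-free state is one in which every <B>/vicep</B><VAR>xx</VAR> line carries the <TT>afs</TT> type.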
<A NAME="IDX2296"></A>
<A NAME="IDX2297"></A>
<A NAME="IDX2298"></A>
<A NAME="IDX2299"></A>
<A NAME="IDX2300"></A>
<A NAME="IDX2301"></A>
<P><H3><A NAME="HDRWQ35" HREF="auqbg002.htm#ToC_48">Enabling AFS Login on HP-UX Systems</A></H3>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</TD></TR></TABLE>
<P>At this point you incorporate AFS into the operating system's
Pluggable Authentication Module (PAM) scheme. PAM integrates all
authentication mechanisms on the machine, including login, to provide the
security infrastructure for authenticated access to and from the
machine.
<P>Explaining PAM is beyond the scope of this document. It is assumed
that you understand the syntax and meanings of settings in the PAM
configuration file (for example, how the <TT>other</TT> entry works, the
effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
<TT>sufficient</TT>, and so on).
<P>The following instructions explain how to alter the entries in the PAM
configuration file for each service for which you wish to use AFS
authentication. Other configurations possibly also work, but the
instructions specify the recommended and tested configuration.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">The instructions specify that you mark each entry as
<TT>optional</TT>. However, marking some modules as optional can mean
that they grant access to the corresponding service even when the user does
not meet all of the module's requirements. In some operating
system revisions, for example, if you mark as optional the module that
controls login via a dial-up connection, it allows users to log in without
providing a password. See the <I>IBM AFS Release Notes</I> for a
discussion of any limitations that apply to this operating system.
After editing the file, test each affected service with an incorrect
password and confirm that access is refused before you rely on the
configuration.
<P>Also, with some operating system versions you must install patches for PAM
to interact correctly with certain authentication programs. For
details, see the <I>IBM AFS Release Notes</I>.
</TD></TR></TABLE>
<P>The recommended AFS-related entries in the PAM configuration file make use
of one or more of the following three attributes.
<DL>
<P><DT><B><TT>try_first_pass</TT>
</B><DD>This is a standard PAM attribute that can be included on entries after the
first one for a service; it directs the module to use the password that
was provided to the first module. For the AFS module, it means that AFS
authentication succeeds if the password provided to the module listed first is
the user's correct AFS password. For further discussion of this
attribute and its alternatives, see the operating system's PAM
documentation.
<P><DT><B><TT>ignore_root</TT>
</B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
only the local superuser <B>root</B>, but also any user with UID 0
(zero).
<P><DT><B><TT>setenv_password_expires</TT>
</B><DD>This attribute, specific to the AFS PAM module, sets the environment
variable PASSWORD_EXPIRES to the expiration date of the user's AFS
password, which is recorded in the Authentication Database.
</DL>
<P>Perform the following steps to enable AFS login.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for HP-UX on the <B>/cdrom</B> directory, if it
is not already. Then change directory as indicated.
<PRE>
# <B>cd /usr/lib/security</B>
</PRE>
<P><LI>Copy the AFS authentication library file to the
<B>/usr/lib/security</B> directory. Then create a symbolic link to
it whose name does not mention the version. Omitting the version
eliminates the need to edit the PAM configuration file if you later update the
library file.
<P>If you use the AFS Authentication Server (<B>kaserver</B> process) in
the cell:
<PRE>
# <B>cp /cdrom/hp_ux110/lib/pam_afs.so.1 .</B>
# <B>ln -s pam_afs.so.1 pam_afs.so</B>
</PRE>
<P>If you use a Kerberos implementation of AFS authentication:
<PRE>
# <B>cp /cdrom/hp_ux110/lib/pam_afs.krb.so.1 .</B>
# <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>
</PRE>
<P><LI>Edit the <TT>Authentication management</TT> section of the HP-UX PAM
configuration file, <B>/etc/pam.conf</B> by convention. The
entries in this section have the value <TT>auth</TT> in their second
field.
<P>First edit the standard entries, which refer to the HP-UX PAM module
(usually, the file <B>/usr/lib/security/libpam_unix.1</B>) in their
fourth field. For each service for which you want to use AFS
authentication, edit the third field of its entry to read
<TT>optional</TT>. The <B>pam.conf</B> file in the HP-UX
distribution usually includes standard entries for the <B>login</B> and
<B>ftp</B> services, for instance.
<P>If there are services for which you want to use AFS authentication, but for
which the <B>pam.conf</B> file does not already include a standard
entry, you must create that entry and place the value <TT>optional</TT> in
its third field. For instance, the HP-UX <B>pam.conf</B>
file does not usually include standard entries for the <B>remsh</B> or
<B>telnet</B> services.
<P>Then create an AFS-related entry for each service, placing it immediately
below the standard entry. The following example shows what the
<TT>Authentication Management</TT> section looks like after you have
edited or created entries for the services mentioned previously. Note
that the example AFS entries appear on two lines only for legibility.
<PRE>
login auth optional /usr/lib/security/libpam_unix.1
login auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root setenv_password_expires
ftp auth optional /usr/lib/security/libpam_unix.1
ftp auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root
remsh auth optional /usr/lib/security/libpam_unix.1
remsh auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root
telnet auth optional /usr/lib/security/libpam_unix.1
telnet auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root setenv_password_expires
</PRE>
<P><LI>If you use the Common Desktop Environment (CDE) on the machine and want
users to obtain an AFS token as they log in, also add or edit the following
four entries in the <TT>Authentication management</TT> section. Note
that the AFS-related entries appear on two lines here only for
legibility.
<PRE>
dtlogin auth optional /usr/lib/security/libpam_unix.1
dtlogin auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root
dtaction auth optional /usr/lib/security/libpam_unix.1
dtaction auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
</OL>
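<P>The following shell script is an added example, not part of the IBM documentation or of the AFS distribution. It audits the <TT>auth</TT> entries of an HP-UX style <B>pam.conf</B> for the conventions the steps above set up: an absolute module path, <TT>ignore_root</TT> on every <B>pam_afs.so</B> entry, the local module listed before the AFS module so that <TT>try_first_pass</TT> has a password to reuse, and a reminder for every service whose stack consists only of <TT>optional</TT> entries, which is the situation the Note above warns about. The module name <B>pam_afs.so</B> and the field layout are taken from this page; the function names and the sample configuration it writes are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM AFS documentation: audit the "auth" stacks in
# an HP-UX style pam.conf (service type control module [args]) for the
# pam_afs.so conventions described above. Assumes the AFS module is named
# pam_afs.so as on this page and that every entry is one physical line.

# audit_pam_afs PAM_CONF
# Prints ERROR/WARN/CHECK lines; returns the number of ERROR and WARN findings.
audit_pam_afs() {
    awk '
    /^[ \t]*(#|$)/ { next }            # comment or blank line
    $2 != "auth"   { next }            # only the authentication management section
    {
        svc = $1; ctl = $3; mod = $4
        n[svc]++
        if (ctl != "optional") nonopt[svc]++
        if (mod !~ /pam_afs/) next
        afs[svc] = n[svc]
        args = ""
        for (i = 5; i <= NF; i++) args = args " " $i
        if (mod !~ /^\//) {
            print "ERROR " svc ": module path " mod " is not absolute"; f++
        }
        if (args !~ / ignore_root/) {
            print "ERROR " svc ": pam_afs.so lacks ignore_root, so UID 0 logins would be authenticated against AFS"; f++
        }
        if (n[svc] == 1) {
            print "ERROR " svc ": pam_afs.so precedes the local module, so try_first_pass has no password to reuse"; f++
        } else if (args !~ / try_first_pass/) {
            print "WARN " svc ": pam_afs.so lacks try_first_pass, so users are prompted for a password twice"; f++
        }
    }
    END {
        # The page recommends marking every entry optional; with no required or
        # sufficient entry the stack result is decided by the optional modules
        # alone, so each such service needs a wrong-password test before use.
        for (svc in afs)
            if (!(svc in nonopt))
                print "CHECK " svc ": every auth entry is optional; confirm a wrong password is rejected"
        exit f + 0
    }' "$1"
}

# Constructed pam.conf fragment (an assumption of this example, not a real
# system file): login and dtlogin follow the page, ftp omits ignore_root, and
# telnet lists the AFS module before the local one.
write_sample_pam_conf() {
    cat > "$1" <<'EOF'
# service  type     control   module                          arguments
login      auth     optional  /usr/lib/security/libpam_unix.1
login      auth     optional  /usr/lib/security/pam_afs.so    try_first_pass ignore_root setenv_password_expires
ftp        auth     optional  /usr/lib/security/libpam_unix.1
ftp        auth     optional  /usr/lib/security/pam_afs.so    try_first_pass
telnet     auth     optional  /usr/lib/security/pam_afs.so    ignore_root
telnet     auth     optional  /usr/lib/security/libpam_unix.1
dtlogin    auth     required  /usr/lib/security/libpam_unix.1
dtlogin    auth     optional  /usr/lib/security/pam_afs.so    try_first_pass ignore_root
login      account  required  /usr/lib/security/libpam_unix.1
EOF
}

# Stand-alone demo over the constructed fragment.
f=$(mktemp)
write_sample_pam_conf "$f"
audit_pam_afs "$f" || echo "$? entry(ies) need attention before relying on AFS login"
rm -f "$f"
```

<P>Run <B>audit_pam_afs /etc/pam.conf</B> after step 3 and again after step 4. CHECK lines are not counted as failures, because the all-<TT>optional</TT> layout is the one the page recommends; they list the services on which the wrong-password test from the Note above still has to be performed.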
<HR><H2><A NAME="HDRWQ36" HREF="auqbg002.htm#ToC_49">Getting Started on IRIX Systems</A></H2>
<A NAME="IDX2302"></A>
<A NAME="IDX2303"></A>
<A NAME="IDX2304"></A>
<A NAME="IDX2305"></A>
<A NAME="IDX2306"></A>
<A NAME="IDX2307"></A>
<A NAME="IDX2308"></A>
<P>To incorporate AFS into the kernel on IRIX systems, choose one of two
methods:
<UL>
<P><LI>Run the AFS initialization script to invoke the <B>ml</B> program
distributed by Silicon Graphics, Incorporated (SGI), which dynamically loads
AFS modifications into the kernel
<P><LI>Build a new static kernel
</UL>
<P>Then create partitions for storing AFS volumes. You do not need to
replace the IRIX <B>fsck</B> program because SGI has already modified it
to handle AFS volumes properly. If the machine is to remain an AFS
client machine, verify that the IRIX login utility installed on the machine
grants an AFS token.
<P>In preparation for either dynamic loading or kernel building, perform the
following procedures:
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for IRIX on the <B>/cdrom</B> directory.
For instructions on mounting CD-ROMs (either locally or remotely via NFS), see
your IRIX documentation. Then change directory as indicated.
<PRE>
# <B>cd /cdrom/sgi_65/root.client</B>
</PRE>
<P><LI>Copy the AFS initialization script to the local directory for
initialization files (by convention, <B>/etc/init.d</B> on IRIX
machines). Note the removal of the <B>.rc</B> extension as
you copy the script.
<PRE>
# <B>cp -p usr/vice/etc/afs.rc /etc/init.d/afs</B>
</PRE>
<P><LI>Issue the <B>uname -m</B> command to determine the machine's CPU
board type. The <B>IP</B><VAR>xx</VAR> value in the output must match
one of the supported CPU board types listed in the <I>IBM AFS Release
Notes</I> for the current version of AFS.
<PRE>
# <B>uname -m</B>
</PRE>
<P><LI>Proceed to either <A HREF="#HDRWQ37">Loading AFS into the IRIX Kernel</A> or <A HREF="#HDRWQ38">Building AFS into the IRIX Kernel</A>.
</OL>
<A NAME="IDX2309"></A>
<A NAME="IDX2310"></A>
<A NAME="IDX2311"></A>
<A NAME="IDX2312"></A>
<A NAME="IDX2313"></A>
<A NAME="IDX2314"></A>
<A NAME="IDX2315"></A>
<P><H3><A NAME="HDRWQ37" HREF="auqbg002.htm#ToC_50">Loading AFS into the IRIX Kernel</A></H3>
<P>The <B>ml</B> program is the dynamic kernel loader
provided by SGI for IRIX systems. If you use it rather than building
AFS modifications into a static kernel, then for AFS to function correctly the
<B>ml</B> program must run each time the machine reboots.
Therefore, the AFS initialization script (included on the AFS CD-ROM) invokes
it automatically when the <B>afsml</B> configuration variable is
activated. In this section you activate the variable and run the
script.
<P>In later sections you verify that the script correctly initializes all AFS
components, then create the links that incorporate AFS into the IRIX startup
and shutdown sequence.
<OL TYPE=1>
<P><LI>Create the local <B>/usr/vice/etc/sgiload</B> directory to house the
AFS kernel library file.
<PRE>
# <B>mkdir /usr/vice/etc/sgiload</B>
</PRE>
<P><LI>Copy the appropriate AFS kernel library file to the
<B>/usr/vice/etc/sgiload</B> directory. The
<B>IP</B><VAR>xx</VAR> portion of the library file name must match the value
previously returned by the <B>uname -m</B> command. Also choose the
file appropriate to whether the machine's kernel supports NFS server
functionality (NFS must be supported for the machine to act as an NFS/AFS
Translator). Single- and multiprocessor machines use the same library
file.
<P>(You can choose to copy all of the kernel library files into the <B>
/usr/vice/etc/sgiload</B> directory, but they require a significant amount
of space.)
<P>If the machine's kernel supports NFS server functionality:
<PRE>
# <B>cp -p usr/vice/etc/sgiload/libafs.IP</B><VAR>xx</VAR><B>.o /usr/vice/etc/sgiload</B>
</PRE>
<P>If the machine's kernel does not support NFS server
functionality:
<PRE>
# <B>cp -p usr/vice/etc/sgiload/libafs.IP</B><VAR>xx</VAR><B>.nonfs.o</B> \
<B>/usr/vice/etc/sgiload</B>
</PRE>
<P><LI>Issue the <B>chkconfig</B> command to activate the <B>afsml</B>
configuration variable.
<PRE>
# <B>/etc/chkconfig -f afsml on</B>
</PRE>
<P>If the machine is to function as an NFS/AFS Translator and the kernel
supports NFS server functionality, activate the <B>afsxnfs</B>
variable.
<PRE>
# <B>/etc/chkconfig -f afsxnfs on</B>
</PRE>
<P><LI>Run the <B>/etc/init.d/afs</B> script to load AFS extensions
into the kernel. The script invokes the <B>ml</B> command,
automatically determining which kernel library file to use based on this
machine's CPU type and the activation state of the <B>afsxnfs</B>
variable.
<P>You can ignore any error messages about the inability to start the BOS
Server or the Cache Manager or AFS client.
<PRE>
# <B>/etc/init.d/afs start</B>
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ39">Configuring Server Partitions on IRIX Systems</A>.
</OL>
<A NAME="IDX2316"></A>
<P><H3><A NAME="HDRWQ38" HREF="auqbg002.htm#ToC_51">Building AFS into the IRIX Kernel</A></H3>
<P>Use the following instructions to build AFS modifications
into the kernel on an IRIX system.
<OL TYPE=1>
<P><LI>Copy the kernel initialization file <B>afs.sm</B> to the local
<B>/var/sysgen/system</B> directory, and the kernel master file
<B>afs</B> to the local <B>/var/sysgen/master.d</B>
directory.
<PRE>
# <B>cp -p bin/afs.sm /var/sysgen/system</B>
# <B>cp -p bin/afs /var/sysgen/master.d</B>
</PRE>
<P><LI>Copy the appropriate AFS kernel library file to the local file
<B>/var/sysgen/boot/afs.a</B>; the <B>IP</B><VAR>xx</VAR>
portion of the library file name must match the value previously returned by
the <B>uname -m</B> command. Also choose the file appropriate to
whether the machine's kernel supports NFS server functionality (NFS must
be supported for the machine to act as an NFS/AFS Translator). Single-
and multiprocessor machines use the same library file.
<P>If the machine's kernel supports NFS server functionality:
<PRE>
# <B>cp -p bin/libafs.IP</B><VAR>xx</VAR><B>.a /var/sysgen/boot/afs.a</B>
</PRE>
<P>If the machine's kernel does not support NFS server
functionality:
<PRE>
# <B>cp -p bin/libafs.IP</B><VAR>xx</VAR><B>.nonfs.a /var/sysgen/boot/afs.a</B>
</PRE>
<P><LI>Issue the <B>chkconfig</B> command to deactivate the <B>afsml</B>
configuration variable.
<PRE>
# <B>/etc/chkconfig -f afsml off</B>
</PRE>
<P>If the machine is to function as an NFS/AFS Translator and the kernel
supports NFS server functionality, activate the <B>afsxnfs</B>
variable.
<PRE>
# <B>/etc/chkconfig -f afsxnfs on</B>
</PRE>
<P><LI>Copy the existing kernel file, <B>/unix</B>, to a safe
location. Compile the new kernel, which is created in the file
<B>/unix.install</B>. It overwrites the existing
<B>/unix</B> file when the machine reboots in the next step.
<PRE>
# <B>cp /unix /unix_noafs</B>
# <B>autoconfig</B>
</PRE>
<P><LI>Reboot the machine to start using the new kernel, and log in again as the
superuser <B>root</B>.
<PRE>
# <B>cd /</B>
# <B>shutdown -i6 -g0 -y</B>
login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
</OL>
<A NAME="IDX2317"></A>
<A NAME="IDX2318"></A>
<A NAME="IDX2319"></A>
<A NAME="IDX2320"></A>
<P><H3><A NAME="HDRWQ39" HREF="auqbg002.htm#ToC_52">Configuring Server Partitions on IRIX Systems</A></H3>
<P>Every AFS file server machine must have at least one
partition or logical volume dedicated to storing AFS volumes. Each
server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
where <VAR>xx</VAR> is one or two lowercase letters. The
<B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
machine's root directory, not in one of its subdirectories (for example,
<B>/usr/vicepa</B> is not an acceptable directory location). For
additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
<P>AFS supports use of both EFS and XFS partitions for housing AFS
volumes. SGI encourages use of XFS partitions.
<OL TYPE=1>
<P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
partition you are configuring (there must be at least one). Repeat the
command for each partition.
<PRE>
# <B>mkdir /vicep</B><VAR>xx</VAR>
</PRE>
<P><LI>Add a line with the following format to the file systems registry file,
<B>/etc/fstab</B>, for each partition (or logical volume created with the
XLV volume manager) to be mounted on one of the directories created in the
previous step.
<P>For an XFS partition or logical volume:
<PRE>
/dev/dsk/<VAR>disk</VAR> /vicep<VAR>xx</VAR> xfs rw,raw=/dev/rdsk/<VAR>disk</VAR> 0 0
</PRE>
<P>For an EFS partition:
<PRE>
/dev/dsk/<VAR>disk</VAR> /vicep<VAR>xx</VAR> efs rw,raw=/dev/rdsk/<VAR>disk</VAR> 0 0
</PRE>
<P>The following are examples of an entry for each file system type:
<PRE>
/dev/dsk/dks0d2s6 /vicepa xfs rw,raw=/dev/rdsk/dks0d2s6 0 0
/dev/dsk/dks0d3s1 /vicepb efs rw,raw=/dev/rdsk/dks0d3s1 0 0
</PRE>
<P><LI>Create a file system on each partition that is to be mounted on a
<B>/vicep</B><VAR>xx</VAR> directory. The following commands are
probably appropriate, but consult the IRIX documentation for more
information. In both cases, <VAR>raw_device</VAR> is a raw device name
like <B>/dev/rdsk/dks0d0s0</B> for a single disk partition or
<B>/dev/rxlv/xlv0</B> for a logical volume.
<P>For XFS file systems, include the indicated options to configure the
partition or logical volume with inodes large enough to accommodate
AFS-specific information:
<PRE>
# <B>mkfs -t xfs -i size=512 -l size=4000b</B> <VAR>raw_device</VAR>
</PRE>
<P>For EFS file systems:
<PRE>
# <B>mkfs -t efs</B> <VAR>raw_device</VAR>
</PRE>
<P><LI>Mount each partition by issuing either the <B>mount -a</B> command to
mount all partitions at once or the <B>mount</B> command to mount each
partition in turn.
<P><LI><B>(Optional)</B> If you have configured partitions or logical volumes
to use XFS, issue the following command to verify that the inodes are
configured properly (are large enough to accommodate AFS-specific
information). If the configuration is correct, the command returns no
output. Otherwise, it specifies the command to run in order to
configure each partition or logical volume properly.
<PRE>
# <B>/usr/afs/bin/xfs_size_check</B>
</PRE>
<P><LI>If you plan to retain client functionality on this machine after
completing the installation, proceed to <A HREF="#HDRWQ40">Enabling AFS Login on IRIX Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</OL>
<A NAME="IDX2321"></A>
<A NAME="IDX2322"></A>
<A NAME="IDX2323"></A>
<A NAME="IDX2324"></A>
<P><H3><A NAME="HDRWQ40" HREF="auqbg002.htm#ToC_53">Enabling AFS Login on IRIX Systems</A></H3>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</TD></TR></TABLE>
<P>The standard IRIX command-line <B>login</B> program and the graphical
<B>xdm</B> login program both automatically grant an AFS token when AFS is
incorporated into the machine's kernel. However, some IRIX
distributions use another login utility by default, and it does not
necessarily incorporate the required AFS modifications. If that is the
case, you must disable the default utility if you want AFS users to obtain AFS
tokens at login. For further discussion, see the <I>IBM AFS Release
Notes</I>.
<P>If you configure the machine to use an AFS-modified login utility, then the
<B>afsauthlib.so</B> and <B>afskauthlib.so</B> files
(included in the AFS distribution) must reside in the <B>/usr/vice/etc</B>
directory. Issue the <B>ls</B> command to verify.
<PRE>
# <B>ls /usr/vice/etc</B>
</PRE>
<P>If the files do not exist, mount the AFS CD-ROM for IRIX (if it is not
already), change directory as indicated, and copy them.
<PRE>
# <B>cd /cdrom/sgi_65/root.client/usr/vice/etc</B>
# <B>cp -p *authlib* /usr/vice/etc</B>
</PRE>
<P>After taking any necessary action, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
|
|
<HR><H2><A NAME="HDRWQ41" HREF="auqbg002.htm#ToC_54">Getting Started on Linux Systems</A></H2>
<A NAME="IDX2325"></A>
<A NAME="IDX2326"></A>
<A NAME="IDX2327"></A>
<A NAME="IDX2328"></A>
<P>Begin by running the AFS initialization script to call the
<B>insmod</B> program, which dynamically loads AFS modifications into the
kernel. Then create partitions for storing AFS volumes. You do
not need to replace the Linux <B>fsck</B> program. If the machine
is to remain an AFS client machine, incorporate AFS into the machine's
Pluggable Authentication Module (PAM) scheme.
<A NAME="IDX2329"></A>
<A NAME="IDX2330"></A>
<A NAME="IDX2331"></A>
<A NAME="IDX2332"></A>
<P><H3><A NAME="HDRWQ42" HREF="auqbg002.htm#ToC_55">Loading AFS into the Linux Kernel</A></H3>
<P>The <B>insmod</B> program is the dynamic kernel loader
for Linux. Linux does not support incorporation of AFS modifications
during a kernel build.
<P>For AFS to function correctly, the <B>insmod</B> program must run each
time the machine reboots, so the AFS initialization script (included on the
AFS CD-ROM) invokes it automatically. The script also includes commands
that select the appropriate AFS library file automatically. In this
section you run the script.
<P>In later sections you verify that the script correctly initializes all AFS
components, then activate a configuration variable, which results in the
script being incorporated into the Linux startup and shutdown sequence.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for Linux on the local <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your Linux documentation. Then change directory
as indicated.
<PRE>
# <B>cd /cdrom/i386_linux22/root.client/usr/vice/etc</B>

</PRE>
<P><LI>Copy the AFS kernel library files to the local
<B>/usr/vice/etc/modload</B> directory. The filenames for the
libraries have the format
<B>libafs-</B><VAR>version</VAR><B>.o</B>, where <VAR>version</VAR>
indicates the kernel build level. The string <B>.mp</B> in
the <VAR>version</VAR> indicates that the file is appropriate for machines
running a multiprocessor kernel.
<PRE>
# <B>cp -rp modload /usr/vice/etc</B>

</PRE>
<P><LI>Copy the AFS initialization script to the local directory for
initialization files (by convention, <B>/etc/rc.d/init.d</B>
on Linux machines). Note the removal of the <B>.rc</B>
extension as you copy the script.
<PRE>
# <B>cp -p afs.rc /etc/rc.d/init.d/afs</B>

</PRE>
<P><LI>Run the AFS initialization script to load AFS extensions into the
kernel. You can ignore any error messages about the inability to start
the BOS Server or the Cache Manager or AFS client.
<PRE>
# <B>/etc/rc.d/init.d/afs start</B>

</PRE>
</OL>
|
|
<A NAME="IDX2333"></A>
<A NAME="IDX2334"></A>
<A NAME="IDX2335"></A>
<A NAME="IDX2336"></A>
<P><H3><A NAME="HDRWQ43" HREF="auqbg002.htm#ToC_56">Configuring Server Partitions on Linux Systems</A></H3>
<P>Every AFS file server machine must have at least one
partition or logical volume dedicated to storing AFS volumes. Each
server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
where <VAR>xx</VAR> is one or two lowercase letters. The
<B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
machine's root directory, not in one of its subdirectories (for example,
<B>/usr/vicepa</B> is not an acceptable directory location). For
additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
<OL TYPE=1>
<P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
partition you are configuring (there must be at least one). Repeat the
command for each partition.
<PRE>
# <B>mkdir /vicep</B><VAR>xx</VAR>

</PRE>
<P><LI>Add a line with the following format to the file systems registry file,
<B>/etc/fstab</B>, for each directory just created. The entry maps
the directory name to the disk partition to be mounted on it.
<PRE>
/dev/<VAR>disk</VAR> /vicep<VAR>xx</VAR> ext2 defaults 0 2
</PRE>
<P>The following is an example for the first partition being
configured.
<PRE>
/dev/sda8 /vicepa ext2 defaults 0 2

</PRE>
<P><LI>Create a file system on each partition that is to be mounted at a
<B>/vicep</B><VAR>xx</VAR> directory. The following command is
probably appropriate, but consult the Linux documentation for more
information.
<PRE>
# <B>mkfs -v /dev/</B><VAR>disk</VAR>

</PRE>
<P><LI>Mount each partition by issuing either the <B>mount -a</B> command to
mount all partitions at once or the <B>mount</B> command to mount each
partition in turn.
<P><LI>If you plan to retain client functionality on this machine after
completing the installation, proceed to <A HREF="#HDRWQ44">Enabling AFS Login on Linux Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</OL>
|
|
<A NAME="IDX2337"></A>
<A NAME="IDX2338"></A>
<A NAME="IDX2339"></A>
<A NAME="IDX2340"></A>
<A NAME="IDX2341"></A>
<P><H3><A NAME="HDRWQ44" HREF="auqbg002.htm#ToC_57">Enabling AFS Login on Linux Systems</A></H3>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</TD></TR></TABLE>
<P>At this point you incorporate AFS into the operating system's
Pluggable Authentication Module (PAM) scheme. PAM integrates all
authentication mechanisms on the machine, including login, to provide the
security infrastructure for authenticated access to and from the
machine.
<P>Explaining PAM is beyond the scope of this document. It is assumed
that you understand the syntax and meanings of settings in the PAM
configuration file (for example, how the <TT>other</TT> entry works, the
effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
<TT>sufficient</TT>, and so on).
<P>The following instructions explain how to alter the entries in the PAM
configuration file for each service for which you wish to use AFS
authentication. Other configurations might also work, but the
instructions specify the recommended and tested configuration.
<P>The recommended AFS-related entries in the PAM configuration file make use
of one or more of the following three attributes.
<DL>
<P><DT><B><TT>try_first_pass</TT>
</B><DD>This is a standard PAM attribute that can be included on entries after the
first one for a service; it directs the module to use the password that
was provided to the first module. For the AFS module, it means that AFS
authentication succeeds if the password provided to the module listed first is
the user's correct AFS password. For further discussion of this
attribute and its alternatives, see the operating system's PAM
documentation.
<P><DT><B><TT>ignore_root</TT>
</B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
only the local superuser <B>root</B>, but also any user with UID 0
(zero).
<P><DT><B><TT>setenv_password_expires</TT>
</B><DD>This attribute, specific to the AFS PAM module, sets the environment
variable PASSWORD_EXPIRES to the expiration date of the user's AFS
password, which is recorded in the Authentication Database.
</DL>
<P>Perform the following steps to enable AFS login.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for Linux on the <B>/cdrom</B> directory, if it
is not already. Then change to the directory for PAM modules, which
depends on which Linux distribution you are using.
<P>If you are using a Linux distribution from Red Hat Software:
<PRE>
# <B>cd /lib/security</B>
</PRE>
<P>If you are using another Linux distribution:
<PRE>
# <B>cd /usr/lib/security</B>

</PRE>
<P><LI>Copy the appropriate AFS authentication library file to the directory to
which you changed in the previous step. Create a symbolic link whose
name does not mention the version. Omitting the version eliminates the
need to edit the PAM configuration file if you later update the library
file.
<P>If you use the AFS Authentication Server (<B>kaserver</B>
process):
<PRE>
# <B>cp /cdrom/i386_linux22/lib/pam_afs.so.1 .</B>

# <B>ln -s pam_afs.so.1 pam_afs.so</B>
</PRE>
<P>If you use a Kerberos implementation of AFS authentication:
<PRE>
# <B>cp /cdrom/i386_linux22/lib/pam_afs.krb.so.1 .</B>

# <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>

</PRE>
<P><LI>For each service with which you want to use AFS authentication, insert an
entry for the AFS PAM module into the <TT>auth</TT> section of the
service's PAM configuration file. (Linux uses a separate
configuration file for each service, unlike some other operating systems which
list all services in a single file.) Mark the entry as
<TT>sufficient</TT> in the second field.
<P>Place the AFS entry below any entries that impose conditions under which
you want the service to fail for a user who does not meet the entry's
requirements. Mark these entries <TT>required</TT>. Place the
AFS entry above any entries that need to execute only if AFS authentication
fails.
<P>Insert the following AFS entry if using the Red Hat distribution:
<PRE>
auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
</PRE>
<P>Insert the following AFS entry if using another distribution:
<PRE>
auth sufficient /usr/lib/security/pam_afs.so try_first_pass ignore_root
</PRE>
<P>The following example illustrates the recommended configuration of the
configuration file for the <B>login</B> service
(<B>/etc/pam.d/login</B>) on a machine using the Red Hat
distribution.
<PRE>
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session required /lib/security/pam_pwdb.so

</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
</OL>
|
|
<HR><H2><A NAME="HDRWQ45" HREF="auqbg002.htm#ToC_58">Getting Started on Solaris Systems</A></H2>
<P>Begin by running the AFS initialization script to call the
<B>modload</B> program distributed by Sun Microsystems, which dynamically
loads AFS modifications into the kernel. Then create partitions for
storing AFS volumes, and install and configure the AFS-modified
<B>fsck</B> program to run on AFS server partitions. If the machine
is to remain an AFS client machine, incorporate AFS into the machine's
Pluggable Authentication Module (PAM) scheme.
<A NAME="IDX2342"></A>
<A NAME="IDX2343"></A>
<A NAME="IDX2344"></A>
<A NAME="IDX2345"></A>
<P><H3><A NAME="HDRWQ46" HREF="auqbg002.htm#ToC_59">Loading AFS into the Solaris Kernel</A></H3>
<P>The <B>modload</B> program is the dynamic kernel loader
provided by Sun Microsystems for Solaris systems. Solaris does not
support incorporation of AFS modifications during a kernel build.
<P>For AFS to function correctly, the <B>modload</B> program must run each
time the machine reboots, so the AFS initialization script (included on the
AFS CD-ROM) invokes it automatically. In this section you copy the
appropriate AFS library file to the location where the <B>modload</B>
program accesses it and then run the script.
<P>In later sections you verify that the script correctly initializes all AFS
components, then create the links that incorporate AFS into the Solaris
startup and shutdown sequence.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for Solaris on the <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your Solaris documentation. Then change
directory as indicated.
<PRE>
# <B>cd /cdrom/sun4x_56/root.client/usr/vice/etc</B>

</PRE>
<P><LI>Copy the AFS initialization script to the local directory for
initialization files (by convention, <B>/etc/init.d</B> on Solaris
machines). Note the removal of the <B>.rc</B> extension as
you copy the script.
<PRE>
# <B>cp -p afs.rc /etc/init.d/afs</B>

</PRE>
<P><LI>Copy the appropriate AFS kernel library file to the local file
<B>/kernel/fs/afs</B>.
<P>If the machine is running Solaris 2.6 or the 32-bit version of
Solaris 7, its kernel supports NFS server functionality, and the
<B>nfsd</B> process is running:
<PRE>
# <B>cp -p modload/libafs.o /kernel/fs/afs</B>
</PRE>
<P>If the machine is running Solaris 2.6 or the 32-bit version of
Solaris 7, and its kernel does not support NFS server functionality or the
<B>nfsd</B> process is not running:
<PRE>
# <B>cp -p modload/libafs.nonfs.o /kernel/fs/afs</B>
</PRE>
<P>If the machine is running the 64-bit version of Solaris 7, its kernel
supports NFS server functionality, and the <B>nfsd</B> process is
running:
<PRE>
# <B>cp -p modload/libafs64.o /kernel/fs/sparcv9/afs</B>
</PRE>
<P>If the machine is running the 64-bit version of Solaris 7, and its
kernel does not support NFS server functionality or the <B>nfsd</B>
process is not running:
<PRE>
# <B>cp -p modload/libafs64.nonfs.o /kernel/fs/sparcv9/afs</B>

</PRE>
<P><LI>Run the AFS initialization script to load AFS modifications into the
kernel. You can ignore any error messages about the inability to start
the BOS Server or the Cache Manager or AFS client.
<PRE>
# <B>/etc/init.d/afs start</B>
</PRE>
<P>When an entry called <TT>afs</TT> does not already exist in the local
<B>/etc/name_to_sysnum</B> file, the script automatically creates it and
reboots the machine to start using the new version of the file. If this
happens, log in again as the superuser <B>root</B> after the reboot and
run the initialization script again. This time the required entry
exists in the <B>/etc/name_to_sysnum</B> file, and the <B>modload</B>
program runs.
<PRE>
login: <B>root</B>
Password: <VAR>root_password</VAR>

# <B>/etc/init.d/afs start</B>

</PRE>
</OL>
|
|
<A NAME="IDX2346"></A>
<A NAME="IDX2347"></A>
<A NAME="IDX2348"></A>
<A NAME="IDX2349"></A>
<P><H3><A NAME="HDRWQ47" HREF="auqbg002.htm#ToC_60">Configuring the AFS-modified fsck Program on Solaris Systems</A></H3>
<P>In this section, you make modifications to guarantee that the
appropriate <B>fsck</B> program runs on AFS server partitions. The
<B>fsck</B> program provided with the operating system must never run on
AFS server partitions. Because it does not recognize the structures
that the File Server uses to organize volume data, it removes all of the
data. To repeat:
<P><B>Never run the standard fsck program on AFS server partitions.
It discards AFS volumes.</B>
<OL TYPE=1>
<P><LI>Create the <B>/usr/lib/fs/afs</B> directory to house the AFS-modified
<B>fsck</B> program and related files.
<PRE>
# <B>mkdir /usr/lib/fs/afs</B>

# <B>cd /usr/lib/fs/afs</B>

</PRE>
<P><LI>Copy the <B>vfsck</B> binary to the newly created directory, changing
the name as you do so.
<PRE>
# <B>cp /cdrom/sun4x_56/root.server/etc/vfsck fsck</B>

</PRE>
<P><LI>Working in the <B>/usr/lib/fs/afs</B> directory, create the following
links to Solaris libraries:
<PRE>
# <B>ln -s /usr/lib/fs/ufs/clri</B>
# <B>ln -s /usr/lib/fs/ufs/df</B>
# <B>ln -s /usr/lib/fs/ufs/edquota</B>
# <B>ln -s /usr/lib/fs/ufs/ff</B>
# <B>ln -s /usr/lib/fs/ufs/fsdb</B>
# <B>ln -s /usr/lib/fs/ufs/fsirand</B>
# <B>ln -s /usr/lib/fs/ufs/fstyp</B>
# <B>ln -s /usr/lib/fs/ufs/labelit</B>
# <B>ln -s /usr/lib/fs/ufs/lockfs</B>
# <B>ln -s /usr/lib/fs/ufs/mkfs</B>
# <B>ln -s /usr/lib/fs/ufs/mount</B>
# <B>ln -s /usr/lib/fs/ufs/ncheck</B>
# <B>ln -s /usr/lib/fs/ufs/newfs</B>
# <B>ln -s /usr/lib/fs/ufs/quot</B>
# <B>ln -s /usr/lib/fs/ufs/quota</B>
# <B>ln -s /usr/lib/fs/ufs/quotaoff</B>
# <B>ln -s /usr/lib/fs/ufs/quotaon</B>
# <B>ln -s /usr/lib/fs/ufs/repquota</B>
# <B>ln -s /usr/lib/fs/ufs/tunefs</B>
# <B>ln -s /usr/lib/fs/ufs/ufsdump</B>
# <B>ln -s /usr/lib/fs/ufs/ufsrestore</B>
# <B>ln -s /usr/lib/fs/ufs/volcopy</B>

</PRE>
<P><LI>Append the following line to the end of the file
<B>/etc/dfs/fstypes</B>.
<PRE>
afs AFS Utilities

</PRE>
<P><LI>Edit the <B>/sbin/mountall</B> file, making two changes.
<UL>
<P><LI>Add an entry for AFS to the <TT>case</TT> statement for option 2, so
that it reads as follows:
<PRE>
case "$2" in
    ufs)    foptions="-o p"
            ;;
    afs)    foptions="-o p"
            ;;
    s5)     foptions="-y -t /var/tmp/tmp$$ -D"
            ;;
    *)      foptions="-y"
            ;;

</PRE>
<P><LI>Edit the file so that all AFS and UFS partitions are checked in
parallel. Replace the following section of code:
<PRE>
# For fsck purposes, we make a distinction between ufs and
# other file systems
#
if [ "$fstype" = "ufs" ]; then
    ufs_fscklist="$ufs_fscklist $fsckdev"
    saveentry $fstype "$OPTIONS" $special $mountp
    continue
fi
</PRE>
<P>with the following section of code:
<PRE>
# For fsck purposes, we make a distinction between ufs/afs
# and other file systems.
#
if [ "$fstype" = "ufs" -o "$fstype" = "afs" ]; then
    ufs_fscklist="$ufs_fscklist $fsckdev"
    saveentry $fstype "$OPTIONS" $special $mountp
    continue
fi

</PRE>
</UL>
</OL>
|
|
<A NAME="IDX2350"></A>
<A NAME="IDX2351"></A>
<A NAME="IDX2352"></A>
<A NAME="IDX2353"></A>
<P><H3><A NAME="HDRWQ48" HREF="auqbg002.htm#ToC_61">Configuring Server Partitions on Solaris Systems</A></H3>
<P>Every AFS file server machine must have at least one
partition or logical volume dedicated to storing AFS volumes. Each
server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
where <VAR>xx</VAR> is one or two lowercase letters. The
<B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
machine's root directory, not in one of its subdirectories (for example,
<B>/usr/vicepa</B> is not an acceptable directory location). For
additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
<OL TYPE=1>
<P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
partition you are configuring (there must be at least one). Repeat the
command for each partition.
<PRE>
# <B>mkdir /vicep</B><VAR>xx</VAR>

</PRE>
<P><LI>Add a line with the following format to the file systems registry file,
<B>/etc/vfstab</B>, for each partition to be mounted on a directory
created in the previous step. Note the value <TT>afs</TT> in the
fourth field, which tells Solaris to use the AFS-modified <B>fsck</B>
program on this partition.
<PRE>
/dev/dsk/<VAR>disk</VAR> /dev/rdsk/<VAR>disk</VAR> /vicep<VAR>xx</VAR> afs <VAR>boot_order</VAR> yes
</PRE>
<P>The following is an example for the first partition being
configured.
<PRE>
/dev/dsk/c0t6d0s1 /dev/rdsk/c0t6d0s1 /vicepa afs 3 yes

</PRE>
<P><LI>Create a file system on each partition that is to be mounted at a
<B>/vicep</B><VAR>xx</VAR> directory. The following command is
probably appropriate, but consult the Solaris documentation for more
information.
<PRE>
# <B>newfs -v /dev/rdsk/</B><VAR>disk</VAR>

</PRE>
<P><LI>Issue the <B>mountall</B> command to mount all partitions at
once.
<P><LI>If you plan to retain client functionality on this machine after
completing the installation, proceed to <A HREF="#HDRWQ49">Enabling AFS Login and Editing the File Systems Clean-up Script on Solaris Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</OL>
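<P>The partition naming rule stated in both the Linux and the Solaris partition sections (<B>/vicep</B> plus one or two lowercase letters, directly under the root directory) and the <TT>afs</TT> type required in the fourth <B>/etc/vfstab</B> field are easy to get wrong by hand, and a wrong <B>vfstab</B> type means the stock <B>fsck</B> runs on the partition and discards its volumes. The following Python script is an added illustration, not part of the AFS distribution or of this guide's procedure: it checks <B>/etc/fstab</B>-style and <B>/etc/vfstab</B>-style text against those two rules. The sample entries and all function names are constructed for this example.

```python
import re

# Server partitions must be mounted at /vicep plus one or two lowercase
# letters, directly under the root directory (so /usr/vicepa and /vicepA fail).
VICEP_RE = re.compile(r"^/vicep[a-z]{1,2}$")

# Constructed sample registry files for this example (not taken from a host).
LINUX_FSTAB = """\
# device     mountpoint   type options  dump pass
/dev/sda8    /vicepa      ext2 defaults 0    2
/dev/sda9    /usr/vicepb  ext2 defaults 0    2
/dev/sda10   /vicepA      ext2 defaults 0    2
/dev/sda1    /            ext2 defaults 1    1
"""
SOLARIS_VFSTAB = """\
# device           device-to-fsck     mount   FS  pass at-boot
/dev/dsk/c0t6d0s1  /dev/rdsk/c0t6d0s1 /vicepa afs 3    yes
/dev/dsk/c0t6d0s3  /dev/rdsk/c0t6d0s3 /vicepb ufs 3    yes
"""

NAME_RULE = "must be /vicep plus one or two lowercase letters, directly under /"


def is_vicep_name(mountpoint):
    """True only for /vicepa ... /vicepzz in the root directory."""
    return VICEP_RE.match(mountpoint) is not None


def _entries(text):
    """Yield the whitespace-split fields of each non-comment, non-blank line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()


def check_linux_fstab(text):
    """Check /etc/fstab-style text; fields are device, mountpoint, type, ...

    Returns a list of (mountpoint, problem) for AFS server partition entries.
    """
    problems = []
    for fields in _entries(text):
        if len(fields) < 3:
            problems.append((" ".join(fields), "malformed entry"))
            continue
        mountpoint = fields[1]
        if "vicep" in mountpoint and not is_vicep_name(mountpoint):
            problems.append((mountpoint, NAME_RULE))
    return problems


def check_solaris_vfstab(text):
    """Check /etc/vfstab-style text; fields are device, raw device, mountpoint,
    type, fsck pass, mount-at-boot, ...

    Besides the naming rule, the type must be afs, which is what makes Solaris
    run the AFS-modified fsck instead of the stock one on the partition.
    """
    problems = []
    for fields in _entries(text):
        if len(fields) < 6:
            problems.append((" ".join(fields), "malformed entry"))
            continue
        mountpoint, fstype = fields[2], fields[3]
        if "vicep" not in mountpoint:
            continue
        if not is_vicep_name(mountpoint):
            problems.append((mountpoint, NAME_RULE))
        if fstype != "afs":
            problems.append((mountpoint, "type is %s, must be afs so the "
                             "AFS-modified fsck runs on it" % fstype))
    return problems


if __name__ == "__main__":
    for name, result in (("fstab", check_linux_fstab(LINUX_FSTAB)),
                         ("vfstab", check_solaris_vfstab(SOLARIS_VFSTAB))):
        for mountpoint, problem in result:
            print("%s: %s: %s" % (name, mountpoint, problem))
```

On a real machine, pass the contents of <B>/etc/fstab</B> or <B>/etc/vfstab</B> to the matching function before running <B>mount -a</B> or <B>mountall</B>; the two constructed samples produce three findings (<B>/usr/vicepb</B> and <B>/vicepA</B> for the naming rule, <B>/vicepb</B> for the <TT>ufs</TT> type).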
|
|
<A NAME="IDX2354"></A>
<A NAME="IDX2355"></A>
<A NAME="IDX2356"></A>
<A NAME="IDX2357"></A>
<A NAME="IDX2358"></A>
<A NAME="IDX2359"></A>
<A NAME="IDX2360"></A>
<A NAME="IDX2361"></A>
<P><H3><A NAME="HDRWQ49" HREF="auqbg002.htm#ToC_62">Enabling AFS Login and Editing the File Systems Clean-up Script on Solaris Systems</A></H3>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</TD></TR></TABLE>
<P>At this point you incorporate AFS into the operating system's
Pluggable Authentication Module (PAM) scheme. PAM integrates all
authentication mechanisms on the machine, including login, to provide the
security infrastructure for authenticated access to and from the
machine.
<P>Explaining PAM is beyond the scope of this document. It is assumed
that you understand the syntax and meanings of settings in the PAM
configuration file (for example, how the <TT>other</TT> entry works, the
effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
<TT>sufficient</TT>, and so on).
<P>The following instructions explain how to alter the entries in the PAM
configuration file for each service for which you wish to use AFS
authentication. Other configurations might also work, but the
instructions specify the recommended and tested configuration.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">The instructions specify that you mark each entry as
<TT>optional</TT>. However, marking some modules as optional can mean
that they grant access to the corresponding service even when the user does
not meet all of the module's requirements. In some operating
system revisions, for example, if you mark as optional the module that
controls login via a dial-up connection, it allows users to log in without
providing a password. See the <I>IBM AFS Release Notes</I> for a
discussion of any limitations that apply to this operating system.
<P>Also, with some operating system versions you must install patches for PAM
to interact correctly with certain authentication programs. For
details, see the <I>IBM AFS Release Notes</I>.
</TD></TR></TABLE>
<P>The recommended AFS-related entries in the PAM configuration file make use
of one or more of the following three attributes.
<DL>
<P><DT><B><TT>try_first_pass</TT>
</B><DD>This is a standard PAM attribute that can be included on entries after the
first one for a service; it directs the module to use the password that
was provided to the first module. For the AFS module, it means that AFS
authentication succeeds if the password provided to the module listed first is
the user's correct AFS password. For further discussion of this
attribute and its alternatives, see the operating system's PAM
documentation.
<P><DT><B><TT>ignore_root</TT>
</B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
only the local superuser <B>root</B>, but also any user with UID 0
(zero).
<P><DT><B><TT>setenv_password_expires</TT>
</B><DD>This attribute, specific to the AFS PAM module, sets the environment
variable PASSWORD_EXPIRES to the expiration date of the user's AFS
password, which is recorded in the Authentication Database.
</DL>
<P>Perform the following steps to enable AFS login.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for Solaris on the <B>/cdrom</B> directory, if it
is not already. Then change directory as indicated.
<PRE>
# <B>cd /usr/lib/security</B>

</PRE>
<P><LI>Copy the AFS authentication library file to the
<B>/usr/lib/security</B> directory. Then create a symbolic link to
it whose name does not mention the version. Omitting the version
eliminates the need to edit the PAM configuration file if you later update the
library file.
<P>If you use the AFS Authentication Server (<B>kaserver</B>
process):
<PRE>
# <B>cp /cdrom/sun4x_56/lib/pam_afs.so.1 .</B>

# <B>ln -s pam_afs.so.1 pam_afs.so</B>
</PRE>
<P>If you use a Kerberos implementation of AFS authentication:
<PRE>
# <B>cp /cdrom/sun4x_56/lib/pam_afs.krb.so.1 .</B>

# <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>

</PRE>
<P><LI>Edit the <TT>Authentication management</TT> section of the Solaris PAM
configuration file, <B>/etc/pam.conf</B> by convention. The
entries in this section have the value <TT>auth</TT> in their second
field.
<P>First edit the standard entries, which refer to the Solaris PAM module
(usually, the file <B>/usr/lib/security/pam_unix.so.1</B>)
in their fourth field. For each service for which you want to use AFS
authentication, edit the third field of its entry to read
<TT>optional</TT>. The <B>pam.conf</B> file in the Solaris
distribution usually includes standard entries for the <B>login</B>,
<B>rlogin</B>, and <B>rsh</B> services, for instance.
<P>If there are services for which you want to use AFS authentication, but for
which the <B>pam.conf</B> file does not already include a standard
entry, you must create that entry and place the value <TT>optional</TT> in
its third field. For instance, the Solaris <B>pam.conf</B>
file does not usually include standard entries for the <B>ftp</B> or
<B>telnet</B> services.
<P>Then create an AFS-related entry for each service, placing it immediately
below the standard entry. The following example shows what the
<TT>Authentication Management</TT> section looks like after you have
edited or created entries for the services mentioned previously. Note
that the example AFS entries appear on two lines only for legibility.
<PRE>
login auth optional /usr/lib/security/pam_unix.so.1
login auth optional /usr/lib/security/pam_afs.so \
        try_first_pass ignore_root setenv_password_expires
rlogin auth optional /usr/lib/security/pam_unix.so.1
rlogin auth optional /usr/lib/security/pam_afs.so \
        try_first_pass ignore_root setenv_password_expires
rsh auth optional /usr/lib/security/pam_unix.so.1
rsh auth optional /usr/lib/security/pam_afs.so \
        try_first_pass ignore_root
ftp auth optional /usr/lib/security/pam_unix.so.1
ftp auth optional /usr/lib/security/pam_afs.so \
        try_first_pass ignore_root
telnet auth optional /usr/lib/security/pam_unix.so.1
telnet auth optional /usr/lib/security/pam_afs.so \
        try_first_pass ignore_root setenv_password_expires

</PRE>
<P><LI>If you use the Common Desktop Environment (CDE) on the machine and want
users to obtain an AFS token as they log in, also add or edit the following
four entries in the <TT>Authentication management</TT> section. Note
that the AFS-related entries appear on two lines here only for
legibility.
<PRE>
dtlogin auth optional /usr/lib/security/pam_unix.so.1
dtlogin auth optional /usr/lib/security/pam_afs.so \
        try_first_pass ignore_root
dtsession auth optional /usr/lib/security/pam_unix.so.1
dtsession auth optional /usr/lib/security/pam_afs.so \
        try_first_pass ignore_root

</PRE>
<P><LI>Some Solaris distributions include a script that locates and removes
unneeded files from various file systems. Its conventional location is
<B>/usr/lib/fs/nfs/nfsfind</B>. The script generally uses an
argument to the <B>find</B> command to define which file systems to
search. In this step you modify the command to exclude the
<B>/afs</B> directory. Otherwise, the command traverses the AFS
filespace of every cell that is accessible from the machine, which can take
many hours. The following alterations are possibilities, but you must
verify that they are appropriate for your cell.
<P>The first possible alteration is to add the <B>-local</B> flag to the
existing command, so that it looks like the following:
<PRE>
find $dir -local -name .nfs\* -mtime +7 -mount -exec rm -f {} \;
</PRE>
<P>Another alternative is to exclude any directories whose names begin with
the lowercase letter <B>a</B> or a non-alphabetic character.
<PRE>
find /[A-Zb-z]* <VAR>remainder of existing command</VAR>
</PRE>
<P>Do not use the following command, which still searches under the
<B>/afs</B> directory, looking for a subdirectory of type
<B>4.2</B>.
<PRE>
find / -fstype 4.2 /* <VAR>do not use</VAR> */

</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
</OL>
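<P>The placement rules for the AFS PAM entry are the security-relevant part of both login sections: on Solaris the AFS entry sits immediately below the <B>pam_unix</B> entry of its service, and on Linux (see <A HREF="#HDRWQ44">Enabling AFS Login on Linux Systems</A>) it is marked <TT>sufficient</TT>, below the <TT>required</TT> gating entries and above the fallback password entry. The Linux ordering matters because of standard PAM semantics: a failing <TT>sufficient</TT> module is ignored, so if the AFS entry were the last <TT>auth</TT> entry, a wrong AFS password would leave only <B>pam_securetty</B> and <B>pam_nologin</B> to decide, and neither checks a password. The following Python script is an added example, not code from the AFS distribution or this guide: it parses both the Linux per-service file format and the Solaris <B>pam.conf</B> format and reports deviations from these rules. The sample configurations are constructed for the example (the good ones follow the guide's recommended layouts), and all function names are this example's own.

```python
import posixpath

# Constructed sample PAM configurations (not copied from any real host).
# Linux: the recommended /etc/pam.d/login stack with pam_afs marked sufficient
# and a required password module after it.
LINUX_LOGIN_OK = """\
#%PAM-1.0
auth     required   /lib/security/pam_securetty.so
auth     required   /lib/security/pam_nologin.so
auth     sufficient /lib/security/pam_afs.so try_first_pass ignore_root
auth     required   /lib/security/pam_pwdb.so shadow nullok
account  required   /lib/security/pam_pwdb.so
"""
# Linux: a misconfigured stack. pam_afs is last, so a wrong AFS password is
# ignored and the two required entries (which check no password) decide.
LINUX_LOGIN_BAD = """\
auth     required   /lib/security/pam_securetty.so
auth     required   /lib/security/pam_nologin.so
auth     sufficient /lib/security/pam_afs.so ignore_root
"""
# Solaris pam.conf: login follows the documented layout; ftp has the AFS
# entry above, not below, the standard pam_unix entry.
SOLARIS_PAM_CONF = """\
login  auth optional /usr/lib/security/pam_unix.so.1
login  auth optional /usr/lib/security/pam_afs.so \\
       try_first_pass ignore_root setenv_password_expires
ftp    auth optional /usr/lib/security/pam_afs.so try_first_pass ignore_root
ftp    auth optional /usr/lib/security/pam_unix.so.1
"""


def _logical_lines(text):
    """Yield non-comment lines with backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if line and not line.startswith("#"):
            yield line


def _entry(service, fields):
    return {"service": service, "type": fields[0], "control": fields[1],
            "module": posixpath.basename(fields[2]), "args": fields[3:]}


def parse_pam_d(text, service):
    """Parse a Linux per-service file: type control module-path [args]."""
    return [_entry(service, f) for f in map(str.split, _logical_lines(text))
            if len(f) >= 3]


def parse_pam_conf(text):
    """Parse a Solaris pam.conf: service type control module-path [args]."""
    return [_entry(f[0], f[1:]) for f in map(str.split, _logical_lines(text))
            if len(f) >= 4]


def check_auth_stack(entries, service, style):
    """Return a list of findings for one service's auth stack.

    style is "linux" (AFS entry sufficient, a required entry after it) or
    "solaris" (AFS entry optional, immediately below the pam_unix entry).
    """
    auth = [e for e in entries if e["service"] == service and e["type"] == "auth"]
    afs_pos = [i for i, e in enumerate(auth) if e["module"].startswith("pam_afs")]
    if not afs_pos:
        return ["%s: no pam_afs entry in the auth stack" % service]
    i = afs_pos[0]
    afs = auth[i]
    findings = []
    for arg in ("try_first_pass", "ignore_root"):
        if arg not in afs["args"]:
            findings.append("%s: pam_afs entry lacks %s" % (service, arg))
    if style == "linux":
        if afs["control"] != "sufficient":
            findings.append("%s: pam_afs control is %s, expected sufficient"
                            % (service, afs["control"]))
        if not any(e["control"] == "required" for e in auth[i + 1:]):
            findings.append("%s: no required entry after pam_afs, so a wrong "
                            "AFS password never reaches a local password check"
                            % service)
    else:
        if afs["control"] != "optional":
            findings.append("%s: pam_afs control is %s, expected optional"
                            % (service, afs["control"]))
        if i == 0 or not auth[i - 1]["module"].startswith("pam_unix"):
            findings.append("%s: pam_afs entry is not immediately below the "
                            "pam_unix entry" % service)
    return findings


if __name__ == "__main__":
    print(check_auth_stack(parse_pam_d(LINUX_LOGIN_OK, "login"), "login", "linux"))
    print(check_auth_stack(parse_pam_d(LINUX_LOGIN_BAD, "login"), "login", "linux"))
    conf = parse_pam_conf(SOLARIS_PAM_CONF)
    for svc in ("login", "ftp"):
        print(check_auth_stack(conf, svc, "solaris"))
```

The recommended Linux and Solaris <B>login</B> stacks produce no findings; the constructed bad Linux stack is reported both for the missing <TT>try_first_pass</TT> and for the missing <TT>required</TT> entry after <B>pam_afs</B>, and the misordered Solaris <B>ftp</B> service is reported once. Run the check against the real <B>/etc/pam.d/</B><VAR>service</VAR> file or <B>/etc/pam.conf</B> after editing, before logging out of the root session used for the edit.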
|
|
<A NAME="IDX2362"></A>
<A NAME="IDX2363"></A>
<A NAME="IDX2364"></A>
<A NAME="IDX2365"></A>
<A NAME="IDX2366"></A>
<A NAME="IDX2367"></A>
<A NAME="IDX2368"></A>
<HR><H2><A NAME="HDRWQ50" HREF="auqbg002.htm#ToC_63">Starting the BOS Server</A></H2>
<P>You are now ready to start the AFS server processes on this
machine. Begin by copying the AFS server binaries from the CD-ROM to
the conventional local disk location, the <B>/usr/afs/bin</B>
directory. The following instructions also create files in other
subdirectories of the <B>/usr/afs</B> directory.
<P>Then issue the <B>bosserver</B> command to initialize the Basic
OverSeer (BOS) Server, which monitors and controls other AFS server processes
on its server machine. Include the <B>-noauth</B> flag to disable
authorization checking. Because you have not yet configured your
cell's AFS authentication and authorization mechanisms, the BOS Server
cannot perform authorization checking as it does during normal
operation. In no-authorization mode, it does not verify the identity or
privilege of the issuer of a <B>bos</B> command, and so performs any
operation for anyone.
<P>Disabling authorization checking gravely compromises cell security.
You must complete all subsequent steps in one uninterrupted pass and must not
leave the machine unattended until you restart the BOS Server with
authorization checking enabled, in <A HREF="#HDRWQ72">Verifying the AFS Initialization Script</A>.
|
|
<P>As it initializes for the first time, the BOS Server creates the following
|
|
directories and files, setting the owner to the local superuser
|
|
<B>root</B> and the mode bits to limit the ability to write (and in some
|
|
cases, read) them. For a description of the contents and function of
|
|
these directories and files, see the chapter in the <I>IBM AFS
|
|
Administration Guide</I> about administering server machines. For
|
|
further discussion of the mode bit settings, see <A HREF="#HDRWQ96">Protecting Sensitive AFS Directories</A>.
|
|
<A NAME="IDX2369"></A>
|
|
<A NAME="IDX2370"></A>
|
|
<A NAME="IDX2371"></A>
|
|
<A NAME="IDX2372"></A>
|
|
<A NAME="IDX2373"></A>
|
|
<A NAME="IDX2374"></A>
|
|
<A NAME="IDX2375"></A>
|
|
<A NAME="IDX2376"></A>
|
|
<A NAME="IDX2377"></A>
|
|
<A NAME="IDX2378"></A>
|
|
<A NAME="IDX2379"></A>
|
|
<UL>
|
|
<P><LI><B>/usr/afs/db</B>
|
|
<P><LI><B>/usr/afs/etc/CellServDB</B>
|
|
<P><LI><B>/usr/afs/etc/ThisCell</B>
|
|
<P><LI><B>/usr/afs/local</B>
|
|
<P><LI><B>/usr/afs/logs</B>
|
|
</UL>
|
|
<P>The BOS Server also creates symbolic links called
|
|
<B>/usr/vice/etc/ThisCell</B> and <B>/usr/vice/etc/CellServDB</B> to
|
|
the corresponding files in the <B>/usr/afs/etc</B> directory. The
|
|
AFS command interpreters consult the <B>CellServDB</B> and
|
|
<B>ThisCell</B> files in the <B>/usr/vice/etc</B> directory because
|
|
they generally run on client machines. On machines that are AFS servers
|
|
only (as this machine currently is), the files reside only in the
|
|
<B>/usr/afs/etc</B> directory; the links enable the command
|
|
interpreters to retrieve the information they need. Later instructions
|
|
for installing the client functionality replace the links with actual
|
|
files.
|
|
<OL TYPE=1>
|
|
<P><LI>On the local <B>/cdrom</B> directory, mount the AFS CD-ROM for this
|
|
machine's system type, if it is not already. For instructions on
|
|
mounting CD-ROMs (either locally or remotely via NFS), consult the operating
|
|
system documentation.
|
|
<P><LI>Copy files from the CD-ROM to the local <B>/usr/afs</B>
|
|
directory.
|
|
<PRE>
|
|
# <B>cd /cdrom/</B><VAR>sysname</VAR><B>/root.server/usr/afs</B>
|
|
|
|
# <B>cp -rp * /usr/afs</B>
|
|
|
|
</PRE>
|
|
<A NAME="IDX2380"></A>
|
|
<A NAME="IDX2381"></A>
|
|
<P><LI>Issue the <B>bosserver</B> command. Include the
|
|
<B>-noauth</B> flag to disable authorization checking.
|
|
<PRE>
|
|
# <B>/usr/afs/bin/bosserver -noauth &</B>
|
|
|
|
</PRE>
|
|
<P><LI>Verify that the BOS Server created <B>/usr/vice/etc/ThisCell</B> and
|
|
<B>/usr/vice/etc/CellServDB</B> as symbolic links to the corresponding
|
|
files in the <B>/usr/afs/etc</B> directory.
|
|
<PRE>
|
|
# <B>ls -l /usr/vice/etc</B>
|
|
</PRE>
|
|
<P>If either or both of <B>/usr/vice/etc/ThisCell</B> and
|
|
<B>/usr/vice/etc/CellServDB</B> do not exist, or are not links, issue the
|
|
following commands.
|
|
<PRE>
|
|
# <B>cd /usr/vice/etc</B>
|
|
|
|
# <B>ln -s /usr/afs/etc/ThisCell</B>
|
|
|
|
# <B>ln -s /usr/afs/etc/CellServDB</B>
|
|
|
|
</PRE>
|
|
</OL>
|
|
<A NAME="IDX2382"></A>
|
|
<A NAME="IDX2383"></A>
|
|
<A NAME="IDX2384"></A>
|
|
<A NAME="IDX2385"></A>
|
|
<A NAME="IDX2386"></A>
|
|
<A NAME="IDX2387"></A>
|
|
<A NAME="IDX2388"></A>
|
|
<A NAME="IDX2389"></A>
|
|
<A NAME="IDX2390"></A>
|
|
<A NAME="IDX2391"></A>
|
|
<A NAME="IDX2392"></A>
|
|
<A NAME="IDX2393"></A>
|
|
<A NAME="IDX2394"></A>
|
|
<A NAME="IDX2395"></A>
|
|
<A NAME="IDX2396"></A>
|
|
<A NAME="IDX2397"></A>
|
|
<A NAME="IDX2398"></A>
|
|
<HR><H2><A NAME="HDRWQ51" HREF="auqbg002.htm#ToC_64">Defining Cell Name and Membership for Server Processes</A></H2>
<P>Now assign your cell's name. The chapter in the
<I>IBM AFS Administration Guide</I> about cell configuration and
administration issues discusses the important considerations, explains why
changing the name is difficult, and outlines the restrictions on name
format. Two of the most important restrictions are that the name cannot
include uppercase letters or more than 64 characters.
<P>Use the <B>bos setcellname</B> command to assign the cell name.
It creates two files:
<UL>
<P><LI><B>/usr/afs/etc/ThisCell</B>, which defines this machine's cell
membership
<P><LI><B>/usr/afs/etc/CellServDB</B>, which lists the cell's database
server machines; the machine named on the command line is placed on the
list automatically
</UL>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">In the following and every instruction in this guide, for the
<VAR>machine name</VAR> argument substitute the fully-qualified hostname
(such as <B>fs1.abc.com</B>) of the machine you are
installing. For the <VAR>cell name</VAR> argument substitute your
cell's complete name (such as <B>abc.com</B>).
</TD></TR></TABLE>
<A NAME="IDX2399"></A>
<A NAME="IDX2400"></A>
<OL TYPE=1>
<P><LI>Issue the <B>bos setcellname</B> command to set the cell name.
<PRE>
# <B>cd /usr/afs/bin</B>
# <B>./bos setcellname</B> <<VAR>machine name</VAR>> <<VAR>cell name</VAR>> <B>-noauth</B>
</PRE>
<P>Because you are not authenticated and authorization checking is disabled,
the <B>bos</B> command interpreter possibly produces error messages about
being unable to obtain tickets and running unauthenticated. You can
safely ignore the messages.
<A NAME="IDX2401"></A>
<A NAME="IDX2402"></A>
<A NAME="IDX2403"></A>
<A NAME="IDX2404"></A>
<P><LI>Issue the <B>bos listhosts</B> command to verify that the machine you
are installing is now registered as the cell's first database server
machine.
<PRE>
# <B>./bos listhosts</B> <<VAR>machine name</VAR>> <B>-noauth</B>
Cell name is <VAR>cell_name</VAR>
Host 1 is <VAR>machine_name</VAR>
</PRE>
</OL>
<A NAME="IDX2405"></A>
<A NAME="IDX2406"></A>
<A NAME="IDX2407"></A>
<A NAME="IDX2408"></A>
<A NAME="IDX2409"></A>
<A NAME="IDX2410"></A>
<A NAME="IDX2411"></A>
<A NAME="IDX2412"></A>
<A NAME="IDX2413"></A>
<A NAME="IDX2414"></A>
<A NAME="IDX2415"></A>
<A NAME="IDX2416"></A>
<A NAME="IDX2417"></A>
<A NAME="IDX2418"></A>
<A NAME="IDX2419"></A>
<A NAME="IDX2420"></A>
<A NAME="IDX2421"></A>
<A NAME="IDX2422"></A>
<A NAME="IDX2423"></A>
<A NAME="IDX2424"></A>
<A NAME="IDX2425"></A>
<A NAME="IDX2426"></A>
<A NAME="IDX2427"></A>
<A NAME="IDX2428"></A>
<A NAME="IDX2429"></A>
<HR><H2><A NAME="HDRWQ52" HREF="auqbg002.htm#ToC_65">Starting the Database Server Processes</A></H2>
<P>Next use the <B>bos create</B> command to create entries
for the four database server processes in the
<B>/usr/afs/local/BosConfig</B> file and start them running. The
four processes run on database server machines only:
<UL>
<P><LI>The Authentication Server (the <B>kaserver</B> process) maintains the
Authentication Database
<P><LI>The Backup Server (the <B>buserver</B> process) maintains the Backup
Database
<P><LI>The Protection Server (the <B>ptserver</B> process) maintains the
Protection Database
<P><LI>The Volume Location (VL) Server (the <B>vlserver</B> process)
maintains the Volume Location Database (VLDB)
</UL>
<A NAME="IDX2430"></A>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">AFS's authentication and authorization software is based on algorithms
and other procedures known as <I>Kerberos</I>, as originally developed by
Project Athena at the Massachusetts Institute of Technology. Some cells
choose to replace the AFS Authentication Server and other security-related
protocols with Kerberos as obtained directly from Project Athena or other
sources. If you wish to do this, contact the AFS Product Support group
now to learn about necessary modifications to the installation.
</TD></TR></TABLE>
<P>The remaining instructions in this chapter include the <B>-cell</B>
argument on all applicable commands. Provide the cell name you assigned
in <A HREF="#HDRWQ51">Defining Cell Name and Membership for Server Processes</A>. If a command appears on multiple lines, it is only
for legibility.
<A NAME="IDX2431"></A>
<A NAME="IDX2432"></A>
<OL TYPE=1>
<P><LI>Issue the <B>bos create</B> command to start the Authentication
Server. The current working directory is still
<B>/usr/afs/bin</B>.
<PRE>
# <B>./bos create</B> <<VAR>machine name</VAR>> <B>kaserver simple /usr/afs/bin/kaserver</B> \
<B> -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
</PRE>
<P>You can safely ignore the messages that tell you to add Kerberos to the
<B>/etc/services</B> file; AFS uses a default value that makes the
addition unnecessary. You can also ignore messages about the failure of
authentication.
<P><LI>Issue the <B>bos create</B> command to start the Backup Server.
<PRE>
# <B>./bos create</B> <<VAR>machine name</VAR>> <B>buserver simple /usr/afs/bin/buserver</B> \
<B> -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
</PRE>
<P><LI>Issue the <B>bos create</B> command to start the Protection
Server.
<PRE>
# <B>./bos create</B> <<VAR>machine name</VAR>> <B>ptserver simple /usr/afs/bin/ptserver</B> \
<B> -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
</PRE>
<P><LI>Issue the <B>bos create</B> command to start the VL Server.
<PRE>
# <B>./bos create</B> <<VAR>machine name</VAR>> <B>vlserver simple /usr/afs/bin/vlserver</B> \
<B> -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
</PRE>
</OL>
<A NAME="IDX2433"></A>
<A NAME="IDX2434"></A>
<A NAME="IDX2435"></A>
<A NAME="IDX2436"></A>
<A NAME="IDX2437"></A>
<A NAME="IDX2438"></A>
<A NAME="IDX2439"></A>
<A NAME="IDX2440"></A>
<A NAME="IDX2441"></A>
<A NAME="IDX2442"></A>
<A NAME="IDX2443"></A>
<A NAME="IDX2444"></A>
<A NAME="IDX2445"></A>
<HR><H2><A NAME="HDRWQ53" HREF="auqbg002.htm#ToC_66">Initializing Cell Security</A></H2>
<P>Now initialize the cell's security mechanisms.
Begin by creating the following two initial entries in the Authentication
Database:
<UL>
<P><LI>A generic administrative account, called <B>admin</B> by
convention. If you choose to assign a different name, substitute it
throughout the remainder of this document.
<P>After you complete the installation of the first machine, you can continue
to have all administrators use the <B>admin</B> account, or you can create
a separate administrative account for each of them. The latter scheme
implies somewhat more overhead, but provides a more informative audit trail
for administrative operations.
<P><LI>The entry for AFS server processes, called <B>afs</B>. No user
logs in under this identity, but the Authentication Server's Ticket
Granting Service (TGS) module uses the associated key to encrypt the server
tickets that it grants to AFS clients for presentation to server processes
during mutual authentication. (The chapter in the <I>IBM AFS
Administration Guide</I> about cell configuration and administration
describes the role of server encryption keys in mutual authentication.)
<P>In Step <A HREF="#LIWQ58">7</A>, you also place the initial AFS server encryption key into
the <B>/usr/afs/etc/KeyFile</B> file. The AFS server processes
refer to this file to learn the server encryption key when they need to
decrypt server tickets.
</UL>
<P>You also issue several commands that enable the new <B>admin</B> user
to issue privileged commands in all of the AFS suites.
<P>The following instructions do not configure all of the security mechanisms
related to the AFS Backup System. See the chapter in the <I>IBM AFS
Administration Guide</I> about configuring the Backup System.
<OL TYPE=1>
<A NAME="IDX2446"></A>
<A NAME="IDX2447"></A>
<A NAME="IDX2448"></A>
<P><LI>Enter <B>kas</B> interactive mode. Because the machine is in
no-authorization checking mode, include the <B>-noauth</B> flag to
suppress the Authentication Server's usual prompt for a password.
<PRE>
# <B>kas -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
ka>
</PRE>
<A NAME="IDX2449"></A>
<A NAME="IDX2450"></A>
<A NAME="IDX2451"></A>
<A NAME="IDX2452"></A>
<P><LI><A NAME="LIWQ54"></A>Issue the <B>kas create</B> command to create Authentication
Database entries called <B>admin</B> and <B>afs</B>.
<P>Do not provide passwords on the command line. Instead provide them
as <VAR>afs_passwd</VAR> and <VAR>admin_passwd</VAR> in response to the
<B>kas</B> command interpreter's prompts as shown, so that they do
not appear on the standard output stream.
<P>You need to enter the <VAR>afs_passwd</VAR> string only in this step and in
Step <A HREF="#LIWQ58">7</A>, so provide a value that is as long and complex as possible,
preferably including numerals, punctuation characters, and both uppercase and
lowercase letters. Also make the <VAR>admin_passwd</VAR> as long and
complex as possible, but keep in mind that administrators need to enter it
often. Both passwords must be at least six characters long.
<PRE>
ka> <B>create afs</B>
initial_password: <VAR>afs_passwd</VAR>
Verifying, please re-enter initial_password: <VAR>afs_passwd</VAR>
ka> <B>create admin</B>
initial_password: <VAR>admin_passwd</VAR>
Verifying, please re-enter initial_password: <VAR>admin_passwd</VAR>
</PRE>
<A NAME="IDX2453"></A>
<A NAME="IDX2454"></A>
<A NAME="IDX2455"></A>
<P><LI><A NAME="LIWQ55"></A>Issue the <B>kas examine</B> command to display the
<B>afs</B> entry. The output includes a checksum generated by
encrypting a constant with the server encryption key derived from the
<VAR>afs_passwd</VAR> string. In Step <A HREF="#LIWQ59">8</A> you issue the <B>bos listkeys</B> command to verify
that the checksum in its output matches the checksum in this output.
<PRE>
ka> <B>examine afs</B>
User data for afs
key (0) cksum is <VAR>checksum</VAR> . . .
</PRE>
<A NAME="IDX2456"></A>
<A NAME="IDX2457"></A>
<A NAME="IDX2458"></A>
<P><LI><A NAME="LIWQ56"></A>Issue the <B>kas setfields</B> command to turn on the
<TT>ADMIN</TT> flag in the <B>admin</B> entry. This enables the
<B>admin</B> user to issue privileged <B>kas</B> commands. Then
issue the <B>kas examine</B> command to verify that the <TT>ADMIN</TT>
flag appears in parentheses on the first line of the output, as shown in the
example.
<PRE>
ka> <B>setfields admin -flags admin</B>
ka> <B>examine admin</B>
User data for admin (ADMIN) . . .
</PRE>
<A NAME="IDX2459"></A>
<A NAME="IDX2460"></A>
<A NAME="IDX2461"></A>
<P><LI>Issue the <B>kas quit</B> command to leave <B>kas</B> interactive
mode.
<PRE>
ka> <B>quit</B>
</PRE>
<A NAME="IDX2462"></A>
<A NAME="IDX2463"></A>
<A NAME="IDX2464"></A>
<A NAME="IDX2465"></A>
<A NAME="IDX2466"></A>
<A NAME="IDX2467"></A>
<A NAME="IDX2468"></A>
<P><LI><A NAME="LIWQ57"></A>Issue the <B>bos adduser</B> command to add the
<B>admin</B> user to the <B>/usr/afs/etc/UserList</B> file.
This enables the <B>admin</B> user to issue privileged <B>bos</B> and
<B>vos</B> commands.
<PRE>
# <B>./bos adduser</B> <<VAR>machine name</VAR>> <B>admin -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
</PRE>
<A NAME="IDX2469"></A>
<A NAME="IDX2470"></A>
<A NAME="IDX2471"></A>
<A NAME="IDX2472"></A>
<P><LI><A NAME="LIWQ58"></A>Issue the <B>bos addkey</B> command to define the AFS server
encryption key in the <B>/usr/afs/etc/KeyFile</B> file.
<P>Do not provide the password on the command line. Instead provide it
as <VAR>afs_passwd</VAR> in response to the <B>bos</B> command
interpreter's prompts, as shown. Provide the same string as in
Step <A HREF="#LIWQ54">2</A>.
<PRE>
# <B>./bos addkey</B> <<VAR>machine name</VAR>> <B>-kvno 0 -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
Input key: <VAR>afs_passwd</VAR>
Retype input key: <VAR>afs_passwd</VAR>
</PRE>
<A NAME="IDX2473"></A>
<A NAME="IDX2474"></A>
<A NAME="IDX2475"></A>
<P><LI><A NAME="LIWQ59"></A>Issue the <B>bos listkeys</B> command to verify that the
checksum for the new key in the <B>KeyFile</B> file is the same as the
checksum for the key in the Authentication Database's <B>afs</B>
entry, which you displayed in Step <A HREF="#LIWQ55">3</A>.
<PRE>
# <B>./bos listkeys</B> <<VAR>machine name</VAR>> <B>-cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
key 0 has cksum <VAR>checksum</VAR>
</PRE>
<P>You can safely ignore any error messages indicating that <B>bos</B>
failed to get tickets or that authentication failed.
<P>If the keys are different, issue the following commands, making sure that
the <VAR>afs_passwd</VAR> string is the same in each case. The
<VAR>checksum</VAR> strings reported by the <B>kas examine</B> and <B>bos
listkeys</B> commands must match; if they do not, repeat these
instructions until they do, using the <B>-kvno</B> argument to increment
the key version number each time.
<PRE>
# <B>./kas -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
ka> <B>setpassword afs -kvno 1</B>
new_password: <VAR>afs_passwd</VAR>
Verifying, please re-enter initial_password: <VAR>afs_passwd</VAR>
ka> <B>examine afs</B>
User data for afs
key (1) cksum is <VAR>checksum</VAR> . . .
ka> <B>quit</B>
# <B>./bos addkey</B> <<VAR>machine name</VAR>> <B>-kvno 1 -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
Input key: <VAR>afs_passwd</VAR>
Retype input key: <VAR>afs_passwd</VAR>
# <B>./bos listkeys</B> <<VAR>machine name</VAR>> <B>-cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
key 1 has cksum <VAR>checksum</VAR>
</PRE>
<A NAME="IDX2476"></A>
<A NAME="IDX2477"></A>
<A NAME="IDX2478"></A>
<P><LI>Issue the <B>pts createuser</B> command to create a Protection
Database entry for the <B>admin</B> user.
<P>By default, the Protection Server assigns AFS UID 1 (one) to the
<B>admin</B> user, because it is the first user entry you are
creating. If the local password file (<B>/etc/passwd</B> or
equivalent) already has an entry for <B>admin</B> that assigns it a UNIX
UID other than 1, it is best to use the <B>-id</B> argument to the
<B>pts createuser</B> command to make the new AFS UID match the existing
UNIX UID. Otherwise, it is best to accept the default.
<PRE>
# <B>./pts createuser -name admin -cell</B> <<VAR>cell name</VAR>> [<B>-id</B> <<VAR>AFS UID</VAR>>] <B>-noauth</B>
User admin has id <VAR>AFS UID</VAR>
</PRE>
<A NAME="IDX2479"></A>
<A NAME="IDX2480"></A>
<A NAME="IDX2481"></A>
<A NAME="IDX2482"></A>
<P><LI>Issue the <B>pts adduser</B> command to make the <B>admin</B> user
a member of the <B>system:administrators</B> group, and the <B>pts
membership</B> command to verify the new membership. Membership in
the group enables the <B>admin</B> user to issue privileged <B>pts</B>
commands and some privileged <B>fs</B> commands.
<PRE>
# <B>./pts adduser admin system:administrators -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
# <B>./pts membership admin -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
Groups admin (id: 1) is a member of:
system:administrators
</PRE>
<A NAME="IDX2483"></A>
<A NAME="IDX2484"></A>
<A NAME="IDX2485"></A>
<A NAME="IDX2486"></A>
<P><LI>Issue the <B>bos restart</B> command with the <B>-all</B> flag to
restart the database server processes, so that they start using the new server
encryption key.
<PRE>
# <B>./bos restart</B> <<VAR>machine name</VAR>> <B>-all -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
</PRE>
</OL>
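<P>Steps 3 and 8 above ask you to compare the <B>kas examine</B> and <B>bos listkeys</B> checksums by eye. The following POSIX shell functions are an added example, not part of the AFS documentation, that parse both outputs and compare the checksums for a given key version number; the sample outputs and checksum values are constructed.

```shell
#!/bin/sh
# Added example (not from the AFS documentation): compare the checksum that
# "kas examine afs" reports for a key version with the one "bos listkeys"
# reports for the same version, so the KeyFile/Authentication Database
# match required by the procedure is checked mechanically rather than by eye.

# Print the checksum for key version $2 from "kas examine afs" output ($1).
# kas prints a line such as:  key (0) cksum is 3182946837, last cpw: ...
kas_cksum() {
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*key ($2) cksum is \([0-9][0-9]*\).*/\1/p" \
      | head -n 1
}

# Print the checksum for key version $2 from "bos listkeys" output ($1).
# bos prints a line such as:  key 0 has cksum 3182946837
bos_cksum() {
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*key $2 has cksum \([0-9][0-9]*\).*/\1/p" \
      | head -n 1
}

# Return 0 when both tools report the same non-empty checksum for kvno $3,
# 1 otherwise ($1 is the kas output, $2 the bos output). A missing key on
# either side counts as a mismatch.
keys_match() {
    k=$(kas_cksum "$1" "$3")
    b=$(bos_cksum "$2" "$3")
    [ -n "$k" ] && [ -n "$b" ] && [ "$k" = "$b" ]
}

# Constructed sample outputs; the checksum values are made up.
KAS_OUT='User data for afs
  key (0) cksum is 3182946837, last cpw: Mon Oct  2 12:00:00 2000
  password will never expire.'
BOS_OUT_OK='key 0 has cksum 3182946837
Keys last changed on Mon Oct  2 12:00:00 2000.
All done.'
BOS_OUT_BAD='key 0 has cksum 2216742591
All done.'

# Against a live cell you would feed the real outputs instead, e.g.
#   keys_match "$(kas examine -name afs -cell <cell name> -noauth)" \
#              "$(bos listkeys <machine name> -cell <cell name> -noauth)" 0
if keys_match "$KAS_OUT" "$BOS_OUT_OK" 0; then
    echo "kvno 0: KeyFile and Authentication Database checksums match"
else
    echo "kvno 0: MISMATCH, repeat setpassword/addkey with a higher -kvno"
fi
```

If the function reports a mismatch, follow the page's recovery sequence (kas setpassword, bos addkey, bos listkeys) with the next key version number.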
<A NAME="IDX2487"></A>
<A NAME="IDX2488"></A>
<A NAME="IDX2489"></A>
<A NAME="IDX2490"></A>
<A NAME="IDX2491"></A>
<A NAME="IDX2492"></A>
<A NAME="IDX2493"></A>
<A NAME="IDX2494"></A>
<A NAME="IDX2495"></A>
<A NAME="IDX2496"></A>
<A NAME="IDX2497"></A>
<A NAME="IDX2498"></A>
<HR><H2><A NAME="HDRWQ60" HREF="auqbg002.htm#ToC_67">Starting the File Server, Volume Server, and Salvager</A></H2>
<P>Start the <B>fs</B> process, which consists of the File
Server, Volume Server, and Salvager (<B>fileserver</B>,
<B>volserver</B> and <B>salvager</B> processes).
<OL TYPE=1>
<P><LI>Issue the <B>bos create</B> command to start the <B>fs</B>
process. The command appears here on multiple lines only for
legibility.
<PRE>
# <B>./bos create</B> <<VAR>machine name</VAR>> <B>fs fs /usr/afs/bin/fileserver</B> \
<B>/usr/afs/bin/volserver /usr/afs/bin/salvager</B> \
<B>-cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
</PRE>
<P>Sometimes a message about Volume Location Database (VLDB) initialization
appears, along with one or more instances of an error message similar to the
following:
<PRE>
FSYNC_clientInit temporary failure (will retry)
</PRE>
<P>This message appears when the <B>volserver</B> process tries to start
before the <B>fileserver</B> process has completed its
initialization. Wait a few minutes after the last such message before
continuing, to guarantee that both processes have started successfully.
<A NAME="IDX2499"></A>
<A NAME="IDX2500"></A>
<P>You can verify that the <B>fs</B> process has started successfully by
issuing the <B>bos status</B> command. Its output mentions two
<TT>proc starts</TT>.
<PRE>
# <B>./bos status</B> <<VAR>machine name</VAR>> <B>fs -long -noauth</B>
</PRE>
<P><LI>Your next action depends on whether you have ever run AFS file server
machines in the cell:
<UL>
<A NAME="IDX2501"></A>
<A NAME="IDX2502"></A>
<A NAME="IDX2503"></A>
<A NAME="IDX2504"></A>
<A NAME="IDX2505"></A>
<P><LI>If you are installing the first AFS server machine ever in the cell (that
is, you are not upgrading the AFS software from a previous version), create
the first AFS volume, <B>root.afs</B>.
<P>For the <VAR>partition name</VAR> argument, substitute the name of one of
the machine's AFS server partitions (such as <B>/vicepa</B>).
<PRE>
# <B>./vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <B>root.afs</B> \
<B>-cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
</PRE>
<P>The Volume Server produces a message confirming that it created the volume
on the specified partition. You can ignore error messages indicating
that tokens are missing, or that authentication failed.
<A NAME="IDX2506"></A>
<A NAME="IDX2507"></A>
<A NAME="IDX2508"></A>
<A NAME="IDX2509"></A>
<P><LI>If there are existing AFS file server machines and volumes in the cell,
issue the <B>vos syncvldb</B> and <B>vos syncserv</B> commands to
synchronize the VLDB with the actual state of volumes on the local
machine. To follow the progress of the synchronization operation, which
can take several minutes, use the <B>-verbose</B> flag.
<PRE>
# <B>./vos syncvldb</B> <<VAR>machine name</VAR>> <B>-cell</B> <<VAR>cell name</VAR>> <B>-verbose -noauth</B>
# <B>./vos syncserv</B> <<VAR>machine name</VAR>> <B>-cell</B> <<VAR>cell name</VAR>> <B>-verbose -noauth</B>
</PRE>
<P>You can ignore error messages indicating that tokens are missing, or that
authentication failed.
</UL>
</OL>
<A NAME="IDX2510"></A>
<A NAME="IDX2511"></A>
<A NAME="IDX2512"></A>
<A NAME="IDX2513"></A>
<A NAME="IDX2514"></A>
<A NAME="IDX2515"></A>
<A NAME="IDX2516"></A>
<A NAME="IDX2517"></A>
<HR><H2><A NAME="HDRWQ61" HREF="auqbg002.htm#ToC_68">Starting the Server Portion of the Update Server</A></H2>
<P>Start the server portion of the Update Server (the
<B>upserver</B> process), to distribute the contents of directories on
this machine to other server machines in the cell. It becomes active
when you configure the client portion of the Update Server on additional
server machines.
<P>Distributing the contents of its <B>/usr/afs/etc</B> directory makes
this machine the cell's <I>system control machine</I>. The
other server machines in the cell run the <B>upclientetc</B> process (an
instance of the client portion of the Update Server) to retrieve the
configuration files. Use the <B>-crypt</B> argument to the
<B>upserver</B> initialization command to specify that the Update Server
distributes the contents of the <B>/usr/afs/etc</B> directory only in
encrypted form, as shown in the following instruction. Several of the
files in the directory, particularly the <B>KeyFile</B> file, are crucial
to cell security and so must never cross the network unencrypted.
<P>(You can choose not to configure a system control machine, in which case
you must update the configuration files in each server machine's
<B>/usr/afs/etc</B> directory individually. The <B>bos</B>
commands used for this purpose also encrypt data before sending it across the
network.)
<P>Distributing the contents of its <B>/usr/afs/bin</B> directory to other
server machines of its system type makes this machine a <I>binary
distribution machine</I>. The other server machines of its system
type run the <B>upclientbin</B> process (an instance of the client portion
of the Update Server) to retrieve the binaries.
<P>The binaries in the <B>/usr/afs/bin</B> directory are not sensitive, so
it is not necessary to encrypt them before transfer across the network.
Include the <B>-clear</B> argument to the <B>upserver</B>
initialization command to specify that the Update Server distributes the
contents of the <B>/usr/afs/bin</B> directory in unencrypted form unless
an <B>upclientbin</B> process requests encrypted transfer.
<P>Note that the server and client portions of the Update Server always
mutually authenticate with one another, regardless of whether you use the
<B>-clear</B> or <B>-crypt</B> arguments. This protects their
communications from eavesdropping to some degree.
<P>For more information on the <B>upclient</B> and <B>upserver</B>
processes, see their reference pages in the <I>IBM AFS Administration
Reference</I>. The commands appear on multiple lines here only for
legibility.
<OL TYPE=1>
<P><LI>Issue the <B>bos create</B> command to start the <B>upserver</B>
process.
<PRE>
# <B>./bos create</B> <<VAR>machine name</VAR>> <B>upserver simple</B> \
<B>"/usr/afs/bin/upserver -crypt /usr/afs/etc </B> \
<B>-clear /usr/afs/bin" -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
</PRE>
</OL>
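<P>Because the <B>bos create</B> command above records the <B>upserver</B> command line in the <B>/usr/afs/local/BosConfig</B> file, a later audit can confirm that <B>/usr/afs/etc</B> is still served only under <B>-crypt</B>. The following POSIX shell functions are an added example, not part of the AFS documentation; they parse the <TT>bnode</TT>/<TT>parm</TT> lines of a BosConfig text passed in as a string (samples below are constructed), and they treat a directory that appears before any <B>-crypt</B> or <B>-clear</B> flag as clear, which is an assumption of the audit rather than documented <B>upserver</B> behaviour.

```shell
#!/bin/sh
# Added example (not from the AFS documentation): audit the upserver entry in
# a BosConfig file and fail if /usr/afs/etc, which holds KeyFile, would be
# distributed in the clear. BosConfig stores each process as a "bnode" line
# followed by one or more "parm" lines holding the command line, then "end".

# Print the upserver command line (the "parm" line of the upserver bnode)
# from the BosConfig text in $1; prints nothing if there is no such entry.
upserver_parm() {
    printf '%s\n' "$1" | awk '
        /^bnode /           { in_up = ($3 == "upserver") }
        in_up && /^parm /   { sub(/^parm /, ""); print; exit }'
}

# Classify every directory on an upserver command line ($1) as crypt or
# clear, printing one "mode directory" pair per line. Directories listed
# before any -crypt/-clear flag are reported as clear (audit assumption:
# anything not explicitly encrypted is treated as unprotected).
upserver_modes() {
    set -- $1        # split the command line into words
    shift            # drop the upserver binary path itself
    mode=clear
    for tok; do
        case $tok in
            -crypt) mode=crypt ;;
            -clear) mode=clear ;;
            -*)     ;;                                # other options, ignored
            /*)     printf '%s %s\n' "$mode" "$tok" ;;
        esac
    done
}

# Return 0 when the BosConfig text in $1 has an upserver entry that serves
# /usr/afs/etc under -crypt and never under -clear; return 1 otherwise
# (including when no upserver entry exists at all).
etc_is_encrypted() {
    parm=$(upserver_parm "$1")
    [ -n "$parm" ] || return 1
    upserver_modes "$parm" | grep -q '^crypt /usr/afs/etc$' || return 1
    upserver_modes "$parm" | grep -q '^clear /usr/afs/etc$' && return 1
    return 0
}

# Constructed BosConfig samples. GOOD matches the bos create command in the
# procedure above; BAD exports /usr/afs/etc in the clear; NONE has no upserver.
BOSCONFIG_GOOD='restarttime 11 0 4 0 0
checkbintime 3 0 5 0 0
bnode simple upserver 1
parm /usr/afs/bin/upserver -crypt /usr/afs/etc -clear /usr/afs/bin
end
bnode simple runntp 1
parm /usr/afs/bin/runntp -localclock
end'
BOSCONFIG_BAD='bnode simple upserver 1
parm /usr/afs/bin/upserver -clear /usr/afs/etc /usr/afs/bin
end'
BOSCONFIG_NONE='bnode simple kaserver 1
parm /usr/afs/bin/kaserver
end'

# On a real system control machine you would pass the live file instead:
#   etc_is_encrypted "$(cat /usr/afs/local/BosConfig)"
for cfg in "$BOSCONFIG_GOOD" "$BOSCONFIG_BAD" "$BOSCONFIG_NONE"; do
    if etc_is_encrypted "$cfg"; then
        echo "ok: /usr/afs/etc is distributed only with -crypt"
    else
        echo "FAIL: /usr/afs/etc is not distributed under -crypt"
    fi
done
```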
<A NAME="IDX2518"></A>
<A NAME="IDX2519"></A>
<A NAME="IDX2520"></A>
<A NAME="IDX2521"></A>
<A NAME="IDX2522"></A>
<A NAME="IDX2523"></A>
<HR><H2><A NAME="HDRWQ62" HREF="auqbg002.htm#ToC_69">Starting the Controller for NTPD</A></H2>
<P>Keeping the clocks on all server and client machines in your
cell synchronized is crucial to several functions, and in particular to the
correct operation of AFS's distributed database technology, Ubik.
The chapter in the <I>IBM AFS Administration Guide</I> about administering
server machines explains how time skew can disturb Ubik's performance and
cause service outages in your cell.
<P>The AFS distribution includes a version of the Network Time Protocol Daemon
(NTPD) for synchronizing the clocks on server machines. If a time
synchronization program is not already running on the machine, then in this
section you start the <B>runntp</B> process to configure NTPD for use with
AFS.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Do not run the <B>runntp</B> process if NTPD or another time
synchronization protocol is already running on the machine. Some
versions of some operating systems run a time synchronization program by
default, as detailed in the <I>IBM AFS Release Notes</I>.
<P>Attempting to run multiple instances of the NTPD causes an error.
Running NTPD together with another time synchronization protocol is
unnecessary and can cause instability in the clock setting.
</TD></TR></TABLE>
<P>If you run the <B>runntp</B> process and your cell has reliable network
connectivity to machines outside your cell, then it is conventional to
configure the first AFS machine to refer to a time source outside the
cell. When you later install the <B>runntp</B> program on other
server machines in the cell, it configures NTPD to choose a time source at
random from among the database server machines listed in the
<B>/usr/afs/etc/CellServDB</B> file. Time synchronization therefore
works in a chained manner: this database server machine refers to a time
source outside the cell, the database server machines refer to the machine
among them that has access to the most accurate time (NTPD itself includes
code for determining this), and each non-database server machine refers to a
local database server machine chosen at random from the
<B>/usr/afs/etc/CellServDB</B> file. If you ever decide to remove
database server functionality from this machine, it is best to transfer
responsibility for consulting an external time source to a remaining database
server machine.
<P>If your cell does not have network connectivity to external machines, or if
the connectivity is not reliable, include the <B>-localclock</B> flag to
the <B>runntp</B> command as indicated in the following
instructions. The flag tells NTPD to rely on the machine's
internal clock when all external time sources are inaccessible. The
<B>runntp</B> command has other arguments that are possibly useful given
your cell configuration; see the <I>IBM AFS Administration
Reference</I>.
<P>Choosing an appropriate external time source is important, but involves
more considerations than can be discussed here. If you need help in
selecting a source, contact the AFS Product Support group.
<P>As the <B>runntp</B> process initializes NTPD, trace messages sometimes
appear on the standard output stream. You can ignore them, but they can
be informative if you understand how NTPD works.
<OL TYPE=1>
<P><LI>Issue the <B>bos create</B> command to start the <B>runntp</B>
process. For the <VAR>host</VAR> argument, substitute the fully-qualified
hostname or IP address of one or more machines outside the cell that are to
serve as time sources. Separate each name with a space.
<UL>
<P><LI>If your cell usually has reliable network connectivity to an external time
source, use the following command:
<PRE>
# <B>./bos create</B> <<VAR>machine name</VAR>> <B>runntp simple</B> \
<B>"/usr/afs/bin/runntp</B> <<VAR>host</VAR>>+<B>" -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
</PRE>
<P><LI>If your cell does not have network connectivity to an external time
source, use the following command:
<PRE>
# <B>./bos create</B> <<VAR>machine name</VAR>> <B>runntp simple</B> \
<B>"/usr/afs/bin/runntp -localclock"</B> <B>-cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
</PRE>
<P><LI>If your cell has network connectivity to an external time source, but the
network connection is frequently interrupted, use the following command:
<PRE>
# <B>./bos create</B> <<VAR>machine name</VAR>> <B>runntp simple</B> \
<B>"/usr/afs/bin/runntp -localclock</B> <<VAR>host</VAR>>+<B>"</B> \
<B>-cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
</PRE>
</UL>
</OL>
<A NAME="IDX2524"></A>
<A NAME="IDX2525"></A>
<A NAME="IDX2526"></A>
<HR><H2><A NAME="HDRWQ63" HREF="auqbg002.htm#ToC_70">Overview: Installing Client Functionality</A></H2>
<P>The machine you are installing is now an AFS file server
machine, database server machine, system control machine, and binary
distribution machine. Now make it a client machine by completing the
following tasks:
<OL TYPE=1>
<P><LI>Define the machine's cell membership for client processes
<P><LI>Create the client version of the <B>CellServDB</B> file
<P><LI>Define cache location and size
<P><LI>Create the <B>/afs</B> directory and start the Cache Manager
</OL>
<A NAME="IDX2527"></A>
<A NAME="IDX2528"></A>
<A NAME="IDX2529"></A>
|
|
<HR><H2><A NAME="HDRWQ64" HREF="auqbg002.htm#ToC_71">Copying Client Files to the Local Disk</A></H2>
<P>Before installing and configuring the AFS client, copy the
necessary files from the AFS CD-ROM to the local <B>/usr/vice/etc</B>
directory.
<OL TYPE=1>
<P><LI>On the local <B>/cdrom</B> directory, mount the AFS CD-ROM for this
machine's system type, if it is not already. For instructions on
mounting CD-ROMs (either locally or remotely via NFS), consult the operating
system documentation.
<P><LI>Copy files to the local <B>/usr/vice/etc</B> directory.
<P>This step places a copy of the AFS initialization script (and related
files, if applicable) into the <B>/usr/vice/etc</B> directory. In
the preceding instructions for incorporating AFS into the kernel, you copied
the script directly to the operating system's conventional location for
initialization files. When you incorporate AFS into the machine's
startup sequence in a later step, you can choose to link the two files.
<P>On some system types that use a dynamic kernel loader program, you
previously copied AFS library files into a subdirectory of the
<B>/usr/vice/etc</B> directory. On other system types, you copied
the appropriate AFS library file directly to the directory where the operating
system accesses it. The following commands do not copy or recopy the
AFS library files into the <B>/usr/vice/etc</B> directory, because on some
system types the library files consume a large amount of space. If you
want to copy them, add the <B>-r</B> flag to the first <B>cp</B>
command and skip the second <B>cp</B> command.
<PRE>
# <B>cd /cdrom/</B><VAR>sysname</VAR><B>/root.client/usr/vice/etc</B>
# <B>cp -p * /usr/vice/etc</B>
# <B>cp -rp C /usr/vice/etc</B>
</PRE>
</OL>
<A NAME="IDX2530"></A>
<A NAME="IDX2531"></A>
<A NAME="IDX2532"></A>
<A NAME="IDX2533"></A>
<A NAME="IDX2534"></A>
<A NAME="IDX2535"></A>
<A NAME="IDX2536"></A>
|
|
<HR><H2><A NAME="HDRWQ65" HREF="auqbg002.htm#ToC_72">Defining Cell Membership for Client Processes</A></H2>
<P>Every AFS client machine has a copy of the
<B>/usr/vice/etc/ThisCell</B> file on its local disk to define the
machine's cell membership for the AFS client programs that run on
it. The <B>ThisCell</B> file you created in the
<B>/usr/afs/etc</B> directory (in <A HREF="#HDRWQ51">Defining Cell Name and Membership for Server Processes</A>) is used only by server processes.
<P>Among other functions, the <B>ThisCell</B> file on a client machine
determines the following:
<UL>
<P><LI>The cell in which users authenticate when they log onto the machine,
assuming it is using an AFS-modified login utility
<P><LI>The cell in which users authenticate by default when they issue the
<B>klog</B> command
<P><LI>The cell membership of the AFS server processes that the AFS command
interpreters on this machine contact by default
</UL>
<OL TYPE=1>
<P><LI>Change to the <B>/usr/vice/etc</B> directory and remove the symbolic
link created in <A HREF="#HDRWQ50">Starting the BOS Server</A>.
<PRE>
# <B>cd /usr/vice/etc</B>
# <B>rm ThisCell</B>
</PRE>
<P><LI>Create the <B>ThisCell</B> file as a copy of the
<B>/usr/afs/etc/ThisCell</B> file. Defining the same local cell for
both server and client processes leads to the most consistent AFS
performance.
<PRE>
# <B>cp /usr/afs/etc/ThisCell ThisCell</B>
</PRE>
</OL>
<A NAME="IDX2537"></A>
<A NAME="IDX2538"></A>
<A NAME="IDX2539"></A>
<A NAME="IDX2540"></A>
<A NAME="IDX2541"></A>
<A NAME="IDX2542"></A>
<A NAME="IDX2543"></A>
<A NAME="IDX2544"></A>
|
|
<HR><H2><A NAME="HDRWQ66" HREF="auqbg002.htm#ToC_73">Creating the Client CellServDB File</A></H2>
<P>The <B>/usr/vice/etc/CellServDB</B> file on a client
machine's local disk lists the database server machines for each cell
that the local Cache Manager can contact. If there is no entry in the
file for a cell, or if the list of database server machines is wrong, then
users working on this machine cannot access the cell. Because the Cache
Manager uses these addresses to locate a cell's database servers, including
the Authentication Server that issues tokens, keep the file accurate and
writable only by the local superuser <B>root</B>. The chapter in
the <I>IBM AFS Administration Guide</I> about administering client
machines explains how to maintain the file after creating it.
<P>As the <B>afsd</B> program initializes the Cache Manager, it copies the
contents of the <B>CellServDB</B> file into kernel memory. The
Cache Manager always consults the list in kernel memory rather than the
<B>CellServDB</B> file itself, so editing the file does not affect a
running Cache Manager. Between reboots of the machine, you
can use the <B>fs newcell</B> command to update the list in kernel memory
directly; see the chapter in the <I>IBM AFS Administration Guide</I>
about administering client machines.
<P>The AFS distribution includes the file <B>CellServDB.sample</B>,
and you have already copied it to the <B>/usr/vice/etc</B>
directory. It includes an entry for all AFS cells that agreed to share
their database server machine information at the time your AFS CD-ROM was
created. The AFS Product Support group also maintains a copy of the
file, updating it as necessary. If you are interested in participating
in the global AFS namespace, it is a good policy to consult the file
occasionally for updates. Ask the AFS Product Support group for a
pointer to its location.
<P>The <B>CellServDB.sample</B> file can be a good basis for the
client <B>CellServDB</B> file, because all of the entries in it use the
correct format. You can add or remove cell entries as you see
fit. Later (in <A HREF="#HDRWQ91">Enabling Access to Foreign Cells</A>) you perform additional steps that actually enable the Cache
Manager to reach the cells.
<P>In this section, you add an entry for the local cell to the local
<B>CellServDB</B> file. The current working directory is still
<B>/usr/vice/etc</B>.
<OL TYPE=1>
<P><LI>Remove the symbolic link created in <A HREF="#HDRWQ50">Starting the BOS Server</A> and rename the <B>CellServDB.sample</B> file to
<B>CellServDB</B>.
<PRE>
# <B>rm CellServDB</B>
# <B>mv CellServDB.sample CellServDB</B>
</PRE>
<P><LI>Add an entry for the local cell to the <B>CellServDB</B> file.
One easy method is to use the <B>cat</B> command to append the contents of
the server <B>/usr/afs/etc/CellServDB</B> file to the client
version.
<PRE>
# <B>cat /usr/afs/etc/CellServDB >> CellServDB</B>
</PRE>
<P>Then open the file in a text editor to verify that there are no blank
lines, and that all entries have the required format, which is described just
following. The ordering of cells is not significant, but it can be
convenient to have the client machine's home cell at the top; move
it there now if you wish.
<UL>
<P><LI>The first line of a cell's entry has the following format:
<PRE>
><VAR>cell_name</VAR> #<VAR>organization</VAR>
</PRE>
<P>where <VAR>cell_name</VAR> is the cell's complete Internet domain name
(for example, <B>abc.com</B>) and <VAR>organization</VAR> is an
optional field that follows any number of spaces and the number sign
(<TT>#</TT>). By convention it names the organization to which the
cell corresponds (for example, the ABC Corporation).
<P><LI>After the first line comes a separate line for each database server
machine. Each line has the following format:
<PRE>
<VAR>IP_address</VAR> #<VAR>machine_name</VAR>
</PRE>
<P>where <VAR>IP_address</VAR> is the machine's IP address in dotted
decimal format (for example, 192.12.105.3).
Following any number of spaces and the number sign (<TT>#</TT>) is
<VAR>machine_name</VAR>, the machine's fully-qualified hostname (for
example, <B>db1.abc.com</B>). In this case, the
number sign does not indicate a comment; <VAR>machine_name</VAR> is a
required field.
</UL>
<P><LI>If the file includes cells that you do not wish users of this machine to
access, remove their entries.
</OL>
<P>The following example shows entries for two cells, each of which has three
database server machines:
<P>
<PRE>
>abc.com #ABC Corporation (home cell)
192.12.105.3 #db1.abc.com
192.12.105.4 #db2.abc.com
192.12.105.55 #db3.abc.com
>stateu.edu #State University cell
138.255.68.93 #serverA.stateu.edu
138.255.68.72 #serverB.stateu.edu
138.255.33.154 #serverC.stateu.edu
</PRE>
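<P>The following script is an added example, not part of the IBM AFS distribution or of this guide. It checks a client <B>CellServDB</B> file against the format just described: no blank lines, a <TT>></TT><VAR>cell_name</VAR> header before any server line, a dotted-decimal address followed by a required <TT>#</TT><VAR>machine_name</VAR> on every server line, and at least one database server per cell. The sample file it writes is constructed for the demonstration and contains two deliberate mistakes; on the real machine run <TT>check_cellservdb /usr/vice/etc/CellServDB</TT> instead.

```sh
#!/bin/sh
# Added example (not from the IBM AFS distribution): validate a client
# /usr/vice/etc/CellServDB against the documented format.
#   >cell_name #organization        (organization optional)
#   IP_address #machine_name        (machine_name required)
# No blank lines are allowed.  One diagnostic per problem goes to stderr;
# the function returns 0 only when the file is clean.
check_cellservdb() {
    awk '
    function fail(msg) {
        printf("%s:%d: %s\n", FILENAME, NR, msg) > "/dev/stderr"
        errors++
    }
    NF == 0 { fail("blank line is not allowed"); next }
    /^>/ {
        # Close out the previous cell before starting a new one.
        if (cell != "" && servers == 0)
            fail("cell " cell " has no database server lines")
        cell = substr($1, 2); sub(/#.*$/, "", cell); servers = 0
        if (cell == "")
            fail("empty cell name")
        else if (cell !~ /^[A-Za-z0-9.-]+$/)
            fail("cell name " cell " is not a valid domain name")
        # Anything after the cell name must be the optional #organization text.
        if (index($1, "#") == 0 && NF >= 2 && $2 !~ /^#/)
            fail("text after the cell name must begin with #")
        next
    }
    {
        if (cell == "") { fail("database server line before any >cell_name header"); next }
        n = split($1, octet, ".")
        if (n != 4) { fail("bad IP address " $1); next }
        for (i = 1; i <= 4; i++)
            if (octet[i] !~ /^[0-9]+$/ || octet[i] + 0 > 255) { fail("bad IP address " $1); next }
        # The number sign here is not a comment marker: the hostname is required.
        if (NF < 2 || $2 !~ /^#./) { fail("missing #machine_name after " $1); next }
        servers++
    }
    END {
        if (cell != "" && servers == 0)
            fail("cell " cell " has no database server lines")
        exit (errors > 0)
    }' "$1"
}

# Constructed sample: the two cells from the example above, with two deliberate
# mistakes in the second cell (an octet above 255 and a server line with no name).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
>abc.com #ABC Corporation (home cell)
192.12.105.3 #db1.abc.com
192.12.105.4 #db2.abc.com
192.12.105.55 #db3.abc.com
>stateu.edu #State University cell
138.255.68.93 #serverA.stateu.edu
138.255.68.999 #serverB.stateu.edu
138.255.33.154
EOF
if check_cellservdb "$SAMPLE"; then
    echo "CellServDB format OK"
else
    echo "CellServDB has errors; fix them before starting afsd"
fi
rm -f "$SAMPLE"
```

The check is deliberately stricter than a hand inspection: it rejects an address with a bad octet and a server line whose <TT>#</TT><VAR>machine_name</VAR> is missing, both of which are easy to overlook in a long file appended with <B>cat</B>.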
|
|
<A NAME="IDX2545"></A>
<A NAME="IDX2546"></A>
<A NAME="IDX2547"></A>
<A NAME="IDX2548"></A>
<HR><H2><A NAME="HDRWQ67" HREF="auqbg002.htm#ToC_74">Configuring the Cache</A></H2>
<P>The Cache Manager uses a cache on the local disk or in
machine memory to store local copies of files fetched from file server
machines. As the <B>afsd</B> program initializes the Cache Manager,
it sets basic cache configuration parameters according to definitions in the
local <B>/usr/vice/etc/cacheinfo</B> file. The file has three
fields:
<OL TYPE=1>
<P><LI>The first field names the local directory on which to mount the AFS
filespace. The conventional location is the <B>/afs</B>
directory.
<P><LI>The second field defines the local disk directory to use for the disk
cache. The conventional location is the <B>/usr/vice/cache</B>
directory, but you can specify an alternate directory if another partition has
more space available. There must always be a value in this field, but
the Cache Manager ignores it if the machine uses a memory cache.
<P><LI>The third field specifies the number of kilobyte (1024 byte) blocks to
allocate for the cache.
</OL>
<P>The values you define must meet the following requirements.
<UL>
<P><LI>On a machine using a disk cache, the Cache Manager expects always to be
able to use the amount of space specified in the third field. Failure
to meet this requirement can cause serious problems, some of which can be
repaired only by rebooting. You must prevent non-AFS processes from
filling up the cache partition. The simplest way is to devote a
partition to the cache exclusively.
<P><LI>The amount of space available in memory or on the partition housing the
disk cache directory imposes an absolute limit on cache size.
<P><LI>The maximum supported cache size can vary in each AFS release; see
the <I>IBM AFS Release Notes</I> for the current version.
<P><LI>For a disk cache, you cannot specify a value in the third field that
exceeds 95% of the space available on the partition mounted at the directory
named in the second field. If you violate this restriction, the
<B>afsd</B> program exits without starting the Cache Manager and prints an
appropriate message on the standard output stream. A value of 90% is
more appropriate on most machines. Some operating systems (such as AIX)
do not automatically reserve some space to prevent the partition from filling
completely; for them, a smaller value (say, 80% to 85% of the space
available) is more appropriate.
<P><LI>For a memory cache, you must leave enough memory for other processes and
applications to run. If you try to allocate more memory than is
actually available, the <B>afsd</B> program exits without initializing the
Cache Manager and produces the following message on the standard output
stream.
<PRE>
afsd: memCache allocation failure at <VAR>number</VAR> KB
</PRE>
<P>The <VAR>number</VAR> value is how many kilobytes were allocated just before
the failure, and so indicates the approximate amount of memory
available.
</UL>
<P>Within these hard limits, the factors that determine appropriate cache size
include the number of users working on the machine, the size of the files with
which they work, and (for a memory cache) the number of processes that run on
the machine. The higher the demand from these factors, the larger the
cache needs to be to maintain good performance.
<P>Disk caches smaller than 10 MB do not generally perform well.
Machines serving multiple users usually perform better with a cache of at
least 60 to 70 MB. The point at which enlarging the cache further does
not really improve performance depends on the factors mentioned previously and
is difficult to predict.
<P>Memory caches smaller than 1 MB are nonfunctional, and the performance of
caches smaller than 5 MB is usually unsatisfactory. Suitable upper
limits are similar to those for disk caches but are probably determined more
by the demands on memory from other sources on the machine (number of users
and processes). Machines running only a few processes possibly can use
a smaller memory cache.
|
|
<P><H3><A NAME="HDRWQ68" HREF="auqbg002.htm#ToC_75">Configuring a Disk Cache</A></H3>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Not all file system types that an operating system supports are
necessarily supported for use as the cache partition. For possible
restrictions, see the <I>IBM AFS Release Notes</I>.
</TD></TR></TABLE>
<P>To configure the disk cache, perform the following procedures:
<OL TYPE=1>
<P><LI>Create the local directory to use for caching. The following
instruction shows the conventional location,
<B>/usr/vice/cache</B>. If you are devoting a partition exclusively
to caching, as recommended, you must also configure it, make a file system on
it, and mount it at the directory created in this step.
<PRE>
# <B>mkdir /usr/vice/cache</B>
</PRE>
<P><LI>Create the <B>cacheinfo</B> file to define the configuration
parameters discussed previously. The following instruction shows the
standard mount location, <B>/afs</B>, and the standard cache location,
<B>/usr/vice/cache</B>.
<PRE>
# <B>echo "/afs:/usr/vice/cache:</B><VAR>#blocks</VAR><B>" > /usr/vice/etc/cacheinfo</B>
</PRE>
<P>The following example defines the disk cache size as 50,000 KB:
<PRE>
# <B>echo "/afs:/usr/vice/cache:50000" > /usr/vice/etc/cacheinfo</B>
</PRE>
</OL>
<P><H3><A NAME="HDRWQ69" HREF="auqbg002.htm#ToC_76">Configuring a Memory Cache</A></H3>
<P>To configure a memory cache, create the <B>cacheinfo</B>
file to define the configuration parameters discussed previously. The
following instruction shows the standard mount location, <B>/afs</B>, and
the standard cache location, <B>/usr/vice/cache</B> (though the exact
value of the latter is irrelevant for a memory cache).
<PRE>
# <B>echo "/afs:/usr/vice/cache:</B><VAR>#blocks</VAR><B>" > /usr/vice/etc/cacheinfo</B>
</PRE>
<P>The following example allocates 25,000 KB of memory for the cache.
<PRE>
# <B>echo "/afs:/usr/vice/cache:25000" > /usr/vice/etc/cacheinfo</B>
</PRE>
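<P>The following script is an added example, not part of the IBM AFS distribution or of this guide. It turns the sizing rules above into code: it computes a block count from the space available on the cache partition and a percentage, writes a <B>cacheinfo</B> file, and checks an existing <B>cacheinfo</B> line against the limits stated in this section (three colon-separated fields, no more than 95% of the partition for a disk cache, the 90% guideline, the 10 MB disk-cache threshold, and the 1 MB and 5 MB memory-cache thresholds). The <TT>df -Pk</TT> helper is how you would obtain the real free space; the 81920 KB figure in the demonstration is constructed so that the script runs anywhere.

```sh
#!/bin/sh
# Added example (not from the IBM AFS distribution): size and validate
# /usr/vice/etc/cacheinfo according to the rules described above.

# Kilobytes available on the partition holding a directory (POSIX df output,
# column 4).  Use this on the real machine; the demonstration below uses a
# constructed figure instead.
partition_avail_kb() {   # directory
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Integer number of 1 KB blocks that is PERCENT of AVAIL_KB.
cache_blocks() {   # avail_kb percent
    echo $(( $1 * $2 / 100 ))
}

# Write the three-field cacheinfo line: mount_dir:cache_dir:blocks
write_cacheinfo() {   # mount_dir cache_dir blocks [file]
    printf '%s:%s:%s\n' "$1" "$2" "$3" > "${4:-/usr/vice/etc/cacheinfo}"
}

# Check one cacheinfo line.  Returns 0 if acceptable, 2 if afsd will start but
# the size is outside the guidelines, 1 if the line is malformed or afsd would
# refuse to start.  Diagnostics go to stderr.
check_cacheinfo() {   # cacheinfo_line avail_kb memcache(0|1)
    ci_line=$1; ci_avail=$2; ci_mem=${3:-0}
    ci_mnt=${ci_line%%:*}
    ci_rest=${ci_line#*:}
    ci_dir=${ci_rest%%:*}
    ci_blocks=${ci_rest#*:}
    # Each cut must have removed something, otherwise a colon was missing.
    if [ "$ci_rest" = "$ci_line" ] || [ "$ci_blocks" = "$ci_rest" ]; then
        echo "cacheinfo: expected mount_dir:cache_dir:blocks, got '$ci_line'" >&2; return 1
    fi
    case $ci_mnt in /*) ;; *) echo "cacheinfo: mount point '$ci_mnt' is not an absolute path" >&2; return 1 ;; esac
    case $ci_dir in /*) ;; *) echo "cacheinfo: cache directory '$ci_dir' is not an absolute path" >&2; return 1 ;; esac
    case $ci_blocks in '' | *[!0-9]*) echo "cacheinfo: block count '$ci_blocks' is not a number" >&2; return 1 ;; esac
    if [ "$ci_mem" -eq 1 ]; then
        # Memory cache: the partition is irrelevant, only the RAM thresholds apply.
        if [ "$ci_blocks" -lt 1024 ]; then
            echo "memory cache of $ci_blocks KB is below 1 MB and is nonfunctional" >&2; return 1
        fi
        if [ "$ci_blocks" -lt 5120 ]; then
            echo "memory cache of $ci_blocks KB is below 5 MB; performance is usually unsatisfactory" >&2; return 2
        fi
        return 0
    fi
    case $ci_avail in '' | *[!0-9]*) echo "cacheinfo: need the partition's available KB (df -Pk) for a disk cache" >&2; return 1 ;; esac
    ci_limit=$(cache_blocks "$ci_avail" 95)
    ci_guide=$(cache_blocks "$ci_avail" 90)
    if [ "$ci_blocks" -gt "$ci_limit" ]; then
        echo "disk cache of $ci_blocks KB exceeds 95% of the partition ($ci_limit KB); afsd will exit without starting" >&2; return 1
    fi
    if [ "$ci_blocks" -gt "$ci_guide" ]; then
        echo "disk cache of $ci_blocks KB is above the 90% guideline ($ci_guide KB); use 80% to 85% on AIX" >&2; return 2
    fi
    if [ "$ci_blocks" -lt 10240 ]; then
        echo "disk cache of $ci_blocks KB is under 10 MB and will perform poorly" >&2; return 2
    fi
    return 0
}

# Demonstration on a constructed figure: a cache partition with 81920 KB free,
# sized at the 90% guideline.  On a real machine replace the constant with
# $(partition_avail_kb /usr/vice/cache).
AVAIL_KB=81920
TMP=$(mktemp)
write_cacheinfo /afs /usr/vice/cache "$(cache_blocks "$AVAIL_KB" 90)" "$TMP"
cat "$TMP"                                              # /afs:/usr/vice/cache:73728
check_cacheinfo "$(cat "$TMP")" "$AVAIL_KB" 0 && echo "disk cacheinfo accepted"
rm -f "$TMP"
```

Run the check again after any change to the cache partition: the 95% limit is measured against the space available when <B>afsd</B> starts, so a partition that other processes have partly filled can make a previously valid <B>cacheinfo</B> line fail.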
|
|
<A NAME="IDX2549"></A>
<A NAME="IDX2550"></A>
<A NAME="IDX2551"></A>
<A NAME="IDX2552"></A>
<A NAME="IDX2553"></A>
<A NAME="IDX2554"></A>
<HR><H2><A NAME="HDRWQ70" HREF="auqbg002.htm#ToC_77">Configuring the Cache Manager</A></H2>
<P>By convention, the Cache Manager mounts the AFS filespace on
the local <B>/afs</B> directory. In this section you create that
directory.
<P>The <B>afsd</B> program sets several cache configuration parameters as
it initializes the Cache Manager, and starts daemons that improve
performance. You can use the <B>afsd</B> command's arguments
to override the parameters' default values and to change the number of
some of the daemons. Depending on the machine's cache size, its
amount of RAM, and how many people work on it, you can sometimes improve Cache
Manager performance by overriding the default values. For a discussion
of all of the <B>afsd</B> command's arguments, see its reference page
in the <I>IBM AFS Administration Reference</I>.
<P>The <B>afsd</B> command line in the AFS initialization script on each
system type includes an <TT>OPTIONS</TT> variable. You can use it to
set nondefault values for the command's arguments, in one of the
following ways:
<UL>
<P><LI>You can create an <B>afsd</B> <I>options file</I> that sets values
for arguments to the <B>afsd</B> command. If the file exists, its
contents are automatically substituted for the <TT>OPTIONS</TT> variable in
the AFS initialization script. The AFS distribution for some system
types includes an options file; on other system types, you must create
it.
<P>You use two variables in the AFS initialization script to specify the path
to the options file: <TT>CONFIG</TT> and <TT>AFSDOPT</TT>. On
system types that define a conventional directory for configuration files, the
<TT>CONFIG</TT> variable indicates it by default; otherwise, the
variable indicates an appropriate location.
<P>List the desired <B>afsd</B> options on a single line in the options
file, separating each option with one or more spaces. The following
example sets the <B>-stat</B> argument to 2500, the <B>-daemons</B>
argument to 4, and the <B>-volumes</B> argument to 100.
<PRE>
-stat 2500 -daemons 4 -volumes 100
</PRE>
<P><LI>On a machine that uses a disk cache, you can set the <TT>OPTIONS</TT>
variable in the AFS initialization script to one of <TT>$SMALL</TT>,
<TT>$MEDIUM</TT>, or <TT>$LARGE</TT>. The AFS initialization script
uses one of these settings if the <B>afsd</B> options file named by the
<TT>AFSDOPT</TT> variable does not exist. In the script as
distributed, the <TT>OPTIONS</TT> variable is set to the value
<TT>$MEDIUM</TT>.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Do not set the <TT>OPTIONS</TT> variable to <TT>$SMALL</TT>,
<TT>$MEDIUM</TT>, or <TT>$LARGE</TT> on a machine that uses a memory
cache. The arguments it sets are appropriate only on a machine that
uses a disk cache.
</TD></TR></TABLE>
<P>The script (or on some system types the <B>afsd</B> options file named
by the <TT>AFSDOPT</TT> variable) defines a value for each of
<TT>SMALL</TT>, <TT>MEDIUM</TT>, and <TT>LARGE</TT> that sets
<B>afsd</B> command arguments appropriately for client machines of
different sizes:
<UL>
<P><LI><TT>SMALL</TT> is suitable for a small machine that serves one or two
users and has approximately 8 MB of RAM and a 20-MB cache
<P><LI><TT>MEDIUM</TT> is suitable for a medium-sized machine that serves two
to six users and has 16 MB of RAM and a 40-MB cache
<P><LI><TT>LARGE</TT> is suitable for a large machine that serves five to ten
users and has 32 MB of RAM and a 100-MB cache
</UL>
<P><LI>You can choose not to create an <B>afsd</B> options file and to set
the <TT>OPTIONS</TT> variable in the initialization script to a null value
rather than to the default <TT>$MEDIUM</TT> value. You can then
either set arguments directly on the <B>afsd</B> command line in the
script, or set no arguments (and so accept default values for all Cache
Manager parameters).
</UL>
<OL TYPE=1>
<P><LI>Create the local directory on which to mount the AFS filespace, by
convention <B>/afs</B>. If the directory already exists, verify
that it is empty.
<PRE>
# <B>mkdir /afs</B>
</PRE>
<P><LI>On AIX systems, add the following line to the <B>/etc/vfs</B>
file. It enables AIX to unmount AFS correctly during shutdown.
<PRE>
afs 4 none none
</PRE>
<P><LI>On Linux systems, copy the <B>afsd</B> options file from the
<B>/usr/vice/etc</B> directory to the <B>/etc/sysconfig</B> directory,
removing the <B>.conf</B> extension as you do so.
<PRE>
# <B>cp /usr/vice/etc/afs.conf /etc/sysconfig/afs</B>
</PRE>
<P><LI>Edit the machine's AFS initialization script or <B>afsd</B>
options file to set appropriate values for <B>afsd</B> command
parameters. The script resides in the indicated location on each system
type:
<UL>
<P><LI>On AIX systems, <B>/etc/rc.afs</B>
<P><LI>On Digital UNIX systems, <B>/sbin/init.d/afs</B>
<P><LI>On HP-UX systems, <B>/sbin/init.d/afs</B>
<P><LI>On IRIX systems, <B>/etc/init.d/afs</B>
<P><LI>On Linux systems, <B>/etc/sysconfig/afs</B> (the <B>afsd</B>
options file)
<P><LI>On Solaris systems, <B>/etc/init.d/afs</B>
</UL>
<P>Use one of the methods described in the introduction to this section to add
the following flags to the <B>afsd</B> command line. If you intend
for the machine to remain an AFS client, also set any performance-related
arguments you wish.
<UL>
<P><LI>Add the <B>-nosettime</B> flag, because this is a file server machine
that is also a client. The flag prevents the machine from picking a
file server machine in the cell as its source for the correct time, which
client machines normally do. File server machines instead use NTPD (as
controlled by the <B>runntp</B> process) or another protocol to
synchronize their clocks.
<P><LI>Add the <B>-memcache</B> flag if the machine is to use a memory
cache.
<P><LI>Add the <B>-verbose</B> flag to display a trace of the Cache
Manager's initialization on the standard output stream.
</UL>
</OL>
|
|
<A NAME="IDX2555"></A>
<A NAME="IDX2556"></A>
<HR><H2><A NAME="HDRWQ71" HREF="auqbg002.htm#ToC_78">Overview: Completing the Installation of the First AFS Machine</A></H2>
<P>The machine is now configured as an AFS file server and
client machine. In this final phase of the installation, you initialize
the Cache Manager and then create the upper levels of your AFS filespace,
among other procedures. The procedures are:
<OL TYPE=1>
<P><LI>Verify that the initialization script works correctly, and incorporate it
into the operating system's startup and shutdown sequence
<P><LI>Create and mount top-level volumes
<P><LI>Create and mount volumes to store system binaries in AFS
<P><LI>Enable access to foreign cells
<P><LI>Institute additional security measures
<P><LI>Remove client functionality if desired
</OL>
|
|
<A NAME="IDX2557"></A>
<A NAME="IDX2558"></A>
<A NAME="IDX2559"></A>
<A NAME="IDX2560"></A>
<A NAME="IDX2561"></A>
<HR><H2><A NAME="HDRWQ72" HREF="auqbg002.htm#ToC_79">Verifying the AFS Initialization Script</A></H2>
<P>At this point you run the AFS initialization script to verify
that it correctly invokes all of the necessary programs and AFS processes, and
that they start correctly. The following are the relevant
commands:
<UL>
<P><LI>The command that dynamically loads AFS modifications into the kernel, on
some system types (not applicable if the kernel has AFS modifications built
in)
<P><LI>The <B>bosserver</B> command, which starts the BOS Server; it in
turn starts the server processes for which you created entries in the
<B>/usr/afs/local/BosConfig</B> file
<P><LI>The <B>afsd</B> command, which initializes the Cache Manager
</UL>
<P>On system types that use a dynamic loader program, you must reboot the
machine before running the initialization script, so that it can freshly load
AFS modifications into the kernel.
<P>If there are problems during the initialization, attempt to resolve
them. The AFS Product Support group can provide assistance if
necessary.
<OL TYPE=1>
<A NAME="IDX2562"></A>
<A NAME="IDX2563"></A>
<P><LI>Issue the <B>bos shutdown</B> command to shut down the AFS server
processes other than the BOS Server. Include the <B>-wait</B> flag
to delay return of the command shell prompt until all processes shut down
completely.
<PRE>
# <B>/usr/afs/bin/bos shutdown</B> <<VAR>machine name</VAR>> <B>-wait</B>
</PRE>
<P><LI>Issue the <B>ps</B> command to learn the <B>bosserver</B>
process's process ID number (PID), and then the <B>kill</B> command
to stop it.
<PRE>
# <B>ps</B> <VAR>appropriate_ps_options</VAR> <B>| grep bosserver</B>
# <B>kill</B> <VAR>bosserver_PID</VAR>
</PRE>
<P><LI>Issue the appropriate commands to run the AFS initialization script for
this system type.
<A NAME="IDX2564"></A>
<P><B>On AIX systems:</B>
<OL TYPE=a>
<P><LI>Reboot the machine and log in again as the local superuser
<B>root</B>.
<PRE>
# <B>cd /</B>
# <B>shutdown -r now</B>
login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
<P><LI>Run the AFS initialization script.
<PRE>
# <B>/etc/rc.afs</B>
</PRE>
</OL>
<A NAME="IDX2565"></A>
<P><B>On Digital UNIX systems:</B>
<OL TYPE=a>
<P><LI>Run the AFS initialization script.
<PRE>
# <B>/sbin/init.d/afs start</B>
</PRE>
</OL>
<A NAME="IDX2566"></A>
<P><B>On HP-UX systems:</B>
<OL TYPE=a>
<P><LI>Run the AFS initialization script.
<PRE>
# <B>/sbin/init.d/afs start</B>
</PRE>
</OL>
<A NAME="IDX2567"></A>
<A NAME="IDX2568"></A>
<A NAME="IDX2569"></A>
<A NAME="IDX2570"></A>
<A NAME="IDX2571"></A>
<A NAME="IDX2572"></A>
<A NAME="IDX2573"></A>
<P><B>On IRIX systems:</B>
<OL TYPE=a>
<P><LI>If you have configured the machine to use the <B>ml</B> dynamic loader
program, reboot the machine and log in again as the local superuser
<B>root</B>.
<PRE>
# <B>cd /</B>
# <B>shutdown -i6 -g0 -y</B>
login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
<P><LI>Issue the <B>chkconfig</B> command to activate the
<B>afsserver</B> and <B>afsclient</B> configuration variables.
<PRE>
# <B>/etc/chkconfig -f afsserver on</B>
# <B>/etc/chkconfig -f afsclient on</B>
</PRE>
<P><LI>Run the AFS initialization script.
<PRE>
# <B>/etc/init.d/afs start</B>
</PRE>
</OL>
<A NAME="IDX2574"></A>
<P><B>On Linux systems:</B>
<OL TYPE=a>
<P><LI>Reboot the machine and log in again as the local superuser
<B>root</B>.
<PRE>
# <B>cd /</B>
# <B>shutdown -r now</B>
login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
<P><LI>Run the AFS initialization script.
<PRE>
# <B>/etc/rc.d/init.d/afs start</B>
</PRE>
</OL>
<A NAME="IDX2575"></A>
<P><B>On Solaris systems:</B>
<OL TYPE=a>
<P><LI>Reboot the machine and log in again as the local superuser
<B>root</B>.
<PRE>
# <B>cd /</B>
# <B>shutdown -i6 -g0 -y</B>
login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
<P><LI>Run the AFS initialization script.
<PRE>
# <B>/etc/init.d/afs start</B>
</PRE>
</OL>
<A NAME="IDX2576"></A>
<A NAME="IDX2577"></A>
<P><LI>Wait for the message that confirms that Cache Manager initialization is
complete.
<P>On machines that use a disk cache, it can take a while to initialize the
Cache Manager for the first time, because the <B>afsd</B> program must
create all of the <B>V</B><VAR>n</VAR> files in the cache directory.
Subsequent Cache Manager initializations do not take nearly as long, because
the <B>V</B><VAR>n</VAR> files already exist.
<P>As a basic test of correct AFS functioning, issue the <B>klog</B>
command to authenticate as the <B>admin</B> user. Provide the
password (<VAR>admin_passwd</VAR>) you defined in <A HREF="#HDRWQ53">Initializing Cell Security</A>.
<PRE>
# <B>/usr/afs/bin/klog admin</B>
Password: <VAR>admin_passwd</VAR>
</PRE>
<A NAME="IDX2578"></A>
<A NAME="IDX2579"></A>
<P><LI>Issue the <B>tokens</B> command to verify that the <B>klog</B>
command worked correctly. If it did, the output looks similar to the
following example for the <B>abc.com</B> cell, where
<B>admin</B>'s AFS UID is 1. If the output lists no token (only
the <TT>--End of list--</TT> line appears), the <B>klog</B> command did
not authenticate; resolve the problem before continuing. Changes to the AFS
initialization script are possibly necessary. The AFS Product Support group
can provide assistance as necessary.
<PRE>
# <B>/usr/afs/bin/tokens</B>
Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@abc.com [Expires May 22 11:52]
--End of list--
</PRE>
<P><LI>Issue the <B>bos status</B> command to verify that the output for each
process reads <TT>currently running normally</TT>.
<PRE>
# <B>/usr/afs/bin/bos status</B> <<VAR>machine name</VAR>>
</PRE>
<A NAME="IDX2580"></A>
<A NAME="IDX2581"></A>
<P><LI>Change directory to the local file system root (<B>/</B>) and issue
the <B>fs checkvolumes</B> command.
<PRE>
# <B>cd /</B>
# <B>/usr/afs/bin/fs checkvolumes</B>
</PRE>
</OL>
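<P>The following script is an added example, not part of the IBM AFS distribution or of this guide. It automates the checks in steps 4 through 6 above: it extracts the AFS ID from <B>tokens</B> output for the local cell (an empty result means the <B>klog</B> command obtained no token) and confirms that every instance in <B>bos status</B> output reports that it is running normally. The two sample outputs embedded in it are constructed from the formats shown above, not captured from a real cell; on the real machine pass the commands' actual output in, as described after the code.

```sh
#!/bin/sh
# Added example (not from the IBM AFS distribution): check the output of the
# tokens and bos status commands after the initialization script has run.

# Print the AFS ID of the token held for afs@CELL, or nothing if there is none.
tokens_afs_id() {   # tokens_output cell_name
    printf '%s\n' "$1" | awk -v cell="$2" '
        index($0, "tokens for afs@" cell " ") && match($0, /AFS ID [0-9]+/) {
            print substr($0, RSTART + 7, RLENGTH - 7); exit
        }'
}

# Return 0 if every "Instance ..." line reports "currently running normally",
# 1 otherwise (each offending line is echoed to stderr).
bos_status_ok() {   # bos_status_output
    printf '%s\n' "$1" | awk '
        /^Instance / {
            total++
            if (tolower($0) !~ /currently running normally/) {
                bad++; print ("bos status: " $0) > "/dev/stderr"
            }
        }
        END {
            if (total == 0) { print "bos status: no Instance lines found" > "/dev/stderr"; exit 1 }
            exit (bad > 0)
        }'
}

# Combine both checks; prints a one-line verdict and returns 0 only if both pass.
verify_first_machine() {   # tokens_output bos_status_output cell_name
    vfm_id=$(tokens_afs_id "$1" "$3")
    vfm_ok=0
    if [ -z "$vfm_id" ]; then
        echo "no token for afs@$3: klog did not succeed" >&2; vfm_ok=1
    else
        echo "admin token present (AFS ID $vfm_id)"
    fi
    bos_status_ok "$2" || vfm_ok=1
    return $vfm_ok
}

# Constructed sample outputs in the formats shown above (not captured from a
# real cell).  The second bos status sample shows one process that is down.
TOKENS_SAMPLE="Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@abc.com [Expires May 22 11:52]
--End of list--"

BOS_SAMPLE_GOOD="Instance kaserver, currently running normally.
Instance buserver, currently running normally.
Instance ptserver, currently running normally.
Instance vlserver, currently running normally.
Instance fs, currently running normally.
    Auxiliary status is: file server running.
Instance upserver, currently running normally.
Instance runntp, currently running normally."

BOS_SAMPLE_BAD="Instance kaserver, currently running normally.
Instance fs, currently shutdown."

if verify_first_machine "$TOKENS_SAMPLE" "$BOS_SAMPLE_GOOD" abc.com; then
    echo "first machine looks healthy"
fi
verify_first_machine "$TOKENS_SAMPLE" "$BOS_SAMPLE_BAD" abc.com || echo "one or more processes are not running"
```

On the machine itself, after the <B>klog</B> step, call <TT>verify_first_machine "$(/usr/afs/bin/tokens)" "$(/usr/afs/bin/bos status <VAR>machine name</VAR>)" <VAR>cell name</VAR></TT>; a nonzero exit status means either the token or one of the BOS-controlled processes is missing, and the diagnostics on stderr say which.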
|
|
<A NAME="IDX2582"></A>
<A NAME="IDX2583"></A>
<A NAME="IDX2584"></A>
<A NAME="IDX2585"></A>
<HR><H2><A NAME="HDRWQ73" HREF="auqbg002.htm#ToC_80">Activating the AFS Initialization Script</A></H2>
<P>Now that you have confirmed that the AFS initialization
script works correctly, take the action necessary to have it run automatically
at each reboot. Proceed to the instructions for your system type:
<UL>
<P><LI><A HREF="#HDRWQ74">Activating the Script on AIX Systems</A>
<P><LI><A HREF="#HDRWQ75">Activating the Script on Digital UNIX Systems</A>
<P><LI><A HREF="#HDRWQ76">Activating the Script on HP-UX Systems</A>
<P><LI><A HREF="#HDRWQ77">Activating the Script on IRIX Systems</A>
<P><LI><A HREF="#HDRWQ78">Activating the Script on Linux Systems</A>
<P><LI><A HREF="#HDRWQ79">Activating the Script on Solaris Systems</A>
</UL>
<A NAME="IDX2586"></A>
<P><H3><A NAME="HDRWQ74" HREF="auqbg002.htm#ToC_81">Activating the Script on AIX Systems</A></H3>
<OL TYPE=1>
<P><LI>Edit the AIX initialization file, <B>/etc/inittab</B>, adding the
following line to invoke the AFS initialization script. Place it just
after the line that starts NFS daemons.
<PRE>
rcafs:2:wait:/etc/rc.afs > /dev/console 2>&1 # Start AFS services
</PRE>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and <B>/etc</B> directories.
If you want to avoid potential confusion by guaranteeing that they are always
the same, create a link between them. You can always retrieve the
original script from the AFS CD-ROM if necessary.
<PRE>
# <B>cd /usr/vice/etc</B>
# <B>rm rc.afs</B>
# <B>ln -s /etc/rc.afs</B>
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
</OL>
<A NAME="IDX2587"></A>
<P><H3><A NAME="HDRWQ75" HREF="auqbg002.htm#ToC_82">Activating the Script on Digital UNIX Systems</A></H3>
<OL TYPE=1>
<P><LI>Change to the <B>/sbin/init.d</B> directory and issue the
<B>ln -s</B> command to create symbolic links that incorporate the AFS
initialization script into the Digital UNIX startup and shutdown
sequence.
<PRE>
# <B>cd /sbin/init.d</B>
# <B>ln -s ../init.d/afs /sbin/rc3.d/S67afs</B>
# <B>ln -s ../init.d/afs /sbin/rc0.d/K66afs</B>
</PRE>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and <B>/sbin/init.d</B>
directories. If you want to avoid potential confusion by guaranteeing
that they are always the same, create a link between them. You can
always retrieve the original script from the AFS CD-ROM if necessary.
<PRE>
# <B>cd /usr/vice/etc</B>
# <B>rm afs.rc</B>
# <B>ln -s /sbin/init.d/afs afs.rc</B>
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
</OL>
<A NAME="IDX2588"></A>
<P><H3><A NAME="HDRWQ76" HREF="auqbg002.htm#ToC_83">Activating the Script on HP-UX Systems</A></H3>
|
<OL TYPE=1>
|
|
<P><LI>Change to the <B>/sbin/init.d</B> directory and issue the
|
|
<B>ln -s</B> command to create symbolic links that incorporate the AFS
|
|
initialization script into the HP-UX startup and shutdown sequence.
|
|
<PRE>
|
|
# <B>cd /sbin/init.d</B>
|
|
|
|
# <B>ln -s ../init.d/afs /sbin/rc2.d/S460afs</B>
|
|
|
|
# <B>ln -s ../init.d/afs /sbin/rc2.d/K800afs</B>
|
|
|
|
</PRE>
|
|
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
|
|
in both the <B>/usr/vice/etc</B> and <B>/sbin/init.d</B>
|
|
directories. If you want to avoid potential confusion by guaranteeing
|
|
that they are always the same, create a link between them. You can
|
|
always retrieve the original script from the AFS CD-ROM if necessary.
|
|
<PRE>
|
|
# <B>cd /usr/vice/etc</B>
|
|
|
|
# <B>rm afs.rc</B>
|
|
|
|
# <B>ln -s /sbin/init.d/afs afs.rc</B>
|
|
|
|
</PRE>
|
|
<P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
|
|
</OL>
|
|
<A NAME="IDX2589"></A>
|
|
<P><H3><A NAME="HDRWQ77" HREF="auqbg002.htm#ToC_84">Activating the Script on IRIX Systems</A></H3>
|
|
<OL TYPE=1>
|
|
<P><LI>Change to the <B>/etc/init.d</B> directory and issue the
|
|
<B>ln -s</B> command to create symbolic links that incorporate the AFS
|
|
initialization script into the IRIX startup and shutdown sequence.
|
|
<PRE>
|
|
# <B>cd /etc/init.d</B>
|
|
|
|
# <B>ln -s ../init.d/afs /etc/rc2.d/S35afs</B>
|
|
|
|
# <B>ln -s ../init.d/afs /etc/rc0.d/K35afs</B>
|
|
|
|
</PRE>
|
|
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
|
|
in both the <B>/usr/vice/etc</B> and <B>/etc/init.d</B>
|
|
directories. If you want to avoid potential confusion by guaranteeing
|
|
that they are always the same, create a link between them. You can
|
|
always retrieve the original script from the AFS CD-ROM if necessary.
|
|
<PRE>
|
|
# <B>cd /usr/vice/etc</B>
|
|
|
|
# <B>rm afs.rc</B>
|
|
|
|
# <B>ln -s /etc/init.d/afs afs.rc</B>
|
|
|
|
</PRE>
|
|
<P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
|
|
</OL>
|
|
<A NAME="IDX2590"></A>
|
|
<P><H3><A NAME="HDRWQ78" HREF="auqbg002.htm#ToC_85">Activating the Script on Linux Systems</A></H3>
|
|
<OL TYPE=1>
|
|
<P><LI>Issue the <B>chkconfig</B> command to activate the <B>afs</B>
|
|
configuration variable. Based on the instruction in the AFS
|
|
initialization file that begins with the string <TT>#chkconfig</TT>, the
|
|
command automatically creates the symbolic links that incorporate the script
|
|
into the Linux startup and shutdown sequence.
|
|
<PRE>
|
|
# <B>/sbin/chkconfig --add afs</B>
|
|
|
|
</PRE>
|
|
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
|
|
in both the <B>/usr/vice/etc</B> and
|
|
<B>/etc/rc.d/init.d</B> directories, and copies of the
|
|
<B>afsd</B> options file in both the <B>/usr/vice/etc</B> and
|
|
<B>/etc/sysconfig</B> directories. If you want to avoid potential
|
|
confusion by guaranteeing that the two copies of each file are always the
|
|
same, create a link between them. You can always retrieve the original
|
|
script or options file from the AFS CD-ROM if necessary.
|
|
<PRE>
|
|
# <B>cd /usr/vice/etc</B>
|
|
|
|
# <B>rm afs.rc afs.conf</B>
|
|
|
|
# <B>ln -s /etc/rc.d/init.d/afs afs.rc</B>
|
|
|
|
# <B>ln -s /etc/sysconfig/afs afs.conf</B>
|
|
|
|
</PRE>
|
|
<P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
|
|
</OL>
|
|
<A NAME="IDX2591"></A>
|
|
<P><H3><A NAME="HDRWQ79" HREF="auqbg002.htm#ToC_86">Activating the Script on Solaris Systems</A></H3>
|
|
<OL TYPE=1>
|
|
<P><LI>Change to the <B>/etc/init.d</B> directory and issue the
|
|
<B>ln -s</B> command to create symbolic links that incorporate the AFS
|
|
initialization script into the Solaris startup and shutdown sequence.
|
|
<PRE>
|
|
# <B>cd /etc/init.d</B>
|
|
|
|
# <B>ln -s ../init.d/afs /etc/rc3.d/S99afs</B>
|
|
|
|
# <B>ln -s ../init.d/afs /etc/rc0.d/K66afs</B>
|
|
|
|
</PRE>
|
|
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
|
|
in both the <B>/usr/vice/etc</B> and <B>/etc/init.d</B>
|
|
directories. If you want to avoid potential confusion by guaranteeing
|
|
that they are always the same, create a link between them. You can
|
|
always retrieve the original script from the AFS CD-ROM if necessary.
|
|
<PRE>
|
|
# <B>cd /usr/vice/etc</B>
|
|
|
|
# <B>rm afs.rc</B>
|
|
|
|
# <B>ln -s /etc/init.d/afs afs.rc</B>
|
|
|
|
</PRE>
|
|
</OL>
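<P>Whichever system type you followed above, the result is worth confirming after the reboot: each run-level link must resolve to the initialization script, and the copy in <B>/usr/vice/etc</B> must not drift from the system copy. The following shell check is added here as an example and is not part of the IBM AFS documentation or the OpenAFS distribution; the Solaris link names come from the steps above, while <B>demo_afs_activation</B> and the scratch directory it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verifies the AFS init script activation described in this
# guide. Not part of the IBM AFS documentation or the OpenAFS distribution.

# check_afs_activation INIT_SCRIPT VICE_COPY RC_LINK...
# INIT_SCRIPT is the system copy (e.g. /etc/init.d/afs), VICE_COPY the copy
# or link kept in /usr/vice/etc, RC_LINK... the S/K links created for this
# system type. Prints one line per problem; returns 0 when all is consistent.
check_afs_activation() {
    init=$1
    vice=$2
    shift 2
    rc=0
    if [ ! -f "$init" ] || [ ! -x "$init" ]; then
        echo "$init: missing or not executable"
        rc=1
    fi
    for link; do
        if [ ! -L "$link" ]; then
            echo "$link: not a symbolic link"
            rc=1
        elif ! cmp -s "$link" "$init"; then
            # cmp follows the link, so a dangling or mis-targeted link fails here
            echo "$link: does not resolve to $init"
            rc=1
        fi
    done
    # The guide's optional step makes VICE_COPY a link to INIT_SCRIPT; a plain
    # copy is tolerated only while its content is still identical.
    if ! cmp -s "$vice" "$init"; then
        echo "$vice: differs from $init (re-create the link as in this guide)"
        rc=1
    fi
    return $rc
}

# Link names for a Solaris system, from this guide; substitute the names in
# the subsection for your own system type. On a real machine, run as root:
#   check_afs_activation /etc/init.d/afs /usr/vice/etc/afs.rc $SOLARIS_LINKS
SOLARIS_LINKS='/etc/rc3.d/S99afs /etc/rc0.d/K66afs'

# demo_afs_activation: builds a constructed Solaris-style tree in a scratch
# directory, checks it, then lets the /usr/vice/etc copy drift and checks
# again. Returns 0 when the first check passes and the second one fails.
demo_afs_activation() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/etc/init.d" "$root/etc/rc3.d" "$root/etc/rc0.d" \
             "$root/usr/vice/etc"
    printf '#!/bin/sh\n# constructed stand-in for the AFS init script\n' \
        > "$root/etc/init.d/afs"
    chmod 755 "$root/etc/init.d/afs"
    ln -s ../init.d/afs "$root/etc/rc3.d/S99afs"
    ln -s ../init.d/afs "$root/etc/rc0.d/K66afs"
    ln -s "$root/etc/init.d/afs" "$root/usr/vice/etc/afs.rc"
    good=0
    check_afs_activation "$root/etc/init.d/afs" "$root/usr/vice/etc/afs.rc" \
        "$root/etc/rc3.d/S99afs" "$root/etc/rc0.d/K66afs" || good=$?
    # Replace the link with an edited stale copy: the check must now fail.
    rm "$root/usr/vice/etc/afs.rc"
    printf '#!/bin/sh\n# stale copy\n' > "$root/usr/vice/etc/afs.rc"
    drift=0
    check_afs_activation "$root/etc/init.d/afs" "$root/usr/vice/etc/afs.rc" \
        "$root/etc/rc3.d/S99afs" "$root/etc/rc0.d/K66afs" >/dev/null || drift=$?
    rm -rf "$root"
    [ "$good" -eq 0 ] && [ "$drift" -eq 1 ]
}
```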
<A NAME="IDX2592"></A>
<A NAME="IDX2593"></A>
<HR><H2><A NAME="HDRWQ80" HREF="auqbg002.htm#ToC_87">Configuring the Top Levels of the AFS Filespace</A></H2>
<P>If you have not previously run AFS in your cell, you now
configure the top levels of your cell's AFS filespace. If you have
run a previous version of AFS, the filespace is already configured.
Proceed to <A HREF="#HDRWQ83">Storing AFS Binaries in AFS</A>.
<A NAME="IDX2594"></A>
<A NAME="IDX2595"></A>
<A NAME="IDX2596"></A>
<P>You created the <B>root.afs</B> volume in <A HREF="#HDRWQ60">Starting the File Server, Volume Server, and Salvager</A>, and the Cache Manager mounted it automatically on the local
<B>/afs</B> directory when you ran the AFS initialization script in <A HREF="#HDRWQ72">Verifying the AFS Initialization Script</A>. You now set the access control list (ACL) on the
<B>/afs</B> directory; creating, mounting, and setting the ACL are
the three steps required when creating any volume.
<P>After setting the ACL on the <B>root.afs</B> volume, you create
your cell's <B>root.cell</B> volume, mount it as a
subdirectory of the <B>/afs</B> directory, and set the ACL. Create
both a read/write and a regular mount point for the
<B>root.cell</B> volume. The read/write mount point enables
you to access the read/write version of replicated volumes when
necessary. Creating both mount points essentially creates separate
read-only and read-write copies of your filespace, and enables the Cache
Manager to traverse the filespace on a read-only path or read/write path as
appropriate. For further discussion of these concepts, see the chapter
in the <I>IBM AFS Administration Guide</I> about administering
volumes.
<A NAME="IDX2597"></A>
<A NAME="IDX2598"></A>
<A NAME="IDX2599"></A>
<P>Then replicate both the <B>root.afs</B> and
<B>root.cell</B> volumes. This is required if you want to
replicate any other volumes in your cell, because all volumes mounted above a
replicated volume must themselves be replicated in order for the Cache Manager
to access the replica.
<P>When the <B>root.afs</B> volume is replicated, the Cache Manager
is programmed to access its read-only version
(<B>root.afs.readonly</B>) whenever possible. To make
changes to the contents of the <B>root.afs</B> volume (when, for
example, you mount another cell's <B>root.cell</B> volume at
the second level in your filespace), you must mount the
<B>root.afs</B> volume temporarily, make the changes, release the
volume and remove the temporary mount point. For instructions, see <A HREF="#HDRWQ91">Enabling Access to Foreign Cells</A>.
<A NAME="IDX2600"></A>
<A NAME="IDX2601"></A>
<A NAME="IDX2602"></A>
<A NAME="IDX2603"></A>
<OL TYPE=1>
<P><LI>Issue the <B>fs setacl</B> command to edit the ACL on the
<B>/afs</B> directory. Add an entry that grants the <B>l</B>
(<B>lookup</B>) and <B>r</B> (<B>read</B>) permissions to the
<B>system:anyuser</B> group, to enable all AFS users who can reach
your cell to traverse through the directory. If you prefer to enable
access only to locally authenticated users, substitute the
<B>system:authuser</B> group.
<P>Note that there is already an ACL entry that grants all seven access rights
to the <B>system:administrators</B> group. It is a default
entry that AFS places on every new volume's root directory.
<PRE>
# <B>/usr/afs/bin/fs setacl /afs system:anyuser rl</B>
</PRE>
<A NAME="IDX2604"></A>
<A NAME="IDX2605"></A>
<A NAME="IDX2606"></A>
<A NAME="IDX2607"></A>
<A NAME="IDX2608"></A>
<A NAME="IDX2609"></A>
<A NAME="IDX2610"></A>
<P><LI><A NAME="LIWQ81"></A>Issue the <B>vos create</B> command to create the
<B>root.cell</B> volume. Then issue the <B>fs
mkmount</B> command to mount it as a subdirectory of the <B>/afs</B>
directory, where it serves as the root of your cell's local AFS
filespace. Finally, issue the <B>fs setacl</B> command to create an
ACL entry for the <B>system:anyuser</B> group (or
<B>system:authuser</B> group).
<P>For the <VAR>partition name</VAR> argument, substitute the name of one of the
machine's AFS server partitions (such as <B>/vicepa</B>). For
the <VAR>cellname</VAR> argument, substitute your cell's fully-qualified
Internet domain name (such as <B>abc.com</B>).
<PRE>
# <B>/usr/afs/bin/vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <B>root.cell</B>

# <B>/usr/afs/bin/fs mkmount /afs/</B><VAR>cellname</VAR> <B>root.cell</B>

# <B>/usr/afs/bin/fs setacl /afs/</B><VAR>cellname</VAR> <B>system:anyuser rl</B>
</PRE>
<A NAME="IDX2611"></A>
<A NAME="IDX2612"></A>
<A NAME="IDX2613"></A>
<P><LI><B>(Optional)</B> Create a symbolic link to a shortened cell name, to
reduce the length of pathnames for users in the local cell. For
example, in the <B>abc.com</B> cell, <B>/afs/abc</B> is a link
to <B>/afs/abc.com</B>.
<PRE>
# <B>cd /afs</B>

# <B>ln -s</B> <VAR>full_cellname</VAR> <VAR>short_cellname</VAR>
</PRE>
<A NAME="IDX2614"></A>
<A NAME="IDX2615"></A>
<A NAME="IDX2616"></A>
<P><LI>Issue the <B>fs mkmount</B> command to create a read/write mount point
for the <B>root.cell</B> volume (you created a regular mount point
in Step <A HREF="#LIWQ81">2</A>).
<P>By convention, the name of a read/write mount point begins with a period,
both to distinguish it from the regular mount point and to make it visible
only when the <B>-a</B> flag is used on the <B>ls</B> command.
<P>Change directory to <B>/usr/afs/bin</B> to make it easier to access the
command binaries.
<PRE>
# <B>cd /usr/afs/bin</B>

# <B>./fs mkmount /afs/.</B><VAR>cellname</VAR> <B>root.cell -rw</B>
</PRE>
<A NAME="IDX2617"></A>
<A NAME="IDX2618"></A>
<A NAME="IDX2619"></A>
<A NAME="IDX2620"></A>
<P><LI><A NAME="LIWQ82"></A>Issue the <B>vos addsite</B> command to define a replication
site for both the <B>root.afs</B> and <B>root.cell</B>
volumes. In each case, substitute for the <VAR>partition name</VAR>
argument the partition where the volume's read/write version
resides. When you install additional file server machines, it is a good
idea to create replication sites on them as well.
<PRE>
# <B>./vos addsite</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <B>root.afs</B>

# <B>./vos addsite</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <B>root.cell</B>
</PRE>
<A NAME="IDX2621"></A>
<A NAME="IDX2622"></A>
<P><LI>Issue the <B>fs examine</B> command to verify that the Cache Manager
can access both the <B>root.afs</B> and <B>root.cell</B>
volumes, before you attempt to replicate them. The output lists each
volume's name, volume ID number, quota, size, and the size of the
partition that houses them. If you get an error message instead, do not
continue before taking corrective action.
<PRE>
# <B>./fs examine /afs</B>

# <B>./fs examine /afs/</B><VAR>cellname</VAR>
</PRE>
<A NAME="IDX2623"></A>
<A NAME="IDX2624"></A>
<A NAME="IDX2625"></A>
<A NAME="IDX2626"></A>
<P><LI>Issue the <B>vos release</B> command to release a replica of the
<B>root.afs</B> and <B>root.cell</B> volumes to the
sites you defined in Step <A HREF="#LIWQ82">5</A>.
<PRE>
# <B>./vos release root.afs</B>

# <B>./vos release root.cell</B>
</PRE>
<A NAME="IDX2627"></A>
<A NAME="IDX2628"></A>
<P><LI>Issue the <B>fs checkvolumes</B> command to force the Cache Manager to notice
that you have released read-only versions of the volumes, then issue the
<B>fs examine</B> command again. This time its output mentions the
read-only version of the volumes (<B>root.afs.readonly</B>
and <B>root.cell.readonly</B>) instead of the read/write
versions, because of the Cache Manager's bias to access the read-only
version of the <B>root.afs</B> volume if it exists.
<PRE>
# <B>./fs checkvolumes</B>

# <B>./fs examine /afs</B>

# <B>./fs examine /afs/</B><VAR>cellname</VAR>
</PRE>
</OL>
<A NAME="IDX2629"></A>
<A NAME="IDX2630"></A>
<A NAME="IDX2631"></A>
<A NAME="IDX2632"></A>
<A NAME="IDX2633"></A>
<A NAME="IDX2634"></A>
<HR><H2><A NAME="HDRWQ83" HREF="auqbg002.htm#ToC_88">Storing AFS Binaries in AFS</A></H2>
<P>In the conventional configuration, you make AFS client
binaries and configuration files available in the subdirectories of the
<B>/usr/afsws</B> directory on client machines (<B>afsws</B> is an
acronym for <B>AFS
w</B><I>ork</I><B>s</B><I>tation</I>). You can conserve
local disk space by creating <B>/usr/afsws</B> as a link to an AFS volume
that houses the AFS client binaries and configuration files for this system
type.
<P>In this section you create the necessary volumes. The conventional
location to which to link <B>/usr/afsws</B> is
<B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>,
where <VAR>sysname</VAR> is the appropriate system type name as specified in the
<I>IBM AFS Release Notes</I>. The instructions in <A HREF="auqbg007.htm#HDRWQ133">Installing Additional Client Machines</A> assume that you have followed the instructions in this
section.
<P>If you have previously run AFS in the cell, the volumes possibly already
exist. If so, you need to perform Step <A HREF="#LIWQ86">8</A> only.
<P>The current working directory is still <B>/usr/afs/bin</B>, which
houses the <B>fs</B> and <B>vos</B> command suite binaries. In
the following commands, it is possible you still need to specify the pathname
to the commands, depending on how your PATH environment variable is
set.
<OL TYPE=1>
<A NAME="IDX2635"></A>
<A NAME="IDX2636"></A>
<P><LI><A NAME="LIWQ84"></A>Issue the <B>vos create</B> command to create volumes for
storing the AFS client binaries for this system type. The following
example instruction creates volumes called <VAR>sysname</VAR>,
<VAR>sysname</VAR>.<B>usr</B>, and
<VAR>sysname</VAR>.<B>usr.afsws</B>. Refer to the
<I>IBM AFS Release Notes</I> to learn the proper value of <VAR>sysname</VAR>
for this system type.
<PRE>
# <B>vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <VAR>sysname</VAR>

# <B>vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <VAR>sysname</VAR><B>.usr</B>

# <B>vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <VAR>sysname</VAR><B>.usr.afsws</B>
</PRE>
<P><LI>Issue the <B>fs mkmount</B> command to mount the newly created
volumes. Because the <B>root.cell</B> volume is replicated,
you must precede the <I>cellname</I> part of the pathname with a period to
specify the read/write mount point, as shown. Then issue the <B>vos
release</B> command to release a new replica of the
<B>root.cell</B> volume, and the <B>fs checkvolumes</B> command
to force the local Cache Manager to access them.
<PRE>
# <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR> <B>-vol</B> <VAR>sysname</VAR>

# <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr</B> <B>-vol</B> <VAR>sysname</VAR><B>.usr</B>

# <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B> <B>-vol</B> <VAR>sysname</VAR><B>.usr.afsws</B>

# <B>vos release root.cell</B>

# <B>fs checkvolumes</B>
</PRE>
<P><LI>Issue the <B>fs setacl</B> command to grant the <B>l</B>
(<B>lookup</B>) and <B>r</B> (<B>read</B>) permissions to the
<B>system:anyuser</B> group on each new directory's ACL.
<PRE>
# <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR>

# <B>fs setacl -dir . usr usr/afsws -acl system:anyuser rl</B>
</PRE>
<A NAME="IDX2637"></A>
<A NAME="IDX2638"></A>
<A NAME="IDX2639"></A>
<A NAME="IDX2640"></A>
<A NAME="IDX2641"></A>
<P><LI><A NAME="LIWQ85"></A>Issue the <B>fs setquota</B> command to set an unlimited
quota on the volume mounted at the
<B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
directory. This enables you to copy all of the appropriate files from
the CD-ROM into the volume without exceeding the volume's quota.
<P>If you wish, you can set the volume's quota to a finite value after
you complete the copying operation. At that point, use the <B>vos
examine</B> command to determine how much space the volume is
occupying. Then issue the <B>fs setquota</B> command to set a quota
that is slightly larger.
<PRE>
# <B>fs setquota /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws 0</B>
</PRE>
<P><LI>Mount the AFS CD-ROM for this machine's system type on the local
<B>/cdrom</B> directory, if it is not already. For instructions on
mounting CD-ROMs (either locally or remotely via NFS), consult the operating
system documentation.
<A NAME="IDX2642"></A>
<A NAME="IDX2643"></A>
<A NAME="IDX2644"></A>
<P><LI>Copy the contents of the indicated directories from the CD-ROM into the
<B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
directory.
<PRE>
# <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>

# <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/bin .</B>

# <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/etc .</B>

# <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/include .</B>

# <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/lib .</B>
</PRE>
<A NAME="IDX2645"></A>
<A NAME="IDX2646"></A>
<P><LI>Issue the <B>fs setacl</B> command to set the ACL on each directory
appropriately. To comply with the terms of your AFS License agreement,
you must prevent unauthorized users from accessing AFS software. To
enable access for locally authenticated users only, set the ACL on the
<B>etc</B>, <B>include</B>, and <B>lib</B> subdirectories to grant
the <B>l</B> and <B>r</B> permissions to the
<B>system:authuser</B> group rather than the
<B>system:anyuser</B> group. The
<B>system:anyuser</B> group must retain the <B>l</B> and
<B>r</B> permissions on the <B>bin</B> subdirectory to enable
unauthenticated users to access the <B>klog</B> binary. To ensure
that unauthorized users are not accessing AFS software, check periodically
that the ACLs on these directories are set properly.
<PRE>
# <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>

# <B>fs setacl -dir etc include lib -acl system:authuser rl</B> \
<B>system:anyuser none</B>
</PRE>
<A NAME="IDX2647"></A>
<A NAME="IDX2648"></A>
<P><LI><A NAME="LIWQ86"></A>Create <B>/usr/afsws</B> on the local disk as a symbolic
link to the directory
<B>/afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws</B>. You can
specify the actual system name instead of <B>@sys</B> if you wish, but the
advantage of using <B>@sys</B> is that it remains valid if you upgrade
this machine to a different system type.
<PRE>
# <B>ln -s /afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws /usr/afsws</B>
</PRE>
<A NAME="IDX2649"></A>
<A NAME="IDX2650"></A>
<P><LI><B>(Optional)</B> To enable users to issue commands from the AFS
suites (such as <B>fs</B>) without having to specify a pathname to their
binaries, include the <B>/usr/afsws/bin</B> and <B>/usr/afsws/etc</B>
directories in the PATH environment variable you define in each user's
shell initialization file (such as <B>.cshrc</B>).
</OL>
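<P>The ACL entries set on <B>/afs</B> and <B>/afs/</B><VAR>cellname</VAR> in <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A> and on the <B>afsws</B> subdirectories in Step 7 above are what the periodic check that step calls for has to confirm. The following shell script is added here as an example and is not part of the IBM AFS documentation or the OpenAFS distribution: it parses the output of the <B>fs listacl</B> command and reports any entry that departs from those policies. The sample listings and the user name <B>pat</B> are constructed, and <B>audit_afsws</B> assumes that <B>fs</B> is in the PATH.

```shell
#!/bin/sh
# Added example: audits AFS directory ACLs, as printed by "fs listacl", against
# the entries this guide sets. Not part of the IBM AFS documentation or the
# OpenAFS distribution.

# acl_rights LISTING GROUP
# Prints the rights GROUP holds in the "Normal rights:" section of an
# "fs listacl" LISTING, or "none" if it has no entry there. Negative rights
# are deliberately ignored: they only take rights away, never grant them.
acl_rights() {
    printf '%s\n' "$1" | awk -v who="$2" '
        /^Negative rights:/ { exit }
        NF == 2 && $2 ~ /^[rlidwka]+$/ && $1 == who { print $2; found = 1; exit }
        END { if (!found) print "none" }'
}

# acl_violations LISTING POLICY
# POLICY is a space-separated list of GROUP=RIGHTS pairs, where RIGHTS "none"
# means the group must have no entry. Any entry in LISTING for a group that
# POLICY does not mention is also reported, so a stray grant cannot hide.
# Prints one line per mismatch; returns 0 only when the ACL matches exactly.
acl_violations() {
    listing=$1
    policy=$2
    bad=0
    for pair in $policy; do
        who=${pair%%=*}
        want=${pair#*=}
        have=$(acl_rights "$listing" "$who")
        if [ "$have" != "$want" ]; then
            printf '%s: expected %s, found %s\n' "$who" "$want" "$have"
            bad=1
        fi
    done
    for who in $(printf '%s\n' "$listing" | awk '
            /^Negative rights:/ { exit }
            NF == 2 && $2 ~ /^[rlidwka]+$/ { print $1 }'); do
        case " $policy " in
            *" $who="*) ;;
            *) printf '%s: unexpected entry (%s)\n' "$who" "$(acl_rights "$listing" "$who")"
               bad=1 ;;
        esac
    done
    return $bad
}

# Policies from this guide. bin keeps system:anyuser rl so that klog can be
# run before authenticating; etc, include and lib are for system:authuser only.
PUBLIC_POLICY='system:administrators=rlidwka system:anyuser=rl'
PRIVATE_POLICY='system:administrators=rlidwka system:authuser=rl system:anyuser=none'

# audit_afsws AFSWS_DIR: the periodic check of the four subdirectories copied
# from the CD-ROM, e.g. audit_afsws /afs/.abc.com/@sys/usr/afsws
audit_afsws() {
    status=0
    for sub in bin etc include lib; do
        case $sub in
            bin) policy=$PUBLIC_POLICY ;;
            *)   policy=$PRIVATE_POLICY ;;
        esac
        acl_violations "$(fs listacl "$1/$sub")" "$policy" || status=1
    done
    return $status
}

# Constructed sample listings (abc.com is the placeholder cell name used in
# this guide). A correctly configured etc subdirectory:
ETC_OK='Access list for /afs/.abc.com/@sys/usr/afsws/etc is
Normal rights:
  system:administrators rlidwka
  system:authuser rl'

# The ACL step was skipped: system:anyuser still holds the rl copied from
# the parent directory when cp -rp created the subdirectory.
ETC_SKIPPED='Access list for /afs/.abc.com/@sys/usr/afsws/etc is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl'

# A stray grant to a user no policy entry covers; the negative entry is not
# a grant and is ignored by the audit.
ETC_EXTRA='Access list for /afs/.abc.com/@sys/usr/afsws/etc is
Normal rights:
  system:administrators rlidwka
  system:authuser rl
  pat rlidwk
Negative rights:
  system:anyuser rl'
```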
|
|
<A NAME="IDX2651"></A>
|
|
<A NAME="IDX2652"></A>
|
|
<A NAME="IDX2653"></A>
|
|
<A NAME="IDX2654"></A>
|
|
<A NAME="IDX2655"></A>
|
|
<A NAME="IDX2656"></A>
|
|
<HR><H2><A NAME="HDRWQ87" HREF="auqbg002.htm#ToC_89">Storing AFS Documents in AFS</A></H2>
|
|
<P>The AFS distribution includes the following documents:
|
|
<UL>
|
|
<P><LI><I>IBM AFS Release Notes</I>
|
|
<P><LI><I>IBM AFS Quick Beginnings</I>
|
|
<P><LI><I>IBM AFS User Guide</I>
|
|
<P><LI><I>IBM AFS Administration Reference</I>
|
|
<P><LI><I>IBM AFS Administration Guide</I>
|
|
</UL>
|
|
<P>The AFS CD-ROM for each system type has a top-level
|
|
<B>Documentation</B> directory, with a subdirectory for each document
|
|
format provided. The different formats are suitable for online viewing,
|
|
printing, or both.
|
|
<P>This section explains how to create and mount a volume to house the
|
|
documents, making them available to your users. The recommended mount
|
|
point for the volume is
|
|
<B>/afs/</B><VAR>cellname</VAR><B>/afsdoc</B>. If you wish, you
|
|
can create a link to the mount point on each client machine's local disk,
|
|
called <B>/usr/afsdoc</B>. Alternatively, you can create a link to
|
|
the mount point in each user's home directory. You can also choose
|
|
to permit users to access only certain documents (most probably, the <I>IBM
|
|
AFS User Guide</I>) by creating different mount points or setting different
|
|
ACLs on different document directories.
|
|
<P>The current working directory is still <B>/usr/afs/bin</B>, which
|
|
houses the <B>fs</B> and <B>vos</B> command suite binaries you use to
|
|
create and mount volumes. In the following commands, it is possible you
|
|
still need to specify the pathname to the commands, depending on how your PATH
|
|
environment variable is set.
|
|
<OL TYPE=1>
|
|
<A NAME="IDX2657"></A>
|
|
<A NAME="IDX2658"></A>
|
|
<P><LI>Issue the <B>vos create</B> command to create a volume for storing the
|
|
AFS documentation. Include the <B>-maxquota</B> argument to set an
|
|
unlimited quota on the volume. This enables you to copy all of the
|
|
appropriate files from the CD-ROM into the volume without exceeding the
|
|
volume's quota.
|
|
<P>If you wish, you can set the volume's quota to a finite value after
|
|
you complete the copying operations. At that point, use the <B>vos
|
|
examine</B> command to determine how much space the volume is
|
|
occupying. Then issue the <B>fs setquota</B> command to set a quota
|
|
that is slightly larger.
|
|
<PRE>
|
|
# <B>vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <B>afsdoc -maxquota 0</B>
|
|
|
|
</PRE>
|
|
<P><LI>Issue the <B>fs mkmount</B> command to mount the new volume.
|
|
Because the <B>root.cell</B> volume is replicated, you must precede
|
|
the <I>cellname</I> with a period to specify the read/write mount point,
|
|
as shown. Then issue the <B>vos release</B> command to release a
|
|
new replica of the <B>root.cell</B> volume, and the <B>fs
|
|
checkvolumes</B> command to force the local Cache Manager to access
|
|
them.
|
|
<PRE>
|
|
# <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/afsdoc</B> <B>-vol</B> <B>afsdoc</B>
|
|
|
|
# <B>vos release root.cell</B>
|
|
|
|
# <B>fs checkvolumes</B>
|
|
|
|
</PRE>
|
|
<P><LI>Issue the <B>fs setacl</B> command to grant the <B>rl</B>
|
|
permissions to the <B>system:anyuser</B> group on the new
|
|
directory's ACL.
|
|
<PRE>
|
|
# <B>cd /afs/.</B><VAR>cellname</VAR><B>/afsdoc</B>
|
|
|
|
# <B>fs setacl . system:anyuser rl</B>
|
|
|
|
</PRE>
|
|
<P><LI>Mount the AFS CD-ROM for any system type on the local <B>/cdrom</B>
|
|
directory, if one is not already. For instructions on mounting CD-ROMs
|
|
(either locally or remotely via NFS), consult the operating system
|
|
documentation.
|
|
<A NAME="IDX2659"></A>
|
|
<A NAME="IDX2660"></A>
|
|
<A NAME="IDX2661"></A>
|
|
<A NAME="IDX2662"></A>
|
|
<A NAME="IDX2663"></A>
|
|
<P><LI>Copy the AFS documents in one or more formats from the CD-ROM into
|
|
subdirectories of the <B>/afs/</B><VAR>cellname</VAR><B>/afsdoc</B>
|
|
directory. Repeat the commands for each format.
|
|
<PRE>
|
|
# <B>mkdir</B> <VAR>format_name</VAR>
|
|
|
|
# <B>cd</B> <VAR>format_name</VAR>
|
|
|
|
# <B>cp -rp /cdrom/Documentation/</B><VAR>format</VAR> <B>.</B>
|
|
</PRE>
|
|
<P>If you choose to store the HTML version of the documents in AFS, note that
|
|
in addition to a subdirectory for each document there are several files with a
|
|
<B>.gif</B> extension, which enable readers to move easily between
|
|
sections of a document. The file called <B>index.htm</B> is
|
|
an introductory HTML page that contains a hyperlink to each of the
|
|
documents. For online viewing to work properly, these files must remain
|
|
in the top-level HTML directory (the one named, for example,
|
|
<B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/html</B>).
|
|
<P><LI><B>(Optional)</B> If you believe it is helpful to your users to access
|
|
the AFS documents in a certain format via a local disk directory, create
|
|
<B>/usr/afsdoc</B> on the local disk as a symbolic link to the
|
|
documentation directory in AFS
|
|
(<B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>).
|
|
<P>
|
|
<PRE>
|
|
# <B>ln -s /afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR> <B>/usr/afsdoc</B>
|
|
</PRE>
|
|
<P>An alternative is to create a link in each user's home directory to
|
|
the <B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>
|
|
directory.
|
|
</OL>
|
|
<A NAME="IDX2664"></A>
|
|
<A NAME="IDX2665"></A>
|
|
<A NAME="IDX2666"></A>
|
|
<A NAME="IDX2667"></A>
|
|
<HR><H2><A NAME="HDRWQ88" HREF="auqbg002.htm#ToC_90">Storing System Binaries in AFS</A></H2>
|
|
<P>You can also choose to store other system binaries in AFS
|
|
volumes, such as the standard UNIX programs conventionally located in local
|
|
disk directories such as <B>/etc</B>, <B>/bin</B>, and
|
|
<B>/lib</B>. Storing such binaries in an AFS volume not only frees
|
|
local disk space, but makes it easier to update binaries on all client
|
|
machines.
|
|
<P>The following is a suggested scheme for storing system binaries in
|
|
AFS. It does not include instructions, but you can use the instructions
|
|
in <A HREF="#HDRWQ83">Storing AFS Binaries in AFS</A> (which are for AFS-specific binaries) as a template.
|
|
<P>Some files must remain on the local disk for use when AFS is inaccessible
|
|
(during bootup and file server or network outages). The required
|
|
binaries include the following:
|
|
<UL>
|
|
<P><LI>A text editor, network commands, and so on
|
|
<P><LI>Files used during the boot sequence before the <B>afsd</B> program
|
|
runs, such as initialization and configuration files, and binaries for
|
|
commands that mount file systems
|
|
<P><LI>Files used by dynamic kernel loader programs
|
|
</UL>
|
|
<P>In most cases, it is more secure to enable only locally authenticated users
|
|
to access system binaries, by granting the <B>l</B> (<B>lookup</B>)
|
|
and <B>r</B> (<B>read</B>) permissions to the
|
|
<B>system:authuser</B> group on the ACLs of directories that contain
|
|
the binaries. If users need to access a binary while unauthenticated,
|
|
however, the ACL on its directory must grant those permissions to the
|
|
<B>system:anyuser</B> group.
|
|
<P>The following chart summarizes the suggested volume and mount point names
|
|
for storing system binaries. It uses a separate volume for each
|
|
directory. You already created a volume called <VAR>sysname</VAR> for
|
|
this machine's system type when you followed the instructions in <A HREF="#HDRWQ83">Storing AFS Binaries in AFS</A>.
|
|
<P>You can name volumes in any way you wish, and mount them at other locations
|
|
than those suggested here. However, this scheme has several
|
|
advantages:
|
|
<UL>
|
|
<P><LI>Volume names clearly identify volume contents
|
|
<P><LI>Using the <VAR>sysname</VAR> prefix on every volume makes it is easy to back
|
|
up all of the volumes together, because the AFS Backup System enables you to
|
|
define sets of volumes based on a string included in all of their names
|
|
<P><LI>It makes it easy to track related volumes, keeping them together on the
|
|
same file server machine if desired
|
|
<P><LI>There is a clear relationship between volume name and mount point name
|
|
</UL>
|
|
<BR>
<TABLE WIDTH="100%">
<TR>
<TH ALIGN="LEFT" VALIGN="BOTTOM" WIDTH="30%"><B>Volume Name</B>
</TH><TH ALIGN="LEFT" VALIGN="BOTTOM" WIDTH="70%"><B>Mount Point</B>
</TH></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>bin</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/bin</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>etc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/etc</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.afsws</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/afsws</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.bin</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/bin</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.etc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/etc</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.inc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/include</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.lib</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/lib</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.loc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/local</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.man</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/man</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.sys</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/sys</B>
</TD></TR></TABLE>
<P>
<A NAME="IDX2668"></A>
<A NAME="IDX2669"></A>
<A NAME="IDX2670"></A>
<A NAME="IDX2671"></A>
<A NAME="IDX2672"></A>
<A NAME="IDX2673"></A>
<A NAME="IDX2674"></A>
<HR><H2><A NAME="HDRWQ91" HREF="auqbg002.htm#ToC_91">Enabling Access to Foreign Cells</A></H2>
|
|
<P>In this section you create a mount point in your AFS
filespace for the <B>root.cell</B> volume of each foreign cell that
you want to enable your users to access. For users working on a client
machine to access the cell, there must in addition be an entry for it in the
client machine's local <B>/usr/vice/etc/CellServDB</B> file.
(The instructions in <A HREF="#HDRWQ66">Creating the Client CellServDB File</A> suggest that you use the <B>CellServDB.sample</B>
file included in the AFS distribution as the basis for your cell's client
<B>CellServDB</B> file. The sample file lists all of the cells that
had agreed to participate in the AFS global namespace at the time your AFS
CD-ROM was created. As mentioned in that section, the AFS Product
Support group also maintains a copy of the file, updating it as
necessary.)
<P>The chapter in the <I>IBM AFS Administration Guide</I> about cell
administration and configuration issues discusses the implications of
participating in the global AFS namespace. The chapter about
administering client machines explains how to maintain knowledge of foreign
cells on client machines, and includes suggestions for maintaining a central
version of the file in AFS.
<OL TYPE=1>
<P><LI>Issue the <B>fs mkmount</B> command to mount each foreign cell's
<B>root.cell</B> volume on a directory called
<B>/afs/</B><VAR>foreign_cell</VAR>. Because the
<B>root.afs</B> volume is replicated, you must create a temporary
mount point for its read/write version in a directory to which you have write
access (such as your cell's <B>/afs/.</B><VAR>cellname</VAR>
directory). Create the mount points, issue the <B>vos release</B>
command to release new replicas to the read-only sites for the
<B>root.afs</B> volume, and issue the <B>fs checkvolumes</B>
command to force the local Cache Manager to access the new replica.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">You need to issue the <B>fs mkmount</B> command only once for each
foreign cell's <B>root.cell</B> volume. You do not need
to repeat the command on each client machine.
</TD></TR></TABLE>
<P>Substitute your cell's name for <VAR>cellname</VAR>.
<PRE>
# <B>cd /afs/.</B><VAR>cellname</VAR>

# <B>/usr/afs/bin/fs mkmount temp root.afs</B>
</PRE>
<P>Repeat the <B>fs mkmount</B> command for each foreign cell you wish to
mount at this time.
<PRE>
# <B>/usr/afs/bin/fs mkmount temp/</B><VAR>foreign_cell</VAR> <B>root.cell -c</B> <VAR>foreign_cell</VAR>
</PRE>
<P>Issue the following commands only once.
<PRE>
# <B>/usr/afs/bin/fs rmmount temp</B>

# <B>/usr/afs/bin/vos release root.afs</B>

# <B>/usr/afs/bin/fs checkvolumes</B>
</PRE>
|
|
<A NAME="IDX2675"></A>
<A NAME="IDX2676"></A>
<P><LI><A NAME="LIWQ92"></A>If this machine is going to remain an AFS client after you
complete the installation, verify that the local
<B>/usr/vice/etc/CellServDB</B> file includes an entry for each foreign
cell.
<P>For each cell that does not already have an entry, complete the following
instructions:
<OL TYPE=a>
<P><LI>Create an entry in the <B>CellServDB</B> file. Be sure to
comply with the formatting instructions in <A HREF="#HDRWQ66">Creating the Client CellServDB File</A>.
<P><LI>Issue the <B>fs newcell</B> command to add an entry for the cell
directly to the list that the Cache Manager maintains in kernel memory.
Provide each database server machine's fully qualified hostname.
<PRE>
# <B>/usr/afs/bin/fs newcell</B> <<VAR>foreign_cell</VAR>> <<VAR>dbserver1</VAR>> \
[<<VAR>dbserver2</VAR>>] [<<VAR>dbserver3</VAR>>]
</PRE>
<P><LI>If you plan to maintain a central version of the <B>CellServDB</B>
file (the conventional location is
<B>/afs/</B><VAR>cellname</VAR><B>/common/etc/CellServDB</B>), create it
now as a copy of the local <B>/usr/vice/etc/CellServDB</B> file.
Verify that it includes an entry for each foreign cell you want your users to
be able to access.
<PRE>
# <B>mkdir common</B>

# <B>mkdir common/etc</B>

# <B>cp /usr/vice/etc/CellServDB common/etc</B>

# <B>/usr/afs/bin/vos release root.cell</B>
</PRE>
</OL>
|
|
<P><LI>Issue the <B>ls</B> command to verify that the new cell's mount
point is visible in your filespace. The output lists the directories at
the top level of the new cell's AFS filespace.
<PRE>
# <B>ls /afs/</B><VAR>foreign_cell</VAR>
</PRE>
<P><LI>Please register your cell with the AFS Product Support group at this
time. If you do not want to participate in the global AFS namespace,
they list your cell in a private <B>CellServDB</B> file that is not
available to other AFS cells.
</OL>
|
|
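<P>The verification in step 2 (does the local <B>CellServDB</B> file have an
entry for every foreign cell you mounted?) and the <B>fs newcell</B> command
lines it calls for can both be derived from the file itself. The following
Python script is an added example for this section, not part of the AFS
distribution: it parses the client <B>CellServDB</B> layout (a
<B>&gt;</B><VAR>cellname</VAR> header, optionally followed by a
<B>#</B> description, then one <VAR>IP-address</VAR> <B>#</B><VAR>hostname</VAR>
line per database server machine), reports the requested cells that have no
entry, and prints one <B>fs newcell</B> command per cell using the hostnames
from the comments. The sample file embedded in it is constructed for the
example, uses documentation-reserved addresses, and names no real cell.

```python
"""Check a client CellServDB file against the foreign cells you intend to
mount, and print the matching 'fs newcell' command for each one.

Added example for this section; it is not part of the AFS distribution.
It parses the documented /usr/vice/etc/CellServDB layout: a '>cellname'
header (optionally followed by '#description') and then one
'IP-address #hostname' line per database server machine.
"""
import ipaddress
import re

# Constructed sample file for this example (documentation-reserved
# addresses; the cells are not real). On a client you would read
# /usr/vice/etc/CellServDB instead.
SAMPLE_CELLSERVDB = """\
>example.com                #Example home cell
192.0.2.10                  #db1.example.com
192.0.2.11                  #db2.example.com
>foreign.example.org        #A foreign cell we want to mount
198.51.100.5                #afsdb1.foreign.example.org
198.51.100.6                #afsdb2.foreign.example.org
198.51.100.7                #afsdb3.foreign.example.org
"""

# '>' then the cell name, then an optional '#description'.
_HEADER_RE = re.compile(r"^>(\S+)\s*(?:#.*)?$")
# Address, whitespace, '#', the server's fully qualified hostname. The
# comment is mandatory here because fs newcell takes hostnames, not addresses.
_SERVER_RE = re.compile(r"^(\S+)\s+#\s*(\S+)\s*$")


def parse_cellservdb(text):
    """Return {cell: [(ip, hostname), ...]} in file order.

    Raises ValueError for a server line outside any cell entry, a duplicate
    cell, a server line without a '#hostname' comment, an address that is
    not a valid IPv4 address, or a cell that lists no servers.
    """
    cells = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = _HEADER_RE.match(line)
        if header:
            current = header.group(1).lower()
            if current in cells:
                raise ValueError(f"line {lineno}: duplicate cell {current}")
            cells[current] = []
            continue
        if current is None:
            raise ValueError(f"line {lineno}: server line before any '>cell' header")
        server = _SERVER_RE.match(line)
        if not server:
            raise ValueError(f"line {lineno}: expected 'IP #hostname', got {line!r}")
        addr, host = server.groups()
        try:
            ipaddress.IPv4Address(addr)
        except ipaddress.AddressValueError:
            raise ValueError(f"line {lineno}: bad IPv4 address {addr!r}") from None
        cells[current].append((addr, host))
    for cell, servers in cells.items():
        if not servers:
            raise ValueError(f"cell {cell} lists no database server machines")
    return cells


def is_valid_cellservdb(text):
    """True if the text parses cleanly."""
    try:
        parse_cellservdb(text)
    except ValueError:
        return False
    return True


def missing_cells(cells, wanted):
    """Cells from 'wanted' that have no entry (the check in step 2)."""
    return [cell for cell in wanted if cell.lower() not in cells]


def newcell_commands(cells, wanted):
    """One 'fs newcell' command line per requested cell, listing every
    database server hostname the file gives for it."""
    commands = []
    for cell in wanted:
        hosts = [host for _addr, host in cells[cell.lower()]]
        commands.append("/usr/afs/bin/fs newcell " + " ".join([cell.lower()] + hosts))
    return commands


if __name__ == "__main__":
    db = parse_cellservdb(SAMPLE_CELLSERVDB)
    wanted = ["foreign.example.org", "nowhere.example.net"]
    for cell in missing_cells(db, wanted):
        print(f"# {cell}: no CellServDB entry; add one before mounting it")
    for command in newcell_commands(db, [c for c in wanted if c.lower() in db]):
        print(command)
```

<P>Run it on the client machine before issuing the commands it prints. A line
that does not parse is reported with its line number rather than skipped,
because a malformed entry is exactly what leaves the Cache Manager unable to
reach a cell.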
<A NAME="IDX2677"></A>
<A NAME="IDX2678"></A>
<A NAME="IDX2679"></A>
<A NAME="IDX2680"></A>
<A NAME="IDX2681"></A>
<A NAME="IDX2682"></A>
<HR><H2><A NAME="HDRWQ93" HREF="auqbg002.htm#ToC_92">Improving Cell Security</A></H2>
<P>This section discusses ways to improve the security of AFS
data in your cell. Also see the chapter in the <I>IBM AFS
Administration Guide</I> about configuration and administration
issues.
<P><H3><A NAME="HDRWQ94" HREF="auqbg002.htm#ToC_93">Controlling root Access</A></H3>
<P>As on any machine, it is important to prevent unauthorized
users from logging onto an AFS server or client machine as the local superuser
<B>root</B>. Take care to keep the <B>root</B> password
secret.
<P>The local <B>root</B> superuser does not have special access to AFS
data through the Cache Manager (as members of the
<B>system:administrators</B> group do), but it does have the
following privileges:
<UL>
<P><LI>On client machines, the ability to issue commands from the <B>fs</B>
suite that affect AFS performance
<P><LI>On server machines, the ability to disable authorization checking, or to
install rogue process binaries
</UL>
|
|
<P><H3><A NAME="HDRWQ95" HREF="auqbg002.htm#ToC_94">Controlling System Administrator Access</A></H3>
<P>Following are suggestions for managing AFS administrative
privilege:
<UL>
<P><LI>Create an administrative account for each administrator named something
like <VAR>username</VAR><B>.admin</B>. Administrators
authenticate under these identities only when performing administrative tasks,
and destroy the administrative tokens immediately after finishing the task
(either by issuing the <B>unlog</B> command, or by issuing the <B>klog</B>
command to adopt their regular identity again).
<P><LI>Set a short ticket lifetime for administrator accounts (for example, 20
minutes) by using the <B>-lifetime</B> argument to the <B>kas
setfields</B> command, which is described in the <I>IBM AFS Administration
Reference</I>. Do not, however, use a short lifetime for users who
issue long-running <B>backup</B> commands, because the tokens expire before
the commands finish.
<P><LI>Limit the number of system administrators in your cell, especially those
who belong to the <B>system:administrators</B> group. By
default they have all ACL rights on all directories in the local AFS
filespace, and therefore must be trusted not to examine private files.
<P><LI>Limit the use of system administrator accounts on machines in public
areas. It is especially important not to leave such machines unattended
without first destroying the administrative tokens.
<P><LI>Limit the use by administrators of standard UNIX commands that make
connections to remote machines (such as the <B>telnet</B> utility).
Many of these programs send passwords across the network without encrypting
them.
</UL>
|
|
<A NAME="IDX2683"></A>
<A NAME="IDX2684"></A>
<A NAME="IDX2685"></A>
<P><H3><A NAME="HDRWQ96" HREF="auqbg002.htm#ToC_95">Protecting Sensitive AFS Directories</A></H3>
<P>Some subdirectories of the <B>/usr/afs</B> directory
contain files crucial to cell security. Unauthorized users must not
read or write to these files because of the potential for misuse of the
information they contain.
<P>As the BOS Server initializes for the first time on a server machine, it
creates several files and directories (as mentioned in <A HREF="#HDRWQ50">Starting the BOS Server</A>). It sets their owner to the local superuser
<B>root</B> and sets their mode bits to enable writing by the owner
only; in some cases, it also restricts reading.
<P>At each subsequent restart, the BOS Server checks that the owner and mode
bits on these files are still set appropriately. If they are not, it
writes the following message to the <B>/usr/afs/logs/BosLog</B> file:
<PRE>
Bosserver reports inappropriate access on server directories
</PRE>
<P>The BOS Server does not reset the mode bits, which enables you to set
alternate values if you wish.
<P>The following chart lists the expected mode bit settings. A
question mark indicates that the BOS Server does not check that mode
bit.
<BR>
<TABLE WIDTH="100%">
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwxr</TT>?<TT>xr-x</TT>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/backup</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwx</TT>???<TT>---</TT>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/bin</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwxr</TT>?<TT>xr-x</TT>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/db</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwx</TT>???<TT>---</TT>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/etc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwxr</TT>?<TT>xr-x</TT>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/etc/KeyFile</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>-rw</TT>????<TT>---</TT>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/etc/UserList</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>-rw</TT>?????<TT>--</TT>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/local</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwx</TT>???<TT>---</TT>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/logs</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwxr</TT>?<TT>xr-x</TT>
</TD></TR></TABLE>
|
|
<P>
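<P>Because the BOS Server only logs a one-line warning and does not say which
entry is wrong, it is useful to be able to make the same comparison yourself.
The following Python script is an added example, not the BOS Server's own
check: it renders each entry's mode bits the way <B>ls -l</B> does, treats
the <B>?</B> positions in the chart as wildcards, and lists every entry whose
owner is not <B>root</B> or whose mode differs from the expected pattern.
The root directory is a parameter so the same checker can be run against a
scratch copy; the <B>make_scratch_tree</B> and <B>loosen</B> helpers exist
only to build such a copy for testing and are not part of any AFS tool.

```python
"""Compare the owner and mode bits of the BOS Server's files and directories
with the expected values in the chart above.

Added example; this is not the BOS Server's own check. A '?' in a pattern is
a bit the chart says is not checked, and is ignored here too. The root
directory is a parameter so the checker can be run against a scratch copy.
"""
import os
import stat
import tempfile

# (path relative to /usr/afs, expected mode), copied from the chart.
EXPECTED_MODES = [
    ("",             "drwxr?xr-x"),   # /usr/afs itself
    ("backup",       "drwx???---"),
    ("bin",          "drwxr?xr-x"),
    ("db",           "drwx???---"),
    ("etc",          "drwxr?xr-x"),
    ("etc/KeyFile",  "-rw????---"),
    ("etc/UserList", "-rw?????--"),
    ("local",        "drwx???---"),
    ("logs",         "drwxr?xr-x"),
]


def symbolic_mode(st_mode):
    """Render st_mode like 'ls -l', e.g. 'drwxr-xr-x'. setuid/setgid/sticky
    are not shown because the chart does not cover them."""
    out = "d" if stat.S_ISDIR(st_mode) else "-"
    for shift in (6, 3, 0):            # user, group, other
        perm = (st_mode >> shift) & 0o7
        out += "r" if perm & 4 else "-"
        out += "w" if perm & 2 else "-"
        out += "x" if perm & 1 else "-"
    return out


def mode_matches(actual, expected):
    """True when the 10-character strings agree wherever 'expected' is not '?'."""
    return len(actual) == len(expected) == 10 and all(
        e == "?" or a == e for a, e in zip(actual, expected))


def mode_from_symbolic(pattern):
    """Numeric permission bits for a chart pattern, with '?' read as '-'."""
    bits = (0o400, 0o200, 0o100, 0o40, 0o20, 0o10, 0o4, 0o2, 0o1)
    return sum(bit for ch, bit in zip(pattern[1:], bits) if ch in "rwx")


def audit_server_directories(root, expected=EXPECTED_MODES, owner_uid=0):
    """Return [(path, problem), ...]; an empty list means every entry has the
    expected owner (root by default) and mode. A missing entry is reported
    rather than skipped."""
    problems = []
    for rel, want in expected:
        path = os.path.join(root, rel) if rel else root
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            problems.append((path, "missing"))
            continue
        if st.st_uid != owner_uid:
            problems.append((path, f"owner uid {st.st_uid}, expected {owner_uid}"))
        have = symbolic_mode(st.st_mode)
        if not mode_matches(have, want):
            problems.append((path, f"mode {have}, expected {want}"))
    return problems


def current_uid():
    """Owner to expect when auditing a scratch tree built by the current user."""
    return os.getuid()


def make_scratch_tree():
    """Build a throwaway tree laid out like /usr/afs, with the chart's modes
    and owned by the current user, to exercise the checker. Returns its path."""
    root = tempfile.mkdtemp(prefix="afs-audit-")
    for rel, want in EXPECTED_MODES:
        path = os.path.join(root, rel) if rel else root
        if want[0] == "d":
            os.makedirs(path, exist_ok=True)
        else:
            open(path, "w").close()
        os.chmod(path, mode_from_symbolic(want))   # explicit, so umask does not apply
    return root


def loosen(root, rel, mode):
    """Change one entry's mode in a scratch tree (to simulate a bad setting)."""
    os.chmod(os.path.join(root, rel), mode)


if __name__ == "__main__":
    for path, problem in audit_server_directories("/usr/afs"):
        print(f"{path}: {problem}")
```

<P>Run it as <B>root</B> against <B>/usr/afs</B> whenever the BOS Server logs
the message above; the output names the exact entry and the mode it found,
which <B>BosLog</B> does not.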
|
|
<A NAME="IDX2686"></A>
<A NAME="IDX2687"></A>
<HR><H2><A NAME="HDRWQ98" HREF="auqbg002.htm#ToC_96">Removing Client Functionality</A></H2>
<P>Follow the instructions in this section only if you do not
wish this machine to remain an AFS client. Removing client
functionality means that you cannot use this machine to access AFS
files.
<OL TYPE=1>
<P><LI>Remove the files from the <B>/usr/vice/etc</B> directory. The
command does not remove the directory for files used by the dynamic kernel
loader program, if it exists on this system type. Those files are still
needed on a server-only machine.
<PRE>
# <B>cd /usr/vice/etc</B>

# <B>rm * </B>

# <B>rm -rf C</B>
</PRE>
<P><LI>Create symbolic links to the <B>ThisCell</B> and <B>CellServDB</B>
files in the <B>/usr/afs/etc</B> directory. This makes it possible
to issue commands from the AFS command suites (such as <B>bos</B> and
<B>fs</B>) on this machine.
<PRE>
# <B>ln -s /usr/afs/etc/ThisCell ThisCell</B>

# <B>ln -s /usr/afs/etc/CellServDB CellServDB</B>
</PRE>
<P><LI>On IRIX systems, issue the <B>chkconfig</B> command to deactivate the
<B>afsclient</B> configuration variable.
<PRE>
# <B>/etc/chkconfig -f afsclient off</B>
</PRE>
<P><LI>Reboot the machine. Most system types use the <B>shutdown</B>
command, but the appropriate options vary.
<PRE>
# <B>cd /</B>

# <B>shutdown</B> <VAR>appropriate_options</VAR>
</PRE>
</OL>
|
|
<!-- Begin Footer Records ========================================== -->
<P><HR><B>
<br>© <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A> All Rights Reserved
</B>
<!-- End Footer Records ============================================ -->
<A NAME="Bot_Of_Page"></A>
</BODY></HTML>