jimzah/openafs
1
0
Fork 0
mirror of https://git.openafs.org/openafs.git synced 2025-01-20 07:51:00 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
9999c1faeb
openafs/doc/html/QuickStartUnix/auqbg007.htm
Chaskiel M Grundman 7303f3148e darwin-build-updates-20010910 
separate plist on per-version basis

1.4 is not yet supported
2001-09-10 21:07:32 +00:00

2375 lines
102 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 4//EN">
<HTML><HEAD>
<TITLE>Quick Beginnings</TITLE>
<!-- Begin Header Records ========================================== -->
<!-- /tmp/idwt3574/auqbg000.scr converted by idb2h R4.2 (359) ID -->
<!-- Workbench Version (AIX) on 2 Oct 2000 at 12:25:35 -->
<META HTTP-EQUIV="updated" CONTENT="Mon, 02 Oct 2000 12:25:35">
<META HTTP-EQUIV="review" CONTENT="Tue, 02 Oct 2001 12:25:35">
<META HTTP-EQUIV="expires" CONTENT="Wed, 02 Oct 2002 12:25:35">
</HEAD><BODY>
<!-- (C) IBM Corporation 2000. All Rights Reserved -->
<BODY bgcolor="ffffff">
<!-- End Header Records ============================================ -->
<A NAME="Top_Of_Page"></A>
<H1>Quick Beginnings</H1>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auqbg002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auqbg006.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Bot_Of_Page"><IMG SRC="../bot.gif" BORDER="0" ALT="[Bottom of Topic]"></A> <A HREF="auqbg008.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auqbg009.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
<P>
<A NAME="IDX2926"></A>
<A NAME="IDX2927"></A>
<HR><H1><A NAME="HDRWQ133" HREF="auqbg002.htm#ToC_115">Installing Additional Client Machines</A></H1>
<P>This chapter describes how to install AFS client machines
after you have installed the first AFS machine. Some parts of the
installation differ depending on whether or not the new client is of the same
AFS system type (uses the same AFS binaries) as a previously installed client
machine.
<A NAME="IDX2928"></A>
<HR><H2><A NAME="Header_116" HREF="auqbg002.htm#ToC_116">Summary of Procedures</A></H2>
<OL TYPE=1>
<P><LI>Incorporate AFS into the machine's kernel
<P><LI>Define the machine's cell membership
<P><LI>Define cache location and size
<P><LI>Create the <B>/usr/vice/etc/CellServDB</B> file, which determines
which foreign cells the client can access in addition to the local cell
<P><LI>Create the <B>/afs</B> directory and start the Cache Manager
<P><LI>Create and mount volumes for housing AFS client binaries (necessary only
for clients of a new system type)
<P><LI>Create a link from the local <B>/usr/afsws</B> directory to the AFS
directory housing the AFS client binaries
<P><LI>Modify the machine's authentication system to enable AFS users to
obtain tokens at login
</OL>
<A NAME="IDX2929"></A>
<A NAME="IDX2930"></A>
<A NAME="IDX2931"></A>
<A NAME="IDX2932"></A>
<A NAME="IDX2933"></A>
<A NAME="IDX2934"></A>
<A NAME="IDX2935"></A>
<HR><H2><A NAME="HDRWQ134" HREF="auqbg002.htm#ToC_117">Creating AFS Directories on the Local Disk</A></H2>
<P>Create the <B>/usr/vice/etc</B> directory on the local
disk, to house client binaries and configuration files. Subsequent
instructions copy files from the AFS CD-ROM into them. Create the
<B>/cdrom</B> directory as a mount point for the CD-ROM, if it does not
already exist.
<PRE>
# <B>mkdir /usr/vice</B>
# <B>mkdir /usr/vice/etc</B>
# <B>mkdir /cdrom</B>
</PRE>
<HR><H2><A NAME="HDRWQ135" HREF="auqbg002.htm#ToC_118">Performing Platform-Specific Procedures</A></H2>
<P>Every AFS client machine's kernel must incorporate AFS
modifications. Some system types use a dynamic kernel loader program,
whereas on other system types you build AFS modifications into a static
kernel. Some system types support both methods.
<P>Also modify the machine's authentication system so that users obtain
an AFS token as they log into the local file system. Using AFS is
simpler and more convenient for your users if you make the modifications on
all client machines. Otherwise, users must perform a two-step login
procedure (login to the local file system and then issue the <B>klog</B>
command). For further discussion of AFS authentication, see the chapter
in the <I>IBM AFS Administration Guide</I> about cell configuration and
administration issues.
<P>For convenience, the following sections group the two procedures by system
type. Proceed to the appropriate section.
<UL>
<P><LI><A HREF="#HDRWQ136">Getting Started on AIX Systems</A>
<P><LI><A HREF="#HDRWQ137">Getting Started on Digital UNIX Systems</A>
<P><LI><A HREF="#HDRWQ138">Getting Started on HP-UX Systems</A>
<P><LI><A HREF="#HDRWQ139">Getting Started on IRIX Systems</A>
<P><LI><A HREF="#HDRWQ143">Getting Started on Linux Systems</A>
<P><LI><A HREF="#HDRWQ144">Getting Started on Solaris Systems</A>
</UL>
<A NAME="IDX2936"></A>
<A NAME="IDX2937"></A>
<A NAME="IDX2938"></A>
<A NAME="IDX2939"></A>
<A NAME="IDX2940"></A>
<A NAME="IDX2941"></A>
<A NAME="IDX2942"></A>
<A NAME="IDX2943"></A>
<A NAME="IDX2944"></A>
<HR><H2><A NAME="HDRWQ136" HREF="auqbg002.htm#ToC_119">Getting Started on AIX Systems</A></H2>
<P>In this section you load AFS into the AIX kernel.
Then incorporate AFS modifications into the machine's secondary
authentication system, if you wish to enable AFS login.
<P><H3><A NAME="Header_120" HREF="auqbg002.htm#ToC_120">Loading AFS into the AIX Kernel</A></H3>
<P>The AIX kernel extension facility is the dynamic kernel loader provided
by IBM Corporation. AIX does not support incorporation of AFS
modifications during a kernel build.
<P>For AFS to function correctly, the kernel extension facility must run each
time the machine reboots, so the AFS initialization script (included in the
AFS distribution) invokes it automatically. In this section you copy
the script to the conventional location and edit it to select the appropriate
options depending on whether NFS is also to run.
<P>After editing the script, you run it to incorporate AFS into the
kernel. In a later section you verify that the script correctly
initializes the Cache Manager, then configure the AIX <B>inittab</B> file
so that the script runs automatically at reboot.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for AIX on the local <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your AIX documentation. Then change directory as
indicated.
<PRE>
# <B>cd /cdrom/rs_aix42/root.client/usr/vice/etc</B>
</PRE>
<P><LI>Copy the AFS kernel library files to the local
<B>/usr/vice/etc/dkload</B> directory, and the AFS initialization script
to the <B>/etc</B> directory.
<PRE>
# <B>cp -rp dkload /usr/vice/etc</B>
# <B>cp -p rc.afs /etc/rc.afs</B>
</PRE>
<P><LI>Edit the <B>/etc/rc.afs</B> script, setting the <TT>NFS</TT>
variable as indicated.
<P>If the machine is not to function as an NFS/AFS Translator, set the
<TT>NFS</TT> variable as follows.
<PRE>
NFS=$NFS_NONE
</PRE>
<P>If the machine is to function as an NFS/AFS Translator and is running AIX
4.2.1 or higher, set the <TT>NFS</TT> variable as
follows. Note that NFS must already be loaded into the kernel, which
happens automatically on systems running AIX 4.1.1 and later, as
long as the file <B>/etc/exports</B> exists.
<PRE>
NFS=$NFS_IAUTH
</PRE>
<P><LI>Invoke the <B>/etc/rc.afs</B> script to load AFS modifications
into the kernel. You can ignore any error messages about the inability
to start the BOS Server or the Cache Manager or AFS client.
<PRE>
# <B>/etc/rc.afs</B>
</PRE>
</OL>
<P><H3><A NAME="Header_121" HREF="auqbg002.htm#ToC_121">Enabling AFS Login on AIX Systems</A></H3>
<P>Now incorporate AFS into the AIX secondary authentication
system.
<OL TYPE=1>
<P><LI>Issue the <B>ls</B> command to verify that the
<B>afs_dynamic_auth</B> and <B>afs_dynamic_kerbauth</B> programs are
installed in the local <B>/usr/vice/etc</B> directory.
<PRE>
# <B>ls /usr/vice/etc</B>
</PRE>
<P>If the files do not exist, mount the AFS CD-ROM for AIX (if it is not
already), change directory as indicated, and copy them.
<PRE>
# <B>cd /cdrom/rs_aix42/root.client/usr/vice/etc</B>
# <B>cp -p afs_dynamic* /usr/vice/etc</B>
</PRE>
<P><LI>Edit the local <B> /etc/security/user</B> file, making changes to the
indicated stanzas:
<UL>
<P><LI>In the default stanza, set the <TT>registry</TT> attribute to
<B>DCE</B> (not to <B>AFS</B>), as follows:
<PRE>
registry = DCE
</PRE>
<P><LI>In the default stanza, set the <TT>SYSTEM</TT> attribute as
indicated.
<P>If the machine is an AFS client only, set the following value:
<PRE>
SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"
</PRE>
<P>If the machine is both an AFS and a DCE client, set the following value (it
must appear on a single line in the file):
<PRE>
SYSTEM = "DCE OR DCE[UNAVAIL] OR AFS OR (AFS[UNAVAIL] \
AND compat[SUCCESS])"
</PRE>
<P><LI>In the <TT>root</TT> stanza, set the <TT>registry</TT> attribute as
follows. It enables the local superuser <B>root</B> to log into the
local file system only, based on the password listed in the local password
file.
<PRE>
root:
registry = files
</PRE>
</UL>
<P><LI>Edit the local <B>/etc/security/login.cfg</B> file, creating or
editing the indicated stanzas:
<UL>
<P><LI>In the <TT>DCE</TT> stanza, set the <TT>program</TT> attribute as
follows.
<P>If you use the AFS Authentication Server (<B>kaserver</B>
process):
<PRE>
DCE:
program = /usr/vice/etc/afs_dynamic_auth
</PRE>
<P>If you use a Kerberos implementation of AFS authentication:
<PRE>
DCE:
program = /usr/vice/etc/afs_dynamic_kerbauth
</PRE>
<P><LI>In the <TT>AFS</TT> stanza, set the <TT>program</TT> attribute as
follows.
<P>If you use the AFS Authentication Server (<B>kaserver</B>
process):
<PRE>
AFS:
program = /usr/vice/etc/afs_dynamic_auth
</PRE>
<P>If you use a Kerberos implementation of AFS authentication:
<PRE>
AFS:
program = /usr/vice/etc/afs_dynamic_kerbauth
</PRE>
</UL>
<P><LI>Proceed to <A HREF="#HDRWQ145">Loading and Creating Client Files</A>.
</OL>
<A NAME="IDX2945"></A>
<A NAME="IDX2946"></A>
<A NAME="IDX2947"></A>
<A NAME="IDX2948"></A>
<A NAME="IDX2949"></A>
<A NAME="IDX2950"></A>
<A NAME="IDX2951"></A>
<A NAME="IDX2952"></A>
<A NAME="IDX2953"></A>
<HR><H2><A NAME="HDRWQ137" HREF="auqbg002.htm#ToC_122">Getting Started on Digital UNIX Systems</A></H2>
<P>In this section you build AFS into the Digital UNIX
kernel. Then incorporate AFS modifications into the machine's
Security Integration Architecture (SIA) matrix, if you wish to enable AFS
login.
<P><H3><A NAME="Header_123" HREF="auqbg002.htm#ToC_123">Building AFS into the Digital UNIX Kernel</A></H3>
<P>On Digital UNIX systems, you must build AFS modifications into a new
static kernel; Digital UNIX does not support dynamic loading. If
the machine's hardware and software configuration exactly matches another
Digital UNIX machine on which AFS is already built into the kernel, you can
choose to copy the kernel from that machine to this one. In general,
however, it is better to build AFS modifications into the kernel on each
machine according to the following instructions.
<OL TYPE=1>
<P><LI>Create a copy called <B>AFS</B> of the basic kernel configuration file
included in the Digital UNIX distribution as
<B>/usr/sys/conf/</B><VAR>machine_name</VAR>, where <VAR>machine_name</VAR> is
the machine's hostname in all uppercase letters.
<PRE>
# <B>cd /usr/sys/conf</B>
# <B>cp</B> <VAR>machine_name</VAR> <B>AFS</B>
</PRE>
<P><LI>Add AFS to the list of options in the configuration file you created in
the previous step, so that the result looks like the following:
<PRE> . .
. .
options UFS
options NFS
options AFS
. .
. .
</PRE>
<P><LI>Add an entry for AFS to two places in the file
<B>/usr/sys/conf/files</B>.
<UL>
<P><LI>Add a line for AFS to the list of <TT>OPTIONS</TT>, so that the result
looks like the following:
<PRE> . . .
. . .
OPTIONS/nfs optional nfs
OPTIONS/afs optional afs
OPTIONS/nfs_server optional nfs_server
. . .
. . .
</PRE>
<P><LI>Add an entry for AFS to the list of <TT>MODULES</TT>, so that the result
looks like the following:
<PRE> . . . .
. . . .
#
MODULE/nfs_server optional nfs_server Binary
nfs/nfs_server.c module nfs_server optimize -g3
nfs/nfs3_server.c module nfs_server optimize -g3
#
MODULE/afs optional afs Binary
afs/libafs.c module afs
#
</PRE>
</UL>
<P><LI>Add an entry for AFS to two places in the file
<B>/usr/sys/vfs/vfs_conf.c</B>.
<UL>
<P><LI>Add AFS to the list of defined file systems, so that the result looks like
the following:
<PRE> . .
. .
#include &lt;afs.h>
#if defined(AFS) &amp;&amp; AFS
extern struct vfsops afs_vfsops;
#endif
. .
. .
</PRE>
<P><LI>Put a declaration for AFS in the <B>vfssw[]</B> table's
MOUNT_ADDON slot, so that the result looks like the following:
<PRE> . . .
. . .
&amp;fdfs_vfsops, "fdfs", /* 12 = MOUNT_FDFS */
#if defined(AFS)
&amp;afs_vfsops, "afs",
#else
(struct vfsops *)0, "", /* 13 = MOUNT_ADDON */
#endif
#if NFS &amp;&amp; INFS_DYNAMIC
&amp;nfs3_vfsops, "nfsv3", /* 14 = MOUNT_NFS3 */
</PRE>
</UL>
<P><LI>Mount the AFS CD-ROM for Digital UNIX on the local <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your Digital UNIX documentation. Then change
directory as indicated.
<PRE>
# <B>cd /cdrom/alpha_dux40/root.client</B>
</PRE>
<P><LI>Copy the AFS initialization script to the local directory for
initialization files (by convention, <B>/sbin/init.d</B> on Digital
UNIX machines). Note the removal of the <B>.rc</B> extension
as you copy the script.
<PRE>
# <B>cp usr/vice/etc/afs.rc /sbin/init.d/afs</B>
</PRE>
<P><LI>Copy the AFS kernel module to the local <B>/usr/sys/BINARY</B>
directory.
<P>If the machine's kernel supports NFS server functionality:
<PRE>
# <B>cp bin/libafs.o /usr/sys/BINARY/afs.mod</B>
</PRE>
<P>If the machine's kernel does not support NFS server
functionality:
<PRE>
# <B>cp bin/libafs.nonfs.o /usr/sys/BINARY/afs.mod</B>
</PRE>
<P><LI>Configure and build the kernel. Respond to any prompts by pressing
&lt;<B>Return</B>>. The resulting kernel resides in the file
<B>/sys/AFS/vmunix</B>.
<PRE>
# <B>doconfig -c AFS</B>
</PRE>
<P><LI>Rename the existing kernel file and copy the new, AFS-modified file to the
standard location.
<PRE>
# <B>mv /vmunix /vmunix_noafs</B>
# <B>cp /sys/AFS/vmunix /vmunix</B>
</PRE>
<P><LI>Reboot the machine to start using the new kernel, and login again as the
superuser <B>root</B>.
<PRE>
# <B>cd /</B>
# <B>shutdown -r now</B>
login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
</OL>
<P><H3><A NAME="Header_124" HREF="auqbg002.htm#ToC_124">Enabling AFS Login on Digital UNIX Systems</A></H3>
<P>On Digital UNIX systems, the AFS initialization script automatically
incorporates the AFS authentication library file into the Security Integration
Architecture (SIA) matrix on the machine, so that users with AFS accounts
obtain a token at login. In this section you copy the library file to
the appropriate location.
<P>For more information on SIA, see the Digital UNIX reference page for
<B>matrix.conf</B>, or consult the section on security in your
Digital UNIX documentation.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If the machine runs both the DCE and AFS client software, AFS must start
after DCE. Consult the AFS initialization script for suggested symbolic
links to create for correct ordering. Also, the system startup script
order must initialize SIA before any long-running process that uses
authentication.
</TD></TR></TABLE>
<P>Perform the following steps to enable AFS login.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for Digital UNIX on the local <B>/cdrom</B>
directory, if it is not already. Change directory as indicated.
<PRE>
# <B>cd /cdrom/alpha_dux40/lib/afs</B>
</PRE>
<P><LI>Copy the appropriate AFS authentication library file to the local
<B>/usr/shlib</B> directory.
<P>If you use the AFS Authentication Server (<B>kaserver</B> process) in
the cell:
<PRE>
# <B>cp libafssiad.so /usr/shlib</B>
</PRE>
<P>If you use a Kerberos implementation of AFS authentication, rename the
library file as you copy it:
<PRE>
# <B>cp libafssiad.krb.so /usr/shlib/libafssiad.so</B>
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ145">Loading and Creating Client Files</A>.
</OL>
<A NAME="IDX2954"></A>
<A NAME="IDX2955"></A>
<A NAME="IDX2956"></A>
<A NAME="IDX2957"></A>
<A NAME="IDX2958"></A>
<A NAME="IDX2959"></A>
<A NAME="IDX2960"></A>
<A NAME="IDX2961"></A>
<A NAME="IDX2962"></A>
<HR><H2><A NAME="HDRWQ138" HREF="auqbg002.htm#ToC_125">Getting Started on HP-UX Systems</A></H2>
<P>In this section you build AFS into the HP-UX kernel.
Then incorporate AFS modifications into the machine's Pluggable
Authentication Module (PAM) system, if you wish to enable AFS login.
<P><H3><A NAME="Header_126" HREF="auqbg002.htm#ToC_126">Building AFS into the HP-UX Kernel</A></H3>
<P>On HP-UX systems, you must build AFS modifications into a new static
kernel; HP-UX does not support dynamic loading. If the
machine's hardware and software configuration exactly matches another
HP-UX machine on which AFS is already built into the kernel, you can choose to
copy the kernel from that machine to this one. In general, however, it
is better to build AFS modifications into the kernel on each machine according
to the following instructions.
<OL TYPE=1>
<P><LI>Move the existing kernel-related files to a safe location.
<PRE>
# <B>cp /stand/vmunix /stand/vmunix.noafs</B>
# <B>cp /stand/system /stand/system.noafs</B>
</PRE>
<P><LI>Mount the AFS CD-ROM for HP-UX on the local <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your HP-UX documentation. Then change directory
as indicated.
<PRE>
# <B>cd /cdrom/hp_ux110/root.client</B>
</PRE>
<P><LI>Copy the AFS initialization file to the local directory for initialization
files (by convention, <B>/sbin/init.d</B> on HP-UX
machines). Note the removal of the <B>.rc</B> extension as
you copy the file.
<PRE>
# <B>cp usr/vice/etc/afs.rc /sbin/init.d/afs</B>
</PRE>
<P><LI>Copy the file <B>afs.driver</B> to the local
<B>/usr/conf/master.d</B> directory, changing its name to
<B>afs</B> as you do.
<PRE>
# <B>cp usr/vice/etc/afs.driver /usr/conf/master.d/afs</B>
</PRE>
<P><LI>Copy the AFS kernel module to the local <B>/usr/conf/lib</B>
directory.
<P>If the machine's kernel supports NFS server functionality:
<PRE>
# <B>cp bin/libafs.a /usr/conf/lib</B>
</PRE>
<P>If the machine's kernel does not support NFS server functionality,
change the file's name as you copy it:
<PRE>
# <B>cp bin/libafs.nonfs.a /usr/conf/lib/libafs.a</B>
</PRE>
<P><LI>Incorporate the AFS driver into the kernel, either using the
<B>SAM</B> program or a series of individual commands.
<UL>
<P><LI>To use the <B>SAM</B> program:
<OL TYPE=a>
<P><LI>Invoke the <B>SAM</B> program, specifying the hostname of the local
machine as <VAR>local_hostname</VAR>. The <B>SAM</B> graphical user
interface pops up.
<PRE>
# <B>sam -display</B> <VAR>local_hostname</VAR><B>:0</B>
</PRE>
<P><LI>Choose the <B>Kernel Configuration</B> icon, then the
<B>Drivers</B> icon. From the list of drivers, select
<B>afs</B>.
<P><LI>Open the pull-down <B>Actions</B> menu and choose the <B>Add Driver
to Kernel</B> option.
<P><LI>Open the <B>Actions</B> menu again and choose the <B>Create a New
Kernel</B> option.
<P><LI>Confirm your choices by choosing <B>Yes</B> and <B>OK</B> when
prompted by subsequent pop-up windows. The <B>SAM</B> program
builds the kernel and reboots the system.
<P><LI>Login again as the superuser <B>root</B>.
<PRE>
login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
</OL>
<P><LI>To use individual commands:
<OL TYPE=a>
<P><LI>Edit the file <B>/stand/system</B>, adding an entry for <B>afs</B>
to the <TT>Subsystems</TT> section.
<P><LI>Change to the <B>/stand/build</B> directory and issue the
<B>mk_kernel</B> command to build the kernel.
<PRE>
# <B>cd /stand/build</B>
# <B>mk_kernel</B>
</PRE>
<P><LI>Move the new kernel to the standard location (<B>/stand/vmunix</B>),
reboot the machine to start using it, and login again as the superuser
<B>root</B>.
<PRE>
# <B>mv /stand/build/vmunix_test /stand/vmunix</B>
# <B>cd /</B>
# <B>shutdown -r now</B>
login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
</OL>
</UL>
</OL>
<P><H3><A NAME="Header_127" HREF="auqbg002.htm#ToC_127">Enabling AFS Login on HP-UX Systems</A></H3>
<P>At this point you incorporate AFS into the operating system's
Pluggable Authentication Module (PAM) scheme. PAM integrates all
authentication mechanisms on the machine, including login, to provide the
security infrastructure for authenticated access to and from the
machine.
<P>Explaining PAM is beyond the scope of this document. It is assumed
that you understand the syntax and meanings of settings in the PAM
configuration file (for example, how the <TT>other</TT> entry works, the
effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
<TT>sufficient</TT>, and so on).
<P>The following instructions explain how to alter the entries in the PAM
configuration file for each service for which you wish to use AFS
authentication. Other configurations possibly also work, but the
instructions specify the recommended and tested configuration.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">The instructions specify that you mark each entry as
<TT>optional</TT>. However, marking some modules as optional can mean
that they grant access to the corresponding service even when the user does
not meet all of the module's requirements. In some operating
system revisions, for example, if you mark as optional the module that
controls login via a dial-up connection, it allows users to login without
providing a password. See the <I>IBM AFS Release Notes</I> for a
discussion of any limitations that apply to this operating system.
<P>Also, with some operating system versions you must install patches for PAM
to interact correctly with certain authentication programs. For
details, see the <I>IBM AFS Release Notes</I>.
</TD></TR></TABLE>
<P>The recommended AFS-related entries in the PAM configuration file make use
of one or more of the following three attributes.
<DL>
<P><DT><B><TT>try_first_pass</TT>
</B><DD>This is a standard PAM attribute that can be included on entries after the
first one for a service; it directs the module to use the password that
was provided to the first module. For the AFS module, it means that AFS
authentication succeeds if the password provided to the module listed first is
the user's correct AFS password. For further discussion of this
attribute and its alternatives, see the operating system's PAM
documentation.
<P><DT><B><TT>ignore_root</TT>
</B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
only the local superuser <B> root</B>, but also any user with UID 0
(zero).
<P><DT><B><TT>setenv_password_expires</TT>
</B><DD>This attribute, specific to the AFS PAM module, sets the environment
variable PASSWORD_EXPIRES to the expiration date of the user's AFS
password, which is recorded in the Authentication Database.
</DL>
<P>Perform the following steps to enable AFS login.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for HP-UX on the <B>/cdrom</B> directory, if it
is not already. Then change directory as indicated.
<PRE>
# <B>cd /usr/lib/security</B>
</PRE>
<P><LI>Copy the AFS authentication library file to the
<B>/usr/lib/security</B> directory. Then create a symbolic link to
it whose name does not mention the version. Omitting the version
eliminates the need to edit the PAM configuration file if you later update the
library file.
<P>If you use the AFS Authentication Server (<B>kaserver</B> process) in
the cell:
<PRE>
# <B>cp /cdrom/hp_ux110/lib/pam_afs.so.1 .</B>
# <B>ln -s pam_afs.so.1 pam_afs.so</B>
</PRE>
<P>If you use a Kerberos implementation of AFS authentication:
<PRE>
#<B> cp /cdrom/hp_ux110/lib/pam_afs.krb.so.1 .</B>
# <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>
</PRE>
<P><LI>Edit the <TT>Authentication management</TT> section of the HP-UX PAM
configuration file, <B>/etc/pam.conf</B> by convention. The
entries in this section have the value <TT>auth</TT> in their second
field.
<P>First edit the standard entries, which refer to the HP-UX PAM module
(usually, the file <B>/usr/lib/security/libpam_unix.1</B>) in their
fourth field. For each service for which you want to use AFS
authentication, edit the third field of its entry to read
<TT>optional</TT>. The <B>pam.conf</B> file in the HP-UX
distribution usually includes standard entries for the <B>login</B> and
<B>ftp</B> services, for instance.
<P>If there are services for which you want to use AFS authentication, but for
which the <B>pam.conf</B> file does not already include a standard
entry, you must create that entry and place the value <TT>optional</TT> in
its third field. For instance, the HP-UX <B>pam.conf</B>
file does not usually include standard entries for the <B>remsh</B> or
<B>telnet</B> services.
<P>Then create an AFS-related entry for each service, placing it immediately
below the standard entry. The following example shows what the
<TT>Authentication Management</TT> section looks like after you have you
edited or created entries for the services mentioned previously. Note
that the example AFS entries appear on two lines only for legibility.
<PRE>
login auth optional /usr/lib/security/libpam_unix.1
login auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root setenv_password_expires
ftp auth optional /usr/lib/security/libpam_unix.1
ftp auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root
remsh auth optional /usr/lib/security/libpam_unix.1
remsh auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root
telnet auth optional /usr/lib/security/libpam_unix.1
telnet auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root setenv_password_expires
</PRE>
<P><LI>If you use the Common Desktop Environment (CDE) on the machine and want
users to obtain an AFS token as they log in, also add or edit the following
four entries in the <TT>Authentication management</TT> section. Note
that the AFS-related entries appear on two lines here only for
legibility.
<PRE>
dtlogin auth optional /usr/lib/security/libpam_unix.1
dtlogin auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root
dtaction auth optional /usr/lib/security/libpam_unix.1
dtaction auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ145">Loading and Creating Client Files</A>.
</OL>
<A NAME="IDX2963"></A>
<A NAME="IDX2964"></A>
<A NAME="IDX2965"></A>
<HR><H2><A NAME="HDRWQ139" HREF="auqbg002.htm#ToC_128">Getting Started on IRIX Systems</A></H2>
<P>In this section you incorporate AFS into the IRIX kernel,
choosing one of two methods:
<UL>
<P><LI>Dynamic loading using the <B>ml</B> program distributed by Silicon
Graphics, Incorporated (SGI).
<P><LI>Building a new static kernel.
</UL>
<P>Then see <A HREF="#HDRWQ142">Enabling AFS Login on IRIX Systems</A> to read about integrated AFS login on IRIX systems.
<P>In preparation for either dynamic loading or kernel building, perform the
following procedures:
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for IRIX on the <B>/cdrom</B> directory.
For instructions on mounting CD-ROMs (either locally or remotely via NFS), see
your IRIX documentation. Then change directory as indicated.
<PRE>
# <B>cd /cdrom/sgi_65/root.client</B>
</PRE>
<P><LI>Copy the AFS initialization script to the local directory for
initialization files (by convention, <B>/etc/init.d</B> on IRIX
machines). Note the removal of the <B>.rc</B> extension as
you copy the script.
<PRE>
# <B>cp -p usr/vice/etc/afs.rc /etc/init.d/afs</B>
</PRE>
<P><LI>Issue the <B>uname -m</B> command to determine the machine's CPU
board type. The <B>IP</B><VAR>xx</VAR> value in the output must match
one of the supported CPU board types listed in the <I>IBM AFS Release
Notes</I> for the current version of AFS.
<PRE>
# <B>uname -m</B>
</PRE>
<P><LI>Proceed to either <A HREF="#HDRWQ140">Loading AFS into the IRIX Kernel</A> or <A HREF="#HDRWQ141">Building AFS into the IRIX Kernel</A>.
</OL>
<A NAME="IDX2966"></A>
<A NAME="IDX2967"></A>
<A NAME="IDX2968"></A>
<A NAME="IDX2969"></A>
<A NAME="IDX2970"></A>
<A NAME="IDX2971"></A>
<A NAME="IDX2972"></A>
<P><H3><A NAME="HDRWQ140" HREF="auqbg002.htm#ToC_129">Loading AFS into the IRIX Kernel</A></H3>
<P>The <B>ml</B> program is the dynamic kernel loader
provided by SGI for IRIX systems. If you use it rather than building
AFS modifications into a static kernel, then for AFS to function correctly the
<B>ml</B> program must run each time the machine reboots.
Therefore, the AFS initialization script (included on the AFS CD-ROM) invokes
it automatically when the <B>afsml</B> configuration variable is
activated. In this section you activate the variable and run the
script.
<P>In a later section you verify that the script correctly initializes the
Cache Manager, then create the links that incorporate AFS into the IRIX
startup and shutdown sequence.
<OL TYPE=1>
<P><LI>Create the local <B>/usr/vice/etc/sgiload</B> directory to house the
AFS kernel library file.
<PRE>
# <B>mkdir /usr/vice/etc/sgiload</B>
</PRE>
<P><LI>Copy the appropriate AFS kernel library file to the
<B>/usr/vice/etc/sgiload</B> directory. The
<B>IP</B><VAR>xx</VAR> portion of the library file name must match the value
previously returned by the <B>uname -m</B> command. Also choose the
file appropriate to whether the machine's kernel supports NFS server
functionality (NFS must be supported for the machine to act as an NFS/AFS
Translator). Single- and multiprocessor machines use the same library
file.
<P>(You can choose to copy all of the kernel library files into the <B>
/usr/vice/etc/sgiload</B> directory, but they require a significant amount
of space.)
<P>If the machine's kernel supports NFS server functionality:
<PRE>
# <B>cp -p usr/vice/etc/sgiload/libafs.IP</B><VAR>xx</VAR><B>.o /usr/vice/etc/sgiload</B>
</PRE>
<P>If the machine's kernel does not support NFS server
functionality:
<PRE>
# <B>cp -p usr/vice/etc/sgiload/libafs.IP</B><VAR>xx</VAR><B>.nonfs.o</B> \
<B>/usr/vice/etc/sgiload</B>
</PRE>
<P><LI>Issue the <B>chkconfig</B> command to activate the <B>afsml</B>
configuration variable.
<PRE>
# <B>/etc/chkconfig -f afsml on</B>
</PRE>
<P>If the machine is to function as an NFS/AFS Translator and the kernel
supports NFS server functionality, activate the <B>afsxnfs</B>
variable.
<PRE>
# <B>/etc/chkconfig -f afsxnfs on</B>
</PRE>
<P><LI>Run the <B>/etc/init.d/afs</B> script to load AFS extensions
into the kernel. The script invokes the <B>ml</B> command,
automatically determining which kernel library file to use based on this
machine's CPU type and the activation state of the <B>afsxnfs</B>
variable.
<P>You can ignore any error messages about the inability to start the BOS
Server or the Cache Manager or AFS client.
<PRE>
# <B>/etc/init.d/afs start</B>
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ142">Enabling AFS Login on IRIX Systems</A>.
</OL>
<A NAME="IDX2973"></A>
<P><H3><A NAME="HDRWQ141" HREF="auqbg002.htm#ToC_130">Building AFS into the IRIX Kernel</A></H3>
<P>If you prefer to build a kernel, and the machine's
hardware and software configuration exactly matches another IRIX machine on
which AFS is already built into the kernel, you can choose to copy the kernel
from that machine to this one. In general, however, it is better to
build AFS modifications into the kernel on each machine according to the
following instructions.
<OL TYPE=1>
<P><LI>Copy the kernel initialization file <B>afs.sm</B> to the local
<B>/var/sysgen/system</B> directory, and the kernel master file
<B>afs</B> to the local <B>/var/sysgen/master.d</B>
directory.
<PRE>
# <B>cp -p bin/afs.sm /var/sysgen/system</B>
# <B>cp -p bin/afs /var/sysgen/master.d</B>
</PRE>
<P><LI>Copy the appropriate AFS kernel library file to the local file
<B>/var/sysgen/boot/afs.a</B>; the <B>IP</B><VAR>xx</VAR>
portion of the library file name must match the value previously returned by
the <B>uname -m</B> command. Also choose the file appropriate to
whether the machine's kernel supports NFS server functionality (NFS must
be supported for the machine to act as an NFS/AFS Translator). Single-
and multiprocessor machines use the same library file.
<P>If the machine's kernel supports NFS server functionality:
<PRE>
# <B>cp -p bin/libafs.IP</B><VAR>xx</VAR><B>.a /var/sysgen/boot/afs.a</B>
</PRE>
<P>If the machine's kernel does not support NFS server
functionality:
<PRE>
# <B>cp -p bin/libafs.IP</B><VAR>xx</VAR><B>.nonfs.a /var/sysgen/boot/afs.a</B>
</PRE>
<P><LI>Issue the <B>chkconfig</B> command to deactivate the <B>afsml</B>
configuration variable.
<PRE>
# <B>/etc/chkconfig -f afsml off</B>
</PRE>
<P>If the machine is to function as an NFS/AFS Translator and the kernel
supports NFS server functionality, activate the <B>afsxnfs</B>
variable.
<PRE>
# <B>/etc/chkconfig -f afsxnfs on</B>
</PRE>
<P><LI>Copy the existing kernel file, <B>/unix</B>, to a safe
location. Compile the new kernel, which is created in the file
<B>/unix.install</B>. It overwrites the existing
<B>/unix</B> file when the machine reboots in the next step.
<PRE>
# <B>cp /unix /unix_noafs</B>
# <B>autoconfig</B>
</PRE>
<P><LI>Reboot the machine to start using the new kernel, and login again as the
superuser <B>root</B>.
<PRE>
# <B>cd /</B>
# <B>shutdown -i6 -g0 -y</B>
login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ142">Enabling AFS Login on IRIX Systems</A>.
</OL>
<A NAME="IDX2974"></A>
<A NAME="IDX2975"></A>
<A NAME="IDX2976"></A>
<P><H3><A NAME="HDRWQ142" HREF="auqbg002.htm#ToC_131">Enabling AFS Login on IRIX Systems</A></H3>
<P>The standard IRIX command-line <B>login</B> program and
the graphical <B>xdm</B> login program both automatically grant an AFS
token when AFS is incorporated into the machine's kernel. However,
some IRIX distributions use another login utility by default, and it does not
necessarily incorporate the required AFS modifications. If that is the
case, you must disable the default utility if you want AFS users to obtain AFS
tokens at login. For further discussion, see the <I>IBM AFS Release
Notes</I>.
<P>If you configure the machine to use an AFS-modified login utility, then the
<B>afsauthlib.so</B> and <B>afskauthlib.so</B> files
(included in the AFS distribution) must reside in the <B>/usr/vice/etc</B>
directory. Issue the <B>ls</B> command to verify.
<PRE>
# <B>ls /usr/vice/etc</B>
</PRE>
<P>If the files do not exist, mount the AFS CD-ROM for IRIX (if it is not
already), change directory as indicated, and copy them.
<PRE>
# <B>cd /cdrom/sgi_65/root.client/usr/vice/etc</B>
# <B>cp -p *authlib* /usr/vice/etc</B>
</PRE>
<P>After taking any necessary action, proceed to <A HREF="#HDRWQ145">Loading and Creating Client Files</A>.
<A NAME="IDX2977"></A>
<A NAME="IDX2978"></A>
<A NAME="IDX2979"></A>
<A NAME="IDX2980"></A>
<A NAME="IDX2981"></A>
<A NAME="IDX2982"></A>
<A NAME="IDX2983"></A>
<A NAME="IDX2984"></A>
<A NAME="IDX2985"></A>
<HR><H2><A NAME="HDRWQ143" HREF="auqbg002.htm#ToC_132">Getting Started on Linux Systems</A></H2>
<P>In this section you load AFS into the Linux kernel.
Then incorporate AFS modifications into the machine's Pluggable
Authentication Module (PAM) system, if you wish to enable AFS login.
<P><H3><A NAME="Header_133" HREF="auqbg002.htm#ToC_133">Loading AFS into the Linux Kernel</A></H3>
<P>The <B>insmod</B> program is the dynamic kernel loader for
Linux. Linux does not support incorporation of AFS modifications during
a kernel build.
<P>For AFS to function correctly, the <B>insmod</B> program must run each
time the machine reboots, so the AFS initialization script (included on the
AFS CD-ROM) invokes it automatically. The script also includes commands
that select the appropriate AFS library file automatically. In this
section you run the script.
<P>In a later section you also verify that the script correctly initializes
the Cache Manager, then activate a configuration variable, which results in
the script being incorporated into the Linux startup and shutdown
sequence.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for Linux on the local <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your Linux documentation. Then change directory
as indicated.
<PRE>
# <B>cd /cdrom/i386_linux22/root.client/usr/vice/etc</B>
</PRE>
<P><LI>Copy the AFS kernel library files to the local
<B>/usr/vice/etc/modload</B> directory. The filenames for the
libraries have the format
<B>libafs-</B><VAR>version</VAR><B>.o</B>, where <VAR>version</VAR>
indicates the kernel build level. The string <B>.mp</B> in
the <VAR>version</VAR> indicates that the file is appropriate for machines
running a multiprocessor kernel.
<PRE>
# <B>cp -rp modload /usr/vice/etc</B>
</PRE>
<P><LI>Copy the AFS initialization script to the local directory for
initialization files (by convention, <B>/etc/rc.d/init.d</B>
on Linux machines). Note the removal of the <B>.rc</B>
extension as you copy the script.
<PRE>
# <B>cp -p afs.rc /etc/rc.d/init.d/afs</B>
</PRE>
<P><LI>Run the AFS initialization script to load AFS extensions into the
kernel. You can ignore any error messages about the inability to start
the BOS Server or the Cache Manager or AFS client.
<PRE>
# <B>/etc/rc.d/init.d/afs start</B>
</PRE>
</OL>
<P><H3><A NAME="Header_134" HREF="auqbg002.htm#ToC_134">Enabling AFS Login on Linux Systems</A></H3>
<P>At this point you incorporate AFS into the operating system's
Pluggable Authentication Module (PAM) scheme. PAM integrates all
authentication mechanisms on the machine, including login, to provide the
security infrastructure for authenticated access to and from the
machine.
<P>Explaining PAM is beyond the scope of this document. It is assumed
that you understand the syntax and meanings of settings in the PAM
configuration file (for example, how the <TT>other</TT> entry works, the
effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
<TT>sufficient</TT>, and so on).
<P>The following instructions explain how to alter the entries in the PAM
configuration file for each service for which you wish to use AFS
authentication. Other configurations possibly also work, but the
instructions specify the recommended and tested configuration.
<P>The recommended AFS-related entries in the PAM configuration file make use
of one or more of the following three attributes.
<DL>
<h4><br>Authentication Management</h4>
<P><DT><B><TT>try_first_pass</TT>
</B><DD>This is a standard PAM attribute that can be included on entries after the
first one for a service; it directs the module to use the password that
was provided to the first module. For the AFS module, it means that AFS
authentication succeeds if the password provided to the module listed first is
the user's correct AFS password. For further discussion of this
attribute and its alternatives, see the operating system's PAM
documentation.
<P>
<P><DT><B><TT>ignore_root</TT>
</B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
only the local superuser <B> root</B>, but also any user with UID 0
(zero).
<P><DT><B><TT>ignore_uid <i>uid</i></TT>
</B><DD>This option is an extension of the &quot;ignore_root&quot; switch. The additional
parameter is a limit. Users with a uid up to the given parameter are ignored
by <i>pam_afs.so</i>. Thus, a system administrator still has the opportunity to
add local user accounts to his system by choosing between &quot;low&quot; and
&quot;high&quot; user ids.<br>
An example /etc/passwd file for &quot;ignore_uid 100&quot; may have entries like these:
<PRE>
.
.
afsuserone:x:99:100::/afs/afscell/u/afsuserone:/bin/bash
afsusertwo:x:100:100::/afs/afscell/u/afsusertwo:/bin/bash
localuserone:x:101:100::/home/localuserone:/bin/bash
localusertwo:x:102:100::/home/localusertwo:/bin/bash
.
.
</PRE><br>
AFS accounts should be locked in the file /etc/shadow like this:
<PRE>
.
.
afsuserone:!!:11500:0:99999:7:::
afsusertwo:!!:11500:0:99999:7:::
localuserone:&lt;thelocaluserone'skey&gt;:11500:0:99999:7:::
localusertwo:&lt;thelocalusertwo'skey&gt;:11500:0:99999:7:::
.
.
</PRE><br>
There is no need to store a local key in this file since the AFS
password is sent and verfied at the AFS cell server!
<P><DT><B><TT>setenv_password_expires</TT>
</B><DD>This attribute, specific to the AFS PAM module, sets the environment
variable PASSWORD_EXPIRES to the expiration date of the user's AFS
password, which is recorded in the Authentication Database.
<P><DT><B><TT>set_token</TT>
</B><DD>Some applications don't call <i>pam_setcred()</i> in order to retrieve the appropriate
credentials (here the AFS token) for their session. This switch sets the credentials
already in <i>pam_sm_authenticate()</i> obsoleting a call to <i>pam_setcred()</i>.<br>
<b>Caution: Don't use this switch for applications which do call <i>pam_setcred()</i>!</b>
One example for an application not calling <i>pam_setcred()</i> are older versions of
the samba server.<br>
Nevertheless, using applications with working pam session management is recommended as this
setup conforms better with the PAM definitions.
<P><DT><B><TT>refresh_token</TT>
</B><DD>This options is identical to &quot;set_token&quot; except that no new PAG is generated.
This is necessary to handle processes like xlock or xscreensaver. It is not enough to give
the screen and the keyboard free for the user who reactivated his screen typing in the
correct AFS password, but one may also need fresh tokens with full
livetime in order to work on, and the new token must be refreshed in the already existing PAG
for the processes that have been started. This is achieved using this option.
<P><DT><B><TT>use_klog</TT>
</B><DD>Activating this switch the authentication is done by calling the external program &quot;klog&quot;.
One program requiring this is for example <i>kdm</i> of KDE 2.x.<br></DD>
<P><DT><B><TT>dont_fork</TT>
</B><DD>Usually, the password verification and the establishment of the token is performed
in a sub process. Using this option pam_afs does not fork and performs all actions in a single
process. <b>Only use this options in case you notice serious problems caused by the sub process.</b>
This option has been developed in respect to the &quot;mod_auth_pam&quot;-project (see also
<A HREF="http://pam.sourceforge.net/mod_auth_pam/">mod_auth_pam</A>). The mod_auth_pam
module enables PAM authentication for the apache http server package.
<h4><br>Session Management</h4>
<P><DT><B><TT>no_unlog</TT>
</B><DD>Normally the tokens are deleted (in memory) after the session ends. Using this options the tokens are left
untouched. <b>This behaviour has been the default in pam_afs until openafs-1.1.1!</b>
<P><DT><B><TT>remainlifetime <i>sec</i></TT>
</B><DD>The tokens are kept active for <i>sec</i> seconds before they are deleted. X display managers
i.e. are used to inform the applications started in the X session before the logout and then
end themselves. If the token was deleted immediately the applications would have no chance to
write back their settings to i.e. the user's AFS home space. This option may help to avoid the
problem.<br>
</DL>
<P>Perform the following steps to enable AFS login.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for Linux on the <B>/cdrom</B> directory, if it
is not already. Then change to the directory for PAM modules, which
depends on which Linux distribution you are using.
<P>If you are using a Linux distribution from Red Hat Software:
<PRE>
# <B>cd /lib/security</B>
</PRE>
<P>If you are using another Linux distribution:
<PRE>
# <B>cd /usr/lib/security</B>
</PRE>
<P><LI>Copy the appropriate AFS authentication library file to the directory to
which you changed in the previous step. Create a symbolic link whose
name does not mention the version. Omitting the version eliminates the
need to edit the PAM configuration file if you later update the library
file.
<P>If you use the AFS Authentication Server (<B>kaserver</B>
process):
<PRE>
# <B>cp /cdrom/i386_linux22/lib/pam_afs.so.1 .</B>
# <B>ln -s pam_afs.so.1 pam_afs.so</B>
</PRE>
<P>If you use a Kerberos implementation of AFS authentication:
<PRE>
# <B>cp /cdrom/i386_linux22/lib/pam_afs.krb.so.1 .</B>
# <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>
</PRE>
<P><LI>For each service with which you want to use AFS authentication, insert an
entry for the AFS PAM module into the <TT>auth</TT> section of the
service's PAM configuration file. (Linux uses a separate
configuration file for each service, unlike some other operating systems which
list all services in a single file.) Mark the entry as
<TT>sufficient</TT> in the second field.
<P>Place the AFS entry below any entries that impose conditions under which
you want the service to fail for a user who does not meet the entry's
requirements. Mark these entries <TT>required</TT>. Place the
AFS entry above any entries that need to execute only if AFS authentication
fails.
<P>Insert the following AFS entry if using the Red Hat distribution:
<PRE>
auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
</PRE>
<P>Insert the following AFS entry if using another distribution:
<PRE>
auth sufficient /usr/lib/security/pam_afs.so try_first_pass ignore_root
</PRE>
<P>Check the PAM config files also for &quot;session&quot; entries. If there are
lines beginning with &quot;session&quot; then please insert this line too:
<PRE>
session optional /lib/security/pam_afs.so
</PRE>
<P>or
<PRE>
session optional /usr/lib/security/pam_afs.so
</PRE>
<P>This guaranties that the user's tokens are deleted from memory after his
session ends so that no other user coincidently gets those tokens without authorization!
The following examples illustrate the recommended configuration of the
configuration file for several services:<br>
<h4><br>Authentication Management</h4>
(<B>/etc/pam.d/login</B>)
<PRE>
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#This enables AFS authentication for every user but root
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session optional /lib/security/pam_afs.so
#Make sure tokens are deleted after the user logs out
session required /lib/security/pam_pwdb.so
</PRE><br>
(<b>/etc/pam.d/samba</b>)
<PRE>
auth required /lib/security/pam_afs.so ignore_uid 100 set_token
# ^^^^^^^^^^^^^^^^^^^^^^^^
#Here, users with uid&gt;100 are considered to belong to the AFS and users
#with uid&lt;=100 are ignored by pam_afs. The token is retrieved already in
#pam_sm_authenticate() (this is an example pam config for a samba version
#that does not call pam_setcred(), it also does no sense to include session
#entries here since they would be ignored by this version of samba ).
account required /lib/security/pam_pwdb.so
</PRE>
(<b>/etc/pam.d/xscreensaver</b>)
<PRE>
auth sufficient /lib/security/pam_afs.so ignore_uid 100 refresh_token
# ^^^^^^^^^^^^^
#Avoid generating a new PAG for the new tokens, use the already existing PAG and
#establish a fresh token in it.
auth required /lib/security/pam_pwdb.so try_first_pass
</PRE>
(<b>/etc/pam.d/httpd</b>)
<PRE>
auth required /lib/security/pam_afs.so ignore_uid 100 dont_fork
# ^^^^^^^^^
#Don't fork for the verification of the password.
</PRE>
<h4><br>Session Management</h4>
(<b>/etc/pam.d/su</b>)
<PRE>
auth sufficient /lib/security/pam_afs.so ignore_uid 100
auth required /lib/security/pam_pwdb.so try_first_pass
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so use_authtok
session required /lib/security/pam_pwdb.so
session optional /lib/security/pam_afs.so no_unlog
# ^^^^^^^^
#Don't delete the token in this case, since the user may still
#need it (for example if somebody logs in and changes to root
#afterwards he may still want to access his home space in AFS).
session required /lib/security/pam_login_access.so
session optional /lib/security/pam_xauth.so
</PRE>
(<b>/etc/pam.d/xdm</b>)
<PRE>
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_login_access.so
auth sufficient /lib/security/pam_afs.so ignore_uid 100 use_klog
auth required /lib/security/pam_pwdb.so try_first_pass
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session optional /lib/security/pam_afs.so remainlifetime 10
# ^^^^^^^^^^^^^^^^^
#Wait 10 seconds before deleting the AFS tokens in order to give
#the programs of the X session some time to save their settings
#to AFS.
session required /lib/security/pam_pwdb.so
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ145">Loading and Creating Client Files</A>.
</OL>
<A NAME="IDX2986"></A>
<A NAME="IDX2987"></A>
<A NAME="IDX2988"></A>
<A NAME="IDX2989"></A>
<A NAME="IDX2990"></A>
<A NAME="IDX2991"></A>
<A NAME="IDX2992"></A>
<A NAME="IDX2993"></A>
<A NAME="IDX2994"></A>
<A NAME="IDX2995"></A>
<A NAME="IDX2996"></A>
<A NAME="IDX2997"></A>
<HR><H2><A NAME="HDRWQ144" HREF="auqbg002.htm#ToC_135">Getting Started on Solaris Systems</A></H2>
<P>In this section you load AFS into the Solaris kernel.
Then incorporate AFS modifications into the machine's Pluggable
Authentication Module (PAM) system, if you wish to enable AFS login.
<P><H3><A NAME="Header_136" HREF="auqbg002.htm#ToC_136">Loading AFS into the Solaris Kernel</A></H3>
<P>The <B>modload</B> program is the dynamic kernel loader provided by
Sun Microsystems for Solaris systems. Solaris does not support
incorporation of AFS modifications during a kernel build.
<P>For AFS to function correctly, the <B>modload</B> program must run each
time the machine reboots, so the AFS initialization script (included on the
AFS CD-ROM) invokes it automatically. In this section you copy the
appropriate AFS library file to the location where the <B>modload</B>
program accesses it and then run the script.
<P>In a later section you verify that the script correctly initializes the
Cache Manager, then create the links that incorporate AFS into the Solaris
startup and shutdown sequence.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for Solaris on the <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your Solaris documentation. Then change
directory as indicated.
<PRE>
# <B>cd /cdrom/sun4x_56/root.client/usr/vice/etc</B>
</PRE>
<P><LI>Copy the AFS initialization script to the local directory for
initialization files (by convention, <B>/etc/init.d</B> on Solaris
machines). Note the removal of the <B>.rc</B> extension as
you copy the script.
<PRE>
# <B>cp -p afs.rc /etc/init.d/afs</B>
</PRE>
<P><LI>Copy the appropriate AFS kernel library file to the local file
<B>/kernel/fs/afs</B>.
<P>If the machine is running Solaris 2.6 or the 32-bit version of
Solaris 7, its kernel supports NFS server functionality, and the
<B>nfsd</B> process is running:
<PRE>
# <B>cp -p modload/libafs.o /kernel/fs/afs</B>
</PRE>
<P>If the machine is running Solaris 2.6 or the 32-bit version of
Solaris 7, and its kernel does not support NFS server functionality or the
<B>nfsd</B> process is not running:
<PRE>
# <B>cp -p modload/libafs.nonfs.o /kernel/fs/afs</B>
</PRE>
<P>If the machine is running the 64-bit version of Solaris 7, its kernel
supports NFS server functionality, and the <B>nfsd</B> process is
running:
<PRE>
# <B>cp -p modload/libafs64.o /kernel/fs/sparcv9/afs</B>
</PRE>
<P>If the machine is running the 64-bit version of Solaris 7, and its
kernel does not support NFS server functionality or the <B>nfsd</B>
process is not running:
<PRE>
# <B>cp -p modload/libafs64.nonfs.o /kernel/fs/sparcv9/afs</B>
</PRE>
<P><LI>Run the AFS initialization script to load AFS modifications into the
kernel. You can ignore any error messages about the inability to start
the BOS Server or the Cache Manager or AFS client.
<PRE>
# <B>/etc/init.d/afs start</B>
</PRE>
<P>When an entry called <TT>afs</TT> does not already exist in the local
<B>/etc/name_to_sysnum</B> file, the script automatically creates it and
reboots the machine to start using the new version of the file. If this
happens, log in again as the superuser <B>root</B> after the reboot and
run the initialization script again. This time the required entry
exists in the <B>/etc/name_to_sysnum</B> file, and the <B>modload</B>
program runs.
<PRE>
login: <B>root</B>
Password: <VAR>root_password</VAR>
# <B>/etc/init.d/afs start</B>
</PRE>
</OL>
<P><H3><A NAME="Header_137" HREF="auqbg002.htm#ToC_137">Enabling AFS Login on Solaris Systems</A></H3>
<P>At this point you incorporate AFS into the operating system's
Pluggable Authentication Module (PAM) scheme. PAM integrates all
authentication mechanisms on the machine, including login, to provide the
security infrastructure for authenticated access to and from the
machine.
<P>Explaining PAM is beyond the scope of this document. It is assumed
that you understand the syntax and meanings of settings in the PAM
configuration file (for example, how the <TT>other</TT> entry works, the
effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
<TT>sufficient</TT>, and so on).
<P>The following instructions explain how to alter the entries in the PAM
configuration file for each service for which you wish to use AFS
authentication. Other configurations possibly also work, but the
instructions specify the recommended and tested configuration.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">The instructions specify that you mark each entry as
<TT>optional</TT>. However, marking some modules as optional can mean
that they grant access to the corresponding service even when the user does
not meet all of the module's requirements. In some operating
system revisions, for example, if you mark as optional the module that
controls login via a dial-up connection, it allows users to login without
providing a password. See the <I>IBM AFS Release Notes</I> for a
discussion of any limitations that apply to this operating system.
<P>Also, with some operating system versions you must install patches for PAM
to interact correctly with certain authentication programs. For
details, see the <I>IBM AFS Release Notes</I>.
</TD></TR></TABLE>
<P>The recommended AFS-related entries in the PAM configuration file make use
of one or more of the following three attributes.
<DL>
<h4><br>Authentication Management</h4>
<P><DT><B><TT>try_first_pass</TT>
</B><DD>This is a standard PAM attribute that can be included on entries after the
first one for a service; it directs the module to use the password that
was provided to the first module. For the AFS module, it means that AFS
authentication succeeds if the password provided to the module listed first is
the user's correct AFS password. For further discussion of this
attribute and its alternatives, see the operating system's PAM
documentation.
<P><DT><B><TT>ignore_root</TT>
</B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
only the local superuser <B> root</B>, but also any user with UID 0
(zero).
<P><DT><B><TT>setenv_password_expires</TT>
</B><DD>This attribute, specific to the AFS PAM module, sets the environment
variable PASSWORD_EXPIRES to the expiration date of the user's AFS
password, which is recorded in the Authentication Database.
</DL>
<P>Perform the following steps to enable AFS login.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for Solaris on the <B>/cdrom</B> directory, if it
is not already. Then change directory as indicated.
<PRE>
# <B>cd /usr/lib/security</B>
</PRE>
<P><LI>Copy the AFS authentication library file to the
<B>/usr/lib/security</B> directory. Then create a symbolic link to
it whose name does not mention the version. Omitting the version
eliminates the need to edit the PAM configuration file if you later update the
library file.
<P>If you use the AFS Authentication Server (<B>kaserver</B>
process):
<PRE>
#<B> cp /cdrom/sun4x_56/lib/pam_afs.so.1 .</B>
# <B>ln -s pam_afs.so.1 pam_afs.so</B>
</PRE>
<P>If you use a Kerberos implementation of AFS authentication:
<PRE>
# <B>cp /cdrom/sun4x_56/lib/pam_afs.krb.so.1 .</B>
# <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>
</PRE>
<P><LI>Edit the <TT>Authentication management</TT> section of the Solaris PAM
configuration file, <B>/etc/pam.conf</B> by convention. The
entries in this section have the value <TT>auth</TT> in their second
field.
<P>First edit the standard entries, which refer to the Solaris PAM module
(usually, the file <B>/usr/lib/security/pam_unix.so.1</B>)
in their fourth field. For each service for which you want to use AFS
authentication, edit the third field of its entry to read
<TT>optional</TT>. The <B>pam.conf</B> file in the Solaris
distribution usually includes standard entries for the <B>login</B>,
<B>rlogin</B>, and <B>rsh</B> services, for instance.
<P>If there are services for which you want to use AFS authentication, but for
which the <B>pam.conf</B> file does not already include a standard
entry, you must create that entry and place the value <TT>optional</TT> in
its third field. For instance, the Solaris <B>pam.conf</B>
file does not usually include standard entries for the <B>ftp</B> or
<B>telnet</B> services.
<P>Then create an AFS-related entry for each service, placing it immediately
below the standard entry. The following example shows what the
<TT>Authentication Management</TT> section looks like after you have you
edited or created entries for the services mentioned previously. Note
that the example AFS entries appear on two lines only for legibility.
<PRE>
login auth optional /usr/lib/security/pam_unix.so.1
login auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root setenv_password_expires
rlogin auth optional /usr/lib/security/pam_unix.so.1
rlogin auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root setenv_password_expires
rsh auth optional /usr/lib/security/pam_unix.so.1
rsh auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root
ftp auth optional /usr/lib/security/pam_unix.so.1
ftp auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root
telnet auth optional /usr/lib/security/pam_unix.so.1
telnet auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root setenv_password_expires
</PRE>
<P><LI>If you use the Common Desktop Environment (CDE) on the machine and want
users to obtain an AFS token as they log in, also add or edit the following
four entries in the <TT>Authentication management</TT> section. Note
that the AFS-related entries appear on two lines here only for
legibility.
<PRE>
dtlogin auth optional /usr/lib/security/pam_unix.so.1
dtlogin auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root
dtsession auth optional /usr/lib/security/pam_unix.so.1
dtsession auth optional /usr/lib/security/pam_afs.so \
try_first_pass ignore_root
</PRE>
<P><LI>Some Solaris distributions include a script that locates and removes
unneeded files from various file systems. Its conventional location is
<B>/usr/lib/fs/nfs/nfsfind</B>. The script generally uses an
argument to the <B>find</B> command to define which file systems to
search. In this step you modify the command to exclude the
<B>/afs</B> directory. Otherwise, the command traverses the AFS
filespace of every cell that is accessible from the machine, which can take
many hours. The following alterations are possibilities, but you must
verify that they are appropriate for your cell.
<P>The first possible alteration is to add the <B>-local</B> flag to the
existing command, so that it looks like the following:
<PRE>
find $dir -local -name .nfs\* -mtime +7 -mount -exec rm -f {} \;
</PRE>
<P>Another alternative is to exclude any directories whose names begin with
the lowercase letter <B>a</B> or a non-alphabetic character.
<PRE>
find /[A-Zb-z]* <VAR>remainder of existing command</VAR>
</PRE>
<P>Do not use the following command, which still searches under the
<B>/afs</B> directory, looking for a subdirectory of type
<B>4.2</B>.
<PRE>
find / -fstype 4.2 /* <VAR>do not use</VAR> */
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ145">Loading and Creating Client Files</A>.
</OL>
<A NAME="IDX2998"></A>
<A NAME="IDX2999"></A>
<A NAME="IDX3000"></A>
<A NAME="IDX3001"></A>
<A NAME="IDX3002"></A>
<A NAME="IDX3003"></A>
<A NAME="IDX3004"></A>
<A NAME="IDX3005"></A>
<A NAME="IDX3006"></A>
<A NAME="IDX3007"></A>
<A NAME="IDX3008"></A>
<A NAME="IDX3009"></A>
<HR><H2><A NAME="HDRWQ145" HREF="auqbg002.htm#ToC_138">Loading and Creating Client Files</A></H2>
<P>Now copy files from the AFS CD-ROM to the
<B>/usr/vice/etc</B> directory. On some platforms that use a
dynamic loader program to incorporate AFS modifications into the kernel, you
have already copied over some the files. Copying them again does no
harm.
<P>Every AFS client machine has a copy of the
<B>/usr/vice/etc/ThisCell</B> file on its local disk to define the
machine's cell membership for the AFS client programs that run on
it. Among other functions, this file determines the following:
<UL>
<P><LI>The cell in which users authenticate when they log onto the machine,
assuming it is using an AFS-modified login utility
<P><LI>The cell in which users authenticate by default when they issue the
<B>klog</B> command
<P><LI>The cell membership of the AFS server processes that the AFS command
interpreters on this machine contact by default
</UL>
<P>Similarly, the <B>/usr/vice/etc/CellServDB</B> file on a client
machine's local disk lists the database server machines in each cell that
the local Cache Manager can contact. If there is no entry in the file
for a cell, or the list of database server machines is wrong, then users
working on this machine cannot access the cell. The chapter in the
<I>IBM AFS Administration Guide</I> about administering client machines
explains how to maintain the file after creating it. A version of the
client <B>CellServDB</B> file was created during the installation of your
cell's first machine (in <A HREF="auqbg005.htm#HDRWQ66">Creating the Client CellServDB File</A>). It is probably also appropriate for use on this
machine.
<P>Remember that the Cache Manager consults the
<B>/usr/vice/etc/CellServDB</B> file only at reboot, when it copies the
information into the kernel. For the Cache Manager to perform properly,
the <B>CellServDB</B> file must be accurate at all times. Refer to
the chapter in the <I>IBM AFS Administration Guide</I> about administering
client machines for instructions on updating this file, with or without
rebooting.
<OL TYPE=1>
<P><LI>On the local <B>/cdrom</B> directory, mount the AFS CD-ROM for this
machine's system type, if it is not already. For instructions on
mounting CD-ROMs (either locally or remotely via NFS), consult the operating
system documentation.
<P><LI>Copy files to the local <B>/usr/vice/etc</B> directory.
<P>This step places a copy of the AFS initialization script (and related
files, if applicable) into the <B>/usr/vice/etc</B> directory. In
the preceding instructions for incorporating AFS into the kernel, you copied
the script directly to the operating system's conventional location for
initialization files. When you incorporate AFS into the machine's
startup sequence in a later step, you can choose to link the two files.
<P>On some system types that use a dynamic kernel loader program, you
previously copied AFS library files into a subdirectory of the
<B>/usr/vice/etc</B> directory. On other system types, you copied
the appropriate AFS library file directly to the directory where the operating
system accesses it. The following commands do not copy or recopy the
AFS library files into the <B>/usr/vice/etc</B> directory, because on some
system types the library files consume a large amount of space. If you
want to copy them, add the <B>-r</B> flag to the first <B>cp</B>
command and skip the second <B>cp</B> command.
<PRE>
# <B>cd /cdrom/</B><VAR>sysname</VAR><B>/root.client/usr/vice/etc</B>
# <B>cp -p * /usr/vice/etc</B>
# <B>cp -rp C /usr/vice/etc</B>
</PRE>
<P><LI>Create the <B>/usr/vice/etc/ThisCell</B> file.
<PRE>
# <B>echo "</B><VAR>cellname</VAR><B>" > /usr/vice/etc/ThisCell</B>
</PRE>
<P><LI>Create the <B>/usr/vice/etc/CellServDB</B> file. Use a network
file transfer program such as <B>ftp</B> or NFS to copy it from one of the
following sources, which are listed in decreasing order of preference:
<UL>
<P><LI>Your cell's central <B>CellServDB</B> source file (the
conventional location is
<B>/afs/</B><VAR>cellname</VAR><B>/common/etc/CellServDB</B>)
<P><LI>The global <B>CellServDB</B> file maintained by the AFS Product
Support group
<P><LI>An existing client machine in your cell
<P><LI>The <B>CellServDB.sample</B> file included in the
<VAR>sysname</VAR><B>/root.client/usr/vice/etc</B> directory of each
AFS CD-ROM; add an entry for the local cell by following the instructions
in <A HREF="auqbg005.htm#HDRWQ66">Creating the Client CellServDB File</A>
</UL>
</OL>
<A NAME="IDX3010"></A>
<A NAME="IDX3011"></A>
<A NAME="IDX3012"></A>
<A NAME="IDX3013"></A>
<A NAME="IDX3014"></A>
<A NAME="IDX3015"></A>
<A NAME="IDX3016"></A>
<A NAME="IDX3017"></A>
<A NAME="IDX3018"></A>
<A NAME="IDX3019"></A>
<A NAME="IDX3020"></A>
<A NAME="IDX3021"></A>
<A NAME="IDX3022"></A>
<A NAME="IDX3023"></A>
<A NAME="IDX3024"></A>
<A NAME="IDX3025"></A>
<HR><H2><A NAME="HDRWQ146" HREF="auqbg002.htm#ToC_139">Configuring the Cache</A></H2>
<P>The Cache Manager uses a cache on the local disk or in
machine memory to store local copies of files fetched from file server
machines. As the <B>afsd</B> program initializes the Cache Manager,
it sets basic cache configuration parameters according to definitions in the
local <B>/usr/vice/etc/cacheinfo</B> file. The file has three
fields:
<OL TYPE=1>
<P><LI>The first field names the local directory on which to mount the AFS
filespace. The conventional location is the <B>/afs</B>
directory.
<P><LI>The second field defines the local disk directory to use for the disk
cache. The conventional location is the <B>/usr/vice/cache</B>
directory, but you can specify an alternate directory if another partition has
more space available. There must always be a value in this field, but
the Cache Manager ignores it if the machine uses a memory cache.
<P><LI>The third field specifies the number of kilobyte (1024 byte) blocks to
allocate for the cache.
</OL>
<P>The values you define must meet the following requirements.
<UL>
<P><LI>On a machine using a disk cache, the Cache Manager expects always to be
able to use the amount of space specified in the third field. Failure
to meet this requirement can cause serious problems, some of which can be
repaired only by rebooting. You must prevent non-AFS processes from
filling up the cache partition. The simplest way is to devote a
partition to the cache exclusively.
<P><LI>The amount of space available in memory or on the partition housing the
disk cache directory imposes an absolute limit on cache size.
<P><LI>The maximum supported cache size can vary in each AFS release; see
the <I>IBM AFS Release Notes</I> for the current version.
<P><LI>For a disk cache, you cannot specify a value in the third field that
exceeds 95% of the space available on the partition mounted at the directory
named in the second field. If you violate this restriction, the
<B>afsd</B> program exits without starting the Cache Manager and prints an
appropriate message on the standard output stream. A value of 90% is
more appropriate on most machines. Some operating systems (such as AIX)
do not automatically reserve some space to prevent the partition from filling
completely; for them, a smaller value (say, 80% to 85% of the space
available) is more appropriate.
<P><LI>For a memory cache, you must leave enough memory for other processes and
applications to run. If you try to allocate more memory than is
actually available, the <B>afsd</B> program exits without initializing the
Cache Manager and produces the following message on the standard output
stream.
<PRE>
afsd: memCache allocation failure at <VAR>number</VAR> KB
</PRE>
<P>The <VAR>number</VAR> value is how many kilobytes were allocated just before
the failure, and so indicates the approximate amount of memory
available.
</UL>
<P>Within these hard limits, the factors that determine appropriate cache size
include the number of users working on the machine, the size of the files with
which they work, and (for a memory cache) the number of processes that run on
the machine. The higher the demand from these factors, the larger the
cache needs to be to maintain good performance.
<P>Disk caches smaller than 10 MB do not generally perform well.
Machines serving multiple users usually perform better with a cache of at
least 60 to 70 MB. The point at which enlarging the cache further does
not really improve performance depends on the factors mentioned previously and
is difficult to predict.
<P>Memory caches smaller than 1 MB are nonfunctional, and the performance of
caches smaller than 5 MB is usually unsatisfactory. Suitable upper
limits are similar to those for disk caches but are probably determined more
by the demands on memory from other sources on the machine (number of users
and processes). Machines running only a few processes possibly can use
a smaller memory cache.
<P><H3><A NAME="HDRWQ147" HREF="auqbg002.htm#ToC_140">Configuring a Disk Cache</A></H3>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Not all file system types that an operating system supports
are necessarily supported for use as the cache partition. For possible
restrictions, see the <I>IBM AFS Release Notes</I>.
</TD></TR></TABLE>
<P>To configure the disk cache, perform the following procedures:
<OL TYPE=1>
<P><LI>Create the local directory to use for caching. The following
instruction shows the conventional location,
<B>/usr/vice/cache</B>. If you are devoting a partition exclusively
to caching, as recommended, you must also configure it, make a file system on
it, and mount it at the directory created in this step.
<PRE>
# <B>mkdir /usr/vice/cache</B>
</PRE>
<P><LI>Create the <B>cacheinfo</B> file to define the configuration
parameters discussed previously. The following instruction shows the
standard mount location, <B>/afs</B>, and the standard cache location,
<B>/usr/vice/cache</B>.
<PRE>
# <B>echo "/afs:/usr/vice/cache:</B><VAR>#blocks</VAR><B>" > /usr/vice/etc/cacheinfo</B>
</PRE>
<P>The following example defines the disk cache size as 50,000 KB:
<PRE>
# <B>echo "/afs:/usr/vice/cache:50000" > /usr/vice/etc/cacheinfo</B>
</PRE>
</OL>
<P><H3><A NAME="HDRWQ148" HREF="auqbg002.htm#ToC_141">Configuring a Memory Cache</A></H3>
<P>To configure a memory cache, create the <B>cacheinfo</B>
file to define the configuration parameters discussed previously. The
following instruction shows the standard mount location, <B>/afs</B>, and
the standard cache location, <B>/usr/vice/cache</B> (though the exact
value of the latter is irrelevant for a memory cache).
<PRE>
# <B>echo "/afs:/usr/vice/cache:</B><VAR>#blocks</VAR><B>" > /usr/vice/etc/cacheinfo</B>
</PRE>
<P>The following example allocates 25,000 KB of memory for the cache.
<PRE>
# <B>echo "/afs:/usr/vice/cache:25000" > /usr/vice/etc/cacheinfo</B>
</PRE>
<A NAME="IDX3026"></A>
<A NAME="IDX3027"></A>
<A NAME="IDX3028"></A>
<A NAME="IDX3029"></A>
<A NAME="IDX3030"></A>
<A NAME="IDX3031"></A>
<A NAME="IDX3032"></A>
<A NAME="IDX3033"></A>
<A NAME="IDX3034"></A>
<A NAME="IDX3035"></A>
<A NAME="IDX3036"></A>
<A NAME="IDX3037"></A>
<A NAME="IDX3038"></A>
<A NAME="IDX3039"></A>
<A NAME="IDX3040"></A>
<A NAME="IDX3041"></A>
<A NAME="IDX3042"></A>
<A NAME="IDX3043"></A>
<A NAME="IDX3044"></A>
<A NAME="IDX3045"></A>
<A NAME="IDX3046"></A>
<A NAME="IDX3047"></A>
<A NAME="IDX3048"></A>
<A NAME="IDX3049"></A>
<A NAME="IDX3050"></A>
<A NAME="IDX3051"></A>
<A NAME="IDX3052"></A>
<A NAME="IDX3053"></A>
<HR><H2><A NAME="HDRWQ149" HREF="auqbg002.htm#ToC_142">Configuring the Cache Manager</A></H2>
<P>By convention, the Cache Manager mounts the AFS filespace on
the local <B>/afs</B> directory. In this section you create that
directory.
<P>The <B>afsd</B> program sets several cache configuration parameters as
it initializes the Cache Manager, and starts daemons that improve
performance. You can use the <B>afsd</B> command's arguments
to override the parameters' default values and to change the number of
some of the daemons. Depending on the machine's cache size, its
amount of RAM, and how many people work on it, you can sometimes improve Cache
Manager performance by overriding the default values. For a discussion
of all of the <B>afsd</B> command's arguments, see its reference page
in the <I>IBM AFS Administration Reference</I>.
<P>The <B>afsd</B> command line in the AFS initialization script on each
system type includes an <TT>OPTIONS</TT> variable. You can use it to
set nondefault values for the command's arguments, in one of the
following ways:
<UL>
<P><LI>You can create an <B>afsd</B> <I>options file</I> that sets values
for arguments to the <B>afsd</B> command. If the file exists, its
contents are automatically substituted for the <TT>OPTIONS</TT> variable in
the AFS initialization script. The AFS distribution for some system
types includes an options file; on other system types, you must create
it.
<P>You use two variables in the AFS initialization script to specify the path
to the options file: <TT>CONFIG</TT> and <TT>AFSDOPT</TT>. On
system types that define a conventional directory for configuration files, the
<TT>CONFIG</TT> variable indicates it by default; otherwise, the
variable indicates an appropriate location.
<P>List the desired <B>afsd</B> options on a single line in the options
file, separating each option with one or more spaces. The following
example sets the <B>-stat</B> argument to 2500, the <B>-daemons</B>
argument to 4, and the <B>-volumes</B> argument to 100.
<PRE>
-stat 2500 -daemons 4 -volumes 100
</PRE>
<P><LI>On a machine that uses a disk cache, you can set the <TT>OPTIONS</TT>
variable in the AFS initialization script to one of <TT>$SMALL</TT>,
<TT>$MEDIUM</TT>, or <TT>$LARGE</TT>. The AFS initialization script
uses one of these settings if the <B>afsd</B> options file named by the
<TT>AFSDOPT</TT> variable does not exist. In the script as
distributed, the <TT>OPTIONS</TT> variable is set to the value
<TT>$MEDIUM</TT>.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Do not set the <TT>OPTIONS</TT> variable to <TT>$SMALL</TT>,
<TT>$MEDIUM</TT>, or <TT>$LARGE</TT> on a machine that uses a memory
cache. The arguments it sets are appropriate only on a machine that
uses a disk cache.
</TD></TR></TABLE>
<P>The script (or on some system types the <B>afsd</B> options file named
by the <TT>AFSDOPT</TT> variable) defines a value for each of
<TT>SMALL</TT>, <TT>MEDIUM</TT>, and <TT>LARGE</TT> that sets
<B>afsd</B> command arguments appropriately for client machines of
different sizes:
<UL>
<P><LI><TT>SMALL</TT> is suitable for a small machine that serves one or two
users and has approximately 8 MB of RAM and a 20-MB cache
<P><LI><TT>MEDIUM</TT> is suitable for a medium-sized machine that serves two
to six users and has 16 MB of RAM and a 40-MB cache
<P><LI><TT>LARGE</TT> is suitable for a large machine that serves five to ten
users and has 32 MB of RAM and a 100-MB cache
</UL>
<P><LI>You can choose not to create an <B>afsd</B> options file and to set
the <TT>OPTIONS</TT> variable in the initialization script to a null value
rather than to the default <TT>$MEDIUM</TT> value. You can then
either set arguments directly on the <B>afsd</B> command line in the
script, or set no arguments (and so accept default values for all Cache
Manager parameters).
</UL>
<OL TYPE=1>
<P><LI>Create the local directory on which to mount the AFS filespace, by
convention <B>/afs</B>. If the directory already exists, verify
that it is empty.
<PRE>
# <B>mkdir /afs</B>
</PRE>
<P><LI>On AIX systems, add the following line to the <B>/etc/vfs</B>
file. It enables AIX to unmount AFS correctly during shutdown.
<PRE>
afs 4 none none
</PRE>
<P><LI>On Linux systems, copy the <B>afsd</B> options file from the
<B>/usr/vice/etc</B> directory to the <B>/etc/sysconfig</B> directory,
removing the <B>.conf</B> extension as you do so.
<PRE>
# <B>cp /usr/vice/etc/afs.conf /etc/sysconfig/afs</B>
</PRE>
<P><LI>Edit the machine's AFS initialization script or <B>afsd</B>
options file to set appropriate values for <B>afsd</B> command
parameters. The appropriate file for each system type is as
follows:
<UL>
<P><LI>On AIX systems, <B>/etc/rc.afs</B>
<P><LI>On Digital UNIX systems, <B>/sbin/init.d/afs</B>
<P><LI>On HP-UX systems, <B>/sbin/init.d/afs</B>
<P><LI>On IRIX systems, <B>/etc/init.d/afs</B>
<P><LI>On Linux systems, <B>/etc/sysconfig/afs</B> (the <B>afsd</B>
options file)
<P><LI>On Solaris systems, <B>/etc/init.d/afs</B>
</UL>
<P>Use one of the methods described in the introduction to this section to add
the following flags to the <B>afsd</B> command line. Also set any
performance-related arguments you wish.
<UL>
<P><LI>Add the <B>-memcache</B> flag if the machine is to use a memory
cache.
<P><LI>Add the <B>-verbose</B> flag to display a trace of the Cache
Manager's initialization on the standard output stream.
</UL>
</OL>
<A NAME="IDX3054"></A>
<A NAME="IDX3055"></A>
<A NAME="IDX3056"></A>
<A NAME="IDX3057"></A>
<A NAME="IDX3058"></A>
<HR><H2><A NAME="HDRWQ150" HREF="auqbg002.htm#ToC_143">Starting the Cache Manager and Installing the AFS Initialization Script</A></H2>
<P>In this section you run the AFS initialization script to
start the Cache Manager. If the script works correctly, perform the
steps that incorporate it into the machine's startup and shutdown
sequence. If there are problems during the initialization, attempt to
resolve them. The AFS Product Support group can provide assistance if
necessary.
<P>On machines that use a disk cache, it can take a while for the
<B>afsd</B> program to run the first time on a machine, because it must
create all of the <B>V</B><VAR>n</VAR> files in the cache directory.
Subsequent Cache Manager initializations do not take nearly as long, because
the <B>V</B><VAR>n</VAR> files already exist.
<P>On system types that use a dynamic loader program, you must reboot the
machine before running the initialization script, so that it can freshly load
AFS modifications into the kernel.
<P>Proceed to the instructions for your system type:
<UL>
<P><LI><A HREF="#HDRWQ151">Running the Script on AIX Systems</A>
<P><LI><A HREF="#HDRWQ152">Running the Script on Digital UNIX Systems</A>
<P><LI><A HREF="#HDRWQ153">Running the Script on HP-UX Systems</A>
<P><LI><A HREF="#HDRWQ154">Running the Script on IRIX Systems</A>
<P><LI><A HREF="#HDRWQ155">Running the Script on Linux Systems</A>
<P><LI><A HREF="#HDRWQ156">Running the Script on Solaris Systems</A>
</UL>
<A NAME="IDX3059"></A>
<A NAME="IDX3060"></A>
<A NAME="IDX3061"></A>
<A NAME="IDX3062"></A>
<P><H3><A NAME="HDRWQ151" HREF="auqbg002.htm#ToC_144">Running the Script on AIX Systems</A></H3>
<OL TYPE=1>
<P><LI>Reboot the machine and log in again as the local superuser
<B>root</B>.
<PRE>
# <B>cd /</B>
# <B>shutdown -r now</B>
login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
<P><LI>Run the AFS initialization script.
<PRE>
# <B>/etc/rc.afs</B>
</PRE>
<P><LI>Edit the AIX initialization file, <B>/etc/inittab</B>, adding the
following line to invoke the AFS initialization script. Place it just
after the line that starts NFS daemons.
<PRE>
rcafs:2:wait:/etc/rc.afs > /dev/console 2>&amp;1 # Start AFS services
</PRE>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and <B>/etc</B> directories.
If you want to avoid potential confusion by guaranteeing that they are always
the same, create a link between them. You can always retrieve the
original script from the AFS CD-ROM if necessary.
<PRE>
# <B>cd /usr/vice/etc</B>
# <B>rm rc.afs</B>
# <B>ln -s /etc/rc.afs</B>
</PRE>
<P><LI>If a volume for housing AFS binaries for this machine's system type
does not already exist, proceed to <A HREF="#HDRWQ157">Setting Up Volumes and Loading Binaries into AFS</A>. Otherwise, the installation is complete.
</OL>
<A NAME="IDX3063"></A>
<A NAME="IDX3064"></A>
<A NAME="IDX3065"></A>
<A NAME="IDX3066"></A>
<P><H3><A NAME="HDRWQ152" HREF="auqbg002.htm#ToC_145">Running the Script on Digital UNIX Systems</A></H3>
<OL TYPE=1>
<P><LI>Run the AFS initialization script.
<PRE>
# <B>/sbin/init.d/afs start</B>
</PRE>
<P><LI>Change to the <B>/sbin/init.d</B> directory and issue the
<B>ln -s</B> command to create symbolic links that incorporate the AFS
initialization script into the Digital UNIX startup and shutdown
sequence.
<PRE>
# <B>cd /sbin/init.d</B>
# <B>ln -s ../init.d/afs /sbin/rc3.d/S67afs</B>
# <B>ln -s ../init.d/afs /sbin/rc0.d/K66afs</B>
</PRE>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and <B>/sbin/init.d</B>
directories. If you want to avoid potential confusion by guaranteeing
that they are always the same, create a link between them. You can
always retrieve the original script from the AFS CD-ROM if necessary.
<PRE>
# <B>cd /usr/vice/etc</B>
# <B>rm afs.rc</B>
# <B>ln -s /sbin/init.d/afs afs.rc</B>
</PRE>
<P><LI>If a volume for housing AFS binaries for this machine's system type
does not already exist, proceed to <A HREF="#HDRWQ157">Setting Up Volumes and Loading Binaries into AFS</A>. Otherwise, the installation is complete.
</OL>
<A NAME="IDX3067"></A>
<A NAME="IDX3068"></A>
<A NAME="IDX3069"></A>
<P><H3><A NAME="HDRWQ153" HREF="auqbg002.htm#ToC_146">Running the Script on HP-UX Systems</A></H3>
<OL TYPE=1>
<P><LI>Run the AFS initialization script.
<PRE>
# <B>/sbin/init.d/afs start</B>
</PRE>
<P><LI>Change to the <B>/sbin/init.d</B> directory and issue the
<B>ln -s</B> command to create symbolic links that incorporate the AFS
initialization script into the HP-UX startup and shutdown sequence.
<PRE>
# <B>cd /sbin/init.d</B>
# <B>ln -s ../init.d/afs /sbin/rc2.d/S460afs</B>
# <B>ln -s ../init.d/afs /sbin/rc2.d/K800afs</B>
</PRE>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and <B>/sbin/init.d</B>
directories. If you want to avoid potential confusion by guaranteeing
that they are always the same, create a link between them. You can
always retrieve the original script from the AFS CD-ROM if necessary.
<PRE>
# <B>cd /usr/vice/etc</B>
# <B>rm afs.rc</B>
# <B>ln -s /sbin/init.d/afs afs.rc</B>
</PRE>
<P><LI>If a volume for housing AFS binaries for this machine's system type
does not already exist, proceed to <A HREF="#HDRWQ157">Setting Up Volumes and Loading Binaries into AFS</A>. Otherwise, the installation is complete.
</OL>
<A NAME="IDX3070"></A>
<A NAME="IDX3071"></A>
<A NAME="IDX3072"></A>
<A NAME="IDX3073"></A>
<A NAME="IDX3074"></A>
<A NAME="IDX3075"></A>
<A NAME="IDX3076"></A>
<P><H3><A NAME="HDRWQ154" HREF="auqbg002.htm#ToC_147">Running the Script on IRIX Systems</A></H3>
<OL TYPE=1>
<P><LI>If you have configured the machine to use the <B>ml</B> dynamic loader
program, reboot the machine and log in again as the local superuser
<B>root</B>.
<PRE>
# <B>cd /</B>
# <B>shutdown -i6 -g0 -y</B>
login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
<P><LI>Issue the <B>chkconfig</B> command to activate the
<B>afsclient</B> configuration variable.
<PRE>
# <B>/etc/chkconfig -f afsclient on</B>
</PRE>
<P><LI>Run the AFS initialization script.
<PRE>
# <B>/etc/init.d/afs start</B>
</PRE>
<P><LI>Change to the <B>/etc/init.d</B> directory and issue the
<B>ln -s</B> command to create symbolic links that incorporate the AFS
initialization script into the IRIX startup and shutdown sequence.
<PRE>
# <B>cd /etc/init.d</B>
# <B>ln -s ../init.d/afs /etc/rc2.d/S35afs</B>
# <B>ln -s ../init.d/afs /etc/rc0.d/K35afs</B>
</PRE>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and <B>/etc/init.d</B>
directories. If you want to avoid potential confusion by guaranteeing
that they are always the same, create a link between them. You can
always retrieve the original script from the AFS CD-ROM if necessary.
<PRE>
# <B>cd /usr/vice/etc</B>
# <B>rm afs.rc</B>
# <B>ln -s /etc/init.d/afs afs.rc</B>
</PRE>
<P><LI>If a volume for housing AFS binaries for this machine's system type
does not already exist, proceed to <A HREF="#HDRWQ157">Setting Up Volumes and Loading Binaries into AFS</A>. Otherwise, the installation is complete.
</OL>
<A NAME="IDX3077"></A>
<A NAME="IDX3078"></A>
<A NAME="IDX3079"></A>
<A NAME="IDX3080"></A>
<P><H3><A NAME="HDRWQ155" HREF="auqbg002.htm#ToC_148">Running the Script on Linux Systems</A></H3>
<OL TYPE=1>
<P><LI>Reboot the machine and log in again as the local superuser
<B>root</B>.
<PRE>
# <B>cd /</B>
# <B>shutdown -r now</B>
login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
<P><LI>Run the AFS initialization script.
<PRE>
# <B>/etc/rc.d/init.d/afs start</B>
</PRE>
<P><LI>Issue the <B>chkconfig</B> command to activate the <B>afs</B>
configuration variable. Based on the instruction in the AFS
initialization file that begins with the string <TT>#chkconfig</TT>, the
command automatically creates the symbolic links that incorporate the script
into the Linux startup and shutdown sequence.
<PRE>
# <B>/sbin/chkconfig --add afs</B>
</PRE>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and
<B>/etc/rc.d/init.d</B> directories, and copies of the
<B>afsd</B> options file in both the <B>/usr/vice/etc</B> and
<B>/etc/sysconfig</B> directories. If you want to avoid potential
confusion by guaranteeing that the two copies of each file are always the
same, create a link between them. You can always retrieve the original
script or options file from the AFS CD-ROM if necessary.
<PRE>
# <B>cd /usr/vice/etc</B>
# <B>rm afs.rc afs.conf</B>
# <B>ln -s /etc/rc.d/init.d/afs afs.rc</B>
# <B>ln -s /etc/sysconfig/afs afs.conf</B>
</PRE>
<P><LI>If a volume for housing AFS binaries for this machine's system type
does not already exist, proceed to <A HREF="#HDRWQ157">Setting Up Volumes and Loading Binaries into AFS</A>. Otherwise, the installation is complete.
</OL>
<A NAME="IDX3081"></A>
<A NAME="IDX3082"></A>
<A NAME="IDX3083"></A>
<P><H3><A NAME="HDRWQ156" HREF="auqbg002.htm#ToC_149">Running the Script on Solaris Systems</A></H3>
<OL TYPE=1>
<P><LI>Reboot the machine and log in again as the local superuser
<B>root</B>.
<PRE>
# <B>cd /</B>
# <B>shutdown -i6 -g0 -y</B>
login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
<P><LI>Run the AFS initialization script.
<PRE>
# <B>/etc/init.d/afs start</B>
</PRE>
<P><LI>Change to the <B>/etc/init.d</B> directory and issue the
<B>ln -s</B> command to create symbolic links that incorporate the AFS
initialization script into the Solaris startup and shutdown sequence.
<PRE>
# <B>cd /etc/init.d</B>
# <B>ln -s ../init.d/afs /etc/rc3.d/S99afs</B>
# <B>ln -s ../init.d/afs /etc/rc0.d/K66afs</B>
</PRE>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and <B>/etc/init.d</B>
directories. If you want to avoid potential confusion by guaranteeing
that they are always the same, create a link between them. You can
always retrieve the original script from the AFS CD-ROM if necessary.
<PRE>
# <B>cd /usr/vice/etc</B>
# <B>rm afs.rc</B>
# <B>ln -s /etc/init.d/afs afs.rc</B>
</PRE>
<P><LI>If a volume for housing AFS binaries for this machine's system type
does not already exist, proceed to <A HREF="#HDRWQ157">Setting Up Volumes and Loading Binaries into AFS</A>. Otherwise, the installation is complete.
</OL>
<A NAME="IDX3084"></A>
<A NAME="IDX3085"></A>
<A NAME="IDX3086"></A>
<A NAME="IDX3087"></A>
<A NAME="IDX3088"></A>
<A NAME="IDX3089"></A>
<HR><H2><A NAME="HDRWQ157" HREF="auqbg002.htm#ToC_150">Setting Up Volumes and Loading Binaries into AFS</A></H2>
<P>In this section, you link <B>/usr/afsws</B> on the local
disk to the directory in AFS that houses AFS binaries for this system
type. The conventional name for the AFS directory is
<B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>.
<P>If this machine is an existing system type, the AFS directory presumably
already exists. You can simply create a link from the local
<B>/usr/afsws</B> directory to it. Follow the instructions in <A HREF="#HDRWQ158">Linking /usr/afsws on an Existing System Type</A>.
<P>If this machine is a new system type (there are no AFS machines of this
type in your cell), you must first create and mount volumes to store its AFS
binaries, and then create the link from <B>/usr/afsws</B> to the new
directory. See <A HREF="#HDRWQ159">Creating Binary Volumes for a New System Type</A>.
<P>You can also store UNIX system binaries (the files normally stored in local
disk directories such as <B>/bin</B>, <B>/etc</B>, and
<B>/lib</B>) in volumes mounted under
<B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR>. See <A HREF="auqbg005.htm#HDRWQ88">Storing System Binaries in AFS</A> .
<P><H3><A NAME="HDRWQ158" HREF="auqbg002.htm#ToC_151">Linking /usr/afsws on an Existing System Type</A></H3>
<P>If this client machine is an existing system type, there is
already a volume mounted in the AFS filespace that houses AFS client binaries
for it.
<OL TYPE=1>
<P><LI>Create <B>/usr/afsws</B> on the local disk as a symbolic link to the
directory <B>/afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws</B>.
You can specify the actual system name instead of <B>@sys</B> if you wish,
but the advantage of using <B>@sys</B> is that it remains valid if you
upgrade this machine to a different system type.
<PRE>
# <B>ln -s /afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws /usr/afsws</B>
</PRE>
<P><LI><B>(Optional)</B> If you believe it is helpful to your users to access
the AFS documents in a certain format via a local disk directory, create
<B>/usr/afsdoc</B> on the local disk as a symbolic link to the
documentation directory in AFS
(<B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>).
<P>
<PRE>
# <B>ln -s /afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR> <B>/usr/afsdoc</B>
</PRE>
<P>An alternative is to create a link in each user's home directory to
the <B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>
directory.
</OL>
<P><H3><A NAME="HDRWQ159" HREF="auqbg002.htm#ToC_152">Creating Binary Volumes for a New System Type</A></H3>
<P>If this client machine is a new system type, you must create
and mount volumes for its binaries before you can link the local
<B>/usr/afsws</B> directory to an AFS directory.
<P>To create and mount the volumes, you use the <B>klog</B> command to
authenticate as an administrator and then issue commands from the
<B>vos</B> and <B>fs</B> command suites. However, the command
binaries are not yet available on this machine (by convention, they are
accessible via the <B>/usr/afsws</B> link that you are about to
create). You have two choices:
<UL>
<P><LI>Perform all steps except the last one (Step <A HREF="#LIWQ162">10</A>) on an existing AFS machine. On a file server
machine, the <B>klog</B>, <B>fs</B> and <B>vos</B> binaries reside
in the <B>/usr/afs/bin</B> directory. On client machines, the
<B>klog</B> and <B>fs</B> binaries reside in the
<B>/usr/afsws/bin</B> directory and the <B>vos</B> binary in the
<B>/usr/afsws/etc</B> directory. Depending on how your PATH
environment variable is set, you possibly need to precede the command names
with a pathname.
<P>If you work on another AFS machine, be sure to substitute the new system
type name for the <VAR>sysname</VAR> argument in the following commands, not the
system type of the machine on which you are issuing the commands.
<P><LI>Copy the necessary command binaries to a temporary location on the local
disk, which enables you to perform the steps on the local machine. The
following procedure installs them in the <B>/tmp</B> directory and removes
them at the end. Depending on how your PATH environment variable is
set, you possibly need to precede the command names with a pathname.
</UL>
<P>Perform the following steps to create a volume for housing AFS
binaries.
<OL TYPE=1>
<P><LI>Working either on the local machine or another AFS machine, mount the AFS
CD-ROM for the new system type on the <B>/cdrom</B> directory, if it is
not already. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), consult the operating system documentation.
<P><LI>If working on the local machine, copy the necessary binaries to a
temporary location on the local disk. Substitute a different directory
name for <B>/tmp</B> if you wish.
<PRE>
# <B>cd /cdrom/</B><VAR>new_sysname</VAR><B>/root.server/usr/afs/bin</B>
# <B>cp -p klog /tmp</B>
# <B>cp -p fs /tmp</B>
# <B>cp -p vos /tmp</B>
</PRE>
<P><LI>Authenticate as the user <B>admin</B>.
<PRE>
# <B>klog admin</B>
Password: <VAR>admin_password</VAR>
</PRE>
<P><LI><A NAME="LIWQ160"></A>Issue the <B>vos create</B> command to create volumes for
storing the AFS client binaries for this system type. The following
example instruction creates volumes called <VAR>sysname</VAR>,
<VAR>sysname</VAR>.<B>usr</B>, and
<VAR>sysname</VAR>.<B>usr.afsws</B>. Refer to the
<I>IBM AFS Release Notes</I> to learn the proper value of <VAR>sysname</VAR>
for this system type.
<PRE>
# <B>vos create</B> &lt;<VAR>machine&nbsp;name</VAR>> &lt;<VAR>partition&nbsp;name</VAR>> <VAR>sysname</VAR>
# <B>vos create</B> &lt;<VAR>machine&nbsp;name</VAR>> &lt;<VAR>partition&nbsp;name</VAR>> <VAR>sysname</VAR><B>.usr</B>
# <B>vos create</B> &lt;<VAR>machine&nbsp;name</VAR>> &lt;<VAR>partition&nbsp;name</VAR>> <VAR>sysname</VAR><B>.usr.afsws</B>
</PRE>
<P><LI>Issue the <B>fs mkmount</B> command to mount the newly created
volumes. Because the <B>root.cell</B> volume is replicated,
you must precede the <I>cellname</I> part of the pathname with a period to
specify the read/write mount point, as shown. Then issue the <B>vos
release</B> command to release a new replica of the
<B>root.cell</B> volume, and the <B>fs checkvolumes</B> command
to force the local Cache Manager to access them.
<PRE>
# <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR> <B>-vol</B> <VAR>sysname</VAR>
# <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr</B> <B>-vol</B> <VAR>sysname</VAR><B>.usr</B>
# <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B> <B>-vol</B> <VAR>sysname</VAR><B>.usr.afsws</B>
# <B>vos release root.cell</B>
# <B>fs checkvolumes</B>
</PRE>
<P><LI>Issue the <B>fs setacl</B> command to grant the <B>l</B>
(<B>lookup</B>) and <B>r</B> (<B>read</B>) permissions to the
<B>system:anyuser</B> group on each new directory's ACL.
<PRE>
# <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR>
# <B>fs setacl -dir . usr usr/afsws -acl system:anyuser rl</B>
</PRE>
<P><LI>Issue the <B>fs setquota</B> command to set an unlimited quota on the
volume mounted at the
<B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
directory. This enables you to copy all of the appropriate files from
the CD-ROM into the volume without exceeding the volume's quota.
<P>If you wish, you can set the volume's quota to a finite value after
you complete the copying operation. At that point, use the <B>vos
examine</B> command to determine how much space the volume is
occupying. Then issue the <B>fs setquota</B> command to set a quota
that is slightly larger.
<PRE>
# <B>fs setquota /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws 0</B>
</PRE>
<P><LI><A NAME="LIWQ161"></A>Copy the contents of the indicated directories from the CD-ROM
into the
<B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
directory.
<PRE>
# <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
# <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/bin .</B>
# <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/etc .</B>
# <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/include .</B>
# <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/lib .</B>
</PRE>
<P><LI>Issue the <B>fs setacl</B> command to set the ACL on each directory
appropriately. To comply with the terms of your AFS License agreement,
you must prevent unauthorized users from accessing AFS software. To
enable access for locally authenticated users only, set the ACL on the
<B>etc</B>, <B>include</B>, and <B>lib</B> subdirectories to grant
the <B>l</B> and <B>r</B> permissions to the
<B>system:authuser</B> group rather than the
<B>system:anyuser</B> group. The
<B>system:anyuser</B> group must retain the <B>l</B> and
<B>r</B> permissions on the <B>bin</B> subdirectory to enable
unauthenticated users to access the <B>klog</B> binary. To ensure
that unauthorized users are not accessing AFS software, check periodically
that the ACLs on these directories are set properly.
<PRE>
# <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
# <B>fs setacl -dir etc include lib -acl system:authuser rl</B> \
<B>system:anyuser none</B>
</PRE>
<P><LI><A NAME="LIWQ162"></A>Perform this step on the new client machine even if you have
performed the previous steps on another machine. Create
<B>/usr/afsws</B> on the local disk as a symbolic link to the directory
<B>/afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws</B>. You can
specify the actual system name instead of <B>@sys</B> if you wish, but the
advantage of using <B>@sys</B> is that it remains valid if you upgrade
this machine to a different system type.
<PRE>
# <B>ln -s /afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws /usr/afsws</B>
</PRE>
<P><LI><B>(Optional)</B> To enable users to issue commands from the AFS
suites (such as <B>fs</B>) without having to specify a pathname to their
binaries, include the <B>/usr/afsws/bin</B> and <B>/usr/afsws/etc</B>
directories in the PATH environment variable you define in each user's
shell initialization file (such as <B>.cshrc</B>).
<P><LI><B>(Optional)</B> If you believe it is helpful to your users to access
the AFS documents in a certain format via a local disk directory, create
<B>/usr/afsdoc</B> on the local disk as a symbolic link to the
documentation directory in AFS
(<B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>).
<P>
<PRE>
# <B>ln -s /afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR> <B>/usr/afsdoc</B>
</PRE>
<P>An alternative is to create a link in each user's home directory to
the <B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>
directory.
<P><LI><B>(Optional)</B> If working on the local machine, remove the AFS
binaries from the temporary location. They are now accessible in the
<B>/usr/afsws</B> directory.
<PRE>
# <B>cd /tmp</B>
# <B>rm klog fs vos</B>
</PRE>
</OL>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auqbg002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auqbg006.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Top_Of_Page"><IMG SRC="../top.gif" BORDER="0" ALT="[Top of Topic]"></A> <A HREF="auqbg008.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auqbg009.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
<!-- Begin Footer Records ========================================== -->
<P><HR><B>
<br>&#169; <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A> All Rights Reserved
</B>
<!-- End Footer Records ============================================ -->
<A NAME="Bot_Of_Page"></A>
</BODY></HTML>
Reference in New Issue View Git Blame Copy Permalink