mirror of
https://git.openafs.org/openafs.git
synced 2025-01-22 17:00:15 +00:00
7303f3148e
separate plist on per-version basis 1.4 is not yet supported
2375 lines
102 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 4//EN">
<HTML><HEAD>
<TITLE>Quick Beginnings</TITLE>
<!-- Begin Header Records  ========================================== -->
<!-- /tmp/idwt3574/auqbg000.scr converted by idb2h R4.2 (359) ID -->
<!-- Workbench Version (AIX) on 2 Oct 2000 at 12:25:35 -->
<META HTTP-EQUIV="updated" CONTENT="Mon, 02 Oct 2000 12:25:35">
<META HTTP-EQUIV="review" CONTENT="Tue, 02 Oct 2001 12:25:35">
<META HTTP-EQUIV="expires" CONTENT="Wed, 02 Oct 2002 12:25:35">
</HEAD><BODY>
<!-- (C) IBM Corporation 2000. All Rights Reserved -->
<BODY bgcolor="ffffff">
<!-- End Header Records  ============================================ -->
<A NAME="Top_Of_Page"></A>
<H1>Quick Beginnings</H1>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auqbg002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auqbg006.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Bot_Of_Page"><IMG SRC="../bot.gif" BORDER="0" ALT="[Bottom of Topic]"></A> <A HREF="auqbg008.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auqbg009.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
<P>
<A NAME="IDX2926"></A>
<A NAME="IDX2927"></A>
<HR><H1><A NAME="HDRWQ133" HREF="auqbg002.htm#ToC_115">Installing Additional Client Machines</A></H1>
<P>This chapter describes how to install AFS client machines
after you have installed the first AFS machine. Some parts of the
installation differ depending on whether or not the new client is of the same
AFS system type (uses the same AFS binaries) as a previously installed client
machine.
<A NAME="IDX2928"></A>
<HR><H2><A NAME="Header_116" HREF="auqbg002.htm#ToC_116">Summary of Procedures</A></H2>
<OL TYPE=1>
<P><LI>Incorporate AFS into the machine's kernel
<P><LI>Define the machine's cell membership
<P><LI>Define cache location and size
<P><LI>Create the <B>/usr/vice/etc/CellServDB</B> file, which determines
which foreign cells the client can access in addition to the local cell
<P><LI>Create the <B>/afs</B> directory and start the Cache Manager
<P><LI>Create and mount volumes for housing AFS client binaries (necessary only
for clients of a new system type)
<P><LI>Create a link from the local <B>/usr/afsws</B> directory to the AFS
directory housing the AFS client binaries
<P><LI>Modify the machine's authentication system to enable AFS users to
obtain tokens at login
</OL>
<A NAME="IDX2929"></A>
<A NAME="IDX2930"></A>
<A NAME="IDX2931"></A>
<A NAME="IDX2932"></A>
<A NAME="IDX2933"></A>
<A NAME="IDX2934"></A>
<A NAME="IDX2935"></A>
<HR><H2><A NAME="HDRWQ134" HREF="auqbg002.htm#ToC_117">Creating AFS Directories on the Local Disk</A></H2>
<P>Create the <B>/usr/vice/etc</B> directory on the local
disk, to house client binaries and configuration files. Subsequent
instructions copy files from the AFS CD-ROM into it. Create the
<B>/cdrom</B> directory as a mount point for the CD-ROM, if it does not
already exist.
<PRE>
# <B>mkdir /usr/vice</B>

# <B>mkdir /usr/vice/etc</B>

# <B>mkdir /cdrom</B>
</PRE>
<HR><H2><A NAME="HDRWQ135" HREF="auqbg002.htm#ToC_118">Performing Platform-Specific Procedures</A></H2>
<P>Every AFS client machine's kernel must incorporate AFS
modifications. Some system types use a dynamic kernel loader program,
whereas on other system types you build AFS modifications into a static
kernel. Some system types support both methods.
<P>Also modify the machine's authentication system so that users obtain
an AFS token as they log in to the local file system. Using AFS is
simpler and more convenient for your users if you make the modifications on
all client machines. Otherwise, users must perform a two-step login
procedure (log in to the local file system and then issue the <B>klog</B>
command). For further discussion of AFS authentication, see the chapter
in the <I>IBM AFS Administration Guide</I> about cell configuration and
administration issues.
<P>For convenience, the following sections group the two procedures by system
type. Proceed to the appropriate section.
<UL>
<P><LI><A HREF="#HDRWQ136">Getting Started on AIX Systems</A>
<P><LI><A HREF="#HDRWQ137">Getting Started on Digital UNIX Systems</A>
<P><LI><A HREF="#HDRWQ138">Getting Started on HP-UX Systems</A>
<P><LI><A HREF="#HDRWQ139">Getting Started on IRIX Systems</A>
<P><LI><A HREF="#HDRWQ143">Getting Started on Linux Systems</A>
<P><LI><A HREF="#HDRWQ144">Getting Started on Solaris Systems</A>
</UL>
<A NAME="IDX2936"></A>
<A NAME="IDX2937"></A>
<A NAME="IDX2938"></A>
<A NAME="IDX2939"></A>
<A NAME="IDX2940"></A>
<A NAME="IDX2941"></A>
<A NAME="IDX2942"></A>
<A NAME="IDX2943"></A>
<A NAME="IDX2944"></A>
<HR><H2><A NAME="HDRWQ136" HREF="auqbg002.htm#ToC_119">Getting Started on AIX Systems</A></H2>
<P>In this section you load AFS into the AIX kernel.
Then incorporate AFS modifications into the machine's secondary
authentication system, if you wish to enable AFS login.
<P><H3><A NAME="Header_120" HREF="auqbg002.htm#ToC_120">Loading AFS into the AIX Kernel</A></H3>
<P>The AIX kernel extension facility is the dynamic kernel loader provided
by IBM Corporation. AIX does not support incorporation of AFS
modifications during a kernel build.
<P>For AFS to function correctly, the kernel extension facility must run each
time the machine reboots, so the AFS initialization script (included in the
AFS distribution) invokes it automatically. In this section you copy
the script to the conventional location and edit it to select the appropriate
options depending on whether NFS is also to run.
<P>After editing the script, you run it to incorporate AFS into the
kernel. In a later section you verify that the script correctly
initializes the Cache Manager, then configure the AIX <B>inittab</B> file
so that the script runs automatically at reboot.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for AIX on the local <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your AIX documentation. Then change directory as
indicated.
<PRE>
# <B>cd /cdrom/rs_aix42/root.client/usr/vice/etc</B>
</PRE>
<P><LI>Copy the AFS kernel library files to the local
<B>/usr/vice/etc/dkload</B> directory, and the AFS initialization script
to the <B>/etc</B> directory.
<PRE>
# <B>cp -rp dkload /usr/vice/etc</B>

# <B>cp -p rc.afs /etc/rc.afs</B>
</PRE>
<P><LI>Edit the <B>/etc/rc.afs</B> script, setting the <TT>NFS</TT>
variable as indicated.
<P>If the machine is not to function as an NFS/AFS Translator, set the
<TT>NFS</TT> variable as follows.
<PRE>
NFS=$NFS_NONE
</PRE>
<P>If the machine is to function as an NFS/AFS Translator and is running AIX
4.2.1 or higher, set the <TT>NFS</TT> variable as
follows. Note that NFS must already be loaded into the kernel, which
happens automatically on systems running AIX 4.1.1 and later, as
long as the file <B>/etc/exports</B> exists.
<PRE>
NFS=$NFS_IAUTH
</PRE>
<P><LI>Invoke the <B>/etc/rc.afs</B> script to load AFS modifications
into the kernel. You can ignore any error messages about the inability
to start the BOS Server or the Cache Manager or AFS client.
<PRE>
# <B>/etc/rc.afs</B>
</PRE>
</OL>
<P><H3><A NAME="Header_121" HREF="auqbg002.htm#ToC_121">Enabling AFS Login on AIX Systems</A></H3>
<P>Now incorporate AFS into the AIX secondary authentication
system.
<OL TYPE=1>
<P><LI>Issue the <B>ls</B> command to verify that the
<B>afs_dynamic_auth</B> and <B>afs_dynamic_kerbauth</B> programs are
installed in the local <B>/usr/vice/etc</B> directory.
<PRE>
# <B>ls /usr/vice/etc</B>
</PRE>
<P>If the files do not exist, mount the AFS CD-ROM for AIX (if it is not
already mounted), change directory as indicated, and copy them.
<PRE>
# <B>cd /cdrom/rs_aix42/root.client/usr/vice/etc</B>

# <B>cp -p afs_dynamic* /usr/vice/etc</B>
</PRE>
<P><LI>Edit the local <B>/etc/security/user</B> file, making changes to the
indicated stanzas:
<UL>
<P><LI>In the default stanza, set the <TT>registry</TT> attribute to
<B>DCE</B> (not to <B>AFS</B>), as follows:
<PRE>
registry = DCE
</PRE>
<P><LI>In the default stanza, set the <TT>SYSTEM</TT> attribute as
indicated.
<P>If the machine is an AFS client only, set the following value:
<PRE>
SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"
</PRE>
<P>If the machine is both an AFS and a DCE client, set the following value (it
must appear on a single line in the file):
<PRE>
SYSTEM = "DCE OR DCE[UNAVAIL] OR AFS OR (AFS[UNAVAIL] \
          AND compat[SUCCESS])"
</PRE>
<P><LI>In the <TT>root</TT> stanza, set the <TT>registry</TT> attribute as
follows. It enables the local superuser <B>root</B> to log into the
local file system only, based on the password listed in the local password
file.
<PRE>
root:
      registry = files
</PRE>
</UL>
<P><LI>Edit the local <B>/etc/security/login.cfg</B> file, creating or
editing the indicated stanzas:
<UL>
<P><LI>In the <TT>DCE</TT> stanza, set the <TT>program</TT> attribute as
follows.
<P>If you use the AFS Authentication Server (<B>kaserver</B>
process):
<PRE>
DCE:
     program = /usr/vice/etc/afs_dynamic_auth
</PRE>
<P>If you use a Kerberos implementation of AFS authentication:
<PRE>
DCE:
     program = /usr/vice/etc/afs_dynamic_kerbauth
</PRE>
<P><LI>In the <TT>AFS</TT> stanza, set the <TT>program</TT> attribute as
follows.
<P>If you use the AFS Authentication Server (<B>kaserver</B>
process):
<PRE>
AFS:
     program = /usr/vice/etc/afs_dynamic_auth
</PRE>
<P>If you use a Kerberos implementation of AFS authentication:
<PRE>
AFS:
     program = /usr/vice/etc/afs_dynamic_kerbauth
</PRE>
</UL>
<P><LI>Proceed to <A HREF="#HDRWQ145">Loading and Creating Client Files</A>.
</OL>
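<P>The stanza edits in this procedure can be verified before the next login attempt. The following script is an added example, not part of the AFS distribution or the original guide: it reads an attribute from a named stanza and checks the values given above, including the requirement that the <TT>SYSTEM</TT> value sit on a single line (the two-line form printed above is for legibility only). The function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the AFS distribution: check the AIX stanza files
# edited in this procedure. The sample file contents below are constructed.

# stanza_get FILE STANZA ATTR
# Print the value of ATTR in STANZA exactly as written on its own line.
stanza_get() {
    awk -v want="$2" -v attr="$3" '
    /^[ \t]*\*/ { next }                       # "*" starts a comment line
    /^[^ \t=]+:[ \t]*$/ {                      # stanza header such as "root:"
        cur = $0; sub(/:[ \t]*$/, "", cur); next
    }
    cur == want {
        eq = index($0, "=")
        if (eq == 0) next                      # blank or continuation line
        name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
        if (name != attr) next
        val = substr($0, eq + 1)
        sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        print val
        exit
    }' "$1"
}

# check_aix_afs_login USER_FILE LOGIN_CFG AUTH_PROGRAM
# Prints one line per problem; returns 0 only when nothing is wrong.
check_aix_afs_login() {
    rc=0
    v=$(stanza_get "$1" default registry)
    [ "$v" = "DCE" ] || { echo "default: registry is '$v', expected DCE"; rc=1; }
    v=$(stanza_get "$1" root registry)
    [ "$v" = "files" ] || { echo "root: registry is '$v', expected files"; rc=1; }
    # A value split with a backslash does not end in a closing quote.
    v=$(stanza_get "$1" default SYSTEM)
    case "$v" in
        \"*AFS*\") ;;
        *) echo "default: SYSTEM must be one quoted line naming AFS, found: $v"; rc=1 ;;
    esac
    for s in DCE AFS; do
        v=$(stanza_get "$2" "$s" program)
        [ "$v" = "$3" ] || { echo "$s: program is '$v', expected $3"; rc=1; }
    done
    return $rc
}

# write_sample_aix_files DIR: constructed inputs for a dry run.
write_sample_aix_files() {
    cat > "$1/user.good" <<'EOF'
* constructed sample of /etc/security/user
default:
        registry = DCE
        SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"

root:
        registry = files
EOF
    cat > "$1/user.bad" <<'EOF'
* constructed sample: wrong registry, SYSTEM split in two, root not pinned
default:
        registry = AFS
        SYSTEM = "DCE OR DCE[UNAVAIL] OR AFS OR (AFS[UNAVAIL] \
                  AND compat[SUCCESS])"

root:
        SYSTEM = "compat"
EOF
    cat > "$1/login.cfg" <<'EOF'
DCE:
        program = /usr/vice/etc/afs_dynamic_auth

AFS:
        program = /usr/vice/etc/afs_dynamic_auth
EOF
}

if [ "${1:-}" = "--demo" ]; then
    demo_dir=${TMPDIR:-/tmp}/afs-stanza-demo.$$
    mkdir "$demo_dir" && write_sample_aix_files "$demo_dir"
    check_aix_afs_login "$demo_dir/user.bad" "$demo_dir/login.cfg" \
        /usr/vice/etc/afs_dynamic_auth
    rm -rf "$demo_dir"
fi
```

On a real machine, pass <B>/etc/security/user</B>, <B>/etc/security/login.cfg</B> and whichever of the two authentication programs the cell uses.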
<A NAME="IDX2945"></A>
<A NAME="IDX2946"></A>
<A NAME="IDX2947"></A>
<A NAME="IDX2948"></A>
<A NAME="IDX2949"></A>
<A NAME="IDX2950"></A>
<A NAME="IDX2951"></A>
<A NAME="IDX2952"></A>
<A NAME="IDX2953"></A>
<HR><H2><A NAME="HDRWQ137" HREF="auqbg002.htm#ToC_122">Getting Started on Digital UNIX Systems</A></H2>
<P>In this section you build AFS into the Digital UNIX
kernel. Then incorporate AFS modifications into the machine's
Security Integration Architecture (SIA) matrix, if you wish to enable AFS
login.
<P><H3><A NAME="Header_123" HREF="auqbg002.htm#ToC_123">Building AFS into the Digital UNIX Kernel</A></H3>
<P>On Digital UNIX systems, you must build AFS modifications into a new
static kernel; Digital UNIX does not support dynamic loading. If
the machine's hardware and software configuration exactly matches another
Digital UNIX machine on which AFS is already built into the kernel, you can
choose to copy the kernel from that machine to this one. In general,
however, it is better to build AFS modifications into the kernel on each
machine according to the following instructions.
<OL TYPE=1>
<P><LI>Create a copy called <B>AFS</B> of the basic kernel configuration file
included in the Digital UNIX distribution as
<B>/usr/sys/conf/</B><VAR>machine_name</VAR>, where <VAR>machine_name</VAR> is
the machine's hostname in all uppercase letters.
<PRE>
# <B>cd /usr/sys/conf</B>

# <B>cp</B> <VAR>machine_name</VAR> <B>AFS</B>
</PRE>
<P><LI>Add AFS to the list of options in the configuration file you created in
the previous step, so that the result looks like the following:
<PRE>          .                   .
          .                   .
   options               UFS
   options               NFS
   options               AFS
          .                   .
          .                   .
</PRE>
<P><LI>Add an entry for AFS to two places in the file
<B>/usr/sys/conf/files</B>.
<UL>
<P><LI>Add a line for AFS to the list of <TT>OPTIONS</TT>, so that the result
looks like the following:
<PRE>          .                   .      .
          .                   .      .
   OPTIONS/nfs          optional nfs
   OPTIONS/afs          optional afs
   OPTIONS/nfs_server   optional nfs_server
          .                   .      .
          .                   .      .
</PRE>
<P><LI>Add an entry for AFS to the list of <TT>MODULES</TT>, so that the result
looks like the following:
<PRE>          .                   .        .          .
          .                   .        .          .
   #
   MODULE/nfs_server     optional nfs_server Binary
   nfs/nfs_server.c      module nfs_server optimize -g3
   nfs/nfs3_server.c     module nfs_server optimize -g3
   #
   MODULE/afs            optional afs Binary
   afs/libafs.c          module afs
   #
</PRE>
</UL>
<P><LI>Add an entry for AFS to two places in the file
<B>/usr/sys/vfs/vfs_conf.c</B>.
<UL>
<P><LI>Add AFS to the list of defined file systems, so that the result looks like
the following:
<PRE>          .       .
          .       .
   #include &lt;afs.h&gt;
   #if defined(AFS) &amp;&amp; AFS
           extern struct vfsops afs_vfsops;
   #endif
          .       .
          .       .
</PRE>
<P><LI>Put a declaration for AFS in the <B>vfssw[]</B> table's
MOUNT_ADDON slot, so that the result looks like the following:
<PRE>          .                          .              .
          .                          .              .
      &amp;fdfs_vfsops,         "fdfs",     /* 12 = MOUNT_FDFS */
   #if defined(AFS)
      &amp;afs_vfsops,          "afs",
   #else
      (struct vfsops *)0,   "",         /* 13 = MOUNT_ADDON */
   #endif
   #if NFS &amp;&amp; INFS_DYNAMIC
      &amp;nfs3_vfsops,         "nfsv3",    /* 14 = MOUNT_NFS3 */
</PRE>
</UL>
<P><LI>Mount the AFS CD-ROM for Digital UNIX on the local <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your Digital UNIX documentation. Then change
directory as indicated.
<PRE>
# <B>cd /cdrom/alpha_dux40/root.client</B>
</PRE>
<P><LI>Copy the AFS initialization script to the local directory for
initialization files (by convention, <B>/sbin/init.d</B> on Digital
UNIX machines). Note the removal of the <B>.rc</B> extension
as you copy the script.
<PRE>
# <B>cp usr/vice/etc/afs.rc /sbin/init.d/afs</B>
</PRE>
<P><LI>Copy the AFS kernel module to the local <B>/usr/sys/BINARY</B>
directory.
<P>If the machine's kernel supports NFS server functionality:
<PRE>
# <B>cp bin/libafs.o /usr/sys/BINARY/afs.mod</B>
</PRE>
<P>If the machine's kernel does not support NFS server
functionality:
<PRE>
# <B>cp bin/libafs.nonfs.o /usr/sys/BINARY/afs.mod</B>
</PRE>
<P><LI>Configure and build the kernel. Respond to any prompts by pressing
&lt;<B>Return</B>&gt;. The resulting kernel resides in the file
<B>/sys/AFS/vmunix</B>.
<PRE>
# <B>doconfig -c AFS</B>
</PRE>
<P><LI>Rename the existing kernel file and copy the new, AFS-modified file to the
standard location.
<PRE>
# <B>mv /vmunix /vmunix_noafs</B>

# <B>cp /sys/AFS/vmunix /vmunix</B>
</PRE>
<P><LI>Reboot the machine to start using the new kernel, and log in again as the
superuser <B>root</B>.
<PRE>
# <B>cd /</B>

# <B>shutdown -r now</B>

login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
</OL>
<P><H3><A NAME="Header_124" HREF="auqbg002.htm#ToC_124">Enabling AFS Login on Digital UNIX Systems</A></H3>
<P>On Digital UNIX systems, the AFS initialization script automatically
incorporates the AFS authentication library file into the Security Integration
Architecture (SIA) matrix on the machine, so that users with AFS accounts
obtain a token at login. In this section you copy the library file to
the appropriate location.
<P>For more information on SIA, see the Digital UNIX reference page for
<B>matrix.conf</B>, or consult the section on security in your
Digital UNIX documentation.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If the machine runs both the DCE and AFS client software, AFS must start
after DCE. Consult the AFS initialization script for suggested symbolic
links to create for correct ordering. Also, the system startup script
order must initialize SIA before any long-running process that uses
authentication.
</TD></TR></TABLE>
<P>Perform the following steps to enable AFS login.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for Digital UNIX on the local <B>/cdrom</B>
directory, if it is not already mounted. Change directory as indicated.
<PRE>
# <B>cd /cdrom/alpha_dux40/lib/afs</B>
</PRE>
<P><LI>Copy the appropriate AFS authentication library file to the local
<B>/usr/shlib</B> directory.
<P>If you use the AFS Authentication Server (<B>kaserver</B> process) in
the cell:
<PRE>
# <B>cp libafssiad.so /usr/shlib</B>
</PRE>
<P>If you use a Kerberos implementation of AFS authentication, rename the
library file as you copy it:
<PRE>
# <B>cp libafssiad.krb.so /usr/shlib/libafssiad.so</B>
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ145">Loading and Creating Client Files</A>.
</OL>
<A NAME="IDX2954"></A>
<A NAME="IDX2955"></A>
<A NAME="IDX2956"></A>
<A NAME="IDX2957"></A>
<A NAME="IDX2958"></A>
<A NAME="IDX2959"></A>
<A NAME="IDX2960"></A>
<A NAME="IDX2961"></A>
<A NAME="IDX2962"></A>
<HR><H2><A NAME="HDRWQ138" HREF="auqbg002.htm#ToC_125">Getting Started on HP-UX Systems</A></H2>
<P>In this section you build AFS into the HP-UX kernel.
Then incorporate AFS modifications into the machine's Pluggable
Authentication Module (PAM) system, if you wish to enable AFS login.
<P><H3><A NAME="Header_126" HREF="auqbg002.htm#ToC_126">Building AFS into the HP-UX Kernel</A></H3>
<P>On HP-UX systems, you must build AFS modifications into a new static
kernel; HP-UX does not support dynamic loading. If the
machine's hardware and software configuration exactly matches another
HP-UX machine on which AFS is already built into the kernel, you can choose to
copy the kernel from that machine to this one. In general, however, it
is better to build AFS modifications into the kernel on each machine according
to the following instructions.
<OL TYPE=1>
<P><LI>Move the existing kernel-related files to a safe location.
<PRE>
# <B>cp /stand/vmunix /stand/vmunix.noafs</B>

# <B>cp /stand/system /stand/system.noafs</B>
</PRE>
<P><LI>Mount the AFS CD-ROM for HP-UX on the local <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your HP-UX documentation. Then change directory
as indicated.
<PRE>
# <B>cd /cdrom/hp_ux110/root.client</B>
</PRE>
<P><LI>Copy the AFS initialization file to the local directory for initialization
files (by convention, <B>/sbin/init.d</B> on HP-UX
machines). Note the removal of the <B>.rc</B> extension as
you copy the file.
<PRE>
# <B>cp usr/vice/etc/afs.rc /sbin/init.d/afs</B>
</PRE>
<P><LI>Copy the file <B>afs.driver</B> to the local
<B>/usr/conf/master.d</B> directory, changing its name to
<B>afs</B> as you do.
<PRE>
# <B>cp usr/vice/etc/afs.driver /usr/conf/master.d/afs</B>
</PRE>
<P><LI>Copy the AFS kernel module to the local <B>/usr/conf/lib</B>
directory.
<P>If the machine's kernel supports NFS server functionality:
<PRE>
# <B>cp bin/libafs.a /usr/conf/lib</B>
</PRE>
<P>If the machine's kernel does not support NFS server functionality,
change the file's name as you copy it:
<PRE>
# <B>cp bin/libafs.nonfs.a /usr/conf/lib/libafs.a</B>
</PRE>
<P><LI>Incorporate the AFS driver into the kernel, either using the
<B>SAM</B> program or a series of individual commands.
<UL>
<P><LI>To use the <B>SAM</B> program:
<OL TYPE=a>
<P><LI>Invoke the <B>SAM</B> program, specifying the hostname of the local
machine as <VAR>local_hostname</VAR>. The <B>SAM</B> graphical user
interface pops up.
<PRE>
# <B>sam -display</B> <VAR>local_hostname</VAR><B>:0</B>
</PRE>
<P><LI>Choose the <B>Kernel Configuration</B> icon, then the
<B>Drivers</B> icon. From the list of drivers, select
<B>afs</B>.
<P><LI>Open the pull-down <B>Actions</B> menu and choose the <B>Add Driver
to Kernel</B> option.
<P><LI>Open the <B>Actions</B> menu again and choose the <B>Create a New
Kernel</B> option.
<P><LI>Confirm your choices by choosing <B>Yes</B> and <B>OK</B> when
prompted by subsequent pop-up windows. The <B>SAM</B> program
builds the kernel and reboots the system.
<P><LI>Log in again as the superuser <B>root</B>.
<PRE>
login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
</OL>
<P><LI>To use individual commands:
<OL TYPE=a>
<P><LI>Edit the file <B>/stand/system</B>, adding an entry for <B>afs</B>
to the <TT>Subsystems</TT> section.
<P><LI>Change to the <B>/stand/build</B> directory and issue the
<B>mk_kernel</B> command to build the kernel.
<PRE>
# <B>cd /stand/build</B>

# <B>mk_kernel</B>
</PRE>
<P><LI>Move the new kernel to the standard location (<B>/stand/vmunix</B>),
reboot the machine to start using it, and log in again as the superuser
<B>root</B>.
<PRE>
# <B>mv /stand/build/vmunix_test /stand/vmunix</B>

# <B>cd /</B>

# <B>shutdown -r now</B>

login: <B>root</B>
Password: <VAR>root_password</VAR>
</PRE>
</OL>
</UL>
</OL>
<P><H3><A NAME="Header_127" HREF="auqbg002.htm#ToC_127">Enabling AFS Login on HP-UX Systems</A></H3>
<P>At this point you incorporate AFS into the operating system's
Pluggable Authentication Module (PAM) scheme. PAM integrates all
authentication mechanisms on the machine, including login, to provide the
security infrastructure for authenticated access to and from the
machine.
<P>Explaining PAM is beyond the scope of this document. It is assumed
that you understand the syntax and meanings of settings in the PAM
configuration file (for example, how the <TT>other</TT> entry works, the
effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
<TT>sufficient</TT>, and so on).
<P>The following instructions explain how to alter the entries in the PAM
configuration file for each service for which you wish to use AFS
authentication. Other configurations might also work, but the
instructions specify the recommended and tested configuration.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">The instructions specify that you mark each entry as
<TT>optional</TT>. However, marking some modules as optional can mean
that they grant access to the corresponding service even when the user does
not meet all of the module's requirements. In some operating
system revisions, for example, if you mark as optional the module that
controls login via a dial-up connection, it allows users to log in without
providing a password. See the <I>IBM AFS Release Notes</I> for a
discussion of any limitations that apply to this operating system.
<P>Also, with some operating system versions you must install patches for PAM
to interact correctly with certain authentication programs. For
details, see the <I>IBM AFS Release Notes</I>.
</TD></TR></TABLE>
<P>The recommended AFS-related entries in the PAM configuration file make use
of one or more of the following three attributes.
<DL>
<P><DT><B><TT>try_first_pass</TT>
</B><DD>This is a standard PAM attribute that can be included on entries after the
first one for a service; it directs the module to use the password that
was provided to the first module. For the AFS module, it means that AFS
authentication succeeds if the password provided to the module listed first is
the user's correct AFS password. For further discussion of this
attribute and its alternatives, see the operating system's PAM
documentation.
<P><DT><B><TT>ignore_root</TT>
</B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
only the local superuser <B>root</B>, but also any user with UID 0
(zero).
<P><DT><B><TT>setenv_password_expires</TT>
</B><DD>This attribute, specific to the AFS PAM module, sets the environment
variable PASSWORD_EXPIRES to the expiration date of the user's AFS
password, which is recorded in the Authentication Database.
</DL>
<P>Perform the following steps to enable AFS login.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for HP-UX on the <B>/cdrom</B> directory, if it
is not already mounted. Then change directory as indicated.
<PRE>
# <B>cd /usr/lib/security</B>
</PRE>
<P><LI>Copy the AFS authentication library file to the
<B>/usr/lib/security</B> directory. Then create a symbolic link to
it whose name does not mention the version. Omitting the version
eliminates the need to edit the PAM configuration file if you later update the
library file.
<P>If you use the AFS Authentication Server (<B>kaserver</B> process) in
the cell:
<PRE>
# <B>cp /cdrom/hp_ux110/lib/pam_afs.so.1 .</B>

# <B>ln -s pam_afs.so.1 pam_afs.so</B>
</PRE>
<P>If you use a Kerberos implementation of AFS authentication:
<PRE>
# <B>cp /cdrom/hp_ux110/lib/pam_afs.krb.so.1 .</B>

# <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>
</PRE>
<P><LI>Edit the <TT>Authentication management</TT> section of the HP-UX PAM
configuration file, <B>/etc/pam.conf</B> by convention. The
entries in this section have the value <TT>auth</TT> in their second
field.
<P>First edit the standard entries, which refer to the HP-UX PAM module
(usually, the file <B>/usr/lib/security/libpam_unix.1</B>) in their
fourth field. For each service for which you want to use AFS
authentication, edit the third field of its entry to read
<TT>optional</TT>. The <B>pam.conf</B> file in the HP-UX
distribution usually includes standard entries for the <B>login</B> and
<B>ftp</B> services, for instance.
<P>If there are services for which you want to use AFS authentication, but for
which the <B>pam.conf</B> file does not already include a standard
entry, you must create that entry and place the value <TT>optional</TT> in
its third field. For instance, the HP-UX <B>pam.conf</B>
file does not usually include standard entries for the <B>remsh</B> or
<B>telnet</B> services.
<P>Then create an AFS-related entry for each service, placing it immediately
below the standard entry. The following example shows what the
<TT>Authentication Management</TT> section looks like after you have
edited or created entries for the services mentioned previously. Note
that the example AFS entries appear on two lines only for legibility.
<PRE>
login auth optional /usr/lib/security/libpam_unix.1
login auth optional /usr/lib/security/pam_afs.so \
      try_first_pass ignore_root setenv_password_expires
ftp auth optional /usr/lib/security/libpam_unix.1
ftp auth optional /usr/lib/security/pam_afs.so \
      try_first_pass ignore_root
remsh auth optional /usr/lib/security/libpam_unix.1
remsh auth optional /usr/lib/security/pam_afs.so \
      try_first_pass ignore_root
telnet auth optional /usr/lib/security/libpam_unix.1
telnet auth optional /usr/lib/security/pam_afs.so \
      try_first_pass ignore_root setenv_password_expires
</PRE>
<P><LI>If you use the Common Desktop Environment (CDE) on the machine and want
users to obtain an AFS token as they log in, also add or edit the following
four entries in the <TT>Authentication management</TT> section. Note
that the AFS-related entries appear on two lines here only for
legibility.
<PRE>
dtlogin auth optional /usr/lib/security/libpam_unix.1
dtlogin auth optional /usr/lib/security/pam_afs.so \
      try_first_pass ignore_root
dtaction auth optional /usr/lib/security/libpam_unix.1
dtaction auth optional /usr/lib/security/pam_afs.so \
      try_first_pass ignore_root
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ145">Loading and Creating Client Files</A>.
</OL>
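<P>The <B>pam.conf</B> entries edited in the steps above can be checked mechanically. The following script is an added example, not part of the AFS distribution or the original guide: it joins backslash-continued lines, reports AFS <TT>auth</TT> entries that deviate from the layout shown (a versioned module path, a missing <TT>try_first_pass</TT> or <TT>ignore_root</TT>, an entry not placed directly below the standard entry), and lists the services whose <TT>auth</TT> entries are all <TT>optional</TT> so that they can be reviewed against the Note above. The function names, the WARN/NOTE output format and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the AFS distribution or the original guide.

# audit_pam_auth FILE
# Checks the auth entries of a pam.conf-style FILE against the layout shown in
# this section. Prints "WARN service: ..." for each deviation and
# "NOTE service: ..." for each service whose auth entries are all optional.
audit_pam_auth() {
    awk -v afs_path=/usr/lib/security/pam_afs.so '
    function check(line,    n, f, i, svc, opts) {
        sub(/#.*$/, "", line)                  # strip comments
        n = split(line, f, " ")                # service type control module opts
        if (n < 4 || f[2] != "auth") return
        svc = f[1]
        if (!(svc in total)) order[++nsvc] = svc
        total[svc]++
        if (f[3] == "optional") optional[svc]++
        if (f[4] ~ /pam_afs/) {
            if (f[4] != afs_path)
                print "WARN " svc ": AFS module is " f[4] ", expected version-less " afs_path
            if (prev_svc != svc || prev_mod !~ /libpam_unix/)
                print "WARN " svc ": AFS entry is not immediately below the standard entry"
            if (f[3] != "optional")
                print "WARN " svc ": AFS entry is marked " f[3] ", not optional"
            opts = " "
            for (i = 5; i <= n; i++) opts = opts f[i] " "
            if (index(opts, " try_first_pass ") == 0)
                print "WARN " svc ": AFS entry lacks try_first_pass"
            if (index(opts, " ignore_root ") == 0)
                print "WARN " svc ": AFS entry lacks ignore_root"
        }
        prev_svc = svc; prev_mod = f[4]
    }
    {
        line = pending $0
        if (line ~ /\\[ \t]*$/) {              # continuation: hold and read on
            sub(/\\[ \t]*$/, " ", line)
            pending = line
            next
        }
        pending = ""
        check(line)
    }
    END {
        if (pending != "") check(pending)
        for (i = 1; i <= nsvc; i++) {
            svc = order[i]
            if (optional[svc] == total[svc])
                print "NOTE " svc ": every auth entry is optional; review against the release notes"
        }
    }' "$1"
}

# write_sample_pam_conf FILE: constructed input, not copied from a real system.
write_sample_pam_conf() {
    cat > "$1" <<'EOF'
# constructed sample of an Authentication management section
login   auth optional /usr/lib/security/libpam_unix.1
login   auth optional /usr/lib/security/pam_afs.so \
        try_first_pass ignore_root setenv_password_expires
ftp     auth required /usr/lib/security/libpam_unix.1
ftp     auth optional /usr/lib/security/pam_afs.so.1 try_first_pass
telnet  auth optional /usr/lib/security/pam_afs.so \
        try_first_pass ignore_root
login   account required /usr/lib/security/libpam_unix.1
EOF
}

if [ "${1:-}" = "--demo" ]; then
    demo_file=${TMPDIR:-/tmp}/pam.conf.sample.$$
    write_sample_pam_conf "$demo_file"
    audit_pam_auth "$demo_file"
    rm -f "$demo_file"
fi
```

A NOTE line is not an error: the configuration shown in this section produces one for every service, which is the set the Note asks you to check against the <I>IBM AFS Release Notes</I>.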
<A NAME="IDX2963"></A>
<A NAME="IDX2964"></A>
<A NAME="IDX2965"></A>
<HR><H2><A NAME="HDRWQ139" HREF="auqbg002.htm#ToC_128">Getting Started on IRIX Systems</A></H2>
<P>In this section you incorporate AFS into the IRIX kernel,
choosing one of two methods:
<UL>
<P><LI>Dynamic loading using the <B>ml</B> program distributed by Silicon
Graphics, Incorporated (SGI).
<P><LI>Building a new static kernel.
</UL>
<P>Then see <A HREF="#HDRWQ142">Enabling AFS Login on IRIX Systems</A> to read about integrated AFS login on IRIX systems.
<P>In preparation for either dynamic loading or kernel building, perform the
following procedures:
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for IRIX on the <B>/cdrom</B> directory.
For instructions on mounting CD-ROMs (either locally or remotely via NFS), see
your IRIX documentation. Then change directory as indicated.
<PRE>
# <B>cd /cdrom/sgi_65/root.client</B>
</PRE>
<P><LI>Copy the AFS initialization script to the local directory for
initialization files (by convention, <B>/etc/init.d</B> on IRIX
machines). Note the removal of the <B>.rc</B> extension as
you copy the script.
<PRE>
# <B>cp -p usr/vice/etc/afs.rc /etc/init.d/afs</B>
</PRE>
<P><LI>Issue the <B>uname -m</B> command to determine the machine's CPU
board type. The <B>IP</B><VAR>xx</VAR> value in the output must match
one of the supported CPU board types listed in the <I>IBM AFS Release
Notes</I> for the current version of AFS.
<PRE>
# <B>uname -m</B>
</PRE>
<P><LI>Proceed to either <A HREF="#HDRWQ140">Loading AFS into the IRIX Kernel</A> or <A HREF="#HDRWQ141">Building AFS into the IRIX Kernel</A>.
</OL>
<A NAME="IDX2966"></A>
<A NAME="IDX2967"></A>
<A NAME="IDX2968"></A>
<A NAME="IDX2969"></A>
<A NAME="IDX2970"></A>
<A NAME="IDX2971"></A>
<A NAME="IDX2972"></A>
<P><H3><A NAME="HDRWQ140" HREF="auqbg002.htm#ToC_129">Loading AFS into the IRIX Kernel</A></H3>
<P>The <B>ml</B> program is the dynamic kernel loader
provided by SGI for IRIX systems. If you use it rather than building
AFS modifications into a static kernel, then for AFS to function correctly the
<B>ml</B> program must run each time the machine reboots.
Therefore, the AFS initialization script (included on the AFS CD-ROM) invokes
it automatically when the <B>afsml</B> configuration variable is
activated. In this section you activate the variable and run the
script.
<P>In a later section you verify that the script correctly initializes the
Cache Manager, then create the links that incorporate AFS into the IRIX
startup and shutdown sequence.
<OL TYPE=1>
<P><LI>Create the local <B>/usr/vice/etc/sgiload</B> directory to house the
AFS kernel library file.
<PRE>
# <B>mkdir /usr/vice/etc/sgiload</B>
</PRE>
<P><LI>Copy the appropriate AFS kernel library file to the
<B>/usr/vice/etc/sgiload</B> directory. The
<B>IP</B><VAR>xx</VAR> portion of the library file name must match the value
previously returned by the <B>uname -m</B> command. Also choose the
file appropriate to whether the machine's kernel supports NFS server
functionality (NFS must be supported for the machine to act as an NFS/AFS
Translator). Single- and multiprocessor machines use the same library
file.
<P>(You can choose to copy all of the kernel library files into the
<B>/usr/vice/etc/sgiload</B> directory, but they require a significant amount
of space.)
<P>If the machine's kernel supports NFS server functionality:
<PRE>
# <B>cp -p usr/vice/etc/sgiload/libafs.IP</B><VAR>xx</VAR><B>.o /usr/vice/etc/sgiload</B>
</PRE>
<P>If the machine's kernel does not support NFS server
functionality:
<PRE>
# <B>cp -p usr/vice/etc/sgiload/libafs.IP</B><VAR>xx</VAR><B>.nonfs.o</B> \
         <B>/usr/vice/etc/sgiload</B>
</PRE>
<P><LI>Issue the <B>chkconfig</B> command to activate the <B>afsml</B>
configuration variable.
<PRE>
# <B>/etc/chkconfig -f afsml on</B>
</PRE>
<P>If the machine is to function as an NFS/AFS Translator and the kernel
supports NFS server functionality, activate the <B>afsxnfs</B>
variable.
<PRE>
# <B>/etc/chkconfig -f afsxnfs on</B>
</PRE>
<P><LI>Run the <B>/etc/init.d/afs</B> script to load AFS extensions
into the kernel. The script invokes the <B>ml</B> command,
automatically determining which kernel library file to use based on this
machine's CPU type and the activation state of the <B>afsxnfs</B>
variable.
<P>You can ignore any error messages about the inability to start the BOS
Server or the Cache Manager or AFS client.
<PRE>
# <B>/etc/init.d/afs start</B>
</PRE>
|
|
<P><LI>Proceed to <A HREF="#HDRWQ142">Enabling AFS Login on IRIX Systems</A>.
|
|
</OL>
|
|
<A NAME="IDX2973"></A>
|
|
<P><H3><A NAME="HDRWQ141" HREF="auqbg002.htm#ToC_130">Building AFS into the IRIX Kernel</A></H3>
|
|
<P>If you prefer to build a kernel, and the machine's
|
|
hardware and software configuration exactly matches another IRIX machine on
|
|
which AFS is already built into the kernel, you can choose to copy the kernel
|
|
from that machine to this one. In general, however, it is better to
|
|
build AFS modifications into the kernel on each machine according to the
|
|
following instructions.
|
|
<OL TYPE=1>
|
|
<P><LI>Copy the kernel initialization file <B>afs.sm</B> to the local
|
|
<B>/var/sysgen/system</B> directory, and the kernel master file
|
|
<B>afs</B> to the local <B>/var/sysgen/master.d</B>
|
|
directory.
|
|
<PRE>
|
|
# <B>cp -p bin/afs.sm /var/sysgen/system</B>
|
|
|
|
# <B>cp -p bin/afs /var/sysgen/master.d</B>
|
|
|
|
</PRE>
|
|
<P><LI>Copy the appropriate AFS kernel library file to the local file
|
|
<B>/var/sysgen/boot/afs.a</B>; the <B>IP</B><VAR>xx</VAR>
|
|
portion of the library file name must match the value previously returned by
|
|
the <B>uname -m</B> command. Also choose the file appropriate to
|
|
whether the machine's kernel supports NFS server functionality (NFS must
|
|
be supported for the machine to act as an NFS/AFS Translator). Single-
|
|
and multiprocessor machines use the same library file.
|
|
<P>If the machine's kernel supports NFS server functionality:
|
|
<PRE>
|
|
# <B>cp -p bin/libafs.IP</B><VAR>xx</VAR><B>.a /var/sysgen/boot/afs.a</B>
|
|
</PRE>
|
|
<P>If the machine's kernel does not support NFS server
|
|
functionality:
|
|
<PRE>
|
|
# <B>cp -p bin/libafs.IP</B><VAR>xx</VAR><B>.nonfs.a /var/sysgen/boot/afs.a</B>
|
|
|
|
</PRE>
|
|
<P><LI>Issue the <B>chkconfig</B> command to deactivate the <B>afsml</B>
|
|
configuration variable.
|
|
<PRE>
|
|
# <B>/etc/chkconfig -f afsml off</B>
|
|
</PRE>
|
|
<P>If the machine is to function as an NFS/AFS Translator and the kernel
|
|
supports NFS server functionality, activate the <B>afsxnfs</B>
|
|
variable.
|
|
<PRE>
|
|
# <B>/etc/chkconfig -f afsxnfs on</B>
|
|
|
|
</PRE>
|
|
<P><LI>Copy the existing kernel file, <B>/unix</B>, to a safe
|
|
location. Compile the new kernel, which is created in the file
|
|
<B>/unix.install</B>. It overwrites the existing
|
|
<B>/unix</B> file when the machine reboots in the next step.
|
|
<PRE>
|
|
# <B>cp /unix /unix_noafs</B>
|
|
|
|
# <B>autoconfig</B>
|
|
|
|
</PRE>
|
|
<P><LI>Reboot the machine to start using the new kernel, and log in again as the
superuser <B>root</B>.
|
|
<PRE>
|
|
# <B>cd /</B>
|
|
|
|
# <B>shutdown -i6 -g0 -y</B>
|
|
|
|
login: <B>root</B>
|
|
Password: <VAR>root_password</VAR>
|
|
|
|
</PRE>
|
|
<P><LI>Proceed to <A HREF="#HDRWQ142">Enabling AFS Login on IRIX Systems</A>.
|
|
</OL>
|
|
<A NAME="IDX2974"></A>
|
|
<A NAME="IDX2975"></A>
|
|
<A NAME="IDX2976"></A>
|
|
<P><H3><A NAME="HDRWQ142" HREF="auqbg002.htm#ToC_131">Enabling AFS Login on IRIX Systems</A></H3>
|
|
<P>The standard IRIX command-line <B>login</B> program and
|
|
the graphical <B>xdm</B> login program both automatically grant an AFS
|
|
token when AFS is incorporated into the machine's kernel. However,
|
|
some IRIX distributions use another login utility by default, and it does not
|
|
necessarily incorporate the required AFS modifications. If that is the
|
|
case, you must disable the default utility if you want AFS users to obtain AFS
|
|
tokens at login. For further discussion, see the <I>IBM AFS Release
|
|
Notes</I>.
|
|
<P>If you configure the machine to use an AFS-modified login utility, then the
|
|
<B>afsauthlib.so</B> and <B>afskauthlib.so</B> files
|
|
(included in the AFS distribution) must reside in the <B>/usr/vice/etc</B>
|
|
directory. Issue the <B>ls</B> command to verify.
|
|
<PRE>
|
|
# <B>ls /usr/vice/etc</B>
|
|
</PRE>
|
|
<P>If the files do not exist, mount the AFS CD-ROM for IRIX (if it is not
|
|
already), change directory as indicated, and copy them.
|
|
<PRE>
|
|
# <B>cd /cdrom/sgi_65/root.client/usr/vice/etc</B>
|
|
|
|
# <B>cp -p *authlib* /usr/vice/etc</B>
|
|
</PRE>
|
|
<P>After taking any necessary action, proceed to <A HREF="#HDRWQ145">Loading and Creating Client Files</A>.
|
|
<A NAME="IDX2977"></A>
|
|
<A NAME="IDX2978"></A>
|
|
<A NAME="IDX2979"></A>
|
|
<A NAME="IDX2980"></A>
|
|
<A NAME="IDX2981"></A>
|
|
<A NAME="IDX2982"></A>
|
|
<A NAME="IDX2983"></A>
|
|
<A NAME="IDX2984"></A>
|
|
<A NAME="IDX2985"></A>
|
|
<HR><H2><A NAME="HDRWQ143" HREF="auqbg002.htm#ToC_132">Getting Started on Linux Systems</A></H2>
|
|
<P>In this section you load AFS into the Linux kernel.
|
|
Then incorporate AFS modifications into the machine's Pluggable
|
|
Authentication Module (PAM) system, if you wish to enable AFS login.
|
|
<P><H3><A NAME="Header_133" HREF="auqbg002.htm#ToC_133">Loading AFS into the Linux Kernel</A></H3>
|
|
<P>The <B>insmod</B> program is the dynamic kernel loader for
|
|
Linux. Linux does not support incorporation of AFS modifications during
|
|
a kernel build.
|
|
<P>For AFS to function correctly, the <B>insmod</B> program must run each
|
|
time the machine reboots, so the AFS initialization script (included on the
|
|
AFS CD-ROM) invokes it automatically. The script also includes commands
|
|
that select the appropriate AFS library file automatically. In this
|
|
section you run the script.
|
|
<P>In a later section you also verify that the script correctly initializes
|
|
the Cache Manager, then activate a configuration variable, which results in
|
|
the script being incorporated into the Linux startup and shutdown
|
|
sequence.
|
|
<OL TYPE=1>
|
|
<P><LI>Mount the AFS CD-ROM for Linux on the local <B>/cdrom</B>
|
|
directory. For instructions on mounting CD-ROMs (either locally or
|
|
remotely via NFS), see your Linux documentation. Then change directory
|
|
as indicated.
|
|
<PRE>
|
|
# <B>cd /cdrom/i386_linux22/root.client/usr/vice/etc</B>
|
|
|
|
</PRE>
|
|
<P><LI>Copy the AFS kernel library files to the local
|
|
<B>/usr/vice/etc/modload</B> directory. The filenames for the
|
|
libraries have the format
|
|
<B>libafs-</B><VAR>version</VAR><B>.o</B>, where <VAR>version</VAR>
|
|
indicates the kernel build level. The string <B>.mp</B> in
|
|
the <VAR>version</VAR> indicates that the file is appropriate for machines
|
|
running a multiprocessor kernel.
|
|
<PRE>
|
|
# <B>cp -rp modload /usr/vice/etc</B>
|
|
|
|
</PRE>
|
|
<P><LI>Copy the AFS initialization script to the local directory for
|
|
initialization files (by convention, <B>/etc/rc.d/init.d</B>
|
|
on Linux machines). Note the removal of the <B>.rc</B>
|
|
extension as you copy the script.
|
|
<PRE>
|
|
# <B>cp -p afs.rc /etc/rc.d/init.d/afs</B>
|
|
|
|
</PRE>
|
|
<P><LI>Run the AFS initialization script to load AFS extensions into the
|
|
kernel. You can ignore any error messages about the inability to start
|
|
the BOS Server or the Cache Manager or AFS client.
|
|
<PRE>
|
|
# <B>/etc/rc.d/init.d/afs start</B>
|
|
|
|
</PRE>
|
|
</OL>
|
|
<P><H3><A NAME="Header_134" HREF="auqbg002.htm#ToC_134">Enabling AFS Login on Linux Systems</A></H3>
|
|
<P>At this point you incorporate AFS into the operating system's
|
|
Pluggable Authentication Module (PAM) scheme. PAM integrates all
|
|
authentication mechanisms on the machine, including login, to provide the
|
|
security infrastructure for authenticated access to and from the
|
|
machine.
|
|
<P>Explaining PAM is beyond the scope of this document. It is assumed
|
|
that you understand the syntax and meanings of settings in the PAM
|
|
configuration file (for example, how the <TT>other</TT> entry works, the
|
|
effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
|
|
<TT>sufficient</TT>, and so on).
|
|
<P>The following instructions explain how to alter the entries in the PAM
|
|
configuration file for each service for which you wish to use AFS
|
|
authentication. Other configurations possibly also work, but the
|
|
instructions specify the recommended and tested configuration.
|
|
<P>The recommended AFS-related entries in the PAM configuration file make use
|
|
of one or more of the following three attributes.
|
|
<DL>
|
|
<h4><br>Authentication Management</h4>
|
|
<P><DT><B><TT>try_first_pass</TT>
|
|
</B><DD>This is a standard PAM attribute that can be included on entries after the
|
|
first one for a service; it directs the module to use the password that
|
|
was provided to the first module. For the AFS module, it means that AFS
|
|
authentication succeeds if the password provided to the module listed first is
|
|
the user's correct AFS password. For further discussion of this
|
|
attribute and its alternatives, see the operating system's PAM
|
|
documentation.
|
|
<P>
|
|
<P><DT><B><TT>ignore_root</TT>
|
|
</B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
|
|
only the local superuser <B>root</B>, but also any user with UID 0
|
|
(zero).
|
|
<P><DT><B><TT>ignore_uid <i>uid</i></TT>
|
|
</B><DD>This option is an extension of the "ignore_root" switch. The additional
|
|
parameter is a limit. Users with a uid up to the given parameter are ignored
|
|
by <i>pam_afs.so</i>. Thus, a system administrator still has the opportunity to
|
|
add local user accounts to his system by choosing between "low" and
|
|
"high" user ids.<br>
|
|
An example /etc/passwd file for "ignore_uid 100" may have entries like these:
|
|
<PRE>
|
|
.
|
|
.
|
|
afsuserone:x:99:100::/afs/afscell/u/afsuserone:/bin/bash
|
|
afsusertwo:x:100:100::/afs/afscell/u/afsusertwo:/bin/bash
|
|
localuserone:x:101:100::/home/localuserone:/bin/bash
|
|
localusertwo:x:102:100::/home/localusertwo:/bin/bash
|
|
.
|
|
.
|
|
</PRE><br>
|
|
AFS accounts should be locked in the file /etc/shadow like this:
|
|
<PRE>
|
|
.
|
|
.
|
|
afsuserone:!!:11500:0:99999:7:::
|
|
afsusertwo:!!:11500:0:99999:7:::
|
|
localuserone:&lt;thelocaluserone'skey&gt;:11500:0:99999:7:::
localusertwo:&lt;thelocalusertwo'skey&gt;:11500:0:99999:7:::
|
|
.
|
|
.
|
|
</PRE><br>
|
|
There is no need to store a local key in this file since the AFS
password is sent and verified at the AFS cell server!
|
|
|
|
<P><DT><B><TT>setenv_password_expires</TT>
|
|
</B><DD>This attribute, specific to the AFS PAM module, sets the environment
|
|
variable PASSWORD_EXPIRES to the expiration date of the user's AFS
|
|
password, which is recorded in the Authentication Database.
|
|
<P><DT><B><TT>set_token</TT>
|
|
</B><DD>Some applications do not call <i>pam_setcred()</i> to retrieve the appropriate
credentials (here, the AFS token) for their session. This switch sets the credentials
already in <i>pam_sm_authenticate()</i>, which makes a call to <i>pam_setcred()</i> unnecessary.<br>
<b>Caution: Do not use this switch for applications that do call <i>pam_setcred()</i>!</b>
Older versions of the Samba server are one example of an application that does not call
<i>pam_setcred()</i>.<br>
Nevertheless, using applications with working PAM session management is recommended, because
that setup conforms better to the PAM definitions.
|
|
<P><DT><B><TT>refresh_token</TT>
|
|
</B><DD>This option is identical to "set_token" except that no new PAG is generated.
This is necessary to handle processes like xlock or xscreensaver. It is not enough to release
the screen and the keyboard to the user who reactivated the screen by typing the
correct AFS password; the user may also need fresh tokens with a full
lifetime in order to continue working, and the new token must be placed in the already existing PAG
for the processes that have already been started. This option achieves that.
|
|
<P><DT><B><TT>use_klog</TT>
|
|
</B><DD>When this switch is activated, authentication is done by calling the external program "klog".
One program that requires this is, for example, <i>kdm</i> of KDE 2.x.<br></DD>
|
|
<P><DT><B><TT>dont_fork</TT>
|
|
</B><DD>Usually, the password verification and the establishment of the token are performed
in a subprocess. With this option, pam_afs does not fork and performs all actions in a single
process. <b>Only use this option if you notice serious problems caused by the subprocess.</b>
This option was developed with the "mod_auth_pam" project in mind (see also
<A HREF="http://pam.sourceforge.net/mod_auth_pam/">mod_auth_pam</A>). The mod_auth_pam
module enables PAM authentication for the Apache HTTP server package.
|
|
|
|
<h4><br>Session Management</h4>
|
|
|
|
<P><DT><B><TT>no_unlog</TT>
|
|
</B><DD>Normally the tokens are deleted (in memory) after the session ends. With this option the tokens are left
untouched. <b>This behaviour has been the default in pam_afs until openafs-1.1.1!</b>
|
|
<P><DT><B><TT>remainlifetime <i>sec</i></TT>
|
|
</B><DD>The tokens are kept active for <i>sec</i> seconds before they are deleted. X display managers,
for example, usually inform the applications started in the X session before the logout and then
end themselves. If the token were deleted immediately, the applications would have no chance to
write their settings back to, for example, the user's AFS home space. This option may help to avoid the
problem.<br>
|
|
|
|
</DL>
|
|
<P>Perform the following steps to enable AFS login.
|
|
<OL TYPE=1>
|
|
<P><LI>Mount the AFS CD-ROM for Linux on the <B>/cdrom</B> directory, if it
|
|
is not already. Then change to the directory for PAM modules, which
|
|
depends on which Linux distribution you are using.
|
|
<P>If you are using a Linux distribution from Red Hat Software:
|
|
<PRE>
|
|
# <B>cd /lib/security</B>
|
|
</PRE>
|
|
<P>If you are using another Linux distribution:
|
|
<PRE>
|
|
# <B>cd /usr/lib/security</B>
|
|
|
|
</PRE>
|
|
<P><LI>Copy the appropriate AFS authentication library file to the directory to
|
|
which you changed in the previous step. Create a symbolic link whose
|
|
name does not mention the version. Omitting the version eliminates the
|
|
need to edit the PAM configuration file if you later update the library
|
|
file.
|
|
<P>If you use the AFS Authentication Server (<B>kaserver</B>
|
|
process):
|
|
<PRE>
|
|
# <B>cp /cdrom/i386_linux22/lib/pam_afs.so.1 .</B>
|
|
|
|
# <B>ln -s pam_afs.so.1 pam_afs.so</B>
|
|
</PRE>
|
|
<P>If you use a Kerberos implementation of AFS authentication:
|
|
<PRE>
|
|
# <B>cp /cdrom/i386_linux22/lib/pam_afs.krb.so.1 .</B>
|
|
|
|
# <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>
|
|
|
|
</PRE>
|
|
<P><LI>For each service with which you want to use AFS authentication, insert an
|
|
entry for the AFS PAM module into the <TT>auth</TT> section of the
|
|
service's PAM configuration file. (Linux uses a separate
|
|
configuration file for each service, unlike some other operating systems which
|
|
list all services in a single file.) Mark the entry as
|
|
<TT>sufficient</TT> in the second field.
|
|
<P>Place the AFS entry below any entries that impose conditions under which
|
|
you want the service to fail for a user who does not meet the entry's
|
|
requirements. Mark these entries <TT>required</TT>. Place the
|
|
AFS entry above any entries that need to execute only if AFS authentication
|
|
fails.
|
|
<P>Insert the following AFS entry if using the Red Hat distribution:
|
|
<PRE>
|
|
auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
|
|
</PRE>
|
|
<P>Insert the following AFS entry if using another distribution:
|
|
<PRE>
|
|
auth sufficient /usr/lib/security/pam_afs.so try_first_pass ignore_root
|
|
</PRE>
|
|
<P>Also check the PAM configuration files for "session" entries. If there are
lines beginning with "session", insert this line too:
|
|
<PRE>
|
|
session optional /lib/security/pam_afs.so
|
|
</PRE>
|
|
<P>or
|
|
<PRE>
|
|
session optional /usr/lib/security/pam_afs.so
|
|
</PRE>
|
|
<P>This guarantees that the user's tokens are deleted from memory after the
session ends, so that no other user accidentally obtains those tokens without authorization.
The following examples illustrate the recommended configuration of the
configuration file for several services:<br>
|
|
|
|
<h4><br>Authentication Management</h4>
|
|
|
|
(<B>/etc/pam.d/login</B>)
|
|
<PRE>
|
|
#%PAM-1.0
|
|
auth required /lib/security/pam_securetty.so
|
|
auth required /lib/security/pam_nologin.so
|
|
auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
|
|
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|
#This enables AFS authentication for every user but root
|
|
auth required /lib/security/pam_pwdb.so shadow nullok
|
|
account required /lib/security/pam_pwdb.so
|
|
password required /lib/security/pam_cracklib.so
|
|
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
|
|
session optional /lib/security/pam_afs.so
|
|
#Make sure tokens are deleted after the user logs out
|
|
session required /lib/security/pam_pwdb.so
|
|
|
|
</PRE><br>
|
|
(<b>/etc/pam.d/samba</b>)
|
|
<PRE>
|
|
auth required /lib/security/pam_afs.so ignore_uid 100 set_token
|
|
# ^^^^^^^^^^^^^^^^^^^^^^^^
|
|
#Here, users with uid&gt;100 are considered to belong to the AFS and users
#with uid&lt;=100 are ignored by pam_afs. The token is retrieved already in
#pam_sm_authenticate() (this is an example pam config for a samba version
#that does not call pam_setcred(); it also makes no sense to include session
#entries here since they would be ignored by this version of samba).
|
|
account required /lib/security/pam_pwdb.so
|
|
</PRE>
|
|
(<b>/etc/pam.d/xscreensaver</b>)
|
|
<PRE>
|
|
auth sufficient /lib/security/pam_afs.so ignore_uid 100 refresh_token
|
|
# ^^^^^^^^^^^^^
|
|
#Avoid generating a new PAG for the new tokens, use the already existing PAG and
|
|
#establish a fresh token in it.
|
|
auth required /lib/security/pam_pwdb.so try_first_pass
|
|
</PRE>
|
|
(<b>/etc/pam.d/httpd</b>)
|
|
<PRE>
|
|
auth required /lib/security/pam_afs.so ignore_uid 100 dont_fork
|
|
# ^^^^^^^^^
|
|
#Don't fork for the verification of the password.
|
|
</PRE>
|
|
|
|
<h4><br>Session Management</h4>
|
|
|
|
(<b>/etc/pam.d/su</b>)
|
|
<PRE>
|
|
auth sufficient /lib/security/pam_afs.so ignore_uid 100
|
|
auth required /lib/security/pam_pwdb.so try_first_pass
|
|
account required /lib/security/pam_pwdb.so
|
|
password required /lib/security/pam_cracklib.so
|
|
password required /lib/security/pam_pwdb.so use_authtok
|
|
session required /lib/security/pam_pwdb.so
|
|
session optional /lib/security/pam_afs.so no_unlog
|
|
# ^^^^^^^^
|
|
#Don't delete the token in this case, since the user may still
|
|
#need it (for example if somebody logs in and changes to root
|
|
#afterwards he may still want to access his home space in AFS).
|
|
session required /lib/security/pam_login_access.so
|
|
session optional /lib/security/pam_xauth.so
|
|
</PRE>
|
|
(<b>/etc/pam.d/xdm</b>)
|
|
<PRE>
|
|
auth required /lib/security/pam_nologin.so
|
|
auth required /lib/security/pam_login_access.so
|
|
auth sufficient /lib/security/pam_afs.so ignore_uid 100 use_klog
|
|
auth required /lib/security/pam_pwdb.so try_first_pass
|
|
account required /lib/security/pam_pwdb.so
|
|
password required /lib/security/pam_cracklib.so
|
|
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
|
|
session optional /lib/security/pam_afs.so remainlifetime 10
|
|
# ^^^^^^^^^^^^^^^^^
|
|
#Wait 10 seconds before deleting the AFS tokens in order to give
|
|
#the programs of the X session some time to save their settings
|
|
#to AFS.
|
|
session required /lib/security/pam_pwdb.so
|
|
</PRE>
|
|
|
|
<P><LI>Proceed to <A HREF="#HDRWQ145">Loading and Creating Client Files</A>.
|
|
</OL>
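<P>The placement rules from the Linux PAM steps above can be checked mechanically. The following shell function is an added example, not part of the AFS distribution; it reports an access-gate module listed after a <TT>sufficient</TT> pam_afs entry (a successful <TT>sufficient</TT> module ends the auth stack, so the later gate is never consulted), a missing pam_afs <TT>session</TT> entry, and a session entry that keeps tokens with <TT>no_unlog</TT>. The function names, finding labels and the gate list are assumptions (the list is drawn from the modules the sample files place above <TT>pam_afs.so</TT>), and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit one Linux per-service PAM file (for example
# /etc/pam.d/login) against the placement rules described in this section.

# Modules treated as access gates. Assumption: the list is drawn from the
# modules that the sample files in this section place above pam_afs.so.
GATES='pam_securetty.so pam_nologin.so pam_login_access.so'

# audit_pam_afs FILE
# Prints one finding per line; prints nothing when no rule is violated.
audit_pam_afs() {
    awk -v gates="$GATES" '
    BEGIN { n = split(gates, g, " "); for (i = 1; i <= n; i++) gate[g[i]] = 1 }
    /^[ \t]*#/ || NF < 3 { next }        # skip comments, blank and short lines
    {
        type = $1; control = $2
        m = split($3, parts, "/"); module = parts[m]   # drop the directory
    }
    type == "auth" && module == "pam_afs.so" {
        have_auth = 1
        # Remember the first sufficient AFS entry: success there ends the stack.
        if (control == "sufficient" && !afs_line) afs_line = NR
        next
    }
    type == "auth" && (module in gate) && afs_line {
        printf "gate-after-afs %s line %d\n", module, NR
    }
    type == "session" {
        have_session = 1
        if (module == "pam_afs.so") {
            afs_session = 1
            for (i = 4; i <= NF; i++)
                if ($i == "no_unlog") printf "tokens-kept line %d\n", NR
        }
    }
    END {
        if (!have_auth) print "no-afs-auth"
        if (have_session && !afs_session) print "no-afs-session"
    }' "$1"
}

# write_samples DIR
# Writes three constructed PAM files (not taken from a real machine).
write_samples() {
    # Follows the recommended login configuration shown in this section.
    cat > "$1/login.good" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_afs.so try_first_pass ignore_root
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    optional     /lib/security/pam_afs.so
session    required     /lib/security/pam_pwdb.so
EOF
    # Gates listed below the AFS entry, and no AFS session entry.
    cat > "$1/login.bad" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_afs.so try_first_pass ignore_root
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_pwdb.so
EOF
    # Session entry that leaves the tokens in place after logout.
    cat > "$1/su.keep" <<'EOF'
auth       sufficient   /lib/security/pam_afs.so ignore_uid 100
auth       required     /lib/security/pam_pwdb.so try_first_pass
session    required     /lib/security/pam_pwdb.so
session    optional     /lib/security/pam_afs.so no_unlog
EOF
}

# Stand-alone run: audit the constructed samples and show the findings.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in login.good login.bad su.keep; do
    echo "== $f"
    audit_pam_afs "$tmp/$f"
done
rm -rf "$tmp"
```

A <TT>tokens-kept</TT> finding is informational: the <B>su</B> sample in this section uses <TT>no_unlog</TT> on purpose.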
|
|
<A NAME="IDX2986"></A>
|
|
<A NAME="IDX2987"></A>
|
|
<A NAME="IDX2988"></A>
|
|
<A NAME="IDX2989"></A>
|
|
<A NAME="IDX2990"></A>
|
|
<A NAME="IDX2991"></A>
|
|
<A NAME="IDX2992"></A>
|
|
<A NAME="IDX2993"></A>
|
|
<A NAME="IDX2994"></A>
|
|
<A NAME="IDX2995"></A>
|
|
<A NAME="IDX2996"></A>
|
|
<A NAME="IDX2997"></A>
|
|
<HR><H2><A NAME="HDRWQ144" HREF="auqbg002.htm#ToC_135">Getting Started on Solaris Systems</A></H2>
|
|
<P>In this section you load AFS into the Solaris kernel.
|
|
Then incorporate AFS modifications into the machine's Pluggable
|
|
Authentication Module (PAM) system, if you wish to enable AFS login.
|
|
<P><H3><A NAME="Header_136" HREF="auqbg002.htm#ToC_136">Loading AFS into the Solaris Kernel</A></H3>
|
|
<P>The <B>modload</B> program is the dynamic kernel loader provided by
|
|
Sun Microsystems for Solaris systems. Solaris does not support
|
|
incorporation of AFS modifications during a kernel build.
|
|
<P>For AFS to function correctly, the <B>modload</B> program must run each
|
|
time the machine reboots, so the AFS initialization script (included on the
|
|
AFS CD-ROM) invokes it automatically. In this section you copy the
|
|
appropriate AFS library file to the location where the <B>modload</B>
|
|
program accesses it and then run the script.
|
|
<P>In a later section you verify that the script correctly initializes the
|
|
Cache Manager, then create the links that incorporate AFS into the Solaris
|
|
startup and shutdown sequence.
|
|
<OL TYPE=1>
|
|
<P><LI>Mount the AFS CD-ROM for Solaris on the <B>/cdrom</B>
|
|
directory. For instructions on mounting CD-ROMs (either locally or
|
|
remotely via NFS), see your Solaris documentation. Then change
|
|
directory as indicated.
|
|
<PRE>
|
|
# <B>cd /cdrom/sun4x_56/root.client/usr/vice/etc</B>
|
|
|
|
</PRE>
|
|
<P><LI>Copy the AFS initialization script to the local directory for
|
|
initialization files (by convention, <B>/etc/init.d</B> on Solaris
|
|
machines). Note the removal of the <B>.rc</B> extension as
|
|
you copy the script.
|
|
<PRE>
|
|
# <B>cp -p afs.rc /etc/init.d/afs</B>
|
|
|
|
</PRE>
|
|
<P><LI>Copy the appropriate AFS kernel library file to the local file
|
|
<B>/kernel/fs/afs</B>.
|
|
<P>If the machine is running Solaris 2.6 or the 32-bit version of
|
|
Solaris 7, its kernel supports NFS server functionality, and the
|
|
<B>nfsd</B> process is running:
|
|
<PRE>
|
|
# <B>cp -p modload/libafs.o /kernel/fs/afs</B>
|
|
</PRE>
|
|
<P>If the machine is running Solaris 2.6 or the 32-bit version of
|
|
Solaris 7, and its kernel does not support NFS server functionality or the
|
|
<B>nfsd</B> process is not running:
|
|
<PRE>
|
|
# <B>cp -p modload/libafs.nonfs.o /kernel/fs/afs</B>
|
|
</PRE>
|
|
<P>If the machine is running the 64-bit version of Solaris 7, its kernel
|
|
supports NFS server functionality, and the <B>nfsd</B> process is
|
|
running:
|
|
<PRE>
|
|
# <B>cp -p modload/libafs64.o /kernel/fs/sparcv9/afs</B>
|
|
</PRE>
|
|
<P>If the machine is running the 64-bit version of Solaris 7, and its
|
|
kernel does not support NFS server functionality or the <B>nfsd</B>
|
|
process is not running:
|
|
<PRE>
|
|
# <B>cp -p modload/libafs64.nonfs.o /kernel/fs/sparcv9/afs</B>
|
|
|
|
</PRE>
|
|
<P><LI>Run the AFS initialization script to load AFS modifications into the
|
|
kernel. You can ignore any error messages about the inability to start
|
|
the BOS Server or the Cache Manager or AFS client.
|
|
<PRE>
|
|
# <B>/etc/init.d/afs start</B>
|
|
</PRE>
|
|
<P>When an entry called <TT>afs</TT> does not already exist in the local
|
|
<B>/etc/name_to_sysnum</B> file, the script automatically creates it and
|
|
reboots the machine to start using the new version of the file. If this
|
|
happens, log in again as the superuser <B>root</B> after the reboot and
|
|
run the initialization script again. This time the required entry
|
|
exists in the <B>/etc/name_to_sysnum</B> file, and the <B>modload</B>
|
|
program runs.
|
|
<PRE>
|
|
login: <B>root</B>
|
|
Password: <VAR>root_password</VAR>
|
|
|
|
# <B>/etc/init.d/afs start</B>
|
|
|
|
</PRE>
|
|
</OL>
|
|
<P><H3><A NAME="Header_137" HREF="auqbg002.htm#ToC_137">Enabling AFS Login on Solaris Systems</A></H3>
|
|
<P>At this point you incorporate AFS into the operating system's
|
|
Pluggable Authentication Module (PAM) scheme. PAM integrates all
|
|
authentication mechanisms on the machine, including login, to provide the
|
|
security infrastructure for authenticated access to and from the
|
|
machine.
|
|
<P>Explaining PAM is beyond the scope of this document. It is assumed
|
|
that you understand the syntax and meanings of settings in the PAM
|
|
configuration file (for example, how the <TT>other</TT> entry works, the
|
|
effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
|
|
<TT>sufficient</TT>, and so on).
|
|
<P>The following instructions explain how to alter the entries in the PAM
|
|
configuration file for each service for which you wish to use AFS
|
|
authentication. Other configurations possibly also work, but the
|
|
instructions specify the recommended and tested configuration.
|
|
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">The instructions specify that you mark each entry as
|
|
<TT>optional</TT>. However, marking some modules as optional can mean
|
|
that they grant access to the corresponding service even when the user does
|
|
not meet all of the module's requirements. In some operating
|
|
system revisions, for example, if you mark as optional the module that
|
|
controls login via a dial-up connection, it allows users to login without
|
|
providing a password. See the <I>IBM AFS Release Notes</I> for a
|
|
discussion of any limitations that apply to this operating system.
|
|
<P>Also, with some operating system versions you must install patches for PAM
|
|
to interact correctly with certain authentication programs. For
|
|
details, see the <I>IBM AFS Release Notes</I>.
|
|
</TD></TR></TABLE>
|
|
<P>The recommended AFS-related entries in the PAM configuration file make use
|
|
of one or more of the following three attributes.
|
|
<DL>
|
|
<h4><br>Authentication Management</h4>
|
|
<P><DT><B><TT>try_first_pass</TT>
|
|
</B><DD>This is a standard PAM attribute that can be included on entries after the
|
|
first one for a service; it directs the module to use the password that
|
|
was provided to the first module. For the AFS module, it means that AFS
|
|
authentication succeeds if the password provided to the module listed first is
|
|
the user's correct AFS password. For further discussion of this
|
|
attribute and its alternatives, see the operating system's PAM
|
|
documentation.
|
|
<P><DT><B><TT>ignore_root</TT>
|
|
</B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
|
|
only the local superuser <B>root</B>, but also any user with UID 0
|
|
(zero).
|
|
<P><DT><B><TT>setenv_password_expires</TT>
|
|
</B><DD>This attribute, specific to the AFS PAM module, sets the environment
|
|
variable PASSWORD_EXPIRES to the expiration date of the user's AFS
|
|
password, which is recorded in the Authentication Database.
|
|
</DL>
|
|
<P>Perform the following steps to enable AFS login.
|
|
<OL TYPE=1>
|
|
<P><LI>Mount the AFS CD-ROM for Solaris on the <B>/cdrom</B> directory, if it
|
|
is not already. Then change directory as indicated.
|
|
<PRE>
|
|
# <B>cd /usr/lib/security</B>
|
|
|
|
</PRE>
|
|
<P><LI>Copy the AFS authentication library file to the
|
|
<B>/usr/lib/security</B> directory. Then create a symbolic link to
|
|
it whose name does not mention the version. Omitting the version
|
|
eliminates the need to edit the PAM configuration file if you later update the
|
|
library file.
|
|
<P>If you use the AFS Authentication Server (<B>kaserver</B>
|
|
process):
|
|
<PRE>
|
|
# <B>cp /cdrom/sun4x_56/lib/pam_afs.so.1 .</B>
|
|
|
|
# <B>ln -s pam_afs.so.1 pam_afs.so</B>
|
|
</PRE>
|
|
<P>If you use a Kerberos implementation of AFS authentication:
|
|
<PRE>
|
|
# <B>cp /cdrom/sun4x_56/lib/pam_afs.krb.so.1 .</B>
|
|
|
|
# <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>
|
|
|
|
</PRE>
|
|
<P><LI>Edit the <TT>Authentication management</TT> section of the Solaris PAM
|
|
configuration file, <B>/etc/pam.conf</B> by convention. The
|
|
entries in this section have the value <TT>auth</TT> in their second
|
|
field.
|
|
<P>First edit the standard entries, which refer to the Solaris PAM module
|
|
(usually, the file <B>/usr/lib/security/pam_unix.so.1</B>)
|
|
in their fourth field. For each service for which you want to use AFS
|
|
authentication, edit the third field of its entry to read
|
|
<TT>optional</TT>. The <B>pam.conf</B> file in the Solaris
|
|
distribution usually includes standard entries for the <B>login</B>,
|
|
<B>rlogin</B>, and <B>rsh</B> services, for instance.
|
|
<P>If there are services for which you want to use AFS authentication, but for
|
|
which the <B>pam.conf</B> file does not already include a standard
|
|
entry, you must create that entry and place the value <TT>optional</TT> in
|
|
its third field. For instance, the Solaris <B>pam.conf</B>
|
|
file does not usually include standard entries for the <B>ftp</B> or
|
|
<B>telnet</B> services.
|
|
<P>Then create an AFS-related entry for each service, placing it immediately
below the standard entry. The following example shows what the
<TT>Authentication Management</TT> section looks like after you have
edited or created entries for the services mentioned previously. Note
that the example AFS entries appear on two lines only for legibility.
|
|
<PRE>
   login   auth optional /usr/lib/security/pam_unix.so.1
   login   auth optional /usr/lib/security/pam_afs.so     \
         try_first_pass ignore_root setenv_password_expires
   rlogin  auth optional /usr/lib/security/pam_unix.so.1
   rlogin  auth optional /usr/lib/security/pam_afs.so     \
         try_first_pass ignore_root setenv_password_expires
   rsh     auth optional /usr/lib/security/pam_unix.so.1
   rsh     auth optional /usr/lib/security/pam_afs.so     \
         try_first_pass ignore_root
   ftp     auth optional /usr/lib/security/pam_unix.so.1
   ftp     auth optional /usr/lib/security/pam_afs.so     \
         try_first_pass ignore_root
   telnet  auth optional /usr/lib/security/pam_unix.so.1
   telnet  auth optional /usr/lib/security/pam_afs.so     \
         try_first_pass ignore_root setenv_password_expires
</PRE>
<P><LI>If you use the Common Desktop Environment (CDE) on the machine and want
users to obtain an AFS token as they log in, also add or edit the following
four entries in the <TT>Authentication management</TT> section. Note
that the AFS-related entries appear on two lines here only for
legibility.
<PRE>
   dtlogin   auth optional /usr/lib/security/pam_unix.so.1
   dtlogin   auth optional /usr/lib/security/pam_afs.so     \
         try_first_pass ignore_root
   dtsession auth optional /usr/lib/security/pam_unix.so.1
   dtsession auth optional /usr/lib/security/pam_afs.so     \
         try_first_pass ignore_root
</PRE>
<P><LI>Some Solaris distributions include a script that locates and removes
unneeded files from various file systems. Its conventional location is
<B>/usr/lib/fs/nfs/nfsfind</B>. The script generally uses an
argument to the <B>find</B> command to define which file systems to
search. In this step you modify the command to exclude the
<B>/afs</B> directory. Otherwise, the command traverses the AFS
filespace of every cell that is accessible from the machine, which can take
many hours. The following alterations are possibilities, but you must
verify that they are appropriate for your cell.
<P>The first possible alteration is to add the <B>-local</B> flag to the
existing command, so that it looks like the following:
<PRE>
   find $dir -local -name .nfs\* -mtime +7 -mount -exec rm -f {} \;
</PRE>
<P>Another alternative is to exclude any directories whose names begin with
the lowercase letter <B>a</B> or a non-alphabetic character.
<PRE>
   find /[A-Zb-z]* <VAR>remainder of existing command</VAR>
</PRE>
<P>Do not use the following command, which still searches under the
<B>/afs</B> directory, looking for a subdirectory of type
<B>4.2</B>.
<PRE>
   find / -fstype 4.2 /* <VAR>do not use</VAR> */
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ145">Loading and Creating Client Files</A>.
|
|
</OL>
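<P>The following is an added example, not part of the original guide or of the AFS distribution: a shell function that checks the <TT>auth</TT> entries of a <B>pam.conf</B> file against the layout the steps above describe (a standard <B>pam_unix.so.1</B> entry marked <TT>optional</TT>, with an <TT>optional</TT> <B>pam_afs.so</B> entry immediately below it). The function name <TT>check_pam_afs</TT>, its messages and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# check_pam_afs FILE SERVICE...
#   FILE     pam.conf to inspect ("-" reads standard input)
#   SERVICE  services that are meant to use AFS authentication
# Prints one line per problem; returns 0 if none were found, 1 otherwise.
# (Hypothetical helper written for this example.)
check_pam_afs() {
    pam_file=$1
    shift
    awk -v want="$*" '
    function report(msg) { print msg; problems++ }

    BEGIN {
        n = split(want, svc, " ")
        for (i = 1; i <= n; i++) wanted[svc[i]] = 1
    }

    # Join physical lines ending in a backslash into one logical entry.
    {
        if (sub(/\\$/, "")) { buf = buf $0 " "; next }
        $0 = buf $0
        buf = ""
    }

    # Skip comments, short lines and entries whose second field is not auth.
    /^[ \t]*#/ || NF < 4 || $2 != "auth" { next }

    {
        name = $1; flag = $3; module = $4
        if (!(name in wanted)) { pending = ""; next }

        if (module ~ /\/pam_unix\.so\.1$/) {
            has_unix[name] = 1
            if (flag != "optional")
                report(name ": standard entry is \"" flag "\", expected optional")
            pending = name          # the AFS entry must be the next auth line
        } else if (module ~ /\/pam_afs\.so$/) {
            has_afs[name] = 1
            if (flag != "optional")
                report(name ": AFS entry is \"" flag "\", expected optional")
            if (pending != name)
                report(name ": AFS entry is not immediately below the standard entry")
            pending = ""
        } else {
            pending = ""
        }
    }

    END {
        for (i = 1; i <= n; i++) {
            if (!has_unix[svc[i]]) report(svc[i] ": no standard (pam_unix.so.1) auth entry")
            if (!has_afs[svc[i]])  report(svc[i] ": no AFS (pam_afs.so) auth entry")
        }
        exit (problems > 0)
    }
    ' "$pam_file"
}

# Constructed sample: login is laid out as in the guide, ftp lacks its AFS entry.
check_pam_afs - login ftp <<'EOF' || true
login  auth optional /usr/lib/security/pam_unix.so.1
login  auth optional /usr/lib/security/pam_afs.so \
       try_first_pass ignore_root setenv_password_expires
ftp    auth optional /usr/lib/security/pam_unix.so.1
EOF
```

<P>On a client, pass <B>/etc/pam.conf</B> and the list of services you edited; a nonzero return means at least one entry differs from the layout shown above.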
|
|
<A NAME="IDX2998"></A>
|
|
<A NAME="IDX2999"></A>
|
|
<A NAME="IDX3000"></A>
|
|
<A NAME="IDX3001"></A>
|
|
<A NAME="IDX3002"></A>
|
|
<A NAME="IDX3003"></A>
|
|
<A NAME="IDX3004"></A>
|
|
<A NAME="IDX3005"></A>
|
|
<A NAME="IDX3006"></A>
|
|
<A NAME="IDX3007"></A>
|
|
<A NAME="IDX3008"></A>
|
|
<A NAME="IDX3009"></A>
|
|
<HR><H2><A NAME="HDRWQ145" HREF="auqbg002.htm#ToC_138">Loading and Creating Client Files</A></H2>
|
|
<P>Now copy files from the AFS CD-ROM to the
<B>/usr/vice/etc</B> directory. On some platforms that use a
dynamic loader program to incorporate AFS modifications into the kernel, you
have already copied over some of the files. Copying them again does no
harm.
<P>Every AFS client machine has a copy of the
|
|
<B>/usr/vice/etc/ThisCell</B> file on its local disk to define the
|
|
machine's cell membership for the AFS client programs that run on
|
|
it. Among other functions, this file determines the following:
|
|
<UL>
|
|
<P><LI>The cell in which users authenticate when they log onto the machine,
|
|
assuming it is using an AFS-modified login utility
|
|
<P><LI>The cell in which users authenticate by default when they issue the
|
|
<B>klog</B> command
|
|
<P><LI>The cell membership of the AFS server processes that the AFS command
|
|
interpreters on this machine contact by default
|
|
</UL>
|
|
<P>Similarly, the <B>/usr/vice/etc/CellServDB</B> file on a client
|
|
machine's local disk lists the database server machines in each cell that
|
|
the local Cache Manager can contact. If there is no entry in the file
|
|
for a cell, or the list of database server machines is wrong, then users
|
|
working on this machine cannot access the cell. The chapter in the
|
|
<I>IBM AFS Administration Guide</I> about administering client machines
|
|
explains how to maintain the file after creating it. A version of the
|
|
client <B>CellServDB</B> file was created during the installation of your
|
|
cell's first machine (in <A HREF="auqbg005.htm#HDRWQ66">Creating the Client CellServDB File</A>). It is probably also appropriate for use on this
|
|
machine.
|
|
<P>Remember that the Cache Manager consults the
|
|
<B>/usr/vice/etc/CellServDB</B> file only at reboot, when it copies the
|
|
information into the kernel. For the Cache Manager to perform properly,
|
|
the <B>CellServDB</B> file must be accurate at all times. Refer to
|
|
the chapter in the <I>IBM AFS Administration Guide</I> about administering
|
|
client machines for instructions on updating this file, with or without
|
|
rebooting.
|
|
<OL TYPE=1>
|
|
<P><LI>On the local <B>/cdrom</B> directory, mount the AFS CD-ROM for this
|
|
machine's system type, if it is not already. For instructions on
|
|
mounting CD-ROMs (either locally or remotely via NFS), consult the operating
|
|
system documentation.
|
|
<P><LI>Copy files to the local <B>/usr/vice/etc</B> directory.
|
|
<P>This step places a copy of the AFS initialization script (and related
|
|
files, if applicable) into the <B>/usr/vice/etc</B> directory. In
|
|
the preceding instructions for incorporating AFS into the kernel, you copied
|
|
the script directly to the operating system's conventional location for
|
|
initialization files. When you incorporate AFS into the machine's
|
|
startup sequence in a later step, you can choose to link the two files.
|
|
<P>On some system types that use a dynamic kernel loader program, you
|
|
previously copied AFS library files into a subdirectory of the
|
|
<B>/usr/vice/etc</B> directory. On other system types, you copied
|
|
the appropriate AFS library file directly to the directory where the operating
|
|
system accesses it. The following commands do not copy or recopy the
|
|
AFS library files into the <B>/usr/vice/etc</B> directory, because on some
|
|
system types the library files consume a large amount of space. If you
|
|
want to copy them, add the <B>-r</B> flag to the first <B>cp</B>
|
|
command and skip the second <B>cp</B> command.
|
|
<PRE>
|
|
# <B>cd /cdrom/</B><VAR>sysname</VAR><B>/root.client/usr/vice/etc</B>
|
|
|
|
# <B>cp -p * /usr/vice/etc</B>
|
|
|
|
# <B>cp -rp C /usr/vice/etc</B>
|
|
|
|
</PRE>
|
|
<P><LI>Create the <B>/usr/vice/etc/ThisCell</B> file.
|
|
<PRE>
|
|
# <B>echo "</B><VAR>cellname</VAR><B>" > /usr/vice/etc/ThisCell</B>
|
|
|
|
</PRE>
|
|
<P><LI>Create the <B>/usr/vice/etc/CellServDB</B> file. Use a network
|
|
file transfer program such as <B>ftp</B> or NFS to copy it from one of the
|
|
following sources, which are listed in decreasing order of preference:
|
|
<UL>
|
|
<P><LI>Your cell's central <B>CellServDB</B> source file (the
|
|
conventional location is
|
|
<B>/afs/</B><VAR>cellname</VAR><B>/common/etc/CellServDB</B>)
|
|
<P><LI>The global <B>CellServDB</B> file maintained by the AFS Product
|
|
Support group
|
|
<P><LI>An existing client machine in your cell
|
|
<P><LI>The <B>CellServDB.sample</B> file included in the
|
|
<VAR>sysname</VAR><B>/root.client/usr/vice/etc</B> directory of each
|
|
AFS CD-ROM; add an entry for the local cell by following the instructions
|
|
in <A HREF="auqbg005.htm#HDRWQ66">Creating the Client CellServDB File</A>
|
|
</UL>
|
|
</OL>
|
|
<A NAME="IDX3010"></A>
|
|
<A NAME="IDX3011"></A>
|
|
<A NAME="IDX3012"></A>
|
|
<A NAME="IDX3013"></A>
|
|
<A NAME="IDX3014"></A>
|
|
<A NAME="IDX3015"></A>
|
|
<A NAME="IDX3016"></A>
|
|
<A NAME="IDX3017"></A>
|
|
<A NAME="IDX3018"></A>
|
|
<A NAME="IDX3019"></A>
|
|
<A NAME="IDX3020"></A>
|
|
<A NAME="IDX3021"></A>
|
|
<A NAME="IDX3022"></A>
|
|
<A NAME="IDX3023"></A>
|
|
<A NAME="IDX3024"></A>
|
|
<A NAME="IDX3025"></A>
|
|
<HR><H2><A NAME="HDRWQ146" HREF="auqbg002.htm#ToC_139">Configuring the Cache</A></H2>
|
|
<P>The Cache Manager uses a cache on the local disk or in
|
|
machine memory to store local copies of files fetched from file server
|
|
machines. As the <B>afsd</B> program initializes the Cache Manager,
|
|
it sets basic cache configuration parameters according to definitions in the
|
|
local <B>/usr/vice/etc/cacheinfo</B> file. The file has three
|
|
fields:
|
|
<OL TYPE=1>
|
|
<P><LI>The first field names the local directory on which to mount the AFS
|
|
filespace. The conventional location is the <B>/afs</B>
|
|
directory.
|
|
<P><LI>The second field defines the local disk directory to use for the disk
|
|
cache. The conventional location is the <B>/usr/vice/cache</B>
|
|
directory, but you can specify an alternate directory if another partition has
|
|
more space available. There must always be a value in this field, but
|
|
the Cache Manager ignores it if the machine uses a memory cache.
|
|
<P><LI>The third field specifies the number of kilobyte (1024 byte) blocks to
|
|
allocate for the cache.
|
|
</OL>
|
|
<P>The values you define must meet the following requirements.
|
|
<UL>
|
|
<P><LI>On a machine using a disk cache, the Cache Manager expects always to be
|
|
able to use the amount of space specified in the third field. Failure
|
|
to meet this requirement can cause serious problems, some of which can be
|
|
repaired only by rebooting. You must prevent non-AFS processes from
|
|
filling up the cache partition. The simplest way is to devote a
|
|
partition to the cache exclusively.
|
|
<P><LI>The amount of space available in memory or on the partition housing the
|
|
disk cache directory imposes an absolute limit on cache size.
|
|
<P><LI>The maximum supported cache size can vary in each AFS release; see
|
|
the <I>IBM AFS Release Notes</I> for the current version.
|
|
<P><LI>For a disk cache, you cannot specify a value in the third field that
|
|
exceeds 95% of the space available on the partition mounted at the directory
|
|
named in the second field. If you violate this restriction, the
|
|
<B>afsd</B> program exits without starting the Cache Manager and prints an
|
|
appropriate message on the standard output stream. A value of 90% is
|
|
more appropriate on most machines. Some operating systems (such as AIX)
|
|
do not automatically reserve some space to prevent the partition from filling
|
|
completely; for them, a smaller value (say, 80% to 85% of the space
|
|
available) is more appropriate.
|
|
<P><LI>For a memory cache, you must leave enough memory for other processes and
|
|
applications to run. If you try to allocate more memory than is
|
|
actually available, the <B>afsd</B> program exits without initializing the
|
|
Cache Manager and produces the following message on the standard output
|
|
stream.
|
|
<PRE>
|
|
afsd: memCache allocation failure at <VAR>number</VAR> KB
|
|
</PRE>
|
|
<P>The <VAR>number</VAR> value is how many kilobytes were allocated just before
|
|
the failure, and so indicates the approximate amount of memory
|
|
available.
|
|
</UL>
|
|
<P>Within these hard limits, the factors that determine appropriate cache size
|
|
include the number of users working on the machine, the size of the files with
|
|
which they work, and (for a memory cache) the number of processes that run on
|
|
the machine. The higher the demand from these factors, the larger the
|
|
cache needs to be to maintain good performance.
|
|
<P>Disk caches smaller than 10 MB do not generally perform well.
|
|
Machines serving multiple users usually perform better with a cache of at
|
|
least 60 to 70 MB. The point at which enlarging the cache further does
|
|
not really improve performance depends on the factors mentioned previously and
|
|
is difficult to predict.
|
|
<P>Memory caches smaller than 1 MB are nonfunctional, and the performance of
|
|
caches smaller than 5 MB is usually unsatisfactory. Suitable upper
|
|
limits are similar to those for disk caches but are probably determined more
|
|
by the demands on memory from other sources on the machine (number of users
|
|
and processes). Machines running only a few processes possibly can use
|
|
a smaller memory cache.
|
|
<P><H3><A NAME="HDRWQ147" HREF="auqbg002.htm#ToC_140">Configuring a Disk Cache</A></H3>
|
|
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Not all file system types that an operating system supports
|
|
are necessarily supported for use as the cache partition. For possible
|
|
restrictions, see the <I>IBM AFS Release Notes</I>.
|
|
</TD></TR></TABLE>
|
|
<P>To configure the disk cache, perform the following procedures:
|
|
<OL TYPE=1>
|
|
<P><LI>Create the local directory to use for caching. The following
|
|
instruction shows the conventional location,
|
|
<B>/usr/vice/cache</B>. If you are devoting a partition exclusively
|
|
to caching, as recommended, you must also configure it, make a file system on
|
|
it, and mount it at the directory created in this step.
|
|
<PRE>
|
|
# <B>mkdir /usr/vice/cache</B>
|
|
|
|
</PRE>
|
|
<P><LI>Create the <B>cacheinfo</B> file to define the configuration
|
|
parameters discussed previously. The following instruction shows the
|
|
standard mount location, <B>/afs</B>, and the standard cache location,
|
|
<B>/usr/vice/cache</B>.
|
|
<PRE>
|
|
# <B>echo "/afs:/usr/vice/cache:</B><VAR>#blocks</VAR><B>" > /usr/vice/etc/cacheinfo</B>
|
|
</PRE>
|
|
<P>The following example defines the disk cache size as 50,000 KB:
|
|
<PRE>
|
|
# <B>echo "/afs:/usr/vice/cache:50000" > /usr/vice/etc/cacheinfo</B>
|
|
</PRE>
|
|
</OL>
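<P>The following is an added example, not part of the original guide or of the AFS distribution: a pre-flight check of a <B>cacheinfo</B> line against the disk cache limits described in <A HREF="#HDRWQ146">Configuring the Cache</A>, to run before you start <B>afsd</B>. The function names and return codes are hypothetical, and the partition size is supplied by the caller in kilobyte blocks; the <TT>partition_kb</TT> helper assumes the total-size column of <TT>df -kP</TT> is the figure to compare against.

```shell
#!/bin/sh
# partition_kb DIR
#   Size, in 1 KB blocks, of the file system that holds DIR (POSIX "df -kP").
#   Assumption: the total-size column stands in for the "space available"
#   figure that the guide compares the cache size against.
partition_kb() {
    df -kP "$1" | awk 'NR == 2 { print $2 }'
}

# check_cacheinfo LINE PARTITION_KB [RECOMMENDED_PCT]
#   LINE             contents of cacheinfo, e.g. "/afs:/usr/vice/cache:50000"
#   PARTITION_KB     size of the cache partition in 1 KB blocks
#   RECOMMENDED_PCT  advisory ceiling; default 90 (use 80 to 85 on AIX)
# Return codes (hypothetical, chosen for this example):
#   0 within the recommended ceiling    1 above it, but not above 95%
#   2 above 95% (afsd exits without starting the Cache Manager)
#   3 malformed line or arguments
check_cacheinfo() {
    ci_line=$1
    ci_part=$2
    ci_rec=${3:-90}

    # Exactly three colon-separated fields: mount dir, cache dir, block count.
    case $ci_line in
        *:*:*:*) echo "malformed: more than three fields"; return 3 ;;
        *:*:*)   ;;
        *)       echo "malformed: fewer than three fields"; return 3 ;;
    esac
    ci_mount=${ci_line%%:*}
    ci_rest=${ci_line#*:}
    ci_cache=${ci_rest%%:*}
    ci_blocks=${ci_rest#*:}

    # The first two fields must always hold a value, even for a memory cache.
    if [ -z "$ci_mount" ] || [ -z "$ci_cache" ]; then
        echo "malformed: empty directory field"
        return 3
    fi

    # Positive decimal numbers only; a leading zero would be read as octal.
    for ci_n in "$ci_blocks" "$ci_part" "$ci_rec"; do
        case $ci_n in
            ''|0*|*[!0-9]*)
                echo "malformed: '$ci_n' is not a positive decimal number"
                return 3 ;;
        esac
    done

    ci_hard=$((ci_part * 95 / 100))
    ci_soft=$((ci_part * ci_rec / 100))
    if [ "$ci_blocks" -gt "$ci_hard" ]; then
        echo "error: $ci_blocks KB exceeds 95% of $ci_part KB ($ci_hard KB)"
        return 2
    fi
    if [ "$ci_blocks" -gt "$ci_soft" ]; then
        echo "warning: $ci_blocks KB exceeds ${ci_rec}% of $ci_part KB ($ci_soft KB)"
        return 1
    fi
    echo "ok: $ci_blocks KB cache in $ci_cache, AFS mounted at $ci_mount"
    return 0
}

# Constructed sample lines, checked against a constructed 100000 KB partition.
# On a client you would instead run:
#   check_cacheinfo "$(cat /usr/vice/etc/cacheinfo)" "$(partition_kb /usr/vice/cache)"
for ci_sample in "/afs:/usr/vice/cache:50000" \
                 "/afs:/usr/vice/cache:96000" \
                 "/afs::50000"; do
    check_cacheinfo "$ci_sample" 100000 || true
done
```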
|
|
<P><H3><A NAME="HDRWQ148" HREF="auqbg002.htm#ToC_141">Configuring a Memory Cache</A></H3>
|
|
<P>To configure a memory cache, create the <B>cacheinfo</B>
|
|
file to define the configuration parameters discussed previously. The
|
|
following instruction shows the standard mount location, <B>/afs</B>, and
|
|
the standard cache location, <B>/usr/vice/cache</B> (though the exact
|
|
value of the latter is irrelevant for a memory cache).
|
|
<PRE>
|
|
# <B>echo "/afs:/usr/vice/cache:</B><VAR>#blocks</VAR><B>" > /usr/vice/etc/cacheinfo</B>
|
|
</PRE>
|
|
<P>The following example allocates 25,000 KB of memory for the cache.
|
|
<PRE>
|
|
# <B>echo "/afs:/usr/vice/cache:25000" > /usr/vice/etc/cacheinfo</B>
|
|
</PRE>
|
|
<A NAME="IDX3026"></A>
|
|
<A NAME="IDX3027"></A>
|
|
<A NAME="IDX3028"></A>
|
|
<A NAME="IDX3029"></A>
|
|
<A NAME="IDX3030"></A>
|
|
<A NAME="IDX3031"></A>
|
|
<A NAME="IDX3032"></A>
|
|
<A NAME="IDX3033"></A>
|
|
<A NAME="IDX3034"></A>
|
|
<A NAME="IDX3035"></A>
|
|
<A NAME="IDX3036"></A>
|
|
<A NAME="IDX3037"></A>
|
|
<A NAME="IDX3038"></A>
|
|
<A NAME="IDX3039"></A>
|
|
<A NAME="IDX3040"></A>
|
|
<A NAME="IDX3041"></A>
|
|
<A NAME="IDX3042"></A>
|
|
<A NAME="IDX3043"></A>
|
|
<A NAME="IDX3044"></A>
|
|
<A NAME="IDX3045"></A>
|
|
<A NAME="IDX3046"></A>
|
|
<A NAME="IDX3047"></A>
|
|
<A NAME="IDX3048"></A>
|
|
<A NAME="IDX3049"></A>
|
|
<A NAME="IDX3050"></A>
|
|
<A NAME="IDX3051"></A>
|
|
<A NAME="IDX3052"></A>
|
|
<A NAME="IDX3053"></A>
|
|
<HR><H2><A NAME="HDRWQ149" HREF="auqbg002.htm#ToC_142">Configuring the Cache Manager</A></H2>
|
|
<P>By convention, the Cache Manager mounts the AFS filespace on
|
|
the local <B>/afs</B> directory. In this section you create that
|
|
directory.
|
|
<P>The <B>afsd</B> program sets several cache configuration parameters as
|
|
it initializes the Cache Manager, and starts daemons that improve
|
|
performance. You can use the <B>afsd</B> command's arguments
|
|
to override the parameters' default values and to change the number of
|
|
some of the daemons. Depending on the machine's cache size, its
|
|
amount of RAM, and how many people work on it, you can sometimes improve Cache
|
|
Manager performance by overriding the default values. For a discussion
|
|
of all of the <B>afsd</B> command's arguments, see its reference page
|
|
in the <I>IBM AFS Administration Reference</I>.
|
|
<P>The <B>afsd</B> command line in the AFS initialization script on each
|
|
system type includes an <TT>OPTIONS</TT> variable. You can use it to
|
|
set nondefault values for the command's arguments, in one of the
|
|
following ways:
|
|
<UL>
|
|
<P><LI>You can create an <B>afsd</B> <I>options file</I> that sets values
|
|
for arguments to the <B>afsd</B> command. If the file exists, its
|
|
contents are automatically substituted for the <TT>OPTIONS</TT> variable in
|
|
the AFS initialization script. The AFS distribution for some system
|
|
types includes an options file; on other system types, you must create
|
|
it.
|
|
<P>You use two variables in the AFS initialization script to specify the path
|
|
to the options file: <TT>CONFIG</TT> and <TT>AFSDOPT</TT>. On
|
|
system types that define a conventional directory for configuration files, the
|
|
<TT>CONFIG</TT> variable indicates it by default; otherwise, the
|
|
variable indicates an appropriate location.
|
|
<P>List the desired <B>afsd</B> options on a single line in the options
|
|
file, separating each option with one or more spaces. The following
|
|
example sets the <B>-stat</B> argument to 2500, the <B>-daemons</B>
|
|
argument to 4, and the <B>-volumes</B> argument to 100.
|
|
<PRE>
|
|
-stat 2500 -daemons 4 -volumes 100
|
|
|
|
</PRE>
|
|
<P><LI>On a machine that uses a disk cache, you can set the <TT>OPTIONS</TT>
|
|
variable in the AFS initialization script to one of <TT>$SMALL</TT>,
|
|
<TT>$MEDIUM</TT>, or <TT>$LARGE</TT>. The AFS initialization script
|
|
uses one of these settings if the <B>afsd</B> options file named by the
|
|
<TT>AFSDOPT</TT> variable does not exist. In the script as
|
|
distributed, the <TT>OPTIONS</TT> variable is set to the value
|
|
<TT>$MEDIUM</TT>.
|
|
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Do not set the <TT>OPTIONS</TT> variable to <TT>$SMALL</TT>,
|
|
<TT>$MEDIUM</TT>, or <TT>$LARGE</TT> on a machine that uses a memory
|
|
cache. The arguments it sets are appropriate only on a machine that
|
|
uses a disk cache.
|
|
</TD></TR></TABLE>
|
|
<P>The script (or on some system types the <B>afsd</B> options file named
|
|
by the <TT>AFSDOPT</TT> variable) defines a value for each of
|
|
<TT>SMALL</TT>, <TT>MEDIUM</TT>, and <TT>LARGE</TT> that sets
|
|
<B>afsd</B> command arguments appropriately for client machines of
|
|
different sizes:
|
|
<UL>
|
|
<P><LI><TT>SMALL</TT> is suitable for a small machine that serves one or two
|
|
users and has approximately 8 MB of RAM and a 20-MB cache
|
|
<P><LI><TT>MEDIUM</TT> is suitable for a medium-sized machine that serves two
|
|
to six users and has 16 MB of RAM and a 40-MB cache
|
|
<P><LI><TT>LARGE</TT> is suitable for a large machine that serves five to ten
|
|
users and has 32 MB of RAM and a 100-MB cache
|
|
</UL>
|
|
<P><LI>You can choose not to create an <B>afsd</B> options file and to set
|
|
the <TT>OPTIONS</TT> variable in the initialization script to a null value
|
|
rather than to the default <TT>$MEDIUM</TT> value. You can then
|
|
either set arguments directly on the <B>afsd</B> command line in the
|
|
script, or set no arguments (and so accept default values for all Cache
|
|
Manager parameters).
|
|
</UL>
|
|
<OL TYPE=1>
|
|
<P><LI>Create the local directory on which to mount the AFS filespace, by
|
|
convention <B>/afs</B>. If the directory already exists, verify
|
|
that it is empty.
|
|
<PRE>
|
|
# <B>mkdir /afs</B>
|
|
|
|
</PRE>
|
|
<P><LI>On AIX systems, add the following line to the <B>/etc/vfs</B>
|
|
file. It enables AIX to unmount AFS correctly during shutdown.
|
|
<PRE>
|
|
afs 4 none none
|
|
|
|
</PRE>
|
|
<P><LI>On Linux systems, copy the <B>afsd</B> options file from the
|
|
<B>/usr/vice/etc</B> directory to the <B>/etc/sysconfig</B> directory,
|
|
removing the <B>.conf</B> extension as you do so.
|
|
<PRE>
|
|
# <B>cp /usr/vice/etc/afs.conf /etc/sysconfig/afs</B>
|
|
|
|
</PRE>
|
|
<P><LI>Edit the machine's AFS initialization script or <B>afsd</B>
|
|
options file to set appropriate values for <B>afsd</B> command
|
|
parameters. The appropriate file for each system type is as
|
|
follows:
|
|
<UL>
|
|
<P><LI>On AIX systems, <B>/etc/rc.afs</B>
|
|
<P><LI>On Digital UNIX systems, <B>/sbin/init.d/afs</B>
|
|
<P><LI>On HP-UX systems, <B>/sbin/init.d/afs</B>
|
|
<P><LI>On IRIX systems, <B>/etc/init.d/afs</B>
|
|
<P><LI>On Linux systems, <B>/etc/sysconfig/afs</B> (the <B>afsd</B>
|
|
options file)
|
|
<P><LI>On Solaris systems, <B>/etc/init.d/afs</B>
|
|
</UL>
|
|
<P>Use one of the methods described in the introduction to this section to add
|
|
the following flags to the <B>afsd</B> command line. Also set any
|
|
performance-related arguments you wish.
|
|
<UL>
|
|
<P><LI>Add the <B>-memcache</B> flag if the machine is to use a memory
|
|
cache.
|
|
<P><LI>Add the <B>-verbose</B> flag to display a trace of the Cache
|
|
Manager's initialization on the standard output stream.
|
|
</UL>
|
|
</OL>
|
|
<A NAME="IDX3054"></A>
|
|
<A NAME="IDX3055"></A>
|
|
<A NAME="IDX3056"></A>
|
|
<A NAME="IDX3057"></A>
|
|
<A NAME="IDX3058"></A>
|
|
<HR><H2><A NAME="HDRWQ150" HREF="auqbg002.htm#ToC_143">Starting the Cache Manager and Installing the AFS Initialization Script</A></H2>
|
|
<P>In this section you run the AFS initialization script to
|
|
start the Cache Manager. If the script works correctly, perform the
|
|
steps that incorporate it into the machine's startup and shutdown
|
|
sequence. If there are problems during the initialization, attempt to
|
|
resolve them. The AFS Product Support group can provide assistance if
|
|
necessary.
|
|
<P>On machines that use a disk cache, it can take a while for the
|
|
<B>afsd</B> program to run the first time on a machine, because it must
|
|
create all of the <B>V</B><VAR>n</VAR> files in the cache directory.
|
|
Subsequent Cache Manager initializations do not take nearly as long, because
|
|
the <B>V</B><VAR>n</VAR> files already exist.
|
|
<P>On system types that use a dynamic loader program, you must reboot the
|
|
machine before running the initialization script, so that it can freshly load
|
|
AFS modifications into the kernel.
|
|
<P>Proceed to the instructions for your system type:
|
|
<UL>
|
|
<P><LI><A HREF="#HDRWQ151">Running the Script on AIX Systems</A>
|
|
<P><LI><A HREF="#HDRWQ152">Running the Script on Digital UNIX Systems</A>
|
|
<P><LI><A HREF="#HDRWQ153">Running the Script on HP-UX Systems</A>
|
|
<P><LI><A HREF="#HDRWQ154">Running the Script on IRIX Systems</A>
|
|
<P><LI><A HREF="#HDRWQ155">Running the Script on Linux Systems</A>
|
|
<P><LI><A HREF="#HDRWQ156">Running the Script on Solaris Systems</A>
|
|
</UL>
|
|
<A NAME="IDX3059"></A>
|
|
<A NAME="IDX3060"></A>
|
|
<A NAME="IDX3061"></A>
|
|
<A NAME="IDX3062"></A>
|
|
<P><H3><A NAME="HDRWQ151" HREF="auqbg002.htm#ToC_144">Running the Script on AIX Systems</A></H3>
|
|
<OL TYPE=1>
|
|
<P><LI>Reboot the machine and log in again as the local superuser
|
|
<B>root</B>.
|
|
<PRE>
|
|
# <B>cd /</B>
|
|
|
|
# <B>shutdown -r now</B>
|
|
|
|
login: <B>root</B>
|
|
Password: <VAR>root_password</VAR>
|
|
|
|
</PRE>
|
|
<P><LI>Run the AFS initialization script.
|
|
<PRE>
|
|
# <B>/etc/rc.afs</B>
|
|
|
|
</PRE>
|
|
<P><LI>Edit the AIX initialization file, <B>/etc/inittab</B>, adding the
|
|
following line to invoke the AFS initialization script. Place it just
|
|
after the line that starts NFS daemons.
|
|
<PRE>
|
|
rcafs:2:wait:/etc/rc.afs > /dev/console 2>&1 # Start AFS services
|
|
|
|
</PRE>
|
|
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
|
|
in both the <B>/usr/vice/etc</B> and <B>/etc</B> directories.
|
|
If you want to avoid potential confusion by guaranteeing that they are always
|
|
the same, create a link between them. You can always retrieve the
|
|
original script from the AFS CD-ROM if necessary.
|
|
<PRE>
|
|
# <B>cd /usr/vice/etc</B>
|
|
|
|
# <B>rm rc.afs</B>
|
|
|
|
# <B>ln -s /etc/rc.afs</B>
|
|
|
|
</PRE>
|
|
<P><LI>If a volume for housing AFS binaries for this machine's system type
|
|
does not already exist, proceed to <A HREF="#HDRWQ157">Setting Up Volumes and Loading Binaries into AFS</A>. Otherwise, the installation is complete.
|
|
</OL>
|
|
<A NAME="IDX3063"></A>
|
|
<A NAME="IDX3064"></A>
|
|
<A NAME="IDX3065"></A>
|
|
<A NAME="IDX3066"></A>
|
|
<P><H3><A NAME="HDRWQ152" HREF="auqbg002.htm#ToC_145">Running the Script on Digital UNIX Systems</A></H3>
|
|
<OL TYPE=1>
|
|
<P><LI>Run the AFS initialization script.
|
|
<PRE>
|
|
# <B>/sbin/init.d/afs start</B>
|
|
|
|
</PRE>
|
|
<P><LI>Change to the <B>/sbin/init.d</B> directory and issue the
|
|
<B>ln -s</B> command to create symbolic links that incorporate the AFS
|
|
initialization script into the Digital UNIX startup and shutdown
|
|
sequence.
|
|
<PRE>
|
|
# <B>cd /sbin/init.d</B>
|
|
|
|
# <B>ln -s ../init.d/afs /sbin/rc3.d/S67afs</B>
|
|
|
|
# <B>ln -s ../init.d/afs /sbin/rc0.d/K66afs</B>
|
|
|
|
</PRE>
|
|
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
|
|
in both the <B>/usr/vice/etc</B> and <B>/sbin/init.d</B>
|
|
directories. If you want to avoid potential confusion by guaranteeing
|
|
that they are always the same, create a link between them. You can
|
|
always retrieve the original script from the AFS CD-ROM if necessary.
|
|
<PRE>
|
|
# <B>cd /usr/vice/etc</B>
|
|
|
|
# <B>rm afs.rc</B>
|
|
|
|
# <B>ln -s /sbin/init.d/afs afs.rc</B>
|
|
|
|
</PRE>
|
|
<P><LI>If a volume for housing AFS binaries for this machine's system type
|
|
does not already exist, proceed to <A HREF="#HDRWQ157">Setting Up Volumes and Loading Binaries into AFS</A>. Otherwise, the installation is complete.
|
|
</OL>
|
|
<A NAME="IDX3067"></A>
|
|
<A NAME="IDX3068"></A>
|
|
<A NAME="IDX3069"></A>
|
|
<P><H3><A NAME="HDRWQ153" HREF="auqbg002.htm#ToC_146">Running the Script on HP-UX Systems</A></H3>
|
|
<OL TYPE=1>
|
|
<P><LI>Run the AFS initialization script.
|
|
<PRE>
|
|
# <B>/sbin/init.d/afs start</B>
|
|
|
|
</PRE>
|
|
<P><LI>Change to the <B>/sbin/init.d</B> directory and issue the
|
|
<B>ln -s</B> command to create symbolic links that incorporate the AFS
|
|
initialization script into the HP-UX startup and shutdown sequence.
|
|
<PRE>
|
|
# <B>cd /sbin/init.d</B>
|
|
|
|
# <B>ln -s ../init.d/afs /sbin/rc2.d/S460afs</B>
|
|
|
|
# <B>ln -s ../init.d/afs /sbin/rc2.d/K800afs</B>
|
|
|
|
</PRE>
|
|
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
|
|
in both the <B>/usr/vice/etc</B> and <B>/sbin/init.d</B>
|
|
directories. If you want to avoid potential confusion by guaranteeing
|
|
that they are always the same, create a link between them. You can
|
|
always retrieve the original script from the AFS CD-ROM if necessary.
|
|
<PRE>
|
|
# <B>cd /usr/vice/etc</B>
|
|
|
|
# <B>rm afs.rc</B>
|
|
|
|
# <B>ln -s /sbin/init.d/afs afs.rc</B>
|
|
|
|
</PRE>
|
|
<P><LI>If a volume for housing AFS binaries for this machine's system type
|
|
does not already exist, proceed to <A HREF="#HDRWQ157">Setting Up Volumes and Loading Binaries into AFS</A>. Otherwise, the installation is complete.
|
|
</OL>
|
|
<A NAME="IDX3070"></A>
|
|
<A NAME="IDX3071"></A>
|
|
<A NAME="IDX3072"></A>
|
|
<A NAME="IDX3073"></A>
|
|
<A NAME="IDX3074"></A>
|
|
<A NAME="IDX3075"></A>
|
|
<A NAME="IDX3076"></A>
|
|
<P><H3><A NAME="HDRWQ154" HREF="auqbg002.htm#ToC_147">Running the Script on IRIX Systems</A></H3>
|
|
<OL TYPE=1>
|
|
<P><LI>If you have configured the machine to use the <B>ml</B> dynamic loader
|
|
program, reboot the machine and log in again as the local superuser
|
|
<B>root</B>.
|
|
<PRE>
|
|
# <B>cd /</B>
|
|
|
|
# <B>shutdown -i6 -g0 -y</B>
|
|
|
|
login: <B>root</B>
|
|
Password: <VAR>root_password</VAR>
|
|
|
|
</PRE>
|
|
<P><LI>Issue the <B>chkconfig</B> command to activate the
|
|
<B>afsclient</B> configuration variable.
|
|
<PRE>
|
|
# <B>/etc/chkconfig -f afsclient on</B>
|
|
|
|
</PRE>
|
|
<P><LI>Run the AFS initialization script.
|
|
<PRE>
|
|
# <B>/etc/init.d/afs start</B>
|
|
|
|
</PRE>
|
|
<P><LI>Change to the <B>/etc/init.d</B> directory and issue the
|
|
<B>ln -s</B> command to create symbolic links that incorporate the AFS
|
|
initialization script into the IRIX startup and shutdown sequence.
|
|
<PRE>
|
|
# <B>cd /etc/init.d</B>
|
|
|
|
# <B>ln -s ../init.d/afs /etc/rc2.d/S35afs</B>
|
|
|
|
# <B>ln -s ../init.d/afs /etc/rc0.d/K35afs</B>
|
|
|
|
</PRE>
|
|
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
|
|
in both the <B>/usr/vice/etc</B> and <B>/etc/init.d</B>
|
|
directories. If you want to avoid potential confusion by guaranteeing
|
|
that they are always the same, create a link between them. You can
|
|
always retrieve the original script from the AFS CD-ROM if necessary.
|
|
<PRE>
|
|
# <B>cd /usr/vice/etc</B>
|
|
|
|
# <B>rm afs.rc</B>
|
|
|
|
# <B>ln -s /etc/init.d/afs afs.rc</B>
|
|
|
|
</PRE>
|
|
<P><LI>If a volume for housing AFS binaries for this machine's system type
|
|
does not already exist, proceed to <A HREF="#HDRWQ157">Setting Up Volumes and Loading Binaries into AFS</A>. Otherwise, the installation is complete.
|
|
</OL>
|
|
<A NAME="IDX3077"></A>
|
|
<A NAME="IDX3078"></A>
|
|
<A NAME="IDX3079"></A>
|
|
<A NAME="IDX3080"></A>
|
|
<P><H3><A NAME="HDRWQ155" HREF="auqbg002.htm#ToC_148">Running the Script on Linux Systems</A></H3>
|
|
<OL TYPE=1>
|
|
<P><LI>Reboot the machine and log in again as the local superuser
|
|
<B>root</B>.
|
|
<PRE>
|
|
# <B>cd /</B>
|
|
|
|
# <B>shutdown -r now</B>
|
|
|
|
login: <B>root</B>
|
|
Password: <VAR>root_password</VAR>
|
|
|
|
</PRE>
|
|
<P><LI>Run the AFS initialization script.
|
|
<PRE>
|
|
# <B>/etc/rc.d/init.d/afs start</B>
|
|
|
|
</PRE>
|
|
<P><LI>Issue the <B>chkconfig</B> command to activate the <B>afs</B>
|
|
configuration variable. Based on the instruction in the AFS
|
|
initialization file that begins with the string <TT>#chkconfig</TT>, the
|
|
command automatically creates the symbolic links that incorporate the script
|
|
into the Linux startup and shutdown sequence.
|
|
<PRE>
|
|
# <B>/sbin/chkconfig --add afs</B>
|
|
|
|
</PRE>
|
|
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
|
|
in both the <B>/usr/vice/etc</B> and
|
|
<B>/etc/rc.d/init.d</B> directories, and copies of the
|
|
<B>afsd</B> options file in both the <B>/usr/vice/etc</B> and
|
|
<B>/etc/sysconfig</B> directories. If you want to avoid potential
|
|
confusion by guaranteeing that the two copies of each file are always the
|
|
same, create a link between them. You can always retrieve the original
|
|
script or options file from the AFS CD-ROM if necessary.
|
|
<PRE>
|
|
# <B>cd /usr/vice/etc</B>
|
|
|
|
# <B>rm afs.rc afs.conf</B>
|
|
|
|
# <B>ln -s /etc/rc.d/init.d/afs afs.rc</B>
|
|
|
|
# <B>ln -s /etc/sysconfig/afs afs.conf</B>
|
|
|
|
</PRE>
|
|
<P><LI>If a volume for housing AFS binaries for this machine's system type
|
|
does not already exist, proceed to <A HREF="#HDRWQ157">Setting Up Volumes and Loading Binaries into AFS</A>. Otherwise, the installation is complete.
|
|
</OL>
|
|
<A NAME="IDX3081"></A>
|
|
<A NAME="IDX3082"></A>
|
|
<A NAME="IDX3083"></A>
|
|
<P><H3><A NAME="HDRWQ156" HREF="auqbg002.htm#ToC_149">Running the Script on Solaris Systems</A></H3>
|
|
<OL TYPE=1>
|
|
<P><LI>Reboot the machine and log in again as the local superuser
|
|
<B>root</B>.
|
|
<PRE>
|
|
# <B>cd /</B>
|
|
|
|
# <B>shutdown -i6 -g0 -y</B>
|
|
|
|
login: <B>root</B>
|
|
Password: <VAR>root_password</VAR>
|
|
|
|
</PRE>
|
|
<P><LI>Run the AFS initialization script.
|
|
<PRE>
|
|
# <B>/etc/init.d/afs start</B>
|
|
|
|
</PRE>
|
|
<P><LI>Change to the <B>/etc/init.d</B> directory and issue the
|
|
<B>ln -s</B> command to create symbolic links that incorporate the AFS
|
|
initialization script into the Solaris startup and shutdown sequence.
|
|
<PRE>
|
|
# <B>cd /etc/init.d</B>
|
|
|
|
# <B>ln -s ../init.d/afs /etc/rc3.d/S99afs</B>
|
|
|
|
# <B>ln -s ../init.d/afs /etc/rc0.d/K66afs</B>
|
|
|
|
</PRE>
|
|
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and <B>/etc/init.d</B>
directories. If you want to avoid potential confusion by guaranteeing
that they are always the same, create a link between them. You can
always retrieve the original script from the AFS CD-ROM if necessary.
<PRE>
# <B>cd /usr/vice/etc</B>

# <B>rm afs.rc</B>

# <B>ln -s /etc/init.d/afs afs.rc</B>

</PRE>
<P><LI>If a volume for housing AFS binaries for this machine's system type
does not already exist, proceed to <A HREF="#HDRWQ157">Setting Up Volumes and Loading Binaries into AFS</A>. Otherwise, the installation is complete.
</OL>
<A NAME="IDX3084"></A>
<A NAME="IDX3085"></A>
<A NAME="IDX3086"></A>
<A NAME="IDX3087"></A>
<A NAME="IDX3088"></A>
<A NAME="IDX3089"></A>
<HR><H2><A NAME="HDRWQ157" HREF="auqbg002.htm#ToC_150">Setting Up Volumes and Loading Binaries into AFS</A></H2>
<P>In this section, you link <B>/usr/afsws</B> on the local
disk to the directory in AFS that houses AFS binaries for this system
type. The conventional name for the AFS directory is
<B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>.
<P>If this machine is an existing system type, the AFS directory presumably
already exists. You can simply create a link from the local
<B>/usr/afsws</B> directory to it. Follow the instructions in <A HREF="#HDRWQ158">Linking /usr/afsws on an Existing System Type</A>.
<P>If this machine is a new system type (there are no AFS machines of this
type in your cell), you must first create and mount volumes to store its AFS
binaries, and then create the link from <B>/usr/afsws</B> to the new
directory. See <A HREF="#HDRWQ159">Creating Binary Volumes for a New System Type</A>.
<P>You can also store UNIX system binaries (the files normally stored in local
disk directories such as <B>/bin</B>, <B>/etc</B>, and
<B>/lib</B>) in volumes mounted under
<B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR>. See <A HREF="auqbg005.htm#HDRWQ88">Storing System Binaries in AFS</A>.
<P><H3><A NAME="HDRWQ158" HREF="auqbg002.htm#ToC_151">Linking /usr/afsws on an Existing System Type</A></H3>
<P>If this client machine is an existing system type, there is
already a volume mounted in the AFS filespace that houses AFS client binaries
for it.
<OL TYPE=1>
<P><LI>Create <B>/usr/afsws</B> on the local disk as a symbolic link to the
directory <B>/afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws</B>.
You can specify the actual system name instead of <B>@sys</B> if you wish,
but the advantage of using <B>@sys</B> is that it remains valid if you
upgrade this machine to a different system type.
<PRE>
# <B>ln -s /afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws /usr/afsws</B>

</PRE>
<P><LI><B>(Optional)</B> If you believe it is helpful to your users to access
the AFS documents in a certain format via a local disk directory, create
<B>/usr/afsdoc</B> on the local disk as a symbolic link to the
documentation directory in AFS
(<B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>).
<P>
<PRE>
# <B>ln -s /afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR> <B>/usr/afsdoc</B>
</PRE>
<P>An alternative is to create a link in each user's home directory to
the <B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>
directory.
</OL>
<P><H3><A NAME="HDRWQ159" HREF="auqbg002.htm#ToC_152">Creating Binary Volumes for a New System Type</A></H3>
<P>If this client machine is a new system type, you must create
and mount volumes for its binaries before you can link the local
<B>/usr/afsws</B> directory to an AFS directory.
<P>To create and mount the volumes, you use the <B>klog</B> command to
authenticate as an administrator and then issue commands from the
<B>vos</B> and <B>fs</B> command suites. However, the command
binaries are not yet available on this machine (by convention, they are
accessible via the <B>/usr/afsws</B> link that you are about to
create). You have two choices:
<UL>
<P><LI>Perform all steps except the last one (Step <A HREF="#LIWQ162">10</A>) on an existing AFS machine. On a file server
machine, the <B>klog</B>, <B>fs</B> and <B>vos</B> binaries reside
in the <B>/usr/afs/bin</B> directory. On client machines, the
<B>klog</B> and <B>fs</B> binaries reside in the
<B>/usr/afsws/bin</B> directory and the <B>vos</B> binary in the
<B>/usr/afsws/etc</B> directory. Depending on how your PATH
environment variable is set, you possibly need to precede the command names
with a pathname.
<P>If you work on another AFS machine, be sure to substitute the new system
type name for the <VAR>sysname</VAR> argument in the following commands, not the
system type of the machine on which you are issuing the commands.
<P><LI>Copy the necessary command binaries to a temporary location on the local
disk, which enables you to perform the steps on the local machine. The
following procedure installs them in the <B>/tmp</B> directory and removes
them at the end. Depending on how your PATH environment variable is
set, you possibly need to precede the command names with a pathname.
</UL>
<P>Perform the following steps to create a volume for housing AFS
binaries.
<OL TYPE=1>
<P><LI>Working either on the local machine or another AFS machine, mount the AFS
CD-ROM for the new system type on the <B>/cdrom</B> directory, if it is
not already mounted. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), consult the operating system documentation.
<P><LI>If working on the local machine, copy the necessary binaries to a
temporary location on the local disk. Substitute a different directory
name for <B>/tmp</B> if you wish.
<PRE>
# <B>cd /cdrom/</B><VAR>new_sysname</VAR><B>/root.server/usr/afs/bin</B>

# <B>cp -p klog /tmp</B>

# <B>cp -p fs /tmp</B>

# <B>cp -p vos /tmp</B>

</PRE>
<P><LI>Authenticate as the user <B>admin</B>.
<PRE>
# <B>klog admin</B>
Password: <VAR>admin_password</VAR>

</PRE>
<P><LI><A NAME="LIWQ160"></A>Issue the <B>vos create</B> command to create volumes for
storing the AFS client binaries for this system type. The following
example instruction creates volumes called <VAR>sysname</VAR>,
<VAR>sysname</VAR>.<B>usr</B>, and
<VAR>sysname</VAR>.<B>usr.afsws</B>. Refer to the
<I>IBM AFS Release Notes</I> to learn the proper value of <VAR>sysname</VAR>
for this system type.
<PRE>
# <B>vos create</B> &lt;<VAR>machine name</VAR>&gt; &lt;<VAR>partition name</VAR>&gt; <VAR>sysname</VAR>

# <B>vos create</B> &lt;<VAR>machine name</VAR>&gt; &lt;<VAR>partition name</VAR>&gt; <VAR>sysname</VAR><B>.usr</B>

# <B>vos create</B> &lt;<VAR>machine name</VAR>&gt; &lt;<VAR>partition name</VAR>&gt; <VAR>sysname</VAR><B>.usr.afsws</B>

</PRE>
<P><LI>Issue the <B>fs mkmount</B> command to mount the newly created
volumes. Because the <B>root.cell</B> volume is replicated,
you must precede the <I>cellname</I> part of the pathname with a period to
specify the read/write mount point, as shown. Then issue the <B>vos
release</B> command to release a new replica of the
<B>root.cell</B> volume, and the <B>fs checkvolumes</B> command
to force the local Cache Manager to access them.
<PRE>
# <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR> <B>-vol</B> <VAR>sysname</VAR>

# <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr</B> <B>-vol</B> <VAR>sysname</VAR><B>.usr</B>

# <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B> <B>-vol</B> <VAR>sysname</VAR><B>.usr.afsws</B>

# <B>vos release root.cell</B>

# <B>fs checkvolumes</B>

</PRE>
<P><LI>Issue the <B>fs setacl</B> command to grant the <B>l</B>
(<B>lookup</B>) and <B>r</B> (<B>read</B>) permissions to the
<B>system:anyuser</B> group on each new directory's ACL.
<PRE>
# <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR>

# <B>fs setacl -dir . usr usr/afsws -acl system:anyuser rl</B>

</PRE>
<P><LI>Issue the <B>fs setquota</B> command to set an unlimited quota on the
volume mounted at the
<B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
directory. This enables you to copy all of the appropriate files from
the CD-ROM into the volume without exceeding the volume's quota.
<P>If you wish, you can set the volume's quota to a finite value after
you complete the copying operation. At that point, use the <B>vos
examine</B> command to determine how much space the volume is
occupying. Then issue the <B>fs setquota</B> command to set a quota
that is slightly larger.
<PRE>
# <B>fs setquota /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws 0</B>

</PRE>
<P><LI><A NAME="LIWQ161"></A>Copy the contents of the indicated directories from the CD-ROM
into the
<B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
directory.
<PRE>
# <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>

# <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/bin .</B>

# <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/etc .</B>

# <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/include .</B>

# <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/lib .</B>

</PRE>
<P><LI>Issue the <B>fs setacl</B> command to set the ACL on each directory
appropriately. To comply with the terms of your AFS License agreement,
you must prevent unauthorized users from accessing AFS software. To
enable access for locally authenticated users only, set the ACL on the
<B>etc</B>, <B>include</B>, and <B>lib</B> subdirectories to grant
the <B>l</B> and <B>r</B> permissions to the
<B>system:authuser</B> group rather than the
<B>system:anyuser</B> group. The
<B>system:anyuser</B> group must retain the <B>l</B> and
<B>r</B> permissions on the <B>bin</B> subdirectory to enable
unauthenticated users to access the <B>klog</B> binary. To ensure
that unauthorized users are not accessing AFS software, check periodically
that the ACLs on these directories are set properly.
<PRE>
# <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>

# <B>fs setacl -dir etc include lib -acl system:authuser rl</B> \
      <B>system:anyuser none</B>

</PRE>
<P><LI><A NAME="LIWQ162"></A>Perform this step on the new client machine even if you have
performed the previous steps on another machine. Create
<B>/usr/afsws</B> on the local disk as a symbolic link to the directory
<B>/afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws</B>. You can
specify the actual system name instead of <B>@sys</B> if you wish, but the
advantage of using <B>@sys</B> is that it remains valid if you upgrade
this machine to a different system type.
<PRE>
# <B>ln -s /afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws /usr/afsws</B>

</PRE>
<P><LI><B>(Optional)</B> To enable users to issue commands from the AFS
suites (such as <B>fs</B>) without having to specify a pathname to their
binaries, include the <B>/usr/afsws/bin</B> and <B>/usr/afsws/etc</B>
directories in the PATH environment variable you define in each user's
shell initialization file (such as <B>.cshrc</B>).
<P><LI><B>(Optional)</B> If you believe it is helpful to your users to access
the AFS documents in a certain format via a local disk directory, create
<B>/usr/afsdoc</B> on the local disk as a symbolic link to the
documentation directory in AFS
(<B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>).
<P>
<PRE>
# <B>ln -s /afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR> <B>/usr/afsdoc</B>
</PRE>
<P>An alternative is to create a link in each user's home directory to
the <B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>
directory.
<P><LI><B>(Optional)</B> If working on the local machine, remove the AFS
binaries from the temporary location. They are now accessible in the
<B>/usr/afsws</B> directory.
<PRE>
# <B>cd /tmp</B>

# <B>rm klog fs vos</B>

</PRE>
</OL>
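<P>The periodic ACL check that the <B>fs setacl</B> step above calls for can be scripted. The following is an added example, not part of the original guide: a shell function that reads <B>fs listacl</B> output and reports any directory that departs from that step's policy. The function names and the sample ACL listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `fs listacl` output against the ACL policy in the step above.
# Reads listacl text on stdin, prints one line per finding, returns 1 if any.
audit_afsws_acl() {
    awk '
    function check(   base) {
        if (dir == "") return
        base = dir; sub(/.*\//, "", base)          # last path component
        if (base == "bin") {
            if (any !~ /r/ || any !~ /l/) {
                print dir ": system:anyuser lacks rl (klog unreachable)"; bad = 1
            }
        } else if (base ~ /^(etc|include|lib)$/) {
            if (any != "") {
                print dir ": system:anyuser has " any " (expected none)"; bad = 1
            }
            if (auth !~ /r/ || auth !~ /l/) {
                print dir ": system:authuser lacks rl"; bad = 1
            }
        }
    }
    /^Access list for / { check(); dir = $4; any = auth = sect = ""; next }
    /^Normal rights:/   { sect = "normal"; next }
    /^Negative rights:/ { sect = "negative"; next }
    sect == "normal" && $1 == "system:anyuser"  { any  = $2 }
    sect == "normal" && $1 == "system:authuser" { auth = $2 }
    END { check(); exit bad + 0 }
    '
}

# Constructed sample input (not captured from a real cell): compliant ACLs.
sample_ok() {
    printf '%s\n' 'Access list for bin is' 'Normal rights:' \
        '  system:administrators rlidwka' '  system:anyuser rl' '' \
        'Access list for etc is' 'Normal rights:' \
        '  system:administrators rlidwka' '  system:authuser rl'
}

# Constructed sample input: lib still readable by system:anyuser, bin locked down.
sample_drifted() {
    printf '%s\n' 'Access list for bin is' 'Normal rights:' \
        '  system:authuser rl' '' \
        'Access list for lib is' 'Normal rights:' \
        '  system:anyuser rl' '  system:authuser rl'
}

# Real use, from /afs/.cellname/sysname/usr/afsws:
#   fs listacl bin etc include lib | audit_afsws_acl
```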
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auqbg002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auqbg006.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Top_Of_Page"><IMG SRC="../top.gif" BORDER="0" ALT="[Top of Topic]"></A> <A HREF="auqbg008.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auqbg009.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
<!-- Begin Footer Records ========================================== -->
<P><HR><B>
<br>© <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A> All Rights Reserved
</B>
<!-- End Footer Records ============================================ -->
<A NAME="Bot_Of_Page"></A>
</BODY></HTML>