<li><a href="#3.02 Is there a version of xloc"> 3.02 Is there a version of xlock available with AFS authentication?</a></li>
<li><a href="#3.03 What is /afs/@cell?"> 3.03 What is /afs/@cell?</a></li>
<li><a href="#3.04 Given that AFS data is loc"> 3.04 Given that AFS data is location independent, how does an AFS client determine which server houses the data its user is attempting to access?</a></li>
- <li><a href="#3.05 Which protocols does AFS u"> 3.05 Which protocols does AFS use?</a></li>
- <li><a href="#3.06 Are setuid programs execut"> 3.06 Are setuid programs executable across AFS cell boundaries?</a></li>
- <li><a href="#3.07 How does AFS maintain cons"> 3.07 How does AFS maintain consistency on read-write files?</a></li>
- <li><a href="#3.08 How can I run daemons with"> 3.08 How can I run daemons with tokens that do not expire?</a></li>
- <li><a href="#3.09 Can I check my user's pass"> 3.09 Can I check my user's passwords for security purposes?</a></li>
- <li><a href="#3.10 Is there a way to automati"> 3.10 Is there a way to automatically balance disk usage across fileservers?</a></li>
- <li><a href="#3.11 Can I shutdown an AFS file"> 3.11 Can I shutdown an AFS fileserver without affecting users?</a></li>
- <li><a href="#3.12 How can I set up mail deli"> 3.12 How can I set up mail delivery to users with $HOMEs in AFS?</a></li>
- <li><a href="#3.13 Should I replicate a _Read"> 3.13 Should I replicate a ReadOnly volume on the same partition and server as the ReadWrite volume?</a></li>
- <li><a href="#3.14 Should I start AFS before"> 3.14 Should I start AFS before NFS in /etc/inittab?</a></li>
- <li><a href="#3.15 Will AFS run on a multi-ho"> 3.15 Will AFS run on a multi-homed fileserver?</a></li>
- <li><a href="#3.16 Can I replicate my user's"> 3.16 Can I replicate my user's home directory AFS volumes?</a></li>
- <li><a href="#3.17 Which TCP/IP ports and pro"> 3.17 Which TCP/IP ports and protocols do I need to enable in order to operate AFS through my Internet firewall?</a></li>
+ <li><a href="#3.05 How does AFS maintain cons"> 3.05 How does AFS maintain consistency on read-write files?</a></li>
+ <li><a href="#3.06 Which protocols does AFS u"> 3.06 Which protocols does AFS use?</a></li>
+ <li><a href="#3.07 Which TCP/IP ports and pro"> 3.07 Which TCP/IP ports and protocols do I need to enable in order to operate AFS through my Internet firewall?</a></li>
+ <li><a href="#3.08 Are setuid programs execut"> 3.08 Are setuid programs executable across AFS cell boundaries?</a></li>
+ <li><a href="#3.09 How can I run daemons with"> 3.09 How can I run daemons with tokens that do not expire?</a></li>
+ <li><a href="#3.10 Can I check my user's pass"> 3.10 Can I check my user's passwords for security purposes?</a></li>
+ <li><a href="#3.11 Is there a way to automati"> 3.11 Is there a way to automatically balance disk usage across fileservers?</a></li>
+ <li><a href="#3.12 Can I shutdown an AFS file"> 3.12 Can I shutdown an AFS fileserver without affecting users?</a></li>
+ <li><a href="#3.13 How can I set up mail deli"> 3.13 How can I set up mail delivery to users with $HOMEs in AFS?</a></li>
+ <li><a href="#3.14 Should I replicate a _Read"> 3.14 Should I replicate a ReadOnly volume on the same partition and server as the ReadWrite volume?</a></li>
+ <li><a href="#3.15 Should I start AFS before"> 3.15 Should I start AFS before NFS in /etc/inittab?</a></li>
+ <li><a href="#3.16 Will AFS run on a multi-ho"> 3.16 Will AFS run on a multi-homed fileserver?</a></li>
+ <li><a href="#3.17 Can I replicate my user's"> 3.17 Can I replicate my user's home directory AFS volumes?</a></li>
<li><a href="#3.18 What is the Andrew Benchma"> 3.18 What is the Andrew Benchmark?</a></li>
- <li><a href="#3.19 Is there a version of HP V"> 3.19 Is there a version of HP VUE login with AFS authentication?</a></li>
- <li><a href="#3.20 How can I list which clien"> 3.20 How can I list which clients have cached files from a server?</a></li>
- <li><a href="#3.21 Do Backup volumes require"> 3.21 Do Backup volumes require as much space as ReadWrite volumes?</a></li>
- <li><a href="#3.22 Should I run timed on my A"> 3.22 Should I run timed on my AFS client?</a></li>
- <li><a href="#3.23 Why should I keep /usr/vic"> 3.23 Why should I keep /usr/vice/etc/CellServDB current?</a></li>
- <li><a href="#3.24 How can I keep /usr/vice/e"> 3.24 How can I keep /usr/vice/etc/CellServDB current?</a></li>
- <li><a href="#3.25 How can I compute a list o"> 3.25 How can I compute a list of AFS fileservers?</a></li>
- <li><a href="#3.26 How can I set up anonymous"> 3.26 How can I set up anonymous FTP login to access /afs?</a></li>
- <li><a href="#3.27 Where can I find the Andre"> 3.27 Where can I find the Andrew Benchmark?</a></li>
+ <li><a href="#3.19 Where can I find the Andre"> 3.19 Where can I find the Andrew Benchmark?</a></li>
+ <li><a href="#3.20 Is there a version of HP V"> 3.20 Is there a version of HP VUE login with AFS authentication?</a></li>
+ <li><a href="#3.21 How can I list which clien"> 3.21 How can I list which clients have cached files from a server?</a></li>
+ <li><a href="#3.22 Do Backup volumes require"> 3.22 Do Backup volumes require as much space as ReadWrite volumes?</a></li>
+ <li><a href="#3.23 Should I run timed on my A"> 3.23 Should I run timed on my AFS client?</a></li>
+ <li><a href="#3.24 Why should I keep /usr/vic"> 3.24 Why should I keep /usr/vice/etc/CellServDB current?</a></li>
+ <li><a href="#3.25 How can I keep /usr/vice/e"> 3.25 How can I keep /usr/vice/etc/CellServDB current?</a></li>
+ <li><a href="#3.26 How can I compute a list o"> 3.26 How can I compute a list of AFS fileservers?</a></li>
+ <li><a href="#3.27 How can I set up anonymous"> 3.27 How can I set up anonymous FTP login to access /afs?</a></li>
<li><a href="#3.28 Is the data sent over the n"> 3.28 Is the data sent over the network encrypted in AFS ?</a></li>
<li><a href="#3.29 What underlying filesystems"> 3.29 What underlying filesystems can I use for AFS ?</a></li>
<li><a href="#3.30 Compiling _OpenAFS"> 3.30 Compiling OpenAFS</a></li>
<li><a href="#3.37 afs_krb_get_lrealm() using"> 3.37 afs_krb_get_lrealm() using /usr/afs/etc/krb.conf</a></li>
<li><a href="#3.38 Moving from kaserver to Hei"> 3.38 Moving from kaserver to Heimdal KDC</a></li>
<li><a href="#3.39 Moving from KTH-KRB4 to Hei"> 3.39 Moving from KTH-KRB4 to Heimdal KDC</a></li>
+ <li><a href="#3.40 What are those bos(1) -type"> 3.40 What are those bos(1) -type values simple and cron?</a></li>
+ <li><a href="#3.41 KDC listens on port 88 inst"> 3.41 KDC listens on port 88 instead of 750</a></li>
+ <li><a href="#3.42 afsd gives me "Error -1 in"> 3.42 afsd gives me "Error -1 in basic initialization." on startup</a></li>
+ <li><a href="#3.43 Although I get krb tickets,"> 3.43 Although I get krb tickets, afslog doesn't give me tokens, I see UDP packets to port 4444</a></li>
+ <li><a href="#3.44 I get error message trhough"> 3.44 I get error message trhough syslogd: "afs: Tokens for user of AFS id 0 for cell foo.bar.baz are discarded (rxkad error=19270407)"</a></li>
+ <li><a href="#3.45 I get tickets and tokens, b"> 3.45 I get tickets and tokens, but still get Permission denied.</a></li>
</ul>
</li>
</ul>
The Database Servers also house the Kerberos Authentication Database (encrypted user and server passwords), the Protection Database (user UID and protection group information) and the Backup Database (used by System Administrators to backup AFS file data to tape).
-### <a name="3.05 Which protocols does AFS u"></a> 3.05 Which protocols does AFS use?
+### <a name="3.05 How does AFS maintain cons"></a> 3.05 How does AFS maintain consistency on read-write files?
+
+AFS uses a mechanism called "callback".
+
+Callback is a promise from the fileserver that the cache version of a file/directory is up-to-date. It is established by the fileserver with the caching of a file.
+
+When a file is modified the fileserver breaks the callback. When the user accesses the file again the Cache Manager fetches a new copy if the callback has been broken.
+
+The following paragraphs describe AFS callback mechanism in more detail:
+
+If I open() fileA and start reading, and you then open() fileA, write() a change **\*\*and close() or fsync()\*\*** the file to get your changes back to the server - at the time the server accepts and writes your changes to the appropriate location on the server disk, the server also breaks callbacks to all clients to which it issued a copy of fileA.
+
+So my client receives a message to break the callback on fileA, which it dutifully does. But my application (editor, spreadsheet, whatever I'm using to read fileA) is still running, and doesn't really care that the callback has been broken.
+
+When something causes the application to read() more of the file the read() system call executes AFS cache manager code via the VFS switch, which does check the callback and therefore gets new copies of the data.
+
+Of course, the application may not re-read data that it has already read, but that would also be the case if you were both using the same host. So, for both AFS and local files, I may not see your changes.
+
+Now if I exit the application and start it again, or if the application does another open() on the file, then I will see the changes you've made.
+
+This information tends to cause tremendous heartache and discontent - but unnecessarily so. People imagine rampant synchronization problems. In practice this rarely happens and in those rare instances, the data in question is typically not critical enough to cause real problems or crashing and burning of applications. Since 1985, we've found that the synchronization algorithm has been more than adequate in practice - but people still like to worry!
+
+The source of worry is that, if I make changes to a file from my workstation, your workstation is not guaranteed to be notified until I close or fsync the file, at which point AFS guarantees that your workstation will be notified. This is a significant departure from NFS, in which no guarantees are provided.
+
+Partially because of the worry factor and largely because of Posix, this will change in DFS. DFS synchronization semantics are identical to local file system synchronization.
+
+[ DFS is the Distributed File System which is part of the Distributed ] [ Computing Environment (DCE). ]
+
+### <a name="3.06 Which protocols does AFS u"></a> 3.06 Which protocols does AFS use?
AFS may be thought of as a collection of protocols and software processes, nested one on top of the other. The constant interaction between and within these levels makes AFS a very sophisticated software system.
[ source: <ftp://ftp.transarc.com/pub/afsug/newsletter/apr91> ] [ Copyright 1991 Transarc Corporation ]
-### <a name="3.06 Are setuid programs execut"></a> 3.06 Are setuid programs executable across AFS cell boundaries?
+### <a name="3.07 Which TCP/IP ports and pro"></a> 3.07 Which TCP/IP ports and protocols do I need to enable in order to operate AFS through my Internet firewall?
-By default, the setuid bit is ignored but the program may be run (without setuid privilege).
-
-It is possible to configure an AFS client to honour the setuid bit. This is achieved by root running:
-
- root@toontown # fs setcell -cell $cellname -suid
+Assuming you have already taken care of nameserving, you may wish to use an Internet timeserver for Network Time Protocol [[[NTP|Main/FurtherReading#NTP]]] and the question about [[timed|Main/WebHome#NTP]]:
-(where $cellname is the name of the foreign cell. Use with care!).
-
-NB: making a program setuid (or setgid) in AFS does **not** mean that the program will get AFS permissions of a user or group. To become AFS authenticated, you have to klog. If you are not authenticated, AFS treats you as "system:anyuser".
+ntp 123/udp
-### <a name="3.07 How does AFS maintain cons"></a> 3.07 How does AFS maintain consistency on read-write files?
+A list of NTP servers is available via anonymous FTP from:
-AFS uses a mechanism called "callback".
+- <http://www.eecis.udel.edu/~mills/ntp/servers.html>
-Callback is a promise from the fileserver that the cache version of a file/directory is up-to-date. It is established by the fileserver with the caching of a file.
+For further details on NTP see: <http://www.eecis.udel.edu/~ntp/>
-When a file is modified the fileserver breaks the callback. When the user accesses the file again the Cache Manager fetches a new copy if the callback has been broken.
+For a "minimal" AFS service which does not allow inbound or outbound klog:
-The following paragraphs describe AFS callback mechanism in more detail:
+ cachemanager 4711/udp (only if you use the arla-client instead of OpenAFS)
+ fileserver 7000/udp
+ cachemanager 7001/udp
+ ptserver 7002/udp
+ vlserver 7003/udp
+ kaserver 7004/udp
+ volserver 7005/udp
+ reserved 7006/udp
+ bosserver 7007/udp
-If I open() fileA and start reading, and you then open() fileA, write() a change **\*\*and close() or fsync()\*\*** the file to get your changes back to the server - at the time the server accepts and writes your changes to the appropriate location on the server disk, the server also breaks callbacks to all clients to which it issued a copy of fileA.
+(Ports in the 7020-7029 range are used by the AFS backup system, and won't be needed by external clients performing simple file accesses.)
-So my client receives a message to break the callback on fileA, which it dutifully does. But my application (editor, spreadsheet, whatever I'm using to read fileA) is still running, and doesn't really care that the callback has been broken.
+Additionally, for "klog" to work through the firewall you need to allow inbound and outbound UDP on ports >1024 (probably 1024<port<2048 would suffice depending on the number of simultaneous klogs).
-When something causes the application to read() more of the file the read() system call executes AFS cache manager code via the VFS switch, which does check the callback and therefore gets new copies of the data.
+See also: <http://www-archive.stanford.edu/lists/info-afs/hyper95/0874.html>
-Of course, the application may not re-read data that it has already read, but that would also be the case if you were both using the same host. So, for both AFS and local files, I may not see your changes.
+### <a name="3.08 Are setuid programs execut"></a> 3.08 Are setuid programs executable across AFS cell boundaries?
-Now if I exit the application and start it again, or if the application does another open() on the file, then I will see the changes you've made.
+By default, the setuid bit is ignored but the program may be run (without setuid privilege).
-This information tends to cause tremendous heartache and discontent - but unnecessarily so. People imagine rampant synchronization problems. In practice this rarely happens and in those rare instances, the data in question is typically not critical enough to cause real problems or crashing and burning of applications. Since 1985, we've found that the synchronization algorithm has been more than adequate in practice - but people still like to worry!
+It is possible to configure an AFS client to honour the setuid bit. This is achieved by root running:
-The source of worry is that, if I make changes to a file from my workstation, your workstation is not guaranteed to be notified until I close or fsync the file, at which point AFS guarantees that your workstation will be notified. This is a significant departure from NFS, in which no guarantees are provided.
+ root@toontown # fs setcell -cell $cellname -suid
-Partially because of the worry factor and largely because of Posix, this will change in DFS. DFS synchronization semantics are identical to local file system synchronization.
+(where $cellname is the name of the foreign cell. Use with care!).
-[ DFS is the Distributed File System which is part of the Distributed ] [ Computing Environment (DCE). ]
+NB: making a program setuid (or setgid) in AFS does **not** mean that the program will get AFS permissions of a user or group. To become AFS authenticated, you have to klog. If you are not authenticated, AFS treats you as "system:anyuser".
-### <a name="3.08 How can I run daemons with"></a> 3.08 How can I run daemons with tokens that do not expire?
+### <a name="3.09 How can I run daemons with"></a> 3.09 How can I run daemons with tokens that do not expire?
It is not a good idea to run with tokens that do not expire because this would weaken one of the security features of Kerberos.
Another option is [OpenPBS](http://www.openpbs.org/) and [Password Storage and Retrieval](http://www.lam-mpi.org/software/psr/) (PSR), where you encrypt your AFS password with a public key and put it in your home directory, and trusted machine(s) which have the private key on local disk then decrypt your password and run your job. MIT uses a variant of this (e.g. [a](http://web.mit.edu/longjobs/www/) & [b](http://mit.edu/longjobs-dev/notebook/)) that uses their own code (see [longjobs documentation](http://web.mit.edu/longjobs-dev/doc/netsec.txt) sections III and IV) instead of PSR.
-### <a name="3.09 Can I check my user's pass"></a> 3.09 Can I check my user's passwords for security purposes?
+### <a name="3.10 Can I check my user's pass"></a> 3.10 Can I check my user's passwords for security purposes?
Yes. Alec Muffett's Crack tool (at version 4.1f) has been converted to work on the Transarc kaserver database. This modified Crack (AFS Crack) is available via anonymous ftp from:
</tr>
</table>
-### <a name="3.10 Is there a way to automati"></a> 3.10 Is there a way to automatically balance disk usage across fileservers?
+### <a name="3.11 Is there a way to automati"></a> 3.11 Is there a way to automatically balance disk usage across fileservers?
Yes. There is a tool, balance, which does exactly this. It can be retrieved via anonymous ftp from:
Author: Dan Lovinger Contact: Derrick Brashear <shadow+@andrew.cmu.edu>
-### <a name="3.11 Can I shutdown an AFS file"></a> 3.11 Can I shutdown an AFS fileserver without affecting users?
+### <a name="3.12 Can I shutdown an AFS file"></a> 3.12 Can I shutdown an AFS fileserver without affecting users?
Yes, this is an example of the flexibility you have in managing AFS.
- If the system to be shutdown has the lowest IP address there may be a brief delay in authenticating because of timeout experienced before contacting a second kaserver.
-### <a name="3.12 How can I set up mail deli"></a> 3.12 How can I set up mail delivery to users with $HOMEs in AFS?
+### <a name="3.13 How can I set up mail deli"></a> 3.13 How can I set up mail delivery to users with $HOMEs in AFS?
There are many ways to do this. Here, only two methods are considered:
<file:///afs/transarc.com/public/afs-contrib/doc/faq/auth-sendmail.tar.Z> <ftp://ftp.transarc.com/pub/afs-contrib/doc/faq/auth-sendmail.tar.Z>
-### <a name="3.13 Should I replicate a _Read"></a> 3.13 Should I replicate a [[ReadOnly]] volume on the same partition and server as the [[ReadWrite]] volume?
+### <a name="3.14 Should I replicate a _Read"></a> 3.14 Should I replicate a [[ReadOnly]] volume on the same partition and server as the [[ReadWrite]] volume?
Yes, Absolutely! It improves the robustness of your served volumes.
If you keep a "cheap replica", then by definition, if the RW is available, one of the RO's is also available, and clients will utilize that site.
-### <a name="3.14 Should I start AFS before"></a><a name="3.14 Should I start AFS before "></a> 3.14 Should I start AFS before NFS in /etc/inittab?
+### <a name="3.15 Should I start AFS before"></a><a name="3.15 Should I start AFS before "></a> 3.15 Should I start AFS before NFS in /etc/inittab?
Yes, it is possible to run both AFS and NFS on the same system but you should start AFS first.
${D}/cfgafs -a ${D}/afs.ext
/usr/afs/bin/bosserver &
-### <a name="3.15 Will AFS run on a multi-ho"></a> 3.15 Will AFS run on a multi-homed fileserver?
+### <a name="3.16 Will AFS run on a multi-ho"></a> 3.16 Will AFS run on a multi-homed fileserver?
(multi-homed = host has more than one network interface.)
At release 3.4 of AFS, it is possible to have multi-homed fileservers (but _not_ multi-homed database servers).
-### <a name="3.16 Can I replicate my user's"></a><a name="3.16 Can I replicate my user's "></a> 3.16 Can I replicate my user's home directory AFS volumes?
+### <a name="3.17 Can I replicate my user's"></a><a name="3.17 Can I replicate my user's "></a> 3.17 Can I replicate my user's home directory AFS volumes?
No.
The bottom line is: you cannot replicate $HOMEs across servers.
-### <a name="3.17 Which TCP/IP ports and pro"></a> 3.17 Which TCP/IP ports and protocols do I need to enable in order to operate AFS through my Internet firewall?
-
-Assuming you have already taken care of nameserving, you may wish to use an Internet timeserver for Network Time Protocol [[[NTP|Main/FurtherReading#NTP]]] and question [[3.22|Main/WebHome#NTP]]:
-
-ntp 123/udp
-
-A list of NTP servers is available via anonymous FTP from:
-
-- <http://www.eecis.udel.edu/~mills/ntp/servers.html>
-
-For further details on NTP see: <http://www.eecis.udel.edu/~ntp/>
-
-For a "minimal" AFS service which does not allow inbound or outbound klog:
-
- cachemanager 4711/udp (only if you use the arla-client instead of OpenAFS)
- fileserver 7000/udp
- cachemanager 7001/udp
- ptserver 7002/udp
- vlserver 7003/udp
- kaserver 7004/udp
- volserver 7005/udp
- reserved 7006/udp
- bosserver 7007/udp
-
-(Ports in the 7020-7029 range are used by the AFS backup system, and won't be needed by external clients performing simple file accesses.)
-
-Additionally, for "klog" to work through the firewall you need to allow inbound and outbound UDP on ports >1024 (probably 1024<port<2048 would suffice depending on the number of simultaneous klogs).
-
-See also: <http://www-archive.stanford.edu/lists/info-afs/hyper95/0874.html>
-
### <a name="3.18 What is the Andrew Benchma"></a> 3.18 What is the Andrew Benchmark?
"It is a script that operates on a collection of files constituting an application program. The operations are intended to represent typical actions of an average user. The input to the benchmark is a source tree of about 70 files. The files total about 200 KB in size. The benchmark consists of five distinct phases:
Source: <file:///afs/transarc.com/public/afs-contrib/doc/benchmark/Andrew.Benchmark.ps> <ftp://ftp.transarc.com/pub/afs-contrib/doc/benchmark/Andrew.Benchmark.ps>
-### <a name="3.19 Is there a version of HP V"></a> 3.19 Is there a version of HP VUE login with AFS authentication?
+### <a name="3.19 Where can I find the Andre"></a> 3.19 Where can I find the Andrew Benchmark?
+
+From Daniel Joseph Barnhart Clark's [message](http://lists.openafs.org/pipermail/openafs-info/2004-April/012942.html):
+
+It's linked to from <http://www.citi.umich.edu/projects/linux-scalability/tools.html>; CITI also has some useful mods at <http://www.citi.umich.edu/projects/nfs-perf/results/cmarion/>.
+
+### <a name="3.20 Is there a version of HP V"></a> 3.20 Is there a version of HP VUE login with AFS authentication?
Yes, the availability of this is described in: <file:///afs/transarc.com/public/afs-contrib/pointers/HP-VUElogin.txt> <ftp://ftp.transarc.com/pub/afs-contrib/pointers/HP-VUElogin.txt>
If you don't have access to the above, please contact Rajeev Pandey of Hewlett Packard whose email address is <rpandey@cv.hp.com>.
-### <a name="3.20 How can I list which clien"></a> 3.20 How can I list which clients have cached files from a server?
+### <a name="3.21 How can I list which clien"></a> 3.21 How can I list which clients have cached files from a server?
By using the following script:
echo "$n ($ipaddr)"
done
-### <a name="3.21 Do Backup volumes require"></a><a name="3.21 Do Backup volumes require "></a> 3.21 Do Backup volumes require as much space as [[ReadWrite]] volumes?
+### <a name="3.22 Do Backup volumes require"></a><a name="3.22 Do Backup volumes require "></a> 3.22 Do Backup volumes require as much space as [[ReadWrite]] volumes?
No.
The space needed for the BK volume is directly related to the size of all files changed in the RW between runs of "vos backupsys".
-### <a name="3.22 Should I run timed on my A"></a> 3.22 Should I run timed on my AFS client?
+### <a name="3.23 Should I run timed on my A"></a> 3.23 Should I run timed on my AFS client?
No.
The default time setting behavior of the AFS client can be disabled by specifying the `-nosettime` argument to [afsd](http://www.transarc.ibm.com/Library/documentation/afs/3.5/unix/cmd/cmd53.htm). This is recommended for AFS servers which are also configured as clients (because servers normally run NTP daemons) and for clients that run NTP.
-### <a name="3.23 Why should I keep /usr/vic"></a> 3.23 Why should I keep /usr/vice/etc/CellServDB current?
+### <a name="3.24 Why should I keep /usr/vic"></a> 3.24 Why should I keep /usr/vice/etc/CellServDB current?
On AFS clients, /usr/vice/etc/CellservDB, defines the cells and (their servers) that can be accessed via /afs.
If a cell is added to [[CellServDB]] then the **client** must either be restared or you must the AFS command "fs newcell -cell .. -servers ... ...".
-### <a name="3.24 How can I keep /usr/vice/e"></a> 3.24 How can I keep /usr/vice/etc/CellServDB current?
+### <a name="3.25 How can I keep /usr/vice/e"></a> 3.25 How can I keep /usr/vice/etc/CellServDB current?
Do a daily copy from a master source and update the AFS kernel sitelist.
echo "zero length file: ${src}" >&2
fi
-### <a name="3.25 How can I compute a list o"></a> 3.25 How can I compute a list of AFS fileservers?
+### <a name="3.26 How can I compute a list o"></a> 3.26 How can I compute a list of AFS fileservers?
-Here is a Korn shell command to do it:
+Here is a Bourne shell command to do it (it will work in GNU bash and the Korn shell, too):
- stimpy@nick $ vos listvldb -cell $(cat /usr/vice/etc/ThisCell) \
+ stimpy@nick $ vos listvldb -cell `cat /usr/vice/etc/ThisCell` \\
| awk '(/server/) {print $2}' | sort -u
-### <a name="3.26 How can I set up anonymous"></a> 3.26 How can I set up anonymous FTP login to access /afs?
+### <a name="3.27 How can I set up anonymous"></a> 3.27 How can I set up anonymous FTP login to access /afs?
The easiest way on a primarily "normal" machine (where you don't want to have everything in AFS) is to actually mount root.cell under ~ftp, and then symlink /afs to ~ftp/afs or whatever. It's as simple as changing the mountpoint in /usr/vice/etc/cacheinfo and restarting afsd.
Unless you need to do authenticating ftp, you are _strongly_ recommended using wu-ftpdv2.4 (or better).
-### <a name="3.27 Where can I find the Andre"></a> 3.27 Where can I find the Andrew Benchmark?
-
-<file:///afs/transarc.com/public/afs-contrib/doc/faq/ab.tar.Z> [156k] <ftp://ftp.transarc.com/pub/afs-contrib/doc/faq/ab.tar.Z> [156k]
-
-This is a tar archive of <file:///afs/cs.cmu.edu/user/satya/ftp/ab/>
-
### <a name="3.28 Is the data sent over the n"></a> 3.28 Is the data sent over the network encrypted in AFS ?
There is still no easy way to do this in Transarc AFS, but [[OpenAFS]] now has a "fs" subcommand to turn on encryption of regular file data sent and received by a client. This is a per client setting that persist until reboot. No server actions are needed to support this change. The syntax is:
You need to distinguish between the filesystem used by the file server to store the actual AFS data (by convention in /vicep?) and the filesystem used by the client cache manager to cache files.
-With the new namei file server you can basically use any filesystem you want. Tne namei file server does not do any fancy stuff behind the scenes but only accesses normal files (their names are a bit strange though).
+Fileserver is started by bosserver. It depends, what ./configure switches were used during compilation from sources. To be always on the safe side, use --enable-namei-fileserver configure flag. That will give you fileserver binary which can act on any /vicep? partition regardless it's filesystem type. With the new namei file server you can basically use any filesystem you want. The namei file server does not do any fancy stuff behind the scenes but only accesses normal files (their names are a bit strange though).
-But you cannot use SGI efs under [[OpenAFS]] at all.
+The opposite to namei fileserver is inode based nameserver. According to openafs-devel email list, it gave on some Solaris box 10% speedup over the namei based server. The namei based fileserver cannot run on every filesystem, as it stores some internal afs-specific data into the filesystem. Typically, /sbin/fsck distributed withthe operating system zaps these data. Inode based fileserver directly operates on the inodes of the underlying file system which therefore has to fully support the inode abstraction scheme. The the Administrators Guide for more details (they differ from system to system).
-It is a different story with the old inode based server. It directly operates on the inodes of the underlying file system which therefore has to fully support the inode abstraction scheme. The the Administrators Guide for more details (they differ from system to system).
-
-On the client side, you always have to use a file system supporting the inode abstraction for the cache (usually /usr/vice/cache) since the cache manager references files by their inode. Fortunately, it does not do such tricky stuff as the inode based server.
+On the client side where you run /usr/afs/etc/afsd as a kernel process, you always have to use a file system supporting the inode abstraction for the cache (usually /usr/vice/cache) since the cache manager references files by their inode. Fortunately, it does not do such tricky stuff as the inode based fileserver.
The following file systems have been reported _not_ to work for the AFS client cache:
- reiserfs
- vxfs (HP-UX)
- advfs (Tru64), it works but gives cachecurruption
-- efs (SGI) - IBM AFS does support efs, but openafs doesn't have a license for that
+- efs (SGI) - IBM AFS does support efs, but openafs doesn't have a license for that.
- Patch committed to cvs around 6/2003 will now enforce this in some cases and generate a warning to the user if the filesystem type is wrong.
The kernel parts on Solaris have to be compiled with Sun cc, same for other platforms, i.e. you need same compiler used to compile kernel to compile your afs modules. [[Tru64Unix]] doesn't support modules, so you have to edit kernel config files and link statically into kernel. Kernel module insertion works fine on Linux, Solaris, Irix ...
-$ ./configure --enable-transarc-paths=/usr/etc --with-afs-sysname=i386\_linux24
-
-$ make dest
-
-$ cd dest/i386\_linux24
+ ./configure --enable-transarc-paths=/usr/etc --with-afs-sysname=i386_linux24
+ make dest
+ cd dest/i386_linux24
... and continue the install process described in IBM AFS documentation. If you do "make install", you will end up with some stuff installed into /usr/local but something not, regardless the --enable-transarc-paths option ... "make install" it's messy.
cp src/viced/fileserver /usr/afs/bin (or wherever)
-bos restart calomys fs -local
+ bos restart calomys fs -local
... then attach with gdb
To debug if client running afsd kernel process talks to the servers from [[CellServDB]], do:
-tcpdump -vv -s 1500 port 7001
+ tcpdump -vv -s 1500 port 7001
Other ports are:
Use on afsd command line -chunk 17 or greater. Be carefull, with certain cache sizes afsd crashes on startup (Linux, [[Tru64Unix]] at least).
+ > So I ran the full suite of iozone tests (13), but at a single file size
+ > (128M) and one record size (64K). I set the AFS cache size to 80000K
+ > for both memcache and diskcache.
+
+ Note that memcache size and diskcache size are different things.
+ In the case of memcache, a fixed number of chunks are allocated
+ in memory, such that numChunks * chunkSize = memCacheSize. In
+ the case of disk cache, there are a lot more chunks, because the
+ disk cache assumes not every chunk will be filled (the underlying
+ filesystem handles disk block allocation for us). Thus, when you
+ have small file segments, they use up an entire chunk worth of
+ cache in the memcache case, but only their size worth of cache
+ in the diskcache cache.
+
+ -- kolya
+
### <a name="3.34 Settting up PAM with AFS"></a> 3.34 Settting up PAM with AFS
Solaris
callisto#bin/fs la /afs
Access list for /afs is
Normal rights:
+
system:administrators rlidwka
--------------------------------------------------------------------------------
afs.cell.name@REALM
krbtgt CELL.NAME@REALM
+If you use heimdal (or MIT krb5), do:
+
+echo "REALM" > /usr/afs/etc/krb.conf
+
### <a name="3.38 Moving from kaserver to Hei"></a> 3.38 Moving from kaserver to Heimdal KDC
> While converting all our administration tools, we have discovered that
The special thing for me is the use of "-D" in the (3) which seems to
cause conversion des-cbc-sha1 keys of old krb4 database entries to
des-cbc-md5.
+
+### <a name="3.40 What are those bos(1) -type"></a> 3.40 What are those bos(1) -type values simple and cron?
+
+Typically, admins do this once they configure new afs server:
+
+ bos create foo ptserver simple /usr/afs/bin/ptserver -cell bar.baz
+ bos create foo vlserver simple /usr/afs/bin/vlserver -cell bar.baz
+ bos create foo fs fs /usr/afs/bin/fileserver /usr/afs/bin/volserver /usr/afs/bin/salvager -cell bar.baz
+
+Type "simple" has one process. type "cron" gets forked at the appropriate time.
+
+### <a name="3.41 KDC listens on port 88 inst"></a> 3.41 KDC listens on port 88 instead of 750
+
+ "Kramer, Matthew" <mattkr@bu.edu> writes:
+
+ > Hello,
+ > Our Kerberos 4 environment listens on only port 750 and doesn't
+ > listen on port 88. For Win2K/XP machines this causes a problem in
+ > C:\openafs-1.2.8\src\kauth\user_nt.c line 144 when the Kerberos port is
+ > queried from the %systemroot%\system32\drivers\etc\services file. Win2K
+ > and XP both return 88 which is correct for Kerberos 5 but in our case
+ > not for Kerberos 4. Why doesn't it instead query for kerberos-iv which
+ > would return the correct value of 750?
+ >
+ > Y:\src\kauth>diff user_nt.c.orig user_nt.c
+ > 144c144
+ > < sp = getservbyname("kerberos", "udp");
+ > ---
+ > > sp = getservbyname("kerberos-iv", "udp");
+ >
+ A quick work around could be to use Loves requestforwarder found at
+
+ ftp://ftp.stacken.kth.se/pub/projects/krb-forward/krb-forward-0.1.tar.gz
+
+ /JockeF
+
+### <a name="3.42 afsd gives me "Error -1 in"></a><a name="3.42 afsd gives me "Error -1 in "></a> 3.42 afsd gives me "Error -1 in basic initialization." on startup
+
+When starting afsd, I get the following:
+
+ # /usr/vice/etc/afsd -nosettime -debug
+ afsd: My home cell is 'foo.bar.baz'
+ ParseCacheInfoFile: Opening cache info file '/usr/vice/etc/cacheinfo'...
+ ParseCacheInfoFile: Cache info file successfully parsed:
+ cacheMountDir: '/afs'
+ cacheBaseDir: '/usr/vice/cache'
+ cacheBlocks: 50000
+ afsd: 5000 inode_for_V entries at 0x8075078, 20000 bytes
+ SScall(137, 28, 17)=-1 afsd: Forking rx listener daemon.
+ afsd: Forking rx callback listener.
+ afsd: Forking rxevent daemon.
+ SScall(137, 28, 48)=-1 SScall(137, 28, 0)=-1 SScall(137, 28, 36)=-1 afsd: Error -1 in basic initialization.
+
+Solution: make sure you have kernel module loaded.
+
+### <a name="3.43 Although I get krb tickets,"></a> 3.43 Although I get krb tickets, afslog doesn't give me tokens, I see UDP packets to port 4444
+
+Using tcpdump I see the following traffic. What runs on the port 4444?
+
+ 15:16:54.815194 IP foo.bar.baz.32772 > foo.bar.baz.4444: UDP, length: 269
+ 15:16:54.815199 IP foo.bar.baz > foo.bar.baz: icmp 305: foo.bar.baz udp port 4444 unreachable
+
+This is the 5->4 ticket conversion service on UDP port 4444. Assuming your afs servers know how to deal with krb5 tickets (since openafs-1.2.10? and 1.3.6x?) include the following in /etc/krb5.conf:
+
+ [appdefaults]
+ libkafs = {
+ afs-use-524 = local
+ }
+
+### <a name="3.44 I get error message trhough"></a> 3.44 I get error message trhough syslogd: "afs: Tokens for user of AFS id 0 for cell foo.bar.baz are discarded (rxkad error=19270407)"
+
+Answer:
+
+ grep 19270407 /usr/afsws/include/rx/*
+ /usr/afsws/include/rx/rxkad.h:#define RXKADBADTICKET (19270407L)
+
+### <a name="3.45 I get tickets and tokens, b"></a> 3.45 I get tickets and tokens, but still get Permission denied.
+
+Answer: /usr/afs/etc/UserList accepts only krb4 syntax. Use `joe.admin` instead of `joe/admin`. See `https://lists.openafs.org/pipermail/openafs-devel/2002-December/008673.html` and the rest of the thread.
+
+[http://www.etoo.cn/zhaigao 窄告] [http://www.etoo.cn/sports 健身器材] [http://www.etoo.cn/stadium 场馆设备] [http://www.etoo.cn/21win-win 拓展训练] [http://www.paite.net 尖锐湿疣] [http://www.paite.net/1 尖锐湿疣] [http://www.wjmgy.com 脉管炎] [http://www.wjmgy.com/1 脉管炎] [http://www.wjmgy.com/hospitaljs.htm 脉管炎] [http://www.wjmgy.com/zhuankejs.htm 脉管炎] [http://www.wjmgy.com/zhuzhiys.htm 脉管炎] [http://www.wjmgy.com/conact.htm 脉管炎]
git://git.openafs.org / openafs-wiki.git / blobdiff