<li><a href="#3.37 afs_krb_get_lrealm() using"> 3.37 afs_krb_get_lrealm() using /usr/afs/etc/krb.conf</a></li>
<li><a href="#3.38 Moving from kaserver to Hei"> 3.38 Moving from kaserver to Heimdal KDC</a></li>
<li><a href="#3.39 Moving from KTH-KRB4 to Hei"> 3.39 Moving from KTH-KRB4 to Heimdal KDC</a></li>
+ <li><a href="#3.40 What are those bos(1) -type"> 3.40 What are those bos(1) -type values simple and cron?</a></li>
+ <li><a href="#3.41 KDC listens on port 88 inst"> 3.41 KDC listens on port 88 instead of 750</a></li>
+ <li><a href="#3.42 afsd gives me "Error -1 in"> 3.42 afsd gives me "Error -1 in basic initialization." on startup</a></li>
+ <li><a href="#3.43 Although I get krb tickets,"> 3.43 Although I get krb tickets, afslog doesn't give me tokens, I see UDP packets to port 4444</a></li>
+ <li><a href="#3.44 I get error message trhough"> 3.44 I get error message trhough syslogd: "afs: Tokens for user of AFS id 0 for cell foo.bar.baz are discarded (rxkad error=19270407)"</a></li>
+ <li><a href="#3.45 I get tickets and tokens, b"> 3.45 I get tickets and tokens, but still get Permission denied.</a></li>
+ <li><a href="#3.46 Recovering broken afs cache"> 3.46 Recovering broken afs cache on clients</a></li>
+ <li><a href="#3.47 What does it mean for a vol"> 3.47 What does it mean for a volume to not be in the VLDB?</a></li>
+ <li><a href="#3.48 What is a Volume Group?"> 3.48 What is a Volume Group?</a></li>
+ <li><a href="#3.49 What is a Clone?"> 3.49 What is a Clone?</a></li>
+ <li><a href="#3.50 What is a Shadow?"> 3.50 What is a Shadow?</a></li>
+ <li><a href="#3.51 Can I authenticate to my af"> 3.51 Can I authenticate to my afs cell using multiple kerberos Realms?</a></li>
+ <li><a href="#3.52 Is it a good idea to store"> 3.52 Is it a good idea to store mail in AFS?</a></li>
+ <li><a href="#3.53 How can I ensure that the"> 3.53 How can I ensure that the userids on client machines match the users' pts ids?</a></li>
+ <li><a href="#3.54 What is Fast Restart?"> 3.54 What is Fast Restart?</a></li>
+ <li><a href="#3.55 Reboot ?"> 3.55 Why does AFS reboot itself spontaneously at 4:00am every Sunday?</a></li>
</ul>
</li>
</ul>
</div>
+
- [[ResourcesFAQ]]
- [[AboutTheFAQ]]
- [[FurtherReading]]
- `fs setcrypt off`
- `fs getcrypt`
-Note that this only encrypts network traffic between the client and server. The data on the server's disk is not encrypted nor is the data in the client's disk cache. The encryption algorithm used is [fcrypt](http://tedanderson.home.mindspring.com/fcrypt-paper.txt), which is a DES variant.
+Note that this only encrypts network traffic between the client and server. The data on the server's disk is not encrypted nor is the data in the client's disk cache. The encryption algorithm used is [fcrypt](http://surfvi.com/~ota/fcrypt-paper.txt), which is a DES variant.
Getting encryption enabled by default:
You need to distinguish between the filesystem used by the file server to store the actual AFS data (by convention in /vicep?) and the filesystem used by the client cache manager to cache files.
-With the new namei file server you can basically use any filesystem you want. Tne namei file server does not do any fancy stuff behind the scenes but only accesses normal files (their names are a bit strange though).
-
-But you cannot use SGI efs under [[OpenAFS]] at all.
+Fileserver is started by bosserver. It depends, what ./configure switches were used during compilation from sources. To be always on the safe side, use --enable-namei-fileserver configure flag. That will give you fileserver binary which can act on any /vicep? partition regardless it's filesystem type. With the new namei file server you can basically use any filesystem you want. The namei file server does not do any fancy stuff behind the scenes but only accesses normal files (their names are a bit strange though).
-It is a different story with the old inode based server. It directly operates on the inodes of the underlying file system which therefore has to fully support the inode abstraction scheme. The the Administrators Guide for more details (they differ from system to system).
+The opposite to namei fileserver is inode based nameserver. According to openafs-devel email list, it gave on some Solaris box 10% speedup over the namei based server. The namei based fileserver cannot run on every filesystem, as it stores some internal afs-specific data into the filesystem. Typically, /sbin/fsck distributed withthe operating system zaps these data. Inode based fileserver directly operates on the inodes of the underlying file system which therefore has to fully support the inode abstraction scheme. The the Administrators Guide for more details (they differ from system to system).
-On the client side, you always have to use a file system supporting the inode abstraction for the cache (usually /usr/vice/cache) since the cache manager references files by their inode. Fortunately, it does not do such tricky stuff as the inode based server.
+On the client side where you run /usr/afs/etc/afsd as a kernel process, you always have to use a file system supporting the inode abstraction for the cache (usually /usr/vice/cache) since the cache manager references files by their inode. Fortunately, it does not do such tricky stuff as the inode based fileserver.
The following file systems have been reported _not_ to work for the AFS client cache:
- reiserfs
- vxfs (HP-UX)
- advfs (Tru64), it works but gives cachecurruption
-- efs (SGI) - IBM AFS does support efs, but openafs doesn't have a license for that
+- efs (SGI) - IBM AFS does support efs, but openafs doesn't have a license for that.
- Patch committed to cvs around 6/2003 will now enforce this in some cases and generate a warning to the user if the filesystem type is wrong.
### <a name="3.31 Upgrading _OpenAFS"></a> 3.31 Upgrading [[OpenAFS]]
+Upgrade of AFS on Linux
+
+ /etc/rc.d/init.d/afs stop
+ cd root.client/usr/vice/etc
+ tar cvf - . | (cd /usr/vice/etc; tar xfp -)
+ cp -p afs.rc /etc/rc.d/init.d/afs
+ cp ../../../../lib/pam_afs.krb.so.1 /lib/security
+ cd ../../../../root.server/usr/afs
+ tar cvf - . | (cd /usr/afs; tar xfp -)
+ # echo "auth sufficient /lib/security/pam_afs.so try_first_pass \
+ ignore_root" >> /etc/pam.d/login
+ cd /lib/security
+ vim /etc/sysconfig/afs
+ ln -s pam_afs.krb.so.1 pam_afs.so
+ cd /etc/rc3.d
+ ln -s ../init.d/afs S99afs
+ cd ../rc0.d
+ ln -s ../init.d/afs K01afs
+ cp /usr/vice/etc/afs.conf /etc/sysconfig/afs
+ /etc/rc.d/init.d/afs start
+
Upgrade of AFS on Solaris 2.6
cd /etc/rc3.d/
afsupdate 7008/udp # upserver (UPDATESERVICE)
afsrmtsys 7009/udp # RMTSYSSERVICE
+When tcpdump doesn't help, try:
+
+ fstrace setset cm -active; make your error happen; fstrace dump cm
+
### <a name="3.33 Tuning client cache for hug"></a> 3.33 Tuning client cache for huge data
-Use on afsd command line -chunk 17 or greater. Be carefull, with certain cache sizes afsd crashes on startup (Linux, [[Tru64Unix]] at least).
+Use on afsd command line -chunk 17 or greater. Be carefull, with certain cache sizes afsd crashes on startup (Linux, [[Tru64Unix]] at least). It is possibly when dcache is too small. Go for:
+
+ /usr/vice/etc/afsd -nosettime -stat 12384 -chunk 19
+
+ > So I ran the full suite of iozone tests (13), but at a single file
+ > size (128M) and one record size (64K). I set the AFS cache size to > 80000K for both memcache and diskcache.
+
+ Note that memcache size and diskcache size are different things.
+ In the case of memcache, a fixed number of chunks are allocated
+ in memory, such that numChunks * chunkSize = memCacheSize. In
+ the case of disk cache, there are a lot more chunks, because the
+ disk cache assumes not every chunk will be filled (the underlying
+ filesystem handles disk block allocation for us). Thus, when you
+ have small file segments, they use up an entire chunk worth of
+ cache in the memcache case, but only their size worth of cache
+ in the diskcache cache.
+
+ -- kolya
### <a name="3.34 Settting up PAM with AFS"></a> 3.34 Settting up PAM with AFS
callisto#bin/fs la /afs
Access list for /afs is
Normal rights:
+
system:administrators rlidwka
--------------------------------------------------------------------------------
afs.cell.name@REALM
krbtgt CELL.NAME@REALM
+If you use heimdal (or MIT krb5), do:
+
+echo "REALM" > /usr/afs/etc/krb.conf
+
### <a name="3.38 Moving from kaserver to Hei"></a> 3.38 Moving from kaserver to Heimdal KDC
> While converting all our administration tools, we have discovered that
The special thing for me is the use of "-D" in the (3) which seems to
cause conversion des-cbc-sha1 keys of old krb4 database entries to
des-cbc-md5.
+
+### <a name="3.40 What are those bos(1) -type"></a> 3.40 What are those bos(1) -type values simple and cron?
+
+Typically, admins do this once they configure new afs server:
+
+ bos create foo ptserver simple /usr/afs/bin/ptserver -cell bar.baz
+ bos create foo vlserver simple /usr/afs/bin/vlserver -cell bar.baz
+ bos create foo fs fs /usr/afs/bin/fileserver /usr/afs/bin/volserver /usr/afs/bin/salvager -cell bar.baz
+
+Type "simple" has one process. type "cron" gets forked at the appropriate time.
+
+### <a name="3.41 KDC listens on port 88 inst"></a> 3.41 KDC listens on port 88 instead of 750
+
+ "Kramer, Matthew" <mattkr@bu.edu> writes:
+
+ > Hello,
+ > Our Kerberos 4 environment listens on only port 750 and doesn't
+ > listen on port 88. For Win2K/XP machines this causes a problem in
+ > C:\openafs-1.2.8\src\kauth\user_nt.c line 144 when the Kerberos port is
+ > queried from the %systemroot%\system32\drivers\etc\services file. Win2K
+ > and XP both return 88 which is correct for Kerberos 5 but in our case
+ > not for Kerberos 4. Why doesn't it instead query for kerberos-iv which
+ > would return the correct value of 750?
+ >
+ > Y:\src\kauth>diff user_nt.c.orig user_nt.c
+ > 144c144
+ > < sp = getservbyname("kerberos", "udp");
+ > ---
+ > > sp = getservbyname("kerberos-iv", "udp");
+ >
+ A quick work around could be to use Loves requestforwarder found at
+
+ ftp://ftp.stacken.kth.se/pub/projects/krb-forward/krb-forward-0.1.tar.gz
+
+ /JockeF
+
+### <a name="3.42 afsd gives me "Error -1 in"></a><a name="3.42 afsd gives me "Error -1 in "></a> 3.42 afsd gives me "Error -1 in basic initialization." on startup
+
+When starting afsd, I get the following:
+
+ # /usr/vice/etc/afsd -nosettime -debug
+ afsd: My home cell is 'foo.bar.baz'
+ ParseCacheInfoFile: Opening cache info file '/usr/vice/etc/cacheinfo'...
+ ParseCacheInfoFile: Cache info file successfully parsed:
+ cacheMountDir: '/afs'
+ cacheBaseDir: '/usr/vice/cache'
+ cacheBlocks: 50000
+ afsd: 5000 inode_for_V entries at 0x8075078, 20000 bytes
+ SScall(137, 28, 17)=-1 afsd: Forking rx listener daemon.
+ afsd: Forking rx callback listener.
+ afsd: Forking rxevent daemon.
+ SScall(137, 28, 48)=-1 SScall(137, 28, 0)=-1 SScall(137, 28, 36)=-1 afsd: Error -1 in basic initialization.
+
+Solution: make sure you have kernel module loaded.
+
+### <a name="3.43 Although I get krb tickets,"></a> 3.43 Although I get krb tickets, afslog doesn't give me tokens, I see UDP packets to port 4444
+
+Using tcpdump I see the following traffic. What runs on the port 4444?
+
+ 15:16:54.815194 IP foo.bar.baz.32772 > foo.bar.baz.4444: UDP, length: 269
+ 15:16:54.815199 IP foo.bar.baz > foo.bar.baz: icmp 305: foo.bar.baz udp port 4444 unreachable
+
+This is the 5->4 ticket conversion service on UDP port 4444. Assuming your afs servers know how to deal with krb5 tickets (since openafs-1.2.10? and 1.3.6x?) include the following in /etc/krb5.conf:
+
+ [appdefaults]
+ afs-use-524 = local
+
+### <a name="3.44 I get error message trhough"></a> 3.44 I get error message trhough syslogd: "afs: Tokens for user of AFS id 0 for cell foo.bar.baz are discarded (rxkad error=19270407)"
+
+Answer:
+
+ grep 19270407 /usr/afsws/include/rx/*
+ /usr/afsws/include/rx/rxkad.h:#define RXKADBADTICKET (19270407L)
+
+Note that a common cause of this problem is the use of periods (".") in kerberos principals. If you have a kerberos principal such as my.name@REALM.COM and create the corresponding pts userid "my.name" you will get the cryptic error above. If you want to use such principal names and have OpenAFS 1.4.7 or later, you can pass the option -allow-dotted-principals to all server daemons to allow their use. See the -allow-dotted-principals option in the fileserver (or any server daemon) documentation for more information.
+
+### <a name="3.45 I get tickets and tokens, b"></a> 3.45 I get tickets and tokens, but still get Permission denied.
+
+Answer: /usr/afs/etc/UserList accepts only krb4 syntax. Use `joe.admin` instead of `joe/admin`. See `https://lists.openafs.org/pipermail/openafs-devel/2002-December/008673.html` and the rest of the thread.
+
+### <a name="3.46 Recovering broken afs cache"></a> 3.46 Recovering broken afs cache on clients
+
+ >> Does anyone have a trick to force AFS to refresh its cache (for a
+ >> particular directory or even for all files?) The only way I know
+ >> how to accomplish this is to reboot, stop in single user mode,
+ >> rm -rf the cache files and let AFS rebuild everything.
+ >
+ > fs flush and fs flushv have cured corruption problems in the past
+ > on some of our clients.
+
+ Thanks for the tip - I was not aware of the flush* subcommands.
+ Here's a little of what I saw today:
+
+ ls -la
+ /bin/ls: asso.S14Q00246.all.log: Bad address
+ /bin/ls: asso.S14Q00246.all.lst: Bad address
+ /bin/ls: chr14markers.txt: Bad address
+ /bin/ls: geno.summary.txt: Bad address
+ /bin/ls: global.ind.S14Q00246.all.txt: No such device
+ /bin/ls: global.S14Q00246.all.txt: No such device
+ total 103
+ [ other ls results as usual ]
+
+ Flushing a particular file had no effect (the same error as shown above appears). Flushvolume took a long time, but when it eventually completed, the ls -la behaved exactly as one would expect.
+
+### <a name="3.47 What does it mean for a vol"></a> 3.47 What does it mean for a volume to not be in the VLDB?
+
+If a volume is not in the VLDB, you will be unable to perform operations on it using its name; all "vos" operations will need to be done using its numerical id, server, and partition. Furthermore, if a volume is not in the VLDB, it cannot be reached via mountpoints.
+
+### <a name="3.48 What is a Volume Group?"></a> 3.48 What is a Volume Group?
+
+A volume group is a set of volumes whose volume id numbers differ only in the last three bits. This means that up to eight volumes may belong to a single volume group.
+
+Volumes which share storage on a partition (for example, a volume and its backup, or the r/w and r/o copy of a volume on the same partition) must be part of the same volume group.
+
+### <a name="3.49 What is a Clone?"></a> 3.49 What is a Clone?
+
+A clone of a volume is a read-only copy of that volume which shares on-disk storage with the original volume. Backup volumes are a particular kind of clone volume. Read-only replicas which reside on the same partition as their read-write volume are another particular kind of clone volume. In some other storage systems this kind of volume is called a "snapshot".
+
+Clone volumes must belong to the same volume group (see previous question) as the volume which they are a clone of.
+
+In addition to backup and readonly clones, you may create up to three additional clones of a volume. To do this, use "vos clone".
+
+When you "vos remove" a volume, its "backup" clone will also be removed automatically. However, clones created with "vos clone" are **not** removed automatically. Unfortunately, these "dangling clones" will no longer be in the VLDB (see question 3.47). They belong to a volume group whose leader (rw volume) no longer exists, which is a somewhat undefined state for AFS. Such volumes should be manually deleted as soon as possible.
+
+### <a name="3.50 What is a Shadow?"></a> 3.50 What is a Shadow?
+
+A shadow of a volume is a duplicate of that volume which resides on a different partition. Shadow volumes do not share storage with their original volumes (unlike clones). A readonly volume on a **different** partition than its readwrite volume could be considered one particular example of a shadow volume; however, in practice the term "shadow volume" is used to refer to volumes created with "vos shadow" and not to refer to readonly volumes.
+
+A shadow of any readwrite volume may be created using the "vos shadow" command. This will create a new volume which is a shadow of the original volume, and will copy the contents of the old volume to the new volume. This will also set a bit in the header of the new shadow volume that identifies it as a shadow volume. Shadow volumes do not appear in the VLDB (see question 3.47) -- "vos shadow" does not create a VLDB entry and "vos syncvldb" ignores shadow volumes.
+
+You can "refresh" a shadow volume from its original with "vos shadow -incremental". This operation will first check to make sure that the target of the operation is a shadow volume, to prevent the administrator from accidentally corrupting a non-shadow volume. However, if you shadow from a readwrite volume to some shadow of **another** volume, the shadow will be corrupted and will have to be deleted. Vos shadow will only copy data which has changed, so it is very efficient.
+
+You can remove the shadow bit from a volume's header with "vos syncvldb -force". This will remove the shadow bit and create a VLDB entry for the volume, deleting any previous entry for the rw volume. However, the rw volume itself will not be deleted; it will simply exist without a VLDB entry.
+
+Attempting to create shadows of two different rw volumes on the same partition with the same name is prohibited by the volserver. Technically it is possible to create two shadow volumes with the same name on different partitions; however, this is not advisable.
+
+### <a name="3.51 Can I authenticate to my af"></a> 3.51 Can I authenticate to my afs cell using multiple kerberos Realms?
+
+Yes. This can be usefull if your organization has multiple kerberos Realms with identical user entries: For example you might have an MIT Kerberos realm for Unix-like systems, and an Active Directory domain for windows with synchronized accounts.
+
+As long as you only need to support 2 realms, and one of them has the same name as the afs cell(or the uppercase of the name of the afs cell) you can do this without upgrading to a new version of AFS. If you need more Realms, or if neither Realm name matches your cell name, there is work to support this in the development tree.
+
+In order to make this work, you need to do 4 things.
+
+1) add a key for the afs service to the additional realm and store it in a keytab:
+
+ $ kadmin -q ank -e des-cbc-crc:v4 -kvno <new kvno> afs/your.cell.name@YOUR.SECOND.REALM.NAME
+ $ kadmin -q ktadd -e des-cbc-crc:v4 -k /path/to/afs.keytab afs/your.cell.name@YOUR.SECOND.REALM.NAME
+
+Note that a kvno must be specified for the key that is different than the kvno for your existing key(s) in the original realm. you can check on the kvno of the existing keys by running "asetkey list" on one of your servers. since keys must be in ascending order in the AFS [[KeyFile]] it will be easiest if you make the new kvno higher than any existing key's kvno.
+
+It's also worth noting that the process of adding the key to a keytab(at least with MIT krb5) actually creates a new key first, so your kvno will end up being higher than what you specified when you added the principal. you can check on the current kvno by using the "kadmin -q getprinc afs/your.cell.name@YOUR.SECOND.REALM.NAME" command.
+
+2) add the new key to the afs [[KeyFile]] on your afs servers:
+
+ $ asetkey add <kvno> /path/to/afs.keytab afs/your.cell.name@YOUR.SECOND.REALM.NAME
+
+note that the kvno here needs to be the same one as is reported by the kadmin getprinc command.
+
+3) create an afs krb.conf with your additional Realm's name in it, and place it on all of your AFS servers:
+
+ echo "YOUR.SECOND.REALM.NAME" > /usr/afs/etc/krb.conf
+
+4) restart you afs servers.
+
+at this point you should be able to run:
+
+ kinit you@YOUR.SECOND.REALM.NAME
+ aklog
+
+and recieve the same privileges as if you had run:
+
+ kinit you@YOUR.CELL.NAME
+ aklog
+
+### <a name="3.52 Is it a good idea to store"></a> 3.52 Is it a good idea to store mail in AFS?
+
+Some people have expressed the opinion that this is not a good idea. Assuming that a modern (one-file-per-message) format is being used, the concrete reasons to avoid storing mail in AFS include:
+
+1. AFS is not designed to provide good performance under the sort of concurrent accesses that occur when many mail server machines share a common space in AFS; see [this message](http://www.openafs.org/pipermail/openafs-info/2007-June/026621.html) for more information.
+ - This does not apply to situations where there is a single mail server for a particular user.
+ - This also may not apply if [Callback Extended Information](http://michigan-openafs-lists.central.org/archives/afs3-standardization/2008-May/000123.html) is implemented.
+
+### <a name="3.53 How can I ensure that the"></a><a name="3.53 How can I ensure that the "></a> 3.53 How can I ensure that the userids on client machines match the users' pts ids?
+
+You can use [libnss-afs](http://www.hcoop.net/~megacz/software/libnss-afs.html) for this.
+
+### <a name="3.54 What is Fast Restart?"></a> 3.54 What is Fast Restart?
+
+When compiled with --enable-fast-restart, the file server will start up immediately, without first salvaging any volumes which cannot be attached.
+
+Disadvantages to Fast Restart, [as noted here](http://lists.openafs.org/pipermail/openafs-info/2008-May/029386.html) include:
+
+1. Volumes in need of salvage remain offline until an administrator intervenes manually
+2. On an inode-based fileserver, salvaging a single volume crawls every inode; therefore, salvaging volumes individually (rather than partition-at-a-time) duplicates work.
+
+### <a name="#3.55 Reboot ?"></a> 3.55 Why does AFS reboot itself spontaneously at 4:00am every Sunday?
+
+Nobody's really sure why this behavior is the default, but you can disable it with
+
+ bos setrestart $SERVER_NAME never
+ bos setrestart $SERVER_NAME -newbinary never
git://git.openafs.org / openafs-wiki.git / blobdiff