From b8479afaacf65b223230b41a95ec265798045a50 Mon Sep 17 00:00:00 2001 From: Caitlyn Marko Date: Mon, 6 Nov 2017 09:45:07 -0500 Subject: [PATCH 1/1] Remove unused FAQ pages --- admin/GuidesAndInfo.mdwn | 42 ++ general/AFSFrequentlyAskedQuestions.mdwn | 18 - general/AboutTheFAQ.mdwn | 110 ---- general/AdminFAQ.mdwn | 868 ------------------------------- general/FrequentlyAskedQuestions.mdwn | 12 - general/GeneralFAQ.mdwn | 386 -------------- general/PreambleFAQ.mdwn | 90 ---- general/ResourcesFAQ.mdwn | 77 --- general/UsageFAQ.mdwn | 393 -------------- 9 files changed, 42 insertions(+), 1954 deletions(-) create mode 100644 admin/GuidesAndInfo.mdwn delete mode 100644 general/AFSFrequentlyAskedQuestions.mdwn delete mode 100644 general/AboutTheFAQ.mdwn delete mode 100644 general/AdminFAQ.mdwn delete mode 100644 general/FrequentlyAskedQuestions.mdwn delete mode 100644 general/GeneralFAQ.mdwn delete mode 100644 general/PreambleFAQ.mdwn delete mode 100644 general/ResourcesFAQ.mdwn delete mode 100644 general/UsageFAQ.mdwn diff --git a/admin/GuidesAndInfo.mdwn b/admin/GuidesAndInfo.mdwn new file mode 100644 index 0000000..d6e6af7 --- /dev/null +++ b/admin/GuidesAndInfo.mdwn @@ -0,0 +1,42 @@ +Guides and information about setting up and using OpenAFS. + +## Installation + +*Guides for Linux* + +* [[Server and client installation on RHEL|InstallingOpenAFSonRHEL]] +* [[Client installation notes for Linux|InstallOpenAFSClient]] +* [[Installing the OpenAFS kernel module with DKMS|RpmClientInstallationWithDKMS]] +* [[Installing OpenAFS in Lightweight LXC containers|InstallingOpenAFSinLXC]] +* [[Notes on Linux's built-in kAFS support|LinuxKAFSNotes]] + +*Guides for Windows* + +* [[Windows quick start guide|WindowsEndUserQuickStartGuide]] +* [[Windows kerberos 5 AFS service principal|WindowsK5AfsServicePrincipal]] +* [[How to setup OpenAFS with Windows 2008 R2 AD server|Win2008R2ADasKDC]] + +*Guides for Solaris* + +* [[Solaris and OpenIndiana quick start guide|SolarisQuickStart]] + +*Additional information* + +* [[Backup methods|BackupMethods]] +* [[Ports used by OpenAFS|AFSServicePorts]] + +## External Documents + +Guides on creating a new AFS cell on various platforms can be found in these +external documents: + +* [An OpenAFS Tutorial for Debian](http://openafs.dk/doku.php?id=server:start) +* [The Gentoo OpenAFS Guide](http://www.gentoo.org/doc/en/openafs.xml) +* [Using NetBSD to provide AFS and Kerberos services](http://kula.tproa.net/talks/afsbpw2005) +* [Using OS X to provide AFS and Kerberos services](http://kula.tproa.net/talks/afsbpw2006) + +General information about AFS and OpenAFS can be found in the following external documents. + +* [Stanford AFS Introduction](http://www.stanford.edu/services/afs/intro/) +* [IBM Developerworks AFS Introduction](http://www.ibm.com/developerworks/opensource/library/os-openafs-kerberos5/index.html) + diff --git a/general/AFSFrequentlyAskedQuestions.mdwn b/general/AFSFrequentlyAskedQuestions.mdwn deleted file mode 100644 index ef652f1..0000000 --- a/general/AFSFrequentlyAskedQuestions.mdwn +++ /dev/null @@ -1,18 +0,0 @@ -# AFS frequently asked questions - -This Wiki document is based on afs-faq, version 1.113, dated 19:50 Thursday 9th -July 1998, by Paul Blackburn . While some of the content in it is -indeed still quite old, we are working on cleaning it up and bringing it more up -to date. - -It was divided into seven topics for easier editing. Feel free to make -improvements. - -- [[PreambleFAQ]] -- [[GeneralFAQ]] -- [[UsageFAQ]] -- [[AdminFAQ]] -- [[ResourcesFAQ]] -- [[AboutTheFAQ]] -- [[FurtherReading]] - diff --git a/general/AboutTheFAQ.mdwn b/general/AboutTheFAQ.mdwn deleted file mode 100644 index a09e3e3..0000000 --- a/general/AboutTheFAQ.mdwn +++ /dev/null @@ -1,110 +0,0 @@ -## 5 About the AFS faq - -About the [[AFSFrequentlyAskedQuestions]]. - -- [[PreambleFAQ]] -- [[GeneralFAQ]] -- [[UsageFAQ]] -- [[AdminFAQ]] -- [[ResourcesFAQ]] - -
- -
- -- [[FurtherReading]] - -I started compiling the FAQ after attending an AFS administrators class and while waiting for the distribution tape to arrive from Transarc (back in July 93). The initial goal was to assist users at my site to understand AFS issues. - -The FAQ seemed to be a more widely useful resource so it was made generally available. - -I hope you have found the AFS FAQ useful. - -Your criticism or suggestions for improving it are welcome, so please don't hesitate to email your views (or just say "hello"). - -This compilation is dedicated to my AFS teacher and all those who inspire through good humour, enthusiasm, wit and wisdom. --Paul Blackburn - -### 5.01 How can I get a copy of the AFS faq? - -If you do make a copy, please be aware that this compilation changes over time: you will need to do a periodic re-copy to keep your copy up-to-date. - -There are two reference sources: - - 1) The text only version, available via AFS from: - file:///afs/transarc.com/public/afs-contrib/doc/faq/afs.faq - - 2) The World Wide Web (HTML) version, available via URL: - http://www.angelfire.com/hi/plutonic/afs-faq.html - -There are several other ways to get a copy. - -via AFS: - -via FTP: - -via WWW: - -via Wiki: - -via USENET news: - -From time to time this faq will be posted to the USENET newsgroups: [alt.filesystems.afs](news:alt.filesystems.afs) [alt.answers](news:alt.answers) [news.answers](news:news.answers) - -via CD-ROM: - -The AFS faq is now available in the file $cd\_mount\_point/faqs/alt/filesystems.afs on CD-ROM "Internet Info" (containing 17,420 documents including other FAQs, RFCs, IENs, etc) from: - - Walnut Creek CDROM phone: 1 800 786-9907 (US tollfree) - 4041 Pike Lane, Ste D-www +1 510 674-0783 - Concord, CA 94250 fax: +1 510 674-0821 - United States of America email: orders@cdrom.com - WWW: http://www.cdrom.com/ - -### 5.02 How can I get my question (and answer) into the AFS faq? - -Comments and contributions are welcome, please send to: - -I am looking for reviewers to help me check the material here, please let me know if you would like to help. - -### 5.03 How can I access the AFS faq via the World Wide Web? - -To access the World Wide Web you either need your own browser or have telnet access to WWW servers. - -WWW browsers exist for most machines. Here's a list of some browsers; - - - - - - - - - - - - - - - - - -
Name System/requirements Available from (among others)
Mosaic X windows, MS-Windows, Mac ftp://ftp.ncsa.uiuc.edu/Web/
lynx vt100 ftp://ftp.wustl.edu/packages/www/lynx/
- -From your own browser, OPEN or GO to the following document: - - - -It is much better to run your own browser but if this is not possible there are several WWW servers accessible via telnet: - -\* telnet info.cern.ch then type: go - -\* telnet www.njit.edu (login: www) then type: g - -\* telnet ukanaix.cc.ukans.edu (login: www, needs vt100) then type: ghttp://www.angelfire.com/hi/plutonic/afs-faq.html diff --git a/general/AdminFAQ.mdwn b/general/AdminFAQ.mdwn deleted file mode 100644 index 387fbc4..0000000 --- a/general/AdminFAQ.mdwn +++ /dev/null @@ -1,868 +0,0 @@ -## 3 AFS administration - -The Administration Section of the [[AFSFrequentlyAskedQuestions]]. - -[[PreambleFAQ]] - -[[GeneralFAQ]] - -[[UsageFAQ]] - -
-

3 AFS administration

- -
- -[[ResourcesFAQ]] - -[[AboutTheFAQ]] - -[[FurtherReading]] - -### 3.01 Is there a version of _program_ available with AFS authentication? - -In general, not specifically; modern systems use authentication frameworks, so that an e.g. AFS plugin can be added to the framework and all programs will thereby be able to use it without modification. On many systems, the authentication framework is PAM (Pluggable Authentication Modules). Acquiring AFS tokens via PAM can be done by several different PAM modules, including Russ Allbery's [pam-afs-session](http://www.eyrie.org/~eagle/software/pam-afs-session/) and Red Hat's `pam_krb5afs`. - -### 3.02 What is `/afs/@cell`? - -It is a commonly created symbolic link pointing at `/afs/$your_cell_name`. `@cell` is not something that is provided by AFS. You may decide it is useful in your cell and wish to create it yourself. - -`/afs/@cell` is useful because: - -- If you look after more than one AFS cell, you could create the link in each cell then set your `$PATH` as: - - PATH=$PATH:/afs/@cell/@sys/local/bin - -- For most cells, it shortens the path names to be typed in, thus reducing typos and saving time. - -A disadvantage of using this convention is that when you `cd` into `/afs/@cell` then type `pwd` you see `/afs/@cell` instead of the full name of your cell. This may appear confusing if a user wants to tell a user in another cell the pathname to a file. - -You could create your own `/afs/@cell` with the following script (usable in `ksh` or any POSIX shell): - - #/bin/ksh - - # author: mpb - [ -L /afs/@cell ] && echo We already have @cell! && exit - cell=$(cat /usr/vice/etc/ThisCell) - cd /afs/.${cell} && fs mkm temp root.afs - cd temp - ln -s /afs/${cell} @cell - ln -s /afs/.${cell} .@cell # .@cell for RW path - cd /afs/.${cell} && fs rmm temp - vos release root.afs; fs checkv - - - -### 3.03 Given that AFS data is location independent, how does an AFS client determine which server houses the data its user is attempting to access? - -The Volume Location Database (VLDB) is stored on AFS Database Servers and is ideally replicated across 3 or more Database Server machines. Replication of the Database ensures high availability and load balances the requests for the data. The VLDB maintains information regarding the current physical location of all volume data (files and directories) in the cell, including the IP address of the [[FileServer]], and the name of the disk partition the data is stored on. - -A list of a cell's Database Servers is stored on the local disk of each AFS Client machine as `/usr/vice/etc/CellServDB` - -The Database Servers also house the Protection Database (user UID and protection group information) and the Backup Database (used by System Administrators to backup AFS file data to tape), and in older sites the Kerberos Authentication Database (encrypted user and server passwords). - -### 3.04 How does AFS maintain consistency on read-write files? - -AFS uses a mechanism called "callbacks". - -A callback is a promise from the fileserver that the cache version of a file/directory is up-to-date. It is established by the fileserver with the caching of a file. - -When a file is modified, the fileserver breaks the callback. When the user accesses the file again the Cache Manager fetches a new copy if the callback has been broken or it has expired (after 2 hours by default). - -The following paragraphs describe the AFS callback mechanism in more detail: - -If I `open()` `fileA` and start reading, and you then `open()` `fileA`, `write()` a change **\*\*and `close()` or `fsync()`\*\*** the file to get your changes back to the server - at the time the server accepts and writes your changes to the appropriate location on the server disk, the server also breaks callbacks to all clients to which it issued a copy of `fileA`. - -So my client receives a message to break the callback on `fileA`, which it dutifully does. But my application (editor, spreadsheet, whatever I'm using to read fileA) is still running, and doesn't really care that the callback has been broken. - -When something causes the application to `read()` more of the file, the `read()` system call executes AFS cache manager code via the VFS switch, which does check the callback and therefore gets new copies of the data. - -Of course, the application may not re-read data that it has already read, but that would also be the case if you were both using the same host. So, for both AFS and local files, I may not see your changes. - -Now if I exit the application and start it again, or if the application does another `open()` on the file, then I will see the changes you've made. - -This information tends to cause tremendous heartache and discontent - but unnecessarily so. People imagine rampant synchronization problems. In practice this rarely happens and in those rare instances, the data in question is typically not critical enough to cause real problems or crashing and burning of applications. Since 1985, we've found that the synchronization algorithm has been more than adequate in practice - but people still like to worry! - -The source of worry is that, if I make changes to a file from my workstation, your workstation is not guaranteed to be notified until I `close` or `fsync` the file, at which point AFS guarantees that your workstation will be notified. This is a significant departure from NFS, in which no guarantees are provided. - -### 3.05 Which protocols does AFS use? - -AFS may be thought of as a collection of protocols and software processes, nested one on top of the other. The constant interaction between and within these levels makes AFS a very sophisticated software system. - -At the lowest level is the UDP protocol. UDP is the connection to the actual network wire. The next protocol level is the remote procedure call (RPC). In general, RPCs allow the developer to build applications using the client/server model, hiding the underlying networking mechanisms. AFS uses Rx, an RPC protocol developed specifically for AFS during its development phase at Carnegie Mellon University. - -Above the RPC is a series of server processes and interfaces that all use Rx for communication between machines. Fileserver, volserver, upserver, upclient, and bosserver are server processes that export RPC interfaces to allow their user interface commands to request actions and get information. For example, a bos status command will examine the bos server process on the indicated file server machine. - -Database servers use ubik, a replicated database mechanism which is implemented using RPC. Ubik guarantees that the copies of AFS databases of multiple server machines remain consistent. It provides an application programming interface (API) for database reads and writes, and uses RPCs to keep the database synchronized. The database server processes, `vlserver` and `ptserver`, reside above ubik. These processes export an RPC interface which allows user commands to control their operation. For instance, the `pts` command is used to communicate with the `ptserver`, while the command `vos` uses the `vlserver`'s RPC interface. - -Some application programs are quite complex, and draw on RPC interfaces for communication with an assortment of processes. Scout utilizes the RPC interface to file server processes to display and monitor the status of file servers. The `uss` command interfaces with `ptserver`, `volserver`, and `vlserver` to create new user accounts. - -The Cache Manager also exports an RPC interface. This interface is used principally by file server machines to break callbacks. It can also be used to obtain Cache Manager status information. The program `cmdebug` shows the status of a Cache Manager using this interface. - -For additional information, Section 1.5 of the AFS System Administrator's Guide and the April 1990 Cache Update contain more information on ubik. Udebug information and short descriptions of all debugging tools were included in the January 1991 Cache Update. Future issues will discuss other debugging tools in more detail. - -[source: ] [Copyright 1991 Transarc Corporation] - -### 3.06 Which TCP/IP ports and protocols do I need to enable in order to operate AFS through my Internet firewall? - -Outbound destination ports for a client: - - kerberos 88/udp 88/tcp - ntp 123/udp - afs3-fileserver 7000/udp - afs3-ptserver 7002/udp - afs3-vlserver 7003/udp - afs3-volserver 7005/udp - -If you also plan to control AFS servers from a client, you will also need - - afs3-bosserver 7007/udp - -You will also need to allow an inbound port - - afs3-callback 7001/udp - -or if you are using Arla - - cachemanager 4711/udp - -(Note: if you are using NAT, you should try to to arrange for the UDP NAT timeout on port 7001 to be at least two hours. Recent [[OpenAFS]] server and client versions will try to send keepalives to keep the callback NAT entry open, but some consumer router/WiFi/NAT devices may have a timeout that is too short even for this keepalive. If the NAT entry expires, your cache manager will not be [[notified of file changes on the server|AdminFAQ#callbacks]] and you will only find out about file changes approximately after two hours, when the callback expires.) - -You will also need to allow various ephemeral UDP source ports for outbound connections, but you will need to do this for DNS and [[NTP|AdminFAQ#ntp]] anyway. - -### 3.07 Are setuid programs executable across AFS cell boundaries? - -By default, the setuid bit is ignored but the program may be run (without setuid privilege). It would be bad to allow arbitrary setuid programs in remote cells to run; consider that someone could put a setuid copy of `bash` in a personal cell, arrange for that to be visible via DNS `SRV` records, and then `fs mkmount` a reference to it in their AFS space on e.g. a school machine. - -It is possible to configure an AFS client to honor the setuid bit. This is achieved by `root` (only) running: - - root@toontown # fs setcell -cell $cellname -suid - -where `$cellname` is the name of the foreign cell. Use with care! - -Note that making a program setuid (or setgid) in AFS does **not** mean that the program will get AFS permissions of a user or group. To become AFS authenticated, you have to `aklog`. If you are not authenticated to AFS, AFS treats you as `system:anyuser`. setuid only affects local Unix permissions (and is meaningless on Windows clients). - -### 3.08 How can I run daemons with tokens that do not expire? - -It is not a good idea to run with tokens that do not expire because this would weaken one of the security features of Kerberos. A (slightly) better approach is to re-authenticate just before the token expires. (Even more preferable would be to get a token for a particular operation, preferably from the user performing some operation, but this is not always possible, especially with services that are not aware of Kerberos.) - -The most common way to achieve this these days is to generate a keytab containing the credentials you want the daemon to have, and use a program like [k5start](http://www.eyrie.org/~eagle/software/kstart/) to run the daemon with those credentials. - -### 3.09 Can I check my users' passwords for security purposes? - -The major Kerberos implementations (MIT Kerberos and Heimdal) all include ways to do password strength checking when a user chooses a password. There are not currently any (public!) utilities to check keys in a KDC (which are generated from passwords) against dictionaries; and you cannot (generally) generate an unencrypted KDC dump to check them (the KDC keys are double-encrypted: not only are they stored as encrypted keys instead of the original plaintext passwords, but the entire record is encrypted with the KDC's own master key). - -### 3.10 Is there a way to automatically balance disk usage across fileservers? - -Yes. There is a tool, balance, which does exactly this. It can be retrieved via anonymous ftp from . (It does not appear to have been updated since late 2003). - -Actually, it is possible to write arbitrary balancing algorithms for this tool. The default set of "agents" provided for the current version of balance balance by usage, # of volumes, and activity per week, the latter currently requiring a source patch to the AFS volserver. Balance is highly configurable. - -Author: Dan Lovinger Contact: Derrick Brashear <shadow+@andrew.cmu.edu> - -### 3.11 Can I shutdown an AFS fileserver without affecting users? - -Yes, this is an example of the flexibility you have in managing AFS. - -Before attempting to shutdown an AFS fileserver you have to make some arrangements that any services that were being provided are moved to another AFS fileserver: - -1. Move all AFS volumes to another fileserver. (Check you have the space!) This can be done "live" while users are actively using files in those volumes with no detrimental effects. - -1. Make sure that critical services have been replicated on one (or more) other fileserver(s). Such services include: - - `vlserver` - Volume Location server - - `ptserver` - Protection server - - `buserver` - Backup server - - `kaserver` - Old Kerberos Authentication server - - `fileserver` - - Kerberos KDCs, or `kaserver` on older installations - -It is simple to test this before the real shutdown by issuing: - - bos shutdown $server $service - -where `$server` is the name of the server to be shutdown and `$service` is `-all` or the specific service to be shut down. Note that a service instance may *not* be the same as the service name; use `bos status $server` to check. (One common configuration uses short names like `pts` or even `pt` for the `ptserver` service, for example.) - -Kerberos services are usually not managed via `bos`; check the OS's services manager for `krb5kdc`, `kadmind`, `kpasswdd`, and similar. (Different Kerberos implementations will have different service daemons.) - -Other points to bear in mind: - -- `vos remove` any RO volumes on the server to be shutdown. Create corresponding RO volumes on the 2nd fileserver after moving the RW. There are two reasons for this: - 1. An RO on the same partition ("cheap replica") requires less space than a full-copy RO. - 2. Because AFS always accesses RO volumes in preference to RW, traffic will be directed to the RO and therefore quiesce the load on the fileserver to be shutdown. -- If you are still using `kaserver` and the system to be shutdown has the lowest IP address, there may be a brief delay in authenticating because of timeout experienced before contacting a second `kaserver`. - -### 3.12 How can I set up mail delivery to users with `$HOME`s in AFS? - -Preferably, don't. This has been found to scale poorly because of high load on read-write servers; mail clients check for new mail every few minutes (or even seconds) and this will cause problems for any file server. Additionally, as the mail server cannot authenticate to AFS as the receiving user, you need to carefully manage permissions on the receiving directory tree to avoid mail being lost or the directory being used as a general dropbox with potential security implications. - -See [this message](http://www.openafs.org/pipermail/openafs-info/2007-June/026621.html) for more information about the scalability of mail delivery onto a shared fileserver. (Something to think about: very similar considerations are why the recommendation for Exchange mail servers is to only have a small number of users on each mailbox server.) - -If you absolutely must do this for some reason, here's one way to do it. - -First, you must have your mail delivery daemon AFS authenticated (probably as "`postman`" or similar). [`kstart`](http://www.eyrie.org/~eagle/software/kstart/) can be used to do this. (Note that the mail delivery agent cannot authenticate as the actual user! To do so, it would need access to keytabs for each possible recipient; and it is almost certainly a bad idea to give it access to such keytabs.) - -Second, you need to set up the ACLs so that "`postman`" has lookup rights down to the user's `$HOME` and "`lik`" on the destination directory (for this example, we'll use `$HOME/Mail`). - -### 3.13 Should I replicate a [[ReadOnly]] volume on the same partition and server as the [[ReadWrite]] volume? - -Yes, Absolutely! It improves the robustness of your served volumes. - -If [[ReadOnly]] volumes _exist_ (_not_ just "are available"), Cache Managers will not utilize the [[ReadWrite]] version of the volume except via an explicit [[ReadWrite]] mountpoint. This means if **all** RO copies are on dead servers, are offline, are behind a network partition, etc, then clients will not be able to get the data, even if the RW version of the volume is healthy, on a healthy server and in a healthy network. - -However, you are **very** strongly encouraged to keep one RO copy of a volume on the _same server and partition_ as the RW. There are two reasons for this: - -1. The RO that is on the same server and partition as the RW is a clone (just a copy of the header, not a full copy of each file). It therefore is very small, but provides access to the same set of files that all other (full copy) [[ReadOnly]] volumes do. Transarc trainers referred to this as the "cheap replica"; some admins call it a "shadow", but this is not the same as a [[shadow volume|AdminFAQ#shadow volume]]. -2. To prevent the frustration that occurs when all your ROs are unavailable but a perfectly healthy RW was accessible but not used. - -If you keep a "cheap replica", then by definition, if the RW is available, one of the ROs is also available, and clients will utilize that site. - -### 3.14 Will AFS run on a multi-homed fileserver? - -(multi-homed = host has more than one network interface.) - -Yes, it will. Older AFS assumed that there is one address per host, but modern [[OpenAFS]] identifies servers ad clients by UUIDs (universally unique identifiers) so that a fileserver will be recognized by any of its registered addresses. - -See the documentation for the [`NetInfo`](http://docs.openafs.org/Reference/5/NetInfo.html) and [`NetRestrict`](http://docs.openafs.org/Reference/5/NetRestrict.html) files. The UUID for a fileserver is generated when the [`sysid`](http://docs.openafs.org/Reference/5/sysid.html) file is created. - -If you have multiple addresses and must use only one of them (say, multiple addresses on the same subnet), you may need to use the `-rxbind` option to the network server processes `bosserver`, `kaserver`, `ptserver`, `vlserver`, `volserver`, `fileserver` as appropriate. (Note that some of these do not currently document `-rxbind`, notably `kaserver` because it is not being maintained. Again, the preferred solution here is to migrate off of `kaserver`, but the `rxbind` option _will_ work if needed.) - -Database servers can *not* safely operate multihomed; the Ubik replication protocol assumes a 1-to-1 mapping between addresses and servers. Use the [`NetInfo`](http://docs.openafs.org/Reference/5/NetInfo.html) and [`NetRestrict`](http://docs.openafs.org/Reference/5/NetRestrict.html) files to associate database servers with a single address. - -### 3.15 Can I replicate my user's home directory AFS volumes? - -No. - -Users with `$HOME`s in `/afs` normally have an AFS [[ReadWrite]] volume mounted in their home directory. You can replicate a RW volume, but only as a [[ReadOnly]] volume; there can only be one instance of a [[ReadWrite]] volume. - -In theory you could have RO copies of a user's RW volume on a second server, but in practice this won't work for the following reasons: - -a) AFS has a bias to always access the RO copy of a RW volume if one exists. So the user would have a [[ReadOnly]] `$HOME`, which is not very useful. (You could use an RW mountpoint to avoid this.) -b) [[ReadOnly]] volumes are not automatically updated; you would need to manually update each user volume (e.g. `vos release user.fred; fs checkv`). - -The bottom line is: you cannot usefully replicate `$HOME`s across servers. - -(That said, there is one potentially useful case: if there is an extended fileserver outage, you can use `vos convertROtoRW` to promote a [[ReadOnly]] volume to [[ReadWrite]]. You should only do this if the alternative is restoring the entire contents of the downed fileserver from a backup; should the fileserver return to service, the attempt to re-register additional [[ReadWrite]] volume instances will fail. As such, *if* you make sure to use a [[ReadWrite]] mountpoint for user volumes, replicating a user's `$HOME` may prove useful as an online backup.) - -### 3.16 How can I list which clients have cached files from a server? - -By using the following script, which should work in a POSIX-compliant shell, `ksh` or `bash` (but check the path to `rxdebug`, and you need `nslookup` to be installed): - - #!/bin/ksh - - # - # NAME afsclients - # AUTHOR Rainer Toebbicke - # DATE June 1994 - # PURPOSE Display AFS clients which have grabbed files from a server - - if [ $# = 0 ]; then - echo "Usage: $0 ... " - exit 1 - fi - for n; do - /usr/afsws/etc/rxdebug -servers $n -allconn - done | - grep '^Connection' | - while read x y z ipaddr rest; do - echo $ipaddr - done | - sort -u | - while read ipaddr; do - ipaddr=${ipaddr%%,} - n="`nslookup $ipaddr`" - n="${n##*Name: }" - n="${n%%Address:*}" - n="${n##*([ ])}" - n="${n%?}" - echo "$n ($ipaddr)" - done - -An alternative in Perl (still requires `rxdebug` but not `nslookup`): - - #! /usr/bin/perl -w - use strict; - use warnings; - use Socket; - - my %client; - for my $fs (@ARGV) { - open my $rx, '-|', "rxdebug -server \Q$fs\E -allconn" or die "rxdebug: $!"; - while (<$rx>) { - /^Connection from host (\S+),/ and $client{$1} = 1; - } - } - for my $ip (keys %client) { - my ($ia, $host); - $ia = inet_aton($ip); - if (defined ($host = gethostbyaddr($ia, AF_INET))) { - $client{$ip} = "$host ($ip)"; - } else { - $client{$ip} = $ip; - } - } - for my $host (sort values %client) { - print $host, "\n"; - } - -### 3.17 Do Backup volumes require as much space as [[ReadWrite]] volumes? - -Occasionally, but usually not. A backup volume consists of copy-on-write clones of the files in the original volume; if the file in the original is then modified, it will be copied first, leaving the backup volume pointing at the original version. The BK volume is re-synchronised with the RW next time a `vos backup` or `vos backupsys` is run. - -The space needed for the BK volume is directly related to the size of all files changed in the RW between runs of `vos backupsys`. - -### 3.18 Should I run `ntpd` on my AFS client? - -Yes. You should not rely on older time services such as `timed` or programs such as `ntpdate`, and should not use the legacy `settime` functionality of the AFS client. You should also avoid using automatic time synchronization provided by virtual machine hypervisors (indeed, VMware specifically recommends disabling its time synchronization on Linux and using `ntpd`). - -The AFS Servers make use of NTP [[[NTP|FurtherReading#NTP]]] to synchronise time each other and typically with one or more external NTP servers. By default, clients synchronize their time with one of the servers in the local cell. Thus all the machines participating in the AFS cell have an accurate view of the time. - -For further details on NTP see . The latest version is 4.2.6, dated December 2011, which is **much** more recent that the version packaged with Transarc AFS. OpenAFS no longer ships with `timed`, since it is assumed that all sites use NTP. - -A list of NTP servers is available from . Note that you should prefer to have one or more master local servers sync to one of the "pool" servers for your continent, and other local clients sync to the master local server(s). - -The default time setting behavior of the AFS client can be disabled by specifying the `-nosettime` argument to [afsd](http://www.transarc.ibm.com/Library/documentation/afs/3.5/unix/cmd/cmd53.htm). It is **strongly** recommended that you run NTP and use `-nosettime` on all machines (clients *and* servers). - -### 3.19 Why and how should I keep `/usr/vice/etc/CellServDB` current? - -On AFS clients, `/usr/vice/etc/CellServDB` defines the cells (and their db servers) that can be accessed via `/afs`. Over time, site details change: servers are added/removed or moved onto new network addresses; new cells appear. While some of this can be handled by means of DNS `AFSDB` or `SRV` records, you must know about a cell to even be able to ask about it; the [[CellServDB]] acts as a central directory of cell. (Of course, it is sometimes a good idea to not advertise some internal cells; but that also means not putting them in public-facing DNS, so you will likely want a local [[CellServDB]].) - -In order to keep up-to-date with such changes, the [[CellServDB]] file on each AFS client should be kept consistent with some master copy (at your site). - -As well as updating [[CellServDB]], your AFS administrator should ensure that new cells are mounted in your cell's `root.afs` volume. If a cell is added to [[CellServDB]], either the **client** must be restarted or you must use [`fs newcell`](http://docs.openafs.org/Reference/1/fs_newcell.html) to register the new cell information with the running client. - -The official public master [[CellServDB]] is maintained at `grand.central.org`, from or . You can send updates for this to . - -The client [[CellServDB]] file must not reside under `/afs` (since it needs to exist before the client starts!) and is best located in local filespace. - -After obtaining an updated [[CellServDB]] and distributing to clients, you will want to run a script similar to this Perl script. (It could be written in shell, but not comprehensibly. Feel free to reimplement in your preferred language.) - - #! /usr/bin/perl - use strict; - use warnings; - - # - # Given a CellServDB file (may be local, may be master), issue "fs newcell" for each listed - # cell. We don't bother checking for changes, as that's much more expensive than making an - # unnecessary change. - # - # Expected usage via puppet: rather than making it the restart/reconfigure action for the - # client (or server) we depend on an exec stanza which does so. No point in running it if - # what changed is something else that requires a full restart. - # - - my $cell; - my @srv = (); - - while (<>) { - chomp; - if (/^>(\S+)(?:\s|\Z)/) { - if (defined $cell and @srv) { - system 'fs', 'newcell', $cell, @srv and die "fs newcell failed"; - } - $cell = $1; - @srv = (); - } - # same rules as afsd: if the name doesn't resolve, use the IP - elsif (defined $cell and /(^\d+\.\d+\.\d+\.\d+)\s*#(\S+)\s*$/) { - if (defined gethostbyname($2)) { - push @srv, $2; - } else { - push @srv, $1; - } - } - else { - warn "line $ {.}: can't parse \"$_\"\n"; - } - } - # last entry - if (defined $cell and @srv) { - system 'fs', 'newcell', $cell, @srv and die "fs newcell failed"; - } else { - warn "line $ {.}: no valid cells found\n"; - } - -### 3.20 How can I compile a list of AFS fileservers? - -Here is a Bourne shell command to do it (it will work in GNU bash and the Korn shell, too, and even `csh`): - - stimpy@nick $ vos listvldb -cell `cat /usr/vice/etc/ThisCell` | awk '/server/ {print $2}' | sort -u - -### 3.21 How can I set up anonymous FTP login to access `/afs`? - -The easiest way on a primarily "normal" machine (where you don't want to have everything in AFS) is to actually mount `root.cell` under `~ftp`, and then symlink `/afs` to `~ftp/afs` or whatever. It's as simple as changing the mountpoint in `/usr/vice/etc/cacheinfo` and restarting `afsd`. - -Note that when you do this, anon ftp users can go anywhere `system:anyuser` can (or worse, if you're using IP-based ACLs and the ftp host is listed in any PTS groups). The only "polite" solution I've arrived at is to have the ftp host machine run a minimal [[CellServDB]] and police my ACLs tightly. - -Alternatively, you can make `~ftp` an AFS volume and just mount whatever you need under that - this works well if you can keep everything in AFS, and you don't have the same problems with anonymous "escapes" into `/afs`. (Note that you can often use host `tmpfs` mounts onto AFS directories to hide things or provide host-specific paths.) - -Note that similar considerations apply to web access; it used to be not uncommon for accidental misconfigurations of MIT's web hosts to result in people's home directories showing up in Google searches. This **will** annoy people who do not think of their [[OpenAFS]] home directory as being world-visible! (even though they should realize it and set their ACL appropriately) - -### 3.22 Is the data sent over the network encrypted in AFS? - -[[OpenAFS]] has an `fs` subcommand to turn on encryption of regular file data sent and received by a client. This is a per client setting that persists until reboot. No server actions are needed to support this change. The syntax is: - - fs setcrypt on - fs setcrypt off - fs getcrypt - -Note that this only encrypts network traffic between the client and server. The data on the server's disk is not encrypted, nor is the data in the client's disk cache. The encryption algorithm used is [fcrypt](http://surfvi.com/~ota/fcrypt-paper.txt), which is a DES variant. Additionally, data read/written without a token is not encrypted over the wire. This (and the use of DES variants, both here and in general) is a shortcoming of AFS's security protocols and is being addressed by the development of a new `rxgk` protocol. - -Enabling encryption by default: - -- [[RedHat]] Linux: ([src](https://lists.openafs.org/pipermail/openafs-info/2002-July/005085.html)) change the last line of `/etc/sysconfig/afs` to `AFS_POST_INIT="/usr/bin/fs setcrypt on"` -- Windows ([src](https://lists.openafs.org/pipermail/openafs-info/2003-June/009416.html)) set the following registry value named `SecurityLevel` under `HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters` to 2. - -### 3.23 What underlying filesystems can I use for AFS? - -See also [[SupportedConfigurations]]. - -What filesystems can be used for fileserver partitions depends on what `configure` switches were used during compilation from sources. To be always on the safe side, use the `--enable-namei-fileserver` configure flag; that will give you a `fileserver` binary which can act on any `/vicep*` partition regardless of its filesystem type. With the namei file server, you can basically use any filesystem you want. The namei file server does not do any fancy stuff behind the scenes but only accesses normal files (their names are a bit strange though). - -Older versions of AFS also provided an inode fileserver. On older Solaris it once gave a 10% speedup over the namei fileserver; but with modern operating systems and disks, the performance difference is negligible. The inode fileserver cannot run on every filesystem, as it abuses the filesystem internals to store AFS metadata and opens files directly by inode number instead of going through the normal filesystem access methanisms. The `fsck` distributed with the operating system will consider these inode-accessed files to be "dangling" and either link them into `lost+found` or delete them entirely; it will also often corrupt the AFS metadata, which it doesn't know about. As of [[OpenAFS]] 1.6, inode fileservers are no longer supported; you can still build from source with inode support, but it has bugs and should only be used in a read-only configuration to copy volumes to a namei fileserver host. - -On the client side, the cache partition requires a filesystem supporting the inode abstraction for the cache (usually `/var/vice/cache`) since the cache manager references files by their inode. Fortunately, it does not store metadata in "unused" parts of the filesystem, and cache creation always provides proper names for the cache files so they won't be damaged by `fsck`. - -The following file systems have been reported _not_ to work for the AFS client cache: - -- [[ReiserFS]] -- vxfs (HP-UX) -- advfs (Tru64), it initially works but eventually corrupts the cache -- efs (SGI) - Transarc AFS supported efs, but [[OpenAFS]] doesn't have a license to use the efs code -- zfs (Solaris, FreeBSD, other ports) - you can however use a zvolume with a ufs or other supported filesystem - -On certain OSes, the OpenAFS cache manager has some checks for unsupported filesystem types and will refuse to start, but these checks are not 100% reliable. - -The following file systems have been reported to work for the AFS client cache: - -- ext2 -- ext3 -- hfs (HP-UX) -- xfs (at least on IRIX 6.5) -- ufs (Solaris, [[Tru64Unix]]) - -### 3.24 Compiling [[OpenAFS]] from source - -(Modern [[OpenAFS]] supports proper packaging for various systems; these notes are still somewhat applicable but mostly relevant for 1.2.x.) - -The kernel component of [[OpenAFS]] must be compiled by the same kernel used to compile the kernel, e.g. Solaris must use the cc from SUNWspro and not gcc. [[Tru64Unix]] doesn't support modules, so you have to edit kernel config files and link statically into kernel. Dynamically loaded Kernel modules work on Linux, Solaris, Irix ... - - ./configure --enable-transarc-paths=/usr/etc --with-afs-sysname=i386_linux24 - make dest - cd dest/i386_linux24 - -... and continue the install process described in IBM AFS documentation. If you do "make install", you will end up with some stuff installed into /usr/local but something not, regardless the --enable-transarc-paths option ... "make install" it's messy. - -### 3.25 Upgrading [[OpenAFS]] - -(Modern [[OpenAFS]] supports proper packaging for various systems; these notes are still somewhat applicable but mostly relevant for 1.2.x.) - -These instructions assume a "dest" tree (the output of `make dest`, and the contents of the official binary distribution tarballs). It is generally preferable to use native packages when they exist; the packaging will handle most of the details of upgrading for you. - -#### Upgrade of AFS on Linux - - /etc/rc.d/init.d/afs stop - cd root.client/usr/vice/etc - tar cvf - . | (cd /usr/vice/etc; tar xfp -) - cp -p afs.rc /etc/rc.d/init.d/afs - cp ../../../../lib/pam_afs.krb.so.1 /lib/security - cd ../../../../root.server/usr/afs - tar cvf - . | (cd /usr/afs; tar xfp -) - # echo "auth sufficient /lib/security/pam_afs.so try_first_pass \ - ignore_root" >> /etc/pam.d/login - cd /lib/security - vim /etc/sysconfig/afs - ln -s pam_afs.krb.so.1 pam_afs.so - cd /etc/rc3.d - ln -s ../init.d/afs S99afs - cd ../rc0.d - ln -s ../init.d/afs K01afs - cp /usr/vice/etc/afs.conf /etc/sysconfig/afs - /etc/rc.d/init.d/afs start - -#### Upgrade of AFS on Solaris 2.6 - - cd /etc/rc3.d/ - mv S20afs aS20afs - init 6 - cd root.server/usr/afs - tar cvf - ./bin | (cd /usr/afs; tar xfp -) - cd ../../.. - cp root.client/usr/vice/etc/modload/libafs.nonfs.o /kernel/fs/afs - cp root.server/etc/vfsck /usr/lib/fs/afs/fsck - cd root.client/usr/vice - tar cvf - ./etc | (cd /usr/vice; tar xf -) - cd ../../.. - cp lib/pam_afs.krb.so.1 /usr/lib/security - cp lib/pam_afs.so.1 /usr/lib/security - cd /etc/rc3.d - mv aS20afs S20afs - init 6 - -#### Upgrade of AFS on Irix 6.5 - - /etc/chkconfig -f afsserver off - /etc/chkconfig -f afsclient off - /etc/chkconfig -f afsml off - /etc/chkconfig -f afsxnfs off - /etc/reboot - cd root.server/usr/afs - tar cvf - ./bin | (cd /usr/afs; tar xfp -) - cd ../../.. - cp root.client/usr/vice/etc/sgiload/libafs.IP22.nonfs.o /usr/vice/etc/sgiload - echo "AFS will be compiled statically into kernel" - echo "otherwise skip following lines and use chkconfig afsml on" - cp root.client/bin/afs.sm /var/sysgen/system - cp root.client/bin/afs /var/sysgen/master.d - echo "The next file comes from openafs-*/src/libafs/STATIC.*" - cp root.client/bin/libafs.IP22.nonfs.a /var/sysgen/boot/afs.a - cp /unix /unix_orig - /etc/autoconfig - echo "end of static kernel modifications" - cd root.client/usr/vice/etc - echo "Delete any of the modload/ files which don't fit your platform if you need space" - echo "These files originate from openafs-*/src/libafs/MODLOAD.*" - tar cvf - . | (cd /usr/vice/etc; tar xf -) - /etc/chkconfig -f afsserver on - /etc/chkconfig -f afsclient on - # /etc/chkconfig -f afsml on - afs is compiled statically into kernel, so leave afsml off - /etc/chkconfig -f afsml off - /etc/chkconfig -f afsxnfs off - /etc/reboot - -#### Upgrade of AFS on [[Tru64Unix]] - - cd root.server/usr/afs/ - tar cvf - ./bin | (cd /usr/afs; tar xfp -) - cd ../../../root.client/bin - cp ./libafs.nonfs.o /usr/sys/BINARY/afs.mod - ls -la /usr/sys/BINARY/afs.mod - doconfig -c FOO - cd ../../root.client/usr/vice - cp etc/afsd /usr/vice/etc/afsd - cp etc/C/afszcm.cat /usr/vice/etc/C/afszcm.cat - -### 3.26 Notes on debugging [[OpenAFS]] - -In case of troubles when you need only `fileserver` process to run (to be able to debug), run the `lwp` fileserver instead of the `pthreads` fileserver (`src/viced/fileserver` instead of `src/tviced/fileserver` if you have a buildtree handy): - - cp src/viced/fileserver /usr/afs/bin (or wherever) - bos restart localhost fs -local - -then attach with `gdb`. (This may be less necessary with recent `gdb`; its `pthreads` support used to be quite abysmal. [*ed.*]) - -To debug if client running `afsd` kernel process talks to the servers from [[CellServDB]], do: - - tcpdump -vv -s 1500 port 7001 - -Other ports are: - - afs3-fileserver 7000/udp # file server itself - afs3-callback 7001/udp # callbacks to cache managers - afs3-prserver 7002/udp # users & groups database - afs3-vlserver 7003/udp # volume location database - afs3-kaserver 7004/udp # AFS/Kerberos authentication service - afs3-volser 7005/udp # volume managment server - afs3-errors 7006/udp # error interpretation service - afs3-bos 7007/udp # basic overseer process - afs3-update 7008/udp # server-to-server updater - afs3-rmtsys 7009/udp # remote cache manager service - -When `tcpdump` doesn't help, try: - - fstrace setset cm -active - # make your error happen - fstrace dump cm - -### 3.27 Tuning client cache for huge data - -Use on afsd command line -chunk 17 or greater. Be carefull, with certain cache sizes afsd crashes on startup (Linux, [[Tru64Unix]] at least). It is possibly when dcache is too small. Go for: - - /usr/vice/etc/afsd -nosettime -stat 12384 -chunk 19 - - > So I ran the full suite of iozone tests (13), but at a single file - > size (128M) and one record size (64K). I set the AFS cache size to > 80000K for both memcache and diskcache. - - Note that memcache size and diskcache size are different things. - In the case of memcache, a fixed number of chunks are allocated - in memory, such that numChunks * chunkSize = memCacheSize. In - the case of disk cache, there are a lot more chunks, because the - disk cache assumes not every chunk will be filled (the underlying - filesystem handles disk block allocation for us). Thus, when you - have small file segments, they use up an entire chunk worth of - cache in the memcache case, but only their size worth of cache - in the diskcache cache. - - -- kolya - -### 3.28 Settting up PAM with AFS - -Solaris - - auth sufficient /lib/security/pam_afs.so debug try_first_pass ignore_root debug - auth required /lib/security/pam_env.so - auth sufficient /lib/security/pam_unix.so likeauth nullok - auth required /lib/security/pam_deny.so - - account required /lib/security/pam_unix.so - - password required /lib/security/pam_cracklib.so retry=3 type= - password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow - password required /lib/security/pam_deny.so - - session sufficient /lib/security/pam_afs.so set_token - session required /lib/security/pam_limits.so - session required /lib/security/pam_unix.so - - # reafslog is to unlock dtlogin's screensaver - other auth sufficient /usr/athena/lib/pam_krb4.so reafslog - -### 3.29 How can I have a Kerberos realm different from the AFS cell name? How can I use an AFS cell across multiple Kerberos realms? - -OpenAFS defaults to using a Kerberos realm generated from the cell name by uppercasing. You can instead tell it the Kerberos realm to use with a truncated `krb.conf` file: - - /usr/afs/etc/krb.conf # Transarc paths - /etc/openafs/server/krb.conf # FHS paths - -You do not list any KDCs in this file, just space-separated realms on a single line. See also [[below|AdminFAQ#multirealm]]. You can list a maximum of 2 realms in this file in older AFS, but [[OpenAFS]] 1.6 and later allow any number of realms. - -### 3.30 What are the `bos` instance types? How do I use them? - -There are, as of this writing, 4 types of [`bos`](http://docs.openafs.org/Reference/8/bos_create.html) server: - -* `simple` - a single program which will be kept running as needed. -* `cron` - a single program, plus a time at which it will be automatically run; typically used for cell backups. - The time looks like `04:00` to run every day at a given time, or `sun 04:00` to run once a week. Times may be specified in 24-hour or 12-hour (with am/pm suffix); weekdays may be full or abbreviated to 3 characters. Case is ignored. (A legacy usage allows the string `now` to be used; use [`bos exec`](http://docs.openafs.org/Reference/8/bos_exec.html) instead.) -* `fs` - a standard fileserver which has three programs that must be run together in a particular way. The `fs` server type will take care of starting, stopping, and restarting these programs in order to keep them working together. -* `dafs` - demand attach fileservers are similar to standard fileservers, but have an additional component program to be synchronized. The `dafs` server type will ensure these are started, stopped, and restarted correctly while maintaining synchronization. - -### 3.31 afsd gives me "`Error -1 in basic initialization.`" on startup - -When starting afsd, I get the following: - - # /usr/vice/etc/afsd -nosettime -debug - afsd: My home cell is 'foo.bar.baz' - ParseCacheInfoFile: Opening cache info file '/usr/vice/etc/cacheinfo'... - ParseCacheInfoFile: Cache info file successfully parsed: - cacheMountDir: '/afs' - cacheBaseDir: '/usr/vice/cache' - cacheBlocks: 50000 - afsd: 5000 inode_for_V entries at 0x8075078, 20000 bytes - SScall(137, 28, 17)=-1 afsd: Forking rx listener daemon. - afsd: Forking rx callback listener. - afsd: Forking rxevent daemon. - SScall(137, 28, 48)=-1 SScall(137, 28, 0)=-1 SScall(137, 28, 36)=-1 afsd: Error -1 in basic initialization. - -Make sure the kernel module has been loaded. Modern [[OpenAFS]] startup scripts should ensure this and report an error if it cannot be loaded, but startup scripts from older versions or on systems which can't use loadable kernel modules (requiring the kernel to be relinked) will not catch this and you will get these errors from `SScall`. - -### 3.32 Error "`afs: Tokens for user of AFS id 0 for cell foo.bar.baz are discarded (rxkad error=19270407)`" - - elmer@toontown ~$ translate_et 19270407 - 19270407 (rxk).7 = security object was passed a bad ticket - -or alternately - - elmer@toontown ~$ grep 19270407 /usr/afsws/include/rx/* - /usr/afsws/include/rx/rxkad.h:#define RXKADBADTICKET (19270407L) - -A common cause of this problem (error 19270407) is the use of periods ("`.`") in Kerberos V principals. If you have a Kerberos principal such as `my.name@REALM.COM` and create the corresponding `pts` userid `my.name`, you will get the cryptic error above. If you want to use such principal names and have OpenAFS 1.4.7 or later, you can pass the option `-allow-dotted-principals` to all server daemons to allow their use. See the `-allow-dotted-principals` option in the fileserver (or any server daemon) documentation for more information. (The problem here is that for compatibility reasons, [[OpenAFS]] uses Kerberos 4 name rules internally; while "`.`" was the name component separator in Kerberos 4, in [[Kerberos5]] it is "`/`" so [[OpenAFS]] translates `.` to `/` when passing names to Kerberos for verification. This means that a Kerberos 5 name with an embedded period cannot be used directly without disabling the translation; but with the translation disabled, you cannot easily use Kerberos 5 names with components. There is ongoing work in this area because `rxgk` requires proper support for these names.) - -In general, the `translate_et` utility can be used to find out what an AFS error number means. This only works for AFS errors; some utilities may also report Kerberos errors in this way, and `translate_et` will not work for these. Some sites have alternative utilities that understand Kerberos as well as AFS errors (see for example (here)[file:///afs/sinenomine.net/user/ballbery/public/translate_err]). - -### 3.33 I have tickets and tokens, but still get `Permission denied` for some operations. - -This can be caused by the above, or by not being in a server `UserList` (`/usr/afs/etc/UserList` or `/etc/openafs/server/UserList`). - -Also beware that, as described [[above|AdminFAQ#translate_et]], `UserList` accepts only Kerberos 4 name syntax: use `joe.admin` instead of `joe/admin`. See `https://lists.openafs.org/pipermail/openafs-devel/2002-December/008673.html` and the rest of the thread. - -### 3.34 Recovering broken AFS cache on clients - - >> Does anyone have a trick to force AFS to refresh its cache (for a - >> particular directory or even for all files?) The only way I know - >> how to accomplish this is to reboot, stop in single user mode, - >> rm -rf the cache files and let AFS rebuild everything. - > - > fs flush and fs flushv have cured corruption problems in the past - > on some of our clients. - - Thanks for the tip - I was not aware of the flush* subcommands. - Here's a little of what I saw today: - - ls -la - /bin/ls: asso.S14Q00246.all.log: Bad address - /bin/ls: asso.S14Q00246.all.lst: Bad address - /bin/ls: chr14markers.txt: Bad address - /bin/ls: geno.summary.txt: Bad address - /bin/ls: global.ind.S14Q00246.all.txt: No such device - /bin/ls: global.S14Q00246.all.txt: No such device - total 103 - [ other ls results as usual ] - - Flushing a particular file had no effect (the same error as shown above appears). Flushvolume took a long time, but when it eventually completed, the ls -la behaved exactly as one would expect. - -Recent [[OpenAFS]] (1.6.4 and newer) has an [`fs flushall`](http://docs.openafs.org/Reference/1/fs_flushall.html) command in addition to the `flush` and `flushvol` commands. - -Older AFS versions sometimes corrupted their cache filesystems in ways that `fs flushvol` cannot fix. Sometimes this can be corrected with - - root@toontown ~# fs setca 1; fs setca 0 - -(set the cache to minimum size, and then back to normal; beware that in most versions of Transarc AFS, you will have to specify the actual cache size instead of `0`!). If this does not work, you can force a cache rebuild by shutting down [[OpenAFS]] and removing `/var/vice/cache/CacheItems` (it is not necessary to remove all cache files), although you may want to remake the filesystem (`mkfs` or `newfs`) instead in case there is actual filesystem corruption. - -If this happens regularly, please file an OpenAFS bug. - -### 3.35 What does it mean for a volume to not be in the VLDB? - -If a volume is not in the VLDB, you will be unable to perform operations on it using its name; all "vos" operations will need to be done using its numerical id, server, and partition. Furthermore, if a volume is not in the VLDB, it cannot be reached via mountpoints. - -### 3.36 What is a Volume Group? - -You can think of a Volume Group as an RW volume, and all of the clones of that RW (its RO clone, BK clone, and any other clones). All of the volumes in a Volume Group on the same fileserver can share storage for data that is the same between all of them. This is why, for example, an RO clone usually takes up very little disk space; since an RW and its RO clone are in the same Volume Group, they can share storage for unchanged data. - -All of the volumes in a group usually have very similar volume ID numbers. For example, if an RW volume has ID 536870915, its RO clone will typically be 536870916. However, this is not required, as volume ID numbers can be almost anything. You can even manually specify what volume ID number you want for a volume when you create the volume with "`vos create`". - -Currently, you can only have about 8 volumes in a Volume Group. However, this limitation is due to technical details of the fileserver "namei" disk backend. If that backend is improved in the future, or if different backends are developed, the number of volumes in a volume group could be much greater. - -Some low-level documentation may refer to a "volume group ID". This is always the same as the RW volume ID. - -### 3.37 What is a Clone? - -A clone of a volume is a read-only copy of that volume which shares on-disk storage with the original volume. Backup volumes are a particular kind of clone volume. Read-only replicas which reside on the same partition as their read-write volume are another particular kind of clone volume. In some other storage systems this kind of volume is called a "snapshot". - -Clone volumes must belong to the same volume group (see [[previous question|AdminFAQ#volumegroup]]) as the volume which they are a clone of. - -In addition to backup and readonly clones, you may create up to three additional clones of a volume. To do this, use "`vos clone`". - -When you "`vos remove`" a volume, its "backup" clone will also be removed automatically. However, clones created with "`vos clone`" are **not** removed automatically. Unfortunately, these "dangling clones" will no longer be in the VLDB (see [[above|AdminFAQ#notinvldb]]). They belong to a volume group whose leader (RW volume) no longer exists, which is a somewhat undefined state for AFS. Such volumes should be manually deleted as soon as possible. - -### 3.38 What is a Shadow? - -A shadow of a volume is a duplicate of that volume which resides on a different partition. Shadow volumes do not share storage with their original volumes (unlike clones). A readonly volume on a **different** partition than its readwrite volume could be considered one particular example of a shadow volume; however, in practice the term "shadow volume" is used to refer to volumes created with "vos shadow" and not to refer to readonly volumes. - -A shadow of any readwrite volume may be created using the "vos shadow" command. This will create a new volume which is a shadow of the original volume, and will copy the contents of the old volume to the new volume. This will also set a bit in the header of the new volume that identifies it as a shadow volume. Shadow volumes do not appear in the VLDB (see [[above|AdminFAQ#notinvldb]]) -- "`vos shadow`" does not create a VLDB entry and "`vos syncvldb`" ignores shadow volumes. - -You can "refresh" a shadow volume from its original with "`vos shadow -incremental`". This operation will first check to make sure that the target of the operation is a shadow volume, to prevent the administrator from accidentally corrupting a non-shadow volume. However, if you shadow from a readwrite volume to some shadow of **another** volume, the shadow will be corrupted and will have to be deleted. `vos shadow` will only copy data which has changed, so it is very efficient. - -You can remove the shadow bit from a volume's header with "`vos syncvldb -force`". This will remove the shadow bit and create a VLDB entry for the volume, deleting any previous entry for the RW volume. However, the RW volume itself will not be deleted; it will simply exist without a VLDB entry. - -Attempting to create shadows of two different RW volumes on the same partition with the same name is prohibited by the `volserver`. Technically it is possible to create two shadow volumes with the same name on different partitions; however, this is not advisable and may lead to undefined behavior. - -(Some AFS administrators may refer to an RO clone of an RW volume on the same server/partition as a "shadow"; this terminology predates the existence of shadow volumes and should be avoided.) - -### 3.39 Can I authenticate to my AFS cell using multiple Kerberos realms? - -Yes. This can be useful if your organization has multiple Kerberos realms with identical user entries: For example you might have an MIT Kerberos realm for Unix-like systems, and an Active Directory domain for Windows with synchronized accounts. - -In order to make this work, you need to do 4 things. - -1. Add a key for the `afs` service to the additional realm and store it in a keytab: - - $ kadmin -q ank -e des-cbc-crc:v4 -kvno afs/your.cell.name@YOUR.SECOND.REALM.NAME - $ kadmin -q ktadd -e des-cbc-crc:v4 -k /path/to/afs.keytab afs/your.cell.name@YOUR.SECOND.REALM.NAME - - Note that a kvno must be specified for the key that is different than the kvno for your existing key(s) in the original realm. You can check on the kvno of the existing keys by running "`asetkey list`" on one of your servers. Since keys must be in ascending order in the AFS [[KeyFile]], it will be easiest if you make the new kvno higher than any existing key's kvno. - - It's also worth noting that the process of adding the key to a keytab (at least with MIT krb5) actually creates a new key first, so your kvno will end up being higher than what you specified when you added the principal. You can check on the current kvno by using the command "`kadmin -q getprinc afs/your.cell.name@YOUR.SECOND.REALM.NAME`". - -2. Add the new key to the [[KeyFile]] on your AFS servers: - - $ asetkey add /path/to/afs.keytab afs/your.cell.name@YOUR.SECOND.REALM.NAME - - Note that the kvno here needs to be the same one as is reported by the `kadmin getprinc` command. - -3. Create an AFS `krb.conf` with your additional realm's name in it, and place it on all of your AFS servers; see [[above|AdminFAQ#afskrbconf]]. - -4. Restart your AFS servers. - -At this point you should be able to run: - - kinit you@YOUR.SECOND.REALM.NAME - aklog - -and receive the same privileges as if you had run: - - kinit you@YOUR.CELL.NAME - aklog - -### 3.40 How can I ensure that the userids on client machines match the users' `pts` ids? - -You can use [libnss-afs](http://www.megacz.com/software/libnss-afs.html) for this. - -### 3.41 What is Fast Restart? - -When compiled with `--enable-fast-restart`, the file server will start up immediately, without first salvaging any volumes which cannot be attached. - -Disadvantages to Fast Restart, [as noted here](http://lists.openafs.org/pipermail/openafs-info/2008-May/029386.html) include: - -1. Volumes in need of salvage remain offline until an administrator intervenes manually -2. On an inode-based fileserver, salvaging a single volume crawls every inode; therefore, salvaging volumes individually (rather than partition-at-a-time) duplicates work. - -In [[OpenAFS]] 1.6 there is a [[demand attach fileserver|DemandAttach]] which provides even faster restart while reducing the drawbacks; you should use it instead. - -### 3.42 Why does AFS reboot itself spontaneously at 4:00am every Sunday? - -This was made to be the default behavior back in the days when OpenAFS servers had problems with leaking memory and other resources. These days, it is generally seen as not necessary. - -You can disable this behavior with: - - bos setrestart $SERVER_NAME never - bos setrestart $SERVER_NAME -newbinary never - -Newer versions of [[OpenAFS]] do not enable this by default. - -### 3.43 Why do I get an error -1765328370 when authenticating? - - tweety@toontown ~$ translate_err -1765328370 - krb5 error -1765328370 = KRB5KDC_ERR_ETYPE_NOSUPP - -(See [[here|AdminFAQ#translate_et]] for `translate_err`.) Usually this means that your KDC has support for `des-cbc-crc` and other weaker encryption types turned off. Re-enable support for DES encryption types and you will get further. - -Check `/etc/krb5.conf` and make sure it has something like the following in it: - - [libdefaults] - allow_weak_crypto = true - -Also check `kdc.conf` (possibly located in `/var/kerberos/krb5kdc`; check the documentation for your Kerberos packages) and make sure that `des-cbc-crc:normal` is in the `supported_enctypes` list. - -There is ongoing work to remove the need for DES enctypes. - diff --git a/general/FrequentlyAskedQuestions.mdwn b/general/FrequentlyAskedQuestions.mdwn deleted file mode 100644 index 2cd8217..0000000 --- a/general/FrequentlyAskedQuestions.mdwn +++ /dev/null @@ -1,12 +0,0 @@ -There are several FAQ web pages for AFS, the first is sort of official but old, dated 9 July 1998. - -- [[AFSFrequentlyAskedQuestions]] -- -- [AFS Question of the Week (from old Transarc site)](http://maben.homeip.net/static/computers/aix/afs/AFS%20Question%20of%20the%20Week.htm) -- Auf Deutsch - ----- - -Useful topics: [[SettingUpAuthentication]], [[CellAdministration]], [[CrossRealmAuthentication]], [[WWWtoAFS]] - --- Ted Anderson - 22 Jan, 14 Feb 2002 diff --git a/general/GeneralFAQ.mdwn b/general/GeneralFAQ.mdwn deleted file mode 100644 index 2d87b6d..0000000 --- a/general/GeneralFAQ.mdwn +++ /dev/null @@ -1,386 +0,0 @@ -[[!toc levels=3]] - - -## 1 General - -The General Section of the [[AFSFrequentlyAskedQuestions]]. - -- [[PreambleFAQ]] -- [[UsageFAQ]] -- [[AdminFAQ]] -- [[ResourcesFAQ]] -- [[AboutTheFAQ]] -- [[FurtherReading]] - -### 1.01 What is AFS? - -AFS is a distributed filesystem that enables co-operating hosts (clients and servers) to efficiently share filesystem resources across both local area and wide area networks. - -AFS is based on a distributed file system originally developed at the Information Technology Center at Carnegie-Mellon University that was called the "Andrew File System". - -"Andrew" was the name of the research project at CMU - honouring the founders of the University. A spin-off company, Transarc Corporation (now part of IBM), started producing and marketing a commercial version of AFS in 1989. - -In November, 2000, IBM Open-Sourced AFS, creating [[OpenAFS]]. [[OpenAFS]] is under active development; as of this writing, the 1.6.4 release is being prepared for Unix-like platforms, and the 1.7 series for Windows is updated regularly. - -### 1.02 Who supplies AFS? - -[[OpenAFS]] is available from the [[OpenAFS]] website. An independent open source project, Arla, supports some clients that [[OpenAFS]] does not, but has not been updated since release 0.90 in early 2007; the release of [[OpenAFS]] largely removed the reasons for the development of Arla and its sister project Milka (an open source AFS server). - -There is also an incomplete kernel-based AFS client (only) for Linux, maintained by Red Hat Software. - -IBM no longer markets AFS and has declared an end-of-life for support. - - - - - - - - - - - - - - -
[[OpenAFS]]WWW: http://www.openafs.org/
Arla WWW: http://www.stacken.kth.se/projekt/arla/
kAFS see Documentation/filesystems/afs.txt in the Linux kernel source tree
- -### 1.03 What is `/afs`? - -The root of the AFS filetree is `/afs`. If you execute `ls /afs`, you will see directories that correspond to AFS cells (see below). These cells may be local (on same LAN) or remote (e.g. halfway around the world). - -With AFS you can access all the filesystem space under `/afs` with commands you already use (e.g. `cd`, `cp`, `rm`, and so on) provided you have been granted permission (see AFS ACL below). - -### 1.04 What is an AFS cell? - -An AFS cell is a collection of servers grouped together administratively and presenting a single, cohesive filesystem. Typically, an AFS cell is a set of hosts that use the same Internet domain name. - -Normally, a variation of the domain name is used as the AFS cell name. - -Users log into AFS client workstations which request information and files from the cell's servers on behalf of the users. - -### 1.05 What are the benefits of using AFS? - -The main strengths of AFS are its: - -- caching facility -- security features -- simplicity of addressing -- scalability -- communications protocol - -Here are some of the advantages of using AFS in more detail: - -#### 1.05.a Cache Manager - -AFS client machines run a Cache Manager process. The Cache Manager maintains information about the identities of the users logged into the machine, finds and requests data on their behalf, and keeps chunks of retrieved files on local disk. - -The effect of this is that as soon as a remote file is accessed a chunk of that file gets copied to local disk and so subsequent accesses (warm reads) are almost as fast as to local disk and considerably faster than a cold read (across the network). - -Local caching also significantly reduces the amount of network traffic, improving performance when a cold read is necessary. - -Many modern NFS implementations provide metadata caching, but this caching is limited and the protocol support for it is somewhat weak, with the result that cached NFS can get out of sync with the server. NFS does not support file data caching at all, although some operating systems can be configured to make use of a separate cache filesystem module which must be configured separately from NFS on each client workstation and for each NFS mountpoint. As this cache is separate, it can only avoid becoming out of sync with the remote filesystem at the price of extra validation and additional network traffic to detect updates every time the file is accessed (or, if there is a delay set to minimize this traffic, it will "miss" remote changes made within that window); [[OpenAFS]]'s integrated cache, by comparison, will be notified of changes on the fileserver (by means of "callback breaking") and only needs to check explicitly for remote updates if the callback has expired (roughly 2 hours). In addition, for files on a read-only volume, it is sufficient to check for a volume update to revalidate all locally cached files on that volume. - -#### 1.05.b Location independence - -Unlike NFS, which makes use of a per-client mount table (such as `/etc/filesystems` on AIX or `/etc/fstab` on Linux) to map (mount) between a local directory name and a remote filesystem, AFS does its mapping (filename to location) at the server. This has the tremendous advantage of making the served filespace location independent. - -Location independence means that a user does not need to know which fileserver holds the file, the user only needs to know the pathname of a file. Of course, the user does need to know the name of the AFS cell to which the file belongs. Use of the AFS cellname as the second part of the pathname (e.g. `/afs/$AFSCELL/somefile`) is helpful to distinguish between file namespaces of local and non-local AFS cells. - -To understand why such location independence is useful, consider having 20 clients and 2 servers. Let's say you had to move a filesystem `/home` from server `a` to server `b`. - -Using NFS, you would have to change the `/etc/fstab` file on 20 clients and take `/home` off-line while you moved it between servers. - -With AFS, you simply move the AFS volume(s) which constitute `/home` between the servers. You do this "on-line" while users are actively using files in `/home` with no disruption to their work. - -(Actually, the AFS equivalent of `/home` would be `/afs/$AFSCELL/home`, where `$AFSCELL` is the AFS cellname.) - -#### 1.05.c Scalability - -With location independence comes scalability. An architectural goal of the AFS designers was client/server ratios of 200:1; some sites exceed this ratio. Exactly what ratio your cell can use depends on many factors including: - -- number of AFS files -- size of AFS files -- rate at which changes are made -- rate at which file are being accessed -- speed of server's processor(s) -- I/O rates -- network bandwidth - -AFS cells can range from the small (1 server/client) to the massive (with hundreds of servers and thousands of clients). Cells can be dynamic: it is simple to add new fileservers or clients and grow the computing resources to meet new user requirements. - -#### 1.05.d Improved security - -Firstly, AFS makes use of Kerberos to authenticate users. This improves security for several reasons: - -- passwords do not pass across the network in plaintext - -- encrypted passwords no longer need to be visible - - You don't have to use NIS, aka yellow pages, to distribute /etc/passwd - thus "ypcat passwd" can be eliminated. - - If you do choose to use NIS, you can replace the password field with "X" so the encrypted password is not visible. (These issues are discussed in detail in [[[AdminGuide|FurtherReading#AdminGuide]]]). - -- AFS uses mutual authentication - both the service provider and service requester prove their identities - -Secondly, AFS uses access control lists (ACLs) to enable users to restrict access to their own directories. - -Some (not all) implmentations of NFS version 3 can use Kerberos authentication; NFS version 4 adds ACLs, but not all NFS4 implementations interoperate well. Additionally, configuring NFS to use Kerberos, even when it is supported, is often painful and can lead to interoperability problems. - -#### 1.05.e Single systems image (SSI) - -Establishing the same view of filestore from each client and server in a network of systems (that comprise an AFS cell) is an order of magnitude simpler with AFS than it is with, say, NFS. - -This is useful to do because it enables users to move from workstation to workstation and still have the same view of filestore. It also simplifies part of the systems management workload. - -In addition, because AFS works well over wide area networks, the SSI is also accessible remotely. - -As an example, consider a company with two widespread divisions (and two AFS cells): `ny.acme.com` and `sf.acme.com`. Mr. Fudd, based in the New York office, is visiting the San Francisco office. - -Mr. Fudd can then use any AFS client workstation in the San Francisco office that he can log into (a unprivileged guest account would suffice). He could authenticate himself to the `ny.acme.com` cell and securely access his New York filespace, and he doesn't need to remember a different path even though he's working from a remote cell. - -For example: - -The following shows a guest in the `sf.acme.com` AFS cell: - -1. add AFS executables directory to `PATH` -2. obtaining a PAG with `pagsh` command (see 2.06) -3. use `kinit` and `aklog` to authenticate into the `ny.acme.com` AFS cell -4. making a `HOME` away from home -5. invoking a homely `.profile` - - guest@toontown.sf.acme.com $ PATH=/usr/afsws/bin:$PATH; export PATH # {1} - guest@toontown.sf.acme.com $ pagsh # {2} - $ kinit elmer@NY.ACME.COM # {3} - Password for elmer@NY.ACME.COM: - $ aklog -cell ny.acme.com - $ HOME=/afs/ny.acme.com/user/elmer; export HOME # {4} - $ cd - $ . .profile # {5} - you have new mail - guest@toontown $ _ - -It is not necessary for the San Francisco system administrator to give Mr. Fudd an AFS account in the `sf.acme.com` cell. Mr. Fudd only needs to be able to log into an AFS client that is: - -1. on the same network as his cell and -2. his `ny.acme.com` cell is mounted in the `sf.acme.com` cell (as would certainly be the case in a company with two cells). - -#### 1.05.f Replicated AFS volumes - -AFS files are stored in structures called volumes. These volumes reside on the disks of the AFS file server machines. Volumes containing frequently accessed data can be read-only replicated on several servers. - -Cache managers (on users client workstations) will make use of replicate volumes to load balance. If accessing data from one replicate copy, and that copy becomes unavailable due to server or network problems, AFS will automatically start accessing the same data from a different replicate copy. - -An AFS client workstation will access the closest volume copy. By placing replicate volumes on servers closer to clients (eg on same physical LAN) access to those resources is improved and network traffic reduced. - -#### 1.05.g Improved robustness to server crash - -The Cache Manager maintains local copies of remotely accessed files. This is accomplished in the cache by breaking files into chunks of up to 64k (default chunk size). So, for a large file, there may be several chunks in the cache but a small file will occupy a single chunk (which will be only as big as is needed). - -A "working set" of files that have been accessed on the client is established locally in the client's cache (copied from fileserver(s)). - -If a fileserver crashes, the client's locally cached file copies remain readable but updates to cached files fail while the server is down. - -Also, if the AFS configuration has included replicated read-only volumes then alternate fileservers can satisfy requests for files from those volumes. - -#### 1.05.h "Easy to use" networking - -Accessing remote file resources via the network becomes much simpler when using AFS. Users have much less to worry about: want to move a file from a remote site? Just copy it to a different part of /afs. - -Once you have wide-area AFS in place, you don't have to keep local copies of files. Let AFS fetch and cache those files when you need them. - -#### 1.05.i Communications protocol - -The AFS communications protocol is optimized for Wide Area Networks. Retransmitting only the single bad packet in a batch of packets and allowing the number of unacknowledged packets to be higher (than in other protocols, see [[[Johnson90|FurtherReading#Johnson90]]]). - -#### 1.05.j Improved system management capability - -Systems administrators are able to make configuration changes from any client in the AFS cell (it is not necessary to login to a fileserver). - -With AFS it is simple to effect changes without having to take systems off-line. - -Example: - -A department (with its own AFS cell) was relocated to another office. The cell had several fileservers and many clients. How could they move their systems without causing disruption? - -First, the network infrastructure was established to the new location. The AFS volumes on one fileserver were migrated to the other fileservers. The "freed up" fileserver was moved to the new office and connected to the network. - -A second fileserver was "freed up" by moving its AFS volumes across the network to the first fileserver at the new office. The second fileserver was then moved. - -This process was repeated until all the fileservers were moved. - -All this happened with users on client workstations continuing to use the cell's filespace. Unless a user saw a fileserver being physically moved (s)he would have no way to tell the change had taken place. - -Finally, the AFS clients were moved - this was noticed! - -### 1.06 Which systems is AFS available for? - -[[OpenAFS]], as of the 1.6.2 release for Unix and 1.7.24 for Windows, is currently available in binary releases for: - -- IBM AIX 5.3, 6.1 -- Fedora Core 15, 16, 17, 18 (Intel) -- [[FreeBSD]] 8.2, 8.3, 9.0, 9.1 (Intel) -- [[MacOS]] X 10.6-10.8 (Intel) (Snow Leopard, Lion, Mountain Lion) -- RHEL 5, 6 (Intel) -- SuSE Enterprise 10, 11 (Intel) -- Solaris 10, 11 (Sparc and Intel) -- Windows 2000/XP/2003/Vista/7 - -These are only the platforms for which official binary releases are prepared; it can be built from source for a large number of additional platforms including HP-UX, SGI, OpenBSD, NetBSD, and older releases and other CPU architectures of supported platforms. - -### 1.07 What does `ls /afs` display in the Internet AFS filetree? - -Essentially this displays the AFS cells that co-operate in the Internet AFS filetree. - -Note that the output of this will depend on the cell you do it from; a given cell may not have all the publicly advertised cells available, and it may have some cells that aren't advertised outside of the given site. - -The definitive source for this information is [[/afs/grand.central.org/service/CellServDB|file:///afs/grand.central.org/service/CellServDB]]. - -Note that it is also possible to use AFS "behind the firewall" within the confines of your organization's network - you don't have to participate in the Internet AFS filetree. - -Indeed, there are lots of benefits of using AFS on a local area network without using the WAN capabilities. - -### 1.08 Why does AFS use Kerberos authentication? - -It improves security. - -Kerberos uses the idea of a trusted third party to prove identification. This is a bit like using a letter of introduction or quoting a referee who will vouch for you. - -When a user authenticates using the klog command (s)he is prompted for a password. If the password is accepted the Kerberos server provides the user with an encrypted token (containing a "ticket granting ticket"). - -From that point on, it is the encrypted token that is used to prove the user's identity. These tokens have a limited lifetime (typically a day) and are useless when expired. - -In AFS, it is possible to authenticate into multiple AFS cells. A summary of the current set of tokens held can be displayed by using the "tokens" command. - -For example: - - elmer@toontown $ tokens - - Tokens held by the Cache Manager: - - User's (AFS ID 9997) tokens for afs@ny.acme.com [Expires Sep 15 06:50] - User's (AFS ID 5391) tokens for afs@sf.acme.com [Expires Sep 15 06:48] - --End of list-- - -Kerberos improves security because a users's password need only be entered once (at `kinit` time). - -AFS uses Kerberos to do complex mutual authentication which means that both the service requester and the service provider have to prove their identities before a service is granted. - -Originally AFS shipped with its own version of Kerberos 4, called `kaserver`. `kaserver` still ships at this time (1.6.2 release), but is deprecated in favor of using a true Kerberos 5 implementation. [[OpenAFS]] does not currently ship with a Kerberos 5 implementation; it is up to the administrator(s) to choose a version (MIT krb5, Heimdal, Active Directory, etc) and install it. [[OpenAFS]] will happily work with any KDC. - -For more detail on this and other Kerberos issues see the faq for Kerberos (posted to `news.answers` and `comp.protocols.kerberos`) [[[Jaspan|FurtherReading#Jaspan]]]. (Also, see [[[Miller87|FurtherReading#Miller87]]], [[[Bryant88|FurtherReading#Bryant88]]], [[[Bellovin90|FurtherReading#Bellovin90]]], [[[Steiner88|FurtherReading#Steiner88]]]) - -### 1.09 Does AFS work over protocols other than UDP? - -No. AFS was designed to work over UDP, and does not use TCP. - -There is some work being done (see -[here](http://conferences.inf.ed.ac.uk/eakc2012/slides/201210_eakc_oob.pdf)) to -allow AFS to make use of other network transports, including TCP, but this is -still experimental and undergoing development. - -### 1.10 How can I access AFS from my PC? - -You can use [[OpenAFS]] for Windows client. In the past year it has become very stable and robust. [[OAfW]] works with Kerberos for Windows in much the same way the Unix clients work with Kerberos. - -There is also [[Samba|http://www.samba.org]], an SMB server for UNIX. There are several ways to integrate AFS with Samba. See [[SMBtoAFS]]. - -Mac OS X and Linux users might find [[`sshfs`|http://en.wikipedia.org/wiki/SSHFS]] useful in some circumstances. - -### 1.11 How does AFS compare with NFS? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  AFS NFS
File Access Common name space from all workstations Different file names from different workstations
File Location Tracking Automatic tracking by file system processes and databases Mountpoints to files set by administrators and users
Performance Client caching to reduce network load; callbacks to maintain cache consistency No local disk caching without local configuration of `cachefs`; limited cache consistency
Andrew Benchmark (5 phases, 8 clients) Average time of 210 seconds/client Average time of 280 seconds/client
Scaling capabilities Maintains performance in small and very large installations Best in small to mid-size installations
  Excellent performance on wide-area configuration Best in local-area configurations
Security Kerberos mutual authentication Security based on unencrypted user ID's
  Access control lists on directories for user and group access No access control lists
Availability Replicates read-mostly data and AFS system information No replication
Backup Operation No system downtime with specially developed AFS Backup System Standard UNIX backup system
Reconfiguration By volumes (groups of files) Per-file movement
  No user impact; files remain accessible during moves, and file names do not change Users lose access to files and filenames change (mountpoints need to be reset)
System Management Most tasks performed from any workstation Frequently involves telnet to other workstations
Autonomous Architecture Autonomous administrative units called cells, in addition to file servers and clients File servers and clients
  No trust required between cells No security distinctions between sites
- [ source: ftp://ftp.transarc.com/pub/afsps/doc/afs-nfs.comparison ]
- -Other points: - -- Some vendors offer more secure versions of NFS but implementations vary. Many NFS ports have no extra security features (such as Kerberos). - -- The AFS Cache Manager can be configured to work with a RAM (memory) based cache. This offers signifigant performance benefits over a disk based cache. NFS has no such feature. Imagine how much faster it is to access files cached into RAM! - -- The Andrew benchmark demonstrates that AFS has better performance than NFS as the number of clients increases. A graph of this (taken from Andrew benchmark report) is available in: - - ![20050131\_graph\_afs\_nfs.jpg](http://i.imgur.com/Ir6YS.jpg) - diff --git a/general/PreambleFAQ.mdwn b/general/PreambleFAQ.mdwn deleted file mode 100644 index 63ba845..0000000 --- a/general/PreambleFAQ.mdwn +++ /dev/null @@ -1,90 +0,0 @@ -## 0 Preamble - -The Preamble of the [[AFSFrequentlyAskedQuestions]]. - - - -- [[GeneralFAQ]] -- [[UsageFAQ]] -- [[AdminFAQ]] -- [[ResourcesFAQ]] -- [[AboutTheFAQ]] -- [[FurtherReading]] - -### 0.01 Purpose and audience - -The aim of this compilation is to provide information about AFS including: - -- A brief introduction -- Answers to some often asked questions -- Pointers to further information - -Definitive and detailed information on AFS is provided in Transarc's AFS manuals ([[[UserGuide|FurtherReading#UserGuide]]], [[[CommandsRef|FurtherReading#CommandsRef]]], [[[AdminGuide|FurtherReading#AdminGuide]]]). - -The intended audience ranges from people who know little of the subject and want to know more to those who have experience with AFS and wish to share useful information by contributing to the faq. - -### 0.02 Acknowledgements - -The information presented here has been gleaned from many sources. Some material has been directly contributed by people listed below. - -- I would like to thank the following for contributing: - - Pierette Maniago VanRyzin (Transarc) - - Lyle Seaman (Transarc) - - Joseph Jackson (Transarc) - - Dan Lovinger (Microsoft) - - Lucien Van Elsen (IBM) - - Jim Rees (University of Michigan) - - Derrick J. Brashear (Carnegie Mellon University) - - Hans-Werner Paulsen (MPI fuer Astrophysik, Garching) - - Margo Hikida (Hewlett Packard) - - Michael Fagan (IBM) - - Robert Malick (National Institute of Health, USA) - - Rainer Toebbicke (European Laboratory for Particle Physics, CERN) - - Mic Bowman (Transarc) - - Mike Prince (IBM) - - Bob Oesterlin (IBM) - - Pat Wilson (Dartmouth College) - - Cristian Espinoza (Pontificia Universidad Catolica de Chile) - - Mary Ann DelBusso (Transarc) - - Michael Niksch (IBM) - - Kelly Chambers (Transarc) - -- Thanks also to indirect contributors: - - Ken Paquette (IBM) - - Lance Pickup (IBM) - - Lisa Chavez (IBM) - - Dawn E. Johnson (Transarc) - - David Snearline (University of Michigan Engineering) - - Rens Troost (New Century Systems) - - Anton Knaus (Carnegie Mellon University) - - Mike Shaddock (SAS Institute Inc.) - -If this compilation has any merit then much credit belongs to Pierette for giving inspiration, support, answers, and proof-reading. - -### 0.03 Disclaimer - -I make no representation about the suitability of this information for any purpose. - -While every effort is made to keep the information in this document accurate and current, it is provided "as is" with no warranty expressed or implied. - -### 0.04 Release Notes - -This compilation contains material used with permission of Transarc Corporation. Permission to copy is given provided any copyright notices and acknowledgements are retained. - ----- - -### 0.05 Quote - - "'Tis true; there's magic in the web of it;" Othello, Act 3 Scene 4 - --William Shakespeare (1564-1616) diff --git a/general/ResourcesFAQ.mdwn b/general/ResourcesFAQ.mdwn deleted file mode 100644 index 499a2c1..0000000 --- a/general/ResourcesFAQ.mdwn +++ /dev/null @@ -1,77 +0,0 @@ -[[!toc levels=3]] - -## 4 Getting more information - -The Administration Section of the [[AFSFrequentlyAskedQuestions]]. - -- [[PreambleFAQ]] -- [[GeneralFAQ]] -- [[UsageFAQ]] -- [[AdminFAQ]] -- [[AboutTheFAQ]] -- [[FurtherReading]] - -### 4.03 Where can I get training in AFS? - -IBM/Transarc has provided user and administrator courses. Those who have obtained it recently say that IBM is reluctant to provide training but will do so for a lot of money. - -Training in AFS has been offered recently at the LISA conference and at the AFS Best Practices Workshops, both offered annually. Keep an eye on for news about future training in these venues. - -### 4.04 Where can I find AFS resources in World Wide Web (WWW)? - -Here are some I have found (please let me know if you find more): - -- A collection of AFS information maintained by Derrick Brashear at CMU:
(Also accessible in: /afs/andrew.cmu.edu/usr/shadow/www) - -- AFS Tutorial (ALW/NIH):
[http://www.alw.nih.gov/Documentation/AFS\_tutorial.html](http://www.alw.nih.gov/Documentation/AFS_tutorial.html) - -- NCSA AFS User Guide:
- -- Transarc AFS Product Information:
[http://web.archive.org/web/20010604011953/www.transarc.ibm.com/Library/documentation/afs\_doc.html](http://web.archive.org/web/20010604011953/www.transarc.ibm.com/Library/documentation/afs_doc.html) - -- CERN AFS User's Guide:
- -- MIT SIPB's Inessential AFS:
- -- Linux AFS FAQ:
- -- Gentoo Linux Documentation:
- -### 4.05 Is there a mailing list for AFS topics? - -There are a bunch of [[OpenAFS]] mailing lists. A list is available at . - -The [[OpenAFS]]-Info and [[OpenAFS]]-devel lists are probably the most active. - -### 4.06 Where can I find an archive of ? - -There is a web archive at: - -### 4.09 Gibt es eine deutsche AFS Benutzer Gruppe? - -Ja, wenn Sie mitmachen wollen, schicken Sie bitte eine E-Mail an: - - - -Ueber diese Adresse werden "subscribe" und "unsubscribe" Requests bearbeitet. - -### 4.10 Donde puedo encontrar informacion en Espanol sobre AFS? - -Hay algunas notas en Espanol sobre AFS en: - -### 4.11 Are there books on AFS? - -"Managing AFS: The Andrew File System" by Richard Campbell was published by Prentice-Hall in February, 1998. It is supposedly out of print, but somehow there is always a copy or two available from Amazon [here.](http://www.amazon.com/exec/obidos/ASIN/0138027293/qid%3D1023720253/ref%3Dsr%5F11%5F0%5F1/104-0953845-2989550.) - -Recently a new book has come out, "Distributed Services with [[OpenAFS]]: for Enterprise and Education" by Wolfgang A. Gehrke and Franco Milicchio. It's also available [through Amazon](http://www.amazon.com/Distributed-Services-OpenAFS-Enterprise-Education/dp/3540366334/ref=pd_sim_b) and probably through most other on-line and brick-and-mortar stores. I (Steve Simmons) checked with a co-worker who has read it. He describes it as good for people who've not seen AFS before and might be setting up from scratch. - -### 4.12 Where can I find tools to use with AFS? - -A collection of AFS management tools used at Stanford University can be found at in the AFS section. Included in this collection are tools for handling volume creation, volume deletion, and migrating volumes, a tool for comparing read/write and read-only volumes, tools for monitoring AFS with Nagios, tools for tracking mount point locations for volumes, and some user utilities like a recursive wrapper around fs and a utility to find mount points in a file tree. - -### 4.13 Where can I find stuff from the old transarc.com web site? - -Many of the links to transarc.com in the FAQ, and around the web are broken. The best bet seems to be to use the [Wayback Machine](http://web.archive.org) to search the Internet Archive for old versions of the pages from transarc.com and transarc.ibm.com. Here is one place to start, but things are sometimes missing so you may have to search for older copies and alternate paths. - -Here is the [AFS 3.6 Documentation](http://web.archive.org/web/20010604011953/http://www.transarc.ibm.com/Library/documentation/afs/3.6/unix/en_US/HTML/index.htm) and [AFS for Windows](http://web.archive.org/web/20010529113949/www.transarc.ibm.com/Library/documentation/afs/3.6/windows/en_US/html/index.htm). - diff --git a/general/UsageFAQ.mdwn b/general/UsageFAQ.mdwn deleted file mode 100644 index fa28bcb..0000000 --- a/general/UsageFAQ.mdwn +++ /dev/null @@ -1,393 +0,0 @@ -[[!toc levels=3]] - -## 2 Using AFS - -The Usage Section of the [[AFSFrequentlyAskedQuestions]]. - -- [[PreambleFAQ]] -- [[GeneralFAQ]] -- [[AdminFAQ]] -- [[ResourcesFAQ]] -- [[AboutTheFAQ]] -- [[FurtherReading]] - -### 2.01 What are the differences between AFS and a Unix filesystem? - -Essentially, from a user's point of view, there is little difference between AFS and local Unix filestore. Nearly all the commands normally used to access local files can be used to access files in `/afs`. - -In the following set of sections, I have attempted to "target" each section to an appropriate type of user by including to the right of each section heading one of: User, Programmer, [[SysAdmin]]. - -Here is a summary of the differences: - -**Authentication:** [ User ] - -Before a user can access protected AFS files (s)he needs to become -authenticated to AFS using the `klog` command (Kerberos login) to get an AFS -token. Or, a user can run `aklog` to convert existing krb5 tickets into an AFS -token. - -Without a token, an unauthenticated user is given the AFS identity `system:anyuser`, and as such is only able to access files in directories that have ACLs granting `system:anyuser` access. - -Many systems have the `klog`/`aklog` functionality done integrated into their login procecedure. If you use a system where you have -to issue the `klog`/`aklog` command after login, then you may want to run the `pagsh` command first (see below). - -AFS provides access control lists to give more precise control to users wishing to protect their files (see AFS ACL below). - -**File permissions:** [ User ] - -Unix mode bits on files are usually ignored. The exception to this are the "owner" bits, which can be used to remove access for almost everyone accessing the file (that is, if you remove the "w" bit from the owner permissions, almost nobody can write to the file). - -Instead of Unix mode bits, you should generally use AFS ACLs to protect your data (see below). - -**Data protection with AFS ACLs:** [ User ] - -Some versions of Unix (e.g. IBM's AIX version 3) allow ACLs on local files. In AFS, ACLs protect directories and used with AFS protection groups (see below) provide a finer granularity of protection than can be achieved with basic Unix file permissions. (AFS ACLs are described in more detail below.) - -**Protection groups:** [ User ] - -Users can create and maintain their own protection groups in AFS - as opposed to Unix where only sysadmins can manage protection groups. - -**Hard links:** [ User ] - -In AFS, hard links (`ln old new`) are only valid within a directory. This is because AFS ACLs protect directories (not individual files), and allowing hard links that span directories would subvert ACL protection. - -Symbolic links work in AFS because they reference a pathname and not an inode directly. (Hard links reference an inode directly.) - -**Changing file protection by moving a file:** [ User ] - -Moving a file to a different directory will change the protection of a file if the ACL on the new directory is different from the ACL on the original directory. - -**chown and chgrp:** [ User ] - -Only members of the AFS group `system:administrators` can use these commands on files in `/afs`. Note that these are only used by non-AFS-aware Unix utilities; AFS itself does not use these values, but instead uses the AFS ACL. - -**Save on close:** [ Programmer ] - -The AFS Cache Manager does not send file modifications to a file server until a `close()` or `fsync()` system call is performed. `write()` system calls only update the local cached copy on the client. - -Note the difference in semantics of writing a file: - - - - - - - - - - -
local Unix filewrites update the file immediately
AFS filelocal cached copy updated immediately but the server copy is only updated when the file is `close`d or `fsync`ed
- -It is important to understand that most applications (`vi`, `emacs`, `frame`, `interleaf`, `wingz`, `dogz`, etc.) issue the `close()` system call when the user chooses/issues the "save" command in the application. - -Users are not required to exit the application to save their changes back to the server. - -**Byte-range file locking:** [ Programmer ] - -AFS does not support byte-range locking within a file, although `lockf()` and `fcntl()` calls will return 0 (success). The first time a byte-range lock is attempted, AFS will display - - afs: byte-range lock/unlock ignored; make sure no one else else is running this program. - -There are a couple of platform-specific exceptions to this behavior. Currently (as of 1.6.2), Linux clients will enforce byte-range file locks for processes on the local client only. In addition, Windows clients attempt to simulate byte-range locks for local processes, and acquire full-file locks on the fileserver when a byte-range lock is requested. - -Server-side byte range locking requires a protocol change, which is currently under consideration. - -**Whole-file locking:** [ Programmer ] - -AFS supports advisory locking of an entire file with `flock()`. Processes on the same client workstation that attempt to lock a file obey the proper locking semantics. Processes on different AFS clients requesting a lock on the same file would get `EWOULDBLOCK` returned. - -**Character and block special files:** [ [[SysAdmin]] ] - -AFS does not support character and block special files. The `mknod` command does not create either character or block special files under `/afs`. - -### 2.02 What is an AFS protection group? - -A named list of users. - -Group names are used in AFS ACLs to identify lists of users with particular access permissions. - -In AFS, users can create and maintain their own protection groups. This is different to unix where only the system administrator can manage `/etc/group`. - -AFS groups are stored in the protection database on fileserver(s) and managed by using the `pts` command. - -An AFS group typically has the format `owner-id:group-name`. By default, only the owner of a group can change its members. - -It is possible to have both users and IP addresses as members of an AFS group. By using an IP address like this you can specify all the users from the host with that IP address. Note that IP address membership is insecure, due to the possibility of packet spoofing and the inability of current AFS protocols to protect server communications that do not involve a user-based security token; the `rxgk` security protocol currently under development will enable token-protected access at the client machine level as well as the user level. - -### 2.03 What are the AFS-defined protection groups? - -- `system:anyuser` - - Everyone who has access to an AFS client in any cell that is on the same network as your cell. - -- `system:authuser` - - Everyone who has access to an AFS client in any cell that is on the same network as your cell **and** has valid tokens for your cell (i.e. has been authenticated in your cell). - -- `system:administrators` - - Users who have privileges to execute some but not all system administrator commands. - -### 2.04 What is an AFS access control list (ACL)? - -There is an ACL for every directory in AFS. The ACL specifies protection at the directory level (not file level) by listing permissions of users and/or groups to a directory. There is a maximum of 20 entries on an ACL. - -For example: - -An AFS ACL is displayed by using the `fs` command as shown below: - - tweety@toontown $ fs listacl . - Access list for . is - Normal rights: - fac:coords rlidwka - system:anyuser rl - -This ACL shows that members of the AFS protection group `fac:coords` have full access rights to the current directory and `system:anyuser` has only read and lookup rights. - -The members of `fac:coords` can be determined by accessing the protection group database using the `pts` command as shown below: - - tweety@toontown $ pts membership fac:coords - Members of fac:coords (id: -1577) are: - sylvester - roadrunner - yosemite.sam - -### 2.05 What are the AFS access rights? - -In AFS, there are seven access rights that may be set or not set: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
lookuplPermission to examine the ACL and traverse the directory (needed with most other access rights); permission to look up filenames in a directory
readrView the contents of files in the directory
insertiAdd new files or sub-directories
writewModify file contents, use `chmod`
deletedRemove file(s) in the directory
lockkPermission for programs to `flock()` files in the directory
administeraAbility to change the ACL
- -There are shorthand forms for some common permission combinations: - - - - - - - - - - - - - - - - - - - - - - -
readrlread and lookup
writerlidwkall rights except administer
allrlidwkaall rights
noneremoves all rights
- -### 2.06 What is `pagsh`? - -A command to get a new shell with a process authentication group (PAG). - -This is normally used if your system does not get AFS tokens on login. It is used to get a PAG prior to running `klog`/`aklog`. - -The PAG uniquely identifies the user to the Cache Manager. Without a PAG, the Cache Manager uses the Unix UID to identify a user and tokens will be shared across all processes owned by that UID. - -### 2.07 Why use a PAG? - -There are two reasons: - -1. Child processes inherit the PAG and the AFS token so they are AFS authenticated. - -1. For security: if you don't have a PAG, then the Cache Manager identifies you by Unix UID. Another user with `root` access to the client could `su` to you and thereby use your token. - -### 2.08 How can I tell if I have a PAG? - -Usually you can tell if you have a PAG by typing `id`. (Platforms which are derived directly from AT&T System V Release 4, such as Solaris, will not show the additional group vector by default; if there is no `groups=` section in the output of `id`, try `id -a`.) A PAG is indicated by the appearance of one or two large integers in the list of groups. - -For example: - - sylvester@toontown $ id - uid=1000(sylvester) gid=20(staff) groups=33536,32533,20(staff),30(catz) - -On Linux clients, your PAG may not show up as such a group in the group list. An alternative way to check on Linux is to look at your kernel keyring with `keyctl show`: - - $ keyctl show - Session Keyring - -3 --alswrv 1000 1000 keyring: _ses.32603 - 819041549 ----s--v 0 0 \_ afs_pag: _pag - -If you see an `afs_pag` key in the output, then you are in a PAG. - -### 2.09 Can I still run `cron` jobs with AFS? - -Yes, but remember that in order to fully access files in AFS you have to be AFS authenticated. If your `cron` job doesn't `aklog` then it only gets `system:anyuser` access. - -The preferred way to make use of Kerberos tickets and AFS tokens from a `cron` job is [[kstart|http://www.eyrie.org/~eagle/software/kstart/]]. If you are using the Heimdal implementation of Kerberos, you can also use its `kinit` with the `-afslog` option and a command. - -Note that you can still run a `cron` job without getting a token, if the task does not need to be AFS authenticated. In this case, you may get `stderr` from the `cron` job if your `.profile` is not accessible because of the ACL protecting your `$HOME`. Simply redirect to `/dev/null`: - - 0 7 * * * $sys_anyuser_readable_dir/7AMdaily 2>/dev/null - -### 2.10 How much disk space does a 1-byte file occupy in AFS? - -This varies depending on the filesystem used by the fileserver containing that file. Some filesystems may only use up 1024 bytes for such a file, and others may use 4096; still others may use more or fewer bytes. - -### 2.11 Is it possible to specify a user who is external to the current AFS cell on an ACL? - -Yes. This requires setting up a cross-realm relationship with the Kerberos realm on the remote site, but this is possible. Typically you refer to "remote" users like `user@remote.cell`, and you can use them in ACLs, or add them to `pts` groups. - -### 2.12 Are there any problems printing files in `/afs`? - -There are two common issues that come up with printing from AFS: - -- the print client passes pathnames to the print service, which does not have access to your AFS token; - -- if not using a PAG (UID-based tokens), `setuid` print clients don't have access to your AFS token. - -Both of these may be mitigated by using shell redirection to send the file to the print client: - - lpr < /afs/ny.toontown.com/home/elmer/private/wabbit-hunting - -(The `lp` command generally supports the `-c` option to force a file copy. Note that the `lp` command provided with [[CUPS|http://cups.org]] *always* works this way, and makes a connection to the server to transfer the file instead of copying it to a secure queue area directly, so should not have token issues at all.) - -Very few print services have the ability to manage token access in a way that allows an ACL-protected file to be printed by pathname without enabling access control to be subverted by users by means of the print service. It is **not** recommended to grant the print service general access to AFS by means of [[kstart|http://www.eyrie.org/software/kstart/]] or similar mechanisms. - -### 2.13 Can I create a FIFO (a/k/a named pipe) in `/afs`? - -No. AFS does not support `mknod fifofile p`. AFS only supports normal files, directories, and symlinks; not Unix- or Windows-specific filesystem node types. - -### 2.14 If an AFS server crashes, do I have to reboot my AFS client? - -No. - -Typically, if an AFS server becomes unavailable, the AFS Cache Manager on your AFS client will see you through the outage until the server returns. This robustness is dependent on the way your AFS cell has been configured including the following factors: - -- On the client side: - - How big is the cache? - - Are the files you need already in the cache? - -- On the server side: - - How many servers? It's best to have a minimum of three. - - Is the data you are accessing replicated? In AFS, replicas are [[ReadOnly]] copies. - -With replicated volumes, the AFS Cache Manager knows about all of the servers on which the replicas are located. Therefore, when the Cache Manager accesses a replicated volume, if the RPC times out, the Cache Manager automatically retrys the RPC, using a different file server. - -If necessary, the Cache Manager will attempt to contact all file servers on which a replica of the volume resides. - -If you are accessing [[ReadWrite]] volumes on a crashed server then you will not be able to save changes back to the server until it returns. - -You don't need to reboot, and the Cache Manager activity is "invisible" to the user. You may want to speed up recovery by issuing the command `fs checkservers`, but even this is unnecessary and will usually only improve recovery by a few seconds. - -### 2.15 Can I use AFS on my diskless workstation? - -Yes. The AFS Cache Manager can be configured to work with either a disk based cache or a memory (RAM) based cache. - -Note that using a memory cache may not be as fast as you might think. Modern operating systems should cache disk data in memory when accessed, so using a disk cache should mean you are hitting RAM most of the time anyway. Disk caches are also much more common, and thus much more heavily tested, and so are better optimized. If you have a local disk and it's reasonably fast, usually going with a disk cache is preferable to memory cache. Additionally, most operating systems do a better job of optimizing a native RAM disk, so you might consider putting your AFS cache in a RAM disk instead of using [[OpenAFS]]'s own memory cache. - -### 2.16 Can I test for AFS tokens from within my program? - -Yes. However, the mechanism for doing so varies depending on the platform. To see examples of how to do this, you can look at the source of any program that deals with AFS tokens. One such example is [pam-afs-session](http://www.eyrie.org/~eagle/software/pam-afs-session/) - -### 2.17 What's the difference between `/afs/cellname` and `/afs/.cellname`? - -AFS has [[ReadOnly]] (RO) and [[ReadWrite]] (RW) volumes. - -The convention in AFS is to mount the RW volume `root.cell` as `/afs/.cellname` and the RO volume `root.cell.readonly` as `/afs/cellname`. This is so that when you travel down the `/afs/.cellname` link, AFS will always use the RW site of any volumes that have RO clones. This allows your administrator to update the RW copy of a volume and `vos release $volname` so that it will appear in `/afs/cellname`. - -### 2.18 Can I `aklog` as two users on a machine in the same cell? - -Yes, *if* you use two different PAGs. The token store only supports one token per cell per authentication group; with UID-based PAGs, this means one token per cell per user, but with PAGs you can have multiple shell windows/sessions, each with its own PAG and associated AFS tokens. - -Note that most Kerberos implementations (the one on Mac OS X 10.7 and 10.8 being a notable exception) only allow a ticket-granting ticket (TGT) for a single principal (this restriction is even tighter than AFS's, as you cannot have a separate TGT per realm!), so if you plan to use separate PAGs you will also want to use separate credential caches ("ticket files" in older Kerberos parlance). - -An alternative to using multiple users in this way is to use ACLs to grant access on a shared directory to both users. - -### 2.19 What are the `~/.__afsXXXX` files? - -They are temporary reference files used by the AFS Cache Manager. - -With most Unix filesystems, when you a remove a file that is kept open by a process, the file stays around physically while it is no longer referenced in any directory (which you will see as a mismatch between disk space usage according to `df` and `du`). - -Some applications rely on that feature, e.g. they create a temporary file and remove it immediatley while keeping the file descriptor open. The file then disappears from the filesystem automatically when the process terminates or the file descriptor gets closed otherwise. Such applications could get into trouble with older versions of AFS, where the file could really disappear while it was held open. - -Newer versions of AFS rename such files to `.__afsXXXX`, thus making sure that the data stays around as expected by the application. As soon as the file gets closed, the associated `.__afsXXXX` should disappear. - -### 2.20 How do you set up IP-based ACLs? - -See [[IPAccessControl]]. - -### 2.21 What meaning do the owner, group, and mode bits have in AFS? - -In order to appear more like a local filesystem, AFS will faithfully store the numeric UID (owner), GID (group), for both files and directories, as well as the permission bits (read, write, and execute for user, group, and other, plus `setuid`, `setgid`, and "sticky" bits) for files. Note that permission bits for directories are not stored. - -For the most part, these values are simply recorded and reported back when requested. However, in some instances the fileserver and/or cache manager will make access control decisions based in part on these values. The following is believed to be a complete list of those circumstances. Below, "owner" refers to the user whose numeric `pts` identity is equal to the owner of the file or directory; this might not bear any relationship to the UNIX UID associated with the client process that created the file. - -- implicit ACLs - - the owner of the root directory of a volume has implicit _administer_ (`a`) rights on all directories in the volume - - the owner of a file has implicit _read_ (`r`) and _write_ (`w`) rights on a file if that user has _insert_ (`i`) rights on its parent directory - -- to **read** from a file, you must have _read_ (`r`) rights _and_ at least one of the following must be true: - - the file's `u+r` (user read, `0400` octal) bit is set - - you are the owner of the file - - you are a member of `system:administrators` - -- to **write** to a file, you must have _write_ (`w`) rights _and_ at least one of the following must be true: - - the file's `u+w` (user write, `0200` octal) bit is set - - you are the owner of the file - - you are a member of `system:administrators` - -- changing mode bits and owner/group: - - the fileserver will only allow the mode bits on a file (`ugo+rwx`) to be changed if the user has _write_ (`w`) and _lookup_ (`l`) rights on the file's parent directory - - the fileserver will only allow the mode bits on a directory to be changed if the user has _delete_ (`d`), _insert_ (`i`), and _lookup_ (`l`) rights on the directory - - only members of `system:administrators` can change the owner or group of a file - - only members of `system:administrators` can change the `setuid` and `setgid` bits on a file - -The "sticky" bit, group of a file, `g+rwx` (octal `0070`), and `o+rwx` (octal `0007`) bits are completely ignored by all AFS components. Additionally, the `u+rwx` (octal `0700`) bits are ignored on directories. - -Newly created files and directories are given an owner numerically equal to the `pts` identity of the user who created the file or directory. Initial mode bits are assigned by the AFS cilent, typically based on the creating user's `umask`. - -### 2.22 What are "dropboxes"? - -When the ACL on a directory is set to `irl` (_read_, _list_, _insert_), this creates what is called a "dropbox". In theory, users should be able to deposit files in the directory, but not modify them once deposited. - -In practice, the "not modify them once deposited" part is not enforced by the fileserver; only the [[OpenAFS]] client enforces this restriction. Thus, you should not depend on this for security. - -Also, note that a `system:anyuser irl` ACL has an additional problems: because dropbox semantics are based on `pts` identities (see question 2.21), the fileserver cannot distinguish between two unauthenticated users. So, not only can a user come back days later and modify the "dropped" file, but **any** user can modify a file dropped by an unauthenticated user, at any time. - -### 2.23 Can I access a RW volume using the RO path? - -Depends. Once you have RO-Volumes released, a mountpoint pointing to the RO will bring you to the RO volume. To change that behavior, you have to change the corresponding mountpoint with `fs rmmount` and `fs mkmount -rw`. However, for some situations, like software installations, it might be useful to reach the RW volume through the RO path. - -You can do that for a single client with a special setup. The trick is to break the convention described in 2.17 for a single client: mount the RW volume `root.cell` (instead of `root.cell.readonly`) as `/afs/cellname`. This can be done by creating an alternative `root.afsrw` volume which is identical to `root.afs` except that it has an RW mount for `root.cell`, then add `-rootvol root.afsrw` to the `afsd` command options on startup (either in `/etc/init.d/afs` or wherever your system stores service configuation; this is often `/usr/vice/etc/config/afsd.options` on most Unixes and `/etc/sysconfig/afs` on many Linux distributions) and ensure that the `-dynroot` option is *not* specified. -- 1.9.4