added button GIF's to the HTML docs

[openafs.git] / doc / html / QuickStartUnix / auqbg005.htm

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 4//EN">
<HTML><HEAD>
<TITLE>Quick Beginnings</TITLE>
<!-- Begin Header Records  ========================================== -->
<!-- /tmp/idwt3574/auqbg000.scr converted by idb2h R4.2 (359) ID      -->
<!-- Workbench Version (AIX) on 2 Oct 2000 at 12:25:35                -->
<META HTTP-EQUIV="updated" CONTENT="Mon, 02 Oct 2000 12:25:35">
<META HTTP-EQUIV="review" CONTENT="Tue, 02 Oct 2001 12:25:35">
<META HTTP-EQUIV="expires" CONTENT="Wed, 02 Oct 2002 12:25:35">
</HEAD><BODY>
<!-- (C) IBM Corporation 2000. All Rights Reserved    --> 
<BODY bgcolor="ffffff"> 
<!-- End Header Records  ============================================ -->
<A NAME="Top_Of_Page"></A>
<H1>Quick Beginnings</H1>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auqbg002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auqbg004.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Bot_Of_Page"><IMG SRC="../bot.gif" BORDER="0" ALT="[Bottom of Topic]"></A> <A HREF="auqbg006.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auqbg009.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P> 
<P>
<A NAME="IDX2218"></A>
<A NAME="IDX2219"></A>
<A NAME="IDX2220"></A>
<HR><H1><A NAME="HDRWQ17" HREF="auqbg002.htm#ToC_28">Installing the First AFS Machine</A></H1>
<P>This chapter describes how to install the first AFS machine
in your cell, configuring it as both a file server machine and a client
machine. After completing all procedures in this chapter, you can
remove the client functionality if you wish, as described in <A HREF="#HDRWQ98">Removing Client Functionality</A>.
<P>To install additional file server machines after completing this chapter,
see <A HREF="auqbg006.htm#HDRWQ99">Installing Additional Server Machines</A>.
<P>To install additional client machines after completing this chapter, see <A HREF="auqbg007.htm#HDRWQ133">Installing Additional Client Machines</A>.
<A NAME="IDX2221"></A>
<HR><H2><A NAME="Header_29" HREF="auqbg002.htm#ToC_29">Requirements and Configuration Decisions</A></H2>
<P>The instructions in this chapter assume that you meet the following
requirements.
<UL>
<P><LI>You are logged onto the machine's console as the local superuser
<B>root</B>
<P><LI>A standard version of one of the operating systems supported by the
current version of AFS is running on the machine
<P><LI>You can access the data on the AFS CD-ROMs, either through a local CD
drive or via an NFS mount of a CD drive attached to a machine that is
accessible by network
</UL>
<P>You must make the following configuration decisions while installing the
first AFS machine. To speed the installation itself, it is best to make
the decisions before beginning. See the chapter in the <I>IBM AFS
Administration Guide</I> about issues in cell administration and
configuration for detailed guidelines.
<A NAME="IDX2222"></A>
<A NAME="IDX2223"></A>
<A NAME="IDX2224"></A>
<UL>
<P><LI>Select the first AFS machine
<P><LI>Select the cell name
<P><LI>Decide which partitions or logical volumes to configure as AFS server
partitions, and choose the directory names on which to mount them
<P><LI>Decide whether to use the standard AFS authentication and authorization
software or Kerberos as obtained from another source. On several system
types, the decision determines how you incorporate AFS into the machine's
authentication system. If you wish to use Kerberos, contact the AFS
Product Support group now to learn about how you must modify the installation
procedure.
<P><LI>Decide how big to make the client cache
<P><LI>Decide how to configure the top levels of your cell's AFS filespace
</UL>
<P>This chapter is divided into three large sections corresponding to the
three parts of installing the first AFS machine. Perform all of the
steps in the order they appear. Each functional section begins with a
summary of the procedures to perform. The sections are as
follows:
<UL>
<P><LI>Installing server functionality (begins in <A HREF="#HDRWQ18">Overview: Installing Server Functionality</A>)
<P><LI>Installing client functionality (begins in <A HREF="#HDRWQ63">Overview: Installing Client Functionality</A>)
<P><LI>Configuring your cell's filespace, establishing further security
mechanisms, and enabling access to foreign cells (begins in <A HREF="#HDRWQ71">Overview: Completing the Installation of the First AFS Machine</A>)
</UL>
<A NAME="IDX2225"></A>
<A NAME="IDX2226"></A>
<A NAME="IDX2227"></A>
<HR><H2><A NAME="HDRWQ18" HREF="auqbg002.htm#ToC_30">Overview: Installing Server Functionality</A></H2>
<P>In the first phase of installing your cell's first AFS
machine, you install file server and database server functionality by
performing the following procedures:
<OL TYPE=1>
<P><LI>Choose which machine to install as the first AFS machine
<P><LI>Create AFS-related directories on the local disk
<P><LI>Incorporate AFS modifications into the machine's kernel
<P><LI>Configure partitions or logical volumes for storing AFS volumes
<P><LI>On some system types, install and configure an AFS-modified version of the
<B>fsck</B> program
<P><LI>If the machine is to remain a client machine, incorporate AFS into its
authentication system
<P><LI>Start the Basic OverSeer (BOS) Server
<P><LI>Define the cell name and the machine's cell membership
<P><LI>Start the database server processes: Authentication Server, Backup
Server, Protection Server, and Volume Location (VL) Server
<P><LI>Configure initial security mechanisms
<P><LI>Start the <B>fs</B> process, which incorporates three component
processes: the File Server, Volume Server, and Salvager
<P><LI>Start the server portion of the Update Server
<P><LI>Start the controller process (called <B>runntp</B>) for the Network
Time Protocol Daemon, which synchronizes machine clocks
</OL>
<HR><H2><A NAME="HDRWQ19" HREF="auqbg002.htm#ToC_31">Choosing the First AFS Machine</A></H2>
<P>The first AFS machine you install must have sufficient disk
space to store AFS volumes. To take best advantage of AFS's
capabilities, store client-side binaries as well as user files in
volumes. When you later install additional file server machines in your
cell, you can distribute these volumes among the different machines as you see
fit.
<P>These instructions configure the first AFS machine as a <I>database
server machine</I>, the <I>binary distribution machine</I> for its
system type, and the cell's <I>system control machine</I>. For
a description of these roles, see the <I>IBM AFS Administration
Guide</I>.
<P>Installation of additional machines is simplest if the first machine has
the lowest IP address of any database server machine you currently plan to
install. If you later install database server functionality on a
machine with a lower IP address, you must first update the
<B>/usr/vice/etc/CellServDB</B> file on all of your cell's client
machines. For more details, see <A HREF="auqbg006.htm#HDRWQ114">Installing Database Server Functionality</A>.
<HR><H2><A NAME="Header_32" HREF="auqbg002.htm#ToC_32">Creating AFS Directories</A></H2>
<A NAME="IDX2228"></A>
<A NAME="IDX2229"></A>
<A NAME="IDX2230"></A>
<A NAME="IDX2231"></A>
<A NAME="IDX2232"></A>
<A NAME="IDX2233"></A>
<A NAME="IDX2234"></A>
<A NAME="IDX2235"></A>
<A NAME="IDX2236"></A>
<A NAME="IDX2237"></A>
<A NAME="IDX2238"></A>
<P>Create the <B>/usr/afs</B> and <B>/usr/vice/etc</B> directories on
the local disk, to house server and client files respectively.
Subsequent instructions copy files from the AFS CD-ROM into them.
Create the <B>/cdrom</B> directory as a mount point for CD-ROMs, if it
does not already exist.
<PRE>      
   # <B>mkdir /usr/afs</B>
      
   # <B>mkdir /usr/vice</B>
      
   # <B>mkdir /usr/vice/etc</B>
   
   # <B>mkdir /cdrom</B> 
     
</PRE>
<HR><H2><A NAME="HDRWQ20" HREF="auqbg002.htm#ToC_33">Performing Platform-Specific Procedures</A></H2>
<P>Several of the initial procedures for installing a file
server machine differ for each system type. For convenience, the
following sections group them together for each system type:
<UL>
<A NAME="IDX2239"></A>
<A NAME="IDX2240"></A>
<A NAME="IDX2241"></A>
<P><LI>Incorporate AFS modifications into the kernel.
<P>The kernel on every AFS file server and client machine must incorporate AFS
extensions. On machines that use a dynamic kernel module loader, it is
conventional to alter the machine's initialization script to load the AFS
extensions at each reboot.
<A NAME="IDX2242"></A>
<A NAME="IDX2243"></A>
<A NAME="IDX2244"></A>
<A NAME="IDX2245"></A>
<A NAME="IDX2246"></A>
<A NAME="IDX2247"></A>
<A NAME="IDX2248"></A>
<P><LI>Configure server partitions or logical volumes to house AFS
volumes. 
<P>Every AFS file server machine must have at least one partition or logical
volume dedicated to storing AFS volumes (for convenience, the documentation
hereafter refers to partitions only). Each server partition is mounted
at a directory named <B>/vicep</B><VAR>xx</VAR>, where <VAR>xx</VAR> is one or
two lowercase letters. By convention, the first 26 partitions are
mounted on the directories called <B>/vicepa</B> through
<B>/vicepz</B>, the 27th one is mounted on the <B>/vicepaa</B>
directory, and so on through <B>/vicepaz</B> and <B>/vicepba</B>,
continuing up to the index corresponding to the maximum number of server
partitions supported in the current version of AFS (which is specified in the
<I>IBM AFS Release Notes</I>). 
<P>The <B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
machine's root directory, not in one of its subdirectories (for example,
<B>/usr/vicepa</B> is not an acceptable directory location). 
<P>You can also add or remove server partitions on an existing file server
machine. For instructions, see the chapter in the <I>IBM AFS
Administration Guide</I> about maintaining server machines. 
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Not all file system types supported by an operating system are necessarily
supported as AFS server partitions. For possible restrictions, see the
<I>IBM AFS Release Notes</I>.
</TD></TR></TABLE>
<P><LI>On some system types, install and configure a modified <B>fsck</B>
program which recognizes the structures that the File Server uses to organize
volume data on AFS server partitions. The <B>fsck</B> program
provided with the operating system does not understand the AFS data
structures, and so removes them to the <B>lost+found</B> directory.
<P><LI>If the machine is to remain an AFS client machine, modify the
machine's authentication system so that users obtain an AFS token as they
log into the local file system. Using AFS is simpler and more
convenient for your users if you make the modifications on all client
machines. Otherwise, users must perform a two-step login procedure
(login to the local file system and then issue the <B>klog</B>
command). For further discussion of AFS authentication, see the chapter
in the <I>IBM AFS Administration Guide</I> about cell configuration and
administration issues.
</UL>
<P>To continue, proceed to the appropriate section:
<UL>
<P><LI><A HREF="#HDRWQ21">Getting Started on AIX Systems</A>
<P><LI><A HREF="#HDRWQ26">Getting Started on Digital UNIX Systems</A>
<P><LI><A HREF="#HDRWQ31">Getting Started on HP-UX Systems</A>
<P><LI><A HREF="#HDRWQ36">Getting Started on IRIX Systems</A>
<P><LI><A HREF="#HDRWQ41">Getting Started on Linux Systems</A>
<P><LI><A HREF="#HDRWQ45">Getting Started on Solaris Systems</A>
</UL>
<HR><H2><A NAME="HDRWQ21" HREF="auqbg002.htm#ToC_34">Getting Started on AIX Systems</A></H2>
<P>Begin by running the AFS initialization script to call the
AIX kernel extension facility, which dynamically loads AFS modifications into
the kernel. Then use the <B>SMIT</B> program to configure
partitions for storing AFS volumes, and replace the AIX <B>fsck</B>
program helper with a version that correctly handles AFS volumes. If
the machine is to remain an AFS client machine, incorporate AFS into the AIX
secondary authentication system.
<A NAME="IDX2249"></A>
<A NAME="IDX2250"></A>
<A NAME="IDX2251"></A>
<A NAME="IDX2252"></A>
<P><H3><A NAME="HDRWQ22" HREF="auqbg002.htm#ToC_35">Loading AFS into the AIX Kernel</A></H3>
<P>The AIX kernel extension facility is the dynamic kernel
loader provided by IBM Corporation. AIX does not support incorporation
of AFS modifications during a kernel build.
<P>For AFS to function correctly, the kernel extension facility must run each
time the machine reboots, so the AFS initialization script (included in the
AFS distribution) invokes it automatically. In this section you copy
the script to the conventional location and edit it to select the appropriate
options depending on whether NFS is also to run.
<P>After editing the script, you run it to incorporate AFS into the
kernel. In later sections you verify that the script correctly
initializes all AFS components, then configure the AIX <B>inittab</B> file
so that the script runs automatically at reboot.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for AIX on the local <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your AIX documentation. Then change directory as
indicated. 
<PRE>   
   # <B>cd  /cdrom/rs_aix42/root.client/usr/vice/etc</B>
   
</PRE>
<P><LI>Copy the AFS kernel library files to the local
<B>/usr/vice/etc/dkload</B> directory, and the AFS initialization script
to the <B>/etc</B> directory. 
<PRE>   
   # <B>cp -rp  dkload  /usr/vice/etc</B>
   
   # <B>cp -p  rc.afs  /etc/rc.afs</B>
    
</PRE>
<P><LI>Edit the <B>/etc/rc.afs</B> script, setting the <TT>NFS</TT>
variable as indicated.
<P>If the machine is not to function as an NFS/AFS Translator, set the
<TT>NFS</TT> variable as follows.
<PRE>      
   NFS=$NFS_NONE
</PRE> 
<P>If the machine is to function as an NFS/AFS Translator and is running AIX
4.2.1 or higher, set the <TT>NFS</TT> variable as
follows. Note that NFS must already be loaded into the kernel, which
happens automatically on systems running AIX 4.1.1 and later, as
long as the file <B>/etc/exports</B> exists.
<PRE>   
   NFS=$NFS_IAUTH
   
</PRE>
<P><LI>Invoke the <B>/etc/rc.afs</B> script to load AFS modifications
into the kernel. You can ignore any error messages about the inability
to start the BOS Server or the Cache Manager or AFS client.
<PRE>   
   # <B>/etc/rc.afs</B>
   
</PRE>
</OL>
<A NAME="IDX2253"></A>
<A NAME="IDX2254"></A>
<A NAME="IDX2255"></A>
<A NAME="IDX2256"></A>
<P><H3><A NAME="HDRWQ23" HREF="auqbg002.htm#ToC_36">Configuring Server Partitions on AIX Systems</A></H3>
<P>Every AFS file server machine must have at least one
partition or logical volume dedicated to storing AFS volumes. Each
server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
where <VAR>xx</VAR> is one or two lowercase letters. The
<B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
machine's root directory, not in one of its subdirectories (for example,
<B>/usr/vicepa</B> is not an acceptable directory location). For
additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
<P>To configure server partitions on an AIX system, perform the following
procedures:
<OL TYPE=1>
<P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
partition you are configuring (there must be at least one). Repeat the
command for each partition.
<PRE>   
   # <B>mkdir /vicep</B><VAR>xx</VAR>
   
</PRE>
<P><LI>Use the <B>SMIT</B> program to create a journaling file system on each
partition to be configured as an AFS server partition.
<P><LI>Mount each partition at one of the <B>/vicep</B><VAR>xx</VAR>
directories. Choose one of the following three methods:
<UL>
<P><LI>Use the <B>SMIT</B> program
<P><LI>Use the <B>mount -a</B> command to mount all partitions at once
<P><LI>Use the <B>mount</B> command on each partition in turn
</UL> 
<P>Also configure the partitions so that they are mounted automatically at
each reboot. For more information, refer to the AIX
documentation.
</OL>
<A NAME="IDX2257"></A>
<A NAME="IDX2258"></A>
<A NAME="IDX2259"></A>
<A NAME="IDX2260"></A>
<P><H3><A NAME="HDRWQ24" HREF="auqbg002.htm#ToC_37">Replacing the fsck Program Helper on AIX Systems</A></H3>
<P>In this section, you make modifications to guarantee that the
appropriate <B>fsck</B> program runs on AFS server partitions. The
<B>fsck</B> program provided with the operating system must never run on
AFS server partitions. Because it does not recognize the structures
that the File Server uses to organize volume data, it removes all of the
data. To repeat:
<P><B>Never run the standard fsck program on AFS server partitions.
It discards AFS volumes.</B>
<P>On AIX systems, you do not replace the <B>fsck</B> binary itself, but
rather the <I>program helper</I> file included in the AIX distribution as
<B>/sbin/helpers/v3fshelper</B>.
<OL TYPE=1>
<P><LI>Move the AIX <B>fsck</B> program helper to a safe location and install
the version from the AFS distribution in its place. The AFS CD-ROM must
still be mounted at the <B>/cdrom</B> directory. 
<PRE>   
   # <B>cd /sbin/helpers</B>
   
   # <B>mv v3fshelper v3fshelper.noafs</B>
   
   # <B>cp -p /cdrom/rs_aix42/root.server/etc/v3fshelper v3fshelper</B>
   
 
</PRE>
<P><LI>If you plan to retain client functionality on this machine after
completing the installation, proceed to <A HREF="#HDRWQ25">Enabling AFS Login on AIX Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</OL>
<A NAME="IDX2261"></A>
<A NAME="IDX2262"></A>
<A NAME="IDX2263"></A>
<A NAME="IDX2264"></A>
<A NAME="IDX2265"></A>
<P><H3><A NAME="HDRWQ25" HREF="auqbg002.htm#ToC_38">Enabling AFS Login on AIX Systems</A></H3>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</TD></TR></TABLE>
<P>Follow the instructions in this section to incorporate AFS modifications
into the AIX secondary authentication system.
<OL TYPE=1>
<P><LI>Issue the <B>ls</B> command to verify that the
<B>afs_dynamic_auth</B> and <B>afs_dynamic_kerbauth</B> programs are
installed in the local <B>/usr/vice/etc</B> directory. 
<PRE>   
   # <B>ls /usr/vice/etc</B>   
</PRE> 
<P>If the files do not exist, mount the AFS CD-ROM for AIX (if it is not
already), change directory as indicated, and copy them.
<PRE>  
   # <B>cd /cdrom/rs_aix42/root.client/usr/vice/etc</B>
   
   # <B>cp  -p  afs_dynamic*  /usr/vice/etc</B>
   
</PRE>
<P><LI>Edit the local <B> /etc/security/user</B> file, making changes to the
indicated stanzas:
<UL>
<P><LI>In the default stanza, set the <TT>registry</TT> attribute to
<B>DCE</B> (not to <B>AFS</B>), as follows:
<PRE>   
   registry = DCE
   
</PRE>
<P><LI>In the default stanza, set the <TT>SYSTEM</TT> attribute as
indicated.
<P>If the machine is an AFS client only, set the following value:
<PRE>   
   SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"   
</PRE> 
<P>If the machine is both an AFS and a DCE client, set the following value (it
must appear on a single line in the file):
<PRE>   
   SYSTEM = "DCE OR DCE[UNAVAIL] OR AFS OR (AFS[UNAVAIL]  \
       AND compat[SUCCESS])"
   
</PRE>
<P><LI>In the <TT>root</TT> stanza, set the <TT>registry</TT> attribute as
follows. It enables the local superuser <B>root</B> to log into the
local file system only, based on the password listed in the local password
file.
<PRE>   
   root:
         registry = files
   
</PRE>
</UL>
<P><LI>Edit the local <B>/etc/security/login.cfg</B> file, creating or
editing the indicated stanzas:
<UL>
<P><LI>In the <TT>DCE</TT> stanza, set the <TT>program</TT> attribute as
follows.
<P>If you use the AFS Authentication Server (<B>kaserver</B>
process):
<PRE>   
   DCE:
        program = /usr/vice/etc/afs_dynamic_auth   
</PRE> 
<P>If you use a Kerberos implementation of AFS authentication:
<PRE>   
   DCE:
        program = /usr/vice/etc/afs_dynamic_kerbauth
   
</PRE>
<P><LI>In the <TT>AFS</TT> stanza, set the <TT>program</TT> attribute as
follows.
<P>If you use the AFS Authentication Server (<B>kaserver</B>
process):
<PRE>   
   AFS:
        program = /usr/vice/etc/afs_dynamic_auth   
</PRE> 
<P>If you use a Kerberos implementation of AFS authentication:
<PRE>   
   AFS:
        program = /usr/vice/etc/afs_dynamic_kerbauth
   
</PRE>
</UL>
<P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
</OL>
<HR><H2><A NAME="HDRWQ26" HREF="auqbg002.htm#ToC_39">Getting Started on Digital UNIX Systems</A></H2>
<P>Begin by either building AFS modifications into a new static
kernel or by setting up to dynamically load the AFS kernel module. Then create
partitions for storing AFS volumes, and replace the Digital UNIX
<B>fsck</B> program with a version that correctly handles AFS
volumes. If the machine is to remain an AFS client machine, incorporate
AFS into the machine's Security Integration Architecture (SIA)
matrix.
<A NAME="IDX2266"></A>
<A NAME="IDX2267"></A>
<A NAME="IDX2268"></A>
<A NAME="IDX2269"></A>
<P><H3><A NAME="HDRWQ27a" HREF="auqbg002.htm#ToC_40a">Loading AFS into the Digital UNIX Kernel</A></H3>
<P>The <B>sysconfig</B> program is the dynamic kernel loader provided
for Digital UNIX systems. 
<P>For AFS to function correctly, the <B>sysconfig</B> program must run each
time the machine reboots, so the AFS initialization script (included on the
AFS CD-ROM) invokes it automatically. In this section you copy the
appropriate AFS library file to the location where the <B>sysconfig</B>
program accesses it and then run the script.
<P>Mount the AFS CD-ROM for Digital UNIX on the local <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your Digital UNIX documentation. Then change
directory as indicated.
<PRE>   
   # <B>cd /cdrom/alpha_dux40/root.client</B>
   
</PRE>
<P>Copy the AFS initialization script to the local directory for
initialization files (by convention, <B>/sbin/init.d</B> on Digital
UNIX machines). Note the removal of the <B>.rc</B> extension
as you copy the script.
<PRE>   
   # <B>cp usr/vice/etc/afs.rc  /sbin/init.d/afs</B>
   
</PRE>
<P>Copy the AFS kernel module to the local <B>/subsys</B>
directory. 
<PRE>  
   # <B>cp bin/afs.mod /subsys/afs.mod</B>   
</PRE> 
<P>Set up the system to load the module at startup.
<PRE>
   # <B>/sbin/init.d/autosysconfig add afs</B>
</PRE>
<P>Reboot the machine to start using the new kernel, and login again as the
superuser <B>root</B>. 
<PRE>   
   # <B>cd /</B>
   
   # <B>shutdown -r now</B>
   
   login: <B>root</B>
   Password: <VAR>root_password</VAR>
   
</PRE>
<P><H3><A NAME="HDRWQ27" HREF="auqbg002.htm#ToC_40">Building AFS into the Digital UNIX Kernel</A></H3>
<P>Use the following instructions to build AFS modifications
into the kernel on a Digital UNIX system.
<OL TYPE=1>
<P><LI>Create a copy called <B>AFS</B> of the basic kernel configuration file
included in the Digital UNIX distribution as
<B>/usr/sys/conf/</B><VAR>machine_name</VAR>, where <VAR>machine_name</VAR> is
the machine's hostname in all uppercase letters. 
<PRE>   
   # <B>cd /usr/sys/conf</B>
   
   # <B>cp</B> <VAR>machine_name</VAR> <B>AFS</B>
   
</PRE>
<P><LI>Add AFS to the list of options in the configuration file you created in
the previous step, so that the result looks like the following: 
<PRE>          .                   .
          .                   .
       options               UFS
       options               NFS
       options               AFS
          .                   .
          .                   .
   
</PRE>
<P><LI>Add an entry for AFS to two places in the file
<B>/usr/sys/conf/files</B>. 
<UL>
<P><LI>Add a line for AFS to the list of <TT>OPTIONS</TT>, so that the result
looks like the following:
<PRE>             .                .      .
             .                .      .
      OPTIONS/nfs          optional nfs 
      OPTIONS/afs          optional afs 
      OPTIONS/nfs_server   optional nfs_server
             .                .      .
             .                .      .
   
</PRE>
<P><LI>Add an entry for AFS to the list of <TT>MODULES</TT>, so that the result
looks like the following:
<PRE>             .                  .        .          .
             .                  .        .          .
      #
      MODULE/nfs_server     optional nfs_server Binary
      nfs/nfs_server.c      module nfs_server optimize -g3
      nfs/nfs3_server.c     module nfs_server optimize -g3
      #
      MODULE/afs            optional afs Binary
      afs/libafs.c          module afs
      #
   
</PRE>
</UL>
<P><LI>Add an entry for AFS to two places in the file
<B>/usr/sys/vfs/vfs_conf.c</B>. 
<UL>
<P><LI>Add AFS to the list of defined file systems, so that the result looks like
the following:
<PRE>        .       .              
        .       .              
     #include &lt;afs.h>
     #if defined(AFS) &amp;&amp; AFS
            extern struct vfsops afs_vfsops;
     #endif  
        .       .              
        .       .              
   
</PRE>
<P><LI>Put a declaration for AFS in the <B>vfssw[]</B> table's
MOUNT_ADDON slot, so that the result looks like the following: 
<PRE>        .                          .              .
        .                          .              .
      &amp;fdfs_vfsops,         "fdfs",   /* 12 = MOUNT_FDFS */
   #if  defined(AFS)
      &amp;afs_vfsops,          "afs",
   #else
      (struct vfsops *)0,   "",       /* 13 = MOUNT_ADDON */
   #endif
   #if NFS &amp;&amp; INFS_DYNAMIC   
       &amp;nfs3_vfsops,        "nfsv3",  /* 14 = MOUNT_NFS3 */         
   
</PRE>
</UL>
<P><LI>Mount the AFS CD-ROM for Digital UNIX on the local <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your Digital UNIX documentation. Then change
directory as indicated.
<PRE>   
   # <B>cd /cdrom/alpha_dux40/root.client</B>
   
</PRE>
<P><LI>Copy the AFS initialization script to the local directory for
initialization files (by convention, <B>/sbin/init.d</B> on Digital
UNIX machines). Note the removal of the <B>.rc</B> extension
as you copy the script.
<PRE>   
   # <B>cp usr/vice/etc/afs.rc  /sbin/init.d/afs</B>
   
</PRE>
<P><LI>Copy the AFS kernel module to the local <B>/usr/sys/BINARY</B>
directory. 
<P>If the machine's kernel supports NFS server functionality:
<PRE>  
   # <B>cp bin/libafs.o /usr/sys/BINARY/afs.mod</B>   
</PRE> 
<P>If the machine's kernel does not support NFS server
functionality:
<PRE>  
   # <B>cp bin/libafs.nonfs.o /usr/sys/BINARY/afs.mod</B>
   
</PRE>
<P><LI>Configure and build the kernel. Respond to any prompts by pressing
&lt;<B>Return</B>>. The resulting kernel resides in the file
<B>/sys/AFS/vmunix</B>. 
<PRE>   
   # <B>doconfig -c AFS</B>
   
</PRE>
<P><LI>Rename the existing kernel file and copy the new, AFS-modified file to the
standard location. 
<PRE>   
   # <B>mv /vmunix /vmunix_noafs</B>
   
   # <B>cp /sys/AFS/vmunix /vmunix</B>
   
</PRE>
<P><LI>Reboot the machine to start using the new kernel, and login again as the
superuser <B>root</B>. 
<PRE>   
   # <B>cd /</B>
   
   # <B>shutdown -r now</B>
   
   login: <B>root</B>
   Password: <VAR>root_password</VAR>
   
</PRE>
</OL>
<A NAME="IDX2270"></A>
<A NAME="IDX2271"></A>
<A NAME="IDX2272"></A>
<A NAME="IDX2273"></A>
<P><H3><A NAME="HDRWQ28" HREF="auqbg002.htm#ToC_41">Configuring Server Partitions on Digital UNIX Systems</A></H3>
<P>Every AFS file server machine must have at least one
partition or logical volume dedicated to storing AFS volumes. Each
server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
where <VAR>xx</VAR> is one or two lowercase letters. The
<B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
machine's root directory, not in one of its subdirectories (for example,
<B>/usr/vicepa</B> is not an acceptable directory location). For
additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
<OL TYPE=1>
<P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
partition you are configuring (there must be at least one). Repeat the
command for each partition.
<PRE>   
   # <B>mkdir /vicep</B><VAR>xx</VAR>
   
</PRE>
<P><LI>Add a line with the following format to the file systems registry file,
<B>/etc/fstab</B>, for each directory just created. The entry maps
the directory name to the disk partition to be mounted on it.
<PRE>   
   /dev/<VAR>disk</VAR> /vicep<VAR>xx</VAR> ufs rw 0 2
</PRE> 
<P>The following is an example for the first partition being
configured. 
<PRE>   
   /dev/rz3a /vicepa ufs rw 0 2
   
</PRE>
<P><LI>Create a file system on each partition that is to be mounted at a
<B>/vicep</B><VAR>xx</VAR> directory. The following command is
probably appropriate, but consult the Digital UNIX documentation for more
information. 
<PRE>   
   #<B> newfs -v /dev/</B><VAR>disk</VAR>
   
</PRE>
<P><LI>Mount each partition by issuing either the <B>mount -a</B> command to
mount all partitions at once or the <B>mount</B> command to mount each
partition in turn.
</OL>
<A NAME="IDX2274"></A>
<A NAME="IDX2275"></A>
<A NAME="IDX2276"></A>
<A NAME="IDX2277"></A>
<P><H3><A NAME="HDRWQ29" HREF="auqbg002.htm#ToC_42">Replacing the fsck Program on Digital UNIX Systems</A></H3>
<P>In this section, you make modifications to guarantee that the
appropriate <B>fsck</B> program runs on AFS server partitions. The
<B>fsck</B> program provided with the operating system must never run on
AFS server partitions. Because it does not recognize the structures
that the File Server uses to organize volume data, it removes all of the
data. To repeat:
<P><B>Never run the standard fsck program on AFS server partitions.
It discards AFS volumes.</B>
<P>On Digital UNIX systems, the files <B>/sbin/fsck</B> and
<B>/usr/sbin/fsck</B> are driver programs. Rather than replacing
either of them, you replace the actual binary included in the Digital UNIX
distribution as <B>/sbin/ufs_fsck</B> and
<B>/usr/sbin/ufs_fsck</B>.
<OL TYPE=1>
<P><LI>Install the <B>vfsck</B> binary to the <B>/sbin</B> and
<B>/usr/sbin</B> directories. The AFS CD-ROM must still be mounted
at the <B>/cdrom</B> directory.
<PRE>   
   # <B>cd /cdrom/alpha_dux40/root.server/etc</B>
   
   # <B>cp vfsck /sbin/vfsck</B>
   
   # <B>cp vfsck /usr/sbin/vfsck</B>
   
</PRE>
<P><LI>Rename the Digital UNIX <B>fsck</B> binaries and create symbolic links
to the <B>vfsck</B> program.
<PRE>   
   # <B>cd /sbin</B>
   
   # <B>mv ufs_fsck ufs_fsck.noafs</B>
   
   # <B>ln -s vfsck ufs_fsck</B>
   
   # <B>cd /usr/sbin</B>
   
   # <B>mv ufs_fsck ufs_fsck.noafs</B>
   
   # <B>ln -s vfsck ufs_fsck</B>
   
</PRE>
<P><LI>If you plan to retain client functionality on this machine after
completing the installation, proceed to <A HREF="#HDRWQ30">Enabling AFS Login on Digital UNIX Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</OL>
<A NAME="IDX2278"></A>
<A NAME="IDX2279"></A>
<A NAME="IDX2280"></A>
<A NAME="IDX2281"></A>
<A NAME="IDX2282"></A>
<A NAME="IDX2283"></A>
<P><H3><A NAME="HDRWQ30" HREF="auqbg002.htm#ToC_43">Enabling AFS Login on Digital UNIX Systems</A></H3>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</TD></TR></TABLE>
<P>On Digital UNIX systems, the AFS initialization script automatically
incorporates the AFS authentication library file into the Security Integration
Architecture (SIA) matrix on the machine, so that users with AFS accounts
obtain a token at login. In this section you copy the library file to
the appropriate location.
<P>For more information on SIA, see the Digital UNIX reference page for
<B>matrix.conf</B>, or consult the section on security in your
Digital UNIX documentation.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If the machine runs both the DCE and AFS client software, AFS must start
after DCE. Consult the AFS initialization script for suggested symbolic
links to create for correct ordering. Also, the system startup script
order must initialize SIA before any long-running process that uses
authentication.
</TD></TR></TABLE>
<P>Perform the following steps to enable AFS login.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for Digital UNIX on the local <B>/cdrom</B>
directory, if it is not already. Change directory as indicated. 
<PRE>   
   # <B>cd /cdrom/alpha_dux40/lib/afs</B>
   
</PRE>
<P><LI>Copy the appropriate AFS authentication library file to the local
<B>/usr/shlib</B> directory. 
<P>If you use the AFS Authentication Server (<B>kaserver</B> process) in
the cell:
<PRE>   
   # <B>cp  libafssiad.so  /usr/shlib</B>   
</PRE> 
<P>If you use a Kerberos implementation of AFS authentication, rename the
library file as you copy it:
<PRE>   
   # <B>cp  libafssiad.krb.so  /usr/shlib/libafssiad.so</B>
   
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
</OL>
<HR><H2><A NAME="HDRWQ31" HREF="auqbg002.htm#ToC_44">Getting Started on HP-UX Systems</A></H2>
<P>Begin by building AFS modifications into a new kernel;
HP-UX does not support dynamic loading. Then create partitions for
storing AFS volumes, and install and configure the AFS-modified
<B>fsck</B> program to run on AFS server partitions. If the machine
is to remain an AFS client machine, incorporate AFS into the machine's
Pluggable Authentication Module (PAM) scheme.
<A NAME="IDX2284"></A>
<A NAME="IDX2285"></A>
<A NAME="IDX2286"></A>
<A NAME="IDX2287"></A>
<P><H3><A NAME="HDRWQ32" HREF="auqbg002.htm#ToC_45">Building AFS into the HP-UX Kernel</A></H3>
<P>Use the following instructions to build AFS modifications
into the kernel on an HP-UX system.
<OL TYPE=1>
<P><LI>Move the existing kernel-related files to a safe location. 
<PRE>   
   # <B>cp /stand/vmunix /stand/vmunix.noafs</B>
   
   # <B>cp /stand/system /stand/system.noafs</B>
   
</PRE>
<P><LI>Mount the AFS CD-ROM for HP-UX on the local <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your HP-UX documentation. Then change directory
as indicated. 
<PRE>   
   # <B>cd /cdrom/hp_ux110/root.client</B>
   
</PRE>
<P><LI>Copy the AFS initialization file to the local directory for initialization
files (by convention, <B>/sbin/init.d</B> on HP-UX
machines). Note the removal of the <B>.rc</B> extension as
you copy the file.
<PRE>   
   # <B>cp usr/vice/etc/afs.rc  /sbin/init.d/afs</B>
   
</PRE>
<P><LI>Copy the file <B>afs.driver</B> to the local
<B>/usr/conf/master.d</B> directory, changing its name to
<B>afs</B> as you do. 
<PRE>     
   # <B>cp  usr/vice/etc/afs.driver  /usr/conf/master.d/afs</B>
   
</PRE>
<P><LI>Copy the AFS kernel module to the local <B>/usr/conf/lib</B>
directory. 
<P>If the machine's kernel supports NFS server functionality:
<PRE>   
   # <B>cp bin/libafs.a /usr/conf/lib</B>   
</PRE>
<P>If the machine's kernel does not support NFS server functionality,
change the file's name as you copy it:
<PRE>   
   # <B>cp bin/libafs.nonfs.a /usr/conf/lib/libafs.a</B>
   
</PRE>
<P><LI>Incorporate the AFS driver into the kernel, either using the
<B>SAM</B> program or a series of individual commands. 
<UL>
<P><LI>To use the <B>SAM</B> program: 
<OL TYPE=a>
<P><LI>Invoke the <B>SAM</B> program, specifying the hostname of the local
machine as <VAR>local_hostname</VAR>. The <B>SAM</B> graphical user
interface pops up. 
<PRE>   
   # <B>sam -display</B> <VAR>local_hostname</VAR><B>:0</B> 
   
</PRE>
<P><LI>Choose the <B>Kernel Configuration</B> icon, then the
<B>Drivers</B> icon. From the list of drivers, select
<B>afs</B>.
<P><LI>Open the pull-down <B>Actions</B> menu and choose the <B>Add Driver
to Kernel</B> option.
<P><LI>Open the <B>Actions</B> menu again and choose the <B>Create a New
Kernel</B> option.
<P><LI>Confirm your choices by choosing <B>Yes</B> and <B>OK</B> when
prompted by subsequent pop-up windows. The <B>SAM</B> program
builds the kernel and reboots the system.
<P><LI>Login again as the superuser <B>root</B>.
<PRE>   
   login: <B>root</B>
   Password: <VAR>root_password</VAR>
   
</PRE>
</OL>
<P><LI>To use individual commands: 
<OL TYPE=a>
<P><LI>Edit the file <B>/stand/system</B>, adding an entry for <B>afs</B>
to the <TT>Subsystems</TT> section.
<P><LI>Change to the <B>/stand/build</B> directory and issue the
<B>mk_kernel</B> command to build the kernel. 
<PRE>   
   # <B>cd /stand/build</B>
      
   # <B>mk_kernel</B>
   
</PRE>
<P><LI>Move the new kernel to the standard location (<B>/stand/vmunix</B>),
reboot the machine to start using it, and login again as the superuser
<B>root</B>.
<PRE>   
   # <B>mv /stand/build/vmunix_test /stand/vmunix</B>
      
   # <B>cd /</B>
      
   # <B>shutdown -r now</B>             
   
   login: <B>root</B>
   Password: <VAR>root_password</VAR>
   
</PRE>
</OL>
</UL>
</OL>
<A NAME="IDX2288"></A>
<A NAME="IDX2289"></A>
<A NAME="IDX2290"></A>
<A NAME="IDX2291"></A>
<P><H3><A NAME="HDRWQ33" HREF="auqbg002.htm#ToC_46">Configuring Server Partitions on HP-UX Systems</A></H3>
<P>Every AFS file server machine must have at least one
partition or logical volume dedicated to storing AFS volumes. Each
server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
where <VAR>xx</VAR> is one or two lowercase letters. The
<B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
machine's root directory, not in one of its subdirectories (for example,
<B>/usr/vicepa</B> is not an acceptable directory location). For
additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
<OL TYPE=1>
<P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
partition you are configuring (there must be at least one). Repeat the
command for each partition.
<PRE>   
   # <B>mkdir /vicep</B><VAR>xx</VAR>
   
</PRE>
<P><LI>Use the <B>SAM</B> program to create a file system on each
partition. For instructions, consult the HP-UX documentation.
<P><LI>On some HP-UX systems that use logical volumes, the <B>SAM</B> program
automatically mounts the partitions. If it has not, mount each
partition by issuing either the <B>mount -a</B> command to mount all
partitions at once or the <B>mount</B> command to mount each partition in
turn.
</OL>
<A NAME="IDX2292"></A>
<A NAME="IDX2293"></A>
<A NAME="IDX2294"></A>
<A NAME="IDX2295"></A>
<P><H3><A NAME="HDRWQ34" HREF="auqbg002.htm#ToC_47">Configuring the AFS-modified fsck Program on HP-UX Systems</A></H3>
<P>In this section, you make modifications to guarantee that the
appropriate <B>fsck</B> program runs on AFS server partitions. The
<B>fsck</B> program provided with the operating system must never run on
AFS server partitions. Because it does not recognize the structures
that the File Server uses to organize volume data, it removes all of the
data. To repeat:
<P><B>Never run the standard fsck program on AFS server partitions.
It discards AFS volumes.</B>
<P>On HP-UX systems, there are several configuration files to install in
addition to the AFS-modified <B>fsck</B> program (the <B>vfsck</B>
binary).
<OL TYPE=1>
<P><LI>Create the command configuration file
<B>/sbin/lib/mfsconfig.d/afs</B>. Use a text editor to place
the indicated two lines in it: 
<PRE>   
   format_revision 1
   fsck            0        m,P,p,d,f,b:c:y,n,Y,N,q,
   
</PRE>
<P><LI>Create and change directory to an AFS-specific command directory called
<B>/sbin/fs/afs</B>. 
<PRE>   
   # <B>mkdir /sbin/fs/afs</B>
   
   # <B>cd  /sbin/fs/afs</B>
   
</PRE>
<P><LI>Copy the AFS-modified version of the <B>fsck</B> program (the
<B>vfsck</B> binary) and related files from the distribution directory to
the new AFS-specific command directory. 
<PRE>   
   # <B>cp -p /cdrom/hp_ux110/root.server/etc/*  .</B>
          
</PRE>
<P><LI>Change the <B>vfsck</B> binary's name to <B>fsck</B> and set
the mode bits appropriately on all of the files in the <B>/sbin/fs/afs</B>
directory.
<PRE>      
   # <B>mv  vfsck  fsck</B>
   
   # <B>chmod  755  *</B>
   
</PRE>
<P><LI>Edit the <B>/etc/fstab</B> file, changing the file system type for
each AFS server partition from <TT>hfs</TT> to <TT>afs</TT>. This
ensures that the AFS-modified <B>fsck</B> program runs on the appropriate
partitions. 
<P>The sixth line in the following example of an edited file shows an AFS
server partition, <B>/vicepa</B>. 
<PRE>   
   /dev/vg00/lvol1 / hfs defaults 0 1
   /dev/vg00/lvol4 /opt hfs defaults 0 2
   /dev/vg00/lvol5 /tmp hfs defaults 0 2
   /dev/vg00/lvol6 /usr hfs defaults 0 2
   /dev/vg00/lvol8 /var hfs defaults 0 2
   /dev/vg00/lvol9 /vicepa afs defaults 0 2
   /dev/vg00/lvol7 /usr/vice/cache hfs defaults 0 2
   
</PRE>
<P><LI>If you plan to retain client functionality on this machine after
completing the installation, proceed to <A HREF="#HDRWQ35">Enabling AFS Login on HP-UX Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</OL>
<A NAME="IDX2296"></A>
<A NAME="IDX2297"></A>
<A NAME="IDX2298"></A>
<A NAME="IDX2299"></A>
<A NAME="IDX2300"></A>
<A NAME="IDX2301"></A>
<P><H3><A NAME="HDRWQ35" HREF="auqbg002.htm#ToC_48">Enabling AFS Login on HP-UX Systems</A></H3>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</TD></TR></TABLE>
<P>At this point you incorporate AFS into the operating system's
Pluggable Authentication Module (PAM) scheme. PAM integrates all
authentication mechanisms on the machine, including login, to provide the
security infrastructure for authenticated access to and from the
machine.
<P>Explaining PAM is beyond the scope of this document. It is assumed
that you understand the syntax and meanings of settings in the PAM
configuration file (for example, how the <TT>other</TT> entry works, the
effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
<TT>sufficient</TT>, and so on).
<P>The following instructions explain how to alter the entries in the PAM
configuration file for each service for which you wish to use AFS
authentication. Other configurations possibly also work, but the
instructions specify the recommended and tested configuration.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">The instructions specify that you mark each entry as
<TT>optional</TT>. However, marking some modules as optional can mean
that they grant access to the corresponding service even when the user does
not meet all of the module's requirements. In some operating
system revisions, for example, if you mark as optional the module that
controls login via a dial-up connection, it allows users to login without
providing a password. See the <I>IBM AFS Release Notes</I> for a
discussion of any limitations that apply to this operating system. 
<P>Also, with some operating system versions you must install patches for PAM
to interact correctly with certain authentication programs. For
details, see the <I>IBM AFS Release Notes</I>.
</TD></TR></TABLE>
<P>The recommended AFS-related entries in the PAM configuration file make use
of one or more of the following three attributes.
<DL>
<P><DT><B><TT>try_first_pass</TT>
</B><DD>This is a standard PAM attribute that can be included on entries after the
first one for a service; it directs the module to use the password that
was provided to the first module. For the AFS module, it means that AFS
authentication succeeds if the password provided to the module listed first is
the user's correct AFS password. For further discussion of this
attribute and its alternatives, see the operating system's PAM
documentation.
<P><DT><B><TT>ignore_root</TT>
</B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
only the local superuser <B> root</B>, but also any user with UID 0
(zero).
<P><DT><B><TT>setenv_password_expires</TT>
</B><DD>This attribute, specific to the AFS PAM module, sets the environment
variable PASSWORD_EXPIRES to the expiration date of the user's AFS
password, which is recorded in the Authentication Database.
</DL>
<P>Perform the following steps to enable AFS login.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for HP-UX on the <B>/cdrom</B> directory, if it
is not already. Then change directory as indicated.
<PRE>  
   # <B>cd /usr/lib/security</B>
   
</PRE>
<P><LI>Copy the AFS authentication library file to the
<B>/usr/lib/security</B> directory. Then create a symbolic link to
it whose name does not mention the version. Omitting the version
eliminates the need to edit the PAM configuration file if you later update the
library file. 
<P>If you use the AFS Authentication Server (<B>kaserver</B> process) in
the cell: 
<PRE>   
   # <B>cp /cdrom/hp_ux110/lib/pam_afs.so.1  .</B>
  
   # <B>ln -s  pam_afs.so.1  pam_afs.so</B>   
</PRE> 
<P>If you use a Kerberos implementation of AFS authentication: 
<PRE>  
   #<B> cp /cdrom/hp_ux110/lib/pam_afs.krb.so.1   .</B>
  
   # <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>
   
</PRE>
<P><LI>Edit the <TT>Authentication management</TT> section of the HP-UX PAM
configuration file, <B>/etc/pam.conf</B> by convention. The
entries in this section have the value <TT>auth</TT> in their second
field. 
<P>First edit the standard entries, which refer to the HP-UX PAM module
(usually, the file <B>/usr/lib/security/libpam_unix.1</B>) in their
fourth field. For each service for which you want to use AFS
authentication, edit the third field of its entry to read
<TT>optional</TT>. The <B>pam.conf</B> file in the HP-UX
distribution usually includes standard entries for the <B>login</B> and
<B>ftp</B> services, for instance. 
<P>If there are services for which you want to use AFS authentication, but for
which the <B>pam.conf</B> file does not already include a standard
entry, you must create that entry and place the value <TT>optional</TT> in
its third field. For instance, the HP-UX <B>pam.conf</B>
file does not usually include standard entries for the <B>remsh</B> or
<B>telnet</B> services. 
<P>Then create an AFS-related entry for each service, placing it immediately
below the standard entry. The following example shows what the
<TT>Authentication Management</TT> section looks like after you have you
edited or created entries for the services mentioned previously. Note
that the example AFS entries appear on two lines only for legibility. 
<PRE>   
   login   auth  optional  /usr/lib/security/libpam_unix.1
   login   auth  optional  /usr/lib/security/pam_afs.so      \
         try_first_pass  ignore_root  setenv_password_expires
   ftp     auth  optional  /usr/lib/security/libpam_unix.1
   ftp     auth  optional  /usr/lib/security/pam_afs.so      \
         try_first_pass  ignore_root
   remsh   auth  optional  /usr/lib/security/libpam_unix.1
   remsh   auth  optional  /usr/lib/security/pam_afs.so      \
         try_first_pass  ignore_root            
   telnet  auth  optional  /usr/lib/security/libpam_unix.1
   telnet  auth  optional  /usr/lib/security/pam_afs.so      \
         try_first_pass  ignore_root  setenv_password_expires
   
</PRE>
<P><LI>If you use the Common Desktop Environment (CDE) on the machine and want
users to obtain an AFS token as they log in, also add or edit the following
four entries in the <TT>Authentication management</TT> section. Note
that the AFS-related entries appear on two lines here only for
legibility. 
<PRE>  
   dtlogin   auth  optional  /usr/lib/security/libpam_unix.1
   dtlogin   auth  optional  /usr/lib/security/pam_afs.so     \
         try_first_pass  ignore_root
   dtaction  auth  optional  /usr/lib/security/libpam_unix.1
   dtaction  auth  optional  /usr/lib/security/pam_afs.so     \
         try_first_pass  ignore_root
   
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
</OL>
<HR><H2><A NAME="HDRWQ36" HREF="auqbg002.htm#ToC_49">Getting Started on IRIX Systems</A></H2>
<A NAME="IDX2302"></A>
<A NAME="IDX2303"></A>
<A NAME="IDX2304"></A>
<A NAME="IDX2305"></A>
<A NAME="IDX2306"></A>
<A NAME="IDX2307"></A>
<A NAME="IDX2308"></A>
<P>To incorporate AFS into the kernel on IRIX systems, choose one of two
methods:
<UL>
<P><LI>Run the AFS initialization script to invoke the <B>ml</B> program
distributed by Silicon Graphics, Incorporated (SGI), which dynamically loads
AFS modifications into the kernel
<P><LI>Build a new static kernel
</UL>
<P>Then create partitions for storing AFS volumes. You do not need to
replace the IRIX <B>fsck</B> program because SGI has already modified it
to handle AFS volumes properly. If the machine is to remain an AFS
client machine, verify that the IRIX login utility installed on the machine
grants an AFS token.
<P>In preparation for either dynamic loading or kernel building, perform the
following procedures:
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for IRIX on the <B>/cdrom</B> directory.
For instructions on mounting CD-ROMs (either locally or remotely via NFS), see
your IRIX documentation. Then change directory as indicated.
<PRE>   
   # <B>cd  /cdrom/sgi_65/root.client</B>
   
</PRE>
<P><LI>Copy the AFS initialization script to the local directory for
initialization files (by convention, <B>/etc/init.d</B> on IRIX
machines). Note the removal of the <B>.rc</B> extension as
you copy the script.
<PRE>   
   # <B>cp -p   usr/vice/etc/afs.rc  /etc/init.d/afs</B>
   
</PRE>
<P><LI>Issue the <B>uname -m</B> command to determine the machine's CPU
board type. The <B>IP</B><VAR>xx</VAR> value in the output must match
one of the supported CPU board types listed in the <I>IBM AFS Release
Notes</I> for the current version of AFS.
<PRE>   
   # <B>uname -m</B>
    
</PRE>
<P><LI>Proceed to either <A HREF="#HDRWQ37">Loading AFS into the IRIX Kernel</A> or <A HREF="#HDRWQ38">Building AFS into the IRIX Kernel</A>.
</OL>
<A NAME="IDX2309"></A>
<A NAME="IDX2310"></A>
<A NAME="IDX2311"></A>
<A NAME="IDX2312"></A>
<A NAME="IDX2313"></A>
<A NAME="IDX2314"></A>
<A NAME="IDX2315"></A>
<P><H3><A NAME="HDRWQ37" HREF="auqbg002.htm#ToC_50">Loading AFS into the IRIX Kernel</A></H3>
<P>The <B>ml</B> program is the dynamic kernel loader
provided by SGI for IRIX systems. If you use it rather than building
AFS modifications into a static kernel, then for AFS to function correctly the
<B>ml</B> program must run each time the machine reboots.
Therefore, the AFS initialization script (included on the AFS CD-ROM) invokes
it automatically when the <B>afsml</B> configuration variable is
activated. In this section you activate the variable and run the
script.
<P>In later sections you verify that the script correctly initializes all AFS
components, then create the links that incorporate AFS into the IRIX startup
and shutdown sequence.
<OL TYPE=1>
<P><LI>Create the local <B>/usr/vice/etc/sgiload</B> directory to house the
AFS kernel library file.
<PRE>   
   # <B>mkdir /usr/vice/etc/sgiload</B>
   
</PRE>
<P><LI>Copy the appropriate AFS kernel library file to the
<B>/usr/vice/etc/sgiload</B> directory. The
<B>IP</B><VAR>xx</VAR> portion of the library file name must match the value
previously returned by the <B>uname -m</B> command. Also choose the
file appropriate to whether the machine's kernel supports NFS server
functionality (NFS must be supported for the machine to act as an NFS/AFS
Translator). Single- and multiprocessor machines use the same library
file. 
<P>(You can choose to copy all of the kernel library files into the <B>
/usr/vice/etc/sgiload</B> directory, but they require a significant amount
of space.) 
<P>If the machine's kernel supports NFS server functionality:
<PRE>   
   # <B>cp -p  usr/vice/etc/sgiload/libafs.IP</B><VAR>xx</VAR><B>.o  /usr/vice/etc/sgiload</B>   
</PRE> 
<P>If the machine's kernel does not support NFS server
functionality:
<PRE>   
   # <B>cp -p  usr/vice/etc/sgiload/libafs.IP</B><VAR>xx</VAR><B>.nonfs.o</B>   \
                   <B>/usr/vice/etc/sgiload</B>
   
</PRE>
<P><LI>Issue the <B>chkconfig</B> command to activate the <B>afsml</B>
configuration variable. 
<PRE>   
   # <B>/etc/chkconfig -f afsml on</B>   
</PRE> 
<P>If the machine is to function as an NFS/AFS Translator and the kernel
supports NFS server functionality, activate the <B>afsxnfs</B>
variable.
<PRE>   
   # <B>/etc/chkconfig -f afsxnfs on</B>
   
</PRE>
<P><LI>Run the <B>/etc/init.d/afs</B> script to load AFS extensions
into the kernel. The script invokes the <B>ml</B> command,
automatically determining which kernel library file to use based on this
machine's CPU type and the activation state of the <B>afsxnfs</B>
variable. 
<P>You can ignore any error messages about the inability to start the BOS
Server or the Cache Manager or AFS client.
<PRE>   
   # <B>/etc/init.d/afs start</B>
   
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ39">Configuring Server Partitions on IRIX Systems</A>.
</OL>
<A NAME="IDX2316"></A>
<P><H3><A NAME="HDRWQ38" HREF="auqbg002.htm#ToC_51">Building AFS into the IRIX Kernel</A></H3>
<P>Use the following instructions to build AFS modifications
into the kernel on an IRIX system.
<OL TYPE=1>
<P><LI>Copy the kernel initialization file <B>afs.sm</B> to the local
<B>/var/sysgen/system</B> directory, and the kernel master file
<B>afs</B> to the local <B>/var/sysgen/master.d</B>
directory.
<PRE>   
   # <B>cp -p  bin/afs.sm  /var/sysgen/system</B>
   
   # <B>cp -p  bin/afs  /var/sysgen/master.d</B>
   
</PRE>
<P><LI>Copy the appropriate AFS kernel library file to the local file
<B>/var/sysgen/boot/afs.a</B>; the <B>IP</B><VAR>xx</VAR>
portion of the library file name must match the value previously returned by
the <B>uname -m</B> command. Also choose the file appropriate to
whether the machine's kernel supports NFS server functionality (NFS must
be supported for the machine to act as an NFS/AFS Translator). Single-
and multiprocessor machines use the same library file. 
<P>If the machine's kernel supports NFS server functionality:
<PRE>   
   # <B>cp -p   bin/libafs.IP</B><VAR>xx</VAR><B>.a   /var/sysgen/boot/afs.a</B>   
</PRE> 
<P>If the machine's kernel does not support NFS server
functionality:
<PRE>   
   # <B>cp -p  bin/libafs.IP</B><VAR>xx</VAR><B>.nonfs.a  /var/sysgen/boot/afs.a</B>
   
</PRE>
<P><LI>Issue the <B>chkconfig</B> command to deactivate the <B>afsml</B>
configuration variable. 
<PRE>   
   # <B>/etc/chkconfig -f afsml off</B>   
</PRE> 
<P>If the machine is to function as an NFS/AFS Translator and the kernel
supports NFS server functionality, activate the <B>afsxnfs</B>
variable. 
<PRE>    
   # <B>/etc/chkconfig -f afsxnfs on</B>
   
</PRE>
<P><LI>Copy the existing kernel file, <B>/unix</B>, to a safe
location. Compile the new kernel, which is created in the file
<B>/unix.install</B>. It overwrites the existing
<B>/unix</B> file when the machine reboots in the next step. 
<PRE>   
   # <B>cp /unix /unix_noafs</B>
   
   # <B>autoconfig</B>
   
</PRE>
<P><LI>Reboot the machine to start using the new kernel, and login again as the
superuser <B>root</B>. 
<PRE>   
   # <B>cd /</B>
         
   # <B>shutdown -i6 -g0 -y</B>
   
   login: <B>root</B>
   Password: <VAR>root_password</VAR>
   
</PRE>
</OL>
<A NAME="IDX2317"></A>
<A NAME="IDX2318"></A>
<A NAME="IDX2319"></A>
<A NAME="IDX2320"></A>
<P><H3><A NAME="HDRWQ39" HREF="auqbg002.htm#ToC_52">Configuring Server Partitions on IRIX Systems</A></H3>
<P>Every AFS file server machine must have at least one
partition or logical volume dedicated to storing AFS volumes. Each
server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
where <VAR>xx</VAR> is one or two lowercase letters. The
<B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
machine's root directory, not in one of its subdirectories (for example,
<B>/usr/vicepa</B> is not an acceptable directory location). For
additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
<P>AFS supports use of both EFS and XFS partitions for housing AFS
volumes. SGI encourages use of XFS partitions.
<OL TYPE=1>
<P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
partition you are configuring (there must be at least one). Repeat the
command for each partition.
<PRE>   
   # <B>mkdir /vicep</B><VAR>xx</VAR>
   
</PRE>
<P><LI>Add a line with the following format to the file systems registry file,
<B>/etc/fstab</B>, for each partition (or logical volume created with the
XLV volume manager) to be mounted on one of the directories created in the
previous step. 
<P>For an XFS partition or logical volume:
<PRE>   
   /dev/dsk/<VAR>disk</VAR>  /vicep<VAR>xx</VAR>  xfs  rw,raw=/dev/rdsk/<VAR>disk</VAR>  0  0   
</PRE> 
<P>For an EFS partition:
<PRE>   
   /dev/dsk/<VAR>disk</VAR>  /vicep<VAR>xx</VAR>  efs  rw,raw=/dev/rdsk/<VAR>disk</VAR>  0  0   
</PRE> 
<P>The following are examples of an entry for each file system type:
<PRE>   
   /dev/dsk/dks0d2s6 /vicepa  xfs rw,raw=/dev/rdsk/dks0d2s6  0 0
   /dev/dsk/dks0d3s1 /vicepb  efs rw,raw=/dev/rdsk/dks0d3s1  0 0
   
</PRE>
<P><LI>Create a file system on each partition that is to be mounted on a
<B>/vicep</B><VAR>xx</VAR> directory. The following commands are
probably appropriate, but consult the IRIX documentation for more
information. In both cases, <VAR>raw_device</VAR> is a raw device name
like <B>/dev/rdsk/dks0d0s0</B> for a single disk partition or
<B>/dev/rxlv/xlv0</B> for a logical volume. 
<P>For XFS file systems, include the indicated options to configure the
partition or logical volume with inodes large enough to accommodate
AFS-specific information:
<PRE>   
   # <B>mkfs -t xfs -i size=512 -l size=4000b</B> <VAR>raw_device</VAR>   
</PRE> 
<P>For EFS file systems: 
<PRE>   
   # <B>mkfs -t efs</B> <VAR>raw_device</VAR>
   
</PRE>
<P><LI>Mount each partition by issuing either the <B>mount -a</B> command to
mount all partitions at once or the <B>mount</B> command to mount each
partition in turn.
<P><LI><B>(Optional)</B> If you have configured partitions or logical volumes
to use XFS, issue the following command to verify that the inodes are
configured properly (are large enough to accommodate AFS-specific
information). If the configuration is correct, the command returns no
output. Otherwise, it specifies the command to run in order to
configure each partition or logical volume properly. 
<PRE>   
   # <B>/usr/afs/bin/xfs_size_check</B>
   
</PRE>
<P><LI>If you plan to retain client functionality on this machine after
completing the installation, proceed to <A HREF="#HDRWQ40">Enabling AFS Login on IRIX Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</OL>
<A NAME="IDX2321"></A>
<A NAME="IDX2322"></A>
<A NAME="IDX2323"></A>
<A NAME="IDX2324"></A>
<P><H3><A NAME="HDRWQ40" HREF="auqbg002.htm#ToC_53">Enabling AFS Login on IRIX Systems</A></H3>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</TD></TR></TABLE>
<P>The standard IRIX command-line <B>login</B> program and the graphical
<B>xdm</B> login program both automatically grant an AFS token when AFS is
incorporated into the machine's kernel. However, some IRIX
distributions use another login utility by default, and it does not
necessarily incorporate the required AFS modifications. If that is the
case, you must disable the default utility if you want AFS users to obtain AFS
tokens at login. For further discussion, see the <I>IBM AFS Release
Notes</I>.
<P>If you configure the machine to use an AFS-modified login utility, then the
<B>afsauthlib.so</B> and <B>afskauthlib.so</B> files
(included in the AFS distribution) must reside in the <B>/usr/vice/etc</B>
directory. Issue the <B>ls</B> command to verify.
<PRE>  
   # <B>ls /usr/vice/etc</B>   
</PRE>
<P>If the files do not exist, mount the AFS CD-ROM for IRIX (if it is not
already), change directory as indicated, and copy them.
<PRE>  
   # <B>cd /cdrom/sgi_65/root.client/usr/vice/etc</B>
   
   # <B>cp  -p  *authlib*  /usr/vice/etc</B>   
</PRE>
<P>After taking any necessary action, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
<HR><H2><A NAME="HDRWQ41" HREF="auqbg002.htm#ToC_54">Getting Started on Linux Systems</A></H2>
<A NAME="IDX2325"></A>
<A NAME="IDX2326"></A>
<A NAME="IDX2327"></A>
<A NAME="IDX2328"></A>
<P>Begin by running the AFS initialization script to call the
<B>insmod</B> program, which dynamically loads AFS modifications into the
kernel. Then create partitions for storing AFS volumes. You do
not need to replace the Linux <B>fsck</B> program. If the machine
is to remain an AFS client machine, incorporate AFS into the machine's
Pluggable Authentication Module (PAM) scheme.
<A NAME="IDX2329"></A>
<A NAME="IDX2330"></A>
<A NAME="IDX2331"></A>
<A NAME="IDX2332"></A>
<P><H3><A NAME="HDRWQ42" HREF="auqbg002.htm#ToC_55">Loading AFS into the Linux Kernel</A></H3>
<P>The <B>insmod</B> program is the dynamic kernel loader
for Linux. Linux does not support incorporation of AFS modifications
during a kernel build.
<P>For AFS to function correctly, the <B>insmod</B> program must run each
time the machine reboots, so the AFS initialization script (included on the
AFS CD-ROM) invokes it automatically. The script also includes commands
that select the appropriate AFS library file automatically. In this
section you run the script.
<P>In later sections you verify that the script correctly initializes all AFS
components, then activate a configuration variable, which results in the
script being incorporated into the Linux startup and shutdown sequence.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for Linux on the local <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your Linux documentation. Then change directory
as indicated. 
<PRE>   
   # <B>cd  /cdrom/i386_linux22/root.client/usr/vice/etc</B>
   
</PRE>
<P><LI>Copy the AFS kernel library files to the local
<B>/usr/vice/etc/modload</B> directory. The filenames for the
libraries have the format
<B>libafs-</B><VAR>version</VAR><B>.o</B>, where <VAR>version</VAR>
indicates the kernel build level. The string <B>.mp</B> in
the <VAR>version</VAR> indicates that the file is appropriate for machines
running a multiprocessor kernel. 
<PRE>   
   # <B>cp -rp  modload  /usr/vice/etc</B>
   
</PRE>
<P><LI>Copy the AFS initialization script to the local directory for
initialization files (by convention, <B>/etc/rc.d/init.d</B>
on Linux machines). Note the removal of the <B>.rc</B>
extension as you copy the script.
<PRE>   
   # <B>cp -p   afs.rc  /etc/rc.d/init.d/afs</B> 
    
</PRE>
<P><LI>Run the AFS initialization script to load AFS extensions into the
kernel. You can ignore any error messages about the inability to start
the BOS Server or the Cache Manager or AFS client.
<PRE>   
   # <B>/etc/rc.d/init.d/afs  start</B>
   
</PRE>
</OL>
<A NAME="IDX2333"></A>
<A NAME="IDX2334"></A>
<A NAME="IDX2335"></A>
<A NAME="IDX2336"></A>
<P><H3><A NAME="HDRWQ43" HREF="auqbg002.htm#ToC_56">Configuring Server Partitions on Linux Systems</A></H3>
<P>Every AFS file server machine must have at least one
partition or logical volume dedicated to storing AFS volumes. Each
server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
where <VAR>xx</VAR> is one or two lowercase letters. The
<B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
machine's root directory, not in one of its subdirectories (for example,
<B>/usr/vicepa</B> is not an acceptable directory location). For
additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
<OL TYPE=1>
<P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
partition you are configuring (there must be at least one). Repeat the
command for each partition.
<PRE>   
   # <B>mkdir /vicep</B><VAR>xx</VAR>
   
</PRE>
<P><LI>Add a line with the following format to the file systems registry file,
<B>/etc/fstab</B>, for each directory just created. The entry maps
the directory name to the disk partition to be mounted on it.
<PRE>   
   /dev/<VAR>disk</VAR>  /vicep<VAR>xx</VAR>  ext2  defaults  0  2   
</PRE> 
<P>The following is an example for the first partition being
configured. 
<PRE>   
   /dev/sda8 /vicepa ext2 defaults 0 2
   
</PRE>
<P><LI>Create a file system on each partition that is to be mounted at a
<B>/vicep</B><VAR>xx</VAR> directory. The following command is
probably appropriate, but consult the Linux documentation for more
information. 
<PRE>   
   #<B> mkfs -v /dev/</B><VAR>disk</VAR>
   
</PRE>
<P><LI>Mount each partition by issuing either the <B>mount -a</B> command to
mount all partitions at once or the <B>mount</B> command to mount each
partition in turn.
<P><LI>If you plan to retain client functionality on this machine after
completing the installation, proceed to <A HREF="#HDRWQ44">Enabling AFS Login on Linux Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</OL>
<A NAME="IDX2337"></A>
<A NAME="IDX2338"></A>
<A NAME="IDX2339"></A>
<A NAME="IDX2340"></A>
<A NAME="IDX2341"></A>
<P><H3><A NAME="HDRWQ44" HREF="auqbg002.htm#ToC_57">Enabling AFS Login on Linux Systems</A></H3>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</TD></TR></TABLE>
<P>At this point you incorporate AFS into the operating system's
Pluggable Authentication Module (PAM) scheme. PAM integrates all
authentication mechanisms on the machine, including login, to provide the
security infrastructure for authenticated access to and from the
machine.
<P>Explaining PAM is beyond the scope of this document. It is assumed
that you understand the syntax and meanings of settings in the PAM
configuration file (for example, how the <TT>other</TT> entry works, the
effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
<TT>sufficient</TT>, and so on).
<P>The following instructions explain how to alter the entries in the PAM
configuration file for each service for which you wish to use AFS
authentication. Other configurations possibly also work, but the
instructions specify the recommended and tested configuration.
<P>The recommended AFS-related entries in the PAM configuration file make use
of one or more of the following three attributes.
<DL>
<P><DT><B><TT>try_first_pass</TT>
</B><DD>This is a standard PAM attribute that can be included on entries after the
first one for a service; it directs the module to use the password that
was provided to the first module. For the AFS module, it means that AFS
authentication succeeds if the password provided to the module listed first is
the user's correct AFS password. For further discussion of this
attribute and its alternatives, see the operating system's PAM
documentation.
<P><DT><B><TT>ignore_root</TT>
</B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
only the local superuser <B> root</B>, but also any user with UID 0
(zero).
<P><DT><B><TT>setenv_password_expires</TT>
</B><DD>This attribute, specific to the AFS PAM module, sets the environment
variable PASSWORD_EXPIRES to the expiration date of the user's AFS
password, which is recorded in the Authentication Database.
</DL>
<P>Perform the following steps to enable AFS login.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for Linux on the <B>/cdrom</B> directory, if it
is not already. Then change to the directory for PAM modules, which
depends on which Linux distribution you are using. 
<P>If you are using a Linux distribution from Red Hat Software:
<PRE>   
   # <B>cd /lib/security</B>   
</PRE> 
<P>If you are using another Linux distribution:
<PRE>   
   # <B>cd /usr/lib/security</B>
   
</PRE>
<P><LI>Copy the appropriate AFS authentication library file to the directory to
which you changed in the previous step. Create a symbolic link whose
name does not mention the version. Omitting the version eliminates the
need to edit the PAM configuration file if you later update the library
file. 
<P>If you use the AFS Authentication Server (<B>kaserver</B>
process):
<PRE>   
   # <B>cp /cdrom/i386_linux22/lib/pam_afs.so.1  .</B>
   
   # <B>ln -s pam_afs.so.1 pam_afs.so</B>   
</PRE> 
<P>If you use a Kerberos implementation of AFS authentication:
<PRE>   
   # <B>cp /cdrom/i386_linux22/lib/pam_afs.krb.so.1   .</B>
   
   # <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>
   
</PRE>
<P><LI>For each service with which you want to use AFS authentication, insert an
entry for the AFS PAM module into the <TT>auth</TT> section of the
service's PAM configuration file. (Linux uses a separate
configuration file for each service, unlike some other operating systems which
list all services in a single file.) Mark the entry as
<TT>sufficient</TT> in the second field. 
<P>Place the AFS entry below any entries that impose conditions under which
you want the service to fail for a user who does not meet the entry's
requirements. Mark these entries <TT>required</TT>. Place the
AFS entry above any entries that need to execute only if AFS authentication
fails. 
<P>Insert the following AFS entry if using the Red Hat distribution:
<PRE>   
   auth  sufficient  /lib/security/pam_afs.so   try_first_pass  ignore_root   
</PRE> 
<P>Insert the following AFS entry if using another distribution:
<PRE>   
   auth  sufficient  /usr/lib/security/pam_afs.so  try_first_pass  ignore_root   
</PRE> 
<P>The following example illustrates the recommended configuration of the
configuration file for the <B>login</B> service
(<B>/etc/pam.d/login</B>) on a machine using the Red Hat
distribution.
<PRE>   
   #%PAM-1.0
   auth      required   /lib/security/pam_securetty.so
   auth      required   /lib/security/pam_nologin.so
   auth      sufficient /lib/security/pam_afs.so try_first_pass ignore_root
   auth      required   /lib/security/pam_pwdb.so shadow nullok
   account   required   /lib/security/pam_pwdb.so
   password  required   /lib/security/pam_cracklib.so
   password  required   /lib/security/pam_pwdb.so shadow nullok use_authtok
   session   required   /lib/security/pam_pwdb.so
   
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
</OL>
<HR><H2><A NAME="HDRWQ45" HREF="auqbg002.htm#ToC_58">Getting Started on Solaris Systems</A></H2>
<P>Begin by running the AFS initialization script to call the
<B>modload</B> program distributed by Sun Microsystems, which dynamically
loads AFS modifications into the kernel. Then create partitions for
storing AFS volumes, and install and configure the AFS-modified
<B>fsck</B> program to run on AFS server partitions. If the machine
is to remain an AFS client machine, incorporate AFS into the machine's
Pluggable Authentication Module (PAM) scheme.
<A NAME="IDX2342"></A>
<A NAME="IDX2343"></A>
<A NAME="IDX2344"></A>
<A NAME="IDX2345"></A>
<P><H3><A NAME="HDRWQ46" HREF="auqbg002.htm#ToC_59">Loading AFS into the Solaris Kernel</A></H3>
<P>The <B>modload</B> program is the dynamic kernel loader
provided by Sun Microsystems for Solaris systems. Solaris does not
support incorporation of AFS modifications during a kernel build.
<P>For AFS to function correctly, the <B>modload</B> program must run each
time the machine reboots, so the AFS initialization script (included on the
AFS CD-ROM) invokes it automatically. In this section you copy the
appropriate AFS library file to the location where the <B>modload</B>
program accesses it and then run the script.
<P>In later sections you verify that the script correctly initializes all AFS
components, then create the links that incorporate AFS into the Solaris
startup and shutdown sequence.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for Solaris on the <B>/cdrom</B>
directory. For instructions on mounting CD-ROMs (either locally or
remotely via NFS), see your Solaris documentation. Then change
directory as indicated. 
<PRE>   
   # <B>cd  /cdrom/sun4x_56/root.client/usr/vice/etc</B>
   
</PRE>
<P><LI>Copy the AFS initialization script to the local directory for
initialization files (by convention, <B>/etc/init.d</B> on Solaris
machines). Note the removal of the <B>.rc</B> extension as
you copy the script. 
<PRE>   
   # <B>cp -p  afs.rc  /etc/init.d/afs</B>
   
</PRE>
<P><LI>Copy the appropriate AFS kernel library file to the local file
<B>/kernel/fs/afs</B>. 
<P>If the machine is running Solaris 2.6 or the 32-bit version of
Solaris 7, its kernel supports NFS server functionality, and the
<B>nfsd</B> process is running:
<PRE>   
   # <B>cp -p modload/libafs.o /kernel/fs/afs</B>   
</PRE> 
<P>If the machine is running Solaris 2.6 or the 32-bit version of
Solaris 7, and its kernel does not support NFS server functionality or the
<B>nfsd</B> process is not running:
<PRE>   
   # <B>cp -p modload/libafs.nonfs.o /kernel/fs/afs</B>   
</PRE> 
<P>If the machine is running the 64-bit version of Solaris 7, its kernel
supports NFS server functionality, and the <B>nfsd</B> process is
running:
<PRE>   
   # <B>cp -p modload/libafs64.o /kernel/fs/sparcv9/afs</B>   
</PRE> 
<P>If the machine is running the 64-bit version of Solaris 7, and its
kernel does not support NFS server functionality or the <B>nfsd</B>
process is not running:
<PRE>   
   # <B>cp -p modload/libafs64.nonfs.o /kernel/fs/sparcv9/afs</B>
   
</PRE>
<P><LI>Run the AFS initialization script to load AFS modifications into the
kernel. You can ignore any error messages about the inability to start
the BOS Server or the Cache Manager or AFS client.
<PRE>   
   # <B>/etc/init.d/afs start</B>   
</PRE> 
<P>When an entry called <TT>afs</TT> does not already exist in the local
<B>/etc/name_to_sysnum</B> file, the script automatically creates it and
reboots the machine to start using the new version of the file. If this
happens, log in again as the superuser <B>root</B> after the reboot and
run the initialization script again. This time the required entry
exists in the <B>/etc/name_to_sysnum</B> file, and the <B>modload</B>
program runs. 
<PRE>   
   login: <B>root</B>
   Password: <VAR>root_password</VAR>
   
   # <B>/etc/init.d/afs start</B>
   
</PRE>
</OL>
<A NAME="IDX2346"></A>
<A NAME="IDX2347"></A>
<A NAME="IDX2348"></A>
<A NAME="IDX2349"></A>
<P><H3><A NAME="HDRWQ47" HREF="auqbg002.htm#ToC_60">Configuring the AFS-modified fsck Program on Solaris Systems</A></H3>
<P>In this section, you make modifications to guarantee that the
appropriate <B>fsck</B> program runs on AFS server partitions. The
<B>fsck</B> program provided with the operating system must never run on
AFS server partitions. Because it does not recognize the structures
that the File Server uses to organize volume data, it removes all of the
data. To repeat:
<P><B>Never run the standard fsck program on AFS server partitions.
It discards AFS volumes.</B>
<OL TYPE=1>
<P><LI>Create the <B>/usr/lib/fs/afs</B> directory to house the AFS-modified
<B>fsck</B> program and related files. 
<PRE>  
   # <B>mkdir /usr/lib/fs/afs</B>
   
   # <B>cd /usr/lib/fs/afs</B>  
  
</PRE>
<P><LI>Copy the <B>vfsck</B> binary to the newly created directory, changing
the name as you do so. 
<PRE>   
   # <B>cp  /cdrom/sun4x_56/root.server/etc/vfsck  fsck</B>
  
</PRE>
<P><LI>Working in the <B>/usr/lib/fs/afs</B> directory, create the following
links to Solaris libraries: 
<PRE>  
   # <B>ln -s /usr/lib/fs/ufs/clri</B>  
   # <B>ln -s /usr/lib/fs/ufs/df</B>
   # <B>ln -s /usr/lib/fs/ufs/edquota</B>
   # <B>ln -s /usr/lib/fs/ufs/ff</B>
   # <B>ln -s /usr/lib/fs/ufs/fsdb</B>  
   # <B>ln -s /usr/lib/fs/ufs/fsirand</B>
   # <B>ln -s /usr/lib/fs/ufs/fstyp</B>
   # <B>ln -s /usr/lib/fs/ufs/labelit</B>
   # <B>ln -s /usr/lib/fs/ufs/lockfs</B>
   # <B>ln -s /usr/lib/fs/ufs/mkfs</B>  
   # <B>ln -s /usr/lib/fs/ufs/mount</B>
   # <B>ln -s /usr/lib/fs/ufs/ncheck</B>
   # <B>ln -s /usr/lib/fs/ufs/newfs</B>
   # <B>ln -s /usr/lib/fs/ufs/quot</B>
   # <B>ln -s /usr/lib/fs/ufs/quota</B>
   # <B>ln -s /usr/lib/fs/ufs/quotaoff</B>
   # <B>ln -s /usr/lib/fs/ufs/quotaon</B>
   # <B>ln -s /usr/lib/fs/ufs/repquota</B>
   # <B>ln -s /usr/lib/fs/ufs/tunefs</B>
   # <B>ln -s /usr/lib/fs/ufs/ufsdump</B>
   # <B>ln -s /usr/lib/fs/ufs/ufsrestore</B>
   # <B>ln -s /usr/lib/fs/ufs/volcopy</B>
   
</PRE>
<P><LI>Append the following line to the end of the file
<B>/etc/dfs/fstypes</B>. 
<PRE>  
   afs AFS Utilities
  
</PRE>
<P><LI>Edit the <B>/sbin/mountall</B> file, making two changes. 
<UL>
<P><LI>Add an entry for AFS to the <TT>case</TT> statement for option 2, so
that it reads as follows:
<PRE>  
   case "$2" in
   ufs)    foptions="-o p"
           ;;
   afs)    foptions="-o p"
           ;;
   s5)     foptions="-y -t /var/tmp/tmp$$ -D"
           ;;
   *)      foptions="-y"
           ;;
  
</PRE>
<P><LI>Edit the file so that all AFS and UFS partitions are checked in
parallel. Replace the following section of code:
<PRE>  
   # For  fsck purposes, we make a distinction between ufs and
   # other file systems
   #
   if [ "$fstype" = "ufs" ]; then
        ufs_fscklist="$ufs_fscklist $fsckdev"
        saveentry $fstype "$OPTIONS" $special $mountp
        continue
   fi  
</PRE> 
<P>with the following section of code:
<PRE>  
   # For fsck purposes, we make a distinction between ufs/afs
   # and other file systems.
   #
   if [ "$fstype" = "ufs" -o "$fstype" = "afs" ]; then
        ufs_fscklist="$ufs_fscklist $fsckdev"
        saveentry $fstype "$OPTIONS" $special $mountp
        continue
   fi
  
</PRE>
</UL>
</OL>
<A NAME="IDX2350"></A>
<A NAME="IDX2351"></A>
<A NAME="IDX2352"></A>
<A NAME="IDX2353"></A>
<P><H3><A NAME="HDRWQ48" HREF="auqbg002.htm#ToC_61">Configuring Server Partitions on Solaris Systems</A></H3>
<P>Every AFS file server machine must have at least one
partition or logical volume dedicated to storing AFS volumes. Each
server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
where <VAR>xx</VAR> is one or two lowercase letters. The
<B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
machine's root directory, not in one of its subdirectories (for example,
<B>/usr/vicepa</B> is not an acceptable directory location). For
additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
<OL TYPE=1>
<P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
partition you are configuring (there must be at least one). Repeat the
command for each partition.
<PRE>   
   # <B>mkdir /vicep</B><VAR>xx</VAR>
   
</PRE>
<P><LI>Add a line with the following format to the file systems registry file,
<B>/etc/vfstab</B>, for each partition to be mounted on a directory
created in the previous step. Note the value <TT>afs</TT> in the
fourth field, which tells Solaris to use the AFS-modified <B>fsck</B>
program on this partition.
<PRE>   
   /dev/dsk/<VAR>disk</VAR>   /dev/rdsk/<VAR>disk</VAR>   /vicep<VAR>xx</VAR>   afs   <VAR>boot_order</VAR>  yes  
</PRE> 
<P>The following is an example for the first partition being
configured.
<PRE>  
   /dev/dsk/c0t6d0s1 /dev/rdsk/c0t6d0s1 /vicepa afs 3 yes
  
</PRE>
<P><LI>Create a file system on each partition that is to be mounted at a
<B>/vicep</B><VAR>xx</VAR> directory. The following command is
probably appropriate, but consult the Solaris documentation for more
information. 
<PRE>  
   # <B>newfs -v /dev/rdsk/</B><VAR>disk</VAR>
  
</PRE>
<P><LI>Issue the <B>mountall</B> command to mount all partitions at
once.
<P><LI>If you plan to retain client functionality on this machine after
completing the installation, proceed to <A HREF="#HDRWQ49">Enabling AFS Login and Editing the File Systems Clean-up Script on Solaris Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</OL>
<A NAME="IDX2354"></A>
<A NAME="IDX2355"></A>
<A NAME="IDX2356"></A>
<A NAME="IDX2357"></A>
<A NAME="IDX2358"></A>
<A NAME="IDX2359"></A>
<A NAME="IDX2360"></A>
<A NAME="IDX2361"></A>
<P><H3><A NAME="HDRWQ49" HREF="auqbg002.htm#ToC_62">Enabling AFS Login and Editing the File Systems Clean-up Script on Solaris Systems</A></H3>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
</TD></TR></TABLE>
<P>At this point you incorporate AFS into the operating system's
Pluggable Authentication Module (PAM) scheme. PAM integrates all
authentication mechanisms on the machine, including login, to provide the
security infrastructure for authenticated access to and from the
machine.
<P>Explaining PAM is beyond the scope of this document. It is assumed
that you understand the syntax and meanings of settings in the PAM
configuration file (for example, how the <TT>other</TT> entry works, the
effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
<TT>sufficient</TT>, and so on).
<P>The following instructions explain how to alter the entries in the PAM
configuration file for each service for which you wish to use AFS
authentication. Other configurations possibly also work, but the
instructions specify the recommended and tested configuration.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">The instructions specify that you mark each entry as
<TT>optional</TT>. However, marking some modules as optional can mean
that they grant access to the corresponding service even when the user does
not meet all of the module's requirements. In some operating
system revisions, for example, if you mark as optional the module that
controls login via a dial-up connection, it allows users to login without
providing a password. See the <I>IBM AFS Release Notes</I> for a
discussion of any limitations that apply to this operating system. 
<P>Also, with some operating system versions you must install patches for PAM
to interact correctly with certain authentication programs. For
details, see the <I>IBM AFS Release Notes</I>.
</TD></TR></TABLE>
<P>The recommended AFS-related entries in the PAM configuration file make use
of one or more of the following three attributes.
<DL>
<P><DT><B><TT>try_first_pass</TT>
</B><DD>This is a standard PAM attribute that can be included on entries after the
first one for a service; it directs the module to use the password that
was provided to the first module. For the AFS module, it means that AFS
authentication succeeds if the password provided to the module listed first is
the user's correct AFS password. For further discussion of this
attribute and its alternatives, see the operating system's PAM
documentation.
<P><DT><B><TT>ignore_root</TT>
</B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
only the local superuser <B> root</B>, but also any user with UID 0
(zero).
<P><DT><B><TT>setenv_password_expires</TT>
</B><DD>This attribute, specific to the AFS PAM module, sets the environment
variable PASSWORD_EXPIRES to the expiration date of the user's AFS
password, which is recorded in the Authentication Database.
</DL>
<P>Perform the following steps to enable AFS login.
<OL TYPE=1>
<P><LI>Mount the AFS CD-ROM for Solaris on the <B>/cdrom</B> directory, if it
is not already. Then change directory as indicated. 
<PRE>  
   # <B>cd /usr/lib/security</B>
   
</PRE>
<P><LI>Copy the AFS authentication library file to the
<B>/usr/lib/security</B> directory. Then create a symbolic link to
it whose name does not mention the version. Omitting the version
eliminates the need to edit the PAM configuration file if you later update the
library file. 
<P>If you use the AFS Authentication Server (<B>kaserver</B>
process): 
<PRE>  
   #<B> cp /cdrom/sun4x_56/lib/pam_afs.so.1 .</B>
  
   # <B>ln -s pam_afs.so.1 pam_afs.so</B>   
</PRE> 
<P>If you use a Kerberos implementation of AFS authentication:
<PRE>     
   # <B>cp /cdrom/sun4x_56/lib/pam_afs.krb.so.1 .</B>
  
   # <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>
   
</PRE>
<P><LI>Edit the <TT>Authentication management</TT> section of the Solaris PAM
configuration file, <B>/etc/pam.conf</B> by convention. The
entries in this section have the value <TT>auth</TT> in their second
field. 
<P>First edit the standard entries, which refer to the Solaris PAM module
(usually, the file <B>/usr/lib/security/pam_unix.so.1</B>)
in their fourth field. For each service for which you want to use AFS
authentication, edit the third field of its entry to read
<TT>optional</TT>. The <B>pam.conf</B> file in the Solaris
distribution usually includes standard entries for the <B>login</B>,
<B>rlogin</B>, and <B>rsh</B> services, for instance. 
<P>If there are services for which you want to use AFS authentication, but for
which the <B>pam.conf</B> file does not already include a standard
entry, you must create that entry and place the value <TT>optional</TT> in
its third field. For instance, the Solaris <B>pam.conf</B>
file does not usually include standard entries for the <B>ftp</B> or
<B>telnet</B> services. 
<P>Then create an AFS-related entry for each service, placing it immediately
below the standard entry. The following example shows what the
<TT>Authentication Management</TT> section looks like after you have you
edited or created entries for the services mentioned previously. Note
that the example AFS entries appear on two lines only for legibility.
<PRE>  
   login   auth  optional  /usr/lib/security/pam_unix.so.1
   login   auth  optional  /usr/lib/security/pam_afs.so       \
         try_first_pass  ignore_root  setenv_password_expires
   rlogin  auth  optional  /usr/lib/security/pam_unix.so.1
   rlogin  auth  optional  /usr/lib/security/pam_afs.so       \
         try_first_pass  ignore_root  setenv_password_expires
   rsh     auth  optional  /usr/lib/security/pam_unix.so.1
   rsh     auth  optional  /usr/lib/security/pam_afs.so       \
         try_first_pass  ignore_root            
   ftp     auth  optional  /usr/lib/security/pam_unix.so.1
   ftp     auth  optional  /usr/lib/security/pam_afs.so       \
         try_first_pass  ignore_root
   telnet  auth  optional  /usr/lib/security/pam_unix.so.1
   telnet  auth  optional  /usr/lib/security/pam_afs.so       \
         try_first_pass  ignore_root  setenv_password_expires
   
</PRE>
<P><LI>If you use the Common Desktop Environment (CDE) on the machine and want
users to obtain an AFS token as they log in, also add or edit the following
four entries in the <TT>Authentication management</TT> section. Note
that the AFS-related entries appear on two lines here only for
legibility. 
<PRE>   
   dtlogin   auth  optional  /usr/lib/security/pam_unix.so.1
   dtlogin   auth  optional  /usr/lib/security/pam_afs.so     \
         try_first_pass  ignore_root
   dtsession  auth  optional /usr/lib/security/pam_unix.so.1
   dtsession  auth  optional /usr/lib/security/pam_afs.so     \
         try_first_pass  ignore_root
   
</PRE>
<P><LI>Some Solaris distributions include a script that locates and removes
unneeded files from various file systems. Its conventional location is
<B>/usr/lib/fs/nfs/nfsfind</B>. The script generally uses an
argument to the <B>find</B> command to define which file systems to
search. In this step you modify the command to exclude the
<B>/afs</B> directory. Otherwise, the command traverses the AFS
filespace of every cell that is accessible from the machine, which can take
many hours. The following alterations are possibilities, but you must
verify that they are appropriate for your cell. 
<P>The first possible alteration is to add the <B>-local</B> flag to the
existing command, so that it looks like the following:
<PRE>  
   find $dir -local -name .nfs\* -mtime +7 -mount -exec rm -f {} \;   
</PRE> 
<P>Another alternative is to exclude any directories whose names begin with
the lowercase letter <B>a</B> or a non-alphabetic character.
<PRE>  
   find /[A-Zb-z]*  <VAR>remainder of existing command</VAR>   
</PRE> 
<P>Do not use the following command, which still searches under the
<B>/afs</B> directory, looking for a subdirectory of type
<B>4.2</B>. 
<PRE>  
   find / -fstype 4.2     /* <VAR>do not use</VAR> */
   
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
</OL>
<A NAME="IDX2362"></A>
<A NAME="IDX2363"></A>
<A NAME="IDX2364"></A>
<A NAME="IDX2365"></A>
<A NAME="IDX2366"></A>
<A NAME="IDX2367"></A>
<A NAME="IDX2368"></A>
<HR><H2><A NAME="HDRWQ50" HREF="auqbg002.htm#ToC_63">Starting the BOS Server</A></H2>
<P>You are now ready to start the AFS server processes on this
machine. Begin by copying the AFS server binaries from the CD-ROM to
the conventional local disk location, the <B>/usr/afs/bin</B>
directory. The following instructions also create files in other
subdirectories of the <B>/usr/afs</B> directory.
<P>Then issue the <B>bosserver</B> command to initialize the Basic
OverSeer (BOS) Server, which monitors and controls other AFS server processes
on its server machine. Include the <B>-noauth</B> flag to disable
authorization checking. Because you have not yet configured your
cell's AFS authentication and authorization mechanisms, the BOS Server
cannot perform authorization checking as it does during normal
operation. In no-authorization mode, it does not verify the identity or
privilege of the issuer of a <B>bos</B> command, and so performs any
operation for anyone.
<P>Disabling authorization checking gravely compromises cell security.
You must complete all subsequent steps in one uninterrupted pass and must not
leave the machine unattended until you restart the BOS Server with
authorization checking enabled, in <A HREF="#HDRWQ72">Verifying the AFS Initialization Script</A>.
<P>As it initializes for the first time, the BOS Server creates the following
directories and files, setting the owner to the local superuser
<B>root</B> and the mode bits to limit the ability to write (and in some
cases, read) them. For a description of the contents and function of
these directories and files, see the chapter in the <I>IBM AFS
Administration Guide</I> about administering server machines. For
further discussion of the mode bit settings, see <A HREF="#HDRWQ96">Protecting Sensitive AFS Directories</A>.
<A NAME="IDX2369"></A>
<A NAME="IDX2370"></A>
<A NAME="IDX2371"></A>
<A NAME="IDX2372"></A>
<A NAME="IDX2373"></A>
<A NAME="IDX2374"></A>
<A NAME="IDX2375"></A>
<A NAME="IDX2376"></A>
<A NAME="IDX2377"></A>
<A NAME="IDX2378"></A>
<A NAME="IDX2379"></A>
<UL>
<P><LI><B>/usr/afs/db</B>
<P><LI><B>/usr/afs/etc/CellServDB</B>
<P><LI><B>/usr/afs/etc/ThisCell</B>
<P><LI><B>/usr/afs/local</B>
<P><LI><B>/usr/afs/logs</B>
</UL>
<P>The BOS Server also creates symbolic links called
<B>/usr/vice/etc/ThisCell</B> and <B>/usr/vice/etc/CellServDB</B> to
the corresponding files in the <B>/usr/afs/etc</B> directory. The
AFS command interpreters consult the <B>CellServDB</B> and
<B>ThisCell</B> files in the <B>/usr/vice/etc</B> directory because
they generally run on client machines. On machines that are AFS servers
only (as this machine currently is), the files reside only in the
<B>/usr/afs/etc</B> directory; the links enable the command
interpreters to retrieve the information they need. Later instructions
for installing the client functionality replace the links with actual
files.
<OL TYPE=1>
<P><LI>On the local <B>/cdrom</B> directory, mount the AFS CD-ROM for this
machine's system type, if it is not already. For instructions on
mounting CD-ROMs (either locally or remotely via NFS), consult the operating
system documentation.
<P><LI>Copy files from the CD-ROM to the local <B>/usr/afs</B>
directory.
<PRE>   
   # <B>cd /cdrom/</B><VAR>sysname</VAR><B>/root.server/usr/afs</B>
   
   # <B>cp -rp  *  /usr/afs</B>
   
</PRE>
<A NAME="IDX2380"></A>
<A NAME="IDX2381"></A>
<P><LI>Issue the <B>bosserver</B> command. Include the
<B>-noauth</B> flag to disable authorization checking. 
<PRE>   
   # <B>/usr/afs/bin/bosserver -noauth &amp;</B>
   
</PRE>
<P><LI>Verify that the BOS Server created <B>/usr/vice/etc/ThisCell</B> and
<B>/usr/vice/etc/CellServDB</B> as symbolic links to the corresponding
files in the <B>/usr/afs/etc</B> directory. 
<PRE>   
   # <B>ls -l  /usr/vice/etc</B>
</PRE> 
<P>If either or both of <B>/usr/vice/etc/ThisCell</B> and
<B>/usr/vice/etc/CellServDB</B> do not exist, or are not links, issue the
following commands.
<PRE>   
   # <B>cd /usr/vice/etc</B>
   
   # <B>ln -s /usr/afs/etc/ThisCell</B>
   
   # <B>ln -s /usr/afs/etc/CellServDB</B> 
    
</PRE>
</OL>
<A NAME="IDX2382"></A>
<A NAME="IDX2383"></A>
<A NAME="IDX2384"></A>
<A NAME="IDX2385"></A>
<A NAME="IDX2386"></A>
<A NAME="IDX2387"></A>
<A NAME="IDX2388"></A>
<A NAME="IDX2389"></A>
<A NAME="IDX2390"></A>
<A NAME="IDX2391"></A>
<A NAME="IDX2392"></A>
<A NAME="IDX2393"></A>
<A NAME="IDX2394"></A>
<A NAME="IDX2395"></A>
<A NAME="IDX2396"></A>
<A NAME="IDX2397"></A>
<A NAME="IDX2398"></A>
<HR><H2><A NAME="HDRWQ51" HREF="auqbg002.htm#ToC_64">Defining Cell Name and Membership for Server Processes</A></H2>
<P>Now assign your cell's name. The chapter in the
<I>IBM AFS Administration Guide</I> about cell configuration and
administration issues discusses the important considerations, explains why
changing the name is difficult, and outlines the restrictions on name
format. Two of the most important restrictions are that the name cannot
include uppercase letters or more than 64 characters.
<P>Use the <B>bos setcellname</B> command to assign the cell name.
It creates two files:
<UL>
<P><LI><B>/usr/afs/etc/ThisCell</B>, which defines this machine's cell
membership
<P><LI><B>/usr/afs/etc/CellServDB</B>, which lists the cell's database
server machines; the machine named on the command line is placed on the
list automatically
</UL>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">In the following and every instruction in this guide, for the
<VAR>machine&nbsp;name</VAR> argument substitute the fully-qualified hostname
(such as <B>fs1.abc.com</B>) of the machine you are
installing. For the <VAR>cell&nbsp;name</VAR> argument substitute your
cell's complete name (such as <B>abc.com</B>).
</TD></TR></TABLE>
<A NAME="IDX2399"></A>
<A NAME="IDX2400"></A>
<OL TYPE=1>
<P><LI>Issue the <B>bos setcellname</B> command to set the cell name. 
<PRE>   
   # <B>cd /usr/afs/bin</B>
      
   # <B>./bos setcellname</B> &lt;<VAR>machine&nbsp;name</VAR>> &lt;<VAR>cell&nbsp;name</VAR>> <B>-noauth</B>
</PRE> 
<P>Because you are not authenticated and authorization checking is disabled,
the <B>bos</B> command interpreter possibly produces error messages about
being unable to obtain tickets and running unauthenticated. You can
safely ignore the messages.
<A NAME="IDX2401"></A>
<A NAME="IDX2402"></A>
<A NAME="IDX2403"></A>
<A NAME="IDX2404"></A>
<P><LI>Issue the <B>bos listhosts</B> command to verify that the machine you
are installing is now registered as the cell's first database server
machine. 
<PRE>   
   # <B>./bos listhosts</B> &lt;<VAR>machine&nbsp;name</VAR>> <B>-noauth</B>
   Cell name is <VAR>cell_name</VAR>
       Host 1 is <VAR>machine_name</VAR>
   
</PRE>
</OL>
<A NAME="IDX2405"></A>
<A NAME="IDX2406"></A>
<A NAME="IDX2407"></A>
<A NAME="IDX2408"></A>
<A NAME="IDX2409"></A>
<A NAME="IDX2410"></A>
<A NAME="IDX2411"></A>
<A NAME="IDX2412"></A>
<A NAME="IDX2413"></A>
<A NAME="IDX2414"></A>
<A NAME="IDX2415"></A>
<A NAME="IDX2416"></A>
<A NAME="IDX2417"></A>
<A NAME="IDX2418"></A>
<A NAME="IDX2419"></A>
<A NAME="IDX2420"></A>
<A NAME="IDX2421"></A>
<A NAME="IDX2422"></A>
<A NAME="IDX2423"></A>
<A NAME="IDX2424"></A>
<A NAME="IDX2425"></A>
<A NAME="IDX2426"></A>
<A NAME="IDX2427"></A>
<A NAME="IDX2428"></A>
<A NAME="IDX2429"></A>
<HR><H2><A NAME="HDRWQ52" HREF="auqbg002.htm#ToC_65">Starting the Database Server Processes</A></H2>
<P>Next use the <B>bos create</B> command to create entries
for the four database server processes in the
<B>/usr/afs/local/BosConfig</B> file and start them running. The
four processes run on database server machines only:
<UL>
<P><LI>The Authentication Server (the <B>kaserver</B> process) maintains the
Authentication Database
<P><LI>The Backup Server (the <B>buserver</B> process) maintains the Backup
Database
<P><LI>The Protection Server (the <B>ptserver</B> process) maintains the
Protection Database
<P><LI>The Volume Location (VL) Server (the <B>vlserver</B> process)
maintains the Volume Location Database (VLDB)
</UL>
<A NAME="IDX2430"></A>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">AFS's authentication and authorization software is based on algorithms
and other procedures known as <I>Kerberos</I>, as originally developed by
Project Athena at the Massachusetts Institute of Technology. Some cells
choose to replace the AFS Authentication Server and other security-related
protocols with Kerberos as obtained directly from Project Athena or other
sources. If you wish to do this, contact the AFS Product Support group
now to learn about necessary modifications to the installation.
</TD></TR></TABLE>
<P>The remaining instructions in this chapter include the <B>-cell</B>
argument on all applicable commands. Provide the cell name you assigned
in <A HREF="#HDRWQ51">Defining Cell Name and Membership for Server Processes</A>. If a command appears on multiple lines, it is only
for legibility.
<A NAME="IDX2431"></A>
<A NAME="IDX2432"></A>
<OL TYPE=1>
<P><LI>Issue the <B>bos create</B> command to start the Authentication
Server. The current working directory is still
<B>/usr/afs/bin</B>. 
<PRE>   
   # <B>./bos create</B> &lt;<VAR>machine&nbsp;name</VAR>> <B>kaserver simple /usr/afs/bin/kaserver</B>  \
<B>                  -cell</B> &lt;<VAR>cell&nbsp;name</VAR>>  <B>-noauth</B>   
</PRE> 
<P>You can safely ignore the messages that tell you to add Kerberos to the
<B>/etc/services</B> file; AFS uses a default value that makes the
addition unnecessary. You can also ignore messages about the failure of
authentication.
<P><LI>Issue the <B>bos create</B> command to start the Backup Server.
<PRE>   
   # <B>./bos create</B> &lt;<VAR>machine&nbsp;name</VAR>> <B>buserver simple /usr/afs/bin/buserver</B>  \
<B>                  -cell</B> &lt;<VAR>cell&nbsp;name</VAR>>  <B>-noauth</B>
   
</PRE>
<P><LI>Issue the <B>bos create</B> command to start the Protection
Server. 
<PRE>   
   # <B>./bos create</B> &lt;<VAR>machine&nbsp;name</VAR>> <B>ptserver simple /usr/afs/bin/ptserver</B>  \
<B>                  -cell</B> &lt;<VAR>cell&nbsp;name</VAR>>  <B>-noauth</B>
   
</PRE>
<P><LI>Issue the <B>bos create</B> command to start the VL Server. 
<PRE>   
   # <B>./bos create</B> &lt;<VAR>machine&nbsp;name</VAR>> <B>vlserver simple /usr/afs/bin/vlserver</B>  \
<B>                  -cell</B> &lt;<VAR>cell&nbsp;name</VAR>>  <B>-noauth</B>
   
</PRE>
</OL>
<A NAME="IDX2433"></A>
<A NAME="IDX2434"></A>
<A NAME="IDX2435"></A>
<A NAME="IDX2436"></A>
<A NAME="IDX2437"></A>
<A NAME="IDX2438"></A>
<A NAME="IDX2439"></A>
<A NAME="IDX2440"></A>
<A NAME="IDX2441"></A>
<A NAME="IDX2442"></A>
<A NAME="IDX2443"></A>
<A NAME="IDX2444"></A>
<A NAME="IDX2445"></A>
<HR><H2><A NAME="HDRWQ53" HREF="auqbg002.htm#ToC_66">Initializing Cell Security</A></H2>
<P>Now initialize the cell's security mechanisms.
Begin by creating the following two initial entries in the Authentication
Database:
<UL>
<P><LI>A generic administrative account, called <B>admin</B> by
convention. If you choose to assign a different name, substitute it
throughout the remainder of this document. 
<P>After you complete the installation of the first machine, you can continue
to have all administrators use the <B>admin</B> account, or you can create
a separate administrative account for each of them. The latter scheme
implies somewhat more overhead, but provides a more informative audit trail
for administrative operations.
<P><LI>The entry for AFS server processes, called <B>afs</B>. No user
logs in under this identity, but the Authentication Server's Ticket
Granting Service (TGS) module uses the associated key to encrypt the server
tickets that it grants to AFS clients for presentation to server processes
during mutual authentication. (The chapter in the <I>IBM AFS
Administration Guide</I> about cell configuration and administration
describes the role of server encryption keys in mutual authentication.)
<P>In Step <A HREF="#LIWQ58">7</A>, you also place the initial AFS server encryption key into
the <B>/usr/afs/etc/KeyFile</B> file. The AFS server processes
refer to this file to learn the server encryption key when they need to
decrypt server tickets.
</UL>
<P>You also issue several commands that enable the new <B>admin</B> user
to issue privileged commands in all of the AFS suites.
<P>The following instructions do not configure all of the security mechanisms
related to the AFS Backup System. See the chapter in the <I>IBM AFS
Administration Guide</I> about configuring the Backup System.
<OL TYPE=1>
<A NAME="IDX2446"></A>
<A NAME="IDX2447"></A>
<A NAME="IDX2448"></A>
<P><LI>Enter <B>kas</B> interactive mode. Because the machine is in
no-authorization checking mode, include the <B>-noauth</B> flag to
suppress the Authentication Server's usual prompt for a password.
<PRE>   
   # <B>kas  -cell</B> &lt;<VAR>cell&nbsp;name</VAR>> <B>-noauth</B> 
   ka>
  
</PRE>
<A NAME="IDX2449"></A>
<A NAME="IDX2450"></A>
<A NAME="IDX2451"></A>
<A NAME="IDX2452"></A>
<P><LI><A NAME="LIWQ54"></A>Issue the <B>kas create</B> command to create Authentication
Database entries called <B>admin</B> and <B>afs</B>. 
<P>Do not provide passwords on the command line. Instead provide them
as <VAR>afs_passwd</VAR> and <VAR>admin_passwd</VAR> in response to the
<B>kas</B> command interpreter's prompts as shown, so that they do
not appear on the standard output stream.
<P>You need to enter the <VAR>afs_passwd</VAR> string only in this step and in
Step <A HREF="#LIWQ58">7</A>, so provide a value that is as long and complex as possible,
preferably including numerals, punctuation characters, and both uppercase and
lowercase letters. Also make the <VAR>admin_passwd</VAR> as long and
complex as possible, but keep in mind that administrators need to enter it
often. Both passwords must be at least six characters long.
<PRE>   
   ka> <B>create afs</B> 
   initial_password:  <VAR>afs_passwd</VAR>
   Verifying, please re-enter initial_password: <VAR>afs_passwd</VAR>
    
   ka> <B>create admin</B>
   initial_password: <VAR>admin_passwd</VAR>
   Verifying, please re-enter initial_password: <VAR>admin_passwd</VAR>
   
</PRE>
<A NAME="IDX2453"></A>
<A NAME="IDX2454"></A>
<A NAME="IDX2455"></A>
<P><LI><A NAME="LIWQ55"></A>Issue the <B>kas examine</B> command to display the
<B>afs</B> entry. The output includes a checksum generated by
encrypting a constant with the server encryption key derived from the
<VAR>afs_passwd</VAR> string. In Step <A HREF="#LIWQ59">8</A> you issue the <B>bos listkeys</B> command to verify
that the checksum in its output matches the checksum in this output.
<PRE>   
   ka> <B>examine afs</B>
   User data for afs
    key (0) cksum is <VAR>checksum</VAR> . . .
   
</PRE>
<A NAME="IDX2456"></A>
<A NAME="IDX2457"></A>
<A NAME="IDX2458"></A>
<P><LI><A NAME="LIWQ56"></A>Issue the <B>kas setfields</B> command to turn on the
<TT>ADMIN</TT> flag in the <B>admin</B> entry. This enables the
<B>admin</B> user to issue privileged <B>kas</B> commands. Then
issue the <B> kas examine</B> command to verify that the <TT>ADMIN</TT>
flag appears in parentheses on the first line of the output, as shown in the
example.
<PRE>   
   ka> <B>setfields admin -flags admin</B>
   
   ka> <B>examine admin </B>
   User data for admin (ADMIN) . . .
     
</PRE>
<A NAME="IDX2459"></A>
<A NAME="IDX2460"></A>
<A NAME="IDX2461"></A>
<P><LI>Issue the <B>kas quit</B> command to leave <B>kas</B> interactive
mode.
<PRE>   
   ka> <B>quit</B>
   
</PRE>
<A NAME="IDX2462"></A>
<A NAME="IDX2463"></A>
<A NAME="IDX2464"></A>
<A NAME="IDX2465"></A>
<A NAME="IDX2466"></A>
<A NAME="IDX2467"></A>
<A NAME="IDX2468"></A>
<P><LI><A NAME="LIWQ57"></A>Issue the <B>bos adduser</B> command to add the
<B>admin</B> user to the <B>/usr/afs/etc/UserList</B> file.
This enables the <B>admin</B> user to issue privileged <B>bos</B> and
<B>vos</B> commands. 
<PRE>   
   # <B>./bos adduser</B> &lt;<VAR>machine&nbsp;name</VAR>> <B>admin -cell</B> &lt;<VAR>cell&nbsp;name</VAR>> <B>-noauth</B>
   
</PRE>
<A NAME="IDX2469"></A>
<A NAME="IDX2470"></A>
<A NAME="IDX2471"></A>
<A NAME="IDX2472"></A>
<P><LI><A NAME="LIWQ58"></A>Issue the <B>bos addkey</B> command to define the AFS server
encryption key in the <B>/usr/afs/etc/KeyFile</B> file. 
<P>Do not provide the password on the command line. Instead provide it
as <VAR>afs_passwd</VAR> in response to the <B>bos</B> command
interpreter's prompts, as shown. Provide the same string as in
Step <A HREF="#LIWQ54">2</A>.
<PRE>   
   # <B>./bos addkey</B> &lt;<VAR>machine&nbsp;name</VAR>> <B>-kvno 0 -cell</B> &lt;<VAR>cell&nbsp;name</VAR>>  <B>-noauth</B>
   Input key: <VAR>afs_passwd</VAR>
   Retype input key: <VAR>afs_passwd</VAR>
   
</PRE>
<A NAME="IDX2473"></A>
<A NAME="IDX2474"></A>
<A NAME="IDX2475"></A>
<P><LI><A NAME="LIWQ59"></A>Issue the <B>bos listkeys</B> command to verify that the
checksum for the new key in the <B>KeyFile</B> file is the same as the
checksum for the key in the Authentication Database's <B>afs</B>
entry, which you displayed in Step <A HREF="#LIWQ55">3</A>. 
<PRE>   
   # <B>./bos listkeys</B> &lt;<VAR>machine&nbsp;name</VAR>> <B>-cell</B> &lt;<VAR>cell&nbsp;name</VAR>> <B>-noauth</B>
   key 0 has cksum <VAR>checksum</VAR>    
</PRE> 
<P>You can safely ignore any error messages indicating that <B>bos</B>
failed to get tickets or that authentication failed.
<P>If the keys are different, issue the following commands, making sure that
the <VAR>afs_passwd</VAR> string is the same in each case. The
<VAR>checksum</VAR> strings reported by the <B>kas examine</B> and <B>bos
listkeys</B> commands must match; if they do not, repeat these
instructions until they do, using the <B>-kvno</B> argument to increment
the key version number each time.
<PRE>   
   # <B>./kas  -cell</B> &lt;<VAR>cell&nbsp;name</VAR>> <B>-noauth</B> 
       
   ka> <B>setpassword afs -kvno 1</B> 
   new_password: <VAR>afs_passwd</VAR>
   Verifying, please re-enter initial_password: <VAR>afs_passwd</VAR>
   
   ka> <B>examine afs</B>
   User data for afs
    key (1) cksum is <VAR>checksum</VAR> . . .
  
   ka> <B>quit</B>
  
   # <B>./bos addkey</B> &lt;<VAR>machine&nbsp;name</VAR>> <B>-kvno 1 -cell</B> &lt;<VAR>cell&nbsp;name</VAR>> <B>-noauth</B> 
   Input key: <VAR>afs_passwd</VAR>
   Retype input key: <VAR>afs_passwd</VAR>
   
   # <B>./bos listkeys</B> &lt;<VAR>machine&nbsp;name</VAR>> <B>-cell</B> &lt;<VAR>cell&nbsp;name</VAR>> <B>-noauth</B>
   key 1 has cksum <VAR>checksum</VAR>
   
</PRE>
<A NAME="IDX2476"></A>
<A NAME="IDX2477"></A>
<A NAME="IDX2478"></A>
<P><LI>Issue the <B>pts createuser</B> command to create a Protection
Database entry for the <B>admin</B> user. 
<P>By default, the Protection Server assigns AFS UID 1 (one) to the
<B>admin</B> user, because it is the first user entry you are
creating. If the local password file (<B>/etc/passwd</B> or
equivalent) already has an entry for <B>admin</B> that assigns it a UNIX
UID other than 1, it is best to use the <B>-id</B> argument to the
<B>pts createuser</B> command to make the new AFS UID match the existing
UNIX UID. Otherwise, it is best to accept the default. 
<PRE>   
   # <B>./pts createuser -name admin -cell</B> &lt;<VAR>cell&nbsp;name</VAR>> [<B>-id</B> &lt;<VAR>AFS&nbsp;UID</VAR>>]  <B>-noauth</B>
   User admin has id <VAR>AFS&nbsp;UID</VAR>
   
</PRE>
<A NAME="IDX2479"></A>
<A NAME="IDX2480"></A>
<A NAME="IDX2481"></A>
<A NAME="IDX2482"></A>
<P><LI>Issue the <B>pts adduser</B> command to make the <B>admin</B> user
a member of the <B>system:administrators</B> group, and the <B>pts
membership</B> command to verify the new membership. Membership in
the group enables the <B>admin</B> user to issue privileged <B>pts</B>
commands and some privileged <B>fs</B> commands.
<PRE>   
   # <B>./pts adduser admin system:administrators -cell</B> &lt;<VAR>cell&nbsp;name</VAR>> <B>-noauth</B>
   
   # <B>./pts membership admin -cell</B>  &lt;<VAR>cell&nbsp;name</VAR>> <B>-noauth</B>
   Groups admin (id: 1) is a member of:
     system:administrators
   
</PRE>
<A NAME="IDX2483"></A>
<A NAME="IDX2484"></A>
<A NAME="IDX2485"></A>
<A NAME="IDX2486"></A>
<P><LI>Issue the <B>bos restart</B> command with the <B>-all</B> flag to
restart the database server processes, so that they start using the new server
encryption key. 
<PRE>   
   # <B>./bos restart</B> &lt;<VAR>machine&nbsp;name</VAR>> <B>-all -cell</B> &lt;<VAR>cell&nbsp;name</VAR>> <B>-noauth</B>
   
</PRE>
</OL>
<A NAME="IDX2487"></A>
<A NAME="IDX2488"></A>
<A NAME="IDX2489"></A>
<A NAME="IDX2490"></A>
<A NAME="IDX2491"></A>
<A NAME="IDX2492"></A>
<A NAME="IDX2493"></A>
<A NAME="IDX2494"></A>
<A NAME="IDX2495"></A>
<A NAME="IDX2496"></A>
<A NAME="IDX2497"></A>
<A NAME="IDX2498"></A>
<HR><H2><A NAME="HDRWQ60" HREF="auqbg002.htm#ToC_67">Starting the File Server, Volume Server, and Salvager</A></H2>
<P>Start the <B>fs</B> process, which consists of the File
Server, Volume Server, and Salvager (<B>fileserver</B>,
<B>volserver</B> and <B>salvager</B> processes).
<OL TYPE=1>
<P><LI>Issue the <B>bos create</B> command to start the <B>fs</B>
process. The command appears here on multiple lines only for
legibility.
<PRE>   
   # <B>./bos create</B>  &lt;<VAR>machine&nbsp;name</VAR>> <B>fs fs /usr/afs/bin/fileserver</B>   \
                   <B>/usr/afs/bin/volserver /usr/afs/bin/salvager</B>  \
                   <B>-cell</B> &lt;<VAR>cell&nbsp;name</VAR>>  <B>-noauth</B>   
</PRE> 
<P>Sometimes a message about Volume Location Database (VLDB) initialization
appears, along with one or more instances of an error message similar to the
following:
<PRE>   
   FSYNC_clientInit temporary failure (will retry)   
</PRE> 
<P>This message appears when the <B>volserver</B> process tries to start
before the <B>fileserver</B> process has completed its
initialization. Wait a few minutes after the last such message before
continuing, to guarantee that both processes have started successfully.
<A NAME="IDX2499"></A>
<A NAME="IDX2500"></A>
<P>You can verify that the <B>fs</B> process has started successfully by
issuing the <B>bos status</B> command. Its output mentions two
<TT>proc starts</TT>.
<PRE>  
   # <B>./bos status</B> &lt;<VAR>machine&nbsp;name</VAR>> <B>fs -long -noauth</B>
   
</PRE>
<P><LI>Your next action depends on whether you have ever run AFS file server
machines in the cell:
<UL>
<A NAME="IDX2501"></A>
<A NAME="IDX2502"></A>
<A NAME="IDX2503"></A>
<A NAME="IDX2504"></A>
<A NAME="IDX2505"></A>
<P><LI>If you are installing the first AFS server machine ever in the cell (that
is, you are not upgrading the AFS software from a previous version), create
the first AFS volume, <B>root.afs</B>.
<P>For the <VAR>partition&nbsp;name</VAR> argument, substitute the name of one of
the machine's AFS server partitions (such as <B>/vicepa</B>). 
<PRE>  
   # <B>./vos create</B>  &lt;<VAR>machine&nbsp;name</VAR>> &lt;<VAR>partition&nbsp;name</VAR>> <B>root.afs</B>   \
                   <B>-cell</B> &lt;<VAR>cell&nbsp;name</VAR>>  <B>-noauth</B>   
</PRE> 
<P>The Volume Server produces a message confirming that it created the volume
on the specified partition. You can ignore error messages indicating
that tokens are missing, or that authentication failed.
<A NAME="IDX2506"></A>
<A NAME="IDX2507"></A>
<A NAME="IDX2508"></A>
<A NAME="IDX2509"></A>
<P><LI>If there are existing AFS file server machines and volumes in the cell,
issue the <B>vos syncvldb</B> and <B>vos syncserv</B> commands to
synchronize the VLDB with the actual state of volumes on the local
machine. To follow the progress of the synchronization operation, which
can take several minutes, use the <B>-verbose</B> flag.
<PRE>  
   # <B>./vos syncvldb</B> &lt;<VAR>machine&nbsp;name</VAR>> <B>-cell</B> &lt;<VAR>cell&nbsp;name</VAR>> <B>-verbose  -noauth</B>
  
   # <B>./vos syncserv</B> &lt;<VAR>machine&nbsp;name</VAR>> <B>-cell</B> &lt;<VAR>cell&nbsp;name</VAR>> <B>-verbose  -noauth</B>   
</PRE> 
<P>You can ignore error messages indicating that tokens are missing, or that
authentication failed.
</UL>
</OL>
<A NAME="IDX2510"></A>
<A NAME="IDX2511"></A>
<A NAME="IDX2512"></A>
<A NAME="IDX2513"></A>
<A NAME="IDX2514"></A>
<A NAME="IDX2515"></A>
<A NAME="IDX2516"></A>
<A NAME="IDX2517"></A>
<HR><H2><A NAME="HDRWQ61" HREF="auqbg002.htm#ToC_68">Starting the Server Portion of the Update Server</A></H2>
<P>Start the server portion of the Update Server (the
<B>upserver</B> process), to distribute the contents of directories on
this machine to other server machines in the cell. It becomes active
when you configure the client portion of the Update Server on additional
server machines.
<P>Distributing the contents of its <B>/usr/afs/etc</B> directory makes
this machine the cell's <I>system control machine</I>. The
other server machines in the cell run the <B>upclientetc</B> process (an
instance of the client portion of the Update Server) to retrieve the
configuration files. Use the <B>-crypt</B> argument to the
<B>upserver</B> initialization command to specify that the Update Server
distributes the contents of the <B>/usr/afs/etc</B> directory only in
encrypted form, as shown in the following instruction. Several of the
files in the directory, particularly the <B>KeyFile</B> file, are crucial
to cell security and so must never cross the network unencrypted.
<P>(You can choose not to configure a system control machine, in which case
you must update the configuration files in each server machine's
<B>/usr/afs/etc</B> directory individually. The <B>bos</B>
commands used for this purpose also encrypt data before sending it across the
network.)
<P>Distributing the contents of its <B>/usr/afs/bin</B> directory to other
server machines of its system type makes this machine a <I>binary
distribution machine</I>. The other server machines of its system
type run the <B>upclientbin</B> process (an instance of the client portion
of the Update Server) to retrieve the binaries.
<P>The binaries in the <B>/usr/afs/bin</B> directory are not sensitive, so
it is not necessary to encrypt them before transfer across the network.
Include the <B>-clear</B> argument to the <B>upserver</B>
initialization command to specify that the Update Server distributes the
contents of the <B>/usr/afs/bin</B> directory in unencrypted form unless
an <B>upclientbin</B> process requests encrypted transfer.
<P>Note that the server and client portions of the Update Server always
mutually authenticate with one another, regardless of whether you use the
<B>-clear</B> or <B>-crypt</B> arguments. This protects their
communications from eavesdropping to some degree.
<P>For more information on the <B>upclient</B> and <B>upserver</B>
processes, see their reference pages in the <I>IBM AFS Administration
Reference</I>. The commands appear on multiple lines here only for
legibility.
<OL TYPE=1>
<P><LI>Issue the <B>bos create</B> command to start the <B>upserver</B>
process. 
<PRE>   
   # <B>./bos create</B>  &lt;<VAR>machine&nbsp;name></VAR> <B>upserver simple</B>  \ 
             <B>"/usr/afs/bin/upserver  -crypt /usr/afs/etc </B>   \
             <B>-clear /usr/afs/bin" -cell</B> &lt;<VAR>cell&nbsp;name</VAR>>  <B>-noauth</B> 
   
</PRE>
</OL>
<A NAME="IDX2518"></A>
<A NAME="IDX2519"></A>
<A NAME="IDX2520"></A>
<A NAME="IDX2521"></A>
<A NAME="IDX2522"></A>
<A NAME="IDX2523"></A>
<HR><H2><A NAME="HDRWQ62" HREF="auqbg002.htm#ToC_69">Starting the Controller for NTPD</A></H2>
<P>Keeping the clocks on all server and client machines in your
cell synchronized is crucial to several functions, and in particular to the
correct operation of AFS's distributed database technology, Ubik.
The chapter in the <I>IBM AFS Administration Guide</I> about administering
server machines explains how time skew can disturb Ubik's performance and
cause service outages in your cell.
<P>The AFS distribution includes a version of the Network Time Protocol Daemon
(NTPD) for synchronizing the clocks on server machines. If a time
synchronization program is not already running on the machine, then in this
section you start the <B>runntp</B> process to configure NTPD for use with
AFS.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Do not run the <B>runntp</B> process if NTPD or another time
synchronization protocol is already running on the machine. Some
versions of some operating systems run a time synchronization program by
default, as detailed in the <I>IBM AFS Release Notes</I>. 
<P>Attempting to run multiple instances of the NTPD causes an error.
Running NTPD together with another time synchronization protocol is
unnecessary and can cause instability in the clock setting.
</TD></TR></TABLE>
<P>If you run the <B>runntp</B> process and your cell has reliable network
connectivity to machines outside your cell, then it is conventional to
configure the first AFS machine to refer to a time source outside the
cell. When you later install the <B>runntp</B> program on other
server machines in the cell, it configures NTPD to choose a time source at
random from among the database server machines listed in the
<B>/usr/afs/etc/CellServDB</B> file. Time synchronization therefore
works in a chained manner: this database server machine refers to a time
source outside the cell, the database server machines refer to the machine
among them that has access to the most accurate time (NTPD itself includes
code for determining this), and each non-database server machine refers to a
local database server machine chosen at random from the
<B>/usr/afs/etc/CellServDB</B> file. If you ever decide to remove
database server functionality from this machine, it is best to transfer
responsibility for consulting an external time source to a remaining database
server machine.
<P>If your cell does not have network connectivity to external machines, or if
the connectivity is not reliable, include the <B>-localclock</B> flag to
the <B>runntp</B> command as indicated in the following
instructions. The flag tells NTPD to rely on the machine's
internal clock when all external time sources are inaccessible. The
<B>runntp</B> command has other arguments that are possibly useful given
your cell configuration; see the <I>IBM AFS Administration
Reference</I>.
<P>Choosing an appropriate external time source is important, but involves
more considerations than can be discussed here. If you need help in
selecting a source, contact the AFS Product Support group.
<P>As the <B>runntp</B> process initializes NTPD, trace messages sometimes
appear on the standard output stream. You can ignore them, but they can
be informative if you understand how NTPD works.
<OL TYPE=1>
<P><LI>Issue the <B>bos create</B> command to start the <B>runntp</B>
process. For the <VAR>host</VAR> argument, substitute the fully-qualified
hostname or IP address of one or more machines outside the cell that are to
serve as time sources. Separate each name with a space. 
<UL>
<P><LI>If your cell usually has reliable network connectivity to an external time
source, use the following command: 
<PRE>   
   # <B>./bos create </B> &lt;<VAR>machine&nbsp;name</VAR>>   <B>runntp simple</B>   \
        <B>"/usr/afs/bin/runntp</B> &lt;<VAR>host</VAR>>+<B>"  -cell</B> &lt;<VAR>cell&nbsp;name</VAR>>  <B>-noauth</B>
   
</PRE>
<P><LI>If your cell does not have network connectivity to an external time
source, use the following command: 
<PRE>   
   # <B>./bos create</B>  &lt;<VAR>machine&nbsp;name</VAR>> <B>runntp simple</B>  \ 
        <B>"/usr/afs/bin/runntp -localclock"</B>  <B>-cell</B> &lt;<VAR>cell&nbsp;name</VAR>>  <B>-noauth</B>
   
</PRE>
<P><LI>If your cell has network connectivity to an external time source, but the
network connection is frequently interrupted, use the following command:
<P>
<PRE>   
   # <B>./bos create</B>  &lt;<VAR>machine&nbsp;name</VAR>> <B>runntp simple</B>  \ 
         <B>"/usr/afs/bin/runntp -localclock</B> &lt;<VAR>host</VAR>>+<B>"</B>  \
         <B>-cell</B> &lt;<VAR>cell&nbsp;name</VAR>>  <B>-noauth</B>
   
</PRE>
</UL>
</OL>
<A NAME="IDX2524"></A>
<A NAME="IDX2525"></A>
<A NAME="IDX2526"></A>
<HR><H2><A NAME="HDRWQ63" HREF="auqbg002.htm#ToC_70">Overview: Installing Client Functionality</A></H2>
<P>The machine you are installing is now an AFS file server
machine, database server machine, system control machine, and binary
distribution machine. Now make it a client machine by completing the
following tasks:
<OL TYPE=1>
<P><LI>Define the machine's cell membership for client processes
<P><LI>Create the client version of the <B>CellServDB</B> file
<P><LI>Define cache location and size
<P><LI>Create the <B>/afs</B> directory and start the Cache Manager
</OL>
<A NAME="IDX2527"></A>
<A NAME="IDX2528"></A>
<A NAME="IDX2529"></A>
<HR><H2><A NAME="HDRWQ64" HREF="auqbg002.htm#ToC_71">Copying Client Files to the Local Disk</A></H2>
<P>Before installing and configuring the AFS client, copy the
necessary files from the AFS CD-ROM to the local <B>/usr/vice/etc</B>
directory.
<OL TYPE=1>
<P><LI>On the local <B>/cdrom</B> directory, mount the AFS CD-ROM for this
machine's system type, if it is not already. For instructions on
mounting CD-ROMs (either locally or remotely via NFS), consult the operating
system documentation.
<P><LI>Copy files to the local <B>/usr/vice/etc</B> directory.
<P>This step places a copy of the AFS initialization script (and related
files, if applicable) into the <B>/usr/vice/etc</B> directory. In
the preceding instructions for incorporating AFS into the kernel, you copied
the script directly to the operating system's conventional location for
initialization files. When you incorporate AFS into the machine's
startup sequence in a later step, you can choose to link the two files.
<P>On some system types that use a dynamic kernel loader program, you
previously copied AFS library files into a subdirectory of the
<B>/usr/vice/etc</B> directory. On other system types, you copied
the appropriate AFS library file directly to the directory where the operating
system accesses it. The following commands do not copy or recopy the
AFS library files into the <B>/usr/vice/etc</B> directory, because on some
system types the library files consume a large amount of space. If you
want to copy them, add the <B>-r</B> flag to the first <B>cp</B>
command and skip the second <B>cp</B> command.
<PRE>   
   # <B>cd /cdrom/</B><VAR>sysname</VAR><B>/root.client/usr/vice/etc</B>
   
   # <B>cp -p  *  /usr/vice/etc</B>
  
   # <B>cp -rp  C  /usr/vice/etc</B>
   
</PRE>
</OL>
<A NAME="IDX2530"></A>
<A NAME="IDX2531"></A>
<A NAME="IDX2532"></A>
<A NAME="IDX2533"></A>
<A NAME="IDX2534"></A>
<A NAME="IDX2535"></A>
<A NAME="IDX2536"></A>
<HR><H2><A NAME="HDRWQ65" HREF="auqbg002.htm#ToC_72">Defining Cell Membership for Client Processes</A></H2>
<P>Every AFS client machine has a copy of the
<B>/usr/vice/etc/ThisCell</B> file on its local disk to define the
machine's cell membership for the AFS client programs that run on
it. The <B>ThisCell</B> file you created in the
<B>/usr/afs/etc</B> directory (in <A HREF="#HDRWQ51">Defining Cell Name and Membership for Server Processes</A>) is used only by server processes.
<P>Among other functions, the <B>ThisCell</B> file on a client machine
determines the following:
<UL>
<P><LI>The cell in which users authenticate when they log onto the machine,
assuming it is using an AFS-modified login utility
<P><LI>The cell in which users authenticate by default when they issue the
<B>klog</B> command
<P><LI>The cell membership of the AFS server processes that the AFS command
interpreters on this machine contact by default
</UL>
<OL TYPE=1>
<P><LI>Change to the <B>/usr/vice/etc</B> directory and remove the symbolic
link created in <A HREF="#HDRWQ50">Starting the BOS Server</A>. 
<PRE>      
   # <B>cd /usr/vice/etc</B>
   
   # <B>rm ThisCell</B>
   
</PRE>
<P><LI>Create the <B>ThisCell</B> file as a copy of the
<B>/usr/afs/etc/ThisCell</B> file. Defining the same local cell for
both server and client processes leads to the most consistent AFS
performance.
<PRE>   
   # <B>cp  /usr/afs/etc/ThisCell  ThisCell</B>
   
</PRE>
</OL>
<A NAME="IDX2537"></A>
<A NAME="IDX2538"></A>
<A NAME="IDX2539"></A>
<A NAME="IDX2540"></A>
<A NAME="IDX2541"></A>
<A NAME="IDX2542"></A>
<A NAME="IDX2543"></A>
<A NAME="IDX2544"></A>
<HR><H2><A NAME="HDRWQ66" HREF="auqbg002.htm#ToC_73">Creating the Client CellServDB File</A></H2>
<P>The <B>/usr/vice/etc/CellServDB</B> file on a client
machine's local disk lists the database server machines for each cell
that the local Cache Manager can contact. If there is no entry in the
file for a cell, or if the list of database server machines is wrong, then
users working on this machine cannot access the cell. The chapter in
the <I>IBM AFS Administration Guide</I> about administering client
machines explains how to maintain the file after creating it.
<P>As the <B>afsd</B> program initializes the Cache Manager, it copies the
contents of the <B>CellServDB</B> file into kernel memory. The
Cache Manager always consults the list in kernel memory rather than the
<B>CellServDB</B> file itself. Between reboots of the machine, you
can use the <B>fs newcell</B> command to update the list in kernel memory
directly; see the chapter in the <I>IBM AFS Administration Guide</I>
about administering client machines.
<P>The AFS distribution includes the file <B>CellServDB.sample</B>,
and you have already copied it to the <B>/usr/vice/etc</B>
directory. It includes an entry for all AFS cells that agreed to share
their database server machine information at the time your AFS CD-ROM was
created. The AFS Product Support group also maintains a copy of the
file, updating it as necessary. If you are interested in participating
in the global AFS namespace, it is a good policy to consult the file
occasionally for updates. Ask the AFS Product Support group for a
pointer to its location.
<P>The <B>CellServDB.sample</B> file can be a good basis for the
client <B>CellServDB</B> file, because all of the entries in it use the
correct format. You can add or remove cell entries as you see
fit. Later (in <A HREF="#HDRWQ91">Enabling Access to Foreign Cells</A>) you perform additional steps that enable the Cache
Manager actually to reach the cells.
<P>In this section, you add an entry for the local cell to the local
<B>CellServDB</B> file. The current working directory is still
<B>/usr/vice/etc</B>.
<OL TYPE=1>
<P><LI>Remove the symbolic link created in <A HREF="#HDRWQ50">Starting the BOS Server</A> and rename the <B>CellServDB.sample</B> file to
<B>CellServDB</B>.
<PRE>   
   # <B>rm CellServDB</B>
  
   # <B>mv CellServDB.sample CellServDB</B>
      
</PRE>
<P><LI>Add an entry for the local cell to the <B>CellServDB</B> file.
One easy method is to use the <B>cat</B> command to append the contents of
the server <B>/usr/afs/etc/CellServDB</B> file to the client
version.
<PRE>   
    # <B>cat  /usr/afs/etc/CellServDB >>  CellServDB</B>   
</PRE> 
<P>Then open the file in a text editor to verify that there are no blank
lines, and that all entries have the required format, which is described just
following. The ordering of cells is not significant, but it can be
convenient to have the client machine's home cell at the top; move
it there now if you wish.
<UL>
<P><LI>The first line of a cell's entry has the following format: 
<PRE>   
   ><VAR>cell_name</VAR>      #<VAR>organization</VAR>   
</PRE> 
<P>where <VAR>cell_name</VAR> is the cell's complete Internet domain name
(for example, <B>abc.com</B>) and <VAR>organization</VAR> is an
optional field that follows any number of spaces and the number sign
(<TT>#</TT>). By convention it names the organization to which the
cell corresponds (for example, the ABC Corporation).
<P><LI>After the first line comes a separate line for each database server
machine. Each line has the following format: 
<PRE>   
   <VAR>IP_address</VAR>   #<VAR>machine_name</VAR>   
</PRE> 
<P>where <VAR>IP_address</VAR> is the machine's IP address in dotted
decimal format (for example, 192.12.105.3).
Following any number of spaces and the number sign (<TT>#</TT>) is
<VAR>machine_name</VAR>, the machine's fully-qualified hostname (for
example, <B>db1.abc.com</B>). In this case, the
number sign does not indicate a comment; <VAR>machine_name</VAR> is a
required field.
</UL>
<P><LI>If the file includes cells that you do not wish users of this machine to
access, remove their entries.
</OL>
<P>The following example shows entries for two cells, each of which has three
database server machines:
<P>
<PRE>   
   >abc.com       #ABC Corporation (home cell)
   192.12.105.3      #db1.abc.com
   192.12.105.4      #db2.abc.com
   192.12.105.55     #db3.abc.com
   >stateu.edu    #State University cell
   138.255.68.93     #serverA.stateu.edu
   138.255.68.72     #serverB.stateu.edu
   138.255.33.154    #serverC.stateu.edu
   
</PRE>
<A NAME="IDX2545"></A>
<A NAME="IDX2546"></A>
<A NAME="IDX2547"></A>
<A NAME="IDX2548"></A>
<HR><H2><A NAME="HDRWQ67" HREF="auqbg002.htm#ToC_74">Configuring the Cache</A></H2>
<P>The Cache Manager uses a cache on the local disk or in
machine memory to store local copies of files fetched from file server
machines. As the <B>afsd</B> program initializes the Cache Manager,
it sets basic cache configuration parameters according to definitions in the
local <B>/usr/vice/etc/cacheinfo</B> file. The file has three
fields:
<OL TYPE=1>
<P><LI>The first field names the local directory on which to mount the AFS
filespace. The conventional location is the <B>/afs</B>
directory.
<P><LI>The second field defines the local disk directory to use for the disk
cache. The conventional location is the <B>/usr/vice/cache</B>
directory, but you can specify an alternate directory if another partition has
more space available. There must always be a value in this field, but
the Cache Manager ignores it if the machine uses a memory cache.
<P><LI>The third field specifies the number of kilobyte (1024 byte) blocks to
allocate for the cache.
</OL>
<P>The values you define must meet the following requirements.
<UL>
<P><LI>On a machine using a disk cache, the Cache Manager expects always to be
able to use the amount of space specified in the third field. Failure
to meet this requirement can cause serious problems, some of which can be
repaired only by rebooting. You must prevent non-AFS processes from
filling up the cache partition. The simplest way is to devote a
partition to the cache exclusively.
<P><LI>The amount of space available in memory or on the partition housing the
disk cache directory imposes an absolute limit on cache size.
<P><LI>The maximum supported cache size can vary in each AFS release; see
the <I>IBM AFS Release Notes</I> for the current version.
<P><LI>For a disk cache, you cannot specify a value in the third field that
exceeds 95% of the space available on the partition mounted at the directory
named in the second field. If you violate this restriction, the
<B>afsd</B> program exits without starting the Cache Manager and prints an
appropriate message on the standard output stream. A value of 90% is
more appropriate on most machines. Some operating systems (such as AIX)
do not automatically reserve some space to prevent the partition from filling
completely; for them, a smaller value (say, 80% to 85% of the space
available) is more appropriate.
<P><LI>For a memory cache, you must leave enough memory for other processes and
applications to run. If you try to allocate more memory than is
actually available, the <B>afsd</B> program exits without initializing the
Cache Manager and produces the following message on the standard output
stream. 
<PRE>   
   afsd: memCache allocation failure at <VAR>number</VAR> KB
</PRE> 
<P>The <VAR>number</VAR> value is how many kilobytes were allocated just before
the failure, and so indicates the approximate amount of memory
available.
</UL>
<P>Within these hard limits, the factors that determine appropriate cache size
include the number of users working on the machine, the size of the files with
which they work, and (for a memory cache) the number of processes that run on
the machine. The higher the demand from these factors, the larger the
cache needs to be to maintain good performance.
<P>Disk caches smaller than 10 MB do not generally perform well.
Machines serving multiple users usually perform better with a cache of at
least 60 to 70 MB. The point at which enlarging the cache further does
not really improve performance depends on the factors mentioned previously and
is difficult to predict.
<P>Memory caches smaller than 1 MB are nonfunctional, and the performance of
caches smaller than 5 MB is usually unsatisfactory. Suitable upper
limits are similar to those for disk caches but are probably determined more
by the demands on memory from other sources on the machine (number of users
and processes). Machines running only a few processes possibly can use
a smaller memory cache.
<P><H3><A NAME="HDRWQ68" HREF="auqbg002.htm#ToC_75">Configuring a Disk Cache</A></H3>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Not all file system types that an operating system supports are
necessarily supported for use as the cache partition. For possible
restrictions, see the <I>IBM AFS Release Notes</I>.
</TD></TR></TABLE>
<P>To configure the disk cache, perform the following procedures:
<OL TYPE=1>
<P><LI>Create the local directory to use for caching. The following
instruction shows the conventional location,
<B>/usr/vice/cache</B>. If you are devoting a partition exclusively
to caching, as recommended, you must also configure it, make a file system on
it, and mount it at the directory created in this step.
<PRE>   
   # <B>mkdir /usr/vice/cache</B>
   
</PRE>
<P><LI>Create the <B>cacheinfo</B> file to define the configuration
parameters discussed previously. The following instruction shows the
standard mount location, <B>/afs</B>, and the standard cache location,
<B>/usr/vice/cache</B>. 
<PRE>   
   # <B>echo "/afs:/usr/vice/cache:</B><VAR>#blocks</VAR><B>" > /usr/vice/etc/cacheinfo</B>
</PRE> 
<P>The following example defines the disk cache size as 50,000 KB: 
<PRE>   
   # <B>echo "/afs:/usr/vice/cache:50000" > /usr/vice/etc/cacheinfo</B>
</PRE>
</OL>
<P><H3><A NAME="HDRWQ69" HREF="auqbg002.htm#ToC_76">Configuring a Memory Cache</A></H3>
<P>To configure a memory cache, create the <B>cacheinfo</B>
file to define the configuration parameters discussed previously. The
following instruction shows the standard mount location, <B>/afs</B>, and
the standard cache location, <B>/usr/vice/cache</B> (though the exact
value of the latter is irrelevant for a memory cache).
<PRE>   
   # <B>echo "/afs:/usr/vice/cache:</B><VAR>#blocks</VAR><B>" > /usr/vice/etc/cacheinfo</B>
</PRE>
<P>The following example allocates 25,000 KB of memory for the cache.
<PRE>   
   # <B>echo "/afs:/usr/vice/cache:25000" > /usr/vice/etc/cacheinfo</B>
</PRE>
<A NAME="IDX2549"></A>
<A NAME="IDX2550"></A>
<A NAME="IDX2551"></A>
<A NAME="IDX2552"></A>
<A NAME="IDX2553"></A>
<A NAME="IDX2554"></A>
<HR><H2><A NAME="HDRWQ70" HREF="auqbg002.htm#ToC_77">Configuring the Cache Manager</A></H2>
<P>By convention, the Cache Manager mounts the AFS filespace on
the local <B>/afs</B> directory. In this section you create that
directory.
<P>The <B>afsd</B> program sets several cache configuration parameters as
it initializes the Cache Manager, and starts daemons that improve
performance. You can use the <B>afsd</B> command's arguments
to override the parameters' default values and to change the number of
some of the daemons. Depending on the machine's cache size, its
amount of RAM, and how many people work on it, you can sometimes improve Cache
Manager performance by overriding the default values. For a discussion
of all of the <B>afsd</B> command's arguments, see its reference page
in the <I>IBM AFS Administration Reference</I>.
<P>The <B>afsd</B> command line in the AFS initialization script on each
system type includes an <TT>OPTIONS</TT> variable. You can use it to
set nondefault values for the command's arguments, in one of the
following ways:
<UL>
<P><LI>You can create an <B>afsd</B> <I>options file</I> that sets values
for arguments to the <B>afsd</B> command. If the file exists, its
contents are automatically substituted for the <TT>OPTIONS</TT> variable in
the AFS initialization script. The AFS distribution for some system
types includes an options file; on other system types, you must create
it. 
<P>You use two variables in the AFS initialization script to specify the path
to the options file: <TT>CONFIG</TT> and <TT>AFSDOPT</TT>. On
system types that define a conventional directory for configuration files, the
<TT>CONFIG</TT> variable indicates it by default; otherwise, the
variable indicates an appropriate location. 
<P>List the desired <B>afsd</B> options on a single line in the options
file, separating each option with one or more spaces. The following
example sets the <B>-stat</B> argument to 2500, the <B>-daemons</B>
argument to 4, and the <B>-volumes</B> argument to 100.
<PRE>   
   -stat 2500 -daemons 4 -volumes 100   
   
</PRE>
<P><LI>On a machine that uses a disk cache, you can set the <TT>OPTIONS</TT>
variable in the AFS initialization script to one of <TT>$SMALL</TT>,
<TT>$MEDIUM</TT>, or <TT>$LARGE</TT>. The AFS initialization script
uses one of these settings if the <B>afsd</B> options file named by the
<TT>AFSDOPT</TT> variable does not exist. In the script as
distributed, the <TT>OPTIONS</TT> variable is set to the value
<TT>$MEDIUM</TT>.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Do not set the <TT>OPTIONS</TT> variable to <TT>$SMALL</TT>,
<TT>$MEDIUM</TT>, or <TT>$LARGE</TT> on a machine that uses a memory
cache. The arguments it sets are appropriate only on a machine that
uses a disk cache.
</TD></TR></TABLE>
<P>The script (or on some system types the <B>afsd</B> options file named
by the <TT>AFSDOPT</TT> variable) defines a value for each of
<TT>SMALL</TT>, <TT>MEDIUM</TT>, and <TT>LARGE</TT> that sets
<B>afsd</B> command arguments appropriately for client machines of
different sizes:
<UL>
<P><LI><TT>SMALL</TT> is suitable for a small machine that serves one or two
users and has approximately 8 MB of RAM and a 20-MB cache
<P><LI><TT>MEDIUM</TT> is suitable for a medium-sized machine that serves two
to six users and has 16 MB of RAM and a 40-MB cache
<P><LI><TT>LARGE</TT> is suitable for a large machine that serves five to ten
users and has 32 MB of RAM and a 100-MB cache
</UL>
<P><LI>You can choose not to create an <B>afsd</B> options file and to set
the <TT>OPTIONS</TT> variable in the initialization script to a null value
rather than to the default <TT>$MEDIUM</TT> value. You can then
either set arguments directly on the <B>afsd</B> command line in the
script, or set no arguments (and so accept default values for all Cache
Manager parameters).
</UL>
<OL TYPE=1>
<P><LI>Create the local directory on which to mount the AFS filespace, by
convention <B>/afs</B>. If the directory already exists, verify
that it is empty. 
<PRE>   
   # <B>mkdir /afs</B>
   
</PRE>
<P><LI>On AIX systems, add the following line to the <B>/etc/vfs</B>
file. It enables AIX to unmount AFS correctly during shutdown.
<PRE>   
   afs     4     none     none
   
</PRE>
<P><LI>On Linux systems, copy the <B>afsd</B> options file from the
<B>/usr/vice/etc</B> directory to the <B>/etc/sysconfig</B> directory,
removing the <B>.conf</B> extension as you do so.
<PRE>   
   # <B>cp /usr/vice/etc/afs.conf /etc/sysconfig/afs</B>
   
</PRE>
<P><LI>Edit the machine's AFS initialization script or <B>afsd</B>
options file to set appropriate values for <B>afsd</B> command
parameters. The script resides in the indicated location on each system
type:
<UL>
<P><LI>On AIX systems, <B>/etc/rc.afs</B>
<P><LI>On Digital UNIX systems, <B>/sbin/init.d/afs</B>
<P><LI>On HP-UX systems, <B>/sbin/init.d/afs</B>
<P><LI>On IRIX systems, <B>/etc/init.d/afs</B>
<P><LI>On Linux systems, <B>/etc/sysconfig/afs</B> (the <B>afsd</B>
options file)
<P><LI>On Solaris systems, <B>/etc/init.d/afs</B>
</UL> 
<P>Use one of the methods described in the introduction to this section to add
the following flags to the <B>afsd</B> command line. If you intend
for the machine to remain an AFS client, also set any performance-related
arguments you wish.
<UL>
<P><LI>Add the <B>-nosettime</B> flag, because this is a file server machine
that is also a client. The flag prevents the machine from picking a
file server machine in the cell as its source for the correct time, which
client machines normally do. File server machines instead use NTPD (as
controlled by the <B>runntp</B> process) or another protocol to
synchronize their clocks.
<P><LI>Add the <B>-memcache</B> flag if the machine is to use a memory
cache.
<P><LI>Add the <B>-verbose</B> flag to display a trace of the Cache
Manager's initialization on the standard output stream.
</UL>
</OL>
<A NAME="IDX2555"></A>
<A NAME="IDX2556"></A>
<HR><H2><A NAME="HDRWQ71" HREF="auqbg002.htm#ToC_78">Overview: Completing the Installation of the First AFS Machine</A></H2>
<P>The machine is now configured as an AFS file server and
client machine. In this final phase of the installation, you initialize
the Cache Manager and then create the upper levels of your AFS filespace,
among other procedures. The procedures are:
<OL TYPE=1>
<P><LI>Verify that the initialization script works correctly, and incorporate it
into the operating system's startup and shutdown sequence
<P><LI>Create and mount top-level volumes
<P><LI>Create and mount volumes to store system binaries in AFS
<P><LI>Enable access to foreign cells
<P><LI>Institute additional security measures
<P><LI>Remove client functionality if desired
</OL>
<A NAME="IDX2557"></A>
<A NAME="IDX2558"></A>
<A NAME="IDX2559"></A>
<A NAME="IDX2560"></A>
<A NAME="IDX2561"></A>
<HR><H2><A NAME="HDRWQ72" HREF="auqbg002.htm#ToC_79">Verifying the AFS Initialization Script</A></H2>
<P>At this point you run the AFS initialization script to verify
that it correctly invokes all of the necessary programs and AFS processes, and
that they start correctly. The following are the relevant
commands:
<UL>
<P><LI>The command that dynamically loads AFS modifications into the kernel, on
some system types (not applicable if the kernel has AFS modifications built
in)
<P><LI>The <B>bosserver</B> command, which starts the BOS Server; it in
turn starts the server processes for which you created entries in the
<B>/usr/afs/local/BosConfig</B> file
<P><LI>The <B>afsd</B> command, which initializes the Cache Manager
</UL>
<P>On system types that use a dynamic loader program, you must reboot the
machine before running the initialization script, so that it can freshly load
AFS modifications into the kernel.
<P>If there are problems during the initialization, attempt to resolve
them. The AFS Product Support group can provide assistance if
necessary.
<OL TYPE=1>
<A NAME="IDX2562"></A>
<A NAME="IDX2563"></A>
<P><LI>Issue the <B>bos shutdown</B> command to shut down the AFS server
processes other than the BOS Server. Include the <B>-wait</B> flag
to delay return of the command shell prompt until all processes shut down
completely. 
<PRE>      
   # <B>/usr/afs/bin/bos shutdown</B> &lt;<VAR>machine&nbsp;name</VAR>> <B>-wait</B>
   
</PRE>
<P><LI>Issue the <B>ps</B> command to learn the <B>bosserver</B>
process's process ID number (PID), and then the <B>kill</B> command
to stop it.
<PRE>   
   # <B>ps</B> <VAR>appropriate_ps_options</VAR> <B>| grep bosserver</B>
   
   # <B>kill</B> <VAR>bosserver_PID</VAR>
   
</PRE>
<P><LI>Issue the appropriate commands to run the AFS initialization script for
this system type. 
<A NAME="IDX2564"></A>
<P><B>On AIX systems:</B> 
<OL TYPE=a>
<P><LI>Reboot the machine and log in again as the local superuser
<B>root</B>. 
<PRE>   
   # <B>cd /</B>
   
   # <B>shutdown -r now</B>
   
   login: <B>root</B>
   Password: <VAR>root_password</VAR>
   
</PRE>
<P><LI>Run the AFS initialization script. 
<PRE>   
   # <B>/etc/rc.afs</B>
   
</PRE>
</OL> 
<A NAME="IDX2565"></A>
<P><B>On Digital UNIX systems:</B> 
<OL TYPE=a>
<P><LI>Run the AFS initialization script. 
<PRE>   
   # <B>/sbin/init.d/afs  start</B>
   
</PRE>
</OL> 
<A NAME="IDX2566"></A>
<P><B>On HP-UX systems:</B> 
<OL TYPE=a>
<P><LI>Run the AFS initialization script. 
<PRE>   
   # <B>/sbin/init.d/afs  start</B>
   
</PRE>
</OL> 
<A NAME="IDX2567"></A>
<A NAME="IDX2568"></A>
<A NAME="IDX2569"></A>
<A NAME="IDX2570"></A>
<A NAME="IDX2571"></A>
<A NAME="IDX2572"></A>
<A NAME="IDX2573"></A>
<P><B>On IRIX systems:</B> 
<OL TYPE=a>
<P><LI>If you have configured the machine to use the <B>ml</B> dynamic loader
program, reboot the machine and log in again as the local superuser
<B>root</B>. 
<PRE>   
   # <B>cd /</B>
   
   # <B>shutdown -i6 -g0 -y</B>
   
   login: <B>root</B>
   Password: <VAR>root_password</VAR>
   
</PRE>
<P><LI>Issue the <B>chkconfig</B> command to activate the
<B>afsserver</B> and <B>afsclient</B> configuration variables.
<PRE>   
   # <B>/etc/chkconfig -f afsserver on</B>
   
   # <B>/etc/chkconfig -f afsclient on</B> 
   
</PRE>
<P><LI>Run the AFS initialization script. 
<PRE>   
   # <B>/etc/init.d/afs  start</B>
   
</PRE>
</OL> 
<A NAME="IDX2574"></A>
<P><B>On Linux systems:</B> 
<OL TYPE=a>
<P><LI>Reboot the machine and log in again as the local superuser
<B>root</B>. 
<PRE>  
   # <B>cd /</B>
         
   # <B>shutdown -r now</B>
   
   login: <B>root</B>
   Password: <VAR>root_password</VAR>
   
</PRE>
<P><LI>Run the AFS initialization script. 
<PRE>   
   # <B>/etc/rc.d/init.d/afs  start</B>
   
</PRE>
</OL> 
<A NAME="IDX2575"></A>
<P><B>On Solaris systems:</B> 
<OL TYPE=a>
<P><LI>Reboot the machine and log in again as the local superuser
<B>root</B>. 
<PRE>   
   # <B>cd /</B>
      
   # <B>shutdown -i6 -g0 -y</B>
   
   login: <B>root</B>
   Password: <VAR>root_password</VAR>
   
</PRE>
<P><LI>Run the AFS initialization script. 
<PRE>   
   # <B>/etc/init.d/afs  start</B>
   
</PRE>
</OL>
<A NAME="IDX2576"></A>
<A NAME="IDX2577"></A>
<P><LI>Wait for the message that confirms that Cache Manager initialization is
complete. 
<P>On machines that use a disk cache, it can take a while to initialize the
Cache Manager for the first time, because the <B>afsd</B> program must
create all of the <B>V</B><VAR>n</VAR> files in the cache directory.
Subsequent Cache Manager initializations do not take nearly as long, because
the <B>V</B><VAR>n</VAR> files already exist.
<P>As a basic test of correct AFS functioning, issue the <B>klog</B>
command to authenticate as the <B>admin</B> user. Provide the
password (<VAR>admin_passwd</VAR>) you defined in <A HREF="#HDRWQ53">Initializing Cell Security</A>. 
<PRE>   
   # <B>/usr/afs/bin/klog admin</B>
   Password:  <VAR>admin_passwd</VAR>
   
</PRE>
<A NAME="IDX2578"></A>
<A NAME="IDX2579"></A>
<P><LI>Issue the <B>tokens</B> command to verify that the <B>klog</B>
command worked correctly. If it did, the output looks similar to the
following example for the <B>abc.com</B> cell, where
<B>admin</B>'s AFS UID is 1. If the output does not seem
correct, resolve the problem. Changes to the AFS initialization script
are possibly necessary. The AFS Product Support group can provide
assistance as necessary. 
<PRE>   
   # <B>/usr/afs/bin/tokens</B>
   Tokens held by the Cache Manager:
  
   User's (AFS ID 1) tokens for afs@abc.com [Expires May 22 11:52]
       --End of list--
   
</PRE>
<P><LI>Issue the <B>bos status</B> command to verify that the output for each
process reads <TT>Currently running normally</TT>. 
<PRE>   
   # <B>/usr/afs/bin/bos status</B> &lt;<VAR>machine&nbsp;name</VAR>>
   
</PRE>
<A NAME="IDX2580"></A>
<A NAME="IDX2581"></A>
<P><LI>Change directory to the local file system root (<B>/</B>) and issue
the <B>fs checkvolumes</B> command.
<PRE>   
   # <B>cd /</B>
   
   # <B>/usr/afs/bin/fs checkvolumes</B>
   
</PRE>
</OL>
<A NAME="IDX2582"></A>
<A NAME="IDX2583"></A>
<A NAME="IDX2584"></A>
<A NAME="IDX2585"></A>
<HR><H2><A NAME="HDRWQ73" HREF="auqbg002.htm#ToC_80">Activating the AFS Initialization Script</A></H2>
<P>Now that you have confirmed that the AFS initialization
script works correctly, take the action necessary to have it run automatically
at each reboot. Proceed to the instructions for your system type:
<UL>
<P><LI><A HREF="#HDRWQ74">Activating the Script on AIX Systems</A>
<P><LI><A HREF="#HDRWQ75">Activating the Script on Digital UNIX Systems</A>
<P><LI><A HREF="#HDRWQ76">Activating the Script on HP-UX Systems</A>
<P><LI><A HREF="#HDRWQ77">Activating the Script on IRIX Systems</A>
<P><LI><A HREF="#HDRWQ78">Activating the Script on Linux Systems</A>
<P><LI><A HREF="#HDRWQ79">Activating the Script on Solaris Systems</A>
</UL>
<A NAME="IDX2586"></A>
<P><H3><A NAME="HDRWQ74" HREF="auqbg002.htm#ToC_81">Activating the Script on AIX Systems</A></H3>
<OL TYPE=1>
<P><LI>Edit the AIX initialization file, <B>/etc/inittab</B>, adding the
following line to invoke the AFS initialization script. Place it just
after the line that starts NFS daemons.
<PRE>   
   rcafs:2:wait:/etc/rc.afs > /dev/console 2>&amp;1 # Start AFS services
   
</PRE>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and <B>/etc</B> directories.
If you want to avoid potential confusion by guaranteeing that they are always
the same, create a link between them. You can always retrieve the
original script from the AFS CD-ROM if necessary.
<PRE>   
   # <B>cd  /usr/vice/etc</B>
   
   # <B>rm  rc.afs</B>
  
   # <B>ln -s  /etc/rc.afs</B>
   
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
</OL>
<A NAME="IDX2587"></A>
<P><H3><A NAME="HDRWQ75" HREF="auqbg002.htm#ToC_82">Activating the Script on Digital UNIX Systems</A></H3>
<OL TYPE=1>
<P><LI>Change to the <B>/sbin/init.d</B> directory and issue the
<B>ln -s</B> command to create symbolic links that incorporate the AFS
initialization script into the Digital UNIX startup and shutdown
sequence.
<PRE>   
   # <B>cd  /sbin/init.d</B>
   
   # <B>ln -s  ../init.d/afs  /sbin/rc3.d/S67afs</B>
   
   # <B>ln -s  ../init.d/afs  /sbin/rc0.d/K66afs</B>
   
</PRE>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and <B>/sbin/init.d</B>
directories. If you want to avoid potential confusion by guaranteeing
that they are always the same, create a link between them. You can
always retrieve the original script from the AFS CD-ROM if necessary.
<PRE>   
   # <B>cd /usr/vice/etc</B>
   
   # <B>rm afs.rc</B>
  
   # <B>ln -s  /sbin/init.d/afs  afs.rc</B>
   
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
</OL>
<A NAME="IDX2588"></A>
<P><H3><A NAME="HDRWQ76" HREF="auqbg002.htm#ToC_83">Activating the Script on HP-UX Systems</A></H3>
<OL TYPE=1>
<P><LI>Change to the <B>/sbin/init.d</B> directory and issue the
<B>ln -s</B> command to create symbolic links that incorporate the AFS
initialization script into the HP-UX startup and shutdown sequence.
<PRE>   
   # <B>cd /sbin/init.d</B>
   
   # <B>ln -s ../init.d/afs /sbin/rc2.d/S460afs</B>
  
   # <B>ln -s ../init.d/afs /sbin/rc2.d/K800afs</B>
   
</PRE>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and <B>/sbin/init.d</B>
directories. If you want to avoid potential confusion by guaranteeing
that they are always the same, create a link between them. You can
always retrieve the original script from the AFS CD-ROM if necessary.
<PRE>   
   # <B>cd /usr/vice/etc</B>
   
   # <B>rm afs.rc</B>
  
   # <B>ln -s  /sbin/init.d/afs  afs.rc</B>
   
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
</OL>
<A NAME="IDX2589"></A>
<P><H3><A NAME="HDRWQ77" HREF="auqbg002.htm#ToC_84">Activating the Script on IRIX Systems</A></H3>
<OL TYPE=1>
<P><LI>Change to the <B>/etc/init.d</B> directory and issue the
<B>ln -s</B> command to create symbolic links that incorporate the AFS
initialization script into the IRIX startup and shutdown sequence.
<PRE>   
   # <B>cd /etc/init.d</B>
   
   # <B>ln -s ../init.d/afs /etc/rc2.d/S35afs</B>
  
   # <B>ln -s ../init.d/afs /etc/rc0.d/K35afs</B>
   
</PRE>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and <B>/etc/init.d</B>
directories. If you want to avoid potential confusion by guaranteeing
that they are always the same, create a link between them. You can
always retrieve the original script from the AFS CD-ROM if necessary.
<PRE>   
   # <B>cd /usr/vice/etc</B>
   
   # <B>rm afs.rc</B>
  
   # <B>ln -s  /etc/init.d/afs  afs.rc</B>
   
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
</OL>
<A NAME="IDX2590"></A>
<P><H3><A NAME="HDRWQ78" HREF="auqbg002.htm#ToC_85">Activating the Script on Linux Systems</A></H3>
<OL TYPE=1>
<P><LI>Issue the <B>chkconfig</B> command to activate the <B>afs</B>
configuration variable. Based on the instruction in the AFS
initialization file that begins with the string <TT>#chkconfig</TT>, the
command automatically creates the symbolic links that incorporate the script
into the Linux startup and shutdown sequence. 
<PRE>   
   # <B>/sbin/chkconfig  --add afs</B>
   
</PRE>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and
<B>/etc/rc.d/init.d</B> directories, and copies of the
<B>afsd</B> options file in both the <B>/usr/vice/etc</B> and
<B>/etc/sysconfig</B> directories. If you want to avoid potential
confusion by guaranteeing that the two copies of each file are always the
same, create a link between them. You can always retrieve the original
script or options file from the AFS CD-ROM if necessary.
<PRE>   
   # <B>cd /usr/vice/etc</B>
   
   # <B>rm afs.rc afs.conf</B>
    
   # <B>ln -s  /etc/rc.d/init.d/afs  afs.rc</B>
   
   # <B>ln -s  /etc/sysconfig/afs  afs.conf</B>
   
</PRE>
<P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
</OL>
<A NAME="IDX2591"></A>
<P><H3><A NAME="HDRWQ79" HREF="auqbg002.htm#ToC_86">Activating the Script on Solaris Systems</A></H3>
<OL TYPE=1>
<P><LI>Change to the <B>/etc/init.d</B> directory and issue the
<B>ln -s</B> command to create symbolic links that incorporate the AFS
initialization script into the Solaris startup and shutdown sequence.
<PRE>   
   # <B>cd /etc/init.d</B>
  
   # <B>ln -s ../init.d/afs /etc/rc3.d/S99afs</B>
  
   # <B>ln -s ../init.d/afs /etc/rc0.d/K66afs</B>
   
</PRE>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and <B>/etc/init.d</B>
directories. If you want to avoid potential confusion by guaranteeing
that they are always the same, create a link between them. You can
always retrieve the original script from the AFS CD-ROM if necessary.
<PRE>   
   # <B>cd /usr/vice/etc</B>
   
   # <B>rm afs.rc</B>
  
   # <B>ln -s  /etc/init.d/afs  afs.rc</B>
   
</PRE>
</OL>
<A NAME="IDX2592"></A>
<A NAME="IDX2593"></A>
<HR><H2><A NAME="HDRWQ80" HREF="auqbg002.htm#ToC_87">Configuring the Top Levels of the AFS Filespace</A></H2>
<P>If you have not previously run AFS in your cell, you now
configure the top levels of your cell's AFS filespace. If you have
run a previous version of AFS, the filespace is already configured.
Proceed to <A HREF="#HDRWQ83">Storing AFS Binaries in AFS</A>.
<A NAME="IDX2594"></A>
<A NAME="IDX2595"></A>
<A NAME="IDX2596"></A>
<P>You created the <B>root.afs</B> volume in <A HREF="#HDRWQ60">Starting the File Server, Volume Server, and Salvager</A>, and the Cache Manager mounted it automatically on the local
<B>/afs</B> directory when you ran the AFS initialization script in <A HREF="#HDRWQ72">Verifying the AFS Initialization Script</A>. You now set the access control list (ACL) on the
<B>/afs</B> directory; creating, mounting, and setting the ACL are
the three steps required when creating any volume.
<P>After setting the ACL on the <B>root.afs</B> volume, you create
your cell's <B>root.cell</B> volume, mount it as a
subdirectory of the <B>/afs</B> directory, and set the ACL. Create
both a read/write and a regular mount point for the
<B>root.cell</B> volume. The read/write mount point enables
you to access the read/write version of replicated volumes when
necessary. Creating both mount points essentially creates separate
read-only and read-write copies of your filespace, and enables the Cache
Manager to traverse the filespace on a read-only path or read/write path as
appropriate. For further discussion of these concepts, see the chapter
in the <I>IBM AFS Administration Guide</I> about administering
volumes.
<A NAME="IDX2597"></A>
<A NAME="IDX2598"></A>
<A NAME="IDX2599"></A>
<P>Then replicate both the <B>root.afs</B> and
<B>root.cell</B> volumes. This is required if you want to
replicate any other volumes in your cell, because all volumes mounted above a
replicated volume must themselves be replicated in order for the Cache Manager
to access the replica.
<P>When the <B>root.afs</B> volume is replicated, the Cache Manager
is programmed to access its read-only version
(<B>root.afs.readonly</B>) whenever possible. To make
changes to the contents of the <B>root.afs</B> volume (when, for
example, you mount another cell's <B>root.cell</B> volume at
the second level in your filespace), you must mount the
<B>root.afs</B> volume temporarily, make the changes, release the
volume and remove the temporary mount point. For instructions, see <A HREF="#HDRWQ91">Enabling Access to Foreign Cells</A>.
<A NAME="IDX2600"></A>
<A NAME="IDX2601"></A>
<A NAME="IDX2602"></A>
<A NAME="IDX2603"></A>
<OL TYPE=1>
<P><LI>Issue the <B>fs setacl</B> command to edit the ACL on the
<B>/afs</B> directory. Add an entry that grants the <B>l</B>
(<B>lookup</B>) and <B>r</B> (<B>read</B>) permissions to the
<B>system:anyuser</B> group, to enable all AFS users who can reach
your cell to traverse through the directory. If you prefer to enable
access only to locally authenticated users, substitute the
<B>system:authuser</B> group. 
<P>Note that there is already an ACL entry that grants all seven access rights
to the <B>system:administrators</B> group. It is a default
entry that AFS places on every new volume's root directory. 
<PRE>   
   # <B>/usr/afs/bin/fs setacl /afs system:anyuser rl</B>
   
</PRE>
<A NAME="IDX2604"></A>
<A NAME="IDX2605"></A>
<A NAME="IDX2606"></A>
<A NAME="IDX2607"></A>
<A NAME="IDX2608"></A>
<A NAME="IDX2609"></A>
<A NAME="IDX2610"></A>
<P><LI><A NAME="LIWQ81"></A>Issue the <B>vos create</B> command to create the
<B>root.cell</B> volume. Then issue the <B>fs
mkmount</B> command to mount it as a subdirectory of the <B>/afs</B>
directory, where it serves as the root of your cell's local AFS
filespace. Finally, issue the <B>fs setacl</B> command to create an
ACL entry for the <B>system:anyuser</B> group (or
<B>system:authuser</B> group). 
<P>For the <VAR>partition name</VAR> argument, substitute the name of one of the
machine's AFS server partitions (such as <B>/vicepa</B>). For
the <VAR>cellname</VAR> argument, substitute your cell's fully-qualified
Internet domain name (such as <B>abc.com</B>).
<PRE>   
   # <B>/usr/afs/bin/vos create</B>  &lt;<VAR>machine&nbsp;name</VAR>> &lt;<VAR>partition&nbsp;name</VAR>> <B>root.cell</B> 
   
   # <B>/usr/afs/bin/fs mkmount /afs/</B><VAR>cellname</VAR>  <B>root.cell</B>
   
   # <B>/usr/afs/bin/fs setacl /afs/</B><VAR>cellname</VAR>  <B>system:anyuser rl</B>
   
</PRE>
<A NAME="IDX2611"></A>
<A NAME="IDX2612"></A>
<A NAME="IDX2613"></A>
<P><LI><B>(Optional)</B> Create a symbolic link to a shortened cell name, to
reduce the length of pathnames for users in the local cell. For
example, in the <B>abc.com</B> cell, <B>/afs/abc</B> is a link
to <B>/afs/abc.com</B>. 
<PRE>     
   # <B>cd /afs</B>
   
   # <B>ln -s</B>  <VAR>full_cellname</VAR>  <VAR>short_cellname</VAR>
   
</PRE>
<A NAME="IDX2614"></A>
<A NAME="IDX2615"></A>
<A NAME="IDX2616"></A>
<P><LI>Issue the <B>fs mkmount</B> command to create a read/write mount point
for the <B>root.cell</B> volume (you created a regular mount point
in Step <A HREF="#LIWQ81">2</A>).
<P>By convention, the name of a read/write mount point begins with a period,
both to distinguish it from the regular mount point and to make it visible
only when the <B>-a</B> flag is used on the <B>ls</B> command.
<P>Change directory to <B>/usr/afs/bin</B> to make it easier to access the
command binaries.
<PRE>   
   # <B>cd /usr/afs/bin</B>
   
   # <B>./fs mkmount   /afs/.</B><VAR>cellname</VAR>   <B>root.cell -rw</B>
   
</PRE>
<A NAME="IDX2617"></A>
<A NAME="IDX2618"></A>
<A NAME="IDX2619"></A>
<A NAME="IDX2620"></A>
<P><LI><A NAME="LIWQ82"></A>Issue the <B>vos addsite</B> command to define a replication
site for both the <B>root.afs</B> and <B>root.cell</B>
volumes. In each case, substitute for the <VAR>partition name</VAR>
argument the partition where the volume's read/write version
resides. When you install additional file server machines, it is a good
idea to create replication sites on them as well. 
<PRE>   
   # <B>./vos addsite</B> &lt;<VAR>machine&nbsp;name</VAR>> &lt;<VAR>partition&nbsp;name</VAR>> <B>root.afs</B>
   
   # <B>./vos addsite</B> &lt;<VAR>machine&nbsp;name</VAR>> &lt;<VAR>partition&nbsp;name</VAR>> <B>root.cell</B>
   
</PRE>
<A NAME="IDX2621"></A>
<A NAME="IDX2622"></A>
<P><LI>Issue the <B>fs examine</B> command to verify that the Cache Manager
can access both the <B>root.afs</B> and <B>root.cell</B>
volumes, before you attempt to replicate them. The output lists each
volume's name, volumeID number, quota, size, and the size of the
partition that houses them. If you get an error message instead, do not
continue before taking corrective action. 
<PRE> 
   # <B>./fs examine /afs</B>
   
   # <B>./fs examine /afs/</B><VAR>cellname</VAR>
   
</PRE>
<A NAME="IDX2623"></A>
<A NAME="IDX2624"></A>
<A NAME="IDX2625"></A>
<A NAME="IDX2626"></A>
<P><LI>Issue the <B>vos release</B> command to release a replica of the
<B>root.afs</B> and <B>root.cell</B> volumes to the
sites you defined in Step <A HREF="#LIWQ82">5</A>. 
<PRE>   
   # <B>./vos release root.afs</B>
   
   # <B>./vos release root.cell</B>
   
</PRE>
<A NAME="IDX2627"></A>
<A NAME="IDX2628"></A>
<P><LI>Issue the <B>fs checkvolumes</B> to force the Cache Manager to notice
that you have released read-only versions of the volumes, then issue the
<B>fs examine</B> command again. This time its output mentions the
read-only version of the volumes (<B>root.afs.readonly</B>
and <B>root.cell.readonly</B>) instead of the read/write
versions, because of the Cache Manager's bias to access the read-only
version of the <B>root.afs</B> volume if it exists. 
<PRE>   
   # <B>./fs checkvolumes</B>
   
   # <B>./fs examine /afs</B>
   
   # <B>./fs examine /afs/</B><VAR>cellname</VAR>
   
</PRE>
</OL>
<A NAME="IDX2629"></A>
<A NAME="IDX2630"></A>
<A NAME="IDX2631"></A>
<A NAME="IDX2632"></A>
<A NAME="IDX2633"></A>
<A NAME="IDX2634"></A>
<HR><H2><A NAME="HDRWQ83" HREF="auqbg002.htm#ToC_88">Storing AFS Binaries in AFS</A></H2>
<P>In the conventional configuration, you make AFS client
binaries and configuration files available in the subdirectories of the
<B>/usr/afsws</B> directory on client machines (<B>afsws</B> is an
acronym for <B>AFS
w</B><I>ork</I><B>s</B><I>tation</I>). You can conserve
local disk space by creating <B>/usr/afsws</B> as a link to an AFS volume
that houses the AFS client binaries and configuration files for this system
type.
<P>In this section you create the necessary volumes. The conventional
location to which to link <B>/usr/afsws</B> is
<B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>,
where <VAR>sysname</VAR> is the appropriate system type name as specified in the
<I>IBM AFS Release Notes</I>. The instructions in <A HREF="auqbg007.htm#HDRWQ133">Installing Additional Client Machines</A> assume that you have followed the instructions in this
section.
<P>If you have previously run AFS in the cell, the volumes possibly already
exist. If so, you need to perform Step <A HREF="#LIWQ86">8</A> only.
<P>The current working directory is still <B>/usr/afs/bin</B>, which
houses the <B>fs</B> and <B>vos</B> command suite binaries. In
the following commands, it is possible you still need to specify the pathname
to the commands, depending on how your PATH environment variable is
set.
<OL TYPE=1>
<A NAME="IDX2635"></A>
<A NAME="IDX2636"></A>
<P><LI><A NAME="LIWQ84"></A>Issue the <B>vos create</B> command to create volumes for
storing the AFS client binaries for this system type. The following
example instruction creates volumes called <VAR>sysname</VAR>,
<VAR>sysname</VAR>.<B>usr</B>, and
<VAR>sysname</VAR>.<B>usr.afsws</B>. Refer to the
<I>IBM AFS Release Notes</I> to learn the proper value of <VAR>sysname</VAR>
for this system type. 
<PRE>    
   # <B>vos create</B> &lt;<VAR>machine&nbsp;name</VAR>> &lt;<VAR>partition&nbsp;name</VAR>> <VAR>sysname</VAR>
     
   # <B>vos create</B> &lt;<VAR>machine&nbsp;name</VAR>> &lt;<VAR>partition&nbsp;name</VAR>> <VAR>sysname</VAR><B>.usr</B>
     
   # <B>vos create</B> &lt;<VAR>machine&nbsp;name</VAR>> &lt;<VAR>partition&nbsp;name</VAR>> <VAR>sysname</VAR><B>.usr.afsws</B>
    
</PRE>
<P><LI>Issue the <B>fs mkmount</B> command to mount the newly created
volumes. Because the <B>root.cell</B> volume is replicated,
you must precede the <I>cellname</I> part of the pathname with a period to
specify the read/write mount point, as shown. Then issue the <B>vos
release</B> command to release a new replica of the
<B>root.cell</B> volume, and the <B>fs checkvolumes</B> command
to force the local Cache Manager to access them. 
<PRE>   
   # <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR> <B>-vol</B> <VAR>sysname</VAR>
   
   # <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr</B>  <B>-vol</B> <VAR>sysname</VAR><B>.usr</B>
   
   # <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B> <B>-vol</B> <VAR>sysname</VAR><B>.usr.afsws</B>
   
   # <B>vos release root.cell</B>
   
   # <B>fs checkvolumes</B>
   
</PRE>
<P><LI>Issue the <B>fs setacl</B> command to grant the <B>l</B>
(<B>lookup</B>) and <B>r</B> (<B>read</B>) permissions to the
<B>system:anyuser</B> group on each new directory's ACL.
<PRE>   
   # <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR>
   
   # <B>fs setacl  -dir  .  usr  usr/afsws  -acl  system:anyuser rl</B> 
   
</PRE>
<A NAME="IDX2637"></A>
<A NAME="IDX2638"></A>
<A NAME="IDX2639"></A>
<A NAME="IDX2640"></A>
<A NAME="IDX2641"></A>
<P><LI><A NAME="LIWQ85"></A>Issue the <B>fs setquota</B> command to set an unlimited
quota on the volume mounted at the
<B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
directory. This enables you to copy all of the appropriate files from
the CD-ROM into the volume without exceeding the volume's quota. 
<P>If you wish, you can set the volume's quota to a finite value after
you complete the copying operation. At that point, use the <B>vos
examine</B> command to determine how much space the volume is
occupying. Then issue the <B>fs setquota</B> command to set a quota
that is slightly larger. 
<PRE>   
   # <B>fs setquota /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws  0</B>
   
</PRE>
<P><LI>Mount the AFS CD-ROM for this machine's system type on the local
<B>/cdrom</B> directory, if it is not already. For instructions on
mounting CD-ROMs (either locally or remotely via NFS), consult the operating
system documentation.
<A NAME="IDX2642"></A>
<A NAME="IDX2643"></A>
<A NAME="IDX2644"></A>
<P><LI>Copy the contents of the indicated directories from the CD-ROM into the
<B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
directory.
<PRE>   
   # <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
   
   # <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/bin  .</B>
   
   # <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/etc  .</B>
   
   # <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/include  .</B>
   
   # <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/lib  .</B>
   
</PRE>
<A NAME="IDX2645"></A>
<A NAME="IDX2646"></A>
<P><LI>Issue the <B>fs setacl</B> command to set the ACL on each directory
appropriately. To comply with the terms of your AFS License agreement,
you must prevent unauthorized users from accessing AFS software. To
enable access for locally authenticated users only, set the ACL on the
<B>etc</B>, <B>include</B>, and <B>lib</B> subdirectories to grant
the <B>l</B> and <B>r</B> permissions to the
<B>system:authuser</B> group rather than the
<B>system:anyuser</B> group. The
<B>system:anyuser</B> group must retain the <B>l</B> and
<B>r</B> permissions on the <B>bin</B> subdirectory to enable
unauthenticated users to access the <B>klog</B> binary. To ensure
that unauthorized users are not accessing AFS software, check periodically
that the ACLs on these directories are set properly.
<PRE>     
   # <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
   
   # <B>fs setacl  -dir etc include lib  -acl  system:authuser rl</B>  \
              <B>system:anyuser none</B>
   
</PRE>
<A NAME="IDX2647"></A>
<A NAME="IDX2648"></A>
<P><LI><A NAME="LIWQ86"></A>Create <B>/usr/afsws</B> on the local disk as a symbolic
link to the directory
<B>/afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws</B>. You can
specify the actual system name instead of <B>@sys</B> if you wish, but the
advantage of using <B>@sys</B> is that it remains valid if you upgrade
this machine to a different system type. 
<PRE>   
   # <B>ln -s /afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws  /usr/afsws</B>
   
</PRE>
<A NAME="IDX2649"></A>
<A NAME="IDX2650"></A>
<P><LI><B>(Optional)</B> To enable users to issue commands from the AFS
suites (such as <B>fs</B>) without having to specify a pathname to their
binaries, include the <B>/usr/afsws/bin</B> and <B>/usr/afsws/etc</B>
directories in the PATH environment variable you define in each user's
shell initialization file (such as <B>.cshrc</B>).
</OL>
<A NAME="IDX2651"></A>
<A NAME="IDX2652"></A>
<A NAME="IDX2653"></A>
<A NAME="IDX2654"></A>
<A NAME="IDX2655"></A>
<A NAME="IDX2656"></A>
<HR><H2><A NAME="HDRWQ87" HREF="auqbg002.htm#ToC_89">Storing AFS Documents in AFS</A></H2>
<P>The AFS distribution includes the following documents:
<UL>
<P><LI><I>IBM AFS Release Notes</I>
<P><LI><I>IBM AFS Quick Beginnings</I>
<P><LI><I>IBM AFS User Guide</I>
<P><LI><I>IBM AFS Administration Reference</I>
<P><LI><I>IBM AFS Administration Guide</I>
</UL>
<P>The AFS CD-ROM for each system type has a top-level
<B>Documentation</B> directory, with a subdirectory for each document
format provided. The different formats are suitable for online viewing,
printing, or both.
<P>This section explains how to create and mount a volume to house the
documents, making them available to your users. The recommended mount
point for the volume is
<B>/afs/</B><VAR>cellname</VAR><B>/afsdoc</B>. If you wish, you
can create a link to the mount point on each client machine's local disk,
called <B>/usr/afsdoc</B>. Alternatively, you can create a link to
the mount point in each user's home directory. You can also choose
to permit users to access only certain documents (most probably, the <I>IBM
AFS User Guide</I>) by creating different mount points or setting different
ACLs on different document directories.
<P>The current working directory is still <B>/usr/afs/bin</B>, which
houses the <B>fs</B> and <B>vos</B> command suite binaries you use to
create and mount volumes. In the following commands, it is possible you
still need to specify the pathname to the commands, depending on how your PATH
environment variable is set.
<OL TYPE=1>
<A NAME="IDX2657"></A>
<A NAME="IDX2658"></A>
<P><LI>Issue the <B>vos create</B> command to create a volume for storing the
AFS documentation. Include the <B>-maxquota</B> argument to set an
unlimited quota on the volume. This enables you to copy all of the
appropriate files from the CD-ROM into the volume without exceeding the
volume's quota. 
<P>If you wish, you can set the volume's quota to a finite value after
you complete the copying operations. At that point, use the <B>vos
examine</B> command to determine how much space the volume is
occupying. Then issue the <B>fs setquota</B> command to set a quota
that is slightly larger. 
<PRE>   
   # <B>vos create</B>  &lt;<VAR>machine&nbsp;name</VAR>> &lt;<VAR>partition&nbsp;name</VAR>>  <B>afsdoc  -maxquota  0</B> 
     
</PRE>
<P><LI>Issue the <B>fs mkmount</B> command to mount the new volume.
Because the <B>root.cell</B> volume is replicated, you must precede
the <I>cellname</I> with a period to specify the read/write mount point,
as shown. Then issue the <B>vos release</B> command to release a
new replica of the <B>root.cell</B> volume, and the <B>fs
checkvolumes</B> command to force the local Cache Manager to access
them. 
<PRE>     
   # <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/afsdoc</B> <B>-vol</B> <B>afsdoc</B>
   
   # <B>vos release root.cell</B>
   
   # <B>fs checkvolumes</B>
    
</PRE>
<P><LI>Issue the <B>fs setacl</B> command to grant the <B>rl</B>
permissions to the <B>system:anyuser</B> group on the new
directory's ACL.
<PRE>       
   # <B>cd /afs/.</B><VAR>cellname</VAR><B>/afsdoc</B> 
    
   # <B>fs setacl  .  system:anyuser rl</B> 
   
</PRE>
<P><LI>Mount the AFS CD-ROM for any system type on the local <B>/cdrom</B>
directory, if one is not already. For instructions on mounting CD-ROMs
(either locally or remotely via NFS), consult the operating system
documentation.
<A NAME="IDX2659"></A>
<A NAME="IDX2660"></A>
<A NAME="IDX2661"></A>
<A NAME="IDX2662"></A>
<A NAME="IDX2663"></A>
<P><LI>Copy the AFS documents in one or more formats from the CD-ROM into
subdirectories of the <B>/afs/</B><VAR>cellname</VAR><B>/afsdoc</B>
directory. Repeat the commands for each format. 
<PRE>    
   # <B>mkdir</B> <VAR>format_name</VAR>
  
   # <B>cd</B> <VAR>format_name</VAR>
  
   # <B>cp -rp /cdrom/Documentation/</B><VAR>format</VAR>  <B>.</B>      
</PRE> 
<P>If you choose to store the HTML version of the documents in AFS, note that
in addition to a subdirectory for each document there are several files with a
<B>.gif</B> extension, which enable readers to move easily between
sections of a document. The file called <B>index.htm</B> is
an introductory HTML page that contains a hyperlink to each of the
documents. For online viewing to work properly, these files must remain
in the top-level HTML directory (the one named, for example,
<B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/html</B>).
<P><LI><B>(Optional)</B> If you believe it is helpful to your users to access
the AFS documents in a certain format via a local disk directory, create
<B>/usr/afsdoc</B> on the local disk as a symbolic link to the
documentation directory in AFS
(<B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>).
<P>
<PRE>   
   # <B>ln -s /afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR> <B>/usr/afsdoc</B>
</PRE> 
<P>An alternative is to create a link in each user's home directory to
the <B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>
directory.
</OL>
<A NAME="IDX2664"></A>
<A NAME="IDX2665"></A>
<A NAME="IDX2666"></A>
<A NAME="IDX2667"></A>
<HR><H2><A NAME="HDRWQ88" HREF="auqbg002.htm#ToC_90">Storing System Binaries in AFS</A></H2>
<P>You can also choose to store other system binaries in AFS
volumes, such as the standard UNIX programs conventionally located in local
disk directories such as <B>/etc</B>, <B>/bin</B>, and
<B>/lib</B>. Storing such binaries in an AFS volume not only frees
local disk space, but makes it easier to update binaries on all client
machines.
<P>The following is a suggested scheme for storing system binaries in
AFS. It does not include instructions, but you can use the instructions
in <A HREF="#HDRWQ83">Storing AFS Binaries in AFS</A> (which are for AFS-specific binaries) as a template.
<P>Some files must remain on the local disk for use when AFS is inaccessible
(during bootup and file server or network outages). The required
binaries include the following:
<UL>
<P><LI>A text editor, network commands, and so on
<P><LI>Files used during the boot sequence before the <B>afsd</B> program
runs, such as initialization and configuration files, and binaries for
commands that mount file systems
<P><LI>Files used by dynamic kernel loader programs
</UL>
<P>In most cases, it is more secure to enable only locally authenticated users
to access system binaries, by granting the <B>l</B> (<B>lookup</B>)
and <B>r</B> (<B>read</B>) permissions to the
<B>system:authuser</B> group on the ACLs of directories that contain
the binaries. If users need to access a binary while unauthenticated,
however, the ACL on its directory must grant those permissions to the
<B>system:anyuser</B> group.
<P>The following chart summarizes the suggested volume and mount point names
for storing system binaries. It uses a separate volume for each
directory. You already created a volume called <VAR>sysname</VAR> for
this machine's system type when you followed the instructions in <A HREF="#HDRWQ83">Storing AFS Binaries in AFS</A>.
<P>You can name volumes in any way you wish, and mount them at other locations
than those suggested here. However, this scheme has several
advantages:
<UL>
<P><LI>Volume names clearly identify volume contents
<P><LI>Using the <VAR>sysname</VAR> prefix on every volume makes it is easy to back
up all of the volumes together, because the AFS Backup System enables you to
define sets of volumes based on a string included in all of their names
<P><LI>It makes it easy to track related volumes, keeping them together on the
same file server machine if desired
<P><LI>There is a clear relationship between volume name and mount point name
</UL>
<BR>
<TABLE WIDTH="100%">
<TR>
<TH ALIGN="LEFT" VALIGN="BOTTOM" WIDTH="30%"><B>Volume Name</B>
</TH><TH ALIGN="LEFT" VALIGN="BOTTOM" WIDTH="70%"><B>Mount Point</B>
</TH></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>bin</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/bin</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>etc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/etc</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.afsws</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/afsws</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.bin</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/bin</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.etc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/etc</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.inc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/include</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.lib</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/lib</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.loc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/local</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.man</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/man</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.sys</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/sys</B>
</TD></TR></TABLE>
<P>
<A NAME="IDX2668"></A>
<A NAME="IDX2669"></A>
<A NAME="IDX2670"></A>
<A NAME="IDX2671"></A>
<A NAME="IDX2672"></A>
<A NAME="IDX2673"></A>
<A NAME="IDX2674"></A>
<HR><H2><A NAME="HDRWQ91" HREF="auqbg002.htm#ToC_91">Enabling Access to Foreign Cells</A></H2>
<P>In this section you create a mount point in your AFS
filespace for the <B>root.cell</B> volume of each foreign cell that
you want to enable your users to access. For users working on a client
machine to access the cell, there must in addition be an entry for it in the
client machine's local <B>/usr/vice/etc/CellServDB</B> file.
(The instructions in <A HREF="#HDRWQ66">Creating the Client CellServDB File</A> suggest that you use the <B>CellServDB.sample</B>
file included in the AFS distribution as the basis for your cell's client
<B>CellServDB</B> file. The sample file lists all of the cells that
had agreed to participate in the AFS global namespace at the time your AFS
CD-ROM was created. As mentioned in that section, the AFS Product
Support group also maintains a copy of the file, updating it as
necessary.)
<P>The chapter in the <I>IBM AFS Administration Guide</I> about cell
administration and configuration issues discusses the implications of
participating in the global AFS namespace. The chapter about
administering client machines explains how to maintain knowledge of foreign
cells on client machines, and includes suggestions for maintaining a central
version of the file in AFS.
<OL TYPE=1>
<P><LI>Issue the <B>fs mkmount</B> command to mount each foreign cell's
<B>root.cell</B> volume on a directory called
<B>/afs/</B><VAR>foreign_cell</VAR>. Because the
<B>root.afs</B> volume is replicated, you must create a temporary
mount point for its read/write version in a directory to which you have write
access (such as your cell's <B>/afs/.</B><VAR>cellname</VAR>
directory). Create the mount points, issue the <B>vos release</B>
command to release new replicas to the read-only sites for the
<B>root.afs</B> volume, and issue the <B>fs checkvolumes</B>
command to force the local Cache Manager to access the new replica.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">You need to issue the <B>fs mkmount</B> command only once for each
foreign cell's <B>root.cell</B> volume. You do not need
to repeat the command on each client machine.
</TD></TR></TABLE> 
<P>Substitute your cell's name for <VAR>cellname</VAR>. 
<PRE>   
   # <B>cd /afs/.</B><VAR>cellname</VAR>
   
   # <B>/usr/afs/bin/fs  mkmount  temp  root.afs</B>   
</PRE> 
<P>Repeat the <B>fs mkmount</B> command for each foreign cell you wish to
mount at this time.
<PRE>   
   # <B>/usr/afs/bin/fs mkmount temp/</B><VAR>foreign_cell</VAR> <B>root.cell -c</B> <VAR>foreign_cell</VAR>   
</PRE> 
<P>Issue the following commands only once.
<PRE>     
   # <B>/usr/afs/bin/fs rmmount temp</B>
   
   # <B>/usr/afs/bin/vos release root.afs</B>
   
   # <B>/usr/afs/bin/fs checkvolumes</B>
   
</PRE>
<A NAME="IDX2675"></A>
<A NAME="IDX2676"></A>
<P><LI><A NAME="LIWQ92"></A>If this machine is going to remain an AFS client after you
complete the installation, verify that the local
<B>/usr/vice/etc/CellServDB</B> file includes an entry for each foreign
cell. 
<P>For each cell that does not already have an entry, complete the following
instructions:
<OL TYPE=a>
<P><LI>Create an entry in the <B>CellServDB</B> file. Be sure to
comply with the formatting instructions in <A HREF="#HDRWQ66">Creating the Client CellServDB File</A>.
<P><LI>Issue the <B>fs newcell</B> command to add an entry for the cell
directly to the list that the Cache Manager maintains in kernel memory.
Provide each database server machine's fully qualified hostname.
<PRE>   
   # <B>/usr/afs/bin/fs newcell</B> &lt;<VAR>foreign_cell</VAR>> &lt;<VAR>dbserver1></VAR>    \
            [&lt;<VAR>dbserver2></VAR>] [&lt;<VAR>dbserver3></VAR>]
   
</PRE>
<P><LI>If you plan to maintain a central version of the <B>CellServDB</B>
file (the conventional location is
<B>/afs/</B><VAR>cellname</VAR><B>/common/etc/CellServDB</B>), create it
now as a copy of the local <B>/usr/vice/etc/CellServDB</B> file.
Verify that it includes an entry for each foreign cell you want your users to
be able to access.
<PRE>   
   # <B>mkdir common</B>
   
   # <B>mkdir common/etc</B>
   
   # <B>cp  /usr/vice/etc/CellServDB  common/etc</B>
   
   # <B>/usr/afs/bin/vos release root.cell</B>
   
</PRE>
</OL>
<P><LI>Issue the <B>ls</B> command to verify that the new cell's mount
point is visible in your filespace. The output lists the directories at
the top level of the new cell's AFS filespace.
<PRE>   
   # <B>ls /afs/</B><VAR>foreign_cell</VAR>
   
</PRE>
<P><LI>Please register your cell with the AFS Product Support group at this
time. If you do not want to participate in the global AFS namespace,
they list your cell in a private <B>CellServDB</B> file that is not
available to other AFS cells.
</OL>
<A NAME="IDX2677"></A>
<A NAME="IDX2678"></A>
<A NAME="IDX2679"></A>
<A NAME="IDX2680"></A>
<A NAME="IDX2681"></A>
<A NAME="IDX2682"></A>
<HR><H2><A NAME="HDRWQ93" HREF="auqbg002.htm#ToC_92">Improving Cell Security</A></H2>
<P>This section discusses ways to improve the security of AFS
data in your cell. Also see the chapter in the <I>IBM AFS
Administration Guide</I> about configuration and administration
issues.
<P><H3><A NAME="HDRWQ94" HREF="auqbg002.htm#ToC_93">Controlling root Access</A></H3>
<P>As on any machine, it is important to prevent unauthorized
users from logging onto an AFS server or client machine as the local superuser
<B>root</B>. Take care to keep the <B>root</B> password
secret.
<P>The local <B>root</B> superuser does not have special access to AFS
data through the Cache Manager (as members of the
<B>system:administrators</B> group do), but it does have the
following privileges:
<UL>
<P><LI>On client machines, the ability to issue commands from the <B>fs</B>
suite that affect AFS performance
<P><LI>On server machines, the ability to disable authorization checking, or to
install rogue process binaries
</UL>
<P><H3><A NAME="HDRWQ95" HREF="auqbg002.htm#ToC_94">Controlling System Administrator Access</A></H3>
<P>Following are suggestions for managing AFS administrative
privilege:
<UL>
<P><LI>Create an administrative account for each administrator named something
like <VAR>username</VAR><B>.admin</B>. Administrators
authenticate under these identities only when performing administrative tasks,
and destroy the administrative tokens immediately after finishing the task
(either by issuing the <B>unlog</B> command, or the <B>klog</B>
command to adopt their regular identity).
<P><LI>Set a short ticket lifetime for administrator accounts (for example, 20
minutes) by using the <B>-lifetime</B> argument to the <B>kas
setfields</B> command, which is described in the <I>IBM AFS Administration
Reference</I>. Do not however, use a short lifetime for users who
issue long-running <B>backup</B> commands.
<P><LI>Limit the number of system administrators in your cell, especially those
who belong to the <B>system:administrators</B> group. By
default they have all ACL rights on all directories in the local AFS
filespace, and therefore must be trusted not to examine private files.
<P><LI>Limit the use of system administrator accounts on machines in public
areas. It is especially important not to leave such machines unattended
without first destroying the administrative tokens.
<P><LI>Limit the use by administrators of standard UNIX commands that make
connections to remote machines (such as the <B>telnet</B> utility).
Many of these programs send passwords across the network without encrypting
them.
</UL>
<A NAME="IDX2683"></A>
<A NAME="IDX2684"></A>
<A NAME="IDX2685"></A>
<P><H3><A NAME="HDRWQ96" HREF="auqbg002.htm#ToC_95">Protecting Sensitive AFS Directories</A></H3>
<P>Some subdirectories of the <B>/usr/afs</B> directory
contain files crucial to cell security. Unauthorized users must not
read or write to these files because of the potential for misuse of the
information they contain.
<P>As the BOS Server initializes for the first time on a server machine, it
creates several files and directories (as mentioned in <A HREF="#HDRWQ50">Starting the BOS Server</A>). It sets their owner to the local superuser
<B>root</B> and sets their mode bits to enable writing by the owner
only; in some cases, it also restricts reading.
<P>At each subsequent restart, the BOS Server checks that the owner and mode
bits on these files are still set appropriately. If they are not, it
write the following message to the <B>/usr/afs/logs/BosLog</B> file:
<PRE>   
   Bosserver reports inappropriate access on server directories   
</PRE>
<P>The BOS Server does not reset the mode bits, which enables you to set
alternate values if you wish.
<P>The following charts lists the expected mode bit settings. A
question mark indicates that the BOS Server does not check that mode
bit.
<BR>
<TABLE WIDTH="100%">
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwxr</TT>?<TT>xr-x</TT>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/backup</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwx</TT>???<TT>---</TT>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/bin</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwxr</TT>?<TT>xr-x</TT>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/db</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwx</TT>???<TT>---</TT>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/etc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwxr</TT>?<TT>xr-x</TT>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/etc/KeyFile</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>-rw</TT>????<TT>---</TT>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/etc/UserList</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>-rw</TT>?????<TT>--</TT>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/local</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwx</TT>???<TT>---</TT>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/logs</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwxr</TT>?<TT>xr-x</TT>
</TD></TR></TABLE>
<P>
<A NAME="IDX2686"></A>
<A NAME="IDX2687"></A>
<HR><H2><A NAME="HDRWQ98" HREF="auqbg002.htm#ToC_96">Removing Client Functionality</A></H2>
<P>Follow the instructions in this section only if you do not
wish this machine to remain an AFS client. Removing client
functionality means that you cannot use this machine to access AFS
files.
<OL TYPE=1>
<P><LI>Remove the files from the <B>/usr/vice/etc</B> directory. The
command does not remove the directory for files used by the dynamic kernel
loader program, if it exists on this system type. Those files are still
needed on a server-only machine.
<PRE>    
   # <B>cd /usr/vice/etc</B>
   
   # <B>rm  * </B>
   
   # <B>rm -rf  C</B>
   
</PRE>
<P><LI>Create symbolic links to the <B>ThisCell</B> and <B>CellServDB</B>
files in the <B>/usr/afs/etc</B> directory. This makes it possible
to issue commands from the AFS command suites (such as <B>bos</B> and
<B>fs</B>) on this machine. 
<PRE>     
   # <B>ln -s /usr/afs/etc/ThisCell ThisCell</B>
   
   # <B>ln -s /usr/afs/etc/CellServDB CellServDB</B>
   
</PRE>
<P><LI>On IRIX systems, issue the <B>chkconfig</B> command to deactivate the
<B>afsclient</B> configuration variable. 
<PRE>   
   # <B>/etc/chkconfig -f afsclient off</B>
   
</PRE>
<P><LI>Reboot the machine. Most system types use the <B>shutdown</B>
command, but the appropriate options vary.
<PRE>   
   # <B>cd /</B>
   
   # <B>shutdown</B> <VAR>appropriate_options</VAR>
   
</PRE>
</OL>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auqbg002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auqbg004.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Top_Of_Page"><IMG SRC="../top.gif" BORDER="0" ALT="[Top of Topic]"></A> <A HREF="auqbg006.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auqbg009.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P> 
<!-- Begin Footer Records  ========================================== -->
<P><HR><B> 
<br>&#169; <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A>  All Rights Reserved 
</B> 
<!-- End Footer Records  ============================================ -->
<A NAME="Bot_Of_Page"></A>
</BODY></HTML>