1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 4//EN">
3 <TITLE>Quick Beginnings</TITLE>
4 <!-- Begin Header Records ========================================== -->
5 <!-- /tmp/idwt3574/auqbg000.scr converted by idb2h R4.2 (359) ID -->
6 <!-- Workbench Version (AIX) on 2 Oct 2000 at 12:25:35 -->
7 <META HTTP-EQUIV="updated" CONTENT="Mon, 02 Oct 2000 12:25:35">
8 <META HTTP-EQUIV="review" CONTENT="Tue, 02 Oct 2001 12:25:35">
9 <META HTTP-EQUIV="expires" CONTENT="Wed, 02 Oct 2002 12:25:35">
11 <!-- (C) IBM Corporation 2000. All Rights Reserved -->
12 <BODY bgcolor="ffffff">
13 <!-- End Header Records ============================================ -->
14 <A NAME="Top_Of_Page"></A>
15 <H1>Quick Beginnings</H1>
16 <HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auqbg002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auqbg004.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Bot_Of_Page"><IMG SRC="../bot.gif" BORDER="0" ALT="[Bottom of Topic]"></A> <A HREF="auqbg006.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auqbg009.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
18 <A NAME="IDX2218"></A>
19 <A NAME="IDX2219"></A>
20 <A NAME="IDX2220"></A>
21 <HR><H1><A NAME="HDRWQ17" HREF="auqbg002.htm#ToC_28">Installing the First AFS Machine</A></H1>
22 <P>This chapter describes how to install the first AFS machine
23 in your cell, configuring it as both a file server machine and a client
24 machine. After completing all procedures in this chapter, you can
25 remove the client functionality if you wish, as described in <A HREF="#HDRWQ98">Removing Client Functionality</A>.
26 <P>To install additional file server machines after completing this chapter,
27 see <A HREF="auqbg006.htm#HDRWQ99">Installing Additional Server Machines</A>.
28 <P>To install additional client machines after completing this chapter, see <A HREF="auqbg007.htm#HDRWQ133">Installing Additional Client Machines</A>.
29 <A NAME="IDX2221"></A>
30 <HR><H2><A NAME="Header_29" HREF="auqbg002.htm#ToC_29">Requirements and Configuration Decisions</A></H2>
31 <P>The instructions in this chapter assume that you meet the following
34 <P><LI>You are logged onto the machine's console as the local superuser
36 <P><LI>A standard version of one of the operating systems supported by the
37 current version of AFS is running on the machine
38 <P><LI>You can access the data on the AFS CD-ROMs, either through a local CD
39 drive or via an NFS mount of a CD drive attached to a machine that is
42 <P>You must make the following configuration decisions while installing the
43 first AFS machine. To speed the installation itself, it is best to make
44 the decisions before beginning. See the chapter in the <I>IBM AFS
45 Administration Guide</I> about issues in cell administration and
46 configuration for detailed guidelines.
47 <A NAME="IDX2222"></A>
48 <A NAME="IDX2223"></A>
49 <A NAME="IDX2224"></A>
51 <P><LI>Select the first AFS machine
52 <P><LI>Select the cell name
53 <P><LI>Decide which partitions or logical volumes to configure as AFS server
54 partitions, and choose the directory names on which to mount them
55 <P><LI>Decide whether to use the standard AFS authentication and authorization
56 software or Kerberos as obtained from another source. On several system
57 types, the decision determines how you incorporate AFS into the machine's
58 authentication system. If you wish to use Kerberos, contact the AFS
59 Product Support group now to learn about how you must modify the installation
61 <P><LI>Decide how big to make the client cache
62 <P><LI>Decide how to configure the top levels of your cell's AFS filespace
64 <P>This chapter is divided into three large sections corresponding to the
65 three parts of installing the first AFS machine. Perform all of the
66 steps in the order they appear. Each functional section begins with a
67 summary of the procedures to perform. The sections are as
70 <P><LI>Installing server functionality (begins in <A HREF="#HDRWQ18">Overview: Installing Server Functionality</A>)
71 <P><LI>Installing client functionality (begins in <A HREF="#HDRWQ63">Overview: Installing Client Functionality</A>)
72 <P><LI>Configuring your cell's filespace, establishing further security
73 mechanisms, and enabling access to foreign cells (begins in <A HREF="#HDRWQ71">Overview: Completing the Installation of the First AFS Machine</A>)
75 <A NAME="IDX2225"></A>
76 <A NAME="IDX2226"></A>
77 <A NAME="IDX2227"></A>
78 <HR><H2><A NAME="HDRWQ18" HREF="auqbg002.htm#ToC_30">Overview: Installing Server Functionality</A></H2>
79 <P>In the first phase of installing your cell's first AFS
80 machine, you install file server and database server functionality by
81 performing the following procedures:
83 <P><LI>Choose which machine to install as the first AFS machine
84 <P><LI>Create AFS-related directories on the local disk
85 <P><LI>Incorporate AFS modifications into the machine's kernel
86 <P><LI>Configure partitions or logical volumes for storing AFS volumes
87 <P><LI>On some system types, install and configure an AFS-modified version of the
89 <P><LI>If the machine is to remain a client machine, incorporate AFS into its
91 <P><LI>Start the Basic OverSeer (BOS) Server
92 <P><LI>Define the cell name and the machine's cell membership
93 <P><LI>Start the database server processes: Authentication Server, Backup
94 Server, Protection Server, and Volume Location (VL) Server
95 <P><LI>Configure initial security mechanisms
96 <P><LI>Start the <B>fs</B> process, which incorporates three component
97 processes: the File Server, Volume Server, and Salvager
98 <P><LI>Start the server portion of the Update Server
99 <P><LI>Start the controller process (called <B>runntp</B>) for the Network
100 Time Protocol Daemon, which synchronizes machine clocks
102 <HR><H2><A NAME="HDRWQ19" HREF="auqbg002.htm#ToC_31">Choosing the First AFS Machine</A></H2>
103 <P>The first AFS machine you install must have sufficient disk
104 space to store AFS volumes. To take best advantage of AFS's
105 capabilities, store client-side binaries as well as user files in
106 volumes. When you later install additional file server machines in your
107 cell, you can distribute these volumes among the different machines as you see
109 <P>These instructions configure the first AFS machine as a <I>database
110 server machine</I>, the <I>binary distribution machine</I> for its
111 system type, and the cell's <I>system control machine</I>. For
112 a description of these roles, see the <I>IBM AFS Administration
114 <P>Installation of additional machines is simplest if the first machine has
115 the lowest IP address of any database server machine you currently plan to
116 install. If you later install database server functionality on a
117 machine with a lower IP address, you must first update the
118 <B>/usr/vice/etc/CellServDB</B> file on all of your cell's client
119 machines. For more details, see <A HREF="auqbg006.htm#HDRWQ114">Installing Database Server Functionality</A>.
120 <HR><H2><A NAME="Header_32" HREF="auqbg002.htm#ToC_32">Creating AFS Directories</A></H2>
121 <A NAME="IDX2228"></A>
122 <A NAME="IDX2229"></A>
123 <A NAME="IDX2230"></A>
124 <A NAME="IDX2231"></A>
125 <A NAME="IDX2232"></A>
126 <A NAME="IDX2233"></A>
127 <A NAME="IDX2234"></A>
128 <A NAME="IDX2235"></A>
129 <A NAME="IDX2236"></A>
130 <A NAME="IDX2237"></A>
131 <A NAME="IDX2238"></A>
132 <P>Create the <B>/usr/afs</B> and <B>/usr/vice/etc</B> directories on
133 the local disk, to house server and client files respectively.
134 Subsequent instructions copy files from the AFS CD-ROM into them.
135 Create the <B>/cdrom</B> directory as a mount point for CD-ROMs, if it
136 does not already exist.
138 # <B>mkdir /usr/afs</B>
140 # <B>mkdir /usr/vice</B>
142 # <B>mkdir /usr/vice/etc</B>
144 # <B>mkdir /cdrom</B>
147 <HR><H2><A NAME="HDRWQ20" HREF="auqbg002.htm#ToC_33">Performing Platform-Specific Procedures</A></H2>
148 <P>Several of the initial procedures for installing a file
149 server machine differ for each system type. For convenience, the
150 following sections group them together for each system type:
152 <A NAME="IDX2239"></A>
153 <A NAME="IDX2240"></A>
154 <A NAME="IDX2241"></A>
155 <P><LI>Incorporate AFS modifications into the kernel.
156 <P>The kernel on every AFS file server and client machine must incorporate AFS
157 extensions. On machines that use a dynamic kernel module loader, it is
158 conventional to alter the machine's initialization script to load the AFS
159 extensions at each reboot.
160 <A NAME="IDX2242"></A>
161 <A NAME="IDX2243"></A>
162 <A NAME="IDX2244"></A>
163 <A NAME="IDX2245"></A>
164 <A NAME="IDX2246"></A>
165 <A NAME="IDX2247"></A>
166 <A NAME="IDX2248"></A>
167 <P><LI>Configure server partitions or logical volumes to house AFS
169 <P>Every AFS file server machine must have at least one partition or logical
170 volume dedicated to storing AFS volumes (for convenience, the documentation
171 hereafter refers to partitions only). Each server partition is mounted
172 at a directory named <B>/vicep</B><VAR>xx</VAR>, where <VAR>xx</VAR> is one or
173 two lowercase letters. By convention, the first 26 partitions are
174 mounted on the directories called <B>/vicepa</B> through
175 <B>/vicepz</B>, the 27th one is mounted on the <B>/vicepaa</B>
176 directory, and so on through <B>/vicepaz</B> and <B>/vicepba</B>,
177 continuing up to the index corresponding to the maximum number of server
178 partitions supported in the current version of AFS (which is specified in the
179 <I>IBM AFS Release Notes</I>).
180 <P>The <B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
181 machine's root directory, not in one of its subdirectories (for example,
182 <B>/usr/vicepa</B> is not an acceptable directory location).
183 <P>You can also add or remove server partitions on an existing file server
184 machine. For instructions, see the chapter in the <I>IBM AFS
185 Administration Guide</I> about maintaining server machines.
186 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Not all file system types supported by an operating system are necessarily
187 supported as AFS server partitions. For possible restrictions, see the
188 <I>IBM AFS Release Notes</I>.
190 <P><LI>On some system types, install and configure a modified <B>fsck</B>
191 program which recognizes the structures that the File Server uses to organize
192 volume data on AFS server partitions. The <B>fsck</B> program
193 provided with the operating system does not understand the AFS data
194 structures, and so removes them to the <B>lost+found</B> directory.
195 <P><LI>If the machine is to remain an AFS client machine, modify the
196 machine's authentication system so that users obtain an AFS token as they
197 log into the local file system. Using AFS is simpler and more
198 convenient for your users if you make the modifications on all client
199 machines. Otherwise, users must perform a two-step login procedure
200 (login to the local file system and then issue the <B>klog</B>
201 command). For further discussion of AFS authentication, see the chapter
202 in the <I>IBM AFS Administration Guide</I> about cell configuration and
203 administration issues.
205 <P>To continue, proceed to the appropriate section:
207 <P><LI><A HREF="#HDRWQ21">Getting Started on AIX Systems</A>
208 <P><LI><A HREF="#HDRWQ26">Getting Started on Digital UNIX Systems</A>
209 <P><LI><A HREF="#HDRWQ31">Getting Started on HP-UX Systems</A>
210 <P><LI><A HREF="#HDRWQ36">Getting Started on IRIX Systems</A>
211 <P><LI><A HREF="#HDRWQ41">Getting Started on Linux Systems</A>
212 <P><LI><A HREF="#HDRWQ45">Getting Started on Solaris Systems</A>
214 <HR><H2><A NAME="HDRWQ21" HREF="auqbg002.htm#ToC_34">Getting Started on AIX Systems</A></H2>
215 <P>Begin by running the AFS initialization script to call the
216 AIX kernel extension facility, which dynamically loads AFS modifications into
217 the kernel. Then use the <B>SMIT</B> program to configure
218 partitions for storing AFS volumes, and replace the AIX <B>fsck</B>
219 program helper with a version that correctly handles AFS volumes. If
220 the machine is to remain an AFS client machine, incorporate AFS into the AIX
221 secondary authentication system.
222 <A NAME="IDX2249"></A>
223 <A NAME="IDX2250"></A>
224 <A NAME="IDX2251"></A>
225 <A NAME="IDX2252"></A>
226 <P><H3><A NAME="HDRWQ22" HREF="auqbg002.htm#ToC_35">Loading AFS into the AIX Kernel</A></H3>
227 <P>The AIX kernel extension facility is the dynamic kernel
228 loader provided by IBM Corporation. AIX does not support incorporation
229 of AFS modifications during a kernel build.
230 <P>For AFS to function correctly, the kernel extension facility must run each
231 time the machine reboots, so the AFS initialization script (included in the
232 AFS distribution) invokes it automatically. In this section you copy
233 the script to the conventional location and edit it to select the appropriate
234 options depending on whether NFS is also to run.
235 <P>After editing the script, you run it to incorporate AFS into the
236 kernel. In later sections you verify that the script correctly
237 initializes all AFS components, then configure the AIX <B>inittab</B> file
238 so that the script runs automatically at reboot.
240 <P><LI>Mount the AFS CD-ROM for AIX on the local <B>/cdrom</B>
241 directory. For instructions on mounting CD-ROMs (either locally or
242 remotely via NFS), see your AIX documentation. Then change directory as
245 # <B>cd /cdrom/rs_aix42/root.client/usr/vice/etc</B>
248 <P><LI>Copy the AFS kernel library files to the local
249 <B>/usr/vice/etc/dkload</B> directory, and the AFS initialization script
250 to the <B>/etc</B> directory.
252 # <B>cp -rp dkload /usr/vice/etc</B>
254 # <B>cp -p rc.afs /etc/rc.afs</B>
257 <P><LI>Edit the <B>/etc/rc.afs</B> script, setting the <TT>NFS</TT>
258 variable as indicated.
259 <P>If the machine is not to function as an NFS/AFS Translator, set the
260 <TT>NFS</TT> variable as follows.
264 <P>If the machine is to function as an NFS/AFS Translator and is running AIX
265 4.2.1 or higher, set the <TT>NFS</TT> variable as
266 follows. Note that NFS must already be loaded into the kernel, which
267 happens automatically on systems running AIX 4.1.1 and later, as
268 long as the file <B>/etc/exports</B> exists.
273 <P><LI>Invoke the <B>/etc/rc.afs</B> script to load AFS modifications
274 into the kernel. You can ignore any error messages about the inability
275 to start the BOS Server or the Cache Manager or AFS client.
281 <A NAME="IDX2253"></A>
282 <A NAME="IDX2254"></A>
283 <A NAME="IDX2255"></A>
284 <A NAME="IDX2256"></A>
285 <P><H3><A NAME="HDRWQ23" HREF="auqbg002.htm#ToC_36">Configuring Server Partitions on AIX Systems</A></H3>
286 <P>Every AFS file server machine must have at least one
287 partition or logical volume dedicated to storing AFS volumes. Each
288 server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
289 where <VAR>xx</VAR> is one or two lowercase letters. The
290 <B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
291 machine's root directory, not in one of its subdirectories (for example,
292 <B>/usr/vicepa</B> is not an acceptable directory location). For
293 additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
294 <P>To configure server partitions on an AIX system, perform the following
297 <P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
298 partition you are configuring (there must be at least one). Repeat the
299 command for each partition.
301 # <B>mkdir /vicep</B><VAR>xx</VAR>
304 <P><LI>Use the <B>SMIT</B> program to create a journaling file system on each
305 partition to be configured as an AFS server partition.
306 <P><LI>Mount each partition at one of the <B>/vicep</B><VAR>xx</VAR>
307 directories. Choose one of the following three methods:
309 <P><LI>Use the <B>SMIT</B> program
310 <P><LI>Use the <B>mount -a</B> command to mount all partitions at once
311 <P><LI>Use the <B>mount</B> command on each partition in turn
313 <P>Also configure the partitions so that they are mounted automatically at
314 each reboot. For more information, refer to the AIX
317 <A NAME="IDX2257"></A>
318 <A NAME="IDX2258"></A>
319 <A NAME="IDX2259"></A>
320 <A NAME="IDX2260"></A>
321 <P><H3><A NAME="HDRWQ24" HREF="auqbg002.htm#ToC_37">Replacing the fsck Program Helper on AIX Systems</A></H3>
322 <P>In this section, you make modifications to guarantee that the
323 appropriate <B>fsck</B> program runs on AFS server partitions. The
324 <B>fsck</B> program provided with the operating system must never run on
325 AFS server partitions. Because it does not recognize the structures
326 that the File Server uses to organize volume data, it removes all of the
328 <P><B>Never run the standard fsck program on AFS server partitions.
329 It discards AFS volumes.</B>
330 <P>On AIX systems, you do not replace the <B>fsck</B> binary itself, but
331 rather the <I>program helper</I> file included in the AIX distribution as
332 <B>/sbin/helpers/v3fshelper</B>.
334 <P><LI>Move the AIX <B>fsck</B> program helper to a safe location and install
335 the version from the AFS distribution in its place. The AFS CD-ROM must
336 still be mounted at the <B>/cdrom</B> directory.
338 # <B>cd /sbin/helpers</B>
340 # <B>mv v3fshelper v3fshelper.noafs</B>
342 # <B>cp -p /cdrom/rs_aix42/root.server/etc/v3fshelper v3fshelper</B>
346 <P><LI>If you plan to retain client functionality on this machine after
347 completing the installation, proceed to <A HREF="#HDRWQ25">Enabling AFS Login on AIX Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
349 <A NAME="IDX2261"></A>
350 <A NAME="IDX2262"></A>
351 <A NAME="IDX2263"></A>
352 <A NAME="IDX2264"></A>
353 <A NAME="IDX2265"></A>
354 <P><H3><A NAME="HDRWQ25" HREF="auqbg002.htm#ToC_38">Enabling AFS Login on AIX Systems</A></H3>
355 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
356 after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
358 <P>Follow the instructions in this section to incorporate AFS modifications
359 into the AIX secondary authentication system.
361 <P><LI>Issue the <B>ls</B> command to verify that the
362 <B>afs_dynamic_auth</B> and <B>afs_dynamic_kerbauth</B> programs are
363 installed in the local <B>/usr/vice/etc</B> directory.
365 # <B>ls /usr/vice/etc</B>
367 <P>If the files do not exist, mount the AFS CD-ROM for AIX (if it is not
368 already), change directory as indicated, and copy them.
370 # <B>cd /cdrom/rs_aix42/root.client/usr/vice/etc</B>
372 # <B>cp -p afs_dynamic* /usr/vice/etc</B>
375 <P><LI>Edit the local <B> /etc/security/user</B> file, making changes to the
378 <P><LI>In the default stanza, set the <TT>registry</TT> attribute to
379 <B>DCE</B> (not to <B>AFS</B>), as follows:
384 <P><LI>In the default stanza, set the <TT>SYSTEM</TT> attribute as
386 <P>If the machine is an AFS client only, set the following value:
388 SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"
390 <P>If the machine is both an AFS and a DCE client, set the following value (it
391 must appear on a single line in the file):
393 SYSTEM = "DCE OR DCE[UNAVAIL] OR AFS OR (AFS[UNAVAIL] \
394 AND compat[SUCCESS])"
397 <P><LI>In the <TT>root</TT> stanza, set the <TT>registry</TT> attribute as
398 follows. It enables the local superuser <B>root</B> to log into the
399 local file system only, based on the password listed in the local password
407 <P><LI>Edit the local <B>/etc/security/login.cfg</B> file, creating or
408 editing the indicated stanzas:
410 <P><LI>In the <TT>DCE</TT> stanza, set the <TT>program</TT> attribute as
412 <P>If you use the AFS Authentication Server (<B>kaserver</B>
416 program = /usr/vice/etc/afs_dynamic_auth
418 <P>If you use a Kerberos implementation of AFS authentication:
421 program = /usr/vice/etc/afs_dynamic_kerbauth
424 <P><LI>In the <TT>AFS</TT> stanza, set the <TT>program</TT> attribute as
426 <P>If you use the AFS Authentication Server (<B>kaserver</B>
430 program = /usr/vice/etc/afs_dynamic_auth
432 <P>If you use a Kerberos implementation of AFS authentication:
435 program = /usr/vice/etc/afs_dynamic_kerbauth
439 <P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
440 additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
442 <HR><H2><A NAME="HDRWQ26" HREF="auqbg002.htm#ToC_39">Getting Started on Digital UNIX Systems</A></H2>
443 <P>Begin by either building AFS modifications into a new static
444 kernel or by setting up to dynamically load the AFS kernel module. Then create
445 partitions for storing AFS volumes, and replace the Digital UNIX
446 <B>fsck</B> program with a version that correctly handles AFS
447 volumes. If the machine is to remain an AFS client machine, incorporate
448 AFS into the machine's Security Integration Architecture (SIA)
450 <A NAME="IDX2266"></A>
451 <A NAME="IDX2267"></A>
452 <A NAME="IDX2268"></A>
453 <A NAME="IDX2269"></A>
454 <P><H3><A NAME="HDRWQ27a" HREF="auqbg002.htm#ToC_40a">Loading AFS into the Digital UNIX Kernel</A></H3>
455 <P>The <B>sysconfig</B> program is the dynamic kernel loader provided
456 for Digital UNIX systems.
457 <P>For AFS to function correctly, the <B>sysconfig</B> program must run each
458 time the machine reboots, so the AFS initialization script (included on the
459 AFS CD-ROM) invokes it automatically. In this section you copy the
460 appropriate AFS library file to the location where the <B>sysconfig</B>
461 program accesses it and then run the script.
462 <P>Mount the AFS CD-ROM for Digital UNIX on the local <B>/cdrom</B>
463 directory. For instructions on mounting CD-ROMs (either locally or
464 remotely via NFS), see your Digital UNIX documentation. Then change
465 directory as indicated.
467 # <B>cd /cdrom/alpha_dux40/root.client</B>
470 <P>Copy the AFS initialization script to the local directory for
471 initialization files (by convention, <B>/sbin/init.d</B> on Digital
472 UNIX machines). Note the removal of the <B>.rc</B> extension
473 as you copy the script.
475 # <B>cp usr/vice/etc/afs.rc /sbin/init.d/afs</B>
478 <P>Copy the AFS kernel module to the local <B>/subsys</B>
481 # <B>cp bin/afs.mod /subsys/afs.mod</B>
483 <P>Set up the system to load the module at startup.
485 # <B>/sbin/init.d/autosysconfig add afs</B>
487 <P>Reboot the machine to start using the new kernel, and login again as the
488 superuser <B>root</B>.
492 # <B>shutdown -r now</B>
495 Password: <VAR>root_password</VAR>
498 <P><H3><A NAME="HDRWQ27" HREF="auqbg002.htm#ToC_40">Building AFS into the Digital UNIX Kernel</A></H3>
499 <P>Use the following instructions to build AFS modifications
500 into the kernel on a Digital UNIX system.
502 <P><LI>Create a copy called <B>AFS</B> of the basic kernel configuration file
503 included in the Digital UNIX distribution as
504 <B>/usr/sys/conf/</B><VAR>machine_name</VAR>, where <VAR>machine_name</VAR> is
505 the machine's hostname in all uppercase letters.
507 # <B>cd /usr/sys/conf</B>
509 # <B>cp</B> <VAR>machine_name</VAR> <B>AFS</B>
512 <P><LI>Add AFS to the list of options in the configuration file you created in
513 the previous step, so that the result looks like the following:
523 <P><LI>Add an entry for AFS to two places in the file
524 <B>/usr/sys/conf/files</B>.
526 <P><LI>Add a line for AFS to the list of <TT>OPTIONS</TT>, so that the result
527 looks like the following:
530 OPTIONS/nfs optional nfs
531 OPTIONS/afs optional afs
532 OPTIONS/nfs_server optional nfs_server
537 <P><LI>Add an entry for AFS to the list of <TT>MODULES</TT>, so that the result
538 looks like the following:
542 MODULE/nfs_server optional nfs_server Binary
543 nfs/nfs_server.c module nfs_server optimize -g3
544 nfs/nfs3_server.c module nfs_server optimize -g3
546 MODULE/afs optional afs Binary
547 afs/libafs.c module afs
552 <P><LI>Add an entry for AFS to two places in the file
553 <B>/usr/sys/vfs/vfs_conf.c</B>.
555 <P><LI>Add AFS to the list of defined file systems, so that the result looks like
560 #if defined(AFS) && AFS
561 extern struct vfsops afs_vfsops;
567 <P><LI>Put a declaration for AFS in the <B>vfssw[]</B> table's
568 MOUNT_ADDON slot, so that the result looks like the following:
571 &fdfs_vfsops, "fdfs", /* 12 = MOUNT_FDFS */
573 &afs_vfsops, "afs",
575 (struct vfsops *)0, "", /* 13 = MOUNT_ADDON */
577 #if NFS && INFS_DYNAMIC
578 &nfs3_vfsops, "nfsv3", /* 14 = MOUNT_NFS3 */
582 <P><LI>Mount the AFS CD-ROM for Digital UNIX on the local <B>/cdrom</B>
583 directory. For instructions on mounting CD-ROMs (either locally or
584 remotely via NFS), see your Digital UNIX documentation. Then change
585 directory as indicated.
587 # <B>cd /cdrom/alpha_dux40/root.client</B>
590 <P><LI>Copy the AFS initialization script to the local directory for
591 initialization files (by convention, <B>/sbin/init.d</B> on Digital
592 UNIX machines). Note the removal of the <B>.rc</B> extension
593 as you copy the script.
595 # <B>cp usr/vice/etc/afs.rc /sbin/init.d/afs</B>
598 <P><LI>Copy the AFS kernel module to the local <B>/usr/sys/BINARY</B>
600 <P>If the machine's kernel supports NFS server functionality and is to be
601 used as an NFS translator:
603 # <B>cp bin/libafs.o /usr/sys/BINARY/afs.mod</B>
605 <P>If the machine's kernel does not support NFS server functionality
606 or is not to be used as an NFS translator:
608 # <B>cp bin/libafs.nonfs.o /usr/sys/BINARY/afs.mod</B>
611 <P><LI>Configure and build the kernel. Respond to any prompts by pressing
612 <<B>Return</B>>. The resulting kernel resides in the file
613 <B>/sys/AFS/vmunix</B>.
615 # <B>doconfig -c AFS</B>
618 <P><LI>Rename the existing kernel file and copy the new, AFS-modified file to the
621 # <B>mv /vmunix /vmunix_noafs</B>
623 # <B>cp /sys/AFS/vmunix /vmunix</B>
626 <P><LI>Reboot the machine to start using the new kernel, and login again as the
627 superuser <B>root</B>.
631 # <B>shutdown -r now</B>
634 Password: <VAR>root_password</VAR>
638 <A NAME="IDX2270"></A>
639 <A NAME="IDX2271"></A>
640 <A NAME="IDX2272"></A>
641 <A NAME="IDX2273"></A>
642 <P><H3><A NAME="HDRWQ28" HREF="auqbg002.htm#ToC_41">Configuring Server Partitions on Digital UNIX Systems</A></H3>
643 <P>Every AFS file server machine must have at least one
644 partition or logical volume dedicated to storing AFS volumes. Each
645 server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
646 where <VAR>xx</VAR> is one or two lowercase letters. The
647 <B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
648 machine's root directory, not in one of its subdirectories (for example,
649 <B>/usr/vicepa</B> is not an acceptable directory location). For
650 additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
652 <P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
653 partition you are configuring (there must be at least one). Repeat the
654 command for each partition.
656 # <B>mkdir /vicep</B><VAR>xx</VAR>
659 <P><LI>Add a line with the following format to the file systems registry file,
660 <B>/etc/fstab</B>, for each directory just created. The entry maps
661 the directory name to the disk partition to be mounted on it.
663 /dev/<VAR>disk</VAR> /vicep<VAR>xx</VAR> ufs rw 0 2
665 <P>The following is an example for the first partition being
668 /dev/rz3a /vicepa ufs rw 0 2
671 <P><LI>Create a file system on each partition that is to be mounted at a
672 <B>/vicep</B><VAR>xx</VAR> directory. The following command is
673 probably appropriate, but consult the Digital UNIX documentation for more
676 #<B> newfs -v /dev/</B><VAR>disk</VAR>
679 <P><LI>Mount each partition by issuing either the <B>mount -a</B> command to
680 mount all partitions at once or the <B>mount</B> command to mount each
683 <A NAME="IDX2274"></A>
684 <A NAME="IDX2275"></A>
685 <A NAME="IDX2276"></A>
686 <A NAME="IDX2277"></A>
687 <P><H3><A NAME="HDRWQ29" HREF="auqbg002.htm#ToC_42">Replacing the fsck Program on Digital UNIX Systems</A></H3>
688 <P>In this section, you make modifications to guarantee that the
689 appropriate <B>fsck</B> program runs on AFS server partitions. The
690 <B>fsck</B> program provided with the operating system must never run on
691 AFS server partitions. Because it does not recognize the structures
692 that the File Server uses to organize volume data, it removes all of the
694 <P><B>Never run the standard fsck program on AFS server partitions.
695 It discards AFS volumes.</B>
696 <P>On Digital UNIX systems, the files <B>/sbin/fsck</B> and
697 <B>/usr/sbin/fsck</B> are driver programs. Rather than replacing
698 either of them, you replace the actual binary included in the Digital UNIX
699 distribution as <B>/sbin/ufs_fsck</B> and
700 <B>/usr/sbin/ufs_fsck</B>.
702 <P><LI>Install the <B>vfsck</B> binary to the <B>/sbin</B> and
703 <B>/usr/sbin</B> directories. The AFS CD-ROM must still be mounted
704 at the <B>/cdrom</B> directory.
706 # <B>cd /cdrom/alpha_dux40/root.server/etc</B>
708 # <B>cp vfsck /sbin/vfsck</B>
710 # <B>cp vfsck /usr/sbin/vfsck</B>
713 <P><LI>Rename the Digital UNIX <B>fsck</B> binaries and create symbolic links
714 to the <B>vfsck</B> program.
718 # <B>mv ufs_fsck ufs_fsck.noafs</B>
720 # <B>ln -s vfsck ufs_fsck</B>
722 # <B>cd /usr/sbin</B>
724 # <B>mv ufs_fsck ufs_fsck.noafs</B>
726 # <B>ln -s vfsck ufs_fsck</B>
729 <P><LI>If you plan to retain client functionality on this machine after
730 completing the installation, proceed to <A HREF="#HDRWQ30">Enabling AFS Login on Digital UNIX Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
732 <A NAME="IDX2278"></A>
733 <A NAME="IDX2279"></A>
734 <A NAME="IDX2280"></A>
735 <A NAME="IDX2281"></A>
736 <A NAME="IDX2282"></A>
737 <A NAME="IDX2283"></A>
738 <P><H3><A NAME="HDRWQ30" HREF="auqbg002.htm#ToC_43">Enabling AFS Login on Digital UNIX Systems</A></H3>
739 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
740 after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
742 <P>On Digital UNIX systems, the AFS initialization script automatically
743 incorporates the AFS authentication library file into the Security Integration
744 Architecture (SIA) matrix on the machine, so that users with AFS accounts
745 obtain a token at login. In this section you copy the library file to
746 the appropriate location.
747 <P>For more information on SIA, see the Digital UNIX reference page for
748 <B>matrix.conf</B>, or consult the section on security in your
749 Digital UNIX documentation.
750 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If the machine runs both the DCE and AFS client software, AFS must start
751 after DCE. Consult the AFS initialization script for suggested symbolic
752 links to create for correct ordering. Also, the system startup script
753 order must initialize SIA before any long-running process that uses
756 <P>Perform the following steps to enable AFS login.
758 <P><LI>Mount the AFS CD-ROM for Digital UNIX on the local <B>/cdrom</B>
759 directory, if it is not already. Change directory as indicated.
761 # <B>cd /cdrom/alpha_dux40/lib/afs</B>
764 <P><LI>Copy the appropriate AFS authentication library file to the local
765 <B>/usr/shlib</B> directory.
766 <P>If you use the AFS Authentication Server (<B>kaserver</B> process) in
769 # <B>cp libafssiad.so /usr/shlib</B>
771 <P>If you use a Kerberos implementation of AFS authentication, rename the
772 library file as you copy it:
774 # <B>cp libafssiad.krb.so /usr/shlib/libafssiad.so</B>
777 <P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
778 additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
780 <HR><H2><A NAME="HDRWQ31" HREF="auqbg002.htm#ToC_44">Getting Started on HP-UX Systems</A></H2>
781 <P>Begin by building AFS modifications into a new kernel;
782 HP-UX does not support dynamic loading. Then create partitions for
783 storing AFS volumes, and install and configure the AFS-modified
784 <B>fsck</B> program to run on AFS server partitions. If the machine
785 is to remain an AFS client machine, incorporate AFS into the machine's
786 Pluggable Authentication Module (PAM) scheme.
787 <A NAME="IDX2284"></A>
788 <A NAME="IDX2285"></A>
789 <A NAME="IDX2286"></A>
790 <A NAME="IDX2287"></A>
791 <P><H3><A NAME="HDRWQ32" HREF="auqbg002.htm#ToC_45">Building AFS into the HP-UX Kernel</A></H3>
792 <P>Use the following instructions to build AFS modifications
793 into the kernel on an HP-UX system.
795 <P><LI>Move the existing kernel-related files to a safe location.
797 # <B>cp /stand/vmunix /stand/vmunix.noafs</B>
799 # <B>cp /stand/system /stand/system.noafs</B>
802 <P><LI>Mount the AFS CD-ROM for HP-UX on the local <B>/cdrom</B>
803 directory. For instructions on mounting CD-ROMs (either locally or
804 remotely via NFS), see your HP-UX documentation. Then change directory
807 # <B>cd /cdrom/hp_ux110/root.client</B>
810 <P><LI>Copy the AFS initialization file to the local directory for initialization
811 files (by convention, <B>/sbin/init.d</B> on HP-UX
812 machines). Note the removal of the <B>.rc</B> extension as
815 # <B>cp usr/vice/etc/afs.rc /sbin/init.d/afs</B>
818 <P><LI>Copy the file <B>afs.driver</B> to the local
819 <B>/usr/conf/master.d</B> directory, changing its name to
820 <B>afs</B> as you do.
822 # <B>cp usr/vice/etc/afs.driver /usr/conf/master.d/afs</B>
825 <P><LI>Copy the AFS kernel module to the local <B>/usr/conf/lib</B>
827 <P>If the machine's kernel supports NFS server functionality and is to be
828 used as an NFS translator:
830 # <B>cp bin/libafs.a /usr/conf/lib</B>
832 <P>If the machine's kernel does not support NFS server functionality
833 or is not to be used as an NFS translator, change the file's name as
836 # <B>cp bin/libafs.nonfs.a /usr/conf/lib/libafs.a</B>
839 <P><LI>Incorporate the AFS driver into the kernel, either using the
840 <B>SAM</B> program or a series of individual commands.
842 <P><LI>To use the <B>SAM</B> program:
844 <P><LI>Invoke the <B>SAM</B> program, specifying the hostname of the local
845 machine as <VAR>local_hostname</VAR>. The <B>SAM</B> graphical user
848 # <B>sam -display</B> <VAR>local_hostname</VAR><B>:0</B>
851 <P><LI>Choose the <B>Kernel Configuration</B> icon, then the
852 <B>Drivers</B> icon. From the list of drivers, select
854 <P><LI>Open the pull-down <B>Actions</B> menu and choose the <B>Add Driver
855 to Kernel</B> option.
856 <P><LI>Open the <B>Actions</B> menu again and choose the <B>Create a New
858 <P><LI>Confirm your choices by choosing <B>Yes</B> and <B>OK</B> when
859 prompted by subsequent pop-up windows. The <B>SAM</B> program
860 builds the kernel and reboots the system.
861 <P><LI>Login again as the superuser <B>root</B>.
864 Password: <VAR>root_password</VAR>
868 <P><LI>To use individual commands:
870 <P><LI>Edit the file <B>/stand/system</B>, adding an entry for <B>afs</B>
871 to the <TT>Subsystems</TT> section.
872 <P><LI>Change to the <B>/stand/build</B> directory and issue the
873 <B>mk_kernel</B> command to build the kernel.
875 # <B>cd /stand/build</B>
880 <P><LI>Move the new kernel to the standard location (<B>/stand/vmunix</B>),
881 reboot the machine to start using it, and login again as the superuser
884 # <B>mv /stand/build/vmunix_test /stand/vmunix</B>
888 # <B>shutdown -r now</B>
891 Password: <VAR>root_password</VAR>
897 <A NAME="IDX2288"></A>
898 <A NAME="IDX2289"></A>
899 <A NAME="IDX2290"></A>
900 <A NAME="IDX2291"></A>
901 <P><H3><A NAME="HDRWQ33" HREF="auqbg002.htm#ToC_46">Configuring Server Partitions on HP-UX Systems</A></H3>
902 <P>Every AFS file server machine must have at least one
903 partition or logical volume dedicated to storing AFS volumes. Each
904 server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
905 where <VAR>xx</VAR> is one or two lowercase letters. The
906 <B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
907 machine's root directory, not in one of its subdirectories (for example,
908 <B>/usr/vicepa</B> is not an acceptable directory location). For
909 additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
911 <P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
912 partition you are configuring (there must be at least one). Repeat the
913 command for each partition.
915 # <B>mkdir /vicep</B><VAR>xx</VAR>
918 <P><LI>Use the <B>SAM</B> program to create a file system on each
919 partition. For instructions, consult the HP-UX documentation.
920 <P><LI>On some HP-UX systems that use logical volumes, the <B>SAM</B> program
921 automatically mounts the partitions. If it has not, mount each
922 partition by issuing either the <B>mount -a</B> command to mount all
923 partitions at once or the <B>mount</B> command to mount each partition in
926 <A NAME="IDX2292"></A>
927 <A NAME="IDX2293"></A>
928 <A NAME="IDX2294"></A>
929 <A NAME="IDX2295"></A>
930 <P><H3><A NAME="HDRWQ34" HREF="auqbg002.htm#ToC_47">Configuring the AFS-modified fsck Program on HP-UX Systems</A></H3>
931 <P>In this section, you make modifications to guarantee that the
932 appropriate <B>fsck</B> program runs on AFS server partitions. The
933 <B>fsck</B> program provided with the operating system must never run on
934 AFS server partitions. Because it does not recognize the structures
935 that the File Server uses to organize volume data, it removes all of the
937 <P><B>Never run the standard fsck program on AFS server partitions.
938 It discards AFS volumes.</B>
939 <P>On HP-UX systems, there are several configuration files to install in
940 addition to the AFS-modified <B>fsck</B> program (the <B>vfsck</B>
943 <P><LI>Create the command configuration file
944 <B>/sbin/lib/mfsconfig.d/afs</B>. Use a text editor to place
945 the indicated two lines in it:
948 fsck 0 m,P,p,d,f,b:c:y,n,Y,N,q,
951 <P><LI>Create and change directory to an AFS-specific command directory called
954 # <B>mkdir /sbin/fs/afs</B>
956 # <B>cd /sbin/fs/afs</B>
959 <P><LI>Copy the AFS-modified version of the <B>fsck</B> program (the
960 <B>vfsck</B> binary) and related files from the distribution directory to
961 the new AFS-specific command directory.
963 # <B>cp -p /cdrom/hp_ux110/root.server/etc/* .</B>
966 <P><LI>Change the <B>vfsck</B> binary's name to <B>fsck</B> and set
967 the mode bits appropriately on all of the files in the <B>/sbin/fs/afs</B>
970 # <B>mv vfsck fsck</B>
975 <P><LI>Edit the <B>/etc/fstab</B> file, changing the file system type for
976 each AFS server partition from <TT>hfs</TT> to <TT>afs</TT>. This
977 ensures that the AFS-modified <B>fsck</B> program runs on the appropriate
979 <P>The sixth line in the following example of an edited file shows an AFS
980 server partition, <B>/vicepa</B>.
982 /dev/vg00/lvol1 / hfs defaults 0 1
983 /dev/vg00/lvol4 /opt hfs defaults 0 2
984 /dev/vg00/lvol5 /tmp hfs defaults 0 2
985 /dev/vg00/lvol6 /usr hfs defaults 0 2
986 /dev/vg00/lvol8 /var hfs defaults 0 2
987 /dev/vg00/lvol9 /vicepa afs defaults 0 2
988 /dev/vg00/lvol7 /usr/vice/cache hfs defaults 0 2
991 <P><LI>If you plan to retain client functionality on this machine after
992 completing the installation, proceed to <A HREF="#HDRWQ35">Enabling AFS Login on HP-UX Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
994 <A NAME="IDX2296"></A>
995 <A NAME="IDX2297"></A>
996 <A NAME="IDX2298"></A>
997 <A NAME="IDX2299"></A>
998 <A NAME="IDX2300"></A>
999 <A NAME="IDX2301"></A>
1000 <P><H3><A NAME="HDRWQ35" HREF="auqbg002.htm#ToC_48">Enabling AFS Login on HP-UX Systems</A></H3>
1001 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
1002 after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
1004 <P>At this point you incorporate AFS into the operating system's
1005 Pluggable Authentication Module (PAM) scheme. PAM integrates all
1006 authentication mechanisms on the machine, including login, to provide the
1007 security infrastructure for authenticated access to and from the
1009 <P>Explaining PAM is beyond the scope of this document. It is assumed
1010 that you understand the syntax and meanings of settings in the PAM
1011 configuration file (for example, how the <TT>other</TT> entry works, the
1012 effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
1013 <TT>sufficient</TT>, and so on).
1014 <P>The following instructions explain how to alter the entries in the PAM
1015 configuration file for each service for which you wish to use AFS
1016 authentication. Other configurations possibly also work, but the
1017 instructions specify the recommended and tested configuration.
1018 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">The instructions specify that you mark each entry as
1019 <TT>optional</TT>. However, marking some modules as optional can mean
1020 that they grant access to the corresponding service even when the user does
1021 not meet all of the module's requirements. In some operating
1022 system revisions, for example, if you mark as optional the module that
1023 controls login via a dial-up connection, it allows users to login without
1024 providing a password. See the <I>IBM AFS Release Notes</I> for a
1025 discussion of any limitations that apply to this operating system.
1026 <P>Also, with some operating system versions you must install patches for PAM
1027 to interact correctly with certain authentication programs. For
1028 details, see the <I>IBM AFS Release Notes</I>.
1030 <P>The recommended AFS-related entries in the PAM configuration file make use
1031 of one or more of the following three attributes.
1033 <P><DT><B><TT>try_first_pass</TT>
1034 </B><DD>This is a standard PAM attribute that can be included on entries after the
1035 first one for a service; it directs the module to use the password that
1036 was provided to the first module. For the AFS module, it means that AFS
1037 authentication succeeds if the password provided to the module listed first is
1038 the user's correct AFS password. For further discussion of this
1039 attribute and its alternatives, see the operating system's PAM
1041 <P><DT><B><TT>ignore_root</TT>
1042 </B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
1043 only the local superuser <B> root</B>, but also any user with UID 0
1045 <P><DT><B><TT>setenv_password_expires</TT>
1046 </B><DD>This attribute, specific to the AFS PAM module, sets the environment
1047 variable PASSWORD_EXPIRES to the expiration date of the user's AFS
1048 password, which is recorded in the Authentication Database.
1050 <P>Perform the following steps to enable AFS login.
1052 <P><LI>Mount the AFS CD-ROM for HP-UX on the <B>/cdrom</B> directory, if it
1053 is not already. Then change directory as indicated.
1055 # <B>cd /usr/lib/security</B>
1058 <P><LI>Copy the AFS authentication library file to the
1059 <B>/usr/lib/security</B> directory. Then create a symbolic link to
1060 it whose name does not mention the version. Omitting the version
1061 eliminates the need to edit the PAM configuration file if you later update the
1063 <P>If you use the AFS Authentication Server (<B>kaserver</B> process) in
1066 # <B>cp /cdrom/hp_ux110/lib/pam_afs.so.1 .</B>
1068 # <B>ln -s pam_afs.so.1 pam_afs.so</B>
1070 <P>If you use a Kerberos implementation of AFS authentication:
1072 #<B> cp /cdrom/hp_ux110/lib/pam_afs.krb.so.1 .</B>
1074 # <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>
1077 <P><LI>Edit the <TT>Authentication management</TT> section of the HP-UX PAM
1078 configuration file, <B>/etc/pam.conf</B> by convention. The
1079 entries in this section have the value <TT>auth</TT> in their second
1081 <P>First edit the standard entries, which refer to the HP-UX PAM module
1082 (usually, the file <B>/usr/lib/security/libpam_unix.1</B>) in their
1083 fourth field. For each service for which you want to use AFS
1084 authentication, edit the third field of its entry to read
1085 <TT>optional</TT>. The <B>pam.conf</B> file in the HP-UX
1086 distribution usually includes standard entries for the <B>login</B> and
1087 <B>ftp</B> services, for instance.
1088 <P>If there are services for which you want to use AFS authentication, but for
1089 which the <B>pam.conf</B> file does not already include a standard
1090 entry, you must create that entry and place the value <TT>optional</TT> in
1091 its third field. For instance, the HP-UX <B>pam.conf</B>
1092 file does not usually include standard entries for the <B>remsh</B> or
1093 <B>telnet</B> services.
1094 <P>Then create an AFS-related entry for each service, placing it immediately
1095 below the standard entry. The following example shows what the
1096 <TT>Authentication Management</TT> section looks like after you have you
1097 edited or created entries for the services mentioned previously. Note
1098 that the example AFS entries appear on two lines only for legibility.
1100 login auth optional /usr/lib/security/libpam_unix.1
1101 login auth optional /usr/lib/security/pam_afs.so \
1102 try_first_pass ignore_root setenv_password_expires
1103 ftp auth optional /usr/lib/security/libpam_unix.1
1104 ftp auth optional /usr/lib/security/pam_afs.so \
1105 try_first_pass ignore_root
1106 remsh auth optional /usr/lib/security/libpam_unix.1
1107 remsh auth optional /usr/lib/security/pam_afs.so \
1108 try_first_pass ignore_root
1109 telnet auth optional /usr/lib/security/libpam_unix.1
1110 telnet auth optional /usr/lib/security/pam_afs.so \
1111 try_first_pass ignore_root setenv_password_expires
1114 <P><LI>If you use the Common Desktop Environment (CDE) on the machine and want
1115 users to obtain an AFS token as they log in, also add or edit the following
1116 four entries in the <TT>Authentication management</TT> section. Note
1117 that the AFS-related entries appear on two lines here only for
1120 dtlogin auth optional /usr/lib/security/libpam_unix.1
1121 dtlogin auth optional /usr/lib/security/pam_afs.so \
1122 try_first_pass ignore_root
1123 dtaction auth optional /usr/lib/security/libpam_unix.1
1124 dtaction auth optional /usr/lib/security/pam_afs.so \
1125 try_first_pass ignore_root
1128 <P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
1129 additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
1131 <HR><H2><A NAME="HDRWQ36" HREF="auqbg002.htm#ToC_49">Getting Started on IRIX Systems</A></H2>
1132 <A NAME="IDX2302"></A>
1133 <A NAME="IDX2303"></A>
1134 <A NAME="IDX2304"></A>
1135 <A NAME="IDX2305"></A>
1136 <A NAME="IDX2306"></A>
1137 <A NAME="IDX2307"></A>
1138 <A NAME="IDX2308"></A>
1139 <P>To incorporate AFS into the kernel on IRIX systems, choose one of two
1142 <P><LI>Run the AFS initialization script to invoke the <B>ml</B> program
1143 distributed by Silicon Graphics, Incorporated (SGI), which dynamically loads
1144 AFS modifications into the kernel
1145 <P><LI>Build a new static kernel
1147 <P>Then create partitions for storing AFS volumes. You do not need to
1148 replace the IRIX <B>fsck</B> program because SGI has already modified it
1149 to handle AFS volumes properly. If the machine is to remain an AFS
1150 client machine, verify that the IRIX login utility installed on the machine
1151 grants an AFS token.
1152 <P>In preparation for either dynamic loading or kernel building, perform the
1153 following procedures:
1155 <P><LI>Mount the AFS CD-ROM for IRIX on the <B>/cdrom</B> directory.
1156 For instructions on mounting CD-ROMs (either locally or remotely via NFS), see
1157 your IRIX documentation. Then change directory as indicated.
1159 # <B>cd /cdrom/sgi_65/root.client</B>
1162 <P><LI>Copy the AFS initialization script to the local directory for
1163 initialization files (by convention, <B>/etc/init.d</B> on IRIX
1164 machines). Note the removal of the <B>.rc</B> extension as
1165 you copy the script.
1167 # <B>cp -p usr/vice/etc/afs.rc /etc/init.d/afs</B>
1170 <P><LI>Issue the <B>uname -m</B> command to determine the machine's CPU
1171 board type. The <B>IP</B><VAR>xx</VAR> value in the output must match
1172 one of the supported CPU board types listed in the <I>IBM AFS Release
1173 Notes</I> for the current version of AFS.
1178 <P><LI>Proceed to either <A HREF="#HDRWQ37">Loading AFS into the IRIX Kernel</A> or <A HREF="#HDRWQ38">Building AFS into the IRIX Kernel</A>.
1180 <A NAME="IDX2309"></A>
1181 <A NAME="IDX2310"></A>
1182 <A NAME="IDX2311"></A>
1183 <A NAME="IDX2312"></A>
1184 <A NAME="IDX2313"></A>
1185 <A NAME="IDX2314"></A>
1186 <A NAME="IDX2315"></A>
1187 <P><H3><A NAME="HDRWQ37" HREF="auqbg002.htm#ToC_50">Loading AFS into the IRIX Kernel</A></H3>
1188 <P>The <B>ml</B> program is the dynamic kernel loader
1189 provided by SGI for IRIX systems. If you use it rather than building
1190 AFS modifications into a static kernel, then for AFS to function correctly the
1191 <B>ml</B> program must run each time the machine reboots.
1192 Therefore, the AFS initialization script (included on the AFS CD-ROM) invokes
1193 it automatically when the <B>afsml</B> configuration variable is
1194 activated. In this section you activate the variable and run the
1196 <P>In later sections you verify that the script correctly initializes all AFS
1197 components, then create the links that incorporate AFS into the IRIX startup
1198 and shutdown sequence.
1200 <P><LI>Create the local <B>/usr/vice/etc/sgiload</B> directory to house the
1201 AFS kernel library file.
1203 # <B>mkdir /usr/vice/etc/sgiload</B>
1206 <P><LI>Copy the appropriate AFS kernel library file to the
1207 <B>/usr/vice/etc/sgiload</B> directory. The
1208 <B>IP</B><VAR>xx</VAR> portion of the library file name must match the value
1209 previously returned by the <B>uname -m</B> command. Also choose the
1210 file appropriate to whether the machine's kernel supports NFS server
1211 functionality and is to be used as an NFS translator (NFS must be
1212 supported for the machine to act as an NFS/AFS
1213 Translator). Single- and multiprocessor machines use the same library
1215 <P>(You can choose to copy all of the kernel library files into the <B>
1216 /usr/vice/etc/sgiload</B> directory, but they require a significant amount
1218 <P>If the machine's kernel supports NFS server functionality and is to be
1219 used as an NFS translator:
1221 # <B>cp -p usr/vice/etc/sgiload/libafs.IP</B><VAR>xx</VAR><B>.o /usr/vice/etc/sgiload</B>
1223 <P>If the machine's kernel does not support NFS server functionality
1224 or is not to be used as an NFS translator:
1226 # <B>cp -p usr/vice/etc/sgiload/libafs.IP</B><VAR>xx</VAR><B>.nonfs.o</B> \
1227 <B>/usr/vice/etc/sgiload</B>
1230 <P><LI>Issue the <B>chkconfig</B> command to activate the <B>afsml</B>
1231 configuration variable.
1233 # <B>/etc/chkconfig -f afsml on</B>
1235 <P>If the machine is to function as an NFS/AFS Translator and the kernel
1236 supports NFS server functionality, activate the <B>afsxnfs</B>
1239 # <B>/etc/chkconfig -f afsxnfs on</B>
1242 <P><LI>Run the <B>/etc/init.d/afs</B> script to load AFS extensions
1243 into the kernel. The script invokes the <B>ml</B> command,
1244 automatically determining which kernel library file to use based on this
1245 machine's CPU type and the activation state of the <B>afsxnfs</B>
1247 <P>You can ignore any error messages about the inability to start the BOS
1248 Server or the Cache Manager or AFS client.
1250 # <B>/etc/init.d/afs start</B>
1253 <P><LI>Proceed to <A HREF="#HDRWQ39">Configuring Server Partitions on IRIX Systems</A>.
1255 <A NAME="IDX2316"></A>
1256 <P><H3><A NAME="HDRWQ38" HREF="auqbg002.htm#ToC_51">Building AFS into the IRIX Kernel</A></H3>
1257 <P>Use the following instructions to build AFS modifications
1258 into the kernel on an IRIX system.
1260 <P><LI>Copy the kernel initialization file <B>afs.sm</B> to the local
1261 <B>/var/sysgen/system</B> directory, and the kernel master file
1262 <B>afs</B> to the local <B>/var/sysgen/master.d</B>
1265 # <B>cp -p bin/afs.sm /var/sysgen/system</B>
1267 # <B>cp -p bin/afs /var/sysgen/master.d</B>
1270 <P><LI>Copy the appropriate AFS kernel library file to the local file
1271 <B>/var/sysgen/boot/afs.a</B>; the <B>IP</B><VAR>xx</VAR>
1272 portion of the library file name must match the value previously returned by
1273 the <B>uname -m</B> command. Also choose the file appropriate to
1274 whether the machine's kernel supports NFS server functionality and is
1275 to be used as an NFS translator (NFS must be supported for the machine
1276 to act as an NFS/AFS Translator). Single-
1277 and multiprocessor machines use the same library file.
1278 <P>If the machine's kernel supports NFS server functionality and is to be
1279 used as an NFS translator:
1281 # <B>cp -p bin/libafs.IP</B><VAR>xx</VAR><B>.a /var/sysgen/boot/afs.a</B>
1283 <P>If the machine's kernel does not support NFS server functionality
1284 or is not to be used as an NFS translator:
1286 # <B>cp -p bin/libafs.IP</B><VAR>xx</VAR><B>.nonfs.a /var/sysgen/boot/afs.a</B>
1289 <P><LI>Issue the <B>chkconfig</B> command to deactivate the <B>afsml</B>
1290 configuration variable.
1292 # <B>/etc/chkconfig -f afsml off</B>
1294 <P>If the machine is to function as an NFS/AFS Translator and the kernel
1295 supports NFS server functionality, activate the <B>afsxnfs</B>
1298 # <B>/etc/chkconfig -f afsxnfs on</B>
1301 <P><LI>Copy the existing kernel file, <B>/unix</B>, to a safe
1302 location. Compile the new kernel, which is created in the file
1303 <B>/unix.install</B>. It overwrites the existing
1304 <B>/unix</B> file when the machine reboots in the next step.
1306 # <B>cp /unix /unix_noafs</B>
1311 <P><LI>Reboot the machine to start using the new kernel, and login again as the
1312 superuser <B>root</B>.
1316 # <B>shutdown -i6 -g0 -y</B>
1319 Password: <VAR>root_password</VAR>
1323 <A NAME="IDX2317"></A>
1324 <A NAME="IDX2318"></A>
1325 <A NAME="IDX2319"></A>
1326 <A NAME="IDX2320"></A>
1327 <P><H3><A NAME="HDRWQ39" HREF="auqbg002.htm#ToC_52">Configuring Server Partitions on IRIX Systems</A></H3>
1328 <P>Every AFS file server machine must have at least one
1329 partition or logical volume dedicated to storing AFS volumes. Each
1330 server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
1331 where <VAR>xx</VAR> is one or two lowercase letters. The
1332 <B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
1333 machine's root directory, not in one of its subdirectories (for example,
1334 <B>/usr/vicepa</B> is not an acceptable directory location). For
1335 additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
1336 <P>AFS supports use of both EFS and XFS partitions for housing AFS
1337 volumes. SGI encourages use of XFS partitions.
1339 <P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
1340 partition you are configuring (there must be at least one). Repeat the
1341 command for each partition.
1343 # <B>mkdir /vicep</B><VAR>xx</VAR>
1346 <P><LI>Add a line with the following format to the file systems registry file,
1347 <B>/etc/fstab</B>, for each partition (or logical volume created with the
1348 XLV volume manager) to be mounted on one of the directories created in the
1350 <P>For an XFS partition or logical volume:
1352 /dev/dsk/<VAR>disk</VAR> /vicep<VAR>xx</VAR> xfs rw,raw=/dev/rdsk/<VAR>disk</VAR> 0 0
1354 <P>For an EFS partition:
1356 /dev/dsk/<VAR>disk</VAR> /vicep<VAR>xx</VAR> efs rw,raw=/dev/rdsk/<VAR>disk</VAR> 0 0
1358 <P>The following are examples of an entry for each file system type:
1360 /dev/dsk/dks0d2s6 /vicepa xfs rw,raw=/dev/rdsk/dks0d2s6 0 0
1361 /dev/dsk/dks0d3s1 /vicepb efs rw,raw=/dev/rdsk/dks0d3s1 0 0
1364 <P><LI>Create a file system on each partition that is to be mounted on a
1365 <B>/vicep</B><VAR>xx</VAR> directory. The following commands are
1366 probably appropriate, but consult the IRIX documentation for more
1367 information. In both cases, <VAR>raw_device</VAR> is a raw device name
1368 like <B>/dev/rdsk/dks0d0s0</B> for a single disk partition or
1369 <B>/dev/rxlv/xlv0</B> for a logical volume.
1370 <P>For XFS file systems, include the indicated options to configure the
1371 partition or logical volume with inodes large enough to accommodate
1372 AFS-specific information:
1374 # <B>mkfs -t xfs -i size=512 -l size=4000b</B> <VAR>raw_device</VAR>
1376 <P>For EFS file systems:
1378 # <B>mkfs -t efs</B> <VAR>raw_device</VAR>
1381 <P><LI>Mount each partition by issuing either the <B>mount -a</B> command to
1382 mount all partitions at once or the <B>mount</B> command to mount each
1384 <P><LI><B>(Optional)</B> If you have configured partitions or logical volumes
1385 to use XFS, issue the following command to verify that the inodes are
1386 configured properly (are large enough to accommodate AFS-specific
1387 information). If the configuration is correct, the command returns no
1388 output. Otherwise, it specifies the command to run in order to
1389 configure each partition or logical volume properly.
1391 # <B>/usr/afs/bin/xfs_size_check</B>
1394 <P><LI>If you plan to retain client functionality on this machine after
1395 completing the installation, proceed to <A HREF="#HDRWQ40">Enabling AFS Login on IRIX Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
1397 <A NAME="IDX2321"></A>
1398 <A NAME="IDX2322"></A>
1399 <A NAME="IDX2323"></A>
1400 <A NAME="IDX2324"></A>
1401 <P><H3><A NAME="HDRWQ40" HREF="auqbg002.htm#ToC_53">Enabling AFS Login on IRIX Systems</A></H3>
1402 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
1403 after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
1405 <P>The standard IRIX command-line <B>login</B> program and the graphical
1406 <B>xdm</B> login program both automatically grant an AFS token when AFS is
1407 incorporated into the machine's kernel. However, some IRIX
1408 distributions use another login utility by default, and it does not
1409 necessarily incorporate the required AFS modifications. If that is the
1410 case, you must disable the default utility if you want AFS users to obtain AFS
1411 tokens at login. For further discussion, see the <I>IBM AFS Release
1413 <P>If you configure the machine to use an AFS-modified login utility, then the
1414 <B>afsauthlib.so</B> and <B>afskauthlib.so</B> files
1415 (included in the AFS distribution) must reside in the <B>/usr/vice/etc</B>
1416 directory. Issue the <B>ls</B> command to verify.
1418 # <B>ls /usr/vice/etc</B>
1420 <P>If the files do not exist, mount the AFS CD-ROM for IRIX (if it is not
1421 already), change directory as indicated, and copy them.
1423 # <B>cd /cdrom/sgi_65/root.client/usr/vice/etc</B>
1425 # <B>cp -p *authlib* /usr/vice/etc</B>
1427 <P>After taking any necessary action, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
1428 <HR><H2><A NAME="HDRWQ41" HREF="auqbg002.htm#ToC_54">Getting Started on Linux Systems</A></H2>
1429 <A NAME="IDX2325"></A>
1430 <A NAME="IDX2326"></A>
1431 <A NAME="IDX2327"></A>
1432 <A NAME="IDX2328"></A>
1433 <P>Begin by running the AFS initialization script to call the
1434 <B>insmod</B> program, which dynamically loads AFS modifications into the
1435 kernel. Then create partitions for storing AFS volumes. You do
1436 not need to replace the Linux <B>fsck</B> program. If the machine
1437 is to remain an AFS client machine, incorporate AFS into the machine's
1438 Pluggable Authentication Module (PAM) scheme.
1439 <A NAME="IDX2329"></A>
1440 <A NAME="IDX2330"></A>
1441 <A NAME="IDX2331"></A>
1442 <A NAME="IDX2332"></A>
1443 <P><H3><A NAME="HDRWQ42" HREF="auqbg002.htm#ToC_55">Loading AFS into the Linux Kernel</A></H3>
1444 <P>The <B>insmod</B> program is the dynamic kernel loader
1445 for Linux. Linux does not support incorporation of AFS modifications
1446 during a kernel build.
1447 <P>For AFS to function correctly, the <B>insmod</B> program must run each
1448 time the machine reboots, so the AFS initialization script (included on the
1449 AFS CD-ROM) invokes it automatically. The script also includes commands
1450 that select the appropriate AFS library file automatically. In this
1451 section you run the script.
1452 <P>In later sections you verify that the script correctly initializes all AFS
1453 components, then activate a configuration variable, which results in the
1454 script being incorporated into the Linux startup and shutdown sequence.
1456 <P><LI>Mount the AFS CD-ROM for Linux on the local <B>/cdrom</B>
1457 directory. For instructions on mounting CD-ROMs (either locally or
1458 remotely via NFS), see your Linux documentation. Then change directory
1461 # <B>cd /cdrom/i386_linux22/root.client/usr/vice/etc</B>
1464 <P><LI>Copy the AFS kernel library files to the local
1465 <B>/usr/vice/etc/modload</B> directory. The filenames for the
1466 libraries have the format
1467 <B>libafs-</B><VAR>version</VAR><B>.o</B>, where <VAR>version</VAR>
1468 indicates the kernel build level. The string <B>.mp</B> in
1469 the <VAR>version</VAR> indicates that the file is appropriate for machines
1470 running a multiprocessor kernel.
1472 # <B>cp -rp modload /usr/vice/etc</B>
1475 <P><LI>Copy the AFS initialization script to the local directory for
1476 initialization files (by convention, <B>/etc/rc.d/init.d</B>
1477 on Linux machines). Note the removal of the <B>.rc</B>
1478 extension as you copy the script.
1480 # <B>cp -p afs.rc /etc/rc.d/init.d/afs</B>
1483 <P><LI>Run the AFS initialization script to load AFS extensions into the
1484 kernel. You can ignore any error messages about the inability to start
1485 the BOS Server or the Cache Manager or AFS client.
1487 # <B>/etc/rc.d/init.d/afs start</B>
1491 <A NAME="IDX2333"></A>
1492 <A NAME="IDX2334"></A>
1493 <A NAME="IDX2335"></A>
1494 <A NAME="IDX2336"></A>
1495 <P><H3><A NAME="HDRWQ43" HREF="auqbg002.htm#ToC_56">Configuring Server Partitions on Linux Systems</A></H3>
1496 <P>Every AFS file server machine must have at least one
1497 partition or logical volume dedicated to storing AFS volumes. Each
1498 server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
1499 where <VAR>xx</VAR> is one or two lowercase letters. The
1500 <B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
1501 machine's root directory, not in one of its subdirectories (for example,
1502 <B>/usr/vicepa</B> is not an acceptable directory location). For
1503 additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
1505 <P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
1506 partition you are configuring (there must be at least one). Repeat the
1507 command for each partition.
1509 # <B>mkdir /vicep</B><VAR>xx</VAR>
1512 <P><LI>Add a line with the following format to the file systems registry file,
1513 <B>/etc/fstab</B>, for each directory just created. The entry maps
1514 the directory name to the disk partition to be mounted on it.
1516 /dev/<VAR>disk</VAR> /vicep<VAR>xx</VAR> ext2 defaults 0 2
1518 <P>The following is an example for the first partition being
1521 /dev/sda8 /vicepa ext2 defaults 0 2
1524 <P><LI>Create a file system on each partition that is to be mounted at a
1525 <B>/vicep</B><VAR>xx</VAR> directory. The following command is
1526 probably appropriate, but consult the Linux documentation for more
1529 #<B> mkfs -v /dev/</B><VAR>disk</VAR>
1532 <P><LI>Mount each partition by issuing either the <B>mount -a</B> command to
1533 mount all partitions at once or the <B>mount</B> command to mount each
1535 <P><LI>If you plan to retain client functionality on this machine after
1536 completing the installation, proceed to <A HREF="#HDRWQ44">Enabling AFS Login on Linux Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
1538 <A NAME="IDX2337"></A>
1539 <A NAME="IDX2338"></A>
1540 <A NAME="IDX2339"></A>
1541 <A NAME="IDX2340"></A>
1542 <A NAME="IDX2341"></A>
1543 <P><H3><A NAME="HDRWQ44" HREF="auqbg002.htm#ToC_57">Enabling AFS Login on Linux Systems</A></H3>
1544 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
1545 after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
1547 <P>At this point you incorporate AFS into the operating system's
1548 Pluggable Authentication Module (PAM) scheme. PAM integrates all
1549 authentication mechanisms on the machine, including login, to provide the
1550 security infrastructure for authenticated access to and from the
1552 <P>Explaining PAM is beyond the scope of this document. It is assumed
1553 that you understand the syntax and meanings of settings in the PAM
1554 configuration file (for example, how the <TT>other</TT> entry works, the
1555 effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
1556 <TT>sufficient</TT>, and so on).
1557 <P>The following instructions explain how to alter the entries in the PAM
1558 configuration file for each service for which you wish to use AFS
1559 authentication. Other configurations possibly also work, but the
1560 instructions specify the recommended and tested configuration.
1561 <P>The recommended AFS-related entries in the PAM configuration file make use
1562 of one or more of the following three attributes.
1564 <P><DT><B><TT>try_first_pass</TT>
1565 </B><DD>This is a standard PAM attribute that can be included on entries after the
1566 first one for a service; it directs the module to use the password that
1567 was provided to the first module. For the AFS module, it means that AFS
1568 authentication succeeds if the password provided to the module listed first is
1569 the user's correct AFS password. For further discussion of this
1570 attribute and its alternatives, see the operating system's PAM
1572 <P><DT><B><TT>ignore_root</TT>
1573 </B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
1574 only the local superuser <B> root</B>, but also any user with UID 0
1576 <P><DT><B><TT>setenv_password_expires</TT>
1577 </B><DD>This attribute, specific to the AFS PAM module, sets the environment
1578 variable PASSWORD_EXPIRES to the expiration date of the user's AFS
1579 password, which is recorded in the Authentication Database.
1581 <P>Perform the following steps to enable AFS login.
1583 <P><LI>Mount the AFS CD-ROM for Linux on the <B>/cdrom</B> directory, if it
1584 is not already. Then change to the directory for PAM modules, which
1585 depends on which Linux distribution you are using.
1586 <P>If you are using a Linux distribution from Red Hat Software:
1588 # <B>cd /lib/security</B>
1590 <P>If you are using another Linux distribution:
1592 # <B>cd /usr/lib/security</B>
1595 <P><LI>Copy the appropriate AFS authentication library file to the directory to
1596 which you changed in the previous step. Create a symbolic link whose
1597 name does not mention the version. Omitting the version eliminates the
1598 need to edit the PAM configuration file if you later update the library
1600 <P>If you use the AFS Authentication Server (<B>kaserver</B>
1603 # <B>cp /cdrom/i386_linux22/lib/pam_afs.so.1 .</B>
1605 # <B>ln -s pam_afs.so.1 pam_afs.so</B>
1607 <P>If you use a Kerberos implementation of AFS authentication:
1609 # <B>cp /cdrom/i386_linux22/lib/pam_afs.krb.so.1 .</B>
1611 # <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>
1614 <P><LI>For each service with which you want to use AFS authentication, insert an
1615 entry for the AFS PAM module into the <TT>auth</TT> section of the
1616 service's PAM configuration file. (Linux uses a separate
1617 configuration file for each service, unlike some other operating systems which
1618 list all services in a single file.) Mark the entry as
1619 <TT>sufficient</TT> in the second field.
1620 <P>Place the AFS entry below any entries that impose conditions under which
1621 you want the service to fail for a user who does not meet the entry's
1622 requirements. Mark these entries <TT>required</TT>. Place the
1623 AFS entry above any entries that need to execute only if AFS authentication
1625 <P>Insert the following AFS entry if using the Red Hat distribution:
1627 auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
1629 <P>Insert the following AFS entry if using another distribution:
1631 auth sufficient /usr/lib/security/pam_afs.so try_first_pass ignore_root
1633 <P>The following example illustrates the recommended configuration of the
1634 configuration file for the <B>login</B> service
1635 (<B>/etc/pam.d/login</B>) on a machine using the Red Hat
1639 auth required /lib/security/pam_securetty.so
1640 auth required /lib/security/pam_nologin.so
1641 auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
1642 auth required /lib/security/pam_pwdb.so shadow nullok
1643 account required /lib/security/pam_pwdb.so
1644 password required /lib/security/pam_cracklib.so
1645 password required /lib/security/pam_pwdb.so shadow nullok use_authtok
1646 session required /lib/security/pam_pwdb.so
1649 <P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
1650 additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
1652 <HR><H2><A NAME="HDRWQ45" HREF="auqbg002.htm#ToC_58">Getting Started on Solaris Systems</A></H2>
1653 <P>Begin by running the AFS initialization script to call the
1654 <B>modload</B> program distributed by Sun Microsystems, which dynamically
1655 loads AFS modifications into the kernel. Then create partitions for
1656 storing AFS volumes, and install and configure the AFS-modified
1657 <B>fsck</B> program to run on AFS server partitions. If the machine
1658 is to remain an AFS client machine, incorporate AFS into the machine's
1659 Pluggable Authentication Module (PAM) scheme.
1660 <A NAME="IDX2342"></A>
1661 <A NAME="IDX2343"></A>
1662 <A NAME="IDX2344"></A>
1663 <A NAME="IDX2345"></A>
1664 <P><H3><A NAME="HDRWQ46" HREF="auqbg002.htm#ToC_59">Loading AFS into the Solaris Kernel</A></H3>
1665 <P>The <B>modload</B> program is the dynamic kernel loader
1666 provided by Sun Microsystems for Solaris systems. Solaris does not
1667 support incorporation of AFS modifications during a kernel build.
1668 <P>For AFS to function correctly, the <B>modload</B> program must run each
1669 time the machine reboots, so the AFS initialization script (included on the
1670 AFS CD-ROM) invokes it automatically. In this section you copy the
1671 appropriate AFS library file to the location where the <B>modload</B>
1672 program accesses it and then run the script.
1673 <P>In later sections you verify that the script correctly initializes all AFS
1674 components, then create the links that incorporate AFS into the Solaris
1675 startup and shutdown sequence.
1677 <P><LI>Mount the AFS CD-ROM for Solaris on the <B>/cdrom</B>
1678 directory. For instructions on mounting CD-ROMs (either locally or
1679 remotely via NFS), see your Solaris documentation. Then change
1680 directory as indicated.
1682 # <B>cd /cdrom/sun4x_56/root.client/usr/vice/etc</B>
1685 <P><LI>Copy the AFS initialization script to the local directory for
1686 initialization files (by convention, <B>/etc/init.d</B> on Solaris
1687 machines). Note the removal of the <B>.rc</B> extension as
1688 you copy the script.
1690 # <B>cp -p afs.rc /etc/init.d/afs</B>
1693 <P><LI>Copy the appropriate AFS kernel library file to the local file
1694 <B>/kernel/fs/afs</B>.
1695 <P>If the machine is running Solaris 2.6 or the 32-bit version of
1696 Solaris 7, its kernel supports NFS server functionality and is to be
1697 used as an NFS translator, and the <B>nfsd</B> process is running:
1699 # <B>cp -p modload/libafs.o /kernel/fs/afs</B>
1701 <P>If the machine is running Solaris 2.6 or the 32-bit version of
1702 Solaris 7, and its kernel does not support NFS server functionality, is
1703 not to be used as an NFS translator, or the <B>nfsd</B> process is not running:
1705 # <B>cp -p modload/libafs.nonfs.o /kernel/fs/afs</B>
1707 <P>If the machine is running the 64-bit version of Solaris 7, its kernel
1708 supports NFS server functionality and is to be used as an NFS translator, and the <B>nfsd</B> process is
1711 # <B>cp -p modload/libafs64.o /kernel/fs/sparcv9/afs</B>
1713 <P>If the machine is running the 64-bit version of Solaris 7, and its
1714 kernel does not support NFS server functionality, is not to be used as an NFS translator or the <B>nfsd</B> process is not running:
1716 # <B>cp -p modload/libafs64.nonfs.o /kernel/fs/sparcv9/afs</B>
1719 <P><LI>Run the AFS initialization script to load AFS modifications into the
1720 kernel. You can ignore any error messages about the inability to start
1721 the BOS Server or the Cache Manager or AFS client.
1723 # <B>/etc/init.d/afs start</B>
1725 <P>When an entry called <TT>afs</TT> does not already exist in the local
1726 <B>/etc/name_to_sysnum</B> file, the script automatically creates it and
1727 reboots the machine to start using the new version of the file. If this
1728 happens, log in again as the superuser <B>root</B> after the reboot and
1729 run the initialization script again. This time the required entry
1730 exists in the <B>/etc/name_to_sysnum</B> file, and the <B>modload</B>
1734 Password: <VAR>root_password</VAR>
1736 # <B>/etc/init.d/afs start</B>
1740 <A NAME="IDX2346"></A>
1741 <A NAME="IDX2347"></A>
1742 <A NAME="IDX2348"></A>
1743 <A NAME="IDX2349"></A>
1744 <P><H3><A NAME="HDRWQ47" HREF="auqbg002.htm#ToC_60">Configuring the AFS-modified fsck Program on Solaris Systems</A></H3>
1745 <P>In this section, you make modifications to guarantee that the
1746 appropriate <B>fsck</B> program runs on AFS server partitions. The
1747 <B>fsck</B> program provided with the operating system must never run on
1748 AFS server partitions. Because it does not recognize the structures
1749 that the File Server uses to organize volume data, it removes all of the
1751 <P><B>Never run the standard fsck program on AFS server partitions.
1752 It discards AFS volumes.</B>
1754 <P><LI>Create the <B>/usr/lib/fs/afs</B> directory to house the AFS-modified
1755 <B>fsck</B> program and related files.
1757 # <B>mkdir /usr/lib/fs/afs</B>
1759 # <B>cd /usr/lib/fs/afs</B>
1762 <P><LI>Copy the <B>vfsck</B> binary to the newly created directory, changing
1763 the name as you do so.
1765 # <B>cp /cdrom/sun4x_56/root.server/etc/vfsck fsck</B>
1768 <P><LI>Working in the <B>/usr/lib/fs/afs</B> directory, create the following
1769 links to Solaris libraries:
1771 # <B>ln -s /usr/lib/fs/ufs/clri</B>
1772 # <B>ln -s /usr/lib/fs/ufs/df</B>
1773 # <B>ln -s /usr/lib/fs/ufs/edquota</B>
1774 # <B>ln -s /usr/lib/fs/ufs/ff</B>
1775 # <B>ln -s /usr/lib/fs/ufs/fsdb</B>
1776 # <B>ln -s /usr/lib/fs/ufs/fsirand</B>
1777 # <B>ln -s /usr/lib/fs/ufs/fstyp</B>
1778 # <B>ln -s /usr/lib/fs/ufs/labelit</B>
1779 # <B>ln -s /usr/lib/fs/ufs/lockfs</B>
1780 # <B>ln -s /usr/lib/fs/ufs/mkfs</B>
1781 # <B>ln -s /usr/lib/fs/ufs/mount</B>
1782 # <B>ln -s /usr/lib/fs/ufs/ncheck</B>
1783 # <B>ln -s /usr/lib/fs/ufs/newfs</B>
1784 # <B>ln -s /usr/lib/fs/ufs/quot</B>
1785 # <B>ln -s /usr/lib/fs/ufs/quota</B>
1786 # <B>ln -s /usr/lib/fs/ufs/quotaoff</B>
1787 # <B>ln -s /usr/lib/fs/ufs/quotaon</B>
1788 # <B>ln -s /usr/lib/fs/ufs/repquota</B>
1789 # <B>ln -s /usr/lib/fs/ufs/tunefs</B>
1790 # <B>ln -s /usr/lib/fs/ufs/ufsdump</B>
1791 # <B>ln -s /usr/lib/fs/ufs/ufsrestore</B>
1792 # <B>ln -s /usr/lib/fs/ufs/volcopy</B>
1795 <P><LI>Append the following line to the end of the file
1796 <B>/etc/dfs/fstypes</B>.
1801 <P><LI>Edit the <B>/sbin/mountall</B> file, making two changes.
1803 <P><LI>Add an entry for AFS to the <TT>case</TT> statement for option 2, so
1804 that it reads as follows:
1807 ufs) foptions="-o p"
1809 afs) foptions="-o p"
1811 s5) foptions="-y -t /var/tmp/tmp$$ -D"
1817 <P><LI>Edit the file so that all AFS and UFS partitions are checked in
1818 parallel. Replace the following section of code:
1820 # For fsck purposes, we make a distinction between ufs and
1821 # other file systems
1823 if [ "$fstype" = "ufs" ]; then
1824 ufs_fscklist="$ufs_fscklist $fsckdev"
1825 saveentry $fstype "$OPTIONS" $special $mountp
1829 <P>with the following section of code:
1831 # For fsck purposes, we make a distinction between ufs/afs
1832 # and other file systems.
1834 if [ "$fstype" = "ufs" -o "$fstype" = "afs" ]; then
1835 ufs_fscklist="$ufs_fscklist $fsckdev"
1836 saveentry $fstype "$OPTIONS" $special $mountp
1843 <A NAME="IDX2350"></A>
1844 <A NAME="IDX2351"></A>
1845 <A NAME="IDX2352"></A>
1846 <A NAME="IDX2353"></A>
1847 <P><H3><A NAME="HDRWQ48" HREF="auqbg002.htm#ToC_61">Configuring Server Partitions on Solaris Systems</A></H3>
1848 <P>Every AFS file server machine must have at least one
1849 partition or logical volume dedicated to storing AFS volumes. Each
1850 server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
1851 where <VAR>xx</VAR> is one or two lowercase letters. The
1852 <B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
1853 machine's root directory, not in one of its subdirectories (for example,
1854 <B>/usr/vicepa</B> is not an acceptable directory location). For
1855 additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
1857 <P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
1858 partition you are configuring (there must be at least one). Repeat the
1859 command for each partition.
1861 # <B>mkdir /vicep</B><VAR>xx</VAR>
1864 <P><LI>Add a line with the following format to the file systems registry file,
1865 <B>/etc/vfstab</B>, for each partition to be mounted on a directory
1866 created in the previous step. Note the value <TT>afs</TT> in the
1867 fourth field, which tells Solaris to use the AFS-modified <B>fsck</B>
1868 program on this partition.
1870 /dev/dsk/<VAR>disk</VAR> /dev/rdsk/<VAR>disk</VAR> /vicep<VAR>xx</VAR> afs <VAR>boot_order</VAR> yes
1872 <P>The following is an example for the first partition being
1875 /dev/dsk/c0t6d0s1 /dev/rdsk/c0t6d0s1 /vicepa afs 3 yes
1878 <P><LI>Create a file system on each partition that is to be mounted at a
1879 <B>/vicep</B><VAR>xx</VAR> directory. The following command is
1880 probably appropriate, but consult the Solaris documentation for more
1883 # <B>newfs -v /dev/rdsk/</B><VAR>disk</VAR>
1886 <P><LI>Issue the <B>mountall</B> command to mount all partitions at
1888 <P><LI>If you plan to retain client functionality on this machine after
1889 completing the installation, proceed to <A HREF="#HDRWQ49">Enabling AFS Login and Editing the File Systems Clean-up Script on Solaris Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
1891 <A NAME="IDX2354"></A>
1892 <A NAME="IDX2355"></A>
1893 <A NAME="IDX2356"></A>
1894 <A NAME="IDX2357"></A>
1895 <A NAME="IDX2358"></A>
1896 <A NAME="IDX2359"></A>
1897 <A NAME="IDX2360"></A>
1898 <A NAME="IDX2361"></A>
1899 <P><H3><A NAME="HDRWQ49" HREF="auqbg002.htm#ToC_62">Enabling AFS Login and Editing the File Systems Clean-up Script on Solaris Systems</A></H3>
1900 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
1901 after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
1903 <P>At this point you incorporate AFS into the operating system's
1904 Pluggable Authentication Module (PAM) scheme. PAM integrates all
1905 authentication mechanisms on the machine, including login, to provide the
1906 security infrastructure for authenticated access to and from the
1908 <P>Explaining PAM is beyond the scope of this document. It is assumed
1909 that you understand the syntax and meanings of settings in the PAM
1910 configuration file (for example, how the <TT>other</TT> entry works, the
1911 effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
1912 <TT>sufficient</TT>, and so on).
1913 <P>The following instructions explain how to alter the entries in the PAM
1914 configuration file for each service for which you wish to use AFS
1915 authentication. Other configurations possibly also work, but the
1916 instructions specify the recommended and tested configuration.
1917 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">The instructions specify that you mark each entry as
1918 <TT>optional</TT>. However, marking some modules as optional can mean
1919 that they grant access to the corresponding service even when the user does
1920 not meet all of the module's requirements. In some operating
1921 system revisions, for example, if you mark as optional the module that
1922 controls login via a dial-up connection, it allows users to login without
1923 providing a password. See the <I>IBM AFS Release Notes</I> for a
1924 discussion of any limitations that apply to this operating system.
1925 <P>Also, with some operating system versions you must install patches for PAM
1926 to interact correctly with certain authentication programs. For
1927 details, see the <I>IBM AFS Release Notes</I>.
1929 <P>The recommended AFS-related entries in the PAM configuration file make use
1930 of one or more of the following three attributes.
1932 <P><DT><B><TT>try_first_pass</TT>
1933 </B><DD>This is a standard PAM attribute that can be included on entries after the
1934 first one for a service; it directs the module to use the password that
1935 was provided to the first module. For the AFS module, it means that AFS
1936 authentication succeeds if the password provided to the module listed first is
1937 the user's correct AFS password. For further discussion of this
1938 attribute and its alternatives, see the operating system's PAM
1940 <P><DT><B><TT>ignore_root</TT>
1941 </B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
1942 only the local superuser <B> root</B>, but also any user with UID 0
1944 <P><DT><B><TT>setenv_password_expires</TT>
1945 </B><DD>This attribute, specific to the AFS PAM module, sets the environment
1946 variable PASSWORD_EXPIRES to the expiration date of the user's AFS
1947 password, which is recorded in the Authentication Database.
1949 <P>Perform the following steps to enable AFS login.
1951 <P><LI>Mount the AFS CD-ROM for Solaris on the <B>/cdrom</B> directory, if it
1952 is not already. Then change directory as indicated.
1954 # <B>cd /usr/lib/security</B>
1957 <P><LI>Copy the AFS authentication library file to the
1958 <B>/usr/lib/security</B> directory. Then create a symbolic link to
1959 it whose name does not mention the version. Omitting the version
1960 eliminates the need to edit the PAM configuration file if you later update the
1962 <P>If you use the AFS Authentication Server (<B>kaserver</B>
1965 #<B> cp /cdrom/sun4x_56/lib/pam_afs.so.1 .</B>
1967 # <B>ln -s pam_afs.so.1 pam_afs.so</B>
1969 <P>If you use a Kerberos implementation of AFS authentication:
1971 # <B>cp /cdrom/sun4x_56/lib/pam_afs.krb.so.1 .</B>
1973 # <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>
1976 <P><LI>Edit the <TT>Authentication management</TT> section of the Solaris PAM
1977 configuration file, <B>/etc/pam.conf</B> by convention. The
1978 entries in this section have the value <TT>auth</TT> in their second
1980 <P>First edit the standard entries, which refer to the Solaris PAM module
1981 (usually, the file <B>/usr/lib/security/pam_unix.so.1</B>)
1982 in their fourth field. For each service for which you want to use AFS
1983 authentication, edit the third field of its entry to read
1984 <TT>optional</TT>. The <B>pam.conf</B> file in the Solaris
1985 distribution usually includes standard entries for the <B>login</B>,
1986 <B>rlogin</B>, and <B>rsh</B> services, for instance.
1987 <P>If there are services for which you want to use AFS authentication, but for
1988 which the <B>pam.conf</B> file does not already include a standard
1989 entry, you must create that entry and place the value <TT>optional</TT> in
1990 its third field. For instance, the Solaris <B>pam.conf</B>
1991 file does not usually include standard entries for the <B>ftp</B> or
1992 <B>telnet</B> services.
1993 <P>Then create an AFS-related entry for each service, placing it immediately
1994 below the standard entry. The following example shows what the
1995 <TT>Authentication Management</TT> section looks like after you have you
1996 edited or created entries for the services mentioned previously. Note
1997 that the example AFS entries appear on two lines only for legibility.
1999 login auth optional /usr/lib/security/pam_unix.so.1
2000 login auth optional /usr/lib/security/pam_afs.so \
2001 try_first_pass ignore_root setenv_password_expires
2002 rlogin auth optional /usr/lib/security/pam_unix.so.1
2003 rlogin auth optional /usr/lib/security/pam_afs.so \
2004 try_first_pass ignore_root setenv_password_expires
2005 rsh auth optional /usr/lib/security/pam_unix.so.1
2006 rsh auth optional /usr/lib/security/pam_afs.so \
2007 try_first_pass ignore_root
2008 ftp auth optional /usr/lib/security/pam_unix.so.1
2009 ftp auth optional /usr/lib/security/pam_afs.so \
2010 try_first_pass ignore_root
2011 telnet auth optional /usr/lib/security/pam_unix.so.1
2012 telnet auth optional /usr/lib/security/pam_afs.so \
2013 try_first_pass ignore_root setenv_password_expires
2016 <P><LI>If you use the Common Desktop Environment (CDE) on the machine and want
2017 users to obtain an AFS token as they log in, also add or edit the following
2018 four entries in the <TT>Authentication management</TT> section. Note
2019 that the AFS-related entries appear on two lines here only for
2022 dtlogin auth optional /usr/lib/security/pam_unix.so.1
2023 dtlogin auth optional /usr/lib/security/pam_afs.so \
2024 try_first_pass ignore_root
2025 dtsession auth optional /usr/lib/security/pam_unix.so.1
2026 dtsession auth optional /usr/lib/security/pam_afs.so \
2027 try_first_pass ignore_root
2030 <P><LI>Some Solaris distributions include a script that locates and removes
2031 unneeded files from various file systems. Its conventional location is
2032 <B>/usr/lib/fs/nfs/nfsfind</B>. The script generally uses an
2033 argument to the <B>find</B> command to define which file systems to
2034 search. In this step you modify the command to exclude the
2035 <B>/afs</B> directory. Otherwise, the command traverses the AFS
2036 filespace of every cell that is accessible from the machine, which can take
2037 many hours. The following alterations are possibilities, but you must
2038 verify that they are appropriate for your cell.
2039 <P>The first possible alteration is to add the <B>-local</B> flag to the
2040 existing command, so that it looks like the following:
2042 find $dir -local -name .nfs\* -mtime +7 -mount -exec rm -f {} \;
2044 <P>Another alternative is to exclude any directories whose names begin with
2045 the lowercase letter <B>a</B> or a non-alphabetic character.
2047 find /[A-Zb-z]* <VAR>remainder of existing command</VAR>
2049 <P>Do not use the following command, which still searches under the
2050 <B>/afs</B> directory, looking for a subdirectory of type
2053 find / -fstype 4.2 /* <VAR>do not use</VAR> */
2056 <P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
2057 additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
2059 <A NAME="IDX2362"></A>
2060 <A NAME="IDX2363"></A>
2061 <A NAME="IDX2364"></A>
2062 <A NAME="IDX2365"></A>
2063 <A NAME="IDX2366"></A>
2064 <A NAME="IDX2367"></A>
2065 <A NAME="IDX2368"></A>
2066 <HR><H2><A NAME="HDRWQ50" HREF="auqbg002.htm#ToC_63">Starting the BOS Server</A></H2>
2067 <P>You are now ready to start the AFS server processes on this
2068 machine. Begin by copying the AFS server binaries from the CD-ROM to
2069 the conventional local disk location, the <B>/usr/afs/bin</B>
2070 directory. The following instructions also create files in other
2071 subdirectories of the <B>/usr/afs</B> directory.
2072 <P>Then issue the <B>bosserver</B> command to initialize the Basic
2073 OverSeer (BOS) Server, which monitors and controls other AFS server processes
2074 on its server machine. Include the <B>-noauth</B> flag to disable
2075 authorization checking. Because you have not yet configured your
2076 cell's AFS authentication and authorization mechanisms, the BOS Server
2077 cannot perform authorization checking as it does during normal
2078 operation. In no-authorization mode, it does not verify the identity or
2079 privilege of the issuer of a <B>bos</B> command, and so performs any
2080 operation for anyone.
2081 <P>Disabling authorization checking gravely compromises cell security.
2082 You must complete all subsequent steps in one uninterrupted pass and must not
2083 leave the machine unattended until you restart the BOS Server with
2084 authorization checking enabled, in <A HREF="#HDRWQ72">Verifying the AFS Initialization Script</A>.
2085 <P>As it initializes for the first time, the BOS Server creates the following
2086 directories and files, setting the owner to the local superuser
2087 <B>root</B> and the mode bits to limit the ability to write (and in some
2088 cases, read) them. For a description of the contents and function of
2089 these directories and files, see the chapter in the <I>IBM AFS
2090 Administration Guide</I> about administering server machines. For
2091 further discussion of the mode bit settings, see <A HREF="#HDRWQ96">Protecting Sensitive AFS Directories</A>.
2092 <A NAME="IDX2369"></A>
2093 <A NAME="IDX2370"></A>
2094 <A NAME="IDX2371"></A>
2095 <A NAME="IDX2372"></A>
2096 <A NAME="IDX2373"></A>
2097 <A NAME="IDX2374"></A>
2098 <A NAME="IDX2375"></A>
2099 <A NAME="IDX2376"></A>
2100 <A NAME="IDX2377"></A>
2101 <A NAME="IDX2378"></A>
2102 <A NAME="IDX2379"></A>
2104 <P><LI><B>/usr/afs/db</B>
2105 <P><LI><B>/usr/afs/etc/CellServDB</B>
2106 <P><LI><B>/usr/afs/etc/ThisCell</B>
2107 <P><LI><B>/usr/afs/local</B>
2108 <P><LI><B>/usr/afs/logs</B>
2110 <P>The BOS Server also creates symbolic links called
2111 <B>/usr/vice/etc/ThisCell</B> and <B>/usr/vice/etc/CellServDB</B> to
2112 the corresponding files in the <B>/usr/afs/etc</B> directory. The
2113 AFS command interpreters consult the <B>CellServDB</B> and
2114 <B>ThisCell</B> files in the <B>/usr/vice/etc</B> directory because
2115 they generally run on client machines. On machines that are AFS servers
2116 only (as this machine currently is), the files reside only in the
2117 <B>/usr/afs/etc</B> directory; the links enable the command
2118 interpreters to retrieve the information they need. Later instructions
2119 for installing the client functionality replace the links with actual
2122 <P><LI>On the local <B>/cdrom</B> directory, mount the AFS CD-ROM for this
2123 machine's system type, if it is not already. For instructions on
2124 mounting CD-ROMs (either locally or remotely via NFS), consult the operating
2125 system documentation.
2126 <P><LI>Copy files from the CD-ROM to the local <B>/usr/afs</B>
2129 # <B>cd /cdrom/</B><VAR>sysname</VAR><B>/root.server/usr/afs</B>
2131 # <B>cp -rp * /usr/afs</B>
2134 <A NAME="IDX2380"></A>
2135 <A NAME="IDX2381"></A>
2136 <P><LI>Issue the <B>bosserver</B> command. Include the
2137 <B>-noauth</B> flag to disable authorization checking.
2139 # <B>/usr/afs/bin/bosserver -noauth &</B>
2142 <P><LI>Verify that the BOS Server created <B>/usr/vice/etc/ThisCell</B> and
2143 <B>/usr/vice/etc/CellServDB</B> as symbolic links to the corresponding
2144 files in the <B>/usr/afs/etc</B> directory.
2146 # <B>ls -l /usr/vice/etc</B>
2148 <P>If either or both of <B>/usr/vice/etc/ThisCell</B> and
2149 <B>/usr/vice/etc/CellServDB</B> do not exist, or are not links, issue the
2152 # <B>cd /usr/vice/etc</B>
2154 # <B>ln -s /usr/afs/etc/ThisCell</B>
2156 # <B>ln -s /usr/afs/etc/CellServDB</B>
2160 <A NAME="IDX2382"></A>
2161 <A NAME="IDX2383"></A>
2162 <A NAME="IDX2384"></A>
2163 <A NAME="IDX2385"></A>
2164 <A NAME="IDX2386"></A>
2165 <A NAME="IDX2387"></A>
2166 <A NAME="IDX2388"></A>
2167 <A NAME="IDX2389"></A>
2168 <A NAME="IDX2390"></A>
2169 <A NAME="IDX2391"></A>
2170 <A NAME="IDX2392"></A>
2171 <A NAME="IDX2393"></A>
2172 <A NAME="IDX2394"></A>
2173 <A NAME="IDX2395"></A>
2174 <A NAME="IDX2396"></A>
2175 <A NAME="IDX2397"></A>
2176 <A NAME="IDX2398"></A>
2177 <HR><H2><A NAME="HDRWQ51" HREF="auqbg002.htm#ToC_64">Defining Cell Name and Membership for Server Processes</A></H2>
2178 <P>Now assign your cell's name. The chapter in the
2179 <I>IBM AFS Administration Guide</I> about cell configuration and
2180 administration issues discusses the important considerations, explains why
2181 changing the name is difficult, and outlines the restrictions on name
2182 format. Two of the most important restrictions are that the name cannot
2183 include uppercase letters or more than 64 characters.
2184 <P>Use the <B>bos setcellname</B> command to assign the cell name.
2185 It creates two files:
2187 <P><LI><B>/usr/afs/etc/ThisCell</B>, which defines this machine's cell
2189 <P><LI><B>/usr/afs/etc/CellServDB</B>, which lists the cell's database
2190 server machines; the machine named on the command line is placed on the
2193 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">In the following and every instruction in this guide, for the
2194 <VAR>machine name</VAR> argument substitute the fully-qualified hostname
2195 (such as <B>fs1.abc.com</B>) of the machine you are
2196 installing. For the <VAR>cell name</VAR> argument substitute your
2197 cell's complete name (such as <B>abc.com</B>).
2199 <A NAME="IDX2399"></A>
2200 <A NAME="IDX2400"></A>
2202 <P><LI>Issue the <B>bos setcellname</B> command to set the cell name.
2204 # <B>cd /usr/afs/bin</B>
2206 # <B>./bos setcellname</B> <<VAR>machine name</VAR>> <<VAR>cell name</VAR>> <B>-noauth</B>
2208 <P>Because you are not authenticated and authorization checking is disabled,
2209 the <B>bos</B> command interpreter possibly produces error messages about
2210 being unable to obtain tickets and running unauthenticated. You can
2211 safely ignore the messages.
2212 <A NAME="IDX2401"></A>
2213 <A NAME="IDX2402"></A>
2214 <A NAME="IDX2403"></A>
2215 <A NAME="IDX2404"></A>
2216 <P><LI>Issue the <B>bos listhosts</B> command to verify that the machine you
2217 are installing is now registered as the cell's first database server
2220 # <B>./bos listhosts</B> <<VAR>machine name</VAR>> <B>-noauth</B>
2221 Cell name is <VAR>cell_name</VAR>
2222 Host 1 is <VAR>machine_name</VAR>
2226 <A NAME="IDX2405"></A>
2227 <A NAME="IDX2406"></A>
2228 <A NAME="IDX2407"></A>
2229 <A NAME="IDX2408"></A>
2230 <A NAME="IDX2409"></A>
2231 <A NAME="IDX2410"></A>
2232 <A NAME="IDX2411"></A>
2233 <A NAME="IDX2412"></A>
2234 <A NAME="IDX2413"></A>
2235 <A NAME="IDX2414"></A>
2236 <A NAME="IDX2415"></A>
2237 <A NAME="IDX2416"></A>
2238 <A NAME="IDX2417"></A>
2239 <A NAME="IDX2418"></A>
2240 <A NAME="IDX2419"></A>
2241 <A NAME="IDX2420"></A>
2242 <A NAME="IDX2421"></A>
2243 <A NAME="IDX2422"></A>
2244 <A NAME="IDX2423"></A>
2245 <A NAME="IDX2424"></A>
2246 <A NAME="IDX2425"></A>
2247 <A NAME="IDX2426"></A>
2248 <A NAME="IDX2427"></A>
2249 <A NAME="IDX2428"></A>
2250 <A NAME="IDX2429"></A>
2251 <HR><H2><A NAME="HDRWQ52" HREF="auqbg002.htm#ToC_65">Starting the Database Server Processes</A></H2>
2252 <P>Next use the <B>bos create</B> command to create entries
2253 for the four database server processes in the
2254 <B>/usr/afs/local/BosConfig</B> file and start them running. The
2255 four processes run on database server machines only:
2257 <P><LI>The Authentication Server (the <B>kaserver</B> process) maintains the
2258 Authentication Database
2259 <P><LI>The Backup Server (the <B>buserver</B> process) maintains the Backup
2261 <P><LI>The Protection Server (the <B>ptserver</B> process) maintains the
2263 <P><LI>The Volume Location (VL) Server (the <B>vlserver</B> process)
2264 maintains the Volume Location Database (VLDB)
2266 <A NAME="IDX2430"></A>
2267 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">AFS's authentication and authorization software is based on algorithms
2268 and other procedures known as <I>Kerberos</I>, as originally developed by
2269 Project Athena at the Massachusetts Institute of Technology. Some cells
2270 choose to replace the AFS Authentication Server and other security-related
2271 protocols with Kerberos as obtained directly from Project Athena or other
2272 sources. If you wish to do this, contact the AFS Product Support group
2273 now to learn about necessary modifications to the installation.
2275 <P>The remaining instructions in this chapter include the <B>-cell</B>
2276 argument on all applicable commands. Provide the cell name you assigned
2277 in <A HREF="#HDRWQ51">Defining Cell Name and Membership for Server Processes</A>. If a command appears on multiple lines, it is only
2279 <A NAME="IDX2431"></A>
2280 <A NAME="IDX2432"></A>
2282 <P><LI>Issue the <B>bos create</B> command to start the Authentication
2283 Server. The current working directory is still
2284 <B>/usr/afs/bin</B>.
2286 # <B>./bos create</B> <<VAR>machine name</VAR>> <B>kaserver simple /usr/afs/bin/kaserver</B> \
2287 <B> -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2289 <P>You can safely ignore the messages that tell you to add Kerberos to the
2290 <B>/etc/services</B> file; AFS uses a default value that makes the
2291 addition unnecessary. You can also ignore messages about the failure of
2293 <P><LI>Issue the <B>bos create</B> command to start the Backup Server.
2295 # <B>./bos create</B> <<VAR>machine name</VAR>> <B>buserver simple /usr/afs/bin/buserver</B> \
2296 <B> -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2299 <P><LI>Issue the <B>bos create</B> command to start the Protection
2302 # <B>./bos create</B> <<VAR>machine name</VAR>> <B>ptserver simple /usr/afs/bin/ptserver</B> \
2303 <B> -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2306 <P><LI>Issue the <B>bos create</B> command to start the VL Server.
2308 # <B>./bos create</B> <<VAR>machine name</VAR>> <B>vlserver simple /usr/afs/bin/vlserver</B> \
2309 <B> -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2313 <A NAME="IDX2433"></A>
2314 <A NAME="IDX2434"></A>
2315 <A NAME="IDX2435"></A>
2316 <A NAME="IDX2436"></A>
2317 <A NAME="IDX2437"></A>
2318 <A NAME="IDX2438"></A>
2319 <A NAME="IDX2439"></A>
2320 <A NAME="IDX2440"></A>
2321 <A NAME="IDX2441"></A>
2322 <A NAME="IDX2442"></A>
2323 <A NAME="IDX2443"></A>
2324 <A NAME="IDX2444"></A>
2325 <A NAME="IDX2445"></A>
2326 <HR><H2><A NAME="HDRWQ53" HREF="auqbg002.htm#ToC_66">Initializing Cell Security</A></H2>
2327 <P>Now initialize the cell's security mechanisms.
2328 Begin by creating the following two initial entries in the Authentication
2331 <P><LI>A generic administrative account, called <B>admin</B> by
2332 convention. If you choose to assign a different name, substitute it
2333 throughout the remainder of this document.
2334 <P>After you complete the installation of the first machine, you can continue
2335 to have all administrators use the <B>admin</B> account, or you can create
2336 a separate administrative account for each of them. The latter scheme
2337 implies somewhat more overhead, but provides a more informative audit trail
2338 for administrative operations.
2339 <P><LI>The entry for AFS server processes, called <B>afs</B>. No user
2340 logs in under this identity, but the Authentication Server's Ticket
2341 Granting Service (TGS) module uses the associated key to encrypt the server
2342 tickets that it grants to AFS clients for presentation to server processes
2343 during mutual authentication. (The chapter in the <I>IBM AFS
2344 Administration Guide</I> about cell configuration and administration
2345 describes the role of server encryption keys in mutual authentication.)
2346 <P>In Step <A HREF="#LIWQ58">7</A>, you also place the initial AFS server encryption key into
2347 the <B>/usr/afs/etc/KeyFile</B> file. The AFS server processes
2348 refer to this file to learn the server encryption key when they need to
2349 decrypt server tickets.
2351 <P>You also issue several commands that enable the new <B>admin</B> user
2352 to issue privileged commands in all of the AFS suites.
2353 <P>The following instructions do not configure all of the security mechanisms
2354 related to the AFS Backup System. See the chapter in the <I>IBM AFS
2355 Administration Guide</I> about configuring the Backup System.
2357 <A NAME="IDX2446"></A>
2358 <A NAME="IDX2447"></A>
2359 <A NAME="IDX2448"></A>
2360 <P><LI>Enter <B>kas</B> interactive mode. Because the machine is in
2361 no-authorization checking mode, include the <B>-noauth</B> flag to
2362 suppress the Authentication Server's usual prompt for a password.
2364 # <B>kas -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2368 <A NAME="IDX2449"></A>
2369 <A NAME="IDX2450"></A>
2370 <A NAME="IDX2451"></A>
2371 <A NAME="IDX2452"></A>
2372 <P><LI><A NAME="LIWQ54"></A>Issue the <B>kas create</B> command to create Authentication
2373 Database entries called <B>admin</B> and <B>afs</B>.
2374 <P>Do not provide passwords on the command line. Instead provide them
2375 as <VAR>afs_passwd</VAR> and <VAR>admin_passwd</VAR> in response to the
2376 <B>kas</B> command interpreter's prompts as shown, so that they do
2377 not appear on the standard output stream.
2378 <P>You need to enter the <VAR>afs_passwd</VAR> string only in this step and in
2379 Step <A HREF="#LIWQ58">7</A>, so provide a value that is as long and complex as possible,
2380 preferably including numerals, punctuation characters, and both uppercase and
2381 lowercase letters. Also make the <VAR>admin_passwd</VAR> as long and
2382 complex as possible, but keep in mind that administrators need to enter it
2383 often. Both passwords must be at least six characters long.
2385 ka> <B>create afs</B>
2386 initial_password: <VAR>afs_passwd</VAR>
2387 Verifying, please re-enter initial_password: <VAR>afs_passwd</VAR>
2389 ka> <B>create admin</B>
2390 initial_password: <VAR>admin_passwd</VAR>
2391 Verifying, please re-enter initial_password: <VAR>admin_passwd</VAR>
2394 <A NAME="IDX2453"></A>
2395 <A NAME="IDX2454"></A>
2396 <A NAME="IDX2455"></A>
2397 <P><LI><A NAME="LIWQ55"></A>Issue the <B>kas examine</B> command to display the
2398 <B>afs</B> entry. The output includes a checksum generated by
2399 encrypting a constant with the server encryption key derived from the
2400 <VAR>afs_passwd</VAR> string. In Step <A HREF="#LIWQ59">8</A> you issue the <B>bos listkeys</B> command to verify
2401 that the checksum in its output matches the checksum in this output.
2403 ka> <B>examine afs</B>
2405 key (0) cksum is <VAR>checksum</VAR> . . .
2408 <A NAME="IDX2456"></A>
2409 <A NAME="IDX2457"></A>
2410 <A NAME="IDX2458"></A>
2411 <P><LI><A NAME="LIWQ56"></A>Issue the <B>kas setfields</B> command to turn on the
2412 <TT>ADMIN</TT> flag in the <B>admin</B> entry. This enables the
2413 <B>admin</B> user to issue privileged <B>kas</B> commands. Then
2414 issue the <B> kas examine</B> command to verify that the <TT>ADMIN</TT>
2415 flag appears in parentheses on the first line of the output, as shown in the
2418 ka> <B>setfields admin -flags admin</B>
2420 ka> <B>examine admin </B>
2421 User data for admin (ADMIN) . . .
2424 <A NAME="IDX2459"></A>
2425 <A NAME="IDX2460"></A>
2426 <A NAME="IDX2461"></A>
2427 <P><LI>Issue the <B>kas quit</B> command to leave <B>kas</B> interactive
2433 <A NAME="IDX2462"></A>
2434 <A NAME="IDX2463"></A>
2435 <A NAME="IDX2464"></A>
2436 <A NAME="IDX2465"></A>
2437 <A NAME="IDX2466"></A>
2438 <A NAME="IDX2467"></A>
2439 <A NAME="IDX2468"></A>
2440 <P><LI><A NAME="LIWQ57"></A>Issue the <B>bos adduser</B> command to add the
2441 <B>admin</B> user to the <B>/usr/afs/etc/UserList</B> file.
2442 This enables the <B>admin</B> user to issue privileged <B>bos</B> and
2443 <B>vos</B> commands.
2445 # <B>./bos adduser</B> <<VAR>machine name</VAR>> <B>admin -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2448 <A NAME="IDX2469"></A>
2449 <A NAME="IDX2470"></A>
2450 <A NAME="IDX2471"></A>
2451 <A NAME="IDX2472"></A>
2452 <P><LI><A NAME="LIWQ58"></A>Issue the <B>bos addkey</B> command to define the AFS server
2453 encryption key in the <B>/usr/afs/etc/KeyFile</B> file.
2454 <P>Do not provide the password on the command line. Instead provide it
2455 as <VAR>afs_passwd</VAR> in response to the <B>bos</B> command
2456 interpreter's prompts, as shown. Provide the same string as in
2457 Step <A HREF="#LIWQ54">2</A>.
2459 # <B>./bos addkey</B> <<VAR>machine name</VAR>> <B>-kvno 0 -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2460 Input key: <VAR>afs_passwd</VAR>
2461 Retype input key: <VAR>afs_passwd</VAR>
2464 <A NAME="IDX2473"></A>
2465 <A NAME="IDX2474"></A>
2466 <A NAME="IDX2475"></A>
2467 <P><LI><A NAME="LIWQ59"></A>Issue the <B>bos listkeys</B> command to verify that the
2468 checksum for the new key in the <B>KeyFile</B> file is the same as the
2469 checksum for the key in the Authentication Database's <B>afs</B>
2470 entry, which you displayed in Step <A HREF="#LIWQ55">3</A>.
2472 # <B>./bos listkeys</B> <<VAR>machine name</VAR>> <B>-cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2473 key 0 has cksum <VAR>checksum</VAR>
2475 <P>You can safely ignore any error messages indicating that <B>bos</B>
2476 failed to get tickets or that authentication failed.
2477 <P>If the keys are different, issue the following commands, making sure that
2478 the <VAR>afs_passwd</VAR> string is the same in each case. The
2479 <VAR>checksum</VAR> strings reported by the <B>kas examine</B> and <B>bos
2480 listkeys</B> commands must match; if they do not, repeat these
2481 instructions until they do, using the <B>-kvno</B> argument to increment
2482 the key version number each time.
2484 # <B>./kas -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2486 ka> <B>setpassword afs -kvno 1</B>
2487 new_password: <VAR>afs_passwd</VAR>
2488 Verifying, please re-enter initial_password: <VAR>afs_passwd</VAR>
2490 ka> <B>examine afs</B>
2492 key (1) cksum is <VAR>checksum</VAR> . . .
2496 # <B>./bos addkey</B> <<VAR>machine name</VAR>> <B>-kvno 1 -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2497 Input key: <VAR>afs_passwd</VAR>
2498 Retype input key: <VAR>afs_passwd</VAR>
2500 # <B>./bos listkeys</B> <<VAR>machine name</VAR>> <B>-cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2501 key 1 has cksum <VAR>checksum</VAR>
2504 <A NAME="IDX2476"></A>
2505 <A NAME="IDX2477"></A>
2506 <A NAME="IDX2478"></A>
2507 <P><LI>Issue the <B>pts createuser</B> command to create a Protection
2508 Database entry for the <B>admin</B> user.
2509 <P>By default, the Protection Server assigns AFS UID 1 (one) to the
2510 <B>admin</B> user, because it is the first user entry you are
2511 creating. If the local password file (<B>/etc/passwd</B> or
2512 equivalent) already has an entry for <B>admin</B> that assigns it a UNIX
2513 UID other than 1, it is best to use the <B>-id</B> argument to the
2514 <B>pts createuser</B> command to make the new AFS UID match the existing
2515 UNIX UID. Otherwise, it is best to accept the default.
2517 # <B>./pts createuser -name admin -cell</B> <<VAR>cell name</VAR>> [<B>-id</B> <<VAR>AFS UID</VAR>>] <B>-noauth</B>
2518 User admin has id <VAR>AFS UID</VAR>
2521 <A NAME="IDX2479"></A>
2522 <A NAME="IDX2480"></A>
2523 <A NAME="IDX2481"></A>
2524 <A NAME="IDX2482"></A>
2525 <P><LI>Issue the <B>pts adduser</B> command to make the <B>admin</B> user
2526 a member of the <B>system:administrators</B> group, and the <B>pts
2527 membership</B> command to verify the new membership. Membership in
2528 the group enables the <B>admin</B> user to issue privileged <B>pts</B>
2529 commands and some privileged <B>fs</B> commands.
2531 # <B>./pts adduser admin system:administrators -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2533 # <B>./pts membership admin -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2534 Groups admin (id: 1) is a member of:
2535 system:administrators
2538 <A NAME="IDX2483"></A>
2539 <A NAME="IDX2484"></A>
2540 <A NAME="IDX2485"></A>
2541 <A NAME="IDX2486"></A>
2542 <P><LI>Issue the <B>bos restart</B> command with the <B>-all</B> flag to
2543 restart the database server processes, so that they start using the new server
2546 # <B>./bos restart</B> <<VAR>machine name</VAR>> <B>-all -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2550 <A NAME="IDX2487"></A>
2551 <A NAME="IDX2488"></A>
2552 <A NAME="IDX2489"></A>
2553 <A NAME="IDX2490"></A>
2554 <A NAME="IDX2491"></A>
2555 <A NAME="IDX2492"></A>
2556 <A NAME="IDX2493"></A>
2557 <A NAME="IDX2494"></A>
2558 <A NAME="IDX2495"></A>
2559 <A NAME="IDX2496"></A>
2560 <A NAME="IDX2497"></A>
2561 <A NAME="IDX2498"></A>
2562 <HR><H2><A NAME="HDRWQ60" HREF="auqbg002.htm#ToC_67">Starting the File Server, Volume Server, and Salvager</A></H2>
2563 <P>Start the <B>fs</B> process, which consists of the File
2564 Server, Volume Server, and Salvager (<B>fileserver</B>,
2565 <B>volserver</B> and <B>salvager</B> processes).
2567 <P><LI>Issue the <B>bos create</B> command to start the <B>fs</B>
2568 process. The command appears here on multiple lines only for
2571 # <B>./bos create</B> <<VAR>machine name</VAR>> <B>fs fs /usr/afs/bin/fileserver</B> \
2572 <B>/usr/afs/bin/volserver /usr/afs/bin/salvager</B> \
2573 <B>-cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2575 <P>Sometimes a message about Volume Location Database (VLDB) initialization
2576 appears, along with one or more instances of an error message similar to the
2579 FSYNC_clientInit temporary failure (will retry)
2581 <P>This message appears when the <B>volserver</B> process tries to start
2582 before the <B>fileserver</B> process has completed its
2583 initialization. Wait a few minutes after the last such message before
2584 continuing, to guarantee that both processes have started successfully.
2585 <A NAME="IDX2499"></A>
2586 <A NAME="IDX2500"></A>
2587 <P>You can verify that the <B>fs</B> process has started successfully by
2588 issuing the <B>bos status</B> command. Its output mentions two
2589 <TT>proc starts</TT>.
2591 # <B>./bos status</B> <<VAR>machine name</VAR>> <B>fs -long -noauth</B>
2594 <P><LI>Your next action depends on whether you have ever run AFS file server
2595 machines in the cell:
2597 <A NAME="IDX2501"></A>
2598 <A NAME="IDX2502"></A>
2599 <A NAME="IDX2503"></A>
2600 <A NAME="IDX2504"></A>
2601 <A NAME="IDX2505"></A>
2602 <P><LI>If you are installing the first AFS server machine ever in the cell (that
2603 is, you are not upgrading the AFS software from a previous version), create
2604 the first AFS volume, <B>root.afs</B>.
2605 <P>For the <VAR>partition name</VAR> argument, substitute the name of one of
2606 the machine's AFS server partitions (such as <B>/vicepa</B>).
2608 # <B>./vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <B>root.afs</B> \
2609 <B>-cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2611 <P>The Volume Server produces a message confirming that it created the volume
2612 on the specified partition. You can ignore error messages indicating
2613 that tokens are missing, or that authentication failed.
2614 <A NAME="IDX2506"></A>
2615 <A NAME="IDX2507"></A>
2616 <A NAME="IDX2508"></A>
2617 <A NAME="IDX2509"></A>
2618 <P><LI>If there are existing AFS file server machines and volumes in the cell,
2619 issue the <B>vos syncvldb</B> and <B>vos syncserv</B> commands to
2620 synchronize the VLDB with the actual state of volumes on the local
2621 machine. To follow the progress of the synchronization operation, which
2622 can take several minutes, use the <B>-verbose</B> flag.
2624 # <B>./vos syncvldb</B> <<VAR>machine name</VAR>> <B>-cell</B> <<VAR>cell name</VAR>> <B>-verbose -noauth</B>
2626 # <B>./vos syncserv</B> <<VAR>machine name</VAR>> <B>-cell</B> <<VAR>cell name</VAR>> <B>-verbose -noauth</B>
2628 <P>You can ignore error messages indicating that tokens are missing, or that
2629 authentication failed.
2632 <A NAME="IDX2510"></A>
2633 <A NAME="IDX2511"></A>
2634 <A NAME="IDX2512"></A>
2635 <A NAME="IDX2513"></A>
2636 <A NAME="IDX2514"></A>
2637 <A NAME="IDX2515"></A>
2638 <A NAME="IDX2516"></A>
2639 <A NAME="IDX2517"></A>
2640 <HR><H2><A NAME="HDRWQ61" HREF="auqbg002.htm#ToC_68">Starting the Server Portion of the Update Server</A></H2>
2641 <P>Start the server portion of the Update Server (the
2642 <B>upserver</B> process), to distribute the contents of directories on
2643 this machine to other server machines in the cell. It becomes active
2644 when you configure the client portion of the Update Server on additional
2646 <P>Distributing the contents of its <B>/usr/afs/etc</B> directory makes
2647 this machine the cell's <I>system control machine</I>. The
2648 other server machines in the cell run the <B>upclientetc</B> process (an
2649 instance of the client portion of the Update Server) to retrieve the
2650 configuration files. Use the <B>-crypt</B> argument to the
2651 <B>upserver</B> initialization command to specify that the Update Server
2652 distributes the contents of the <B>/usr/afs/etc</B> directory only in
2653 encrypted form, as shown in the following instruction. Several of the
2654 files in the directory, particularly the <B>KeyFile</B> file, are crucial
2655 to cell security and so must never cross the network unencrypted.
2656 <P>(You can choose not to configure a system control machine, in which case
2657 you must update the configuration files in each server machine's
2658 <B>/usr/afs/etc</B> directory individually. The <B>bos</B>
2659 commands used for this purpose also encrypt data before sending it across the
2661 <P>Distributing the contents of its <B>/usr/afs/bin</B> directory to other
2662 server machines of its system type makes this machine a <I>binary
2663 distribution machine</I>. The other server machines of its system
2664 type run the <B>upclientbin</B> process (an instance of the client portion
2665 of the Update Server) to retrieve the binaries.
2666 <P>The binaries in the <B>/usr/afs/bin</B> directory are not sensitive, so
2667 it is not necessary to encrypt them before transfer across the network.
2668 Include the <B>-clear</B> argument to the <B>upserver</B>
2669 initialization command to specify that the Update Server distributes the
2670 contents of the <B>/usr/afs/bin</B> directory in unencrypted form unless
2671 an <B>upclientbin</B> process requests encrypted transfer.
2672 <P>Note that the server and client portions of the Update Server always
2673 mutually authenticate with one another, regardless of whether you use the
2674 <B>-clear</B> or <B>-crypt</B> arguments. This protects their
2675 communications from eavesdropping to some degree.
2676 <P>For more information on the <B>upclient</B> and <B>upserver</B>
2677 processes, see their reference pages in the <I>IBM AFS Administration
2678 Reference</I>. The commands appear on multiple lines here only for
2681 <P><LI>Issue the <B>bos create</B> command to start the <B>upserver</B>
2684 # <B>./bos create</B> <<VAR>machine name></VAR> <B>upserver simple</B> \
2685 <B>"/usr/afs/bin/upserver -crypt /usr/afs/etc </B> \
2686 <B>-clear /usr/afs/bin" -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2690 <A NAME="IDX2518"></A>
2691 <A NAME="IDX2519"></A>
2692 <A NAME="IDX2520"></A>
2693 <A NAME="IDX2521"></A>
2694 <A NAME="IDX2522"></A>
2695 <A NAME="IDX2523"></A>
2696 <HR><H2><A NAME="HDRWQ62" HREF="auqbg002.htm#ToC_69">Starting the Controller for NTPD</A></H2>
2697 <P>Keeping the clocks on all server and client machines in your
2698 cell synchronized is crucial to several functions, and in particular to the
2699 correct operation of AFS's distributed database technology, Ubik.
2700 The chapter in the <I>IBM AFS Administration Guide</I> about administering
2701 server machines explains how time skew can disturb Ubik's performance and
2702 cause service outages in your cell.
2703 <P>The AFS distribution includes a version of the Network Time Protocol Daemon
2704 (NTPD) for synchronizing the clocks on server machines. If a time
2705 synchronization program is not already running on the machine, then in this
2706 section you start the <B>runntp</B> process to configure NTPD for use with
2708 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Do not run the <B>runntp</B> process if NTPD or another time
2709 synchronization protocol is already running on the machine. Some
2710 versions of some operating systems run a time synchronization program by
2711 default, as detailed in the <I>IBM AFS Release Notes</I>.
2712 <P>Attempting to run multiple instances of the NTPD causes an error.
2713 Running NTPD together with another time synchronization protocol is
2714 unnecessary and can cause instability in the clock setting.
2716 <P>If you run the <B>runntp</B> process and your cell has reliable network
2717 connectivity to machines outside your cell, then it is conventional to
2718 configure the first AFS machine to refer to a time source outside the
2719 cell. When you later install the <B>runntp</B> program on other
2720 server machines in the cell, it configures NTPD to choose a time source at
2721 random from among the database server machines listed in the
2722 <B>/usr/afs/etc/CellServDB</B> file. Time synchronization therefore
2723 works in a chained manner: this database server machine refers to a time
2724 source outside the cell, the database server machines refer to the machine
2725 among them that has access to the most accurate time (NTPD itself includes
2726 code for determining this), and each non-database server machine refers to a
2727 local database server machine chosen at random from the
2728 <B>/usr/afs/etc/CellServDB</B> file. If you ever decide to remove
2729 database server functionality from this machine, it is best to transfer
2730 responsibility for consulting an external time source to a remaining database
2732 <P>If your cell does not have network connectivity to external machines, or if
2733 the connectivity is not reliable, include the <B>-localclock</B> flag to
2734 the <B>runntp</B> command as indicated in the following
2735 instructions. The flag tells NTPD to rely on the machine's
2736 internal clock when all external time sources are inaccessible. The
2737 <B>runntp</B> command has other arguments that are possibly useful given
2738 your cell configuration; see the <I>IBM AFS Administration
2740 <P>Choosing an appropriate external time source is important, but involves
2741 more considerations than can be discussed here. If you need help in
2742 selecting a source, contact the AFS Product Support group.
2743 <P>As the <B>runntp</B> process initializes NTPD, trace messages sometimes
2744 appear on the standard output stream. You can ignore them, but they can
2745 be informative if you understand how NTPD works.
2747 <P><LI>Issue the <B>bos create</B> command to start the <B>runntp</B>
2748 process. For the <VAR>host</VAR> argument, substitute the fully-qualified
2749 hostname or IP address of one or more machines outside the cell that are to
2750 serve as time sources. Separate each name with a space.
2752 <P><LI>If your cell usually has reliable network connectivity to an external time
2753 source, use the following command:
2755 # <B>./bos create </B> <<VAR>machine name</VAR>> <B>runntp simple</B> \
2756 <B>"/usr/afs/bin/runntp</B> <<VAR>host</VAR>>+<B>" -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2759 <P><LI>If your cell does not have network connectivity to an external time
2760 source, use the following command:
2762 # <B>./bos create</B> <<VAR>machine name</VAR>> <B>runntp simple</B> \
2763 <B>"/usr/afs/bin/runntp -localclock"</B> <B>-cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2766 <P><LI>If your cell has network connectivity to an external time source, but the
2767 network connection is frequently interrupted, use the following command:
2770 # <B>./bos create</B> <<VAR>machine name</VAR>> <B>runntp simple</B> \
2771 <B>"/usr/afs/bin/runntp -localclock</B> <<VAR>host</VAR>>+<B>"</B> \
2772 <B>-cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2777 <A NAME="IDX2524"></A>
2778 <A NAME="IDX2525"></A>
2779 <A NAME="IDX2526"></A>
2780 <HR><H2><A NAME="HDRWQ63" HREF="auqbg002.htm#ToC_70">Overview: Installing Client Functionality</A></H2>
2781 <P>The machine you are installing is now an AFS file server
2782 machine, database server machine, system control machine, and binary
2783 distribution machine. Now make it a client machine by completing the
2786 <P><LI>Define the machine's cell membership for client processes
2787 <P><LI>Create the client version of the <B>CellServDB</B> file
2788 <P><LI>Define cache location and size
2789 <P><LI>Create the <B>/afs</B> directory and start the Cache Manager
2791 <A NAME="IDX2527"></A>
2792 <A NAME="IDX2528"></A>
2793 <A NAME="IDX2529"></A>
2794 <HR><H2><A NAME="HDRWQ64" HREF="auqbg002.htm#ToC_71">Copying Client Files to the Local Disk</A></H2>
2795 <P>Before installing and configuring the AFS client, copy the
2796 necessary files from the AFS CD-ROM to the local <B>/usr/vice/etc</B>
2799 <P><LI>On the local <B>/cdrom</B> directory, mount the AFS CD-ROM for this
2800 machine's system type, if it is not already. For instructions on
2801 mounting CD-ROMs (either locally or remotely via NFS), consult the operating
2802 system documentation.
2803 <P><LI>Copy files to the local <B>/usr/vice/etc</B> directory.
2804 <P>This step places a copy of the AFS initialization script (and related
2805 files, if applicable) into the <B>/usr/vice/etc</B> directory. In
2806 the preceding instructions for incorporating AFS into the kernel, you copied
2807 the script directly to the operating system's conventional location for
2808 initialization files. When you incorporate AFS into the machine's
2809 startup sequence in a later step, you can choose to link the two files.
2810 <P>On some system types that use a dynamic kernel loader program, you
2811 previously copied AFS library files into a subdirectory of the
2812 <B>/usr/vice/etc</B> directory. On other system types, you copied
2813 the appropriate AFS library file directly to the directory where the operating
2814 system accesses it. The following commands do not copy or recopy the
2815 AFS library files into the <B>/usr/vice/etc</B> directory, because on some
2816 system types the library files consume a large amount of space. If you
2817 want to copy them, add the <B>-r</B> flag to the first <B>cp</B>
2818 command and skip the second <B>cp</B> command.
2820 # <B>cd /cdrom/</B><VAR>sysname</VAR><B>/root.client/usr/vice/etc</B>
2822 # <B>cp -p * /usr/vice/etc</B>
2824 # <B>cp -rp C /usr/vice/etc</B>
2828 <A NAME="IDX2530"></A>
2829 <A NAME="IDX2531"></A>
2830 <A NAME="IDX2532"></A>
2831 <A NAME="IDX2533"></A>
2832 <A NAME="IDX2534"></A>
2833 <A NAME="IDX2535"></A>
2834 <A NAME="IDX2536"></A>
2835 <HR><H2><A NAME="HDRWQ65" HREF="auqbg002.htm#ToC_72">Defining Cell Membership for Client Processes</A></H2>
2836 <P>Every AFS client machine has a copy of the
2837 <B>/usr/vice/etc/ThisCell</B> file on its local disk to define the
2838 machine's cell membership for the AFS client programs that run on
2839 it. The <B>ThisCell</B> file you created in the
2840 <B>/usr/afs/etc</B> directory (in <A HREF="#HDRWQ51">Defining Cell Name and Membership for Server Processes</A>) is used only by server processes.
2841 <P>Among other functions, the <B>ThisCell</B> file on a client machine
2842 determines the following:
2844 <P><LI>The cell in which users authenticate when they log onto the machine,
2845 assuming it is using an AFS-modified login utility
2846 <P><LI>The cell in which users authenticate by default when they issue the
2848 <P><LI>The cell membership of the AFS server processes that the AFS command
2849 interpreters on this machine contact by default
2852 <P><LI>Change to the <B>/usr/vice/etc</B> directory and remove the symbolic
2853 link created in <A HREF="#HDRWQ50">Starting the BOS Server</A>.
2855 # <B>cd /usr/vice/etc</B>
2857 # <B>rm ThisCell</B>
2860 <P><LI>Create the <B>ThisCell</B> file as a copy of the
2861 <B>/usr/afs/etc/ThisCell</B> file. Defining the same local cell for
2862 both server and client processes leads to the most consistent AFS
2865 # <B>cp /usr/afs/etc/ThisCell ThisCell</B>
2869 <A NAME="IDX2537"></A>
2870 <A NAME="IDX2538"></A>
2871 <A NAME="IDX2539"></A>
2872 <A NAME="IDX2540"></A>
2873 <A NAME="IDX2541"></A>
2874 <A NAME="IDX2542"></A>
2875 <A NAME="IDX2543"></A>
2876 <A NAME="IDX2544"></A>
2877 <HR><H2><A NAME="HDRWQ66" HREF="auqbg002.htm#ToC_73">Creating the Client CellServDB File</A></H2>
2878 <P>The <B>/usr/vice/etc/CellServDB</B> file on a client
2879 machine's local disk lists the database server machines for each cell
2880 that the local Cache Manager can contact. If there is no entry in the
2881 file for a cell, or if the list of database server machines is wrong, then
2882 users working on this machine cannot access the cell. The chapter in
2883 the <I>IBM AFS Administration Guide</I> about administering client
2884 machines explains how to maintain the file after creating it.
2885 <P>As the <B>afsd</B> program initializes the Cache Manager, it copies the
2886 contents of the <B>CellServDB</B> file into kernel memory. The
2887 Cache Manager always consults the list in kernel memory rather than the
2888 <B>CellServDB</B> file itself. Between reboots of the machine, you
2889 can use the <B>fs newcell</B> command to update the list in kernel memory
2890 directly; see the chapter in the <I>IBM AFS Administration Guide</I>
2891 about administering client machines.
2892 <P>The AFS distribution includes the file <B>CellServDB.sample</B>,
2893 and you have already copied it to the <B>/usr/vice/etc</B>
2894 directory. It includes an entry for all AFS cells that agreed to share
2895 their database server machine information at the time your AFS CD-ROM was
2896 created. The AFS Product Support group also maintains a copy of the
2897 file, updating it as necessary. If you are interested in participating
2898 in the global AFS namespace, it is a good policy to consult the file
2899 occasionally for updates. Ask the AFS Product Support group for a
2900 pointer to its location.
2901 <P>The <B>CellServDB.sample</B> file can be a good basis for the
2902 client <B>CellServDB</B> file, because all of the entries in it use the
2903 correct format. You can add or remove cell entries as you see
2904 fit. Later (in <A HREF="#HDRWQ91">Enabling Access to Foreign Cells</A>) you perform additional steps that enable the Cache
2905 Manager actually to reach the cells.
2906 <P>In this section, you add an entry for the local cell to the local
2907 <B>CellServDB</B> file. The current working directory is still
2908 <B>/usr/vice/etc</B>.
2910 <P><LI>Remove the symbolic link created in <A HREF="#HDRWQ50">Starting the BOS Server</A> and rename the <B>CellServDB.sample</B> file to
2913 # <B>rm CellServDB</B>
2915 # <B>mv CellServDB.sample CellServDB</B>
2918 <P><LI>Add an entry for the local cell to the <B>CellServDB</B> file.
2919 One easy method is to use the <B>cat</B> command to append the contents of
2920 the server <B>/usr/afs/etc/CellServDB</B> file to the client
2923 # <B>cat /usr/afs/etc/CellServDB >> CellServDB</B>
2925 <P>Then open the file in a text editor to verify that there are no blank
2926 lines, and that all entries have the required format, which is described just
2927 following. The ordering of cells is not significant, but it can be
2928 convenient to have the client machine's home cell at the top; move
2929 it there now if you wish.
2931 <P><LI>The first line of a cell's entry has the following format:
2933 ><VAR>cell_name</VAR> #<VAR>organization</VAR>
2935 <P>where <VAR>cell_name</VAR> is the cell's complete Internet domain name
2936 (for example, <B>abc.com</B>) and <VAR>organization</VAR> is an
2937 optional field that follows any number of spaces and the number sign
2938 (<TT>#</TT>). By convention it names the organization to which the
2939 cell corresponds (for example, the ABC Corporation).
2940 <P><LI>After the first line comes a separate line for each database server
2941 machine. Each line has the following format:
2943 <VAR>IP_address</VAR> #<VAR>machine_name</VAR>
2945 <P>where <VAR>IP_address</VAR> is the machine's IP address in dotted
2946 decimal format (for example, 192.12.105.3).
2947 Following any number of spaces and the number sign (<TT>#</TT>) is
2948 <VAR>machine_name</VAR>, the machine's fully-qualified hostname (for
2949 example, <B>db1.abc.com</B>). In this case, the
2950 number sign does not indicate a comment; <VAR>machine_name</VAR> is a
2953 <P><LI>If the file includes cells that you do not wish users of this machine to
2954 access, remove their entries.
2956 <P>The following example shows entries for two cells, each of which has three
2957 database server machines:
2960 >abc.com #ABC Corporation (home cell)
2961 192.12.105.3 #db1.abc.com
2962 192.12.105.4 #db2.abc.com
2963 192.12.105.55 #db3.abc.com
2964 >stateu.edu #State University cell
2965 138.255.68.93 #serverA.stateu.edu
2966 138.255.68.72 #serverB.stateu.edu
2967 138.255.33.154 #serverC.stateu.edu
2970 <A NAME="IDX2545"></A>
2971 <A NAME="IDX2546"></A>
2972 <A NAME="IDX2547"></A>
2973 <A NAME="IDX2548"></A>
2974 <HR><H2><A NAME="HDRWQ67" HREF="auqbg002.htm#ToC_74">Configuring the Cache</A></H2>
2975 <P>The Cache Manager uses a cache on the local disk or in
2976 machine memory to store local copies of files fetched from file server
2977 machines. As the <B>afsd</B> program initializes the Cache Manager,
2978 it sets basic cache configuration parameters according to definitions in the
2979 local <B>/usr/vice/etc/cacheinfo</B> file. The file has three
2982 <P><LI>The first field names the local directory on which to mount the AFS
2983 filespace. The conventional location is the <B>/afs</B>
2985 <P><LI>The second field defines the local disk directory to use for the disk
2986 cache. The conventional location is the <B>/usr/vice/cache</B>
2987 directory, but you can specify an alternate directory if another partition has
2988 more space available. There must always be a value in this field, but
2989 the Cache Manager ignores it if the machine uses a memory cache.
2990 <P><LI>The third field specifies the number of kilobyte (1024 byte) blocks to
2991 allocate for the cache.
2993 <P>The values you define must meet the following requirements.
2995 <P><LI>On a machine using a disk cache, the Cache Manager expects always to be
2996 able to use the amount of space specified in the third field. Failure
2997 to meet this requirement can cause serious problems, some of which can be
2998 repaired only by rebooting. You must prevent non-AFS processes from
2999 filling up the cache partition. The simplest way is to devote a
3000 partition to the cache exclusively.
3001 <P><LI>The amount of space available in memory or on the partition housing the
3002 disk cache directory imposes an absolute limit on cache size.
3003 <P><LI>The maximum supported cache size can vary in each AFS release; see
3004 the <I>IBM AFS Release Notes</I> for the current version.
3005 <P><LI>For a disk cache, you cannot specify a value in the third field that
3006 exceeds 95% of the space available on the partition mounted at the directory
3007 named in the second field. If you violate this restriction, the
3008 <B>afsd</B> program exits without starting the Cache Manager and prints an
3009 appropriate message on the standard output stream. A value of 90% is
3010 more appropriate on most machines. Some operating systems (such as AIX)
3011 do not automatically reserve some space to prevent the partition from filling
3012 completely; for them, a smaller value (say, 80% to 85% of the space
3013 available) is more appropriate.
3014 <P><LI>For a memory cache, you must leave enough memory for other processes and
3015 applications to run. If you try to allocate more memory than is
3016 actually available, the <B>afsd</B> program exits without initializing the
3017 Cache Manager and produces the following message on the standard output
3020 afsd: memCache allocation failure at <VAR>number</VAR> KB
3022 <P>The <VAR>number</VAR> value is how many kilobytes were allocated just before
3023 the failure, and so indicates the approximate amount of memory
3026 <P>Within these hard limits, the factors that determine appropriate cache size
3027 include the number of users working on the machine, the size of the files with
3028 which they work, and (for a memory cache) the number of processes that run on
3029 the machine. The higher the demand from these factors, the larger the
3030 cache needs to be to maintain good performance.
3031 <P>Disk caches smaller than 10 MB do not generally perform well.
3032 Machines serving multiple users usually perform better with a cache of at
3033 least 60 to 70 MB. The point at which enlarging the cache further does
3034 not really improve performance depends on the factors mentioned previously and
3035 is difficult to predict.
3036 <P>Memory caches smaller than 1 MB are nonfunctional, and the performance of
3037 caches smaller than 5 MB is usually unsatisfactory. Suitable upper
3038 limits are similar to those for disk caches but are probably determined more
3039 by the demands on memory from other sources on the machine (number of users
3040 and processes). Machines running only a few processes possibly can use
3041 a smaller memory cache.
3042 <P><H3><A NAME="HDRWQ68" HREF="auqbg002.htm#ToC_75">Configuring a Disk Cache</A></H3>
3043 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Not all file system types that an operating system supports are
3044 necessarily supported for use as the cache partition. For possible
3045 restrictions, see the <I>IBM AFS Release Notes</I>.
3047 <P>To configure the disk cache, perform the following procedures:
3049 <P><LI>Create the local directory to use for caching. The following
3050 instruction shows the conventional location,
3051 <B>/usr/vice/cache</B>. If you are devoting a partition exclusively
3052 to caching, as recommended, you must also configure it, make a file system on
3053 it, and mount it at the directory created in this step.
3055 # <B>mkdir /usr/vice/cache</B>
3058 <P><LI>Create the <B>cacheinfo</B> file to define the configuration
3059 parameters discussed previously. The following instruction shows the
3060 standard mount location, <B>/afs</B>, and the standard cache location,
3061 <B>/usr/vice/cache</B>.
3063 # <B>echo "/afs:/usr/vice/cache:</B><VAR>#blocks</VAR><B>" > /usr/vice/etc/cacheinfo</B>
3065 <P>The following example defines the disk cache size as 50,000 KB:
3067 # <B>echo "/afs:/usr/vice/cache:50000" > /usr/vice/etc/cacheinfo</B>
3070 <P><H3><A NAME="HDRWQ69" HREF="auqbg002.htm#ToC_76">Configuring a Memory Cache</A></H3>
3071 <P>To configure a memory cache, create the <B>cacheinfo</B>
3072 file to define the configuration parameters discussed previously. The
3073 following instruction shows the standard mount location, <B>/afs</B>, and
3074 the standard cache location, <B>/usr/vice/cache</B> (though the exact
3075 value of the latter is irrelevant for a memory cache).
3077 # <B>echo "/afs:/usr/vice/cache:</B><VAR>#blocks</VAR><B>" > /usr/vice/etc/cacheinfo</B>
3079 <P>The following example allocates 25,000 KB of memory for the cache.
3081 # <B>echo "/afs:/usr/vice/cache:25000" > /usr/vice/etc/cacheinfo</B>
3083 <A NAME="IDX2549"></A>
3084 <A NAME="IDX2550"></A>
3085 <A NAME="IDX2551"></A>
3086 <A NAME="IDX2552"></A>
3087 <A NAME="IDX2553"></A>
3088 <A NAME="IDX2554"></A>
3089 <HR><H2><A NAME="HDRWQ70" HREF="auqbg002.htm#ToC_77">Configuring the Cache Manager</A></H2>
3090 <P>By convention, the Cache Manager mounts the AFS filespace on
3091 the local <B>/afs</B> directory. In this section you create that
3093 <P>The <B>afsd</B> program sets several cache configuration parameters as
3094 it initializes the Cache Manager, and starts daemons that improve
3095 performance. You can use the <B>afsd</B> command's arguments
3096 to override the parameters' default values and to change the number of
3097 some of the daemons. Depending on the machine's cache size, its
3098 amount of RAM, and how many people work on it, you can sometimes improve Cache
3099 Manager performance by overriding the default values. For a discussion
3100 of all of the <B>afsd</B> command's arguments, see its reference page
3101 in the <I>IBM AFS Administration Reference</I>.
3102 <P>The <B>afsd</B> command line in the AFS initialization script on each
3103 system type includes an <TT>OPTIONS</TT> variable. You can use it to
3104 set nondefault values for the command's arguments, in one of the
3107 <P><LI>You can create an <B>afsd</B> <I>options file</I> that sets values
3108 for arguments to the <B>afsd</B> command. If the file exists, its
3109 contents are automatically substituted for the <TT>OPTIONS</TT> variable in
3110 the AFS initialization script. The AFS distribution for some system
3111 types includes an options file; on other system types, you must create
3113 <P>You use two variables in the AFS initialization script to specify the path
3114 to the options file: <TT>CONFIG</TT> and <TT>AFSDOPT</TT>. On
3115 system types that define a conventional directory for configuration files, the
3116 <TT>CONFIG</TT> variable indicates it by default; otherwise, the
3117 variable indicates an appropriate location.
3118 <P>List the desired <B>afsd</B> options on a single line in the options
3119 file, separating each option with one or more spaces. The following
3120 example sets the <B>-stat</B> argument to 2500, the <B>-daemons</B>
3121 argument to 4, and the <B>-volumes</B> argument to 100.
3123 -stat 2500 -daemons 4 -volumes 100
3126 <P><LI>On a machine that uses a disk cache, you can set the <TT>OPTIONS</TT>
3127 variable in the AFS initialization script to one of <TT>$SMALL</TT>,
3128 <TT>$MEDIUM</TT>, or <TT>$LARGE</TT>. The AFS initialization script
3129 uses one of these settings if the <B>afsd</B> options file named by the
3130 <TT>AFSDOPT</TT> variable does not exist. In the script as
3131 distributed, the <TT>OPTIONS</TT> variable is set to the value
3133 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Do not set the <TT>OPTIONS</TT> variable to <TT>$SMALL</TT>,
3134 <TT>$MEDIUM</TT>, or <TT>$LARGE</TT> on a machine that uses a memory
3135 cache. The arguments it sets are appropriate only on a machine that
3138 <P>The script (or on some system types the <B>afsd</B> options file named
3139 by the <TT>AFSDOPT</TT> variable) defines a value for each of
3140 <TT>SMALL</TT>, <TT>MEDIUM</TT>, and <TT>LARGE</TT> that sets
3141 <B>afsd</B> command arguments appropriately for client machines of
3144 <P><LI><TT>SMALL</TT> is suitable for a small machine that serves one or two
3145 users and has approximately 8 MB of RAM and a 20-MB cache
3146 <P><LI><TT>MEDIUM</TT> is suitable for a medium-sized machine that serves two
3147 to six users and has 16 MB of RAM and a 40-MB cache
3148 <P><LI><TT>LARGE</TT> is suitable for a large machine that serves five to ten
3149 users and has 32 MB of RAM and a 100-MB cache
3151 <P><LI>You can choose not to create an <B>afsd</B> options file and to set
3152 the <TT>OPTIONS</TT> variable in the initialization script to a null value
3153 rather than to the default <TT>$MEDIUM</TT> value. You can then
3154 either set arguments directly on the <B>afsd</B> command line in the
3155 script, or set no arguments (and so accept default values for all Cache
3156 Manager parameters).
3159 <P><LI>Create the local directory on which to mount the AFS filespace, by
3160 convention <B>/afs</B>. If the directory already exists, verify
3166 <P><LI>On AIX systems, add the following line to the <B>/etc/vfs</B>
3167 file. It enables AIX to unmount AFS correctly during shutdown.
3172 <P><LI>On Linux systems, copy the <B>afsd</B> options file from the
3173 <B>/usr/vice/etc</B> directory to the <B>/etc/sysconfig</B> directory,
3174 removing the <B>.conf</B> extension as you do so.
3176 # <B>cp /usr/vice/etc/afs.conf /etc/sysconfig/afs</B>
3179 <P><LI>Edit the machine's AFS initialization script or <B>afsd</B>
3180 options file to set appropriate values for <B>afsd</B> command
3181 parameters. The script resides in the indicated location on each system
3184 <P><LI>On AIX systems, <B>/etc/rc.afs</B>
3185 <P><LI>On Digital UNIX systems, <B>/sbin/init.d/afs</B>
3186 <P><LI>On HP-UX systems, <B>/sbin/init.d/afs</B>
3187 <P><LI>On IRIX systems, <B>/etc/init.d/afs</B>
3188 <P><LI>On Linux systems, <B>/etc/sysconfig/afs</B> (the <B>afsd</B>
3190 <P><LI>On Solaris systems, <B>/etc/init.d/afs</B>
3192 <P>Use one of the methods described in the introduction to this section to add
3193 the following flags to the <B>afsd</B> command line. If you intend
3194 for the machine to remain an AFS client, also set any performance-related
3197 <P><LI>Add the <B>-nosettime</B> flag, because this is a file server machine
3198 that is also a client. The flag prevents the machine from picking a
3199 file server machine in the cell as its source for the correct time, which
3200 client machines normally do. File server machines instead use NTPD (as
3201 controlled by the <B>runntp</B> process) or another protocol to
3202 synchronize their clocks.
3203 <P><LI>Add the <B>-memcache</B> flag if the machine is to use a memory
3205 <P><LI>Add the <B>-verbose</B> flag to display a trace of the Cache
3206 Manager's initialization on the standard output stream.
3209 <A NAME="IDX2555"></A>
3210 <A NAME="IDX2556"></A>
3211 <HR><H2><A NAME="HDRWQ71" HREF="auqbg002.htm#ToC_78">Overview: Completing the Installation of the First AFS Machine</A></H2>
3212 <P>The machine is now configured as an AFS file server and
3213 client machine. In this final phase of the installation, you initialize
3214 the Cache Manager and then create the upper levels of your AFS filespace,
3215 among other procedures. The procedures are:
3217 <P><LI>Verify that the initialization script works correctly, and incorporate it
3218 into the operating system's startup and shutdown sequence
3219 <P><LI>Create and mount top-level volumes
3220 <P><LI>Create and mount volumes to store system binaries in AFS
3221 <P><LI>Enable access to foreign cells
3222 <P><LI>Institute additional security measures
3223 <P><LI>Remove client functionality if desired
3225 <A NAME="IDX2557"></A>
3226 <A NAME="IDX2558"></A>
3227 <A NAME="IDX2559"></A>
3228 <A NAME="IDX2560"></A>
3229 <A NAME="IDX2561"></A>
3230 <HR><H2><A NAME="HDRWQ72" HREF="auqbg002.htm#ToC_79">Verifying the AFS Initialization Script</A></H2>
3231 <P>At this point you run the AFS initialization script to verify
3232 that it correctly invokes all of the necessary programs and AFS processes, and
3233 that they start correctly. The following are the relevant
3236 <P><LI>The command that dynamically loads AFS modifications into the kernel, on
3237 some system types (not applicable if the kernel has AFS modifications built
3239 <P><LI>The <B>bosserver</B> command, which starts the BOS Server; it in
3240 turn starts the server processes for which you created entries in the
3241 <B>/usr/afs/local/BosConfig</B> file
3242 <P><LI>The <B>afsd</B> command, which initializes the Cache Manager
3244 <P>On system types that use a dynamic loader program, you must reboot the
3245 machine before running the initialization script, so that it can freshly load
3246 AFS modifications into the kernel.
3247 <P>If there are problems during the initialization, attempt to resolve
3248 them. The AFS Product Support group can provide assistance if
3251 <A NAME="IDX2562"></A>
3252 <A NAME="IDX2563"></A>
3253 <P><LI>Issue the <B>bos shutdown</B> command to shut down the AFS server
3254 processes other than the BOS Server. Include the <B>-wait</B> flag
3255 to delay return of the command shell prompt until all processes shut down
3258 # <B>/usr/afs/bin/bos shutdown</B> <<VAR>machine name</VAR>> <B>-wait</B>
3261 <P><LI>Issue the <B>ps</B> command to learn the <B>bosserver</B>
3262 process's process ID number (PID), and then the <B>kill</B> command
3265 # <B>ps</B> <VAR>appropriate_ps_options</VAR> <B>| grep bosserver</B>
3267 # <B>kill</B> <VAR>bosserver_PID</VAR>
3270 <P><LI>Issue the appropriate commands to run the AFS initialization script for
3272 <A NAME="IDX2564"></A>
3273 <P><B>On AIX systems:</B>
3275 <P><LI>Reboot the machine and log in again as the local superuser
3280 # <B>shutdown -r now</B>
3283 Password: <VAR>root_password</VAR>
3286 <P><LI>Run the AFS initialization script.
3288 # <B>/etc/rc.afs</B>
3292 <A NAME="IDX2565"></A>
3293 <P><B>On Digital UNIX systems:</B>
3295 <P><LI>Run the AFS initialization script.
3297 # <B>/sbin/init.d/afs start</B>
3301 <A NAME="IDX2566"></A>
3302 <P><B>On HP-UX systems:</B>
3304 <P><LI>Run the AFS initialization script.
3306 # <B>/sbin/init.d/afs start</B>
3310 <A NAME="IDX2567"></A>
3311 <A NAME="IDX2568"></A>
3312 <A NAME="IDX2569"></A>
3313 <A NAME="IDX2570"></A>
3314 <A NAME="IDX2571"></A>
3315 <A NAME="IDX2572"></A>
3316 <A NAME="IDX2573"></A>
3317 <P><B>On IRIX systems:</B>
3319 <P><LI>If you have configured the machine to use the <B>ml</B> dynamic loader
3320 program, reboot the machine and log in again as the local superuser
3325 # <B>shutdown -i6 -g0 -y</B>
3328 Password: <VAR>root_password</VAR>
3331 <P><LI>Issue the <B>chkconfig</B> command to activate the
3332 <B>afsserver</B> and <B>afsclient</B> configuration variables.
3334 # <B>/etc/chkconfig -f afsserver on</B>
3336 # <B>/etc/chkconfig -f afsclient on</B>
3339 <P><LI>Run the AFS initialization script.
3341 # <B>/etc/init.d/afs start</B>
3345 <A NAME="IDX2574"></A>
3346 <P><B>On Linux systems:</B>
3348 <P><LI>Reboot the machine and log in again as the local superuser
3353 # <B>shutdown -r now</B>
3356 Password: <VAR>root_password</VAR>
3359 <P><LI>Run the AFS initialization script.
3361 # <B>/etc/rc.d/init.d/afs start</B>
3365 <A NAME="IDX2575"></A>
3366 <P><B>On Solaris systems:</B>
3368 <P><LI>Reboot the machine and log in again as the local superuser
3373 # <B>shutdown -i6 -g0 -y</B>
3376 Password: <VAR>root_password</VAR>
3379 <P><LI>Run the AFS initialization script.
3381 # <B>/etc/init.d/afs start</B>
3385 <A NAME="IDX2576"></A>
3386 <A NAME="IDX2577"></A>
3387 <P><LI>Wait for the message that confirms that Cache Manager initialization is
3389 <P>On machines that use a disk cache, it can take a while to initialize the
3390 Cache Manager for the first time, because the <B>afsd</B> program must
3391 create all of the <B>V</B><VAR>n</VAR> files in the cache directory.
3392 Subsequent Cache Manager initializations do not take nearly as long, because
3393 the <B>V</B><VAR>n</VAR> files already exist.
3394 <P>As a basic test of correct AFS functioning, issue the <B>klog</B>
3395 command to authenticate as the <B>admin</B> user. Provide the
3396 password (<VAR>admin_passwd</VAR>) you defined in <A HREF="#HDRWQ53">Initializing Cell Security</A>.
3398 # <B>/usr/afs/bin/klog admin</B>
3399 Password: <VAR>admin_passwd</VAR>
3402 <A NAME="IDX2578"></A>
3403 <A NAME="IDX2579"></A>
3404 <P><LI>Issue the <B>tokens</B> command to verify that the <B>klog</B>
3405 command worked correctly. If it did, the output looks similar to the
3406 following example for the <B>abc.com</B> cell, where
3407 <B>admin</B>'s AFS UID is 1. If the output does not seem
3408 correct, resolve the problem. Changes to the AFS initialization script
3409 are possibly necessary. The AFS Product Support group can provide
3410 assistance as necessary.
3412 # <B>/usr/afs/bin/tokens</B>
3413 Tokens held by the Cache Manager:
3415 User's (AFS ID 1) tokens for afs@abc.com [Expires May 22 11:52]
3419 <P><LI>Issue the <B>bos status</B> command to verify that the output for each
3420 process reads <TT>Currently running normally</TT>.
3422 # <B>/usr/afs/bin/bos status</B> <<VAR>machine name</VAR>>
3425 <A NAME="IDX2580"></A>
3426 <A NAME="IDX2581"></A>
3427 <P><LI>Change directory to the local file system root (<B>/</B>) and issue
3428 the <B>fs checkvolumes</B> command.
3432 # <B>/usr/afs/bin/fs checkvolumes</B>
3436 <A NAME="IDX2582"></A>
3437 <A NAME="IDX2583"></A>
3438 <A NAME="IDX2584"></A>
3439 <A NAME="IDX2585"></A>
3440 <HR><H2><A NAME="HDRWQ73" HREF="auqbg002.htm#ToC_80">Activating the AFS Initialization Script</A></H2>
3441 <P>Now that you have confirmed that the AFS initialization
3442 script works correctly, take the action necessary to have it run automatically
3443 at each reboot. Proceed to the instructions for your system type:
3445 <P><LI><A HREF="#HDRWQ74">Activating the Script on AIX Systems</A>
3446 <P><LI><A HREF="#HDRWQ75">Activating the Script on Digital UNIX Systems</A>
3447 <P><LI><A HREF="#HDRWQ76">Activating the Script on HP-UX Systems</A>
3448 <P><LI><A HREF="#HDRWQ77">Activating the Script on IRIX Systems</A>
3449 <P><LI><A HREF="#HDRWQ78">Activating the Script on Linux Systems</A>
3450 <P><LI><A HREF="#HDRWQ79">Activating the Script on Solaris Systems</A>
3452 <A NAME="IDX2586"></A>
3453 <P><H3><A NAME="HDRWQ74" HREF="auqbg002.htm#ToC_81">Activating the Script on AIX Systems</A></H3>
3455 <P><LI>Edit the AIX initialization file, <B>/etc/inittab</B>, adding the
3456 following line to invoke the AFS initialization script. Place it just
3457 after the line that starts NFS daemons.
3459 rcafs:2:wait:/etc/rc.afs > /dev/console 2>&1 # Start AFS services
3462 <P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
3463 in both the <B>/usr/vice/etc</B> and <B>/etc</B> directories.
3464 If you want to avoid potential confusion by guaranteeing that they are always
3465 the same, create a link between them. You can always retrieve the
3466 original script from the AFS CD-ROM if necessary.
3468 # <B>cd /usr/vice/etc</B>
3472 # <B>ln -s /etc/rc.afs</B>
3475 <P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
3477 <A NAME="IDX2587"></A>
3478 <P><H3><A NAME="HDRWQ75" HREF="auqbg002.htm#ToC_82">Activating the Script on Digital UNIX Systems</A></H3>
3480 <P><LI>Change to the <B>/sbin/init.d</B> directory and issue the
3481 <B>ln -s</B> command to create symbolic links that incorporate the AFS
3482 initialization script into the Digital UNIX startup and shutdown
3485 # <B>cd /sbin/init.d</B>
3487 # <B>ln -s ../init.d/afs /sbin/rc3.d/S67afs</B>
3489 # <B>ln -s ../init.d/afs /sbin/rc0.d/K66afs</B>
3492 <P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
3493 in both the <B>/usr/vice/etc</B> and <B>/sbin/init.d</B>
3494 directories. If you want to avoid potential confusion by guaranteeing
3495 that they are always the same, create a link between them. You can
3496 always retrieve the original script from the AFS CD-ROM if necessary.
3498 # <B>cd /usr/vice/etc</B>
3502 # <B>ln -s /sbin/init.d/afs afs.rc</B>
3505 <P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
3507 <A NAME="IDX2588"></A>
3508 <P><H3><A NAME="HDRWQ76" HREF="auqbg002.htm#ToC_83">Activating the Script on HP-UX Systems</A></H3>
3510 <P><LI>Change to the <B>/sbin/init.d</B> directory and issue the
3511 <B>ln -s</B> command to create symbolic links that incorporate the AFS
3512 initialization script into the HP-UX startup and shutdown sequence.
3514 # <B>cd /sbin/init.d</B>
3516 # <B>ln -s ../init.d/afs /sbin/rc2.d/S460afs</B>
3518 # <B>ln -s ../init.d/afs /sbin/rc2.d/K800afs</B>
3521 <P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
3522 in both the <B>/usr/vice/etc</B> and <B>/sbin/init.d</B>
3523 directories. If you want to avoid potential confusion by guaranteeing
3524 that they are always the same, create a link between them. You can
3525 always retrieve the original script from the AFS CD-ROM if necessary.
3527 # <B>cd /usr/vice/etc</B>
3531 # <B>ln -s /sbin/init.d/afs afs.rc</B>
3534 <P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
3536 <A NAME="IDX2589"></A>
3537 <P><H3><A NAME="HDRWQ77" HREF="auqbg002.htm#ToC_84">Activating the Script on IRIX Systems</A></H3>
3539 <P><LI>Change to the <B>/etc/init.d</B> directory and issue the
3540 <B>ln -s</B> command to create symbolic links that incorporate the AFS
3541 initialization script into the IRIX startup and shutdown sequence.
3543 # <B>cd /etc/init.d</B>
3545 # <B>ln -s ../init.d/afs /etc/rc2.d/S35afs</B>
3547 # <B>ln -s ../init.d/afs /etc/rc0.d/K35afs</B>
3550 <P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
3551 in both the <B>/usr/vice/etc</B> and <B>/etc/init.d</B>
3552 directories. If you want to avoid potential confusion by guaranteeing
3553 that they are always the same, create a link between them. You can
3554 always retrieve the original script from the AFS CD-ROM if necessary.
3556 # <B>cd /usr/vice/etc</B>
3560 # <B>ln -s /etc/init.d/afs afs.rc</B>
3563 <P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
3565 <A NAME="IDX2590"></A>
3566 <P><H3><A NAME="HDRWQ78" HREF="auqbg002.htm#ToC_85">Activating the Script on Linux Systems</A></H3>
3568 <P><LI>Issue the <B>chkconfig</B> command to activate the <B>afs</B>
3569 configuration variable. Based on the instruction in the AFS
3570 initialization file that begins with the string <TT>#chkconfig</TT>, the
3571 command automatically creates the symbolic links that incorporate the script
3572 into the Linux startup and shutdown sequence.
3574 # <B>/sbin/chkconfig --add afs</B>
3577 <P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
3578 in both the <B>/usr/vice/etc</B> and
3579 <B>/etc/rc.d/init.d</B> directories, and copies of the
3580 <B>afsd</B> options file in both the <B>/usr/vice/etc</B> and
3581 <B>/etc/sysconfig</B> directories. If you want to avoid potential
3582 confusion by guaranteeing that the two copies of each file are always the
3583 same, create a link between them. You can always retrieve the original
3584 script or options file from the AFS CD-ROM if necessary.
3586 # <B>cd /usr/vice/etc</B>
3588 # <B>rm afs.rc afs.conf</B>
3590 # <B>ln -s /etc/rc.d/init.d/afs afs.rc</B>
3592 # <B>ln -s /etc/sysconfig/afs afs.conf</B>
3595 <P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
3597 <A NAME="IDX2591"></A>
3598 <P><H3><A NAME="HDRWQ79" HREF="auqbg002.htm#ToC_86">Activating the Script on Solaris Systems</A></H3>
3600 <P><LI>Change to the <B>/etc/init.d</B> directory and issue the
3601 <B>ln -s</B> command to create symbolic links that incorporate the AFS
3602 initialization script into the Solaris startup and shutdown sequence.
3604 # <B>cd /etc/init.d</B>
3606 # <B>ln -s ../init.d/afs /etc/rc3.d/S99afs</B>
3608 # <B>ln -s ../init.d/afs /etc/rc0.d/K66afs</B>
3611 <P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
3612 in both the <B>/usr/vice/etc</B> and <B>/etc/init.d</B>
3613 directories. If you want to avoid potential confusion by guaranteeing
3614 that they are always the same, create a link between them. You can
3615 always retrieve the original script from the AFS CD-ROM if necessary.
3617 # <B>cd /usr/vice/etc</B>
3621 # <B>ln -s /etc/init.d/afs afs.rc</B>
3625 <A NAME="IDX2592"></A>
3626 <A NAME="IDX2593"></A>
3627 <HR><H2><A NAME="HDRWQ80" HREF="auqbg002.htm#ToC_87">Configuring the Top Levels of the AFS Filespace</A></H2>
3628 <P>If you have not previously run AFS in your cell, you now
3629 configure the top levels of your cell's AFS filespace. If you have
3630 run a previous version of AFS, the filespace is already configured.
3631 Proceed to <A HREF="#HDRWQ83">Storing AFS Binaries in AFS</A>.
3632 <A NAME="IDX2594"></A>
3633 <A NAME="IDX2595"></A>
3634 <A NAME="IDX2596"></A>
3635 <P>You created the <B>root.afs</B> volume in <A HREF="#HDRWQ60">Starting the File Server, Volume Server, and Salvager</A>, and the Cache Manager mounted it automatically on the local
3636 <B>/afs</B> directory when you ran the AFS initialization script in <A HREF="#HDRWQ72">Verifying the AFS Initialization Script</A>. You now set the access control list (ACL) on the
3637 <B>/afs</B> directory; creating, mounting, and setting the ACL are
3638 the three steps required when creating any volume.
3639 <P>After setting the ACL on the <B>root.afs</B> volume, you create
3640 your cell's <B>root.cell</B> volume, mount it as a
3641 subdirectory of the <B>/afs</B> directory, and set the ACL. Create
3642 both a read/write and a regular mount point for the
3643 <B>root.cell</B> volume. The read/write mount point enables
3644 you to access the read/write version of replicated volumes when
3645 necessary. Creating both mount points essentially creates separate
3646 read-only and read-write copies of your filespace, and enables the Cache
3647 Manager to traverse the filespace on a read-only path or read/write path as
3648 appropriate. For further discussion of these concepts, see the chapter
3649 in the <I>IBM AFS Administration Guide</I> about administering
3651 <A NAME="IDX2597"></A>
3652 <A NAME="IDX2598"></A>
3653 <A NAME="IDX2599"></A>
3654 <P>Then replicate both the <B>root.afs</B> and
3655 <B>root.cell</B> volumes. This is required if you want to
3656 replicate any other volumes in your cell, because all volumes mounted above a
3657 replicated volume must themselves be replicated in order for the Cache Manager
3658 to access the replica.
3659 <P>When the <B>root.afs</B> volume is replicated, the Cache Manager
3660 is programmed to access its read-only version
3661 (<B>root.afs.readonly</B>) whenever possible. To make
3662 changes to the contents of the <B>root.afs</B> volume (when, for
3663 example, you mount another cell's <B>root.cell</B> volume at
3664 the second level in your filespace), you must mount the
3665 <B>root.afs</B> volume temporarily, make the changes, release the
3666 volume and remove the temporary mount point. For instructions, see <A HREF="#HDRWQ91">Enabling Access to Foreign Cells</A>.
3667 <A NAME="IDX2600"></A>
3668 <A NAME="IDX2601"></A>
3669 <A NAME="IDX2602"></A>
3670 <A NAME="IDX2603"></A>
3672 <P><LI>Issue the <B>fs setacl</B> command to edit the ACL on the
3673 <B>/afs</B> directory. Add an entry that grants the <B>l</B>
3674 (<B>lookup</B>) and <B>r</B> (<B>read</B>) permissions to the
3675 <B>system:anyuser</B> group, to enable all AFS users who can reach
3676 your cell to traverse through the directory. If you prefer to enable
3677 access only to locally authenticated users, substitute the
3678 <B>system:authuser</B> group.
3679 <P>Note that there is already an ACL entry that grants all seven access rights
3680 to the <B>system:administrators</B> group. It is a default
3681 entry that AFS places on every new volume's root directory.
3683 # <B>/usr/afs/bin/fs setacl /afs system:anyuser rl</B>
3686 <A NAME="IDX2604"></A>
3687 <A NAME="IDX2605"></A>
3688 <A NAME="IDX2606"></A>
3689 <A NAME="IDX2607"></A>
3690 <A NAME="IDX2608"></A>
3691 <A NAME="IDX2609"></A>
3692 <A NAME="IDX2610"></A>
3693 <P><LI><A NAME="LIWQ81"></A>Issue the <B>vos create</B> command to create the
3694 <B>root.cell</B> volume. Then issue the <B>fs
3695 mkmount</B> command to mount it as a subdirectory of the <B>/afs</B>
3696 directory, where it serves as the root of your cell's local AFS
3697 filespace. Finally, issue the <B>fs setacl</B> command to create an
3698 ACL entry for the <B>system:anyuser</B> group (or
3699 <B>system:authuser</B> group).
3700 <P>For the <VAR>partition name</VAR> argument, substitute the name of one of the
3701 machine's AFS server partitions (such as <B>/vicepa</B>). For
3702 the <VAR>cellname</VAR> argument, substitute your cell's fully-qualified
3703 Internet domain name (such as <B>abc.com</B>).
3705 # <B>/usr/afs/bin/vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <B>root.cell</B>
3707 # <B>/usr/afs/bin/fs mkmount /afs/</B><VAR>cellname</VAR> <B>root.cell</B>
3709 # <B>/usr/afs/bin/fs setacl /afs/</B><VAR>cellname</VAR> <B>system:anyuser rl</B>
3712 <A NAME="IDX2611"></A>
3713 <A NAME="IDX2612"></A>
3714 <A NAME="IDX2613"></A>
3715 <P><LI><B>(Optional)</B> Create a symbolic link to a shortened cell name, to
3716 reduce the length of pathnames for users in the local cell. For
3717 example, in the <B>abc.com</B> cell, <B>/afs/abc</B> is a link
3718 to <B>/afs/abc.com</B>.
3722 # <B>ln -s</B> <VAR>full_cellname</VAR> <VAR>short_cellname</VAR>
3725 <A NAME="IDX2614"></A>
3726 <A NAME="IDX2615"></A>
3727 <A NAME="IDX2616"></A>
3728 <P><LI>Issue the <B>fs mkmount</B> command to create a read/write mount point
3729 for the <B>root.cell</B> volume (you created a regular mount point
3730 in Step <A HREF="#LIWQ81">2</A>).
3731 <P>By convention, the name of a read/write mount point begins with a period,
3732 both to distinguish it from the regular mount point and to make it visible
3733 only when the <B>-a</B> flag is used on the <B>ls</B> command.
3734 <P>Change directory to <B>/usr/afs/bin</B> to make it easier to access the
3737 # <B>cd /usr/afs/bin</B>
3739 # <B>./fs mkmount /afs/.</B><VAR>cellname</VAR> <B>root.cell -rw</B>
3742 <A NAME="IDX2617"></A>
3743 <A NAME="IDX2618"></A>
3744 <A NAME="IDX2619"></A>
3745 <A NAME="IDX2620"></A>
3746 <P><LI><A NAME="LIWQ82"></A>Issue the <B>vos addsite</B> command to define a replication
3747 site for both the <B>root.afs</B> and <B>root.cell</B>
3748 volumes. In each case, substitute for the <VAR>partition name</VAR>
3749 argument the partition where the volume's read/write version
3750 resides. When you install additional file server machines, it is a good
3751 idea to create replication sites on them as well.
3753 # <B>./vos addsite</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <B>root.afs</B>
3755 # <B>./vos addsite</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <B>root.cell</B>
3758 <A NAME="IDX2621"></A>
3759 <A NAME="IDX2622"></A>
3760 <P><LI>Issue the <B>fs examine</B> command to verify that the Cache Manager
3761 can access both the <B>root.afs</B> and <B>root.cell</B>
3762 volumes, before you attempt to replicate them. The output lists each
3763 volume's name, volumeID number, quota, size, and the size of the
3764 partition that houses them. If you get an error message instead, do not
3765 continue before taking corrective action.
3767 # <B>./fs examine /afs</B>
3769 # <B>./fs examine /afs/</B><VAR>cellname</VAR>
3772 <A NAME="IDX2623"></A>
3773 <A NAME="IDX2624"></A>
3774 <A NAME="IDX2625"></A>
3775 <A NAME="IDX2626"></A>
3776 <P><LI>Issue the <B>vos release</B> command to release a replica of the
3777 <B>root.afs</B> and <B>root.cell</B> volumes to the
3778 sites you defined in Step <A HREF="#LIWQ82">5</A>.
3780 # <B>./vos release root.afs</B>
3782 # <B>./vos release root.cell</B>
3785 <A NAME="IDX2627"></A>
3786 <A NAME="IDX2628"></A>
3787 <P><LI>Issue the <B>fs checkvolumes</B> to force the Cache Manager to notice
3788 that you have released read-only versions of the volumes, then issue the
3789 <B>fs examine</B> command again. This time its output mentions the
3790 read-only version of the volumes (<B>root.afs.readonly</B>
3791 and <B>root.cell.readonly</B>) instead of the read/write
3792 versions, because of the Cache Manager's bias to access the read-only
3793 version of the <B>root.afs</B> volume if it exists.
3795 # <B>./fs checkvolumes</B>
3797 # <B>./fs examine /afs</B>
3799 # <B>./fs examine /afs/</B><VAR>cellname</VAR>
3803 <A NAME="IDX2629"></A>
3804 <A NAME="IDX2630"></A>
3805 <A NAME="IDX2631"></A>
3806 <A NAME="IDX2632"></A>
3807 <A NAME="IDX2633"></A>
3808 <A NAME="IDX2634"></A>
3809 <HR><H2><A NAME="HDRWQ83" HREF="auqbg002.htm#ToC_88">Storing AFS Binaries in AFS</A></H2>
3810 <P>In the conventional configuration, you make AFS client
3811 binaries and configuration files available in the subdirectories of the
3812 <B>/usr/afsws</B> directory on client machines (<B>afsws</B> is an
3814 w</B><I>ork</I><B>s</B><I>tation</I>). You can conserve
3815 local disk space by creating <B>/usr/afsws</B> as a link to an AFS volume
3816 that houses the AFS client binaries and configuration files for this system
3818 <P>In this section you create the necessary volumes. The conventional
3819 location to which to link <B>/usr/afsws</B> is
3820 <B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>,
3821 where <VAR>sysname</VAR> is the appropriate system type name as specified in the
3822 <I>IBM AFS Release Notes</I>. The instructions in <A HREF="auqbg007.htm#HDRWQ133">Installing Additional Client Machines</A> assume that you have followed the instructions in this
3824 <P>If you have previously run AFS in the cell, the volumes possibly already
3825 exist. If so, you need to perform Step <A HREF="#LIWQ86">8</A> only.
3826 <P>The current working directory is still <B>/usr/afs/bin</B>, which
3827 houses the <B>fs</B> and <B>vos</B> command suite binaries. In
3828 the following commands, it is possible you still need to specify the pathname
3829 to the commands, depending on how your PATH environment variable is
3832 <A NAME="IDX2635"></A>
3833 <A NAME="IDX2636"></A>
3834 <P><LI><A NAME="LIWQ84"></A>Issue the <B>vos create</B> command to create volumes for
3835 storing the AFS client binaries for this system type. The following
3836 example instruction creates volumes called <VAR>sysname</VAR>,
3837 <VAR>sysname</VAR>.<B>usr</B>, and
3838 <VAR>sysname</VAR>.<B>usr.afsws</B>. Refer to the
3839 <I>IBM AFS Release Notes</I> to learn the proper value of <VAR>sysname</VAR>
3840 for this system type.
3842 # <B>vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <VAR>sysname</VAR>
3844 # <B>vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <VAR>sysname</VAR><B>.usr</B>
3846 # <B>vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <VAR>sysname</VAR><B>.usr.afsws</B>
3849 <P><LI>Issue the <B>fs mkmount</B> command to mount the newly created
3850 volumes. Because the <B>root.cell</B> volume is replicated,
3851 you must precede the <I>cellname</I> part of the pathname with a period to
3852 specify the read/write mount point, as shown. Then issue the <B>vos
3853 release</B> command to release a new replica of the
3854 <B>root.cell</B> volume, and the <B>fs checkvolumes</B> command
3855 to force the local Cache Manager to access them.
3857 # <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR> <B>-vol</B> <VAR>sysname</VAR>
3859 # <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr</B> <B>-vol</B> <VAR>sysname</VAR><B>.usr</B>
3861 # <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B> <B>-vol</B> <VAR>sysname</VAR><B>.usr.afsws</B>
3863 # <B>vos release root.cell</B>
3865 # <B>fs checkvolumes</B>
3868 <P><LI>Issue the <B>fs setacl</B> command to grant the <B>l</B>
3869 (<B>lookup</B>) and <B>r</B> (<B>read</B>) permissions to the
3870 <B>system:anyuser</B> group on each new directory's ACL.
3872 # <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR>
3874 # <B>fs setacl -dir . usr usr/afsws -acl system:anyuser rl</B>
3877 <A NAME="IDX2637"></A>
3878 <A NAME="IDX2638"></A>
3879 <A NAME="IDX2639"></A>
3880 <A NAME="IDX2640"></A>
3881 <A NAME="IDX2641"></A>
3882 <P><LI><A NAME="LIWQ85"></A>Issue the <B>fs setquota</B> command to set an unlimited
3883 quota on the volume mounted at the
3884 <B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
3885 directory. This enables you to copy all of the appropriate files from
3886 the CD-ROM into the volume without exceeding the volume's quota.
3887 <P>If you wish, you can set the volume's quota to a finite value after
3888 you complete the copying operation. At that point, use the <B>vos
3889 examine</B> command to determine how much space the volume is
3890 occupying. Then issue the <B>fs setquota</B> command to set a quota
3891 that is slightly larger.
3893 # <B>fs setquota /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws 0</B>
3896 <P><LI>Mount the AFS CD-ROM for this machine's system type on the local
3897 <B>/cdrom</B> directory, if it is not already. For instructions on
3898 mounting CD-ROMs (either locally or remotely via NFS), consult the operating
3899 system documentation.
3900 <A NAME="IDX2642"></A>
3901 <A NAME="IDX2643"></A>
3902 <A NAME="IDX2644"></A>
3903 <P><LI>Copy the contents of the indicated directories from the CD-ROM into the
3904 <B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
3907 # <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
3909 # <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/bin .</B>
3911 # <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/etc .</B>
3913 # <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/include .</B>
3915 # <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/lib .</B>
3918 <A NAME="IDX2645"></A>
3919 <A NAME="IDX2646"></A>
3920 <P><LI>Issue the <B>fs setacl</B> command to set the ACL on each directory
3921 appropriately. To comply with the terms of your AFS License agreement,
3922 you must prevent unauthorized users from accessing AFS software. To
3923 enable access for locally authenticated users only, set the ACL on the
3924 <B>etc</B>, <B>include</B>, and <B>lib</B> subdirectories to grant
3925 the <B>l</B> and <B>r</B> permissions to the
3926 <B>system:authuser</B> group rather than the
3927 <B>system:anyuser</B> group. The
3928 <B>system:anyuser</B> group must retain the <B>l</B> and
3929 <B>r</B> permissions on the <B>bin</B> subdirectory to enable
3930 unauthenticated users to access the <B>klog</B> binary. To ensure
3931 that unauthorized users are not accessing AFS software, check periodically
3932 that the ACLs on these directories are set properly.
3934 # <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
3936 # <B>fs setacl -dir etc include lib -acl system:authuser rl</B> \
3937 <B>system:anyuser none</B>
3940 <A NAME="IDX2647"></A>
3941 <A NAME="IDX2648"></A>
3942 <P><LI><A NAME="LIWQ86"></A>Create <B>/usr/afsws</B> on the local disk as a symbolic
3943 link to the directory
3944 <B>/afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws</B>. You can
3945 specify the actual system name instead of <B>@sys</B> if you wish, but the
3946 advantage of using <B>@sys</B> is that it remains valid if you upgrade
3947 this machine to a different system type.
3949 # <B>ln -s /afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws /usr/afsws</B>
3952 <A NAME="IDX2649"></A>
3953 <A NAME="IDX2650"></A>
3954 <P><LI><B>(Optional)</B> To enable users to issue commands from the AFS
3955 suites (such as <B>fs</B>) without having to specify a pathname to their
3956 binaries, include the <B>/usr/afsws/bin</B> and <B>/usr/afsws/etc</B>
3957 directories in the PATH environment variable you define in each user's
3958 shell initialization file (such as <B>.cshrc</B>).
3960 <A NAME="IDX2651"></A>
3961 <A NAME="IDX2652"></A>
3962 <A NAME="IDX2653"></A>
3963 <A NAME="IDX2654"></A>
3964 <A NAME="IDX2655"></A>
3965 <A NAME="IDX2656"></A>
3966 <HR><H2><A NAME="HDRWQ87" HREF="auqbg002.htm#ToC_89">Storing AFS Documents in AFS</A></H2>
3967 <P>The AFS distribution includes the following documents:
3969 <P><LI><I>IBM AFS Release Notes</I>
3970 <P><LI><I>IBM AFS Quick Beginnings</I>
3971 <P><LI><I>IBM AFS User Guide</I>
3972 <P><LI><I>IBM AFS Administration Reference</I>
3973 <P><LI><I>IBM AFS Administration Guide</I>
3975 <P>The AFS CD-ROM for each system type has a top-level
3976 <B>Documentation</B> directory, with a subdirectory for each document
3977 format provided. The different formats are suitable for online viewing,
3979 <P>This section explains how to create and mount a volume to house the
3980 documents, making them available to your users. The recommended mount
3981 point for the volume is
3982 <B>/afs/</B><VAR>cellname</VAR><B>/afsdoc</B>. If you wish, you
3983 can create a link to the mount point on each client machine's local disk,
3984 called <B>/usr/afsdoc</B>. Alternatively, you can create a link to
3985 the mount point in each user's home directory. You can also choose
3986 to permit users to access only certain documents (most probably, the <I>IBM
3987 AFS User Guide</I>) by creating different mount points or setting different
3988 ACLs on different document directories.
3989 <P>The current working directory is still <B>/usr/afs/bin</B>, which
3990 houses the <B>fs</B> and <B>vos</B> command suite binaries you use to
3991 create and mount volumes. In the following commands, it is possible you
3992 still need to specify the pathname to the commands, depending on how your PATH
3993 environment variable is set.
3995 <A NAME="IDX2657"></A>
3996 <A NAME="IDX2658"></A>
3997 <P><LI>Issue the <B>vos create</B> command to create a volume for storing the
3998 AFS documentation. Include the <B>-maxquota</B> argument to set an
3999 unlimited quota on the volume. This enables you to copy all of the
4000 appropriate files from the CD-ROM into the volume without exceeding the
4002 <P>If you wish, you can set the volume's quota to a finite value after
4003 you complete the copying operations. At that point, use the <B>vos
4004 examine</B> command to determine how much space the volume is
4005 occupying. Then issue the <B>fs setquota</B> command to set a quota
4006 that is slightly larger.
4008 # <B>vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <B>afsdoc -maxquota 0</B>
4011 <P><LI>Issue the <B>fs mkmount</B> command to mount the new volume.
4012 Because the <B>root.cell</B> volume is replicated, you must precede
4013 the <I>cellname</I> with a period to specify the read/write mount point,
4014 as shown. Then issue the <B>vos release</B> command to release a
4015 new replica of the <B>root.cell</B> volume, and the <B>fs
4016 checkvolumes</B> command to force the local Cache Manager to access
4019 # <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/afsdoc</B> <B>-vol</B> <B>afsdoc</B>
4021 # <B>vos release root.cell</B>
4023 # <B>fs checkvolumes</B>
4026 <P><LI>Issue the <B>fs setacl</B> command to grant the <B>rl</B>
4027 permissions to the <B>system:anyuser</B> group on the new
4030 # <B>cd /afs/.</B><VAR>cellname</VAR><B>/afsdoc</B>
4032 # <B>fs setacl . system:anyuser rl</B>
4035 <P><LI>Mount the AFS CD-ROM for any system type on the local <B>/cdrom</B>
4036 directory, if one is not already. For instructions on mounting CD-ROMs
4037 (either locally or remotely via NFS), consult the operating system
4039 <A NAME="IDX2659"></A>
4040 <A NAME="IDX2660"></A>
4041 <A NAME="IDX2661"></A>
4042 <A NAME="IDX2662"></A>
4043 <A NAME="IDX2663"></A>
4044 <P><LI>Copy the AFS documents in one or more formats from the CD-ROM into
4045 subdirectories of the <B>/afs/</B><VAR>cellname</VAR><B>/afsdoc</B>
4046 directory. Repeat the commands for each format.
4048 # <B>mkdir</B> <VAR>format_name</VAR>
4050 # <B>cd</B> <VAR>format_name</VAR>
4052 # <B>cp -rp /cdrom/Documentation/</B><VAR>format</VAR> <B>.</B>
4054 <P>If you choose to store the HTML version of the documents in AFS, note that
4055 in addition to a subdirectory for each document there are several files with a
4056 <B>.gif</B> extension, which enable readers to move easily between
4057 sections of a document. The file called <B>index.htm</B> is
4058 an introductory HTML page that contains a hyperlink to each of the
4059 documents. For online viewing to work properly, these files must remain
4060 in the top-level HTML directory (the one named, for example,
4061 <B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/html</B>).
4062 <P><LI><B>(Optional)</B> If you believe it is helpful to your users to access
4063 the AFS documents in a certain format via a local disk directory, create
4064 <B>/usr/afsdoc</B> on the local disk as a symbolic link to the
4065 documentation directory in AFS
4066 (<B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>).
4069 # <B>ln -s /afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR> <B>/usr/afsdoc</B>
4071 <P>An alternative is to create a link in each user's home directory to
4072 the <B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>
4075 <A NAME="IDX2664"></A>
4076 <A NAME="IDX2665"></A>
4077 <A NAME="IDX2666"></A>
4078 <A NAME="IDX2667"></A>
4079 <HR><H2><A NAME="HDRWQ88" HREF="auqbg002.htm#ToC_90">Storing System Binaries in AFS</A></H2>
4080 <P>You can also choose to store other system binaries in AFS
4081 volumes, such as the standard UNIX programs conventionally located in local
4082 disk directories such as <B>/etc</B>, <B>/bin</B>, and
4083 <B>/lib</B>. Storing such binaries in an AFS volume not only frees
4084 local disk space, but makes it easier to update binaries on all client
4086 <P>The following is a suggested scheme for storing system binaries in
4087 AFS. It does not include instructions, but you can use the instructions
4088 in <A HREF="#HDRWQ83">Storing AFS Binaries in AFS</A> (which are for AFS-specific binaries) as a template.
4089 <P>Some files must remain on the local disk for use when AFS is inaccessible
4090 (during bootup and file server or network outages). The required
4091 binaries include the following:
4093 <P><LI>A text editor, network commands, and so on
4094 <P><LI>Files used during the boot sequence before the <B>afsd</B> program
4095 runs, such as initialization and configuration files, and binaries for
4096 commands that mount file systems
4097 <P><LI>Files used by dynamic kernel loader programs
4099 <P>In most cases, it is more secure to enable only locally authenticated users
4100 to access system binaries, by granting the <B>l</B> (<B>lookup</B>)
4101 and <B>r</B> (<B>read</B>) permissions to the
4102 <B>system:authuser</B> group on the ACLs of directories that contain
4103 the binaries. If users need to access a binary while unauthenticated,
4104 however, the ACL on its directory must grant those permissions to the
4105 <B>system:anyuser</B> group.
4106 <P>The following chart summarizes the suggested volume and mount point names
4107 for storing system binaries. It uses a separate volume for each
4108 directory. You already created a volume called <VAR>sysname</VAR> for
4109 this machine's system type when you followed the instructions in <A HREF="#HDRWQ83">Storing AFS Binaries in AFS</A>.
4110 <P>You can name volumes in any way you wish, and mount them at other locations
4111 than those suggested here. However, this scheme has several
4114 <P><LI>Volume names clearly identify volume contents
4115 <P><LI>Using the <VAR>sysname</VAR> prefix on every volume makes it is easy to back
4116 up all of the volumes together, because the AFS Backup System enables you to
4117 define sets of volumes based on a string included in all of their names
4118 <P><LI>It makes it easy to track related volumes, keeping them together on the
4119 same file server machine if desired
4120 <P><LI>There is a clear relationship between volume name and mount point name
4123 <TABLE WIDTH="100%">
4125 <TH ALIGN="LEFT" VALIGN="BOTTOM" WIDTH="30%"><B>Volume Name</B>
4126 </TH><TH ALIGN="LEFT" VALIGN="BOTTOM" WIDTH="70%"><B>Mount Point</B>
4128 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>
4129 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR>
4131 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>bin</B>
4132 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/bin</B>
4134 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>etc</B>
4135 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/etc</B>
4137 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr</B>
4138 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr</B>
4140 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.afsws</B>
4141 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/afsws</B>
4143 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.bin</B>
4144 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/bin</B>
4146 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.etc</B>
4147 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/etc</B>
4149 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.inc</B>
4150 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/include</B>
4152 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.lib</B>
4153 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/lib</B>
4155 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.loc</B>
4156 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/local</B>
4158 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.man</B>
4159 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/man</B>
4161 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.sys</B>
4162 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/sys</B>
4165 <A NAME="IDX2668"></A>
4166 <A NAME="IDX2669"></A>
4167 <A NAME="IDX2670"></A>
4168 <A NAME="IDX2671"></A>
4169 <A NAME="IDX2672"></A>
4170 <A NAME="IDX2673"></A>
4171 <A NAME="IDX2674"></A>
4172 <HR><H2><A NAME="HDRWQ91" HREF="auqbg002.htm#ToC_91">Enabling Access to Foreign Cells</A></H2>
4173 <P>In this section you create a mount point in your AFS
4174 filespace for the <B>root.cell</B> volume of each foreign cell that
4175 you want to enable your users to access. For users working on a client
4176 machine to access the cell, there must in addition be an entry for it in the
4177 client machine's local <B>/usr/vice/etc/CellServDB</B> file.
4178 (The instructions in <A HREF="#HDRWQ66">Creating the Client CellServDB File</A> suggest that you use the <B>CellServDB.sample</B>
4179 file included in the AFS distribution as the basis for your cell's client
4180 <B>CellServDB</B> file. The sample file lists all of the cells that
4181 had agreed to participate in the AFS global namespace at the time your AFS
4182 CD-ROM was created. As mentioned in that section, the AFS Product
4183 Support group also maintains a copy of the file, updating it as
4185 <P>The chapter in the <I>IBM AFS Administration Guide</I> about cell
4186 administration and configuration issues discusses the implications of
4187 participating in the global AFS namespace. The chapter about
4188 administering client machines explains how to maintain knowledge of foreign
4189 cells on client machines, and includes suggestions for maintaining a central
4190 version of the file in AFS.
4192 <P><LI>Issue the <B>fs mkmount</B> command to mount each foreign cell's
4193 <B>root.cell</B> volume on a directory called
4194 <B>/afs/</B><VAR>foreign_cell</VAR>. Because the
4195 <B>root.afs</B> volume is replicated, you must create a temporary
4196 mount point for its read/write version in a directory to which you have write
4197 access (such as your cell's <B>/afs/.</B><VAR>cellname</VAR>
4198 directory). Create the mount points, issue the <B>vos release</B>
4199 command to release new replicas to the read-only sites for the
4200 <B>root.afs</B> volume, and issue the <B>fs checkvolumes</B>
4201 command to force the local Cache Manager to access the new replica.
4202 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">You need to issue the <B>fs mkmount</B> command only once for each
4203 foreign cell's <B>root.cell</B> volume. You do not need
4204 to repeat the command on each client machine.
4206 <P>Substitute your cell's name for <VAR>cellname</VAR>.
4208 # <B>cd /afs/.</B><VAR>cellname</VAR>
4210 # <B>/usr/afs/bin/fs mkmount temp root.afs</B>
4212 <P>Repeat the <B>fs mkmount</B> command for each foreign cell you wish to
4215 # <B>/usr/afs/bin/fs mkmount temp/</B><VAR>foreign_cell</VAR> <B>root.cell -c</B> <VAR>foreign_cell</VAR>
4217 <P>Issue the following commands only once.
4219 # <B>/usr/afs/bin/fs rmmount temp</B>
4221 # <B>/usr/afs/bin/vos release root.afs</B>
4223 # <B>/usr/afs/bin/fs checkvolumes</B>
4226 <A NAME="IDX2675"></A>
4227 <A NAME="IDX2676"></A>
4228 <P><LI><A NAME="LIWQ92"></A>If this machine is going to remain an AFS client after you
4229 complete the installation, verify that the local
4230 <B>/usr/vice/etc/CellServDB</B> file includes an entry for each foreign
4232 <P>For each cell that does not already have an entry, complete the following
4235 <P><LI>Create an entry in the <B>CellServDB</B> file. Be sure to
4236 comply with the formatting instructions in <A HREF="#HDRWQ66">Creating the Client CellServDB File</A>.
4237 <P><LI>Issue the <B>fs newcell</B> command to add an entry for the cell
4238 directly to the list that the Cache Manager maintains in kernel memory.
4239 Provide each database server machine's fully qualified hostname.
4241 # <B>/usr/afs/bin/fs newcell</B> <<VAR>foreign_cell</VAR>> <<VAR>dbserver1></VAR> \
4242 [<<VAR>dbserver2></VAR>] [<<VAR>dbserver3></VAR>]
4245 <P><LI>If you plan to maintain a central version of the <B>CellServDB</B>
4246 file (the conventional location is
4247 <B>/afs/</B><VAR>cellname</VAR><B>/common/etc/CellServDB</B>), create it
4248 now as a copy of the local <B>/usr/vice/etc/CellServDB</B> file.
4249 Verify that it includes an entry for each foreign cell you want your users to
4252 # <B>mkdir common</B>
4254 # <B>mkdir common/etc</B>
4256 # <B>cp /usr/vice/etc/CellServDB common/etc</B>
4258 # <B>/usr/afs/bin/vos release root.cell</B>
4262 <P><LI>Issue the <B>ls</B> command to verify that the new cell's mount
4263 point is visible in your filespace. The output lists the directories at
4264 the top level of the new cell's AFS filespace.
4266 # <B>ls /afs/</B><VAR>foreign_cell</VAR>
4269 <P><LI>Please register your cell with the AFS Product Support group at this
4270 time. If you do not want to participate in the global AFS namespace,
4271 they list your cell in a private <B>CellServDB</B> file that is not
4272 available to other AFS cells.
4274 <A NAME="IDX2677"></A>
4275 <A NAME="IDX2678"></A>
4276 <A NAME="IDX2679"></A>
4277 <A NAME="IDX2680"></A>
4278 <A NAME="IDX2681"></A>
4279 <A NAME="IDX2682"></A>
4280 <HR><H2><A NAME="HDRWQ93" HREF="auqbg002.htm#ToC_92">Improving Cell Security</A></H2>
4281 <P>This section discusses ways to improve the security of AFS
4282 data in your cell. Also see the chapter in the <I>IBM AFS
4283 Administration Guide</I> about configuration and administration
4285 <P><H3><A NAME="HDRWQ94" HREF="auqbg002.htm#ToC_93">Controlling root Access</A></H3>
4286 <P>As on any machine, it is important to prevent unauthorized
4287 users from logging onto an AFS server or client machine as the local superuser
4288 <B>root</B>. Take care to keep the <B>root</B> password
4290 <P>The local <B>root</B> superuser does not have special access to AFS
4291 data through the Cache Manager (as members of the
4292 <B>system:administrators</B> group do), but it does have the
4293 following privileges:
4295 <P><LI>On client machines, the ability to issue commands from the <B>fs</B>
4296 suite that affect AFS performance
4297 <P><LI>On server machines, the ability to disable authorization checking, or to
4298 install rogue process binaries
4300 <P><H3><A NAME="HDRWQ95" HREF="auqbg002.htm#ToC_94">Controlling System Administrator Access</A></H3>
4301 <P>Following are suggestions for managing AFS administrative
4304 <P><LI>Create an administrative account for each administrator named something
4305 like <VAR>username</VAR><B>.admin</B>. Administrators
4306 authenticate under these identities only when performing administrative tasks,
4307 and destroy the administrative tokens immediately after finishing the task
4308 (either by issuing the <B>unlog</B> command, or the <B>klog</B>
4309 command to adopt their regular identity).
4310 <P><LI>Set a short ticket lifetime for administrator accounts (for example, 20
4311 minutes) by using the <B>-lifetime</B> argument to the <B>kas
4312 setfields</B> command, which is described in the <I>IBM AFS Administration
4313 Reference</I>. Do not however, use a short lifetime for users who
4314 issue long-running <B>backup</B> commands.
4315 <P><LI>Limit the number of system administrators in your cell, especially those
4316 who belong to the <B>system:administrators</B> group. By
4317 default they have all ACL rights on all directories in the local AFS
4318 filespace, and therefore must be trusted not to examine private files.
4319 <P><LI>Limit the use of system administrator accounts on machines in public
4320 areas. It is especially important not to leave such machines unattended
4321 without first destroying the administrative tokens.
4322 <P><LI>Limit the use by administrators of standard UNIX commands that make
4323 connections to remote machines (such as the <B>telnet</B> utility).
4324 Many of these programs send passwords across the network without encrypting
4327 <A NAME="IDX2683"></A>
4328 <A NAME="IDX2684"></A>
4329 <A NAME="IDX2685"></A>
4330 <P><H3><A NAME="HDRWQ96" HREF="auqbg002.htm#ToC_95">Protecting Sensitive AFS Directories</A></H3>
4331 <P>Some subdirectories of the <B>/usr/afs</B> directory
4332 contain files crucial to cell security. Unauthorized users must not
4333 read or write to these files because of the potential for misuse of the
4334 information they contain.
4335 <P>As the BOS Server initializes for the first time on a server machine, it
4336 creates several files and directories (as mentioned in <A HREF="#HDRWQ50">Starting the BOS Server</A>). It sets their owner to the local superuser
4337 <B>root</B> and sets their mode bits to enable writing by the owner
4338 only; in some cases, it also restricts reading.
4339 <P>At each subsequent restart, the BOS Server checks that the owner and mode
4340 bits on these files are still set appropriately. If they are not, it
4341 write the following message to the <B>/usr/afs/logs/BosLog</B> file:
4343 Bosserver reports inappropriate access on server directories
4345 <P>The BOS Server does not reset the mode bits, which enables you to set
4346 alternate values if you wish.
4347 <P>The following charts lists the expected mode bit settings. A
4348 question mark indicates that the BOS Server does not check that mode
4351 <TABLE WIDTH="100%">
4353 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs</B>
4354 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwxr</TT>?<TT>xr-x</TT>
4356 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/backup</B>
4357 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwx</TT>???<TT>---</TT>
4359 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/bin</B>
4360 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwxr</TT>?<TT>xr-x</TT>
4362 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/db</B>
4363 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwx</TT>???<TT>---</TT>
4365 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/etc</B>
4366 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwxr</TT>?<TT>xr-x</TT>
4368 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/etc/KeyFile</B>
4369 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>-rw</TT>????<TT>---</TT>
4371 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/etc/UserList</B>
4372 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>-rw</TT>?????<TT>--</TT>
4374 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/local</B>
4375 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwx</TT>???<TT>---</TT>
4377 <TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/logs</B>
4378 </TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwxr</TT>?<TT>xr-x</TT>
4381 <A NAME="IDX2686"></A>
4382 <A NAME="IDX2687"></A>
4383 <HR><H2><A NAME="HDRWQ98" HREF="auqbg002.htm#ToC_96">Removing Client Functionality</A></H2>
4384 <P>Follow the instructions in this section only if you do not
4385 wish this machine to remain an AFS client. Removing client
4386 functionality means that you cannot use this machine to access AFS
4389 <P><LI>Remove the files from the <B>/usr/vice/etc</B> directory. The
4390 command does not remove the directory for files used by the dynamic kernel
4391 loader program, if it exists on this system type. Those files are still
4392 needed on a server-only machine.
4394 # <B>cd /usr/vice/etc</B>
4401 <P><LI>Create symbolic links to the <B>ThisCell</B> and <B>CellServDB</B>
4402 files in the <B>/usr/afs/etc</B> directory. This makes it possible
4403 to issue commands from the AFS command suites (such as <B>bos</B> and
4404 <B>fs</B>) on this machine.
4406 # <B>ln -s /usr/afs/etc/ThisCell ThisCell</B>
4408 # <B>ln -s /usr/afs/etc/CellServDB CellServDB</B>
4411 <P><LI>On IRIX systems, issue the <B>chkconfig</B> command to deactivate the
4412 <B>afsclient</B> configuration variable.
4414 # <B>/etc/chkconfig -f afsclient off</B>
4417 <P><LI>Reboot the machine. Most system types use the <B>shutdown</B>
4418 command, but the appropriate options vary.
4422 # <B>shutdown</B> <VAR>appropriate_options</VAR>
4426 <HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auqbg002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auqbg004.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Top_Of_Page"><IMG SRC="../top.gif" BORDER="0" ALT="[Top of Topic]"></A> <A HREF="auqbg006.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auqbg009.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
4427 <!-- Begin Footer Records ========================================== -->
4429 <br>© <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A> All Rights Reserved
4431 <!-- End Footer Records ============================================ -->
4432 <A NAME="Bot_Of_Page"></A>