1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 4//EN">
3 <TITLE>Quick Beginnings</TITLE>
4 <!-- Begin Header Records ========================================== -->
5 <!-- /tmp/idwt3574/auqbg000.scr converted by idb2h R4.2 (359) ID -->
6 <!-- Workbench Version (AIX) on 2 Oct 2000 at 12:25:35 -->
7 <META HTTP-EQUIV="updated" CONTENT="Mon, 02 Oct 2000 12:25:35">
8 <META HTTP-EQUIV="review" CONTENT="Tue, 02 Oct 2001 12:25:35">
9 <META HTTP-EQUIV="expires" CONTENT="Wed, 02 Oct 2002 12:25:35">
11 <!-- (C) IBM Corporation 2000. All Rights Reserved -->
12 <BODY bgcolor="ffffff">
13 <!-- End Header Records ============================================ -->
14 <A NAME="Top_Of_Page"></A>
15 <H1>Quick Beginnings</H1>
18 <A NAME="IDX2218"></A>
19 <A NAME="IDX2219"></A>
20 <A NAME="IDX2220"></A>
21 <HR><H1><A NAME="HDRWQ17" HREF="auqbg002.htm#ToC_28">Installing the First AFS Machine</A></H1>
22 <P>This chapter describes how to install the first AFS machine
23 in your cell, configuring it as both a file server machine and a client
24 machine. After completing all procedures in this chapter, you can
25 remove the client functionality if you wish, as described in <A HREF="#HDRWQ98">Removing Client Functionality</A>.
26 <P>To install additional file server machines after completing this chapter,
27 see <A HREF="auqbg006.htm#HDRWQ99">Installing Additional Server Machines</A>.
28 <P>To install additional client machines after completing this chapter, see <A HREF="auqbg007.htm#HDRWQ133">Installing Additional Client Machines</A>.
29 <A NAME="IDX2221"></A>
30 <HR><H2><A NAME="Header_29" HREF="auqbg002.htm#ToC_29">Requirements and Configuration Decisions</A></H2>
31 <P>The instructions in this chapter assume that you meet the following
34 <P><LI>You are logged onto the machine's console as the local superuser
36 <P><LI>A standard version of one of the operating systems supported by the
37 current version of AFS is running on the machine
38 <P><LI>You can access the data on the AFS CD-ROMs, either through a local CD
39 drive or via an NFS mount of a CD drive attached to a machine that is
42 <P>You must make the following configuration decisions while installing the
43 first AFS machine. To speed the installation itself, it is best to make
44 the decisions before beginning. See the chapter in the <I>IBM AFS
45 Administration Guide</I> about issues in cell administration and
46 configuration for detailed guidelines.
47 <A NAME="IDX2222"></A>
48 <A NAME="IDX2223"></A>
49 <A NAME="IDX2224"></A>
51 <P><LI>Select the first AFS machine
52 <P><LI>Select the cell name
53 <P><LI>Decide which partitions or logical volumes to configure as AFS server
54 partitions, and choose the directory names on which to mount them
55 <P><LI>Decide whether to use the standard AFS authentication and authorization
56 software or Kerberos as obtained from another source. On several system
57 types, the decision determines how you incorporate AFS into the machine's
58 authentication system. If you wish to use Kerberos, contact the AFS
59 Product Support group now to learn about how you must modify the installation
61 <P><LI>Decide how big to make the client cache
62 <P><LI>Decide how to configure the top levels of your cell's AFS filespace
64 <P>This chapter is divided into three large sections corresponding to the
65 three parts of installing the first AFS machine. Perform all of the
66 steps in the order they appear. Each functional section begins with a
67 summary of the procedures to perform. The sections are as
70 <P><LI>Installing server functionality (begins in <A HREF="#HDRWQ18">Overview: Installing Server Functionality</A>)
71 <P><LI>Installing client functionality (begins in <A HREF="#HDRWQ63">Overview: Installing Client Functionality</A>)
72 <P><LI>Configuring your cell's filespace, establishing further security
73 mechanisms, and enabling access to foreign cells (begins in <A HREF="#HDRWQ71">Overview: Completing the Installation of the First AFS Machine</A>)
75 <A NAME="IDX2225"></A>
76 <A NAME="IDX2226"></A>
77 <A NAME="IDX2227"></A>
78 <HR><H2><A NAME="HDRWQ18" HREF="auqbg002.htm#ToC_30">Overview: Installing Server Functionality</A></H2>
79 <P>In the first phase of installing your cell's first AFS
80 machine, you install file server and database server functionality by
81 performing the following procedures:
83 <P><LI>Choose which machine to install as the first AFS machine
84 <P><LI>Create AFS-related directories on the local disk
85 <P><LI>Incorporate AFS modifications into the machine's kernel
86 <P><LI>Configure partitions or logical volumes for storing AFS volumes
87 <P><LI>On some system types, install and configure an AFS-modified version of the
89 <P><LI>If the machine is to remain a client machine, incorporate AFS into its
91 <P><LI>Start the Basic OverSeer (BOS) Server
92 <P><LI>Define the cell name and the machine's cell membership
93 <P><LI>Start the database server processes: Authentication Server, Backup
94 Server, Protection Server, and Volume Location (VL) Server
95 <P><LI>Configure initial security mechanisms
96 <P><LI>Start the <B>fs</B> process, which incorporates three component
97 processes: the File Server, Volume Server, and Salvager
98 <P><LI>Start the server portion of the Update Server
99 <P><LI>Start the controller process (called <B>runntp</B>) for the Network
100 Time Protocol Daemon, which synchronizes machine clocks
102 <HR><H2><A NAME="HDRWQ19" HREF="auqbg002.htm#ToC_31">Choosing the First AFS Machine</A></H2>
103 <P>The first AFS machine you install must have sufficient disk
104 space to store AFS volumes. To take best advantage of AFS's
105 capabilities, store client-side binaries as well as user files in
106 volumes. When you later install additional file server machines in your
107 cell, you can distribute these volumes among the different machines as you see
109 <P>These instructions configure the first AFS machine as a <I>database
110 server machine</I>, the <I>binary distribution machine</I> for its
111 system type, and the cell's <I>system control machine</I>. For
112 a description of these roles, see the <I>IBM AFS Administration
114 <P>Installation of additional machines is simplest if the first machine has
115 the lowest IP address of any database server machine you currently plan to
116 install. If you later install database server functionality on a
117 machine with a lower IP address, you must first update the
118 <B>/usr/vice/etc/CellServDB</B> file on all of your cell's client
119 machines. For more details, see <A HREF="auqbg006.htm#HDRWQ114">Installing Database Server Functionality</A>.
120 <HR><H2><A NAME="Header_32" HREF="auqbg002.htm#ToC_32">Creating AFS Directories</A></H2>
121 <A NAME="IDX2228"></A>
122 <A NAME="IDX2229"></A>
123 <A NAME="IDX2230"></A>
124 <A NAME="IDX2231"></A>
125 <A NAME="IDX2232"></A>
126 <A NAME="IDX2233"></A>
127 <A NAME="IDX2234"></A>
128 <A NAME="IDX2235"></A>
129 <A NAME="IDX2236"></A>
130 <A NAME="IDX2237"></A>
131 <A NAME="IDX2238"></A>
132 <P>Create the <B>/usr/afs</B> and <B>/usr/vice/etc</B> directories on
133 the local disk, to house server and client files respectively.
134 Subsequent instructions copy files from the AFS CD-ROM into them.
135 Create the <B>/cdrom</B> directory as a mount point for CD-ROMs, if it
136 does not already exist.
138 <PRE># <B>mkdir /usr/afs</B>
140 # <B>mkdir /usr/vice</B>
142 # <B>mkdir /usr/vice/etc</B>
144 # <B>mkdir /cdrom</B></PRE>
147 <HR><H2><A NAME="HDRWQ20" HREF="auqbg002.htm#ToC_33">Performing Platform-Specific Procedures</A></H2>
148 <P>Several of the initial procedures for installing a file
149 server machine differ for each system type. For convenience, the
150 following sections group them together for each system type:
152 <A NAME="IDX2239"></A>
153 <A NAME="IDX2240"></A>
154 <A NAME="IDX2241"></A>
155 <P><LI>Incorporate AFS modifications into the kernel.
156 <P>The kernel on every AFS file server and client machine must incorporate AFS
157 extensions. On machines that use a dynamic kernel module loader, it is
158 conventional to alter the machine's initialization script to load the AFS
159 extensions at each reboot.
160 <A NAME="IDX2242"></A>
161 <A NAME="IDX2243"></A>
162 <A NAME="IDX2244"></A>
163 <A NAME="IDX2245"></A>
164 <A NAME="IDX2246"></A>
165 <A NAME="IDX2247"></A>
166 <A NAME="IDX2248"></A>
167 <P><LI>Configure server partitions or logical volumes to house AFS
169 <P>Every AFS file server machine must have at least one partition or logical
170 volume dedicated to storing AFS volumes (for convenience, the documentation
171 hereafter refers to partitions only). Each server partition is mounted
172 at a directory named <B>/vicep</B><VAR>xx</VAR>, where <VAR>xx</VAR> is one or
173 two lowercase letters. By convention, the first 26 partitions are
174 mounted on the directories called <B>/vicepa</B> through
175 <B>/vicepz</B>, the 27th one is mounted on the <B>/vicepaa</B>
176 directory, and so on through <B>/vicepaz</B> and <B>/vicepba</B>,
177 continuing up to the index corresponding to the maximum number of server
178 partitions supported in the current version of AFS (which is specified in the
179 <I>IBM AFS Release Notes</I>).
180 <P>The <B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
181 machine's root directory, not in one of its subdirectories (for example,
182 <B>/usr/vicepa</B> is not an acceptable directory location).
183 <P>You can also add or remove server partitions on an existing file server
184 machine. For instructions, see the chapter in the <I>IBM AFS
185 Administration Guide</I> about maintaining server machines.
186 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Not all file system types supported by an operating system are necessarily
187 supported as AFS server partitions. For possible restrictions, see the
188 <I>IBM AFS Release Notes</I>.</TD></TR></TABLE>
190 <P><LI>On some system types, install and configure a modified <B>fsck</B>
191 program which recognizes the structures that the File Server uses to organize
192 volume data on AFS server partitions. The <B>fsck</B> program
193 provided with the operating system does not understand the AFS data
194 structures, and so removes them to the <B>lost+found</B> directory.
195 <P><LI>If the machine is to remain an AFS client machine, modify the
196 machine's authentication system so that users obtain an AFS token as they
197 log into the local file system. Using AFS is simpler and more
198 convenient for your users if you make the modifications on all client
199 machines. Otherwise, users must perform a two-step login procedure
200 (login to the local file system and then issue the <B>klog</B>
201 command). For further discussion of AFS authentication, see the chapter
202 in the <I>IBM AFS Administration Guide</I> about cell configuration and
203 administration issues.
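<P>The following shell script is an added example; it is not part of this IBM document or of the AFS distribution, and its function names are my own. It turns the <B>/vicep</B><VAR>xx</VAR> naming convention described above into helpers: <TT>vicep_name</TT> computes the mount directory for a given partition index (0 for <B>/vicepa</B>, 26 for <B>/vicepaa</B>, 52 for <B>/vicepba</B>), <TT>vicep_index</TT> inverts it, and <TT>vicep_path_ok</TT> rejects mount points that are not directly under the root directory, such as the <B>/usr/vicepa</B> case the text warns about. The script stops at <B>/vicepzz</B>; the actual per-release maximum is the one given in the <I>IBM AFS Release Notes</I>, which this page does not quote.

```shell
# Added example (not part of the IBM AFS Quick Beginnings or of AFS itself):
# helpers for the /vicepxx server-partition naming convention. Names are mine.
LC_ALL=C
export LC_ALL

ALPHABET=abcdefghijklmnopqrstuvwxyz

# nth_letter N: print the N-th lowercase letter, counting from 0.
nth_letter() {
    printf '%s\n' "$ALPHABET" | cut -c "$(( $1 + 1 ))"
}

# letter_index C: inverse of nth_letter for one lowercase letter.
letter_index() {
    printf '%d\n' "$(( $(printf '%d' "'$1") - 97 ))"
}

# vicep_name INDEX: mount directory for the server partition with 0-based
# INDEX. 0-25 give /vicepa to /vicepz, 26 gives /vicepaa (the 27th
# partition), 51 /vicepaz, 52 /vicepba, and 701 /vicepzz, the last
# two-letter name. The real upper bound is the per-release maximum in the
# IBM AFS Release Notes, which may be lower than this.
vicep_name() {
    idx=$1
    if [ "$idx" -lt 0 ] || [ "$idx" -gt 701 ]; then
        echo "vicep_name: index $idx outside 0..701" >&2
        return 1
    fi
    if [ "$idx" -lt 26 ]; then
        printf '/vicep%s\n' "$(nth_letter "$idx")"
    else
        rest=$(( idx - 26 ))
        printf '/vicep%s%s\n' "$(nth_letter $(( rest / 26 )))" \
                               "$(nth_letter $(( rest % 26 )))"
    fi
}

# vicep_path_ok PATH: succeed only if PATH is an acceptable mount point:
# directly under the root directory and named vicep plus one or two
# lowercase letters. /usr/vicepa, /vicepA and /vicepabc are all rejected.
vicep_path_ok() {
    case $1 in
        /vicep[a-z]|/vicep[a-z][a-z]) return 0 ;;
        *) return 1 ;;
    esac
}

# vicep_index PATH: 0-based index of a valid partition path (inverse of
# vicep_name); fails for any path that vicep_path_ok rejects.
vicep_index() {
    vicep_path_ok "$1" || return 1
    suffix=${1#/vicep}
    if [ "${#suffix}" -eq 1 ]; then
        letter_index "$suffix"
    else
        hi=$(letter_index "$(printf '%s' "$suffix" | cut -c1)")
        lo=$(letter_index "$(printf '%s' "$suffix" | cut -c2)")
        printf '%d\n' "$(( 26 + hi * 26 + lo ))"
    fi
}

# Demonstration: the 1st, 26th, 27th and 53rd partition directories.
for i in 0 25 26 52; do
    printf '%3d -> %s\n' "$i" "$(vicep_name "$i")"
done
```

<P>Run <TT>vicep_path_ok</TT> on each mount point before creating the directory or writing its file systems registry entry; a name it rejects is, by the rule above, not an acceptable server partition location.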
205 <P>To continue, proceed to the appropriate section:
207 <P><LI><A HREF="#HDRWQ21">Getting Started on AIX Systems</A>
208 <P><LI><A HREF="#HDRWQ26">Getting Started on Digital UNIX Systems</A>
209 <P><LI><A HREF="#HDRWQ31">Getting Started on HP-UX Systems</A>
210 <P><LI><A HREF="#HDRWQ36">Getting Started on IRIX Systems</A>
211 <P><LI><A HREF="#HDRWQ41">Getting Started on Linux Systems</A>
212 <P><LI><A HREF="#HDRWQ45">Getting Started on Solaris Systems</A>
214 <HR><H2><A NAME="HDRWQ21" HREF="auqbg002.htm#ToC_34">Getting Started on AIX Systems</A></H2>
215 <P>Begin by running the AFS initialization script to call the
216 AIX kernel extension facility, which dynamically loads AFS modifications into
217 the kernel. Then use the <B>SMIT</B> program to configure
218 partitions for storing AFS volumes, and replace the AIX <B>fsck</B>
219 program helper with a version that correctly handles AFS volumes. If
220 the machine is to remain an AFS client machine, incorporate AFS into the AIX
221 secondary authentication system.
222 <A NAME="IDX2249"></A>
223 <A NAME="IDX2250"></A>
224 <A NAME="IDX2251"></A>
225 <A NAME="IDX2252"></A>
226 <P><H3><A NAME="HDRWQ22" HREF="auqbg002.htm#ToC_35">Loading AFS into the AIX Kernel</A></H3>
227 <P>The AIX kernel extension facility is the dynamic kernel
228 loader provided by IBM Corporation. AIX does not support incorporation
229 of AFS modifications during a kernel build.
230 <P>For AFS to function correctly, the kernel extension facility must run each
231 time the machine reboots, so the AFS initialization script (included in the
232 AFS distribution) invokes it automatically. In this section you copy
233 the script to the conventional location and edit it to select the appropriate
234 options depending on whether NFS is also to run.
235 <P>After editing the script, you run it to incorporate AFS into the
236 kernel. In later sections you verify that the script correctly
237 initializes all AFS components, then configure the AIX <B>inittab</B> file
238 so that the script runs automatically at reboot.
240 <P><LI>Mount the AFS CD-ROM for AIX on the local <B>/cdrom</B>
241 directory. For instructions on mounting CD-ROMs (either locally or
242 remotely via NFS), see your AIX documentation. Then change directory as
245 <PRE># <B>cd /cdrom/rs_aix42/root.client/usr/vice/etc</B></PRE>
248 <P><LI>Copy the AFS kernel library files to the local
249 <B>/usr/vice/etc/dkload</B> directory, and the AFS initialization script
250 to the <B>/etc</B> directory.
252 <PRE># <B>cp -rp dkload /usr/vice/etc</B>
254 # <B>cp -p rc.afs /etc/rc.afs</B></PRE>
257 <P><LI>Edit the <B>/etc/rc.afs</B> script, setting the <TT>NFS</TT>
258 variable as indicated.
259 <P>If the machine is not to function as an NFS/AFS Translator, set the
260 <TT>NFS</TT> variable as follows.
264 <P>If the machine is to function as an NFS/AFS Translator and is running AIX
265 4.2.1 or higher, set the <TT>NFS</TT> variable as
266 follows. Note that NFS must already be loaded into the kernel, which
267 happens automatically on systems running AIX 4.1.1 and later, as
268 long as the file <B>/etc/exports</B> exists.
273 <P><LI>Invoke the <B>/etc/rc.afs</B> script to load AFS modifications
274 into the kernel. You can ignore any error messages about the inability
275 to start the BOS Server or the Cache Manager or AFS client.
281 <A NAME="IDX2253"></A>
282 <A NAME="IDX2254"></A>
283 <A NAME="IDX2255"></A>
284 <A NAME="IDX2256"></A>
285 <P><H3><A NAME="HDRWQ23" HREF="auqbg002.htm#ToC_36">Configuring Server Partitions on AIX Systems</A></H3>
286 <P>Every AFS file server machine must have at least one
287 partition or logical volume dedicated to storing AFS volumes. Each
288 server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
289 where <VAR>xx</VAR> is one or two lowercase letters. The
290 <B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
291 machine's root directory, not in one of its subdirectories (for example,
292 <B>/usr/vicepa</B> is not an acceptable directory location). For
293 additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
294 <P>To configure server partitions on an AIX system, perform the following
297 <P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
298 partition you are configuring (there must be at least one). Repeat the
299 command for each partition.
301 <PRE># <B>mkdir /vicep</B><VAR>xx</VAR></PRE>
304 <P><LI>Use the <B>SMIT</B> program to create a journaling file system on each
305 partition to be configured as an AFS server partition.
306 <P><LI>Mount each partition at one of the <B>/vicep</B><VAR>xx</VAR>
307 directories. Choose one of the following three methods:
309 <P><LI>Use the <B>SMIT</B> program
310 <P><LI>Use the <B>mount -a</B> command to mount all partitions at once
311 <P><LI>Use the <B>mount</B> command on each partition in turn
313 <P>Also configure the partitions so that they are mounted automatically at
314 each reboot. For more information, refer to the AIX
317 <A NAME="IDX2257"></A>
318 <A NAME="IDX2258"></A>
319 <A NAME="IDX2259"></A>
320 <A NAME="IDX2260"></A>
321 <P><H3><A NAME="HDRWQ24" HREF="auqbg002.htm#ToC_37">Replacing the fsck Program Helper on AIX Systems</A></H3>
322 <P>In this section, you make modifications to guarantee that the
323 appropriate <B>fsck</B> program runs on AFS server partitions. The
324 <B>fsck</B> program provided with the operating system must never run on
325 AFS server partitions. Because it does not recognize the structures
326 that the File Server uses to organize volume data, it removes all of the
328 <P><B>Never run the standard fsck program on AFS server partitions.
329 It discards AFS volumes.</B>
330 <P>On AIX systems, you do not replace the <B>fsck</B> binary itself, but
331 rather the <I>program helper</I> file included in the AIX distribution as
332 <B>/sbin/helpers/v3fshelper</B>.
334 <P><LI>Move the AIX <B>fsck</B> program helper to a safe location and install
335 the version from the AFS distribution in its place. The AFS CD-ROM must
336 still be mounted at the <B>/cdrom</B> directory.
338 <PRE># <B>cd /sbin/helpers</B>
340 # <B>mv v3fshelper v3fshelper.noafs</B>
342 # <B>cp -p /cdrom/rs_aix42/root.server/etc/v3fshelper v3fshelper</B></PRE>
346 <P><LI>If you plan to retain client functionality on this machine after
347 completing the installation, proceed to <A HREF="#HDRWQ25">Enabling AFS Login on AIX Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
349 <A NAME="IDX2261"></A>
350 <A NAME="IDX2262"></A>
351 <A NAME="IDX2263"></A>
352 <A NAME="IDX2264"></A>
353 <A NAME="IDX2265"></A>
354 <P><H3><A NAME="HDRWQ25" HREF="auqbg002.htm#ToC_38">Enabling AFS Login on AIX Systems</A></H3>
355 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
356 after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.</TD></TR></TABLE>
358 <P>Follow the instructions in this section to incorporate AFS modifications
359 into the AIX secondary authentication system.
361 <P><LI>Issue the <B>ls</B> command to verify that the
362 <B>afs_dynamic_auth</B> and <B>afs_dynamic_kerbauth</B> programs are
363 installed in the local <B>/usr/vice/etc</B> directory.
365 <PRE># <B>ls /usr/vice/etc</B></PRE>
367 <P>If the files do not exist, mount the AFS CD-ROM for AIX (if it is not
368 already), change directory as indicated, and copy them.
370 <PRE># <B>cd /cdrom/rs_aix42/root.client/usr/vice/etc</B>
372 # <B>cp -p afs_dynamic* /usr/vice/etc</B></PRE>
375 <P><LI>Edit the local <B>/etc/security/user</B> file, making changes to the
378 <P><LI>In the default stanza, set the <TT>registry</TT> attribute to
379 <B>DCE</B> (not to <B>AFS</B>), as follows:
384 <P><LI>In the default stanza, set the <TT>SYSTEM</TT> attribute as
386 <P>If the machine is an AFS client only, set the following value:
388 <PRE>SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"</PRE>
390 <P>If the machine is both an AFS and a DCE client, set the following value (it
391 must appear on a single line in the file):
393 <PRE>SYSTEM = "DCE OR DCE[UNAVAIL] OR AFS OR (AFS[UNAVAIL] \
394 AND compat[SUCCESS])"</PRE>
397 <P><LI>In the <TT>root</TT> stanza, set the <TT>registry</TT> attribute as
398 follows. It enables the local superuser <B>root</B> to log into the
399 local file system only, based on the password listed in the local password
407 <P><LI>Edit the local <B>/etc/security/login.cfg</B> file, creating or
408 editing the indicated stanzas:
410 <P><LI>In the <TT>DCE</TT> stanza, set the <TT>program</TT> attribute as
412 <P>If you use the AFS Authentication Server (<B>kaserver</B>
416 <PRE>program = /usr/vice/etc/afs_dynamic_auth</PRE>
418 <P>If you use a Kerberos implementation of AFS authentication:
421 <PRE>program = /usr/vice/etc/afs_dynamic_kerbauth</PRE>
424 <P><LI>In the <TT>AFS</TT> stanza, set the <TT>program</TT> attribute as
426 <P>If you use the AFS Authentication Server (<B>kaserver</B>
430 <PRE>program = /usr/vice/etc/afs_dynamic_auth</PRE>
432 <P>If you use a Kerberos implementation of AFS authentication:
435 <PRE>program = /usr/vice/etc/afs_dynamic_kerbauth</PRE>
439 <P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
440 additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
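<P>To confirm the edits in this section without re-reading the stanzas by eye, here is an added example; it is my own code, not IBM's and not part of the AFS distribution. <TT>stanza_attr</TT> is a small shell/awk reader for the AIX stanza file format (a <TT>name:</TT> line followed by indented <TT>attribute = value</TT> lines) that extracts one attribute from one stanza, and <TT>check_afs_login_config</TT> applies this section's rules for the <TT>default</TT> stanza of <B>/etc/security/user</B> and the <TT>DCE</TT> and <TT>AFS</TT> stanzas of <B>/etc/security/login.cfg</B> to copies of those files. The files written by <TT>write_sample_config</TT> are constructed to match the <B>kaserver</B> variant of the instructions; the function names are assumptions.

```shell
# Added example (not part of the IBM AFS Quick Beginnings or of AFS itself):
# a reader for AIX stanza files plus a checker for the settings this
# section prescribes. Function names and sample contents are mine.

# stanza_attr FILE STANZA ATTR: print the value of ATTR inside STANZA with
# surrounding double quotes removed; print nothing if it is not set.
# Assumes the usual "attr = value" layout with spaces around the "=".
stanza_attr() {
    awk -v stanza="$2" -v attr="$3" '
        # A stanza header is an unindented name ending in a colon.
        /^[^ \t#][^:]*:[ \t]*$/ { cur = $0; sub(/:.*/, "", cur); next }
        cur == stanza && $1 == attr && $2 == "=" {
            val = $0
            sub(/^[ \t]*[^=]*=[ \t]*/, "", val)   # drop "attr = "
            gsub(/^"|"$/, "", val)                # drop enclosing quotes
            print val
            exit
        }' "$1"
}

# check_afs_login_config USERFILE LOGINCFG: apply the rules of this section
# to copies of /etc/security/user and /etc/security/login.cfg; report each
# deviation on stderr and fail if there was any.
check_afs_login_config() {
    userf=$1 loginf=$2 rc=0
    reg=$(stanza_attr "$userf" default registry)
    if [ "$reg" != DCE ]; then
        echo "default: registry is '$reg', expected DCE (not AFS)" >&2
        rc=1
    fi
    sys=$(stanza_attr "$userf" default SYSTEM)
    case $sys in
        *AFS*) ;;
        *) echo "default: SYSTEM does not name AFS: '$sys'" >&2; rc=1 ;;
    esac
    for st in DCE AFS; do
        prog=$(stanza_attr "$loginf" "$st" program)
        case $prog in
            /usr/vice/etc/afs_dynamic_auth|/usr/vice/etc/afs_dynamic_kerbauth) ;;
            *) echo "$st: program is '$prog', expected afs_dynamic_auth or afs_dynamic_kerbauth" >&2
               rc=1 ;;
        esac
    done
    return "$rc"
}

# write_sample_config DIR: constructed copies of the two files, set as the
# kaserver variant of the instructions above describes.
write_sample_config() {
    cat > "$1/user" <<'EOF'
default:
        registry = DCE
        SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"
EOF
    cat > "$1/login.cfg" <<'EOF'
DCE:
        program = /usr/vice/etc/afs_dynamic_auth

AFS:
        program = /usr/vice/etc/afs_dynamic_auth
EOF
}

# Demonstration against the constructed files in a temporary directory.
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir"
check_afs_login_config "$demo_dir/user" "$demo_dir/login.cfg" \
    && echo "AFS login configuration looks correct"
rm -rf "$demo_dir"
```

<P>On a real machine, point the checker at the live files instead of the constructed copies. Changing <TT>registry</TT> in the sample to <B>AFS</B>, which the text explicitly rules out, makes the check fail with a message naming the stanza and attribute.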
442 <HR><H2><A NAME="HDRWQ26" HREF="auqbg002.htm#ToC_39">Getting Started on Digital UNIX Systems</A></H2>
443 <P>Begin by building AFS modifications into a new static
444 kernel; Digital UNIX does not support dynamic loading. Then create
445 partitions for storing AFS volumes, and replace the Digital UNIX
446 <B>fsck</B> program with a version that correctly handles AFS
447 volumes. If the machine is to remain an AFS client machine, incorporate
448 AFS into the machine's Security Integration Architecture (SIA)
450 <A NAME="IDX2266"></A>
451 <A NAME="IDX2267"></A>
452 <A NAME="IDX2268"></A>
453 <A NAME="IDX2269"></A>
454 <P><H3><A NAME="HDRWQ27" HREF="auqbg002.htm#ToC_40">Building AFS into the Digital UNIX Kernel</A></H3>
455 <P>Use the following instructions to build AFS modifications
456 into the kernel on a Digital UNIX system.
458 <P><LI>Create a copy called <B>AFS</B> of the basic kernel configuration file
459 included in the Digital UNIX distribution as
460 <B>/usr/sys/conf/</B><VAR>machine_name</VAR>, where <VAR>machine_name</VAR> is
461 the machine's hostname in all uppercase letters.
463 <PRE># <B>cd /usr/sys/conf</B>
465 # <B>cp</B> <VAR>machine_name</VAR> <B>AFS</B></PRE>
468 <P><LI>Add AFS to the list of options in the configuration file you created in
469 the previous step, so that the result looks like the following:
479 <P><LI>Add an entry for AFS to two places in the file
480 <B>/usr/sys/conf/files</B>.
482 <P><LI>Add a line for AFS to the list of <TT>OPTIONS</TT>, so that the result
483 looks like the following:
486 <PRE>OPTIONS/nfs optional nfs
487 OPTIONS/afs optional afs
488 OPTIONS/nfs_server optional nfs_server</PRE>
493 <P><LI>Add an entry for AFS to the list of <TT>MODULES</TT>, so that the result
494 looks like the following:
498 <PRE>MODULE/nfs_server optional nfs_server Binary
499 nfs/nfs_server.c module nfs_server optimize -g3
500 nfs/nfs3_server.c module nfs_server optimize -g3
502 MODULE/afs optional afs Binary
503 afs/libafs.c module afs</PRE>
508 <P><LI>Add an entry for AFS to two places in the file
509 <B>/usr/sys/vfs/vfs_conf.c</B>.
511 <P><LI>Add AFS to the list of defined file systems, so that the result looks like
516 <PRE>#if defined(AFS) &amp;&amp; AFS
517 extern struct vfsops afs_vfsops;</PRE>
523 <P><LI>Put a declaration for AFS in the <B>vfssw[]</B> table's
524 MOUNT_ADDON slot, so that the result looks like the following:
527 <PRE>&amp;fdfs_vfsops, "fdfs", /* 12 = MOUNT_FDFS */
529 &amp;afs_vfsops, "afs",
531 (struct vfsops *)0, "", /* 13 = MOUNT_ADDON */
533 #if NFS &amp;&amp; INFS_DYNAMIC
534 &amp;nfs3_vfsops, "nfsv3", /* 14 = MOUNT_NFS3 */</PRE>
538 <P><LI>Mount the AFS CD-ROM for Digital UNIX on the local <B>/cdrom</B>
539 directory. For instructions on mounting CD-ROMs (either locally or
540 remotely via NFS), see your Digital UNIX documentation. Then change
541 directory as indicated.
543 <PRE># <B>cd /cdrom/alpha_dux40/root.client</B></PRE>
546 <P><LI>Copy the AFS initialization script to the local directory for
547 initialization files (by convention, <B>/sbin/init.d</B> on Digital
548 UNIX machines). Note the removal of the <B>.rc</B> extension
549 as you copy the script.
551 <PRE># <B>cp usr/vice/etc/afs.rc /sbin/init.d/afs</B></PRE>
554 <P><LI>Copy the AFS kernel module to the local <B>/usr/sys/BINARY</B>
556 <P>If the machine's kernel supports NFS server functionality:
558 <PRE># <B>cp bin/libafs.o /usr/sys/BINARY/afs.mod</B></PRE>
560 <P>If the machine's kernel does not support NFS server
563 <PRE># <B>cp bin/libafs.nonfs.o /usr/sys/BINARY/afs.mod</B></PRE>
566 <P><LI>Configure and build the kernel. Respond to any prompts by pressing
567 &lt;<B>Return</B>&gt;. The resulting kernel resides in the file
568 <B>/sys/AFS/vmunix</B>.
570 <PRE># <B>doconfig -c AFS</B></PRE>
573 <P><LI>Rename the existing kernel file and copy the new, AFS-modified file to the
576 <PRE># <B>mv /vmunix /vmunix_noafs</B>
578 # <B>cp /sys/AFS/vmunix /vmunix</B></PRE>
581 <P><LI>Reboot the machine to start using the new kernel, and login again as the
582 superuser <B>root</B>.
586 <PRE># <B>shutdown -r now</B>
589 Password: <VAR>root_password</VAR></PRE>
593 <A NAME="IDX2270"></A>
594 <A NAME="IDX2271"></A>
595 <A NAME="IDX2272"></A>
596 <A NAME="IDX2273"></A>
597 <P><H3><A NAME="HDRWQ28" HREF="auqbg002.htm#ToC_41">Configuring Server Partitions on Digital UNIX Systems</A></H3>
598 <P>Every AFS file server machine must have at least one
599 partition or logical volume dedicated to storing AFS volumes. Each
600 server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
601 where <VAR>xx</VAR> is one or two lowercase letters. The
602 <B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
603 machine's root directory, not in one of its subdirectories (for example,
604 <B>/usr/vicepa</B> is not an acceptable directory location). For
605 additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
607 <P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
608 partition you are configuring (there must be at least one). Repeat the
609 command for each partition.
611 <PRE># <B>mkdir /vicep</B><VAR>xx</VAR></PRE>
614 <P><LI>Add a line with the following format to the file systems registry file,
615 <B>/etc/fstab</B>, for each directory just created. The entry maps
616 the directory name to the disk partition to be mounted on it.
618 <PRE>/dev/<VAR>disk</VAR> /vicep<VAR>xx</VAR> ufs rw 0 2</PRE>
620 <P>The following is an example for the first partition being
623 <PRE>/dev/rz3a /vicepa ufs rw 0 2</PRE>
626 <P><LI>Create a file system on each partition that is to be mounted at a
627 <B>/vicep</B><VAR>xx</VAR> directory. The following command is
628 probably appropriate, but consult the Digital UNIX documentation for more
631 <PRE># <B>newfs -v /dev/</B><VAR>disk</VAR></PRE>
634 <P><LI>Mount each partition by issuing either the <B>mount -a</B> command to
635 mount all partitions at once or the <B>mount</B> command to mount each
638 <A NAME="IDX2274"></A>
639 <A NAME="IDX2275"></A>
640 <A NAME="IDX2276"></A>
641 <A NAME="IDX2277"></A>
642 <P><H3><A NAME="HDRWQ29" HREF="auqbg002.htm#ToC_42">Replacing the fsck Program on Digital UNIX Systems</A></H3>
643 <P>In this section, you make modifications to guarantee that the
644 appropriate <B>fsck</B> program runs on AFS server partitions. The
645 <B>fsck</B> program provided with the operating system must never run on
646 AFS server partitions. Because it does not recognize the structures
647 that the File Server uses to organize volume data, it removes all of the
649 <P><B>Never run the standard fsck program on AFS server partitions.
650 It discards AFS volumes.</B>
651 <P>On Digital UNIX systems, the files <B>/sbin/fsck</B> and
652 <B>/usr/sbin/fsck</B> are driver programs. Rather than replacing
653 either of them, you replace the actual binary included in the Digital UNIX
654 distribution as <B>/sbin/ufs_fsck</B> and
655 <B>/usr/sbin/ufs_fsck</B>.
657 <P><LI>Install the <B>vfsck</B> binary to the <B>/sbin</B> and
658 <B>/usr/sbin</B> directories. The AFS CD-ROM must still be mounted
659 at the <B>/cdrom</B> directory.
661 <PRE># <B>cd /cdrom/alpha_dux40/root.server/etc</B>
663 # <B>cp vfsck /sbin/vfsck</B>
665 # <B>cp vfsck /usr/sbin/vfsck</B></PRE>
668 <P><LI>Rename the Digital UNIX <B>fsck</B> binaries and create symbolic links
669 to the <B>vfsck</B> program.
673 <PRE># <B>mv ufs_fsck ufs_fsck.noafs</B>
675 # <B>ln -s vfsck ufs_fsck</B>
677 # <B>cd /usr/sbin</B>
679 # <B>mv ufs_fsck ufs_fsck.noafs</B>
681 # <B>ln -s vfsck ufs_fsck</B></PRE>
684 <P><LI>If you plan to retain client functionality on this machine after
685 completing the installation, proceed to <A HREF="#HDRWQ30">Enabling AFS Login on Digital UNIX Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
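<P>The rename-and-link step above, like the <B>v3fshelper</B> step in <A HREF="#HDRWQ24">Replacing the fsck Program Helper on AIX Systems</A>, is not safe to run a second time: by then <B>ufs_fsck</B> is already a symbolic link, so <B>mv ufs_fsck ufs_fsck.noafs</B> overwrites the saved vendor binary with that link and the original is gone. The shell function below is an added example, my own code rather than this document's or the AFS distribution's, that performs the same diversion with guards: it requires the AFS replacement to be present in the directory first, refuses to overwrite an existing <B>.noafs</B> backup, and treats an already-correct link as finished work. It is exercised here against files created in a temporary directory; the function names are assumptions.

```shell
# Added example (not part of the IBM AFS Quick Beginnings or of AFS itself):
# an idempotent version of "mv NAME NAME.noafs; ln -s AFSNAME NAME" that
# never clobbers the one saved copy of the vendor program. Names are mine.

# replace_fsck DIR NAME AFSNAME
#   DIR      directory holding the vendor binary (e.g. /sbin or /usr/sbin)
#   NAME     vendor binary to divert (e.g. ufs_fsck)
#   AFSNAME  AFS-supplied replacement already copied into DIR (e.g. vfsck)
# Moves DIR/NAME to DIR/NAME.noafs exactly once, then links DIR/NAME -> AFSNAME.
replace_fsck() {
    dir=$1 name=$2 afsname=$3
    target=$dir/$name
    backup=$dir/$name.noafs

    if [ ! -f "$dir/$afsname" ]; then
        echo "replace_fsck: $dir/$afsname missing; copy it from the AFS CD-ROM first" >&2
        return 1
    fi
    # Already diverted: NAME is a link pointing at the AFS binary.
    if [ -L "$target" ] && [ "$(readlink "$target")" = "$afsname" ]; then
        echo "replace_fsck: $target already links to $afsname; nothing to do"
        return 0
    fi
    # A backup exists but NAME is not the expected link: stop rather than
    # overwrite the only copy of the vendor program.
    if [ -e "$backup" ]; then
        echo "replace_fsck: $backup already exists; refusing to overwrite it" >&2
        return 1
    fi
    # Only a regular file can be the vendor binary we are saving.
    if [ ! -f "$target" ] || [ -L "$target" ]; then
        echo "replace_fsck: $target is not a regular file; cannot divert it" >&2
        return 1
    fi
    mv "$target" "$backup" && ln -s "$afsname" "$target"
}

# fsck_diverted DIR NAME AFSNAME: succeed if the diversion is in place,
# i.e. the backup is a regular file and NAME is a symlink to AFSNAME.
fsck_diverted() {
    [ -f "$1/$2.noafs" ] && [ -L "$1/$2" ] && [ "$(readlink "$1/$2")" = "$3" ]
}

# Demonstration with constructed stand-ins for the binaries, run twice to
# show that the second run leaves the backup untouched.
demo_dir=$(mktemp -d)
printf 'vendor fsck\n' > "$demo_dir/ufs_fsck"
printf 'afs vfsck\n'   > "$demo_dir/vfsck"
replace_fsck "$demo_dir" ufs_fsck vfsck
replace_fsck "$demo_dir" ufs_fsck vfsck
fsck_diverted "$demo_dir" ufs_fsck vfsck && echo "diverted; backup intact"
rm -rf "$demo_dir"
```

<P>On a Digital UNIX machine the call would be <TT>replace_fsck /sbin ufs_fsck vfsck</TT> followed by <TT>replace_fsck /usr/sbin ufs_fsck vfsck</TT>, after the two <B>cp</B> commands above have put <B>vfsck</B> in place; <TT>fsck_diverted</TT> is the check to run afterwards, and again after any operating system update that might have reinstalled the vendor <B>fsck</B>.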
687 <A NAME="IDX2278"></A>
688 <A NAME="IDX2279"></A>
689 <A NAME="IDX2280"></A>
690 <A NAME="IDX2281"></A>
691 <A NAME="IDX2282"></A>
692 <A NAME="IDX2283"></A>
693 <P><H3><A NAME="HDRWQ30" HREF="auqbg002.htm#ToC_43">Enabling AFS Login on Digital UNIX Systems</A></H3>
694 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
695 after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.</TD></TR></TABLE>
697 <P>On Digital UNIX systems, the AFS initialization script automatically
698 incorporates the AFS authentication library file into the Security Integration
699 Architecture (SIA) matrix on the machine, so that users with AFS accounts
700 obtain a token at login. In this section you copy the library file to
701 the appropriate location.
702 <P>For more information on SIA, see the Digital UNIX reference page for
703 <B>matrix.conf</B>, or consult the section on security in your
704 Digital UNIX documentation.
705 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If the machine runs both the DCE and AFS client software, AFS must start
706 after DCE. Consult the AFS initialization script for suggested symbolic
707 links to create for correct ordering. Also, the system startup script
708 order must initialize SIA before any long-running process that uses</TD></TR></TABLE>
711 <P>Perform the following steps to enable AFS login.
713 <P><LI>Mount the AFS CD-ROM for Digital UNIX on the local <B>/cdrom</B>
714 directory, if it is not already. Change directory as indicated.
716 <PRE># <B>cd /cdrom/alpha_dux40/lib/afs</B></PRE>
719 <P><LI>Copy the appropriate AFS authentication library file to the local
720 <B>/usr/shlib</B> directory.
721 <P>If you use the AFS Authentication Server (<B>kaserver</B> process) in
724 <PRE># <B>cp libafssiad.so /usr/shlib</B></PRE>
726 <P>If you use a Kerberos implementation of AFS authentication, rename the
727 library file as you copy it:
729 <PRE># <B>cp libafssiad.krb.so /usr/shlib/libafssiad.so</B></PRE>
732 <P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
733 additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
735 <HR><H2><A NAME="HDRWQ31" HREF="auqbg002.htm#ToC_44">Getting Started on HP-UX Systems</A></H2>
736 <P>Begin by building AFS modifications into a new kernel;
737 HP-UX does not support dynamic loading. Then create partitions for
738 storing AFS volumes, and install and configure the AFS-modified
739 <B>fsck</B> program to run on AFS server partitions. If the machine
740 is to remain an AFS client machine, incorporate AFS into the machine's
741 Pluggable Authentication Module (PAM) scheme.
742 <A NAME="IDX2284"></A>
743 <A NAME="IDX2285"></A>
744 <A NAME="IDX2286"></A>
745 <A NAME="IDX2287"></A>
746 <P><H3><A NAME="HDRWQ32" HREF="auqbg002.htm#ToC_45">Building AFS into the HP-UX Kernel</A></H3>
747 <P>Use the following instructions to build AFS modifications
748 into the kernel on an HP-UX system.
750 <P><LI>Move the existing kernel-related files to a safe location.
752 <PRE># <B>cp /stand/vmunix /stand/vmunix.noafs</B>
754 # <B>cp /stand/system /stand/system.noafs</B></PRE>
757 <P><LI>Mount the AFS CD-ROM for HP-UX on the local <B>/cdrom</B>
758 directory. For instructions on mounting CD-ROMs (either locally or
759 remotely via NFS), see your HP-UX documentation. Then change directory
762 # <B>cd /cdrom/hp_ux110/root.client</B>
765 <P><LI>Copy the AFS initialization file to the local directory for initialization
766 files (by convention, <B>/sbin/init.d</B> on HP-UX
767 machines). Note the removal of the <B>.rc</B> extension as
770 # <B>cp usr/vice/etc/afs.rc /sbin/init.d/afs</B>
773 <P><LI>Copy the file <B>afs.driver</B> to the local
774 <B>/usr/conf/master.d</B> directory, changing its name to
775 <B>afs</B> as you do.
777 # <B>cp usr/vice/etc/afs.driver /usr/conf/master.d/afs</B>
780 <P><LI>Copy the AFS kernel module to the local <B>/usr/conf/lib</B>
782 <P>If the machine's kernel supports NFS server functionality:
784 # <B>cp bin/libafs.a /usr/conf/lib</B>
786 <P>If the machine's kernel does not support NFS server functionality,
787 change the file's name as you copy it:
789 # <B>cp bin/libafs.nonfs.a /usr/conf/lib/libafs.a</B>
792 <P><LI>Incorporate the AFS driver into the kernel, either using the
793 <B>SAM</B> program or a series of individual commands.
795 <P><LI>To use the <B>SAM</B> program:
797 <P><LI>Invoke the <B>SAM</B> program, specifying the hostname of the local
798 machine as <VAR>local_hostname</VAR>. The <B>SAM</B> graphical user
801 # <B>sam -display</B> <VAR>local_hostname</VAR><B>:0</B>
804 <P><LI>Choose the <B>Kernel Configuration</B> icon, then the
805 <B>Drivers</B> icon. From the list of drivers, select
807 <P><LI>Open the pull-down <B>Actions</B> menu and choose the <B>Add Driver
808 to Kernel</B> option.
809 <P><LI>Open the <B>Actions</B> menu again and choose the <B>Create a New
811 <P><LI>Confirm your choices by choosing <B>Yes</B> and <B>OK</B> when
812 prompted by subsequent pop-up windows. The <B>SAM</B> program
813 builds the kernel and reboots the system.
814 <P><LI>Log in again as the superuser <B>root</B>.
817 Password: <VAR>root_password</VAR>
821 <P><LI>To use individual commands:
823 <P><LI>Edit the file <B>/stand/system</B>, adding an entry for <B>afs</B>
824 to the <TT>Subsystems</TT> section.
825 <P><LI>Change to the <B>/stand/build</B> directory and issue the
826 <B>mk_kernel</B> command to build the kernel.
828 # <B>cd /stand/build</B>
833 <P><LI>Move the new kernel to the standard location (<B>/stand/vmunix</B>),
834 reboot the machine to start using it, and log in again as the superuser
837 # <B>mv /stand/build/vmunix_test /stand/vmunix</B>
841 # <B>shutdown -r now</B>
844 Password: <VAR>root_password</VAR>
850 <A NAME="IDX2288"></A>
851 <A NAME="IDX2289"></A>
852 <A NAME="IDX2290"></A>
853 <A NAME="IDX2291"></A>
854 <P><H3><A NAME="HDRWQ33" HREF="auqbg002.htm#ToC_46">Configuring Server Partitions on HP-UX Systems</A></H3>
855 <P>Every AFS file server machine must have at least one
856 partition or logical volume dedicated to storing AFS volumes. Each
857 server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
858 where <VAR>xx</VAR> is one or two lowercase letters. The
859 <B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
860 machine's root directory, not in one of its subdirectories (for example,
861 <B>/usr/vicepa</B> is not an acceptable directory location). For
862 additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
864 <P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
865 partition you are configuring (there must be at least one). Repeat the
866 command for each partition.
868 # <B>mkdir /vicep</B><VAR>xx</VAR>
871 <P><LI>Use the <B>SAM</B> program to create a file system on each
872 partition. For instructions, consult the HP-UX documentation.
873 <P><LI>On some HP-UX systems that use logical volumes, the <B>SAM</B> program
874 automatically mounts the partitions. If it has not, mount each
875 partition by issuing either the <B>mount -a</B> command to mount all
876 partitions at once or the <B>mount</B> command to mount each partition in
879 <A NAME="IDX2292"></A>
880 <A NAME="IDX2293"></A>
881 <A NAME="IDX2294"></A>
882 <A NAME="IDX2295"></A>
883 <P><H3><A NAME="HDRWQ34" HREF="auqbg002.htm#ToC_47">Configuring the AFS-modified fsck Program on HP-UX Systems</A></H3>
884 <P>In this section, you make modifications to guarantee that the
885 appropriate <B>fsck</B> program runs on AFS server partitions. The
886 <B>fsck</B> program provided with the operating system must never run on
887 AFS server partitions. Because it does not recognize the structures
888 that the File Server uses to organize volume data, it removes all of the
890 <P><B>Never run the standard fsck program on AFS server partitions.
891 It discards AFS volumes.</B>
892 <P>On HP-UX systems, there are several configuration files to install in
893 addition to the AFS-modified <B>fsck</B> program (the <B>vfsck</B>
896 <P><LI>Create the command configuration file
897 <B>/sbin/lib/mfsconfig.d/afs</B>. Use a text editor to place
898 the indicated two lines in it:
901 fsck 0 m,P,p,d,f,b:c:y,n,Y,N,q,
904 <P><LI>Create and change directory to an AFS-specific command directory called
907 # <B>mkdir /sbin/fs/afs</B>
909 # <B>cd /sbin/fs/afs</B>
912 <P><LI>Copy the AFS-modified version of the <B>fsck</B> program (the
913 <B>vfsck</B> binary) and related files from the distribution directory to
914 the new AFS-specific command directory.
916 # <B>cp -p /cdrom/hp_ux110/root.server/etc/* .</B>
919 <P><LI>Change the <B>vfsck</B> binary's name to <B>fsck</B> and set
920 the mode bits appropriately on all of the files in the <B>/sbin/fs/afs</B>
923 # <B>mv vfsck fsck</B>
928 <P><LI>Edit the <B>/etc/fstab</B> file, changing the file system type for
929 each AFS server partition from <TT>hfs</TT> to <TT>afs</TT>. This
930 ensures that the AFS-modified <B>fsck</B> program runs on the appropriate
932 <P>The sixth line in the following example of an edited file shows an AFS
933 server partition, <B>/vicepa</B>.
935 /dev/vg00/lvol1 / hfs defaults 0 1
936 /dev/vg00/lvol4 /opt hfs defaults 0 2
937 /dev/vg00/lvol5 /tmp hfs defaults 0 2
938 /dev/vg00/lvol6 /usr hfs defaults 0 2
939 /dev/vg00/lvol8 /var hfs defaults 0 2
940 /dev/vg00/lvol9 /vicepa afs defaults 0 2
941 /dev/vg00/lvol7 /usr/vice/cache hfs defaults 0 2
944 <P><LI>If you plan to retain client functionality on this machine after
945 completing the installation, proceed to <A HREF="#HDRWQ35">Enabling AFS Login on HP-UX Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
947 <A NAME="IDX2296"></A>
948 <A NAME="IDX2297"></A>
949 <A NAME="IDX2298"></A>
950 <A NAME="IDX2299"></A>
951 <A NAME="IDX2300"></A>
952 <A NAME="IDX2301"></A>
953 <P><H3><A NAME="HDRWQ35" HREF="auqbg002.htm#ToC_48">Enabling AFS Login on HP-UX Systems</A></H3>
954 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
955 after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
957 <P>At this point you incorporate AFS into the operating system's
958 Pluggable Authentication Module (PAM) scheme. PAM integrates all
959 authentication mechanisms on the machine, including login, to provide the
960 security infrastructure for authenticated access to and from the
962 <P>Explaining PAM is beyond the scope of this document. It is assumed
963 that you understand the syntax and meanings of settings in the PAM
964 configuration file (for example, how the <TT>other</TT> entry works, the
965 effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
966 <TT>sufficient</TT>, and so on).
967 <P>The following instructions explain how to alter the entries in the PAM
968 configuration file for each service for which you wish to use AFS
969 authentication. Other configurations may also work, but the
970 instructions specify the recommended and tested configuration.
971 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">The instructions specify that you mark each entry as
972 <TT>optional</TT>. However, marking some modules as optional can mean
973 that they grant access to the corresponding service even when the user does
974 not meet all of the module's requirements. In some operating
975 system revisions, for example, if you mark as optional the module that
976 controls login via a dial-up connection, it allows users to log in without
977 providing a password. See the <I>IBM AFS Release Notes</I> for a
978 discussion of any limitations that apply to this operating system.
979 <P>Also, with some operating system versions you must install patches for PAM
980 to interact correctly with certain authentication programs. For
981 details, see the <I>IBM AFS Release Notes</I>.
983 <P>The recommended AFS-related entries in the PAM configuration file make use
984 of one or more of the following three attributes.
986 <P><DT><B><TT>try_first_pass</TT>
987 </B><DD>This is a standard PAM attribute that can be included on entries after the
988 first one for a service; it directs the module to use the password that
989 was provided to the first module. For the AFS module, it means that AFS
990 authentication succeeds if the password provided to the module listed first is
991 the user's correct AFS password. For further discussion of this
992 attribute and its alternatives, see the operating system's PAM
994 <P><DT><B><TT>ignore_root</TT>
995 </B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
996 only the local superuser <B>root</B>, but also any user with UID 0
998 <P><DT><B><TT>setenv_password_expires</TT>
999 </B><DD>This attribute, specific to the AFS PAM module, sets the environment
1000 variable PASSWORD_EXPIRES to the expiration date of the user's AFS
1001 password, which is recorded in the Authentication Database.
1003 <P>Perform the following steps to enable AFS login.
1005 <P><LI>Mount the AFS CD-ROM for HP-UX on the <B>/cdrom</B> directory, if it
1006 is not already. Then change directory as indicated.
1008 # <B>cd /usr/lib/security</B>
1011 <P><LI>Copy the AFS authentication library file to the
1012 <B>/usr/lib/security</B> directory. Then create a symbolic link to
1013 it whose name does not mention the version. Omitting the version
1014 eliminates the need to edit the PAM configuration file if you later update the
1016 <P>If you use the AFS Authentication Server (<B>kaserver</B> process) in
1019 # <B>cp /cdrom/hp_ux110/lib/pam_afs.so.1 .</B>
1021 # <B>ln -s pam_afs.so.1 pam_afs.so</B>
1023 <P>If you use a Kerberos implementation of AFS authentication:
1025 # <B>cp /cdrom/hp_ux110/lib/pam_afs.krb.so.1 .</B>
1027 # <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>
1030 <P><LI>Edit the <TT>Authentication management</TT> section of the HP-UX PAM
1031 configuration file, <B>/etc/pam.conf</B> by convention. The
1032 entries in this section have the value <TT>auth</TT> in their second
1034 <P>First edit the standard entries, which refer to the HP-UX PAM module
1035 (usually, the file <B>/usr/lib/security/libpam_unix.1</B>) in their
1036 fourth field. For each service for which you want to use AFS
1037 authentication, edit the third field of its entry to read
1038 <TT>optional</TT>. The <B>pam.conf</B> file in the HP-UX
1039 distribution usually includes standard entries for the <B>login</B> and
1040 <B>ftp</B> services, for instance.
1041 <P>If there are services for which you want to use AFS authentication, but for
1042 which the <B>pam.conf</B> file does not already include a standard
1043 entry, you must create that entry and place the value <TT>optional</TT> in
1044 its third field. For instance, the HP-UX <B>pam.conf</B>
1045 file does not usually include standard entries for the <B>remsh</B> or
1046 <B>telnet</B> services.
1047 <P>Then create an AFS-related entry for each service, placing it immediately
1048 below the standard entry. The following example shows what the
1049 <TT>Authentication Management</TT> section looks like after you have
1050 edited or created entries for the services mentioned previously. Note
1051 that the example AFS entries appear on two lines only for legibility.
1053 login auth optional /usr/lib/security/libpam_unix.1
1054 login auth optional /usr/lib/security/pam_afs.so \
1055 try_first_pass ignore_root setenv_password_expires
1056 ftp auth optional /usr/lib/security/libpam_unix.1
1057 ftp auth optional /usr/lib/security/pam_afs.so \
1058 try_first_pass ignore_root
1059 remsh auth optional /usr/lib/security/libpam_unix.1
1060 remsh auth optional /usr/lib/security/pam_afs.so \
1061 try_first_pass ignore_root
1062 telnet auth optional /usr/lib/security/libpam_unix.1
1063 telnet auth optional /usr/lib/security/pam_afs.so \
1064 try_first_pass ignore_root setenv_password_expires
1067 <P><LI>If you use the Common Desktop Environment (CDE) on the machine and want
1068 users to obtain an AFS token as they log in, also add or edit the following
1069 four entries in the <TT>Authentication management</TT> section. Note
1070 that the AFS-related entries appear on two lines here only for
1073 dtlogin auth optional /usr/lib/security/libpam_unix.1
1074 dtlogin auth optional /usr/lib/security/pam_afs.so \
1075 try_first_pass ignore_root
1076 dtaction auth optional /usr/lib/security/libpam_unix.1
1077 dtaction auth optional /usr/lib/security/pam_afs.so \
1078 try_first_pass ignore_root
1081 <P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
1082 additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
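<P>The layout described in the preceding steps can be audited mechanically. The following shell script is an added example, not part of the IBM AFS documentation: it reads an HP-UX style <B>pam.conf</B>, joins backslash-continued entries, and for every <TT>auth</TT> entry that loads <B>pam_afs.so</B> checks that the <B>libpam_unix</B> entry immediately precedes it, that both are marked <TT>optional</TT>, and that <TT>try_first_pass</TT> and <TT>ignore_root</TT> are present. The function names and the sample configuration file are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the IBM AFS documentation.
# audit_pam_afs FILE: check the "auth" entries of an HP-UX style pam.conf
# against the layout recommended above. Prints one finding per problem
# and returns 1 if there were any, 0 if every pam_afs entry is as expected.
audit_pam_afs() {
    awk '
        # Entries may be split over two lines with a trailing backslash
        # (the page shows them that way only for legibility); join them.
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, " "); buf = buf $0; next }
        { $0 = buf $0; buf = "" }
        /^[[:space:]]*#/ || NF == 0 { next }
        # Only the Authentication management section is audited here.
        $2 != "auth" { next }
        {
            svc = $1; ctl = $3; mod = $4
            if (mod ~ /pam_afs/) {
                # The AFS entry must sit directly below the standard entry
                # for the same service, and both must be optional.
                if (prev_svc != svc || prev_mod !~ /libpam_unix/) {
                    print svc ": pam_afs entry does not immediately follow the libpam_unix entry"; bad++
                } else if (prev_ctl != "optional") {
                    print svc ": standard entry is " prev_ctl ", expected optional"; bad++
                }
                if (ctl != "optional") {
                    print svc ": pam_afs entry is " ctl ", expected optional"; bad++
                }
                opts = " "
                for (i = 5; i <= NF; i++) opts = opts $i " "
                if (opts !~ / try_first_pass /) {
                    print svc ": pam_afs entry lacks try_first_pass (password given to the first module is not reused)"; bad++
                }
                if (opts !~ / ignore_root /) {
                    print svc ": pam_afs entry lacks ignore_root (root and other UID 0 users are not skipped)"; bad++
                }
            }
            prev_svc = svc; prev_ctl = ctl; prev_mod = mod
        }
        END { if (bad) exit 1 }
    ' "$1"
}

# write_sample_pam_conf FILE: constructed sample for the demonstration.
# login and ftp follow the recommended layout; telnet lacks ignore_root;
# remsh has its two entries in the wrong order.
write_sample_pam_conf() {
    cat > "$1" <<'EOF'
# Authentication management
login   auth optional /usr/lib/security/libpam_unix.1
login   auth optional /usr/lib/security/pam_afs.so \
        try_first_pass ignore_root setenv_password_expires
ftp     auth optional /usr/lib/security/libpam_unix.1
ftp     auth optional /usr/lib/security/pam_afs.so try_first_pass ignore_root
telnet  auth optional /usr/lib/security/libpam_unix.1
telnet  auth optional /usr/lib/security/pam_afs.so try_first_pass
remsh   auth optional /usr/lib/security/pam_afs.so try_first_pass ignore_root
remsh   auth optional /usr/lib/security/libpam_unix.1
# Account management (not audited)
login   account required /usr/lib/security/libpam_unix.1
EOF
}

# Demonstration on the constructed sample; on a real machine run
# audit_pam_afs /etc/pam.conf instead.
demo=${TMPDIR:-/tmp}/pam_afs_demo.$$
write_sample_pam_conf "$demo"
if audit_pam_afs "$demo"; then
    echo "pam.conf matches the recommended layout"
else
    echo "pam.conf deviates from the recommended layout (see findings above)"
fi
rm -f "$demo"
```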
1084 <HR><H2><A NAME="HDRWQ36" HREF="auqbg002.htm#ToC_49">Getting Started on IRIX Systems</A></H2>
1085 <A NAME="IDX2302"></A>
1086 <A NAME="IDX2303"></A>
1087 <A NAME="IDX2304"></A>
1088 <A NAME="IDX2305"></A>
1089 <A NAME="IDX2306"></A>
1090 <A NAME="IDX2307"></A>
1091 <A NAME="IDX2308"></A>
1092 <P>To incorporate AFS into the kernel on IRIX systems, choose one of two
1095 <P><LI>Run the AFS initialization script to invoke the <B>ml</B> program
1096 distributed by Silicon Graphics, Incorporated (SGI), which dynamically loads
1097 AFS modifications into the kernel
1098 <P><LI>Build a new static kernel
1100 <P>Then create partitions for storing AFS volumes. You do not need to
1101 replace the IRIX <B>fsck</B> program because SGI has already modified it
1102 to handle AFS volumes properly. If the machine is to remain an AFS
1103 client machine, verify that the IRIX login utility installed on the machine
1104 grants an AFS token.
1105 <P>In preparation for either dynamic loading or kernel building, perform the
1106 following procedures:
1108 <P><LI>Mount the AFS CD-ROM for IRIX on the <B>/cdrom</B> directory.
1109 For instructions on mounting CD-ROMs (either locally or remotely via NFS), see
1110 your IRIX documentation. Then change directory as indicated.
1112 # <B>cd /cdrom/sgi_65/root.client</B>
1115 <P><LI>Copy the AFS initialization script to the local directory for
1116 initialization files (by convention, <B>/etc/init.d</B> on IRIX
1117 machines). Note the removal of the <B>.rc</B> extension as
1118 you copy the script.
1120 # <B>cp -p usr/vice/etc/afs.rc /etc/init.d/afs</B>
1123 <P><LI>Issue the <B>uname -m</B> command to determine the machine's CPU
1124 board type. The <B>IP</B><VAR>xx</VAR> value in the output must match
1125 one of the supported CPU board types listed in the <I>IBM AFS Release
1126 Notes</I> for the current version of AFS.
1131 <P><LI>Proceed to either <A HREF="#HDRWQ37">Loading AFS into the IRIX Kernel</A> or <A HREF="#HDRWQ38">Building AFS into the IRIX Kernel</A>.
1133 <A NAME="IDX2309"></A>
1134 <A NAME="IDX2310"></A>
1135 <A NAME="IDX2311"></A>
1136 <A NAME="IDX2312"></A>
1137 <A NAME="IDX2313"></A>
1138 <A NAME="IDX2314"></A>
1139 <A NAME="IDX2315"></A>
1140 <P><H3><A NAME="HDRWQ37" HREF="auqbg002.htm#ToC_50">Loading AFS into the IRIX Kernel</A></H3>
1141 <P>The <B>ml</B> program is the dynamic kernel loader
1142 provided by SGI for IRIX systems. If you use it rather than building
1143 AFS modifications into a static kernel, then for AFS to function correctly the
1144 <B>ml</B> program must run each time the machine reboots.
1145 Therefore, the AFS initialization script (included on the AFS CD-ROM) invokes
1146 it automatically when the <B>afsml</B> configuration variable is
1147 activated. In this section you activate the variable and run the
1149 <P>In later sections you verify that the script correctly initializes all AFS
1150 components, then create the links that incorporate AFS into the IRIX startup
1151 and shutdown sequence.
1153 <P><LI>Create the local <B>/usr/vice/etc/sgiload</B> directory to house the
1154 AFS kernel library file.
1156 # <B>mkdir /usr/vice/etc/sgiload</B>
1159 <P><LI>Copy the appropriate AFS kernel library file to the
1160 <B>/usr/vice/etc/sgiload</B> directory. The
1161 <B>IP</B><VAR>xx</VAR> portion of the library file name must match the value
1162 previously returned by the <B>uname -m</B> command. Also choose the
1163 file appropriate to whether the machine's kernel supports NFS server
1164 functionality (NFS must be supported for the machine to act as an NFS/AFS
1165 Translator). Single- and multiprocessor machines use the same library
1167 <P>(You can choose to copy all of the kernel library files into the <B>
1168 /usr/vice/etc/sgiload</B> directory, but they require a significant amount
1170 <P>If the machine's kernel supports NFS server functionality:
1172 # <B>cp -p usr/vice/etc/sgiload/libafs.IP</B><VAR>xx</VAR><B>.o /usr/vice/etc/sgiload</B>
1174 <P>If the machine's kernel does not support NFS server
1177 # <B>cp -p usr/vice/etc/sgiload/libafs.IP</B><VAR>xx</VAR><B>.nonfs.o</B> \
1178 <B>/usr/vice/etc/sgiload</B>
1181 <P><LI>Issue the <B>chkconfig</B> command to activate the <B>afsml</B>
1182 configuration variable.
1184 # <B>/etc/chkconfig -f afsml on</B>
1186 <P>If the machine is to function as an NFS/AFS Translator and the kernel
1187 supports NFS server functionality, activate the <B>afsxnfs</B>
1190 # <B>/etc/chkconfig -f afsxnfs on</B>
1193 <P><LI>Run the <B>/etc/init.d/afs</B> script to load AFS extensions
1194 into the kernel. The script invokes the <B>ml</B> command,
1195 automatically determining which kernel library file to use based on this
1196 machine's CPU type and the activation state of the <B>afsxnfs</B>
1198 <P>You can ignore any error messages about the inability to start the BOS
1199 Server or the Cache Manager or AFS client.
1201 # <B>/etc/init.d/afs start</B>
1204 <P><LI>Proceed to <A HREF="#HDRWQ39">Configuring Server Partitions on IRIX Systems</A>.
1206 <A NAME="IDX2316"></A>
1207 <P><H3><A NAME="HDRWQ38" HREF="auqbg002.htm#ToC_51">Building AFS into the IRIX Kernel</A></H3>
1208 <P>Use the following instructions to build AFS modifications
1209 into the kernel on an IRIX system.
1211 <P><LI>Copy the kernel initialization file <B>afs.sm</B> to the local
1212 <B>/var/sysgen/system</B> directory, and the kernel master file
1213 <B>afs</B> to the local <B>/var/sysgen/master.d</B>
1216 # <B>cp -p bin/afs.sm /var/sysgen/system</B>
1218 # <B>cp -p bin/afs /var/sysgen/master.d</B>
1221 <P><LI>Copy the appropriate AFS kernel library file to the local file
1222 <B>/var/sysgen/boot/afs.a</B>; the <B>IP</B><VAR>xx</VAR>
1223 portion of the library file name must match the value previously returned by
1224 the <B>uname -m</B> command. Also choose the file appropriate to
1225 whether the machine's kernel supports NFS server functionality (NFS must
1226 be supported for the machine to act as an NFS/AFS Translator). Single-
1227 and multiprocessor machines use the same library file.
1228 <P>If the machine's kernel supports NFS server functionality:
1230 # <B>cp -p bin/libafs.IP</B><VAR>xx</VAR><B>.a /var/sysgen/boot/afs.a</B>
1232 <P>If the machine's kernel does not support NFS server
1235 # <B>cp -p bin/libafs.IP</B><VAR>xx</VAR><B>.nonfs.a /var/sysgen/boot/afs.a</B>
1238 <P><LI>Issue the <B>chkconfig</B> command to deactivate the <B>afsml</B>
1239 configuration variable.
1241 # <B>/etc/chkconfig -f afsml off</B>
1243 <P>If the machine is to function as an NFS/AFS Translator and the kernel
1244 supports NFS server functionality, activate the <B>afsxnfs</B>
1247 # <B>/etc/chkconfig -f afsxnfs on</B>
1250 <P><LI>Copy the existing kernel file, <B>/unix</B>, to a safe
1251 location. Compile the new kernel, which is created in the file
1252 <B>/unix.install</B>. It overwrites the existing
1253 <B>/unix</B> file when the machine reboots in the next step.
1255 # <B>cp /unix /unix_noafs</B>
1260 <P><LI>Reboot the machine to start using the new kernel, and log in again as the
1261 superuser <B>root</B>.
1265 # <B>shutdown -i6 -g0 -y</B>
1268 Password: <VAR>root_password</VAR>
1272 <A NAME="IDX2317"></A>
1273 <A NAME="IDX2318"></A>
1274 <A NAME="IDX2319"></A>
1275 <A NAME="IDX2320"></A>
1276 <P><H3><A NAME="HDRWQ39" HREF="auqbg002.htm#ToC_52">Configuring Server Partitions on IRIX Systems</A></H3>
1277 <P>Every AFS file server machine must have at least one
1278 partition or logical volume dedicated to storing AFS volumes. Each
1279 server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
1280 where <VAR>xx</VAR> is one or two lowercase letters. The
1281 <B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
1282 machine's root directory, not in one of its subdirectories (for example,
1283 <B>/usr/vicepa</B> is not an acceptable directory location). For
1284 additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
1285 <P>AFS supports use of both EFS and XFS partitions for housing AFS
1286 volumes. SGI encourages use of XFS partitions.
1288 <P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
1289 partition you are configuring (there must be at least one). Repeat the
1290 command for each partition.
1292 # <B>mkdir /vicep</B><VAR>xx</VAR>
1295 <P><LI>Add a line with the following format to the file systems registry file,
1296 <B>/etc/fstab</B>, for each partition (or logical volume created with the
1297 XLV volume manager) to be mounted on one of the directories created in the
1299 <P>For an XFS partition or logical volume:
1301 /dev/dsk/<VAR>disk</VAR> /vicep<VAR>xx</VAR> xfs rw,raw=/dev/rdsk/<VAR>disk</VAR> 0 0
1303 <P>For an EFS partition:
1305 /dev/dsk/<VAR>disk</VAR> /vicep<VAR>xx</VAR> efs rw,raw=/dev/rdsk/<VAR>disk</VAR> 0 0
1307 <P>The following are examples of an entry for each file system type:
1309 /dev/dsk/dks0d2s6 /vicepa xfs rw,raw=/dev/rdsk/dks0d2s6 0 0
1310 /dev/dsk/dks0d3s1 /vicepb efs rw,raw=/dev/rdsk/dks0d3s1 0 0
1313 <P><LI>Create a file system on each partition that is to be mounted on a
1314 <B>/vicep</B><VAR>xx</VAR> directory. The following commands are
1315 probably appropriate, but consult the IRIX documentation for more
1316 information. In both cases, <VAR>raw_device</VAR> is a raw device name
1317 like <B>/dev/rdsk/dks0d0s0</B> for a single disk partition or
1318 <B>/dev/rxlv/xlv0</B> for a logical volume.
1319 <P>For XFS file systems, include the indicated options to configure the
1320 partition or logical volume with inodes large enough to accommodate
1321 AFS-specific information:
1323 # <B>mkfs -t xfs -i size=512 -l size=4000b</B> <VAR>raw_device</VAR>
1325 <P>For EFS file systems:
1327 # <B>mkfs -t efs</B> <VAR>raw_device</VAR>
1330 <P><LI>Mount each partition by issuing either the <B>mount -a</B> command to
1331 mount all partitions at once or the <B>mount</B> command to mount each
1333 <P><LI><B>(Optional)</B> If you have configured partitions or logical volumes
1334 to use XFS, issue the following command to verify that the inodes are
1335 configured properly (are large enough to accommodate AFS-specific
1336 information). If the configuration is correct, the command returns no
1337 output. Otherwise, it specifies the command to run in order to
1338 configure each partition or logical volume properly.
1340 # <B>/usr/afs/bin/xfs_size_check</B>
1343 <P><LI>If you plan to retain client functionality on this machine after
1344 completing the installation, proceed to <A HREF="#HDRWQ40">Enabling AFS Login on IRIX Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
1346 <A NAME="IDX2321"></A>
1347 <A NAME="IDX2322"></A>
1348 <A NAME="IDX2323"></A>
1349 <A NAME="IDX2324"></A>
1350 <P><H3><A NAME="HDRWQ40" HREF="auqbg002.htm#ToC_53">Enabling AFS Login on IRIX Systems</A></H3>
1351 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
1352 after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
1354 <P>The standard IRIX command-line <B>login</B> program and the graphical
1355 <B>xdm</B> login program both automatically grant an AFS token when AFS is
1356 incorporated into the machine's kernel. However, some IRIX
1357 distributions use another login utility by default, and it does not
1358 necessarily incorporate the required AFS modifications. If that is the
1359 case, you must disable the default utility if you want AFS users to obtain AFS
1360 tokens at login. For further discussion, see the <I>IBM AFS Release
1362 <P>If you configure the machine to use an AFS-modified login utility, then the
1363 <B>afsauthlib.so</B> and <B>afskauthlib.so</B> files
1364 (included in the AFS distribution) must reside in the <B>/usr/vice/etc</B>
1365 directory. Issue the <B>ls</B> command to verify.
1367 # <B>ls /usr/vice/etc</B>
1369 <P>If the files do not exist, mount the AFS CD-ROM for IRIX (if it is not
1370 already), change directory as indicated, and copy them.
1372 # <B>cd /cdrom/sgi_65/root.client/usr/vice/etc</B>
1374 # <B>cp -p *authlib* /usr/vice/etc</B>
1376 <P>After taking any necessary action, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
1377 <HR><H2><A NAME="HDRWQ41" HREF="auqbg002.htm#ToC_54">Getting Started on Linux Systems</A></H2>
1378 <A NAME="IDX2325"></A>
1379 <A NAME="IDX2326"></A>
1380 <A NAME="IDX2327"></A>
1381 <A NAME="IDX2328"></A>
1382 <P>Begin by running the AFS initialization script to call the
1383 <B>insmod</B> program, which dynamically loads AFS modifications into the
1384 kernel. Then create partitions for storing AFS volumes. You do
1385 not need to replace the Linux <B>fsck</B> program. If the machine
1386 is to remain an AFS client machine, incorporate AFS into the machine's
1387 Pluggable Authentication Module (PAM) scheme.
1388 <A NAME="IDX2329"></A>
1389 <A NAME="IDX2330"></A>
1390 <A NAME="IDX2331"></A>
1391 <A NAME="IDX2332"></A>
1392 <P><H3><A NAME="HDRWQ42" HREF="auqbg002.htm#ToC_55">Loading AFS into the Linux Kernel</A></H3>
1393 <P>The <B>insmod</B> program is the dynamic kernel loader
1394 for Linux. Linux does not support incorporation of AFS modifications
1395 during a kernel build.
1396 <P>For AFS to function correctly, the <B>insmod</B> program must run each
1397 time the machine reboots, so the AFS initialization script (included on the
1398 AFS CD-ROM) invokes it automatically. The script also includes commands
1399 that select the appropriate AFS library file automatically. In this
1400 section you run the script.
1401 <P>In later sections you verify that the script correctly initializes all AFS
1402 components, then activate a configuration variable, which results in the
1403 script being incorporated into the Linux startup and shutdown sequence.
1405 <P><LI>Mount the AFS CD-ROM for Linux on the local <B>/cdrom</B>
1406 directory. For instructions on mounting CD-ROMs (either locally or
1407 remotely via NFS), see your Linux documentation. Then change directory
1410 # <B>cd /cdrom/i386_linux22/root.client/usr/vice/etc</B>
1413 <P><LI>Copy the AFS kernel library files to the local
1414 <B>/usr/vice/etc/modload</B> directory. The filenames for the
1415 libraries have the format
1416 <B>libafs-</B><VAR>version</VAR><B>.o</B>, where <VAR>version</VAR>
1417 indicates the kernel build level. The string <B>.mp</B> in
1418 the <VAR>version</VAR> indicates that the file is appropriate for machines
1419 running a multiprocessor kernel.
1421 # <B>cp -rp modload /usr/vice/etc</B>
1424 <P><LI>Copy the AFS initialization script to the local directory for
1425 initialization files (by convention, <B>/etc/rc.d/init.d</B>
1426 on Linux machines). Note the removal of the <B>.rc</B>
1427 extension as you copy the script.
1429 # <B>cp -p afs.rc /etc/rc.d/init.d/afs</B>
1432 <P><LI>Run the AFS initialization script to load AFS extensions into the
1433 kernel. You can ignore any error messages about the inability to start
1434 the BOS Server or the Cache Manager or AFS client.
1436 # <B>/etc/rc.d/init.d/afs start</B>
1440 <A NAME="IDX2333"></A>
1441 <A NAME="IDX2334"></A>
1442 <A NAME="IDX2335"></A>
1443 <A NAME="IDX2336"></A>
1444 <P><H3><A NAME="HDRWQ43" HREF="auqbg002.htm#ToC_56">Configuring Server Partitions on Linux Systems</A></H3>
1445 <P>Every AFS file server machine must have at least one
1446 partition or logical volume dedicated to storing AFS volumes. Each
1447 server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
1448 where <VAR>xx</VAR> is one or two lowercase letters. The
1449 <B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
1450 machine's root directory, not in one of its subdirectories (for example,
1451 <B>/usr/vicepa</B> is not an acceptable directory location). For
1452 additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
1454 <P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
1455 partition you are configuring (there must be at least one). Repeat the
1456 command for each partition.
1458 # <B>mkdir /vicep</B><VAR>xx</VAR>
1461 <P><LI>Add a line with the following format to the file systems registry file,
1462 <B>/etc/fstab</B>, for each directory just created. The entry maps
1463 the directory name to the disk partition to be mounted on it.
1465 /dev/<VAR>disk</VAR> /vicep<VAR>xx</VAR> ext2 defaults 0 2
1467 <P>The following is an example for the first partition being
1470 /dev/sda8 /vicepa ext2 defaults 0 2
1473 <P><LI>Create a file system on each partition that is to be mounted at a
1474 <B>/vicep</B><VAR>xx</VAR> directory. The following command is
1475 probably appropriate, but consult the Linux documentation for more
1478 # <B>mkfs -v /dev/</B><VAR>disk</VAR>
1481 <P><LI>Mount each partition by issuing either the <B>mount -a</B> command to
1482 mount all partitions at once or the <B>mount</B> command to mount each
1484 <P><LI>If you plan to retain client functionality on this machine after
1485 completing the installation, proceed to <A HREF="#HDRWQ44">Enabling AFS Login on Linux Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
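<P>The three platform sections above (HP-UX, IRIX, and Linux) state the same rules for server partitions: each is mounted at <B>/vicep</B><VAR>xx</VAR> directly under the root directory, with <VAR>xx</VAR> one or two lowercase letters, and its <B>/etc/fstab</B> entry carries the file system type the platform needs (<TT>afs</TT> on HP-UX so that the AFS-modified <B>fsck</B> runs, <TT>ext2</TT> on Linux, <TT>xfs</TT> or <TT>efs</TT> with a <TT>raw=</TT> option on IRIX). The following shell script is an added example, not part of the IBM AFS documentation, that checks an fstab file against those rules; the function names and the sample fstab contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the IBM AFS documentation.
# check_vicep_fstab PLATFORM FILE: validate the AFS server partition
# entries in an fstab file. PLATFORM is hpux, irix or linux. Prints one
# finding per problem and returns 1 if there were any, 0 otherwise.
check_vicep_fstab() {
    awk -v platform="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { mnt = $2; type = $3; opts = $4 }
        # A vicep directory anywhere but directly under / (for example
        # /usr/vicepa) or with a bad suffix is not a valid server partition.
        mnt ~ /\/vicep/ && mnt !~ /^\/vicep[a-z][a-z]?$/ {
            print mnt ": must be /vicepxx in the root directory, xx one or two lowercase letters"
            bad++; next
        }
        mnt !~ /^\/vicep[a-z][a-z]?$/ { next }
        { count++ }
        # HP-UX: the type must be afs so the AFS-modified fsck runs; any
        # other type lets the standard fsck run and discard the volumes.
        platform == "hpux" && type != "afs" {
            print mnt ": type " type " would run the standard fsck on an AFS partition; use afs"; bad++
        }
        platform == "linux" && type != "ext2" {
            print mnt ": expected file system type ext2, found " type; bad++
        }
        platform == "irix" && type != "xfs" && type != "efs" {
            print mnt ": expected file system type xfs or efs, found " type; bad++
        }
        platform == "irix" && opts !~ /(^|,)raw=\// {
            print mnt ": IRIX entry lacks the raw=/dev/rdsk/... option"; bad++
        }
        END {
            if (count == 0) { print "no /vicepxx partition is configured (at least one is required)"; bad++ }
            if (bad) exit 1
        }
    ' "$2"
}

# write_sample_fstab PLATFORM FILE: constructed samples for the
# demonstration. The HP-UX sample contains two mistakes (/vicepb still
# typed hfs, and a partition placed at /usr/vicepc); the others are clean.
write_sample_fstab() {
    case $1 in
    hpux) cat > "$2" <<'EOF'
/dev/vg00/lvol1 / hfs defaults 0 1
/dev/vg00/lvol6 /usr hfs defaults 0 2
/dev/vg00/lvol9 /vicepa afs defaults 0 2
/dev/vg00/lvol10 /vicepb hfs defaults 0 2
/dev/vg00/lvol11 /usr/vicepc afs defaults 0 2
/dev/vg00/lvol7 /usr/vice/cache hfs defaults 0 2
EOF
    ;;
    linux) cat > "$2" <<'EOF'
/dev/sda1 / ext2 defaults 0 1
/dev/sda8 /vicepa ext2 defaults 0 2
EOF
    ;;
    irix) cat > "$2" <<'EOF'
/dev/dsk/dks0d2s6 /vicepa xfs rw,raw=/dev/rdsk/dks0d2s6 0 0
/dev/dsk/dks0d3s1 /vicepb efs rw,raw=/dev/rdsk/dks0d3s1 0 0
EOF
    ;;
    esac
}

# Demonstration on the constructed samples; on a real machine run
# check_vicep_fstab hpux /etc/fstab (or irix, linux) instead.
demo=${TMPDIR:-/tmp}/vicep_demo.$$
for p in hpux irix linux; do
    write_sample_fstab "$p" "$demo"
    if check_vicep_fstab "$p" "$demo"; then
        echo "$p: server partition entries look correct"
    else
        echo "$p: server partition entries need attention (see findings above)"
    fi
done
rm -f "$demo"
```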
1487 <A NAME="IDX2337"></A>
1488 <A NAME="IDX2338"></A>
1489 <A NAME="IDX2339"></A>
1490 <A NAME="IDX2340"></A>
1491 <A NAME="IDX2341"></A>
1492 <P><H3><A NAME="HDRWQ44" HREF="auqbg002.htm#ToC_57">Enabling AFS Login on Linux Systems</A></H3>
1493 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
1494 after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
1496 <P>At this point you incorporate AFS into the operating system's
1497 Pluggable Authentication Module (PAM) scheme. PAM integrates all
1498 authentication mechanisms on the machine, including login, to provide the
1499 security infrastructure for authenticated access to and from the
1501 <P>Explaining PAM is beyond the scope of this document. It is assumed
1502 that you understand the syntax and meanings of settings in the PAM
1503 configuration file (for example, how the <TT>other</TT> entry works, the
1504 effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
1505 <TT>sufficient</TT>, and so on).
1506 <P>The following instructions explain how to alter the entries in the PAM
1507 configuration file for each service for which you wish to use AFS
1508 authentication. Other configurations may also work, but the
1509 instructions describe the recommended and tested configuration.
1510 <P>The recommended AFS-related entries in the PAM configuration file make use
1511 of one or more of the following three attributes.
1513 <DL><DT><B><TT>try_first_pass</TT>
1514 </B><DD>This is a standard PAM attribute that can be included on entries after the
1515 first one for a service; it directs the module to use the password that
1516 was provided to the first module. For the AFS module, it means that AFS
1517 authentication succeeds if the password provided to the module listed first is
1518 the user's correct AFS password. For further discussion of this
1519 attribute and its alternatives, see the operating system's PAM
1521 <DT><B><TT>ignore_root</TT>
1522 </B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
1523 only the local superuser <B>root</B>, but also any user with UID 0
1525 <DT><B><TT>setenv_password_expires</TT>
1526 </B><DD>This attribute, specific to the AFS PAM module, sets the environment
1527 variable PASSWORD_EXPIRES to the expiration date of the user's AFS
1528 password, which is recorded in the Authentication Database.</DL>
1530 <P>Perform the following steps to enable AFS login.
1532 <P><LI>Mount the AFS CD-ROM for Linux on the <B>/cdrom</B> directory, if it
1533 is not already. Then change to the directory for PAM modules, which
1534 depends on which Linux distribution you are using.
1535 <P>If you are using a Linux distribution from Red Hat Software:
1537 <PRE># <B>cd /lib/security</B></PRE>
1539 <P>If you are using another Linux distribution:
1541 <PRE># <B>cd /usr/lib/security</B></PRE>
1544 <P><LI>Copy the appropriate AFS authentication library file to the directory to
1545 which you changed in the previous step. Create a symbolic link whose
1546 name does not mention the version. Omitting the version eliminates the
1547 need to edit the PAM configuration file if you later update the library
1549 <P>If you use the AFS Authentication Server (<B>kaserver</B>
1552 <PRE># <B>cp /cdrom/i386_linux22/lib/pam_afs.so.1 .</B>
1554 # <B>ln -s pam_afs.so.1 pam_afs.so</B></PRE>
1556 <P>If you use a Kerberos implementation of AFS authentication:
1558 <PRE># <B>cp /cdrom/i386_linux22/lib/pam_afs.krb.so.1 .</B>
1560 # <B>ln -s pam_afs.krb.so.1 pam_afs.so</B></PRE>
1563 <P><LI>For each service with which you want to use AFS authentication, insert an
1564 entry for the AFS PAM module into the <TT>auth</TT> section of the
1565 service's PAM configuration file. (Linux uses a separate
1566 configuration file for each service, unlike some other operating systems which
1567 list all services in a single file.) Mark the entry as
1568 <TT>sufficient</TT> in the second field.
1569 <P>Place the AFS entry below any entries that impose conditions under which
1570 you want the service to fail for a user who does not meet the entry's
1571 requirements, and mark these entries <TT>required</TT>. Because a <TT>sufficient</TT> entry that succeeds ends processing of the <TT>auth</TT> stack, a <TT>required</TT> gate placed below the AFS entry is never consulted for a user whose AFS password is correct. Place the
1572 AFS entry above any entries that need to execute only if AFS authentication
1574 <P>Insert the following AFS entry if using the Red Hat distribution:
1576 <PRE>auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root</PRE>
1578 <P>Insert the following AFS entry if using another distribution:
1580 <PRE>auth sufficient /usr/lib/security/pam_afs.so try_first_pass ignore_root</PRE>
1582 <P>The following example illustrates the recommended configuration of the
1583 configuration file for the <B>login</B> service
1584 (<B>/etc/pam.d/login</B>) on a machine using the Red Hat
1588 <PRE>auth required /lib/security/pam_securetty.so
1589 auth required /lib/security/pam_nologin.so
1590 auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
1591 auth required /lib/security/pam_pwdb.so shadow nullok
1592 account required /lib/security/pam_pwdb.so
1593 password required /lib/security/pam_cracklib.so
1594 password required /lib/security/pam_pwdb.so shadow nullok use_authtok
1595 session required /lib/security/pam_pwdb.so</PRE>
1598 <P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
1599 additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
1601 <HR><H2><A NAME="HDRWQ45" HREF="auqbg002.htm#ToC_58">Getting Started on Solaris Systems</A></H2>
1602 <P>Begin by running the AFS initialization script to call the
1603 <B>modload</B> program distributed by Sun Microsystems, which dynamically
1604 loads AFS modifications into the kernel. Then create partitions for
1605 storing AFS volumes, and install and configure the AFS-modified
1606 <B>fsck</B> program to run on AFS server partitions. If the machine
1607 is to remain an AFS client machine, incorporate AFS into the machine's
1608 Pluggable Authentication Module (PAM) scheme.
1609 <A NAME="IDX2342"></A>
1610 <A NAME="IDX2343"></A>
1611 <A NAME="IDX2344"></A>
1612 <A NAME="IDX2345"></A>
1613 <P><H3><A NAME="HDRWQ46" HREF="auqbg002.htm#ToC_59">Loading AFS into the Solaris Kernel</A></H3>
1614 <P>The <B>modload</B> program is the dynamic kernel loader
1615 provided by Sun Microsystems for Solaris systems. Solaris does not
1616 support incorporation of AFS modifications during a kernel build.
1617 <P>For AFS to function correctly, the <B>modload</B> program must run each
1618 time the machine reboots, so the AFS initialization script (included on the
1619 AFS CD-ROM) invokes it automatically. In this section you copy the
1620 appropriate AFS library file to the location where the <B>modload</B>
1621 program accesses it and then run the script.
1622 <P>In later sections you verify that the script correctly initializes all AFS
1623 components, then create the links that incorporate AFS into the Solaris
1624 startup and shutdown sequence.
1626 <P><LI>Mount the AFS CD-ROM for Solaris on the <B>/cdrom</B>
1627 directory. For instructions on mounting CD-ROMs (either locally or
1628 remotely via NFS), see your Solaris documentation. Then change
1629 directory as indicated.
1631 <PRE># <B>cd /cdrom/sun4x_56/root.client/usr/vice/etc</B></PRE>
1634 <P><LI>Copy the AFS initialization script to the local directory for
1635 initialization files (by convention, <B>/etc/init.d</B> on Solaris
1636 machines). Note the removal of the <B>.rc</B> extension as
1637 you copy the script.
1639 <PRE># <B>cp -p afs.rc /etc/init.d/afs</B></PRE>
1642 <P><LI>Copy the appropriate AFS kernel library file to the local file
1643 <B>/kernel/fs/afs</B>.
1644 <P>If the machine is running Solaris 2.6 or the 32-bit version of
1645 Solaris 7, its kernel supports NFS server functionality, and the
1646 <B>nfsd</B> process is running:
1648 <PRE># <B>cp -p modload/libafs.o /kernel/fs/afs</B></PRE>
1650 <P>If the machine is running Solaris 2.6 or the 32-bit version of
1651 Solaris 7, and its kernel does not support NFS server functionality or the
1652 <B>nfsd</B> process is not running:
1654 <PRE># <B>cp -p modload/libafs.nonfs.o /kernel/fs/afs</B></PRE>
1656 <P>If the machine is running the 64-bit version of Solaris 7, its kernel
1657 supports NFS server functionality, and the <B>nfsd</B> process is
1660 <PRE># <B>cp -p modload/libafs64.o /kernel/fs/sparcv9/afs</B></PRE>
1662 <P>If the machine is running the 64-bit version of Solaris 7, and its
1663 kernel does not support NFS server functionality or the <B>nfsd</B>
1664 process is not running:
1666 <PRE># <B>cp -p modload/libafs64.nonfs.o /kernel/fs/sparcv9/afs</B></PRE>
1669 <P><LI>Run the AFS initialization script to load AFS modifications into the
1670 kernel. You can ignore any error messages about the inability to start
1671 the BOS Server or the Cache Manager or AFS client.
1673 <PRE># <B>/etc/init.d/afs start</B></PRE>
1675 <P>When an entry called <TT>afs</TT> does not already exist in the local
1676 <B>/etc/name_to_sysnum</B> file, the script automatically creates it and
1677 reboots the machine to start using the new version of the file. If this
1678 happens, log in again as the superuser <B>root</B> after the reboot and
1679 run the initialization script again. This time the required entry
1680 exists in the <B>/etc/name_to_sysnum</B> file, and the <B>modload</B>
1684 <PRE>Password: <VAR>root_password</VAR>
1686 # <B>/etc/init.d/afs start</B></PRE>
1690 <A NAME="IDX2346"></A>
1691 <A NAME="IDX2347"></A>
1692 <A NAME="IDX2348"></A>
1693 <A NAME="IDX2349"></A>
1694 <P><H3><A NAME="HDRWQ47" HREF="auqbg002.htm#ToC_60">Configuring the AFS-modified fsck Program on Solaris Systems</A></H3>
1695 <P>In this section, you make modifications to guarantee that the
1696 appropriate <B>fsck</B> program runs on AFS server partitions. The
1697 <B>fsck</B> program provided with the operating system must never run on
1698 AFS server partitions. Because it does not recognize the structures
1699 that the File Server uses to organize volume data, it removes all of the
1701 <P><B>Never run the standard fsck program on AFS server partitions.
1702 It discards AFS volumes.</B>
1704 <P><LI>Create the <B>/usr/lib/fs/afs</B> directory to house the AFS-modified
1705 <B>fsck</B> program and related files.
1707 <PRE># <B>mkdir /usr/lib/fs/afs</B>
1709 # <B>cd /usr/lib/fs/afs</B></PRE>
1712 <P><LI>Copy the <B>vfsck</B> binary to the newly created directory, changing
1713 the name as you do so.
1715 <PRE># <B>cp /cdrom/sun4x_56/root.server/etc/vfsck fsck</B></PRE>
1718 <P><LI>Working in the <B>/usr/lib/fs/afs</B> directory, create the following
1719 links to Solaris libraries:
1721 <PRE># <B>ln -s /usr/lib/fs/ufs/clri</B>
1722 # <B>ln -s /usr/lib/fs/ufs/df</B>
1723 # <B>ln -s /usr/lib/fs/ufs/edquota</B>
1724 # <B>ln -s /usr/lib/fs/ufs/ff</B>
1725 # <B>ln -s /usr/lib/fs/ufs/fsdb</B>
1726 # <B>ln -s /usr/lib/fs/ufs/fsirand</B>
1727 # <B>ln -s /usr/lib/fs/ufs/fstyp</B>
1728 # <B>ln -s /usr/lib/fs/ufs/labelit</B>
1729 # <B>ln -s /usr/lib/fs/ufs/lockfs</B>
1730 # <B>ln -s /usr/lib/fs/ufs/mkfs</B>
1731 # <B>ln -s /usr/lib/fs/ufs/mount</B>
1732 # <B>ln -s /usr/lib/fs/ufs/ncheck</B>
1733 # <B>ln -s /usr/lib/fs/ufs/newfs</B>
1734 # <B>ln -s /usr/lib/fs/ufs/quot</B>
1735 # <B>ln -s /usr/lib/fs/ufs/quota</B>
1736 # <B>ln -s /usr/lib/fs/ufs/quotaoff</B>
1737 # <B>ln -s /usr/lib/fs/ufs/quotaon</B>
1738 # <B>ln -s /usr/lib/fs/ufs/repquota</B>
1739 # <B>ln -s /usr/lib/fs/ufs/tunefs</B>
1740 # <B>ln -s /usr/lib/fs/ufs/ufsdump</B>
1741 # <B>ln -s /usr/lib/fs/ufs/ufsrestore</B>
1742 # <B>ln -s /usr/lib/fs/ufs/volcopy</B></PRE>
1745 <P><LI>Append the following line to the end of the file
1746 <B>/etc/dfs/fstypes</B>.
1751 <P><LI>Edit the <B>/sbin/mountall</B> file, making two changes.
1753 <P><LI>Add an entry for AFS to the <TT>case</TT> statement for option 2, so
1754 that it reads as follows:
1757 <PRE>ufs) foptions="-o p"
1759 afs) foptions="-o p"
1761 s5) foptions="-y -t /var/tmp/tmp$$ -D"</PRE>
1767 <P><LI>Edit the file so that all AFS and UFS partitions are checked in
1768 parallel. Replace the following section of code:
1770 <PRE># For fsck purposes, we make a distinction between ufs and
1771 # other file systems
1773 if [ "$fstype" = "ufs" ]; then
1774 ufs_fscklist="$ufs_fscklist $fsckdev"
1775 saveentry $fstype "$OPTIONS" $special $mountp</PRE>
1779 <P>with the following section of code:
1781 <PRE># For fsck purposes, we make a distinction between ufs/afs
1782 # and other file systems.
1784 if [ "$fstype" = "ufs" -o "$fstype" = "afs" ]; then
1785 ufs_fscklist="$ufs_fscklist $fsckdev"
1786 saveentry $fstype "$OPTIONS" $special $mountp</PRE>
1793 <A NAME="IDX2350"></A>
1794 <A NAME="IDX2351"></A>
1795 <A NAME="IDX2352"></A>
1796 <A NAME="IDX2353"></A>
1797 <P><H3><A NAME="HDRWQ48" HREF="auqbg002.htm#ToC_61">Configuring Server Partitions on Solaris Systems</A></H3>
1798 <P>Every AFS file server machine must have at least one
1799 partition or logical volume dedicated to storing AFS volumes. Each
1800 server partition is mounted at a directory named <B>/vicep</B><VAR>xx</VAR>,
1801 where <VAR>xx</VAR> is one or two lowercase letters. The
1802 <B>/vicep</B><VAR>xx</VAR> directories must reside in the file server
1803 machine's root directory, not in one of its subdirectories (for example,
1804 <B>/usr/vicepa</B> is not an acceptable directory location). For
1805 additional information, see <A HREF="#HDRWQ20">Performing Platform-Specific Procedures</A>.
1807 <P><LI>Create a directory called <B>/vicep</B><VAR>xx</VAR> for each AFS server
1808 partition you are configuring (there must be at least one). Repeat the
1809 command for each partition.
1811 <PRE># <B>mkdir /vicep</B><VAR>xx</VAR></PRE>
1814 <P><LI>Add a line with the following format to the file systems registry file,
1815 <B>/etc/vfstab</B>, for each partition to be mounted on a directory
1816 created in the previous step. Note the value <TT>afs</TT> in the
1817 fourth field, which tells Solaris to use the AFS-modified <B>fsck</B>
1818 program on this partition.
1820 <PRE>/dev/dsk/<VAR>disk</VAR> /dev/rdsk/<VAR>disk</VAR> /vicep<VAR>xx</VAR> afs <VAR>boot_order</VAR> yes</PRE>
1822 <P>The following is an example for the first partition being
1825 <PRE>/dev/dsk/c0t6d0s1 /dev/rdsk/c0t6d0s1 /vicepa afs 3 yes</PRE>
1828 <P><LI>Create a file system on each partition that is to be mounted at a
1829 <B>/vicep</B><VAR>xx</VAR> directory. The following command is
1830 probably appropriate, but consult the Solaris documentation for more
1833 <PRE># <B>newfs -v /dev/rdsk/</B><VAR>disk</VAR></PRE>
1836 <P><LI>Issue the <B>mountall</B> command to mount all partitions at
1838 <P><LI>If you plan to retain client functionality on this machine after
1839 completing the installation, proceed to <A HREF="#HDRWQ49">Enabling AFS Login and Editing the File Systems Clean-up Script on Solaris Systems</A>. Otherwise, proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.
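<P>Both the Linux <B>/etc/fstab</B> lines earlier in this chapter and the Solaris <B>/etc/vfstab</B> lines above encode two requirements that are easy to get wrong by hand: the mount point must be <B>/vicep</B><VAR>xx</VAR> in the root directory with one or two lowercase letters, and on Solaris the fourth field must be <TT>afs</TT> so that the AFS-modified <B>fsck</B> runs on the partition instead of the standard one. The following Python check is an added example, not part of this guide or of AFS; the mount tables it runs over are constructed samples (the first data line of each is the guide's own example), and the rule that a row concerns AFS when its mount point contains <TT>vicep</TT> or its type is <TT>afs</TT> is an assumption of the example.

```python
import re

# Mount-point rule from the guide: /vicepxx in the root directory, xx being one
# or two lowercase letters (so /usr/vicepb and /vicepABC are both rejected).
VICEP_RE = re.compile(r"^/vicep[a-z]{1,2}$")


def parse_mount_table(text, layout):
    """Return [(device, mountpoint, fstype, fields)] for each data line.

    layout 'fstab'  (Linux):   device mountpoint fstype options dump pass
    layout 'vfstab' (Solaris): blockdev rawdev mountpoint fstype fsck-pass mount-at-boot options
    Comment and blank lines are skipped; a short or unknown line raises.
    """
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if layout == "fstab" and len(f) >= 3:
            rows.append((f[0], f[1], f[2], f))
        elif layout == "vfstab" and len(f) >= 4:
            rows.append((f[0], f[2], f[3], f))
        else:
            raise ValueError(f"malformed {layout} line: {raw!r}")
    return rows


def check_server_partitions(text, layout):
    """Return findings (strings) for AFS server partitions in a mount table."""
    findings = []
    for device, mountpoint, fstype, _fields in parse_mount_table(text, layout):
        # Assumption of this example: a row concerns AFS if it is mounted
        # under a vicep name or, on Solaris, already claims the afs type.
        if "vicep" not in mountpoint and fstype != "afs":
            continue
        if not VICEP_RE.match(mountpoint):
            findings.append(f"{device}: mount point {mountpoint} is not /vicepxx in the "
                            "root directory with one or two lowercase letters")
        if layout == "vfstab" and fstype != "afs":
            findings.append(f"{device}: type is '{fstype}', not 'afs'; the standard fsck "
                            f"would run on {mountpoint} and discard its AFS volumes")
    return findings


# Constructed samples: the first data line of each is the guide's own example,
# the remaining vicep lines are deliberate mistakes.
LINUX_FSTAB = """\
/dev/sda8   /vicepa      ext2  defaults  0 2
/dev/sda9   /usr/vicepb  ext2  defaults  0 2
/dev/sda10  /vicepABC    ext2  defaults  0 2
/dev/sda1   /            ext2  defaults  1 1
"""

SOLARIS_VFSTAB = """\
#device            device             mount    FS    fsck  mount    mount
#to mount          to fsck            point    type  pass  at boot  options
/dev/dsk/c0t6d0s1  /dev/rdsk/c0t6d0s1 /vicepa  afs   3     yes      -
/dev/dsk/c0t6d0s3  /dev/rdsk/c0t6d0s3 /vicepb  ufs   3     yes      -
/proc              -                  /proc    proc  -     no       -
"""

if __name__ == "__main__":
    for label, text, layout in (("fstab", LINUX_FSTAB, "fstab"),
                                ("vfstab", SOLARIS_VFSTAB, "vfstab")):
        for finding in check_server_partitions(text, layout) or ["ok"]:
            print(label, finding)
```

<P>Run against a real machine by reading <B>/etc/fstab</B> or <B>/etc/vfstab</B> into <TT>text</TT>; the <TT>ufs</TT> finding is the case the warning in the previous section is about, caught before the next reboot runs <B>fsck</B> on the partition.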
1841 <A NAME="IDX2354"></A>
1842 <A NAME="IDX2355"></A>
1843 <A NAME="IDX2356"></A>
1844 <A NAME="IDX2357"></A>
1845 <A NAME="IDX2358"></A>
1846 <A NAME="IDX2359"></A>
1847 <A NAME="IDX2360"></A>
1848 <A NAME="IDX2361"></A>
1849 <P><H3><A NAME="HDRWQ49" HREF="auqbg002.htm#ToC_62">Enabling AFS Login and Editing the File Systems Clean-up Script on Solaris Systems</A></H3>
1850 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you plan to remove client functionality from this machine
1851 after completing the installation, skip this section and proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A>.</TD></TR></TABLE>
1853 <P>At this point you incorporate AFS into the operating system's
1854 Pluggable Authentication Module (PAM) scheme. PAM integrates all
1855 authentication mechanisms on the machine, including login, to provide the
1856 security infrastructure for authenticated access to and from the
1858 <P>Explaining PAM is beyond the scope of this document. It is assumed
1859 that you understand the syntax and meanings of settings in the PAM
1860 configuration file (for example, how the <TT>other</TT> entry works, the
1861 effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
1862 <TT>sufficient</TT>, and so on).
1863 <P>The following instructions explain how to alter the entries in the PAM
1864 configuration file for each service for which you wish to use AFS
1865 authentication. Other configurations possibly also work, but the
1866 instructions specify the recommended and tested configuration.
1867 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">The instructions specify that you mark each entry as
1868 <TT>optional</TT>. However, marking some modules as optional can mean
1869 that they grant access to the corresponding service even when the user does
1870 not meet all of the module's requirements. In some operating
1871 system revisions, for example, if you mark as optional the module that
1872 controls login via a dial-up connection, it allows users to log in without
1873 providing a password. See the <I>IBM AFS Release Notes</I> for a
1874 discussion of any limitations that apply to this operating system.
1875 <P>Also, with some operating system versions you must install patches for PAM
1876 to interact correctly with certain authentication programs. For
1877 details, see the <I>IBM AFS Release Notes</I>.</TD></TR></TABLE>
1879 <P>The recommended AFS-related entries in the PAM configuration file make use
1880 of one or more of the following three attributes.
1882 <DL><DT><B><TT>try_first_pass</TT>
1883 </B><DD>This is a standard PAM attribute that can be included on entries after the
1884 first one for a service; it directs the module to use the password that
1885 was provided to the first module. For the AFS module, it means that AFS
1886 authentication succeeds if the password provided to the module listed first is
1887 the user's correct AFS password. For further discussion of this
1888 attribute and its alternatives, see the operating system's PAM
1890 <DT><B><TT>ignore_root</TT>
1891 </B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
1892 only the local superuser <B>root</B>, but also any user with UID 0
1894 <DT><B><TT>setenv_password_expires</TT>
1895 </B><DD>This attribute, specific to the AFS PAM module, sets the environment
1896 variable PASSWORD_EXPIRES to the expiration date of the user's AFS
1897 password, which is recorded in the Authentication Database.</DL>
1899 <P>Perform the following steps to enable AFS login.
1901 <P><LI>Mount the AFS CD-ROM for Solaris on the <B>/cdrom</B> directory, if it
1902 is not already. Then change directory as indicated.
1904 <PRE># <B>cd /usr/lib/security</B></PRE>
1907 <P><LI>Copy the AFS authentication library file to the
1908 <B>/usr/lib/security</B> directory. Then create a symbolic link to
1909 it whose name does not mention the version. Omitting the version
1910 eliminates the need to edit the PAM configuration file if you later update the
1912 <P>If you use the AFS Authentication Server (<B>kaserver</B>
1915 <PRE># <B>cp /cdrom/sun4x_56/lib/pam_afs.so.1 .</B>
1917 # <B>ln -s pam_afs.so.1 pam_afs.so</B></PRE>
1919 <P>If you use a Kerberos implementation of AFS authentication:
1921 <PRE># <B>cp /cdrom/sun4x_56/lib/pam_afs.krb.so.1 .</B>
1923 # <B>ln -s pam_afs.krb.so.1 pam_afs.so</B></PRE>
1926 <P><LI>Edit the <TT>Authentication management</TT> section of the Solaris PAM
1927 configuration file, <B>/etc/pam.conf</B> by convention. The
1928 entries in this section have the value <TT>auth</TT> in their second
1930 <P>First edit the standard entries, which refer to the Solaris PAM module
1931 (usually, the file <B>/usr/lib/security/pam_unix.so.1</B>)
1932 in their fourth field. For each service for which you want to use AFS
1933 authentication, edit the third field of its entry to read
1934 <TT>optional</TT>. The <B>pam.conf</B> file in the Solaris
1935 distribution usually includes standard entries for the <B>login</B>,
1936 <B>rlogin</B>, and <B>rsh</B> services, for instance.
1937 <P>If there are services for which you want to use AFS authentication, but for
1938 which the <B>pam.conf</B> file does not already include a standard
1939 entry, you must create that entry and place the value <TT>optional</TT> in
1940 its third field. For instance, the Solaris <B>pam.conf</B>
1941 file does not usually include standard entries for the <B>ftp</B> or
1942 <B>telnet</B> services.
1943 <P>Then create an AFS-related entry for each service, placing it immediately
1944 below the standard entry. The following example shows what the
1945 <TT>Authentication Management</TT> section looks like after you have
1946 edited or created entries for the services mentioned previously. Note
1947 that the example AFS entries appear on two lines only for legibility.
1949 <PRE>login auth optional /usr/lib/security/pam_unix.so.1
1950 login auth optional /usr/lib/security/pam_afs.so \
1951 try_first_pass ignore_root setenv_password_expires
1952 rlogin auth optional /usr/lib/security/pam_unix.so.1
1953 rlogin auth optional /usr/lib/security/pam_afs.so \
1954 try_first_pass ignore_root setenv_password_expires
1955 rsh auth optional /usr/lib/security/pam_unix.so.1
1956 rsh auth optional /usr/lib/security/pam_afs.so \
1957 try_first_pass ignore_root
1958 ftp auth optional /usr/lib/security/pam_unix.so.1
1959 ftp auth optional /usr/lib/security/pam_afs.so \
1960 try_first_pass ignore_root
1961 telnet auth optional /usr/lib/security/pam_unix.so.1
1962 telnet auth optional /usr/lib/security/pam_afs.so \
1963 try_first_pass ignore_root setenv_password_expires</PRE>
1966 <P><LI>If you use the Common Desktop Environment (CDE) on the machine and want
1967 users to obtain an AFS token as they log in, also add or edit the following
1968 four entries in the <TT>Authentication management</TT> section. Note
1969 that the AFS-related entries appear on two lines here only for
1972 <PRE>dtlogin auth optional /usr/lib/security/pam_unix.so.1
1973 dtlogin auth optional /usr/lib/security/pam_afs.so \
1974 try_first_pass ignore_root
1975 dtsession auth optional /usr/lib/security/pam_unix.so.1
1976 dtsession auth optional /usr/lib/security/pam_afs.so \
1977 try_first_pass ignore_root</PRE>
1980 <P><LI>Some Solaris distributions include a script that locates and removes
1981 unneeded files from various file systems. Its conventional location is
1982 <B>/usr/lib/fs/nfs/nfsfind</B>. The script generally uses an
1983 argument to the <B>find</B> command to define which file systems to
1984 search. In this step you modify the command to exclude the
1985 <B>/afs</B> directory. Otherwise, the command traverses the AFS
1986 filespace of every cell that is accessible from the machine, which can take
1987 many hours. The following alterations are possibilities, but you must
1988 verify that they are appropriate for your cell.
1989 <P>The first possible alteration is to add the <B>-local</B> flag to the
1990 existing command, so that it looks like the following:
1992 <PRE>find $dir -local -name .nfs\* -mtime +7 -mount -exec rm -f {} \;</PRE>
1994 <P>Another alternative is to exclude any directories whose names begin with
1995 the lowercase letter <B>a</B> or a non-alphabetic character.
1997 <PRE>find /[A-Zb-z]* <VAR>remainder of existing command</VAR></PRE>
1999 <P>Do not use the following command, which still searches under the
2000 <B>/afs</B> directory, looking for a subdirectory of type
2003 <PRE>find / -fstype 4.2 /* <VAR>do not use</VAR> */</PRE>
2006 <P><LI>Proceed to <A HREF="#HDRWQ50">Starting the BOS Server</A> (or if referring to these instructions while installing an
2007 additional file server machine, return to <A HREF="auqbg006.htm#HDRWQ108">Starting Server Programs</A>).
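<P>The ordering rule in <A HREF="#HDRWQ44">Enabling AFS Login on Linux Systems</A> (entries that gate access marked <TT>required</TT> and placed above the <TT>sufficient</TT> AFS entry) and the Note earlier in this section about all-<TT>optional</TT> stacks on Solaris can both be checked mechanically before a reboot. The following Python script is an added example, not part of this guide or of the AFS PAM module: it parses either a Linux <B>/etc/pam.d/</B><VAR>service</VAR> file or a Solaris <B>/etc/pam.conf</B> (joining the backslash continuation lines used in the example above) and reports a <TT>sufficient</TT> entry listed above a <TT>required</TT> gate, or a service whose <TT>auth</TT> entries are all <TT>optional</TT>. The set of modules treated as gates (<TT>GATE_MODULES</TT>) and the sample files are assumptions constructed for the example; the sample files reproduce the guide's own entries plus one deliberately misordered stack.

```python
import re

# Module base names this example treats as access gates: they decide whether
# the service may proceed at all (secure tty, /etc/nologin) rather than check
# a password.  Which modules count as gates is an assumption of the example.
GATE_MODULES = ("pam_securetty", "pam_nologin")


def module_name(path):
    """'/usr/lib/security/pam_afs.so.1' -> 'pam_afs'."""
    return path.rsplit("/", 1)[-1].split(".so", 1)[0]


def parse_auth_stacks(text, service=None):
    """Return {service: [(control, module_path, [args...]), ...]} for 'auth' lines.

    service=None selects the Solaris /etc/pam.conf layout, where the service
    is the first field; otherwise the Linux /etc/pam.d/<service> layout, where
    every line belongs to the named service.  Backslash continuation lines are
    joined before parsing.
    """
    joined = re.sub(r"\\\n\s*", " ", text)
    stacks = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if service is None:
            if len(fields) < 4:
                raise ValueError(f"malformed pam.conf line: {raw!r}")
            svc, mtype, control, module, args = fields[0], fields[1], fields[2], fields[3], fields[4:]
        else:
            if len(fields) < 3:
                raise ValueError(f"malformed pam.d line: {raw!r}")
            svc, mtype, control, module, args = service, fields[0], fields[1], fields[2], fields[3:]
        if mtype.lower() == "auth":
            stacks.setdefault(svc, []).append((control.lower(), module, args))
    return stacks


def check_auth_stack(service, entries):
    """Return a list of findings (strings) for one service's auth stack."""
    findings = []
    for i, (control, module, _args) in enumerate(entries):
        if control != "sufficient":
            continue
        # A succeeding 'sufficient' module ends the stack, so a gate listed
        # below it is skipped for every user whose AFS password is correct.
        for later_control, later_module, _ in entries[i + 1:]:
            if later_control in ("required", "requisite") and module_name(later_module) in GATE_MODULES:
                findings.append(
                    f"{service}: sufficient {module_name(module)} is listed above required "
                    f"{module_name(later_module)}; the gate is skipped when {module_name(module)} succeeds")
    if entries and all(control == "optional" for control, _, _ in entries):
        # The guide's note: on some OS revisions an all-optional stack can
        # admit a user without a password; confirm against the release notes.
        findings.append(f"{service}: every auth entry is optional; verify this "
                        "cannot grant access without a password on this OS revision")
    return findings


def audit(text, service=None):
    """Parse one file and return {service: [findings...]}."""
    return {svc: check_auth_stack(svc, entries)
            for svc, entries in parse_auth_stacks(text, service).items()}


# Constructed samples.  LINUX_LOGIN_OK is the guide's /etc/pam.d/login example
# for Red Hat; LINUX_LOGIN_MISORDERED moves pam_afs above the pam_nologin gate.
LINUX_LOGIN_OK = """\
auth     required   /lib/security/pam_securetty.so
auth     required   /lib/security/pam_nologin.so
auth     sufficient /lib/security/pam_afs.so try_first_pass ignore_root
auth     required   /lib/security/pam_pwdb.so shadow nullok
account  required   /lib/security/pam_pwdb.so
password required   /lib/security/pam_cracklib.so
password required   /lib/security/pam_pwdb.so shadow nullok use_authtok
session  required   /lib/security/pam_pwdb.so
"""

LINUX_LOGIN_MISORDERED = """\
auth     required   /lib/security/pam_securetty.so
auth     sufficient /lib/security/pam_afs.so try_first_pass ignore_root
auth     required   /lib/security/pam_nologin.so
auth     required   /lib/security/pam_pwdb.so shadow nullok
"""

# Two services from the guide's Solaris /etc/pam.conf example.
SOLARIS_PAM_CONF = """\
login   auth optional /usr/lib/security/pam_unix.so.1
login   auth optional /usr/lib/security/pam_afs.so \\
        try_first_pass ignore_root setenv_password_expires
rsh     auth optional /usr/lib/security/pam_unix.so.1
rsh     auth optional /usr/lib/security/pam_afs.so \\
        try_first_pass ignore_root
"""

if __name__ == "__main__":
    for label, text, svc in (("pam.d/login (guide)", LINUX_LOGIN_OK, "login"),
                             ("pam.d/login (misordered)", LINUX_LOGIN_MISORDERED, "login"),
                             ("pam.conf (guide)", SOLARIS_PAM_CONF, None)):
        for service, findings in audit(text, svc).items():
            print(label, service, findings or "ok")
```

<P>On Linux call <TT>audit(text, service)</TT> once per file under <B>/etc/pam.d</B>, passing the file name as the service; on Solaris call <TT>audit(text)</TT> once for <B>/etc/pam.conf</B>. The guide's own Linux example produces no findings; the guide's Solaris example produces exactly the all-<TT>optional</TT> finding that the Note tells you to weigh against the release notes.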
2009 <A NAME="IDX2362"></A>
2010 <A NAME="IDX2363"></A>
2011 <A NAME="IDX2364"></A>
2012 <A NAME="IDX2365"></A>
2013 <A NAME="IDX2366"></A>
2014 <A NAME="IDX2367"></A>
2015 <A NAME="IDX2368"></A>
2016 <HR><H2><A NAME="HDRWQ50" HREF="auqbg002.htm#ToC_63">Starting the BOS Server</A></H2>
2017 <P>You are now ready to start the AFS server processes on this
2018 machine. Begin by copying the AFS server binaries from the CD-ROM to
2019 the conventional local disk location, the <B>/usr/afs/bin</B>
2020 directory. The following instructions also create files in other
2021 subdirectories of the <B>/usr/afs</B> directory.
2022 <P>Then issue the <B>bosserver</B> command to initialize the Basic
2023 OverSeer (BOS) Server, which monitors and controls other AFS server processes
2024 on its server machine. Include the <B>-noauth</B> flag to disable
2025 authorization checking. Because you have not yet configured your
2026 cell's AFS authentication and authorization mechanisms, the BOS Server
2027 cannot perform authorization checking as it does during normal
2028 operation. In no-authorization mode, it does not verify the identity or
2029 privilege of the issuer of a <B>bos</B> command, and so performs any
2030 operation for anyone.
2031 <P>Disabling authorization checking gravely compromises cell security.
2032 You must complete all subsequent steps in one uninterrupted pass and must not
2033 leave the machine unattended until you restart the BOS Server with
2034 authorization checking enabled, in <A HREF="#HDRWQ72">Verifying the AFS Initialization Script</A>.
2035 <P>As it initializes for the first time, the BOS Server creates the following
2036 directories and files, setting the owner to the local superuser
2037 <B>root</B> and the mode bits to limit the ability to write (and in some
2038 cases, read) them. For a description of the contents and function of
2039 these directories and files, see the chapter in the <I>IBM AFS
2040 Administration Guide</I> about administering server machines. For
2041 further discussion of the mode bit settings, see <A HREF="#HDRWQ96">Protecting Sensitive AFS Directories</A>.
2042 <A NAME="IDX2369"></A>
2043 <A NAME="IDX2370"></A>
2044 <A NAME="IDX2371"></A>
2045 <A NAME="IDX2372"></A>
2046 <A NAME="IDX2373"></A>
2047 <A NAME="IDX2374"></A>
2048 <A NAME="IDX2375"></A>
2049 <A NAME="IDX2376"></A>
2050 <A NAME="IDX2377"></A>
2051 <A NAME="IDX2378"></A>
2052 <A NAME="IDX2379"></A>
2054 <P><LI><B>/usr/afs/db</B>
2055 <P><LI><B>/usr/afs/etc/CellServDB</B>
2056 <P><LI><B>/usr/afs/etc/ThisCell</B>
2057 <P><LI><B>/usr/afs/local</B>
2058 <P><LI><B>/usr/afs/logs</B>
2060 <P>The BOS Server also creates symbolic links called
2061 <B>/usr/vice/etc/ThisCell</B> and <B>/usr/vice/etc/CellServDB</B> to
2062 the corresponding files in the <B>/usr/afs/etc</B> directory. The
2063 AFS command interpreters consult the <B>CellServDB</B> and
2064 <B>ThisCell</B> files in the <B>/usr/vice/etc</B> directory because
2065 they generally run on client machines. On machines that are AFS servers
2066 only (as this machine currently is), the files reside only in the
2067 <B>/usr/afs/etc</B> directory; the links enable the command
2068 interpreters to retrieve the information they need. Later instructions
2069 for installing the client functionality replace the links with actual
2072 <P><LI>On the local <B>/cdrom</B> directory, mount the AFS CD-ROM for this
2073 machine's system type, if it is not already. For instructions on
2074 mounting CD-ROMs (either locally or remotely via NFS), consult the operating
2075 system documentation.
2076 <P><LI>Copy files from the CD-ROM to the local <B>/usr/afs</B>
2079 <PRE># <B>cd /cdrom/</B><VAR>sysname</VAR><B>/root.server/usr/afs</B>
2081 # <B>cp -rp * /usr/afs</B></PRE>
2084 <A NAME="IDX2380"></A>
2085 <A NAME="IDX2381"></A>
2086 <P><LI>Issue the <B>bosserver</B> command. Include the
2087 <B>-noauth</B> flag to disable authorization checking.
2089 <PRE># <B>/usr/afs/bin/bosserver -noauth &</B></PRE>
2092 <P><LI>Verify that the BOS Server created <B>/usr/vice/etc/ThisCell</B> and
2093 <B>/usr/vice/etc/CellServDB</B> as symbolic links to the corresponding
2094 files in the <B>/usr/afs/etc</B> directory.
2096 <PRE># <B>ls -l /usr/vice/etc</B></PRE>
2098 <P>If either or both of <B>/usr/vice/etc/ThisCell</B> and
2099 <B>/usr/vice/etc/CellServDB</B> do not exist, or are not links, issue the
2102 <PRE># <B>cd /usr/vice/etc</B>
2104 # <B>ln -s /usr/afs/etc/ThisCell</B>
2106 # <B>ln -s /usr/afs/etc/CellServDB</B></PRE>
2110 <A NAME="IDX2382"></A>
2111 <A NAME="IDX2383"></A>
2112 <A NAME="IDX2384"></A>
2113 <A NAME="IDX2385"></A>
2114 <A NAME="IDX2386"></A>
2115 <A NAME="IDX2387"></A>
2116 <A NAME="IDX2388"></A>
2117 <A NAME="IDX2389"></A>
2118 <A NAME="IDX2390"></A>
2119 <A NAME="IDX2391"></A>
2120 <A NAME="IDX2392"></A>
2121 <A NAME="IDX2393"></A>
2122 <A NAME="IDX2394"></A>
2123 <A NAME="IDX2395"></A>
2124 <A NAME="IDX2396"></A>
2125 <A NAME="IDX2397"></A>
2126 <A NAME="IDX2398"></A>
2127 <HR><H2><A NAME="HDRWQ51" HREF="auqbg002.htm#ToC_64">Defining Cell Name and Membership for Server Processes</A></H2>
2128 <P>Now assign your cell's name. The chapter in the
2129 <I>IBM AFS Administration Guide</I> about cell configuration and
2130 administration issues discusses the important considerations, explains why
2131 changing the name is difficult, and outlines the restrictions on name
2132 format. Two of the most important restrictions are that the name cannot
2133 include uppercase letters or more than 64 characters.
2134 <P>Use the <B>bos setcellname</B> command to assign the cell name.
2135 It creates two files:
2137 <P><LI><B>/usr/afs/etc/ThisCell</B>, which defines this machine's cell
2139 <P><LI><B>/usr/afs/etc/CellServDB</B>, which lists the cell's database
2140 server machines; the machine named on the command line is placed on the
2143 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">In the following and every instruction in this guide, for the
2144 <VAR>machine name</VAR> argument substitute the fully-qualified hostname
2145 (such as <B>fs1.abc.com</B>) of the machine you are
2146 installing. For the <VAR>cell name</VAR> argument substitute your
2147 cell's complete name (such as <B>abc.com</B>).</TD></TR></TABLE>
2149 <A NAME="IDX2399"></A>
2150 <A NAME="IDX2400"></A>
2152 <P><LI>Issue the <B>bos setcellname</B> command to set the cell name.
2154 <PRE># <B>cd /usr/afs/bin</B>
2156 # <B>./bos setcellname</B> <<VAR>machine name</VAR>> <<VAR>cell name</VAR>> <B>-noauth</B></PRE>
2158 <P>Because you are not authenticated and authorization checking is disabled,
2159 the <B>bos</B> command interpreter possibly produces error messages about
2160 being unable to obtain tickets and running unauthenticated. You can
2161 safely ignore the messages.
2162 <A NAME="IDX2401"></A>
2163 <A NAME="IDX2402"></A>
2164 <A NAME="IDX2403"></A>
2165 <A NAME="IDX2404"></A>
2166 <P><LI>Issue the <B>bos listhosts</B> command to verify that the machine you
2167 are installing is now registered as the cell's first database server
2170 <PRE># <B>./bos listhosts</B> <<VAR>machine name</VAR>> <B>-noauth</B>
2171 Cell name is <VAR>cell_name</VAR>
2172 Host 1 is <VAR>machine_name</VAR></PRE>
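<P>The verification step in <A HREF="#HDRWQ50">Starting the BOS Server</A> (the <B>/usr/vice/etc</B> links) and the two cell name restrictions stated above can be checked together before you go on. The following Python script is an added example, not part of this guide or of AFS: <TT>verify_cell_config</TT> confirms that <B>ThisCell</B> and <B>CellServDB</B> in the client directory are links to the server copies in <B>/usr/afs/etc</B>, that the cell name contains no uppercase letters and is at most 64 characters long, and that <B>CellServDB</B> names the cell and the machine. It builds its own scratch trees under a temporary directory, so the paths, the cell name <B>abc.com</B>, the host <B>fs1.abc.com</B> and the address <TT>192.0.2.10</TT> are constructed data, and the <B>CellServDB</B> line format it looks for (a <TT>></TT><VAR>cell name</VAR> line followed by one address line per database server) is an assumption of the example.

```python
import os
import tempfile

MAX_CELL_NAME_LENGTH = 64   # restriction stated in the guide


def validate_cell_name(name):
    """Return the guide's cell-name restrictions that `name` violates, if any."""
    problems = []
    if not name:
        problems.append("cell name is empty")
    if len(name) > MAX_CELL_NAME_LENGTH:
        problems.append(f"cell name is longer than {MAX_CELL_NAME_LENGTH} characters")
    if any(ch.isupper() for ch in name):
        problems.append("cell name contains uppercase letters")
    return problems


def verify_cell_config(vice_etc, afs_etc, machine_name):
    """Check the links and files the BOS Server and bos setcellname leave behind.

    vice_etc / afs_etc stand for /usr/vice/etc and /usr/afs/etc so the check can
    run against a scratch tree as well as a real server.
    """
    findings = []
    for fname in ("ThisCell", "CellServDB"):
        link, target = os.path.join(vice_etc, fname), os.path.join(afs_etc, fname)
        if not os.path.lexists(link):
            findings.append(f"{link} is missing; create it with: ln -s {target}")
        elif not os.path.islink(link):
            findings.append(f"{link} is a regular file rather than a link to {target}")
        elif os.path.realpath(link) != os.path.realpath(target):
            findings.append(f"{link} points to {os.readlink(link)}, expected {target}")
    try:
        with open(os.path.join(afs_etc, "ThisCell")) as fh:
            cell = fh.read().strip()
        with open(os.path.join(afs_etc, "CellServDB")) as fh:
            cellservdb = fh.read()
    except OSError as exc:
        findings.append(f"cannot read cell files in {afs_etc}: {exc}")
        return findings
    findings += [f"ThisCell: {p}" for p in validate_cell_name(cell)]
    # CellServDB format assumed here: a '>cellname' line followed by one
    # 'address #hostname' line per database server machine.
    if f">{cell}" not in cellservdb:
        findings.append(f"CellServDB does not list cell {cell}")
    if machine_name not in cellservdb:
        findings.append(f"CellServDB does not list {machine_name} as a database server")
    return findings


def build_sample_tree(root, cell, machine, create_links=True):
    """Lay out a scratch /usr/afs/etc and /usr/vice/etc under root (constructed data)."""
    afs_etc = os.path.join(root, "usr", "afs", "etc")
    vice_etc = os.path.join(root, "usr", "vice", "etc")
    os.makedirs(afs_etc)
    os.makedirs(vice_etc)
    with open(os.path.join(afs_etc, "ThisCell"), "w") as fh:
        fh.write(cell + "\n")
    with open(os.path.join(afs_etc, "CellServDB"), "w") as fh:
        # 192.0.2.10 is a documentation-range address, not a real server.
        fh.write(f">{cell}\t#Cell name\n192.0.2.10\t#{machine}\n")
    if create_links:
        for fname in ("ThisCell", "CellServDB"):
            os.symlink(os.path.join(afs_etc, fname), os.path.join(vice_etc, fname))
    return vice_etc, afs_etc


def run_samples():
    """Exercise the check on three scratch trees; returns {label: findings}."""
    cases = {"good": ("abc.com", True),        # links present, valid name
             "no_links": ("abc.com", False),   # BOS Server links missing
             "bad_name": ("ABC.com", True)}    # uppercase cell name
    results = {}
    for label, (cell, links) in cases.items():
        with tempfile.TemporaryDirectory() as root:
            vice_etc, afs_etc = build_sample_tree(root, cell, "fs1.abc.com", links)
            results[label] = verify_cell_config(vice_etc, afs_etc, "fs1.abc.com")
    return results


if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(label, findings or "ok")
```

<P>On the machine being installed, call <TT>verify_cell_config("/usr/vice/etc", "/usr/afs/etc", "</TT><VAR>machine name</VAR><TT>")</TT> directly; an empty list means the links and the cell definition match what this chapter expects.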
2176 <A NAME="IDX2405"></A>
2177 <A NAME="IDX2406"></A>
2178 <A NAME="IDX2407"></A>
2179 <A NAME="IDX2408"></A>
2180 <A NAME="IDX2409"></A>
2181 <A NAME="IDX2410"></A>
2182 <A NAME="IDX2411"></A>
2183 <A NAME="IDX2412"></A>
2184 <A NAME="IDX2413"></A>
2185 <A NAME="IDX2414"></A>
2186 <A NAME="IDX2415"></A>
2187 <A NAME="IDX2416"></A>
2188 <A NAME="IDX2417"></A>
2189 <A NAME="IDX2418"></A>
2190 <A NAME="IDX2419"></A>
2191 <A NAME="IDX2420"></A>
2192 <A NAME="IDX2421"></A>
2193 <A NAME="IDX2422"></A>
2194 <A NAME="IDX2423"></A>
2195 <A NAME="IDX2424"></A>
2196 <A NAME="IDX2425"></A>
2197 <A NAME="IDX2426"></A>
2198 <A NAME="IDX2427"></A>
2199 <A NAME="IDX2428"></A>
2200 <A NAME="IDX2429"></A>
2201 <HR><H2><A NAME="HDRWQ52" HREF="auqbg002.htm#ToC_65">Starting the Database Server Processes</A></H2>
2202 <P>Next use the <B>bos create</B> command to create entries
2203 for the four database server processes in the
2204 <B>/usr/afs/local/BosConfig</B> file and start them running. The
2205 four processes run on database server machines only:
2207 <P><LI>The Authentication Server (the <B>kaserver</B> process) maintains the
2208 Authentication Database
2209 <P><LI>The Backup Server (the <B>buserver</B> process) maintains the Backup
2211 <P><LI>The Protection Server (the <B>ptserver</B> process) maintains the
2213 <P><LI>The Volume Location (VL) Server (the <B>vlserver</B> process)
2214 maintains the Volume Location Database (VLDB)
2216 <A NAME="IDX2430"></A>
2217 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">AFS's authentication and authorization software is based on algorithms
2218 and other procedures known as <I>Kerberos</I>, as originally developed by
2219 Project Athena at the Massachusetts Institute of Technology. Some cells
2220 choose to replace the AFS Authentication Server and other security-related
2221 protocols with Kerberos as obtained directly from Project Athena or other
2222 sources. If you wish to do this, contact the AFS Product Support group
2223 now to learn about necessary modifications to the installation.</TD></TR></TABLE>
2225 <P>The remaining instructions in this chapter include the <B>-cell</B>
2226 argument on all applicable commands. Provide the cell name you assigned
2227 in <A HREF="#HDRWQ51">Defining Cell Name and Membership for Server Processes</A>. If a command appears on multiple lines, it is only
2229 <A NAME="IDX2431"></A>
2230 <A NAME="IDX2432"></A>
2232 <P><LI>Issue the <B>bos create</B> command to start the Authentication
2233 Server. The current working directory is still
2234 <B>/usr/afs/bin</B>.
2236 # <B>./bos create</B> <<VAR>machine name</VAR>> <B>kaserver simple /usr/afs/bin/kaserver</B> \
2237 <B> -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2239 <P>You can safely ignore the messages that tell you to add Kerberos to the
2240 <B>/etc/services</B> file; AFS uses a default value that makes the
2241 addition unnecessary. You can also ignore messages about the failure of
2243 <P><LI>Issue the <B>bos create</B> command to start the Backup Server.
2245 # <B>./bos create</B> <<VAR>machine name</VAR>> <B>buserver simple /usr/afs/bin/buserver</B> \
2246 <B> -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2249 <P><LI>Issue the <B>bos create</B> command to start the Protection
2252 # <B>./bos create</B> <<VAR>machine name</VAR>> <B>ptserver simple /usr/afs/bin/ptserver</B> \
2253 <B> -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2256 <P><LI>Issue the <B>bos create</B> command to start the VL Server.
2258 # <B>./bos create</B> <<VAR>machine name</VAR>> <B>vlserver simple /usr/afs/bin/vlserver</B> \
2259 <B> -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2263 <A NAME="IDX2433"></A>
2264 <A NAME="IDX2434"></A>
2265 <A NAME="IDX2435"></A>
2266 <A NAME="IDX2436"></A>
2267 <A NAME="IDX2437"></A>
2268 <A NAME="IDX2438"></A>
2269 <A NAME="IDX2439"></A>
2270 <A NAME="IDX2440"></A>
2271 <A NAME="IDX2441"></A>
2272 <A NAME="IDX2442"></A>
2273 <A NAME="IDX2443"></A>
2274 <A NAME="IDX2444"></A>
2275 <A NAME="IDX2445"></A>
2276 <HR><H2><A NAME="HDRWQ53" HREF="auqbg002.htm#ToC_66">Initializing Cell Security</A></H2>
2277 <P>Now initialize the cell's security mechanisms.
2278 Begin by creating the following two initial entries in the Authentication
2281 <P><LI>A generic administrative account, called <B>admin</B> by
2282 convention. If you choose to assign a different name, substitute it
2283 throughout the remainder of this document.
2284 <P>After you complete the installation of the first machine, you can continue
2285 to have all administrators use the <B>admin</B> account, or you can create
2286 a separate administrative account for each of them. The latter scheme
2287 implies somewhat more overhead, but provides a more informative audit trail
2288 for administrative operations.
2289 <P><LI>The entry for AFS server processes, called <B>afs</B>. No user
2290 logs in under this identity, but the Authentication Server's Ticket
2291 Granting Service (TGS) module uses the associated key to encrypt the server
2292 tickets that it grants to AFS clients for presentation to server processes
2293 during mutual authentication. (The chapter in the <I>IBM AFS
2294 Administration Guide</I> about cell configuration and administration
2295 describes the role of server encryption keys in mutual authentication.)
2296 <P>In Step <A HREF="#LIWQ58">7</A>, you also place the initial AFS server encryption key into
2297 the <B>/usr/afs/etc/KeyFile</B> file. The AFS server processes
2298 refer to this file to learn the server encryption key when they need to
2299 decrypt server tickets.
2301 <P>You also issue several commands that enable the new <B>admin</B> user
2302 to issue privileged commands in all of the AFS suites.
2303 <P>The following instructions do not configure all of the security mechanisms
2304 related to the AFS Backup System. See the chapter in the <I>IBM AFS
2305 Administration Guide</I> about configuring the Backup System.
2307 <A NAME="IDX2446"></A>
2308 <A NAME="IDX2447"></A>
2309 <A NAME="IDX2448"></A>
2310 <P><LI>Enter <B>kas</B> interactive mode. Because the machine is in
2311 no-authorization checking mode, include the <B>-noauth</B> flag to
2312 suppress the Authentication Server's usual prompt for a password.
2314 # <B>kas -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2318 <A NAME="IDX2449"></A>
2319 <A NAME="IDX2450"></A>
2320 <A NAME="IDX2451"></A>
2321 <A NAME="IDX2452"></A>
2322 <P><LI><A NAME="LIWQ54"></A>Issue the <B>kas create</B> command to create Authentication
2323 Database entries called <B>admin</B> and <B>afs</B>.
2324 <P>Do not provide passwords on the command line. Instead provide them
2325 as <VAR>afs_passwd</VAR> and <VAR>admin_passwd</VAR> in response to the
2326 <B>kas</B> command interpreter's prompts as shown, so that they do
2327 not appear on the standard output stream.
2328 <P>You need to enter the <VAR>afs_passwd</VAR> string only in this step and in
2329 Step <A HREF="#LIWQ58">7</A>, so provide a value that is as long and complex as possible,
2330 preferably including numerals, punctuation characters, and both uppercase and
2331 lowercase letters. Also make the <VAR>admin_passwd</VAR> as long and
2332 complex as possible, but keep in mind that administrators need to enter it
2333 often. Both passwords must be at least six characters long.
2335 ka> <B>create afs</B>
2336 initial_password: <VAR>afs_passwd</VAR>
2337 Verifying, please re-enter initial_password: <VAR>afs_passwd</VAR>
2339 ka> <B>create admin</B>
2340 initial_password: <VAR>admin_passwd</VAR>
2341 Verifying, please re-enter initial_password: <VAR>admin_passwd</VAR>
2344 <A NAME="IDX2453"></A>
2345 <A NAME="IDX2454"></A>
2346 <A NAME="IDX2455"></A>
2347 <P><LI><A NAME="LIWQ55"></A>Issue the <B>kas examine</B> command to display the
2348 <B>afs</B> entry. The output includes a checksum generated by
2349 encrypting a constant with the server encryption key derived from the
2350 <VAR>afs_passwd</VAR> string. In Step <A HREF="#LIWQ59">8</A> you issue the <B>bos listkeys</B> command to verify
2351 that the checksum in its output matches the checksum in this output.
2353 ka> <B>examine afs</B>
2355 key (0) cksum is <VAR>checksum</VAR> . . .
2358 <A NAME="IDX2456"></A>
2359 <A NAME="IDX2457"></A>
2360 <A NAME="IDX2458"></A>
2361 <P><LI><A NAME="LIWQ56"></A>Issue the <B>kas setfields</B> command to turn on the
2362 <TT>ADMIN</TT> flag in the <B>admin</B> entry. This enables the
2363 <B>admin</B> user to issue privileged <B>kas</B> commands. Then
2364 issue the <B> kas examine</B> command to verify that the <TT>ADMIN</TT>
2365 flag appears in parentheses on the first line of the output, as shown in the
2368 ka> <B>setfields admin -flags admin</B>
2370 ka> <B>examine admin </B>
2371 User data for admin (ADMIN) . . .
2374 <A NAME="IDX2459"></A>
2375 <A NAME="IDX2460"></A>
2376 <A NAME="IDX2461"></A>
2377 <P><LI>Issue the <B>kas quit</B> command to leave <B>kas</B> interactive
2383 <A NAME="IDX2462"></A>
2384 <A NAME="IDX2463"></A>
2385 <A NAME="IDX2464"></A>
2386 <A NAME="IDX2465"></A>
2387 <A NAME="IDX2466"></A>
2388 <A NAME="IDX2467"></A>
2389 <A NAME="IDX2468"></A>
2390 <P><LI><A NAME="LIWQ57"></A>Issue the <B>bos adduser</B> command to add the
2391 <B>admin</B> user to the <B>/usr/afs/etc/UserList</B> file.
2392 This enables the <B>admin</B> user to issue privileged <B>bos</B> and
2393 <B>vos</B> commands.
2395 # <B>./bos adduser</B> <<VAR>machine name</VAR>> <B>admin -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2398 <A NAME="IDX2469"></A>
2399 <A NAME="IDX2470"></A>
2400 <A NAME="IDX2471"></A>
2401 <A NAME="IDX2472"></A>
2402 <P><LI><A NAME="LIWQ58"></A>Issue the <B>bos addkey</B> command to define the AFS server
2403 encryption key in the <B>/usr/afs/etc/KeyFile</B> file.
2404 <P>Do not provide the password on the command line. Instead provide it
2405 as <VAR>afs_passwd</VAR> in response to the <B>bos</B> command
2406 interpreter's prompts, as shown. Provide the same string as in
2407 Step <A HREF="#LIWQ54">2</A>.
2409 # <B>./bos addkey</B> <<VAR>machine name</VAR>> <B>-kvno 0 -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2410 Input key: <VAR>afs_passwd</VAR>
2411 Retype input key: <VAR>afs_passwd</VAR>
2414 <A NAME="IDX2473"></A>
2415 <A NAME="IDX2474"></A>
2416 <A NAME="IDX2475"></A>
2417 <P><LI><A NAME="LIWQ59"></A>Issue the <B>bos listkeys</B> command to verify that the
2418 checksum for the new key in the <B>KeyFile</B> file is the same as the
2419 checksum for the key in the Authentication Database's <B>afs</B>
2420 entry, which you displayed in Step <A HREF="#LIWQ55">3</A>.
2422 # <B>./bos listkeys</B> <<VAR>machine name</VAR>> <B>-cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2423 key 0 has cksum <VAR>checksum</VAR>
2425 <P>You can safely ignore any error messages indicating that <B>bos</B>
2426 failed to get tickets or that authentication failed.
2427 <P>If the keys are different, issue the following commands, making sure that
2428 the <VAR>afs_passwd</VAR> string is the same in each case. The
2429 <VAR>checksum</VAR> strings reported by the <B>kas examine</B> and <B>bos
2430 listkeys</B> commands must match; if they do not, repeat these
2431 instructions until they do, using the <B>-kvno</B> argument to increment
2432 the key version number each time.
2434 # <B>./kas -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2436 ka> <B>setpassword afs -kvno 1</B>
2437 new_password: <VAR>afs_passwd</VAR>
2438 Verifying, please re-enter initial_password: <VAR>afs_passwd</VAR>
2440 ka> <B>examine afs</B>
2442 key (1) cksum is <VAR>checksum</VAR> . . .
2446 # <B>./bos addkey</B> <<VAR>machine name</VAR>> <B>-kvno 1 -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2447 Input key: <VAR>afs_passwd</VAR>
2448 Retype input key: <VAR>afs_passwd</VAR>
2450 # <B>./bos listkeys</B> <<VAR>machine name</VAR>> <B>-cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2451 key 1 has cksum <VAR>checksum</VAR>
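<P>The following Python check is an added illustration, not part of this guide or of AFS: it parses the <B>kas examine afs</B> and <B>bos listkeys</B> output as quoted in this step, compares the checksum for the newest key version number on each side, and reports which <B>-kvno</B> value to use next if they disagree. The regular expressions assume the line formats shown above, and the sample output is constructed.

```python
import re
from typing import Dict

# Patterns follow the output quoted in this step; the real commands print more
# on each line (for example the last-changed date), which the patterns ignore.
KAS_KEY_RE = re.compile(r"key \((\d+)\) cksum is (\d+)")
BOS_KEY_RE = re.compile(r"key (\d+) has cksum (\d+)")


def parse_kas_examine(output: str) -> Dict[int, str]:
    """Return {kvno: checksum} for every 'key (N) cksum is C' line of 'kas examine afs'."""
    return {int(kvno): cksum for kvno, cksum in KAS_KEY_RE.findall(output)}


def parse_bos_listkeys(output: str) -> Dict[int, str]:
    """Return {kvno: checksum} for every 'key N has cksum C' line of 'bos listkeys'."""
    return {int(kvno): cksum for kvno, cksum in BOS_KEY_RE.findall(output)}


def check_server_key(kas_output: str, bos_output: str) -> dict:
    """Compare the newest key in /usr/afs/etc/KeyFile with the 'afs' Authentication Database entry.

    Returns a dict with:
      ok        -- True when both sides hold the same newest kvno with the same checksum
      kvno      -- the newest kvno seen on either side (None if a side listed no key)
      next_kvno -- value to pass to 'kas setpassword -kvno' and 'bos addkey -kvno'
                   when repeating the procedure (highest seen + 1); None when ok
      reason    -- short explanation for the operator
    """
    kas = parse_kas_examine(kas_output)
    bos = parse_bos_listkeys(bos_output)
    if not kas or not bos:
        highest = max(list(kas) + list(bos), default=-1)
        return {"ok": False, "kvno": None, "next_kvno": highest + 1,
                "reason": "one of the outputs lists no key"}
    kas_kvno, bos_kvno = max(kas), max(bos)
    newest = max(kas_kvno, bos_kvno)
    if kas_kvno != bos_kvno:
        reason = f"Authentication Database has kvno {kas_kvno} but KeyFile has kvno {bos_kvno}"
    elif kas[kas_kvno] != bos[bos_kvno]:
        reason = f"kvno {newest} checksums differ: kas {kas[kas_kvno]} vs bos {bos[bos_kvno]}"
    else:
        return {"ok": True, "kvno": newest, "next_kvno": None, "reason": "checksums match"}
    return {"ok": False, "kvno": newest, "next_kvno": newest + 1, "reason": reason}


# Constructed sample output (checksum values are made up, not real keys).
KAS_EXAMINE_OK = "User data for afs\n  key (0) cksum is 2651715259, last cpw: (constructed)\n"
BOS_LISTKEYS_OK = "key 0 has cksum 2651715259\nKeys last changed on (constructed).\nAll done.\n"
BOS_LISTKEYS_BAD = "key 0 has cksum 3141592653\nAll done.\n"

if __name__ == "__main__":
    for label, bos_out in (("matching", BOS_LISTKEYS_OK), ("mismatched", BOS_LISTKEYS_BAD)):
        result = check_server_key(KAS_EXAMINE_OK, bos_out)
        print(f"{label}: ok={result['ok']} kvno={result['kvno']} "
              f"next_kvno={result['next_kvno']} ({result['reason']})")
```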
2454 <A NAME="IDX2476"></A>
2455 <A NAME="IDX2477"></A>
2456 <A NAME="IDX2478"></A>
2457 <P><LI>Issue the <B>pts createuser</B> command to create a Protection
2458 Database entry for the <B>admin</B> user.
2459 <P>By default, the Protection Server assigns AFS UID 1 (one) to the
2460 <B>admin</B> user, because it is the first user entry you are
2461 creating. If the local password file (<B>/etc/passwd</B> or
2462 equivalent) already has an entry for <B>admin</B> that assigns it a UNIX
2463 UID other than 1, it is best to use the <B>-id</B> argument to the
2464 <B>pts createuser</B> command to make the new AFS UID match the existing
2465 UNIX UID. Otherwise, it is best to accept the default.
2467 # <B>./pts createuser -name admin -cell</B> <<VAR>cell name</VAR>> [<B>-id</B> <<VAR>AFS UID</VAR>>] <B>-noauth</B>
2468 User admin has id <VAR>AFS UID</VAR>
2471 <A NAME="IDX2479"></A>
2472 <A NAME="IDX2480"></A>
2473 <A NAME="IDX2481"></A>
2474 <A NAME="IDX2482"></A>
2475 <P><LI>Issue the <B>pts adduser</B> command to make the <B>admin</B> user
2476 a member of the <B>system:administrators</B> group, and the <B>pts
2477 membership</B> command to verify the new membership. Membership in
2478 the group enables the <B>admin</B> user to issue privileged <B>pts</B>
2479 commands and some privileged <B>fs</B> commands.
2481 # <B>./pts adduser admin system:administrators -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2483 # <B>./pts membership admin -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2484 Groups admin (id: 1) is a member of:
2485 system:administrators
2488 <A NAME="IDX2483"></A>
2489 <A NAME="IDX2484"></A>
2490 <A NAME="IDX2485"></A>
2491 <A NAME="IDX2486"></A>
2492 <P><LI>Issue the <B>bos restart</B> command with the <B>-all</B> flag to
2493 restart the database server processes, so that they start using the new server
2496 # <B>./bos restart</B> <<VAR>machine name</VAR>> <B>-all -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2500 <A NAME="IDX2487"></A>
2501 <A NAME="IDX2488"></A>
2502 <A NAME="IDX2489"></A>
2503 <A NAME="IDX2490"></A>
2504 <A NAME="IDX2491"></A>
2505 <A NAME="IDX2492"></A>
2506 <A NAME="IDX2493"></A>
2507 <A NAME="IDX2494"></A>
2508 <A NAME="IDX2495"></A>
2509 <A NAME="IDX2496"></A>
2510 <A NAME="IDX2497"></A>
2511 <A NAME="IDX2498"></A>
2512 <HR><H2><A NAME="HDRWQ60" HREF="auqbg002.htm#ToC_67">Starting the File Server, Volume Server, and Salvager</A></H2>
2513 <P>Start the <B>fs</B> process, which consists of the File
2514 Server, Volume Server, and Salvager (<B>fileserver</B>,
2515 <B>volserver</B> and <B>salvager</B> processes).
2517 <P><LI>Issue the <B>bos create</B> command to start the <B>fs</B>
2518 process. The command appears here on multiple lines only for
2521 # <B>./bos create</B> <<VAR>machine name</VAR>> <B>fs fs /usr/afs/bin/fileserver</B> \
2522 <B>/usr/afs/bin/volserver /usr/afs/bin/salvager</B> \
2523 <B>-cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2525 <P>Sometimes a message about Volume Location Database (VLDB) initialization
2526 appears, along with one or more instances of an error message similar to the
2529 FSYNC_clientInit temporary failure (will retry)
2531 <P>This message appears when the <B>volserver</B> process tries to start
2532 before the <B>fileserver</B> process has completed its
2533 initialization. Wait a few minutes after the last such message before
2534 continuing, to guarantee that both processes have started successfully.
2535 <A NAME="IDX2499"></A>
2536 <A NAME="IDX2500"></A>
2537 <P>You can verify that the <B>fs</B> process has started successfully by
2538 issuing the <B>bos status</B> command. Its output mentions two
2539 <TT>proc starts</TT>.
2541 # <B>./bos status</B> <<VAR>machine name</VAR>> <B>fs -long -noauth</B>
2544 <P><LI>Your next action depends on whether you have ever run AFS file server
2545 machines in the cell:
2547 <A NAME="IDX2501"></A>
2548 <A NAME="IDX2502"></A>
2549 <A NAME="IDX2503"></A>
2550 <A NAME="IDX2504"></A>
2551 <A NAME="IDX2505"></A>
2552 <P><LI>If you are installing the first AFS server machine ever in the cell (that
2553 is, you are not upgrading the AFS software from a previous version), create
2554 the first AFS volume, <B>root.afs</B>.
2555 <P>For the <VAR>partition name</VAR> argument, substitute the name of one of
2556 the machine's AFS server partitions (such as <B>/vicepa</B>).
2558 # <B>./vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <B>root.afs</B> \
2559 <B>-cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2561 <P>The Volume Server produces a message confirming that it created the volume
2562 on the specified partition. You can ignore error messages indicating
2563 that tokens are missing, or that authentication failed.
2564 <A NAME="IDX2506"></A>
2565 <A NAME="IDX2507"></A>
2566 <A NAME="IDX2508"></A>
2567 <A NAME="IDX2509"></A>
2568 <P><LI>If there are existing AFS file server machines and volumes in the cell,
2569 issue the <B>vos syncvldb</B> and <B>vos syncserv</B> commands to
2570 synchronize the VLDB with the actual state of volumes on the local
2571 machine. To follow the progress of the synchronization operation, which
2572 can take several minutes, use the <B>-verbose</B> flag.
2574 # <B>./vos syncvldb</B> <<VAR>machine name</VAR>> <B>-cell</B> <<VAR>cell name</VAR>> <B>-verbose -noauth</B>
2576 # <B>./vos syncserv</B> <<VAR>machine name</VAR>> <B>-cell</B> <<VAR>cell name</VAR>> <B>-verbose -noauth</B>
2578 <P>You can ignore error messages indicating that tokens are missing, or that
2579 authentication failed.
2582 <A NAME="IDX2510"></A>
2583 <A NAME="IDX2511"></A>
2584 <A NAME="IDX2512"></A>
2585 <A NAME="IDX2513"></A>
2586 <A NAME="IDX2514"></A>
2587 <A NAME="IDX2515"></A>
2588 <A NAME="IDX2516"></A>
2589 <A NAME="IDX2517"></A>
2590 <HR><H2><A NAME="HDRWQ61" HREF="auqbg002.htm#ToC_68">Starting the Server Portion of the Update Server</A></H2>
2591 <P>Start the server portion of the Update Server (the
2592 <B>upserver</B> process), to distribute the contents of directories on
2593 this machine to other server machines in the cell. It becomes active
2594 when you configure the client portion of the Update Server on additional
2596 <P>Distributing the contents of its <B>/usr/afs/etc</B> directory makes
2597 this machine the cell's <I>system control machine</I>. The
2598 other server machines in the cell run the <B>upclientetc</B> process (an
2599 instance of the client portion of the Update Server) to retrieve the
2600 configuration files. Use the <B>-crypt</B> argument to the
2601 <B>upserver</B> initialization command to specify that the Update Server
2602 distributes the contents of the <B>/usr/afs/etc</B> directory only in
2603 encrypted form, as shown in the following instruction. Several of the
2604 files in the directory, particularly the <B>KeyFile</B> file, are crucial
2605 to cell security and so must never cross the network unencrypted.
2606 <P>(You can choose not to configure a system control machine, in which case
2607 you must update the configuration files in each server machine's
2608 <B>/usr/afs/etc</B> directory individually. The <B>bos</B>
2609 commands used for this purpose also encrypt data before sending it across the
2611 <P>Distributing the contents of its <B>/usr/afs/bin</B> directory to other
2612 server machines of its system type makes this machine a <I>binary
2613 distribution machine</I>. The other server machines of its system
2614 type run the <B>upclientbin</B> process (an instance of the client portion
2615 of the Update Server) to retrieve the binaries.
2616 <P>The binaries in the <B>/usr/afs/bin</B> directory are not sensitive, so
2617 it is not necessary to encrypt them before transfer across the network.
2618 Include the <B>-clear</B> argument to the <B>upserver</B>
2619 initialization command to specify that the Update Server distributes the
2620 contents of the <B>/usr/afs/bin</B> directory in unencrypted form unless
2621 an <B>upclientbin</B> process requests encrypted transfer.
2622 <P>Note that the server and client portions of the Update Server always
2623 mutually authenticate with one another, regardless of whether you use the
2624 <B>-clear</B> or <B>-crypt</B> arguments. This protects their
2625 communications from eavesdropping to some degree.
2626 <P>For more information on the <B>upclient</B> and <B>upserver</B>
2627 processes, see their reference pages in the <I>IBM AFS Administration
2628 Reference</I>. The commands appear on multiple lines here only for
2631 <P><LI>Issue the <B>bos create</B> command to start the <B>upserver</B>
2634 # <B>./bos create</B> <<VAR>machine name</VAR>> <B>upserver simple</B> \
2635 <B>"/usr/afs/bin/upserver -crypt /usr/afs/etc </B> \
2636 <B>-clear /usr/afs/bin" -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2640 <A NAME="IDX2518"></A>
2641 <A NAME="IDX2519"></A>
2642 <A NAME="IDX2520"></A>
2643 <A NAME="IDX2521"></A>
2644 <A NAME="IDX2522"></A>
2645 <A NAME="IDX2523"></A>
2646 <HR><H2><A NAME="HDRWQ62" HREF="auqbg002.htm#ToC_69">Starting the Controller for NTPD</A></H2>
2647 <P>Keeping the clocks on all server and client machines in your
2648 cell synchronized is crucial to several functions, and in particular to the
2649 correct operation of AFS's distributed database technology, Ubik.
2650 The chapter in the <I>IBM AFS Administration Guide</I> about administering
2651 server machines explains how time skew can disturb Ubik's performance and
2652 cause service outages in your cell.
2653 <P>The AFS distribution includes a version of the Network Time Protocol Daemon
2654 (NTPD) for synchronizing the clocks on server machines. If a time
2655 synchronization program is not already running on the machine, then in this
2656 section you start the <B>runntp</B> process to configure NTPD for use with
2658 <TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Do not run the <B>runntp</B> process if NTPD or another time
2659 synchronization protocol is already running on the machine. Some
2660 versions of some operating systems run a time synchronization program by
2661 default, as detailed in the <I>IBM AFS Release Notes</I>.
2662 <P>Attempting to run multiple instances of the NTPD causes an error.
2663 Running NTPD together with another time synchronization protocol is
2664 unnecessary and can cause instability in the clock setting.
2666 <P>If you run the <B>runntp</B> process and your cell has reliable network
2667 connectivity to machines outside your cell, then it is conventional to
2668 configure the first AFS machine to refer to a time source outside the
2669 cell. When you later install the <B>runntp</B> program on other
2670 server machines in the cell, it configures NTPD to choose a time source at
2671 random from among the database server machines listed in the
2672 <B>/usr/afs/etc/CellServDB</B> file. Time synchronization therefore
2673 works in a chained manner: this database server machine refers to a time
2674 source outside the cell, the database server machines refer to the machine
2675 among them that has access to the most accurate time (NTPD itself includes
2676 code for determining this), and each non-database server machine refers to a
2677 local database server machine chosen at random from the
2678 <B>/usr/afs/etc/CellServDB</B> file. If you ever decide to remove
2679 database server functionality from this machine, it is best to transfer
2680 responsibility for consulting an external time source to a remaining database
2682 <P>If your cell does not have network connectivity to external machines, or if
2683 the connectivity is not reliable, include the <B>-localclock</B> flag to
2684 the <B>runntp</B> command as indicated in the following
2685 instructions. The flag tells NTPD to rely on the machine's
2686 internal clock when all external time sources are inaccessible. The
2687 <B>runntp</B> command has other arguments that are possibly useful given
2688 your cell configuration; see the <I>IBM AFS Administration
2690 <P>Choosing an appropriate external time source is important, but involves
2691 more considerations than can be discussed here. If you need help in
2692 selecting a source, contact the AFS Product Support group.
2693 <P>As the <B>runntp</B> process initializes NTPD, trace messages sometimes
2694 appear on the standard output stream. You can ignore them, but they can
2695 be informative if you understand how NTPD works.
2697 <P><LI>Issue the <B>bos create</B> command to start the <B>runntp</B>
2698 process. For the <VAR>host</VAR> argument, substitute the fully-qualified
2699 hostname or IP address of one or more machines outside the cell that are to
2700 serve as time sources. Separate each name with a space.
2702 <P><LI>If your cell usually has reliable network connectivity to an external time
2703 source, use the following command:
2705 # <B>./bos create </B> <<VAR>machine name</VAR>> <B>runntp simple</B> \
2706 <B>"/usr/afs/bin/runntp</B> <<VAR>host</VAR>>+<B>" -cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2709 <P><LI>If your cell does not have network connectivity to an external time
2710 source, use the following command:
2712 # <B>./bos create</B> <<VAR>machine name</VAR>> <B>runntp simple</B> \
2713 <B>"/usr/afs/bin/runntp -localclock"</B> <B>-cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2716 <P><LI>If your cell has network connectivity to an external time source, but the
2717 network connection is frequently interrupted, use the following command:
2720 # <B>./bos create</B> <<VAR>machine name</VAR>> <B>runntp simple</B> \
2721 <B>"/usr/afs/bin/runntp -localclock</B> <<VAR>host</VAR>>+<B>"</B> \
2722 <B>-cell</B> <<VAR>cell name</VAR>> <B>-noauth</B>
2727 <A NAME="IDX2524"></A>
2728 <A NAME="IDX2525"></A>
2729 <A NAME="IDX2526"></A>
2730 <HR><H2><A NAME="HDRWQ63" HREF="auqbg002.htm#ToC_70">Overview: Installing Client Functionality</A></H2>
2731 <P>The machine you are installing is now an AFS file server
2732 machine, database server machine, system control machine, and binary
2733 distribution machine. Now make it a client machine by completing the
2736 <P><LI>Define the machine's cell membership for client processes
2737 <P><LI>Create the client version of the <B>CellServDB</B> file
2738 <P><LI>Define cache location and size
2739 <P><LI>Create the <B>/afs</B> directory and start the Cache Manager
2741 <A NAME="IDX2527"></A>
2742 <A NAME="IDX2528"></A>
2743 <A NAME="IDX2529"></A>
2744 <HR><H2><A NAME="HDRWQ64" HREF="auqbg002.htm#ToC_71">Copying Client Files to the Local Disk</A></H2>
2745 <P>Before installing and configuring the AFS client, copy the
2746 necessary files from the AFS CD-ROM to the local <B>/usr/vice/etc</B>
2749 <P><LI>On the local <B>/cdrom</B> directory, mount the AFS CD-ROM for this
2750 machine's system type, if it is not already. For instructions on
2751 mounting CD-ROMs (either locally or remotely via NFS), consult the operating
2752 system documentation.
2753 <P><LI>Copy files to the local <B>/usr/vice/etc</B> directory.
2754 <P>This step places a copy of the AFS initialization script (and related
2755 files, if applicable) into the <B>/usr/vice/etc</B> directory. In
2756 the preceding instructions for incorporating AFS into the kernel, you copied
2757 the script directly to the operating system's conventional location for
2758 initialization files. When you incorporate AFS into the machine's
2759 startup sequence in a later step, you can choose to link the two files.
2760 <P>On some system types that use a dynamic kernel loader program, you
2761 previously copied AFS library files into a subdirectory of the
2762 <B>/usr/vice/etc</B> directory. On other system types, you copied
2763 the appropriate AFS library file directly to the directory where the operating
2764 system accesses it. The following commands do not copy or recopy the
2765 AFS library files into the <B>/usr/vice/etc</B> directory, because on some
2766 system types the library files consume a large amount of space. If you
2767 want to copy them, add the <B>-r</B> flag to the first <B>cp</B>
2768 command and skip the second <B>cp</B> command.
2770 # <B>cd /cdrom/</B><VAR>sysname</VAR><B>/root.client/usr/vice/etc</B>
2772 # <B>cp -p * /usr/vice/etc</B>
2774 # <B>cp -rp C /usr/vice/etc</B>
2778 <A NAME="IDX2530"></A>
2779 <A NAME="IDX2531"></A>
2780 <A NAME="IDX2532"></A>
2781 <A NAME="IDX2533"></A>
2782 <A NAME="IDX2534"></A>
2783 <A NAME="IDX2535"></A>
2784 <A NAME="IDX2536"></A>
2785 <HR><H2><A NAME="HDRWQ65" HREF="auqbg002.htm#ToC_72">Defining Cell Membership for Client Processes</A></H2>
2786 <P>Every AFS client machine has a copy of the
2787 <B>/usr/vice/etc/ThisCell</B> file on its local disk to define the
2788 machine's cell membership for the AFS client programs that run on
2789 it. The <B>ThisCell</B> file you created in the
2790 <B>/usr/afs/etc</B> directory (in <A HREF="#HDRWQ51">Defining Cell Name and Membership for Server Processes</A>) is used only by server processes.
2791 <P>Among other functions, the <B>ThisCell</B> file on a client machine
2792 determines the following:
2794 <P><LI>The cell in which users authenticate when they log onto the machine,
2795 assuming it is using an AFS-modified login utility
2796 <P><LI>The cell in which users authenticate by default when they issue the
2798 <P><LI>The cell membership of the AFS server processes that the AFS command
2799 interpreters on this machine contact by default
2802 <P><LI>Change to the <B>/usr/vice/etc</B> directory and remove the symbolic
2803 link created in <A HREF="#HDRWQ50">Starting the BOS Server</A>.
2805 # <B>cd /usr/vice/etc</B>
2807 # <B>rm ThisCell</B>
2810 <P><LI>Create the <B>ThisCell</B> file as a copy of the
2811 <B>/usr/afs/etc/ThisCell</B> file. Defining the same local cell for
2812 both server and client processes leads to the most consistent AFS
2815 # <B>cp /usr/afs/etc/ThisCell ThisCell</B>
2819 <A NAME="IDX2537"></A>
2820 <A NAME="IDX2538"></A>
2821 <A NAME="IDX2539"></A>
2822 <A NAME="IDX2540"></A>
2823 <A NAME="IDX2541"></A>
2824 <A NAME="IDX2542"></A>
2825 <A NAME="IDX2543"></A>
2826 <A NAME="IDX2544"></A>
2827 <HR><H2><A NAME="HDRWQ66" HREF="auqbg002.htm#ToC_73">Creating the Client CellServDB File</A></H2>
2828 <P>The <B>/usr/vice/etc/CellServDB</B> file on a client
2829 machine's local disk lists the database server machines for each cell
2830 that the local Cache Manager can contact. If there is no entry in the
2831 file for a cell, or if the list of database server machines is wrong, then
2832 users working on this machine cannot access the cell. The chapter in
2833 the <I>IBM AFS Administration Guide</I> about administering client
2834 machines explains how to maintain the file after creating it.
2835 <P>As the <B>afsd</B> program initializes the Cache Manager, it copies the
2836 contents of the <B>CellServDB</B> file into kernel memory. The
2837 Cache Manager always consults the list in kernel memory rather than the
2838 <B>CellServDB</B> file itself. Between reboots of the machine, you
2839 can use the <B>fs newcell</B> command to update the list in kernel memory
2840 directly; see the chapter in the <I>IBM AFS Administration Guide</I>
2841 about administering client machines.
2842 <P>The AFS distribution includes the file <B>CellServDB.sample</B>,
2843 and you have already copied it to the <B>/usr/vice/etc</B>
2844 directory. It includes an entry for all AFS cells that agreed to share
2845 their database server machine information at the time your AFS CD-ROM was
2846 created. The AFS Product Support group also maintains a copy of the
2847 file, updating it as necessary. If you are interested in participating
2848 in the global AFS namespace, it is a good policy to consult the file
2849 occasionally for updates. Ask the AFS Product Support group for a
2850 pointer to its location.
2851 <P>The <B>CellServDB.sample</B> file can be a good basis for the
2852 client <B>CellServDB</B> file, because all of the entries in it use the
2853 correct format. You can add or remove cell entries as you see
2854 fit. Later (in <A HREF="#HDRWQ91">Enabling Access to Foreign Cells</A>) you perform additional steps that enable the Cache
2855 Manager actually to reach the cells.
2856 <P>In this section, you add an entry for the local cell to the local
2857 <B>CellServDB</B> file. The current working directory is still
2858 <B>/usr/vice/etc</B>.
<P><LI>Remove the symbolic link created in <A HREF="#HDRWQ50">Starting the BOS Server</A> and rename the <B>CellServDB.sample</B> file to
# <B>rm CellServDB</B>
# <B>mv CellServDB.sample CellServDB</B>
<P><LI>Add an entry for the local cell to the <B>CellServDB</B> file.
One easy method is to use the <B>cat</B> command to append the contents of
the server <B>/usr/afs/etc/CellServDB</B> file to the client
# <B>cat /usr/afs/etc/CellServDB >> CellServDB</B>
<P>Then open the file in a text editor to verify that there are no blank
lines, and that all entries have the required format, which is described in
the next two steps. The ordering of cells is not significant, but it can be
convenient to have the client machine's home cell at the top; move
it there now if you wish.
<P><LI>The first line of a cell's entry has the following format:
><VAR>cell_name</VAR> #<VAR>organization</VAR>
<P>where <VAR>cell_name</VAR> is the cell's complete Internet domain name
(for example, <B>abc.com</B>) and <VAR>organization</VAR> is an
optional field that follows any number of spaces and the number sign
(<TT>#</TT>). By convention it names the organization to which the
cell corresponds (for example, the ABC Corporation).
<P><LI>After the first line comes a separate line for each database server
machine. Each line has the following format:
<VAR>IP_address</VAR> #<VAR>machine_name</VAR>
<P>where <VAR>IP_address</VAR> is the machine's IP address in dotted
decimal format (for example, 192.12.105.3).
Following any number of spaces and the number sign (<TT>#</TT>) is
<VAR>machine_name</VAR>, the machine's fully-qualified hostname (for
example, <B>db1.abc.com</B>). In this case, the
number sign does not indicate a comment; <VAR>machine_name</VAR> is a
<P><LI>If the file includes cells that you do not wish users of this machine to
access, remove their entries.
<P>The following example shows entries for two cells, each of which has three
database server machines:
>abc.com #ABC Corporation (home cell)
192.12.105.3 #db1.abc.com
192.12.105.4 #db2.abc.com
192.12.105.55 #db3.abc.com
>stateu.edu #State University cell
138.255.68.93 #serverA.stateu.edu
138.255.68.72 #serverB.stateu.edu
138.255.33.154 #serverC.stateu.edu
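<P>The following Python check is an added example, not part of the IBM documentation: it parses a client <B>CellServDB</B> file against the format just described (no blank lines, a <TT>&gt;cell_name #organization</TT> line per cell, a dotted-decimal address and fully-qualified hostname per server line) and reports every violation. The sample file is constructed from the two-cell example above, and all function names are the example's own; because these entries decide which hosts the Cache Manager treats as the cell's database servers, a check like this before the file goes live is worth the effort.

```python
"""Sanity-check a client CellServDB file against the documented format."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the two-cell example from the text.
SAMPLE_CELLSERVDB = """\
>abc.com #ABC Corporation (home cell)
192.12.105.3 #db1.abc.com
192.12.105.4 #db2.abc.com
192.12.105.55 #db3.abc.com
>stateu.edu #State University cell
138.255.68.93 #serverA.stateu.edu
138.255.68.72 #serverB.stateu.edu
138.255.33.154 #serverC.stateu.edu
"""

# Cell names and machine names must be fully-qualified Internet domain names:
# at least two dot-separated labels of letters, digits and hyphens.
_FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$", re.I)

Servers = List[Tuple[str, str]]  # (IP_address, machine_name) pairs


def parse_cellservdb(text: str) -> Tuple[Dict[str, Servers], List[str]]:
    """Return ({cell_name: [(ip, hostname), ...]}, problems).

    An empty problems list means every rule in the text holds: no blank
    lines, each cell begins with ">cell_name #organization", each server
    line is "dotted-decimal-IP #fqdn", and each cell lists at least one
    database server machine.
    """
    cells: Dict[str, Servers] = {}
    problems: List[str] = []
    current = None  # cell whose server lines are being read
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            problems.append(f"line {lineno}: blank line")
            continue
        if line.startswith(">"):
            # First line of a cell entry: ">cell_name #organization".
            name = line[1:].partition("#")[0].strip()
            if not _FQDN_RE.match(name):
                problems.append(f"line {lineno}: {name!r} is not a fully-qualified cell name")
            if name in cells:
                problems.append(f"line {lineno}: duplicate entry for cell {name!r}")
            current = name
            cells.setdefault(name, [])
            continue
        if current is None:
            problems.append(f"line {lineno}: server line before any '>' cell line")
            continue
        # Database server line: "IP_address #machine_name"; here '#' is a
        # field separator, not a comment marker.
        addr, sep, host = (part.strip() for part in line.partition("#"))
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            problems.append(f"line {lineno}: {addr!r} is not a dotted-decimal IP address")
        if not sep or not _FQDN_RE.match(host):
            problems.append(f"line {lineno}: missing or non-fully-qualified machine name {host!r}")
        cells[current].append((addr, host))
    for name, servers in cells.items():
        if not servers:
            problems.append(f"cell {name!r} lists no database server machines")
    return cells, problems


if __name__ == "__main__":
    parsed, issues = parse_cellservdb(SAMPLE_CELLSERVDB)
    for cell, servers in parsed.items():
        print(f"{cell}: {len(servers)} database server(s)")
    print("problems:", issues or "none")
```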
<A NAME="IDX2545"></A>
<A NAME="IDX2546"></A>
<A NAME="IDX2547"></A>
<A NAME="IDX2548"></A>
<HR><H2><A NAME="HDRWQ67" HREF="auqbg002.htm#ToC_74">Configuring the Cache</A></H2>
<P>The Cache Manager uses a cache on the local disk or in
machine memory to store local copies of files fetched from file server
machines. As the <B>afsd</B> program initializes the Cache Manager,
it sets basic cache configuration parameters according to definitions in the
local <B>/usr/vice/etc/cacheinfo</B> file. The file has three
<P><LI>The first field names the local directory on which to mount the AFS
filespace. The conventional location is the <B>/afs</B>
<P><LI>The second field defines the local disk directory to use for the disk
cache. The conventional location is the <B>/usr/vice/cache</B>
directory, but you can specify an alternate directory if another partition has
more space available. There must always be a value in this field, but
the Cache Manager ignores it if the machine uses a memory cache.
<P><LI>The third field specifies the number of kilobyte (1024 byte) blocks to
allocate for the cache.
<P>The values you define must meet the following requirements.
<P><LI>On a machine using a disk cache, the Cache Manager expects always to be
able to use the amount of space specified in the third field. Failure
to meet this requirement can cause serious problems, some of which can be
repaired only by rebooting. You must prevent non-AFS processes from
filling up the cache partition. The simplest way is to devote a
partition to the cache exclusively.
<P><LI>The amount of space available in memory or on the partition housing the
disk cache directory imposes an absolute limit on cache size.
<P><LI>The maximum supported cache size can vary in each AFS release; see
the <I>IBM AFS Release Notes</I> for the current version.
<P><LI>For a disk cache, you cannot specify a value in the third field that
exceeds 95% of the space available on the partition mounted at the directory
named in the second field. If you violate this restriction, the
<B>afsd</B> program exits without starting the Cache Manager and prints an
appropriate message on the standard output stream. A value of 90% is
more appropriate on most machines. Some operating systems (such as AIX)
do not automatically reserve some space to prevent the partition from filling
completely; for them, a smaller value (say, 80% to 85% of the space
available) is more appropriate.
<P><LI>For a memory cache, you must leave enough memory for other processes and
applications to run. If you try to allocate more memory than is
actually available, the <B>afsd</B> program exits without initializing the
Cache Manager and produces the following message on the standard output
afsd: memCache allocation failure at <VAR>number</VAR> KB
<P>The <VAR>number</VAR> value is how many kilobytes were allocated just before
the failure, and so indicates the approximate amount of memory
<P>Within these hard limits, the factors that determine appropriate cache size
include the number of users working on the machine, the size of the files with
which they work, and (for a memory cache) the number of processes that run on
the machine. The higher the demand from these factors, the larger the
cache needs to be to maintain good performance.
<P>Disk caches smaller than 10 MB do not generally perform well.
Machines serving multiple users usually perform better with a cache of at
least 60 to 70 MB. The point at which enlarging the cache further does
not really improve performance depends on the factors mentioned previously and
is difficult to predict.
<P>Memory caches smaller than 1 MB are nonfunctional, and the performance of
caches smaller than 5 MB is usually unsatisfactory. Suitable upper
limits are similar to those for disk caches but are probably determined more
by the demands on memory from other sources on the machine (number of users
and processes). Machines running only a few processes possibly can use
a smaller memory cache.
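<P>As an added example (not from the IBM documentation), the following Python turns the sizing rules above into a check: it parses the three-field <B>cacheinfo</B> line and reports whether a disk cache breaks the 95% hard limit or the 90% (80% to 85% on systems such as AIX) recommended ceiling for a given partition, and whether a memory cache falls under the 1 MB and 5 MB thresholds or exceeds available memory. The partition and memory sizes are constructed inputs supplied by the caller rather than read from the machine, and the function names are the example's own.

```python
"""Check a cacheinfo definition against the documented sizing rules."""
from dataclasses import dataclass
from typing import List


@dataclass
class CacheInfo:
    mount_dir: str   # first field: where the AFS filespace is mounted
    cache_dir: str   # second field: disk cache directory (ignored for memory cache)
    blocks: int      # third field: cache size in 1 KB blocks


def parse_cacheinfo(line: str) -> CacheInfo:
    """Parse a line such as "/afs:/usr/vice/cache:50000"; raise ValueError if malformed."""
    fields = line.strip().split(":")
    if len(fields) != 3:
        raise ValueError(f"cacheinfo needs exactly three ':'-separated fields, got {len(fields)}")
    mount_dir, cache_dir, blocks = fields
    if not mount_dir.startswith("/") or not cache_dir.startswith("/"):
        raise ValueError("mount directory and cache directory must be absolute paths")
    if not blocks.isdigit() or int(blocks) <= 0:
        raise ValueError(f"block count must be a positive integer, got {blocks!r}")
    return CacheInfo(mount_dir, cache_dir, int(blocks))


def check_disk_cache(info: CacheInfo, partition_kb: int, reserves_space: bool = True) -> List[str]:
    """Findings for a disk cache on a partition with partition_kb KB available.

    reserves_space=False models systems (AIX, per the text) that do not keep
    the partition from filling completely, where 85% is the safe ceiling.
    Integer arithmetic avoids float rounding at the exact boundary.
    """
    findings = []
    hard_limit = partition_kb * 95 // 100
    ceiling = partition_kb * (90 if reserves_space else 85) // 100
    if info.blocks > hard_limit:
        findings.append(f"ERROR: {info.blocks} KB exceeds 95% of the partition "
                        f"({hard_limit} KB); afsd exits without starting the Cache Manager")
    elif info.blocks > ceiling:
        findings.append(f"WARN: {info.blocks} KB exceeds the recommended ceiling ({ceiling} KB)")
    if info.blocks < 10 * 1024:
        findings.append("WARN: disk caches smaller than 10 MB do not generally perform well")
    return findings


def check_memory_cache(info: CacheInfo, available_kb: int) -> List[str]:
    """Findings for a memory cache given available_kb KB of memory for it."""
    findings = []
    if info.blocks < 1024:
        findings.append("ERROR: memory caches smaller than 1 MB are nonfunctional")
    elif info.blocks < 5 * 1024:
        findings.append("WARN: memory caches smaller than 5 MB usually perform unsatisfactorily")
    if info.blocks > available_kb:
        findings.append(f"ERROR: {info.blocks} KB exceeds available memory ({available_kb} KB); "
                        "afsd would report 'memCache allocation failure'")
    return findings


if __name__ == "__main__":
    # Constructed figures: the text's 50,000 KB disk cache on a 55,000 KB partition.
    disk = parse_cacheinfo("/afs:/usr/vice/cache:50000")
    print(check_disk_cache(disk, 55000) or "disk cache OK")
    mem = parse_cacheinfo("/afs:/usr/vice/cache:25000")
    print(check_memory_cache(mem, 32768) or "memory cache OK")
```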
<P><H3><A NAME="HDRWQ68" HREF="auqbg002.htm#ToC_75">Configuring a Disk Cache</A></H3>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Not all file system types that an operating system supports are
necessarily supported for use as the cache partition. For possible
restrictions, see the <I>IBM AFS Release Notes</I>.
<P>To configure the disk cache, perform the following procedures:
<P><LI>Create the local directory to use for caching. The following
instruction shows the conventional location,
<B>/usr/vice/cache</B>. If you are devoting a partition exclusively
to caching, as recommended, you must also configure it, make a file system on
it, and mount it at the directory created in this step.
# <B>mkdir /usr/vice/cache</B>
<P><LI>Create the <B>cacheinfo</B> file to define the configuration
parameters discussed previously. The following instruction shows the
standard mount location, <B>/afs</B>, and the standard cache location,
<B>/usr/vice/cache</B>.
# <B>echo "/afs:/usr/vice/cache:</B><VAR>#blocks</VAR><B>" > /usr/vice/etc/cacheinfo</B>
<P>The following example defines the disk cache size as 50,000 KB:
# <B>echo "/afs:/usr/vice/cache:50000" > /usr/vice/etc/cacheinfo</B>
<P><H3><A NAME="HDRWQ69" HREF="auqbg002.htm#ToC_76">Configuring a Memory Cache</A></H3>
<P>To configure a memory cache, create the <B>cacheinfo</B>
file to define the configuration parameters discussed previously. The
following instruction shows the standard mount location, <B>/afs</B>, and
the standard cache location, <B>/usr/vice/cache</B> (though the exact
value of the latter is irrelevant for a memory cache).
# <B>echo "/afs:/usr/vice/cache:</B><VAR>#blocks</VAR><B>" > /usr/vice/etc/cacheinfo</B>
<P>The following example allocates 25,000 KB of memory for the cache.
# <B>echo "/afs:/usr/vice/cache:25000" > /usr/vice/etc/cacheinfo</B>
<A NAME="IDX2549"></A>
<A NAME="IDX2550"></A>
<A NAME="IDX2551"></A>
<A NAME="IDX2552"></A>
<A NAME="IDX2553"></A>
<A NAME="IDX2554"></A>
<HR><H2><A NAME="HDRWQ70" HREF="auqbg002.htm#ToC_77">Configuring the Cache Manager</A></H2>
<P>By convention, the Cache Manager mounts the AFS filespace on
the local <B>/afs</B> directory. In this section you create that
<P>The <B>afsd</B> program sets several cache configuration parameters as
it initializes the Cache Manager, and starts daemons that improve
performance. You can use the <B>afsd</B> command's arguments
to override the parameters' default values and to change the number of
some of the daemons. Depending on the machine's cache size, its
amount of RAM, and how many people work on it, you can sometimes improve Cache
Manager performance by overriding the default values. For a discussion
of all of the <B>afsd</B> command's arguments, see its reference page
in the <I>IBM AFS Administration Reference</I>.
<P>The <B>afsd</B> command line in the AFS initialization script on each
system type includes an <TT>OPTIONS</TT> variable. You can use it to
set nondefault values for the command's arguments, in one of the
<P><LI>You can create an <B>afsd</B> <I>options file</I> that sets values
for arguments to the <B>afsd</B> command. If the file exists, its
contents are automatically substituted for the <TT>OPTIONS</TT> variable in
the AFS initialization script. The AFS distribution for some system
types includes an options file; on other system types, you must create
<P>You use two variables in the AFS initialization script to specify the path
to the options file: <TT>CONFIG</TT> and <TT>AFSDOPT</TT>. On
system types that define a conventional directory for configuration files, the
<TT>CONFIG</TT> variable indicates it by default; otherwise, the
variable indicates an appropriate location.
<P>List the desired <B>afsd</B> options on a single line in the options
file, separating each option with one or more spaces. The following
example sets the <B>-stat</B> argument to 2500, the <B>-daemons</B>
argument to 4, and the <B>-volumes</B> argument to 100.
-stat 2500 -daemons 4 -volumes 100
<P><LI>On a machine that uses a disk cache, you can set the <TT>OPTIONS</TT>
variable in the AFS initialization script to one of <TT>$SMALL</TT>,
<TT>$MEDIUM</TT>, or <TT>$LARGE</TT>. The AFS initialization script
uses one of these settings if the <B>afsd</B> options file named by the
<TT>AFSDOPT</TT> variable does not exist. In the script as
distributed, the <TT>OPTIONS</TT> variable is set to the value
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Do not set the <TT>OPTIONS</TT> variable to <TT>$SMALL</TT>,
<TT>$MEDIUM</TT>, or <TT>$LARGE</TT> on a machine that uses a memory
cache. The arguments it sets are appropriate only on a machine that
<P>The script (or on some system types the <B>afsd</B> options file named
by the <TT>AFSDOPT</TT> variable) defines a value for each of
<TT>SMALL</TT>, <TT>MEDIUM</TT>, and <TT>LARGE</TT> that sets
<B>afsd</B> command arguments appropriately for client machines of
<P><LI><TT>SMALL</TT> is suitable for a small machine that serves one or two
users and has approximately 8 MB of RAM and a 20-MB cache
<P><LI><TT>MEDIUM</TT> is suitable for a medium-sized machine that serves two
to six users and has 16 MB of RAM and a 40-MB cache
<P><LI><TT>LARGE</TT> is suitable for a large machine that serves five to ten
users and has 32 MB of RAM and a 100-MB cache
<P><LI>You can choose not to create an <B>afsd</B> options file and to set
the <TT>OPTIONS</TT> variable in the initialization script to a null value
rather than to the default <TT>$MEDIUM</TT> value. You can then
either set arguments directly on the <B>afsd</B> command line in the
script, or set no arguments (and so accept default values for all Cache
Manager parameters).
<P><LI>Create the local directory on which to mount the AFS filespace, by
convention <B>/afs</B>. If the directory already exists, verify
<P><LI>On AIX systems, add the following line to the <B>/etc/vfs</B>
file. It enables AIX to unmount AFS correctly during shutdown.
<P><LI>On Linux systems, copy the <B>afsd</B> options file from the
<B>/usr/vice/etc</B> directory to the <B>/etc/sysconfig</B> directory,
removing the <B>.conf</B> extension as you do so.
# <B>cp /usr/vice/etc/afs.conf /etc/sysconfig/afs</B>
<P><LI>Edit the machine's AFS initialization script or <B>afsd</B>
options file to set appropriate values for <B>afsd</B> command
parameters. The script resides in the indicated location on each system
<P><LI>On AIX systems, <B>/etc/rc.afs</B>
<P><LI>On Digital UNIX systems, <B>/sbin/init.d/afs</B>
<P><LI>On HP-UX systems, <B>/sbin/init.d/afs</B>
<P><LI>On IRIX systems, <B>/etc/init.d/afs</B>
<P><LI>On Linux systems, <B>/etc/sysconfig/afs</B> (the <B>afsd</B>
<P><LI>On Solaris systems, <B>/etc/init.d/afs</B>
<P>Use one of the methods described in the introduction to this section to add
the following flags to the <B>afsd</B> command line. If you intend
for the machine to remain an AFS client, also set any performance-related
<P><LI>Add the <B>-nosettime</B> flag, because this is a file server machine
that is also a client. The flag prevents the machine from picking a
file server machine in the cell as its source for the correct time, which
client machines normally do. File server machines instead use NTPD (as
controlled by the <B>runntp</B> process) or another protocol to
synchronize their clocks.
<P><LI>Add the <B>-memcache</B> flag if the machine is to use a memory
<P><LI>Add the <B>-verbose</B> flag to display a trace of the Cache
Manager's initialization on the standard output stream.
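<P>The following Python is an added example, not part of the IBM documentation: it parses a one-line <B>afsd</B> options file of the form shown in this section and checks the requirements stated for the first machine, namely that the file holds a single line, that <B>-nosettime</B> is present, that <B>-memcache</B> is given exactly when a memory cache is intended, and that <B>-stat</B>, <B>-daemons</B> and <B>-volumes</B> carry integer values. The intended cache type is passed in by the caller, the option lines are constructed, and the function names are the example's own.

```python
"""Validate an afsd options line for a file server machine that is also a client."""
from typing import Dict, List, Optional

# Arguments named in the text that take a numeric value.
NUMERIC_ARGS = ("-stat", "-daemons", "-volumes")
# Flags named in the text that take no value.
BARE_FLAGS = {"-nosettime", "-memcache", "-verbose"}

Options = Dict[str, Optional[str]]  # option -> value, or None for a bare flag


def parse_options(text: str) -> Options:
    """Parse the options file; afsd expects every option on one line."""
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) != 1:
        raise ValueError(f"options file must contain exactly one line, found {len(lines)}")
    tokens = lines[0].split()
    opts: Options = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            raise ValueError(f"unexpected token {tok!r}: each option must start with '-'")
        # A bare flag, or an option followed by another option, takes no value.
        if tok in BARE_FLAGS or i + 1 == len(tokens) or tokens[i + 1].startswith("-"):
            opts[tok] = None
            i += 1
        else:
            opts[tok] = tokens[i + 1]
            i += 2
    return opts


def check_first_machine_options(opts: Options, memory_cache: bool) -> List[str]:
    """Findings against the rules this section states for the first AFS machine."""
    findings = []
    if "-nosettime" not in opts:
        findings.append("missing -nosettime: a file server machine that is also a client "
                        "must not take its time from another file server")
    if memory_cache and "-memcache" not in opts:
        findings.append("memory cache intended but -memcache is absent; afsd would build a "
                        "disk cache in the cacheinfo directory")
    if not memory_cache and "-memcache" in opts:
        findings.append("-memcache given but the machine is configured for a disk cache")
    for arg in NUMERIC_ARGS:
        if arg in opts:
            val = opts[arg]
            if val is None or not val.isdigit() or int(val) <= 0:
                findings.append(f"{arg} needs a positive integer value, got {val!r}")
    return findings


if __name__ == "__main__":
    # Constructed option line: the text's example plus the flags this section adds.
    opts = parse_options("-stat 2500 -daemons 4 -volumes 100 -nosettime -verbose\n")
    print(check_first_machine_options(opts, memory_cache=False) or "options OK")
```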
<A NAME="IDX2555"></A>
<A NAME="IDX2556"></A>
<HR><H2><A NAME="HDRWQ71" HREF="auqbg002.htm#ToC_78">Overview: Completing the Installation of the First AFS Machine</A></H2>
<P>The machine is now configured as an AFS file server and
client machine. In this final phase of the installation, you initialize
the Cache Manager and then create the upper levels of your AFS filespace,
among other procedures. The procedures are:
<P><LI>Verify that the initialization script works correctly, and incorporate it
into the operating system's startup and shutdown sequence
<P><LI>Create and mount top-level volumes
<P><LI>Create and mount volumes to store system binaries in AFS
<P><LI>Enable access to foreign cells
<P><LI>Institute additional security measures
<P><LI>Remove client functionality if desired
<A NAME="IDX2557"></A>
<A NAME="IDX2558"></A>
<A NAME="IDX2559"></A>
<A NAME="IDX2560"></A>
<A NAME="IDX2561"></A>
<HR><H2><A NAME="HDRWQ72" HREF="auqbg002.htm#ToC_79">Verifying the AFS Initialization Script</A></H2>
<P>At this point you run the AFS initialization script to verify
that it correctly invokes all of the necessary programs and AFS processes, and
that they start correctly. The following are the relevant
<P><LI>The command that dynamically loads AFS modifications into the kernel, on
some system types (not applicable if the kernel has AFS modifications built
<P><LI>The <B>bosserver</B> command, which starts the BOS Server; it in
turn starts the server processes for which you created entries in the
<B>/usr/afs/local/BosConfig</B> file
<P><LI>The <B>afsd</B> command, which initializes the Cache Manager
<P>On system types that use a dynamic loader program, you must reboot the
machine before running the initialization script, so that it can freshly load
AFS modifications into the kernel.
<P>If there are problems during the initialization, attempt to resolve
them. The AFS Product Support group can provide assistance if
<A NAME="IDX2562"></A>
<A NAME="IDX2563"></A>
<P><LI>Issue the <B>bos shutdown</B> command to shut down the AFS server
processes other than the BOS Server. Include the <B>-wait</B> flag
to delay return of the command shell prompt until all processes shut down
# <B>/usr/afs/bin/bos shutdown</B> <<VAR>machine name</VAR>> <B>-wait</B>
<P><LI>Issue the <B>ps</B> command to learn the <B>bosserver</B>
process's process ID number (PID), and then the <B>kill</B> command
# <B>ps</B> <VAR>appropriate_ps_options</VAR> <B>| grep bosserver</B>
# <B>kill</B> <VAR>bosserver_PID</VAR>
<P><LI>Issue the appropriate commands to run the AFS initialization script for
<A NAME="IDX2564"></A>
<P><B>On AIX systems:</B>
<P><LI>Reboot the machine and log in again as the local superuser
# <B>shutdown -r now</B>
Password: <VAR>root_password</VAR>
<P><LI>Run the AFS initialization script.
# <B>/etc/rc.afs</B>
<A NAME="IDX2565"></A>
<P><B>On Digital UNIX systems:</B>
<P><LI>Run the AFS initialization script.
# <B>/sbin/init.d/afs start</B>
<A NAME="IDX2566"></A>
<P><B>On HP-UX systems:</B>
<P><LI>Run the AFS initialization script.
# <B>/sbin/init.d/afs start</B>
<A NAME="IDX2567"></A>
<A NAME="IDX2568"></A>
<A NAME="IDX2569"></A>
<A NAME="IDX2570"></A>
<A NAME="IDX2571"></A>
<A NAME="IDX2572"></A>
<A NAME="IDX2573"></A>
<P><B>On IRIX systems:</B>
<P><LI>If you have configured the machine to use the <B>ml</B> dynamic loader
program, reboot the machine and log in again as the local superuser
# <B>shutdown -i6 -g0 -y</B>
Password: <VAR>root_password</VAR>
<P><LI>Issue the <B>chkconfig</B> command to activate the
<B>afsserver</B> and <B>afsclient</B> configuration variables.
# <B>/etc/chkconfig -f afsserver on</B>
# <B>/etc/chkconfig -f afsclient on</B>
<P><LI>Run the AFS initialization script.
# <B>/etc/init.d/afs start</B>
<A NAME="IDX2574"></A>
<P><B>On Linux systems:</B>
<P><LI>Reboot the machine and log in again as the local superuser
# <B>shutdown -r now</B>
Password: <VAR>root_password</VAR>
<P><LI>Run the AFS initialization script.
# <B>/etc/rc.d/init.d/afs start</B>
<A NAME="IDX2575"></A>
<P><B>On Solaris systems:</B>
<P><LI>Reboot the machine and log in again as the local superuser
# <B>shutdown -i6 -g0 -y</B>
Password: <VAR>root_password</VAR>
<P><LI>Run the AFS initialization script.
# <B>/etc/init.d/afs start</B>
<A NAME="IDX2576"></A>
<A NAME="IDX2577"></A>
<P><LI>Wait for the message that confirms that Cache Manager initialization is
<P>On machines that use a disk cache, it can take a while to initialize the
Cache Manager for the first time, because the <B>afsd</B> program must
create all of the <B>V</B><VAR>n</VAR> files in the cache directory.
Subsequent Cache Manager initializations do not take nearly as long, because
the <B>V</B><VAR>n</VAR> files already exist.
<P>As a basic test of correct AFS functioning, issue the <B>klog</B>
command to authenticate as the <B>admin</B> user. Provide the
password (<VAR>admin_passwd</VAR>) you defined in <A HREF="#HDRWQ53">Initializing Cell Security</A>.
# <B>/usr/afs/bin/klog admin</B>
Password: <VAR>admin_passwd</VAR>
<A NAME="IDX2578"></A>
<A NAME="IDX2579"></A>
<P><LI>Issue the <B>tokens</B> command to verify that the <B>klog</B>
command worked correctly. If it did, the output looks similar to the
following example for the <B>abc.com</B> cell, where
<B>admin</B>'s AFS UID is 1. If the output does not seem
correct, resolve the problem. Changes to the AFS initialization script
are possibly necessary. The AFS Product Support group can provide
assistance as necessary.
# <B>/usr/afs/bin/tokens</B>
Tokens held by the Cache Manager:
User's (AFS ID 1) tokens for afs@abc.com [Expires May 22 11:52]
<P><LI>Issue the <B>bos status</B> command to verify that the output for each
process reads <TT>Currently running normally</TT>.
# <B>/usr/afs/bin/bos status</B> <<VAR>machine name</VAR>>
<A NAME="IDX2580"></A>
<A NAME="IDX2581"></A>
<P><LI>Change directory to the local file system root (<B>/</B>) and issue
the <B>fs checkvolumes</B> command.
# <B>/usr/afs/bin/fs checkvolumes</B>
<A NAME="IDX2582"></A>
<A NAME="IDX2583"></A>
<A NAME="IDX2584"></A>
<A NAME="IDX2585"></A>
<HR><H2><A NAME="HDRWQ73" HREF="auqbg002.htm#ToC_80">Activating the AFS Initialization Script</A></H2>
<P>Now that you have confirmed that the AFS initialization
script works correctly, take the action necessary to have it run automatically
at each reboot. Proceed to the instructions for your system type:
<P><LI><A HREF="#HDRWQ74">Activating the Script on AIX Systems</A>
<P><LI><A HREF="#HDRWQ75">Activating the Script on Digital UNIX Systems</A>
<P><LI><A HREF="#HDRWQ76">Activating the Script on HP-UX Systems</A>
<P><LI><A HREF="#HDRWQ77">Activating the Script on IRIX Systems</A>
<P><LI><A HREF="#HDRWQ78">Activating the Script on Linux Systems</A>
<P><LI><A HREF="#HDRWQ79">Activating the Script on Solaris Systems</A>
<A NAME="IDX2586"></A>
<P><H3><A NAME="HDRWQ74" HREF="auqbg002.htm#ToC_81">Activating the Script on AIX Systems</A></H3>
<P><LI>Edit the AIX initialization file, <B>/etc/inittab</B>, adding the
following line to invoke the AFS initialization script. Place it just
after the line that starts NFS daemons.
rcafs:2:wait:/etc/rc.afs > /dev/console 2>&1 # Start AFS services
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and <B>/etc</B> directories.
If you want to avoid potential confusion by guaranteeing that they are always
the same, create a link between them. You can always retrieve the
original script from the AFS CD-ROM if necessary.
# <B>cd /usr/vice/etc</B>
# <B>ln -s /etc/rc.afs</B>
<P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
<A NAME="IDX2587"></A>
<P><H3><A NAME="HDRWQ75" HREF="auqbg002.htm#ToC_82">Activating the Script on Digital UNIX Systems</A></H3>
<P><LI>Change to the <B>/sbin/init.d</B> directory and issue the
<B>ln -s</B> command to create symbolic links that incorporate the AFS
initialization script into the Digital UNIX startup and shutdown
# <B>cd /sbin/init.d</B>
# <B>ln -s ../init.d/afs /sbin/rc3.d/S67afs</B>
# <B>ln -s ../init.d/afs /sbin/rc0.d/K66afs</B>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and <B>/sbin/init.d</B>
directories. If you want to avoid potential confusion by guaranteeing
that they are always the same, create a link between them. You can
always retrieve the original script from the AFS CD-ROM if necessary.
# <B>cd /usr/vice/etc</B>
# <B>ln -s /sbin/init.d/afs afs.rc</B>
<P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
<A NAME="IDX2588"></A>
<P><H3><A NAME="HDRWQ76" HREF="auqbg002.htm#ToC_83">Activating the Script on HP-UX Systems</A></H3>
<P><LI>Change to the <B>/sbin/init.d</B> directory and issue the
<B>ln -s</B> command to create symbolic links that incorporate the AFS
initialization script into the HP-UX startup and shutdown sequence.
# <B>cd /sbin/init.d</B>
# <B>ln -s ../init.d/afs /sbin/rc2.d/S460afs</B>
# <B>ln -s ../init.d/afs /sbin/rc2.d/K800afs</B>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and <B>/sbin/init.d</B>
directories. If you want to avoid potential confusion by guaranteeing
that they are always the same, create a link between them. You can
always retrieve the original script from the AFS CD-ROM if necessary.
# <B>cd /usr/vice/etc</B>
# <B>ln -s /sbin/init.d/afs afs.rc</B>
<P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
<A NAME="IDX2589"></A>
<P><H3><A NAME="HDRWQ77" HREF="auqbg002.htm#ToC_84">Activating the Script on IRIX Systems</A></H3>
<P><LI>Change to the <B>/etc/init.d</B> directory and issue the
<B>ln -s</B> command to create symbolic links that incorporate the AFS
initialization script into the IRIX startup and shutdown sequence.
# <B>cd /etc/init.d</B>
# <B>ln -s ../init.d/afs /etc/rc2.d/S35afs</B>
# <B>ln -s ../init.d/afs /etc/rc0.d/K35afs</B>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and <B>/etc/init.d</B>
directories. If you want to avoid potential confusion by guaranteeing
that they are always the same, create a link between them. You can
always retrieve the original script from the AFS CD-ROM if necessary.
# <B>cd /usr/vice/etc</B>
# <B>ln -s /etc/init.d/afs afs.rc</B>
<P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
<A NAME="IDX2590"></A>
<P><H3><A NAME="HDRWQ78" HREF="auqbg002.htm#ToC_85">Activating the Script on Linux Systems</A></H3>
<P><LI>Issue the <B>chkconfig</B> command to activate the <B>afs</B>
configuration variable. Based on the instruction in the AFS
initialization file that begins with the string <TT>#chkconfig</TT>, the
command automatically creates the symbolic links that incorporate the script
into the Linux startup and shutdown sequence.
# <B>/sbin/chkconfig --add afs</B>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and
<B>/etc/rc.d/init.d</B> directories, and copies of the
<B>afsd</B> options file in both the <B>/usr/vice/etc</B> and
<B>/etc/sysconfig</B> directories. If you want to avoid potential
confusion by guaranteeing that the two copies of each file are always the
same, create a link between them. You can always retrieve the original
script or options file from the AFS CD-ROM if necessary.
# <B>cd /usr/vice/etc</B>
# <B>rm afs.rc afs.conf</B>
# <B>ln -s /etc/rc.d/init.d/afs afs.rc</B>
# <B>ln -s /etc/sysconfig/afs afs.conf</B>
<P><LI>Proceed to <A HREF="#HDRWQ80">Configuring the Top Levels of the AFS Filespace</A>.
<A NAME="IDX2591"></A>
<P><H3><A NAME="HDRWQ79" HREF="auqbg002.htm#ToC_86">Activating the Script on Solaris Systems</A></H3>
<P><LI>Change to the <B>/etc/init.d</B> directory and issue the
<B>ln -s</B> command to create symbolic links that incorporate the AFS
initialization script into the Solaris startup and shutdown sequence.
# <B>cd /etc/init.d</B>
# <B>ln -s ../init.d/afs /etc/rc3.d/S99afs</B>
# <B>ln -s ../init.d/afs /etc/rc0.d/K66afs</B>
<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
in both the <B>/usr/vice/etc</B> and <B>/etc/init.d</B>
directories. If you want to avoid potential confusion by guaranteeing
that they are always the same, create a link between them. You can
always retrieve the original script from the AFS CD-ROM if necessary.
# <B>cd /usr/vice/etc</B>
# <B>ln -s /etc/init.d/afs afs.rc</B>
<A NAME="IDX2592"></A>
<A NAME="IDX2593"></A>
<HR><H2><A NAME="HDRWQ80" HREF="auqbg002.htm#ToC_87">Configuring the Top Levels of the AFS Filespace</A></H2>
<P>If you have not previously run AFS in your cell, you now
configure the top levels of your cell's AFS filespace. If you have
run a previous version of AFS, the filespace is already configured.
Proceed to <A HREF="#HDRWQ83">Storing AFS Binaries in AFS</A>.
<A NAME="IDX2594"></A>
<A NAME="IDX2595"></A>
<A NAME="IDX2596"></A>
<P>You created the <B>root.afs</B> volume in <A HREF="#HDRWQ60">Starting the File Server, Volume Server, and Salvager</A>, and the Cache Manager mounted it automatically on the local
<B>/afs</B> directory when you ran the AFS initialization script in <A HREF="#HDRWQ72">Verifying the AFS Initialization Script</A>. You now set the access control list (ACL) on the
<B>/afs</B> directory; creating, mounting, and setting the ACL are
the three steps required when creating any volume.
<P>After setting the ACL on the <B>root.afs</B> volume, you create
your cell's <B>root.cell</B> volume, mount it as a
subdirectory of the <B>/afs</B> directory, and set the ACL. Create
both a read/write and a regular mount point for the
<B>root.cell</B> volume. The read/write mount point enables
you to access the read/write version of replicated volumes when
necessary. Creating both mount points essentially creates separate
read-only and read-write copies of your filespace, and enables the Cache
Manager to traverse the filespace on a read-only path or read/write path as
appropriate. For further discussion of these concepts, see the chapter
in the <I>IBM AFS Administration Guide</I> about administering
<A NAME="IDX2597"></A>
<A NAME="IDX2598"></A>
<A NAME="IDX2599"></A>
<P>Then replicate both the <B>root.afs</B> and
<B>root.cell</B> volumes. This is required if you want to
replicate any other volumes in your cell, because all volumes mounted above a
replicated volume must themselves be replicated in order for the Cache Manager
to access the replica.
<P>When the <B>root.afs</B> volume is replicated, the Cache Manager
is programmed to access its read-only version
(<B>root.afs.readonly</B>) whenever possible. To make
changes to the contents of the <B>root.afs</B> volume (when, for
example, you mount another cell's <B>root.cell</B> volume at
the second level in your filespace), you must mount the
<B>root.afs</B> volume temporarily, make the changes, release the
volume and remove the temporary mount point. For instructions, see <A HREF="#HDRWQ91">Enabling Access to Foreign Cells</A>.
<A NAME="IDX2600"></A>
<A NAME="IDX2601"></A>
<A NAME="IDX2602"></A>
<A NAME="IDX2603"></A>
<P><LI>Issue the <B>fs setacl</B> command to edit the ACL on the
<B>/afs</B> directory. Add an entry that grants the <B>l</B>
(<B>lookup</B>) and <B>r</B> (<B>read</B>) permissions to the
<B>system:anyuser</B> group, to enable all AFS users who can reach
your cell to traverse through the directory. If you prefer to enable
access only to locally authenticated users, substitute the
<B>system:authuser</B> group.
<P>Note that there is already an ACL entry that grants all seven access rights
to the <B>system:administrators</B> group. It is a default
entry that AFS places on every new volume's root directory.
# <B>/usr/afs/bin/fs setacl /afs system:anyuser rl</B>
<A NAME="IDX2604"></A>
<A NAME="IDX2605"></A>
<A NAME="IDX2606"></A>
<A NAME="IDX2607"></A>
<A NAME="IDX2608"></A>
<A NAME="IDX2609"></A>
<A NAME="IDX2610"></A>
<P><LI><A NAME="LIWQ81"></A>Issue the <B>vos create</B> command to create the
<B>root.cell</B> volume. Then issue the <B>fs
mkmount</B> command to mount it as a subdirectory of the <B>/afs</B>
directory, where it serves as the root of your cell's local AFS
filespace. Finally, issue the <B>fs setacl</B> command to create an
ACL entry for the <B>system:anyuser</B> group (or
<B>system:authuser</B> group).
<P>For the <VAR>partition name</VAR> argument, substitute the name of one of the
machine's AFS server partitions (such as <B>/vicepa</B>). For
the <VAR>cellname</VAR> argument, substitute your cell's fully-qualified
Internet domain name (such as <B>abc.com</B>).
# <B>/usr/afs/bin/vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <B>root.cell</B>
# <B>/usr/afs/bin/fs mkmount /afs/</B><VAR>cellname</VAR> <B>root.cell</B>
# <B>/usr/afs/bin/fs setacl /afs/</B><VAR>cellname</VAR> <B>system:anyuser rl</B>
<A NAME="IDX2611"></A>
<A NAME="IDX2612"></A>
<A NAME="IDX2613"></A>
<P><LI><B>(Optional)</B> Create a symbolic link to a shortened cell name, to
reduce the length of pathnames for users in the local cell. For
example, in the <B>abc.com</B> cell, <B>/afs/abc</B> is a link
to <B>/afs/abc.com</B>.
# <B>ln -s</B> <VAR>full_cellname</VAR> <VAR>short_cellname</VAR>
<A NAME="IDX2614"></A>
<A NAME="IDX2615"></A>
<A NAME="IDX2616"></A>
<P><LI>Issue the <B>fs mkmount</B> command to create a read/write mount point
for the <B>root.cell</B> volume (you created a regular mount point
in Step <A HREF="#LIWQ81">2</A>).
<P>By convention, the name of a read/write mount point begins with a period,
both to distinguish it from the regular mount point and to make it visible
only when the <B>-a</B> flag is used on the <B>ls</B> command.
<P>Change directory to <B>/usr/afs/bin</B> to make it easier to access the
# <B>cd /usr/afs/bin</B>
# <B>./fs mkmount /afs/.</B><VAR>cellname</VAR> <B>root.cell -rw</B>
<A NAME="IDX2617"></A>
<A NAME="IDX2618"></A>
<A NAME="IDX2619"></A>
<A NAME="IDX2620"></A>
<P><LI><A NAME="LIWQ82"></A>Issue the <B>vos addsite</B> command to define a replication
site for both the <B>root.afs</B> and <B>root.cell</B>
volumes. In each case, substitute for the <VAR>partition name</VAR>
argument the partition where the volume's read/write version
resides. When you install additional file server machines, it is a good
idea to create replication sites on them as well.
# <B>./vos addsite</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <B>root.afs</B>
# <B>./vos addsite</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <B>root.cell</B>
<A NAME="IDX2621"></A>
<A NAME="IDX2622"></A>
<P><LI>Issue the <B>fs examine</B> command to verify that the Cache Manager
can access both the <B>root.afs</B> and <B>root.cell</B>
volumes, before you attempt to replicate them. The output lists each
volume's name, volume ID number, quota, size, and the size of the
partition that houses it. If you get an error message instead, do not
continue before taking corrective action.
# <B>./fs examine /afs</B>
# <B>./fs examine /afs/</B><VAR>cellname</VAR>
<A NAME="IDX2623"></A>
<A NAME="IDX2624"></A>
<A NAME="IDX2625"></A>
<A NAME="IDX2626"></A>
<P><LI>Issue the <B>vos release</B> command to release a replica of the
<B>root.afs</B> and <B>root.cell</B> volumes to the
sites you defined in Step <A HREF="#LIWQ82">5</A>.
3730 # <B>./vos release root.afs</B>
3732 # <B>./vos release root.cell</B>
3735 <A NAME="IDX2627"></A>
3736 <A NAME="IDX2628"></A>
<P><LI>Issue the <B>fs checkvolumes</B> command to force the Cache Manager to notice
3738 that you have released read-only versions of the volumes, then issue the
3739 <B>fs examine</B> command again. This time its output mentions the
3740 read-only version of the volumes (<B>root.afs.readonly</B>
3741 and <B>root.cell.readonly</B>) instead of the read/write
3742 versions, because of the Cache Manager's bias to access the read-only
3743 version of the <B>root.afs</B> volume if it exists.
3745 # <B>./fs checkvolumes</B>
3747 # <B>./fs examine /afs</B>
3749 # <B>./fs examine /afs/</B><VAR>cellname</VAR>
3753 <A NAME="IDX2629"></A>
3754 <A NAME="IDX2630"></A>
3755 <A NAME="IDX2631"></A>
3756 <A NAME="IDX2632"></A>
3757 <A NAME="IDX2633"></A>
3758 <A NAME="IDX2634"></A>
3759 <HR><H2><A NAME="HDRWQ83" HREF="auqbg002.htm#ToC_88">Storing AFS Binaries in AFS</A></H2>
3760 <P>In the conventional configuration, you make AFS client
3761 binaries and configuration files available in the subdirectories of the
3762 <B>/usr/afsws</B> directory on client machines (<B>afsws</B> is an
3764 w</B><I>ork</I><B>s</B><I>tation</I>). You can conserve
3765 local disk space by creating <B>/usr/afsws</B> as a link to an AFS volume
3766 that houses the AFS client binaries and configuration files for this system
3768 <P>In this section you create the necessary volumes. The conventional
3769 location to which to link <B>/usr/afsws</B> is
3770 <B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>,
3771 where <VAR>sysname</VAR> is the appropriate system type name as specified in the
3772 <I>IBM AFS Release Notes</I>. The instructions in <A HREF="auqbg007.htm#HDRWQ133">Installing Additional Client Machines</A> assume that you have followed the instructions in this
3774 <P>If you have previously run AFS in the cell, the volumes possibly already
3775 exist. If so, you need to perform Step <A HREF="#LIWQ86">8</A> only.
3776 <P>The current working directory is still <B>/usr/afs/bin</B>, which
3777 houses the <B>fs</B> and <B>vos</B> command suite binaries. In
3778 the following commands, it is possible you still need to specify the pathname
3779 to the commands, depending on how your PATH environment variable is
3782 <A NAME="IDX2635"></A>
3783 <A NAME="IDX2636"></A>
3784 <P><LI><A NAME="LIWQ84"></A>Issue the <B>vos create</B> command to create volumes for
3785 storing the AFS client binaries for this system type. The following
3786 example instruction creates volumes called <VAR>sysname</VAR>,
3787 <VAR>sysname</VAR>.<B>usr</B>, and
3788 <VAR>sysname</VAR>.<B>usr.afsws</B>. Refer to the
3789 <I>IBM AFS Release Notes</I> to learn the proper value of <VAR>sysname</VAR>
3790 for this system type.
3792 # <B>vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <VAR>sysname</VAR>
3794 # <B>vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <VAR>sysname</VAR><B>.usr</B>
3796 # <B>vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <VAR>sysname</VAR><B>.usr.afsws</B>
3799 <P><LI>Issue the <B>fs mkmount</B> command to mount the newly created
3800 volumes. Because the <B>root.cell</B> volume is replicated,
3801 you must precede the <I>cellname</I> part of the pathname with a period to
3802 specify the read/write mount point, as shown. Then issue the <B>vos
3803 release</B> command to release a new replica of the
3804 <B>root.cell</B> volume, and the <B>fs checkvolumes</B> command
3805 to force the local Cache Manager to access them.
3807 # <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR> <B>-vol</B> <VAR>sysname</VAR>
3809 # <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr</B> <B>-vol</B> <VAR>sysname</VAR><B>.usr</B>
3811 # <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B> <B>-vol</B> <VAR>sysname</VAR><B>.usr.afsws</B>
3813 # <B>vos release root.cell</B>
3815 # <B>fs checkvolumes</B>
3818 <P><LI>Issue the <B>fs setacl</B> command to grant the <B>l</B>
3819 (<B>lookup</B>) and <B>r</B> (<B>read</B>) permissions to the
3820 <B>system:anyuser</B> group on each new directory's ACL.
3822 # <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR>
3824 # <B>fs setacl -dir . usr usr/afsws -acl system:anyuser rl</B>
3827 <A NAME="IDX2637"></A>
3828 <A NAME="IDX2638"></A>
3829 <A NAME="IDX2639"></A>
3830 <A NAME="IDX2640"></A>
3831 <A NAME="IDX2641"></A>
3832 <P><LI><A NAME="LIWQ85"></A>Issue the <B>fs setquota</B> command to set an unlimited
3833 quota on the volume mounted at the
3834 <B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
3835 directory. This enables you to copy all of the appropriate files from
3836 the CD-ROM into the volume without exceeding the volume's quota.
3837 <P>If you wish, you can set the volume's quota to a finite value after
3838 you complete the copying operation. At that point, use the <B>vos
3839 examine</B> command to determine how much space the volume is
3840 occupying. Then issue the <B>fs setquota</B> command to set a quota
3841 that is slightly larger.
3843 # <B>fs setquota /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws 0</B>
3846 <P><LI>Mount the AFS CD-ROM for this machine's system type on the local
3847 <B>/cdrom</B> directory, if it is not already. For instructions on
3848 mounting CD-ROMs (either locally or remotely via NFS), consult the operating
3849 system documentation.
3850 <A NAME="IDX2642"></A>
3851 <A NAME="IDX2643"></A>
3852 <A NAME="IDX2644"></A>
3853 <P><LI>Copy the contents of the indicated directories from the CD-ROM into the
3854 <B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
3857 # <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
3859 # <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/bin .</B>
3861 # <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/etc .</B>
3863 # <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/include .</B>
3865 # <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/lib .</B>
3868 <A NAME="IDX2645"></A>
3869 <A NAME="IDX2646"></A>
3870 <P><LI>Issue the <B>fs setacl</B> command to set the ACL on each directory
3871 appropriately. To comply with the terms of your AFS License agreement,
3872 you must prevent unauthorized users from accessing AFS software. To
3873 enable access for locally authenticated users only, set the ACL on the
3874 <B>etc</B>, <B>include</B>, and <B>lib</B> subdirectories to grant
3875 the <B>l</B> and <B>r</B> permissions to the
3876 <B>system:authuser</B> group rather than the
3877 <B>system:anyuser</B> group. The
3878 <B>system:anyuser</B> group must retain the <B>l</B> and
3879 <B>r</B> permissions on the <B>bin</B> subdirectory to enable
3880 unauthenticated users to access the <B>klog</B> binary. To ensure
3881 that unauthorized users are not accessing AFS software, check periodically
3882 that the ACLs on these directories are set properly.
3884 # <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
3886 # <B>fs setacl -dir etc include lib -acl system:authuser rl</B> \
3887 <B>system:anyuser none</B>
3890 <A NAME="IDX2647"></A>
3891 <A NAME="IDX2648"></A>
3892 <P><LI><A NAME="LIWQ86"></A>Create <B>/usr/afsws</B> on the local disk as a symbolic
3893 link to the directory
3894 <B>/afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws</B>. You can
3895 specify the actual system name instead of <B>@sys</B> if you wish, but the
3896 advantage of using <B>@sys</B> is that it remains valid if you upgrade
3897 this machine to a different system type.
3899 # <B>ln -s /afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws /usr/afsws</B>
3902 <A NAME="IDX2649"></A>
3903 <A NAME="IDX2650"></A>
3904 <P><LI><B>(Optional)</B> To enable users to issue commands from the AFS
3905 suites (such as <B>fs</B>) without having to specify a pathname to their
3906 binaries, include the <B>/usr/afsws/bin</B> and <B>/usr/afsws/etc</B>
3907 directories in the PATH environment variable you define in each user's
3908 shell initialization file (such as <B>.cshrc</B>).
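<P>The ACL step above asks you to check periodically that <B>system:anyuser</B> has lost access to <B>etc</B>, <B>include</B> and <B>lib</B> while keeping <B>rl</B> on <B>bin</B>. The following POSIX shell script is an added example, not part of the IBM AFS distribution: it evaluates <B>fs listacl</B> output against that policy. The sample listings are constructed, and the layout of <B>fs listacl</B> output (a <TT>Normal rights:</TT> header followed by one <TT>group rights</TT> line per entry) is assumed.

```shell
#!/bin/sh
# Added example, not part of the IBM AFS distribution: audit the ACLs on the
# /usr/afsws subdirectories against the policy stated in the text:
#   bin                system:anyuser must hold l and r
#   etc, include, lib  system:authuser must hold l and r; no system:anyuser entry
# Assumed layout of `fs listacl` output: "Normal rights:" (and optionally
# "Negative rights:") headers, each followed by "<group> <rights>" lines.

# rights_for LISTING GROUP -> rights string of GROUP in the Normal rights
# section of LISTING (empty if the group has no entry there)
rights_for() {
    printf '%s\n' "$1" | awk -v grp="$2" '
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && $1 == grp { print $2; exit }
    '
}

# has_rights RIGHTS NEEDED -> 0 if every letter of NEEDED appears in RIGHTS
has_rights() {
    have=$1 needed=$2
    while [ -n "$needed" ]; do
        c=${needed%"${needed#?}"}   # first character of NEEDED
        needed=${needed#?}
        case $have in *"$c"*) ;; *) return 1 ;; esac
    done
    return 0
}

# check_afsws_acl SUBDIR LISTING -> 0 if LISTING satisfies the policy for
# SUBDIR, 1 if it does not, 2 if SUBDIR is not one the policy covers
check_afsws_acl() {
    anyuser=$(rights_for "$2" system:anyuser)
    authuser=$(rights_for "$2" system:authuser)
    case $1 in
        bin)             has_rights "$anyuser" rl ;;
        etc|include|lib) has_rights "$authuser" rl && [ -z "$anyuser" ] ;;
        *)               return 2 ;;
    esac
}

# audit_afsws ROOT -> runs fs listacl on each subdirectory of ROOT (normally
# /usr/afsws) and reports the result; returns 1 if any directory fails
audit_afsws() {
    status=0
    for d in bin etc include lib; do
        if listing=$(fs listacl "$1/$d" 2>&1) && check_afsws_acl "$d" "$listing"; then
            echo "ok   $1/$d"
        else
            echo "FAIL $1/$d"; status=1
        fi
    done
    return $status
}

# Constructed sample listings (not captured from a real cell): etc before and
# after the fs setacl command in the text, and bin as the text requires it.
SAMPLE_ETC_OPEN='Access list for etc is
Normal rights:
  system:administrators rlidwka
  system:authuser rl
  system:anyuser rl'
SAMPLE_ETC_FIXED='Access list for etc is
Normal rights:
  system:administrators rlidwka
  system:authuser rl'
SAMPLE_BIN='Access list for bin is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl'

check_afsws_acl etc "$SAMPLE_ETC_OPEN"  || echo "etc: system:anyuser still has access"
check_afsws_acl etc "$SAMPLE_ETC_FIXED" && echo "etc: compliant"
check_afsws_acl bin "$SAMPLE_BIN"       && echo "bin: compliant"
```

On a client, <TT>audit_afsws /usr/afsws</TT> runs the same check against the live ACLs.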
3910 <A NAME="IDX2651"></A>
3911 <A NAME="IDX2652"></A>
3912 <A NAME="IDX2653"></A>
3913 <A NAME="IDX2654"></A>
3914 <A NAME="IDX2655"></A>
3915 <A NAME="IDX2656"></A>
3916 <HR><H2><A NAME="HDRWQ87" HREF="auqbg002.htm#ToC_89">Storing AFS Documents in AFS</A></H2>
3917 <P>The AFS distribution includes the following documents:
3919 <P><LI><I>IBM AFS Release Notes</I>
3920 <P><LI><I>IBM AFS Quick Beginnings</I>
3921 <P><LI><I>IBM AFS User Guide</I>
3922 <P><LI><I>IBM AFS Administration Reference</I>
3923 <P><LI><I>IBM AFS Administration Guide</I>
3925 <P>The AFS CD-ROM for each system type has a top-level
3926 <B>Documentation</B> directory, with a subdirectory for each document
3927 format provided. The different formats are suitable for online viewing,
3929 <P>This section explains how to create and mount a volume to house the
3930 documents, making them available to your users. The recommended mount
3931 point for the volume is
3932 <B>/afs/</B><VAR>cellname</VAR><B>/afsdoc</B>. If you wish, you
3933 can create a link to the mount point on each client machine's local disk,
3934 called <B>/usr/afsdoc</B>. Alternatively, you can create a link to
3935 the mount point in each user's home directory. You can also choose
3936 to permit users to access only certain documents (most probably, the <I>IBM
3937 AFS User Guide</I>) by creating different mount points or setting different
3938 ACLs on different document directories.
3939 <P>The current working directory is still <B>/usr/afs/bin</B>, which
3940 houses the <B>fs</B> and <B>vos</B> command suite binaries you use to
3941 create and mount volumes. In the following commands, it is possible you
3942 still need to specify the pathname to the commands, depending on how your PATH
3943 environment variable is set.
3945 <A NAME="IDX2657"></A>
3946 <A NAME="IDX2658"></A>
3947 <P><LI>Issue the <B>vos create</B> command to create a volume for storing the
3948 AFS documentation. Include the <B>-maxquota</B> argument to set an
3949 unlimited quota on the volume. This enables you to copy all of the
3950 appropriate files from the CD-ROM into the volume without exceeding the
3952 <P>If you wish, you can set the volume's quota to a finite value after
3953 you complete the copying operations. At that point, use the <B>vos
3954 examine</B> command to determine how much space the volume is
3955 occupying. Then issue the <B>fs setquota</B> command to set a quota
3956 that is slightly larger.
3958 # <B>vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <B>afsdoc -maxquota 0</B>
3961 <P><LI>Issue the <B>fs mkmount</B> command to mount the new volume.
3962 Because the <B>root.cell</B> volume is replicated, you must precede
3963 the <I>cellname</I> with a period to specify the read/write mount point,
3964 as shown. Then issue the <B>vos release</B> command to release a
3965 new replica of the <B>root.cell</B> volume, and the <B>fs
3966 checkvolumes</B> command to force the local Cache Manager to access
3969 # <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/afsdoc</B> <B>-vol</B> <B>afsdoc</B>
3971 # <B>vos release root.cell</B>
3973 # <B>fs checkvolumes</B>
3976 <P><LI>Issue the <B>fs setacl</B> command to grant the <B>rl</B>
3977 permissions to the <B>system:anyuser</B> group on the new
3980 # <B>cd /afs/.</B><VAR>cellname</VAR><B>/afsdoc</B>
3982 # <B>fs setacl . system:anyuser rl</B>
3985 <P><LI>Mount the AFS CD-ROM for any system type on the local <B>/cdrom</B>
3986 directory, if one is not already. For instructions on mounting CD-ROMs
3987 (either locally or remotely via NFS), consult the operating system
3989 <A NAME="IDX2659"></A>
3990 <A NAME="IDX2660"></A>
3991 <A NAME="IDX2661"></A>
3992 <A NAME="IDX2662"></A>
3993 <A NAME="IDX2663"></A>
3994 <P><LI>Copy the AFS documents in one or more formats from the CD-ROM into
3995 subdirectories of the <B>/afs/</B><VAR>cellname</VAR><B>/afsdoc</B>
3996 directory. Repeat the commands for each format.
3998 # <B>mkdir</B> <VAR>format_name</VAR>
4000 # <B>cd</B> <VAR>format_name</VAR>
4002 # <B>cp -rp /cdrom/Documentation/</B><VAR>format</VAR> <B>.</B>
4004 <P>If you choose to store the HTML version of the documents in AFS, note that
4005 in addition to a subdirectory for each document there are several files with a
4006 <B>.gif</B> extension, which enable readers to move easily between
4007 sections of a document. The file called <B>index.htm</B> is
4008 an introductory HTML page that contains a hyperlink to each of the
4009 documents. For online viewing to work properly, these files must remain
4010 in the top-level HTML directory (the one named, for example,
4011 <B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/html</B>).
4012 <P><LI><B>(Optional)</B> If you believe it is helpful to your users to access
4013 the AFS documents in a certain format via a local disk directory, create
4014 <B>/usr/afsdoc</B> on the local disk as a symbolic link to the
4015 documentation directory in AFS
4016 (<B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>).
4019 # <B>ln -s /afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR> <B>/usr/afsdoc</B>
4021 <P>An alternative is to create a link in each user's home directory to
4022 the <B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>
4025 <A NAME="IDX2664"></A>
4026 <A NAME="IDX2665"></A>
4027 <A NAME="IDX2666"></A>
4028 <A NAME="IDX2667"></A>
4029 <HR><H2><A NAME="HDRWQ88" HREF="auqbg002.htm#ToC_90">Storing System Binaries in AFS</A></H2>
4030 <P>You can also choose to store other system binaries in AFS
4031 volumes, such as the standard UNIX programs conventionally located in local
4032 disk directories such as <B>/etc</B>, <B>/bin</B>, and
4033 <B>/lib</B>. Storing such binaries in an AFS volume not only frees
4034 local disk space, but makes it easier to update binaries on all client
4036 <P>The following is a suggested scheme for storing system binaries in
4037 AFS. It does not include instructions, but you can use the instructions
4038 in <A HREF="#HDRWQ83">Storing AFS Binaries in AFS</A> (which are for AFS-specific binaries) as a template.
4039 <P>Some files must remain on the local disk for use when AFS is inaccessible
4040 (during bootup and file server or network outages). The required
4041 binaries include the following:
4043 <P><LI>A text editor, network commands, and so on
4044 <P><LI>Files used during the boot sequence before the <B>afsd</B> program
4045 runs, such as initialization and configuration files, and binaries for
4046 commands that mount file systems
4047 <P><LI>Files used by dynamic kernel loader programs
4049 <P>In most cases, it is more secure to enable only locally authenticated users
4050 to access system binaries, by granting the <B>l</B> (<B>lookup</B>)
4051 and <B>r</B> (<B>read</B>) permissions to the
4052 <B>system:authuser</B> group on the ACLs of directories that contain
4053 the binaries. If users need to access a binary while unauthenticated,
4054 however, the ACL on its directory must grant those permissions to the
4055 <B>system:anyuser</B> group.
4056 <P>The following chart summarizes the suggested volume and mount point names
4057 for storing system binaries. It uses a separate volume for each
4058 directory. You already created a volume called <VAR>sysname</VAR> for
4059 this machine's system type when you followed the instructions in <A HREF="#HDRWQ83">Storing AFS Binaries in AFS</A>.
4060 <P>You can name volumes in any way you wish, and mount them at other locations
4061 than those suggested here. However, this scheme has several
4064 <P><LI>Volume names clearly identify volume contents
<P><LI>Using the <VAR>sysname</VAR> prefix on every volume makes it easy to back
4066 up all of the volumes together, because the AFS Backup System enables you to
4067 define sets of volumes based on a string included in all of their names
4068 <P><LI>It makes it easy to track related volumes, keeping them together on the
4069 same file server machine if desired
4070 <P><LI>There is a clear relationship between volume name and mount point name
<TABLE WIDTH="100%">
<TR>
<TH ALIGN="LEFT" VALIGN="BOTTOM" WIDTH="30%"><B>Volume Name</B>
</TH><TH ALIGN="LEFT" VALIGN="BOTTOM" WIDTH="70%"><B>Mount Point</B>
</TH></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>bin</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/bin</B>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>etc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/etc</B>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr</B>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.afsws</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/afsws</B>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.bin</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/bin</B>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.etc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/etc</B>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.inc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/include</B>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.lib</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/lib</B>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.loc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/local</B>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.man</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/man</B>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="30%"><VAR>sysname</VAR>.<B>usr.sys</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="70%"><B>/afs/</B><VAR>cellname</VAR>/<VAR>sysname</VAR><B>/usr/sys</B>
</TD></TR>
</TABLE>
4115 <A NAME="IDX2668"></A>
4116 <A NAME="IDX2669"></A>
4117 <A NAME="IDX2670"></A>
4118 <A NAME="IDX2671"></A>
4119 <A NAME="IDX2672"></A>
4120 <A NAME="IDX2673"></A>
4121 <A NAME="IDX2674"></A>
4122 <HR><H2><A NAME="HDRWQ91" HREF="auqbg002.htm#ToC_91">Enabling Access to Foreign Cells</A></H2>
4123 <P>In this section you create a mount point in your AFS
4124 filespace for the <B>root.cell</B> volume of each foreign cell that
4125 you want to enable your users to access. For users working on a client
4126 machine to access the cell, there must in addition be an entry for it in the
4127 client machine's local <B>/usr/vice/etc/CellServDB</B> file.
4128 (The instructions in <A HREF="#HDRWQ66">Creating the Client CellServDB File</A> suggest that you use the <B>CellServDB.sample</B>
4129 file included in the AFS distribution as the basis for your cell's client
4130 <B>CellServDB</B> file. The sample file lists all of the cells that
4131 had agreed to participate in the AFS global namespace at the time your AFS
4132 CD-ROM was created. As mentioned in that section, the AFS Product
4133 Support group also maintains a copy of the file, updating it as
4135 <P>The chapter in the <I>IBM AFS Administration Guide</I> about cell
4136 administration and configuration issues discusses the implications of
4137 participating in the global AFS namespace. The chapter about
4138 administering client machines explains how to maintain knowledge of foreign
4139 cells on client machines, and includes suggestions for maintaining a central
4140 version of the file in AFS.
4142 <P><LI>Issue the <B>fs mkmount</B> command to mount each foreign cell's
4143 <B>root.cell</B> volume on a directory called
4144 <B>/afs/</B><VAR>foreign_cell</VAR>. Because the
4145 <B>root.afs</B> volume is replicated, you must create a temporary
4146 mount point for its read/write version in a directory to which you have write
4147 access (such as your cell's <B>/afs/.</B><VAR>cellname</VAR>
4148 directory). Create the mount points, issue the <B>vos release</B>
4149 command to release new replicas to the read-only sites for the
4150 <B>root.afs</B> volume, and issue the <B>fs checkvolumes</B>
4151 command to force the local Cache Manager to access the new replica.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">You need to issue the <B>fs mkmount</B> command only once for each
foreign cell's <B>root.cell</B> volume. You do not need
to repeat the command on each client machine.
</TD></TR></TABLE>
4156 <P>Substitute your cell's name for <VAR>cellname</VAR>.
4158 # <B>cd /afs/.</B><VAR>cellname</VAR>
4160 # <B>/usr/afs/bin/fs mkmount temp root.afs</B>
4162 <P>Repeat the <B>fs mkmount</B> command for each foreign cell you wish to
4165 # <B>/usr/afs/bin/fs mkmount temp/</B><VAR>foreign_cell</VAR> <B>root.cell -c</B> <VAR>foreign_cell</VAR>
4167 <P>Issue the following commands only once.
4169 # <B>/usr/afs/bin/fs rmmount temp</B>
4171 # <B>/usr/afs/bin/vos release root.afs</B>
4173 # <B>/usr/afs/bin/fs checkvolumes</B>
4176 <A NAME="IDX2675"></A>
4177 <A NAME="IDX2676"></A>
4178 <P><LI><A NAME="LIWQ92"></A>If this machine is going to remain an AFS client after you
4179 complete the installation, verify that the local
4180 <B>/usr/vice/etc/CellServDB</B> file includes an entry for each foreign
4182 <P>For each cell that does not already have an entry, complete the following
4185 <P><LI>Create an entry in the <B>CellServDB</B> file. Be sure to
4186 comply with the formatting instructions in <A HREF="#HDRWQ66">Creating the Client CellServDB File</A>.
4187 <P><LI>Issue the <B>fs newcell</B> command to add an entry for the cell
4188 directly to the list that the Cache Manager maintains in kernel memory.
4189 Provide each database server machine's fully qualified hostname.
# <B>/usr/afs/bin/fs newcell</B> <<VAR>foreign_cell</VAR>> <<VAR>dbserver1</VAR>> \
[<<VAR>dbserver2</VAR>>] [<<VAR>dbserver3</VAR>>]
4195 <P><LI>If you plan to maintain a central version of the <B>CellServDB</B>
4196 file (the conventional location is
4197 <B>/afs/</B><VAR>cellname</VAR><B>/common/etc/CellServDB</B>), create it
4198 now as a copy of the local <B>/usr/vice/etc/CellServDB</B> file.
4199 Verify that it includes an entry for each foreign cell you want your users to
4202 # <B>mkdir common</B>
4204 # <B>mkdir common/etc</B>
4206 # <B>cp /usr/vice/etc/CellServDB common/etc</B>
4208 # <B>/usr/afs/bin/vos release root.cell</B>
4212 <P><LI>Issue the <B>ls</B> command to verify that the new cell's mount
4213 point is visible in your filespace. The output lists the directories at
4214 the top level of the new cell's AFS filespace.
4216 # <B>ls /afs/</B><VAR>foreign_cell</VAR>
4219 <P><LI>Please register your cell with the AFS Product Support group at this
4220 time. If you do not want to participate in the global AFS namespace,
4221 they list your cell in a private <B>CellServDB</B> file that is not
4222 available to other AFS cells.
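<P>The verification in Step <A HREF="#LIWQ92">2</A> (confirm that the local <B>CellServDB</B> has an entry for each foreign cell, then issue <B>fs newcell</B> with the database servers' fully qualified hostnames for any that are missing) can be scripted. The following POSIX shell script is an added example, not part of the IBM AFS distribution: it compares the central copy against the local file and prints the <B>fs newcell</B> command for each cell the local file lacks. It assumes the standard <B>CellServDB</B> layout (a line beginning with <TT>></TT> names the cell; each following line gives one database server's address and <TT>#hostname</TT>); the sample files, cell names and addresses are constructed.

```shell
#!/bin/sh
# Added example, not part of the IBM AFS distribution: find the foreign cells
# that a central CellServDB lists but the local /usr/vice/etc/CellServDB
# lacks, and print the fs newcell command the installation step calls for.
# Assumed CellServDB layout: a line ">cellname   #description" starts each
# cell, followed by one "address   #fully.qualified.hostname" line per
# database server machine.

# cells_in FILE -> the cell names declared in FILE, one per line
cells_in() {
    awk '/^>/ { sub(/^>/, ""); print $1 }' "$1"
}

# dbservers_for FILE CELL -> the database server hostnames listed for CELL
dbservers_for() {
    awk -v cell="$2" '
        /^>/ { in_cell = (substr($1, 2) == cell); next }
        in_cell && $1 !~ /^#/ && /#/ {
            sub(/^[^#]*#[ \t]*/, "")   # keep only the hostname after "#"
            print $1
        }
    ' "$1"
}

# missing_cells CENTRAL LOCAL -> cells in CENTRAL with no entry in LOCAL
missing_cells() {
    for cell in $(cells_in "$1"); do
        cells_in "$2" | grep -qFx "$cell" || echo "$cell"
    done
}

# newcell_commands CENTRAL LOCAL -> one fs newcell line per missing cell,
# naming every database server from the central file (printed, not run)
newcell_commands() {
    missing_cells "$1" "$2" | while read -r cell; do
        servers=$(dbservers_for "$1" "$cell" | tr '\n' ' ')
        echo "/usr/afs/bin/fs newcell $cell ${servers% }"
    done
}

# Demonstration on constructed files (addresses from the RFC 5737
# documentation ranges; the cell names are invented).
CENTRAL=$(mktemp) LOCAL=$(mktemp)
cat > "$CENTRAL" <<'EOF'
>example.com            #Example cell (the local cell)
192.0.2.10              #db1.example.com
192.0.2.11              #db2.example.com
>partner.example.org    #A foreign cell present only in the central file
198.51.100.5            #afsdb1.partner.example.org
198.51.100.6            #afsdb2.partner.example.org
EOF
cat > "$LOCAL" <<'EOF'
>example.com            #Example cell (the local cell)
192.0.2.10              #db1.example.com
192.0.2.11              #db2.example.com
EOF
newcell_commands "$CENTRAL" "$LOCAL"
rm -f "$CENTRAL" "$LOCAL"
```

With real files the call is <TT>newcell_commands /afs/<VAR>cellname</VAR>/common/etc/CellServDB /usr/vice/etc/CellServDB</TT>; review the printed commands before running them.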
4224 <A NAME="IDX2677"></A>
4225 <A NAME="IDX2678"></A>
4226 <A NAME="IDX2679"></A>
4227 <A NAME="IDX2680"></A>
4228 <A NAME="IDX2681"></A>
4229 <A NAME="IDX2682"></A>
4230 <HR><H2><A NAME="HDRWQ93" HREF="auqbg002.htm#ToC_92">Improving Cell Security</A></H2>
4231 <P>This section discusses ways to improve the security of AFS
4232 data in your cell. Also see the chapter in the <I>IBM AFS
4233 Administration Guide</I> about configuration and administration
4235 <P><H3><A NAME="HDRWQ94" HREF="auqbg002.htm#ToC_93">Controlling root Access</A></H3>
4236 <P>As on any machine, it is important to prevent unauthorized
4237 users from logging onto an AFS server or client machine as the local superuser
4238 <B>root</B>. Take care to keep the <B>root</B> password
4240 <P>The local <B>root</B> superuser does not have special access to AFS
4241 data through the Cache Manager (as members of the
4242 <B>system:administrators</B> group do), but it does have the
4243 following privileges:
4245 <P><LI>On client machines, the ability to issue commands from the <B>fs</B>
4246 suite that affect AFS performance
4247 <P><LI>On server machines, the ability to disable authorization checking, or to
4248 install rogue process binaries
4250 <P><H3><A NAME="HDRWQ95" HREF="auqbg002.htm#ToC_94">Controlling System Administrator Access</A></H3>
4251 <P>Following are suggestions for managing AFS administrative
4254 <P><LI>Create an administrative account for each administrator named something
4255 like <VAR>username</VAR><B>.admin</B>. Administrators
4256 authenticate under these identities only when performing administrative tasks,
4257 and destroy the administrative tokens immediately after finishing the task
4258 (either by issuing the <B>unlog</B> command, or the <B>klog</B>
4259 command to adopt their regular identity).
4260 <P><LI>Set a short ticket lifetime for administrator accounts (for example, 20
4261 minutes) by using the <B>-lifetime</B> argument to the <B>kas
4262 setfields</B> command, which is described in the <I>IBM AFS Administration
Reference</I>. Do not, however, use a short lifetime for users who
4264 issue long-running <B>backup</B> commands.
4265 <P><LI>Limit the number of system administrators in your cell, especially those
4266 who belong to the <B>system:administrators</B> group. By
4267 default they have all ACL rights on all directories in the local AFS
4268 filespace, and therefore must be trusted not to examine private files.
4269 <P><LI>Limit the use of system administrator accounts on machines in public
4270 areas. It is especially important not to leave such machines unattended
4271 without first destroying the administrative tokens.
4272 <P><LI>Limit the use by administrators of standard UNIX commands that make
4273 connections to remote machines (such as the <B>telnet</B> utility).
4274 Many of these programs send passwords across the network without encrypting
4277 <A NAME="IDX2683"></A>
4278 <A NAME="IDX2684"></A>
4279 <A NAME="IDX2685"></A>
4280 <P><H3><A NAME="HDRWQ96" HREF="auqbg002.htm#ToC_95">Protecting Sensitive AFS Directories</A></H3>
4281 <P>Some subdirectories of the <B>/usr/afs</B> directory
4282 contain files crucial to cell security. Unauthorized users must not
4283 read or write to these files because of the potential for misuse of the
4284 information they contain.
4285 <P>As the BOS Server initializes for the first time on a server machine, it
4286 creates several files and directories (as mentioned in <A HREF="#HDRWQ50">Starting the BOS Server</A>). It sets their owner to the local superuser
4287 <B>root</B> and sets their mode bits to enable writing by the owner
4288 only; in some cases, it also restricts reading.
4289 <P>At each subsequent restart, the BOS Server checks that the owner and mode
4290 bits on these files are still set appropriately. If they are not, it
writes the following message to the <B>/usr/afs/logs/BosLog</B> file:
4293 Bosserver reports inappropriate access on server directories
4295 <P>The BOS Server does not reset the mode bits, which enables you to set
4296 alternate values if you wish.
<P>The following chart lists the expected mode bit settings. A
4298 question mark indicates that the BOS Server does not check that mode
<TABLE WIDTH="100%">
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwxr</TT>?<TT>xr-x</TT>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/backup</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwx</TT>???<TT>---</TT>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/bin</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwxr</TT>?<TT>xr-x</TT>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/db</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwx</TT>???<TT>---</TT>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/etc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwxr</TT>?<TT>xr-x</TT>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/etc/KeyFile</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>-rw</TT>????<TT>---</TT>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/etc/UserList</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>-rw</TT>?????<TT>--</TT>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/local</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwx</TT>???<TT>---</TT>
</TD></TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><B>/usr/afs/logs</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="50%"><TT>drwxr</TT>?<TT>xr-x</TT>
</TD></TR>
</TABLE>
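<P>Because the BOS Server only logs a message when these settings drift, and only at restart, it is worth checking them on your own schedule. The following POSIX shell script is an added example, not part of the IBM AFS distribution: it compares the owner and mode bits of each entry in the chart above against the expected pattern, treating each <TT>?</TT> as a position that is not compared. It demonstrates on a constructed temporary tree with one deliberately wrong mode; on a real server the call is <TT>check_afs_modes /usr/afs root</TT>.

```shell
#!/bin/sh
# Added example, not part of the IBM AFS distribution: check the owner and
# mode bits of the BOS Server's sensitive files against the chart in the
# text. A "?" in a pattern is a position the BOS Server does not check.

# The chart, as "path pattern" pairs relative to the AFS server directory
# (/usr/afs on a real machine; "." stands for that directory itself).
AFS_MODE_TABLE='
. drwxr?xr-x
backup drwx???---
bin drwxr?xr-x
db drwx???---
etc drwxr?xr-x
etc/KeyFile -rw????---
etc/UserList -rw?????--
local drwx???---
logs drwxr?xr-x
'

# mode_matches ACTUAL PATTERN -> 0 if every non-"?" character of PATTERN equals
# the character at the same position of ACTUAL (both 10 characters, ls -l style)
mode_matches() {
    actual=$1 pattern=$2
    [ ${#actual} -eq 10 ] && [ ${#pattern} -eq 10 ] || return 1
    while [ -n "$pattern" ]; do
        p=${pattern%"${pattern#?}"} a=${actual%"${actual#?}"}   # first characters
        pattern=${pattern#?}        actual=${actual#?}
        [ "$p" = "?" ] || [ "$p" = "$a" ] || return 1
    done
    return 0
}

# check_afs_modes ROOT [OWNER] -> prints one line per chart entry and returns
# the number of entries that are missing, wrongly owned, or wrongly moded
# (0 means everything matches). OWNER defaults to root.
check_afs_modes() {
    root=$1 owner=${2:-root} bad=0
    while read -r rel pattern; do
        [ -n "$rel" ] || continue
        path=$root/$rel
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; bad=$((bad + 1)); continue
        fi
        set -- $(ls -ld "$path")
        mode=${1%"${1#??????????}"}   # first 10 chars; drops any ACL/SELinux marker
        if [ "$3" != "$owner" ]; then
            echo "OWNER   $path is owned by $3, expected $owner"; bad=$((bad + 1))
        elif ! mode_matches "$mode" "$pattern"; then
            echo "MODE    $path is $mode, expected $pattern"; bad=$((bad + 1))
        else
            echo "ok      $path $mode"
        fi
    done <<EOF
$AFS_MODE_TABLE
EOF
    return $bad
}

# make_sample_tree DIR -> constructed tree shaped like /usr/afs, with every
# entry correct except db, which is deliberately left world-readable
make_sample_tree() {
    mkdir -p "$1/backup" "$1/bin" "$1/db" "$1/etc" "$1/local" "$1/logs"
    : > "$1/etc/KeyFile"; : > "$1/etc/UserList"
    chmod 755 "$1" "$1/bin" "$1/etc" "$1/logs"
    chmod 700 "$1/backup" "$1/local"
    chmod 600 "$1/etc/KeyFile"; chmod 640 "$1/etc/UserList"
    chmod 755 "$1/db"   # wrong on purpose: the chart requires drwx???---
}

# Demonstration on the constructed tree; its owner is whoever runs this
# script, whereas a real server's files must belong to root.
SAMPLE=$(mktemp -d)
make_sample_tree "$SAMPLE"
me=$(ls -ld "$SAMPLE" | awk '{ print $3 }')
check_afs_modes "$SAMPLE" "$me" || echo "entries needing attention: $?"
rm -rf "$SAMPLE"
```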
4331 <A NAME="IDX2686"></A>
4332 <A NAME="IDX2687"></A>
4333 <HR><H2><A NAME="HDRWQ98" HREF="auqbg002.htm#ToC_96">Removing Client Functionality</A></H2>
4334 <P>Follow the instructions in this section only if you do not
4335 wish this machine to remain an AFS client. Removing client
4336 functionality means that you cannot use this machine to access AFS
4339 <P><LI>Remove the files from the <B>/usr/vice/etc</B> directory. The
4340 command does not remove the directory for files used by the dynamic kernel
4341 loader program, if it exists on this system type. Those files are still
4342 needed on a server-only machine.
4344 # <B>cd /usr/vice/etc</B>
4351 <P><LI>Create symbolic links to the <B>ThisCell</B> and <B>CellServDB</B>
4352 files in the <B>/usr/afs/etc</B> directory. This makes it possible
4353 to issue commands from the AFS command suites (such as <B>bos</B> and
4354 <B>fs</B>) on this machine.
4356 # <B>ln -s /usr/afs/etc/ThisCell ThisCell</B>
4358 # <B>ln -s /usr/afs/etc/CellServDB CellServDB</B>
4361 <P><LI>On IRIX systems, issue the <B>chkconfig</B> command to deactivate the
4362 <B>afsclient</B> configuration variable.
4364 # <B>/etc/chkconfig -f afsclient off</B>
4367 <P><LI>Reboot the machine. Most system types use the <B>shutdown</B>
4368 command, but the appropriate options vary.
4372 # <B>shutdown</B> <VAR>appropriate_options</VAR>
4377 <!-- Begin Footer Records ========================================== -->
4379 <br>© <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A> All Rights Reserved
4381 <!-- End Footer Records ============================================ -->
4382 <A NAME="Bot_Of_Page"></A>