1 <?xml version="1.0" encoding="UTF-8"?>
3 <title>Installing the First AFS Machine</title>
7 <primary>file server machine</primary>
9 <seealso>first AFS machine</seealso>
11 <seealso>file server machine, additional</seealso>
15 <primary>instructions</primary>
17 <secondary>first AFS machine</secondary>
21 <primary>installing</primary>
23 <secondary>first AFS machine</secondary>
26 This chapter describes how to install the first AFS machine in your cell, configuring it as both a file server machine and a
27 client machine. After completing all procedures in this chapter, you can remove the client functionality if you wish, as described
28 in <link linkend="HDRWQ98">Removing Client Functionality</link>.</para>
30 <para>To install additional file server machines after completing this chapter, see <link linkend="HDRWQ99">Installing Additional
31 Server Machines</link>.</para>
33 <para>To install additional client machines after completing this chapter, see <link linkend="HDRWQ133">Installing Additional
34 Client Machines</link>. <indexterm>
35 <primary>requirements</primary>
37 <secondary>first AFS machine</secondary>
40 <sect1 id="Header_29">
41 <title>Requirements and Configuration Decisions</title>
43 <para>The instructions in this chapter assume that you meet the following requirements.
46 <para>You are logged onto the machine's console as the local superuser <emphasis role="bold">root</emphasis></para>
50 <para>A standard version of one of the operating systems supported by the current version of AFS is running on the
55 <para>You have either installed the provided OpenAFS packages for
56 your system, have access to a binary distribution tarball, or have
57 successfully built OpenAFS from source</para>
61 <para>You have a Kerberos v5 realm running for your site. If you are
62 working with an existing cell which uses legacy
63 <emphasis role="bold">kaserver</emphasis> or Kerberos v4 for
64 authentication, please see
65 <link linkend="KAS001">kaserver and Legacy Kerberos v4 Authentication</link>
66 for the modifications required to this installation procedure.</para>
70 <para>You have NTP or a similar time service deployed to ensure
71 rough clock syncronistation between your clients and servers.</para>
73 </itemizedlist></para>
75 <para>You must make the following configuration decisions while installing the first AFS machine. To speed the installation
76 itself, it is best to make the decisions before beginning. See the chapter in the <emphasis>OpenAFS Administration
77 Guide</emphasis> about issues in cell administration and configuration for detailed guidelines. <indexterm>
78 <primary>cell name</primary>
80 <secondary>choosing</secondary>
81 </indexterm> <indexterm>
82 <primary>AFS filespace</primary>
84 <secondary>deciding how to configure</secondary>
85 </indexterm> <indexterm>
86 <primary>filespace</primary>
88 <see>AFS filespace</see>
89 </indexterm> <itemizedlist>
91 <para>Select the first AFS machine</para>
95 <para>Select the cell name</para>
99 <para>Decide which partitions or logical volumes to configure as AFS server partitions, and choose the directory names on
100 which to mount them</para>
104 <para>Decide how big to make the client cache</para>
108 <para>Decide how to configure the top levels of your cell's AFS filespace</para>
110 </itemizedlist></para>
112 <para>This chapter is divided into three large sections corresponding to the three parts of installing the first AFS machine.
113 Perform all of the steps in the order they appear. Each functional section begins with a summary of the procedures to perform.
114 The sections are as follows: <itemizedlist>
116 <para>Installing server functionality (begins in <link linkend="HDRWQ18">Overview: Installing Server
117 Functionality</link>)</para>
121 <para>Installing client functionality (begins in <link linkend="HDRWQ63">Overview: Installing Client
122 Functionality</link>)</para>
126 <para>Configuring your cell's filespace, establishing further security mechanisms, and enabling access to foreign cells
127 (begins in <link linkend="HDRWQ71">Overview: Completing the Installation of the First AFS Machine</link>)</para>
129 </itemizedlist></para>
132 <primary>overview</primary>
134 <secondary>installing server functionality on first AFS machine</secondary>
138 <primary>first AFS machine</primary>
140 <secondary>server functionality</secondary>
144 <primary>installing</primary>
146 <secondary>server functionality</secondary>
148 <tertiary>first AFS machine</tertiary>
153 <title>Overview: Installing Server Functionality</title>
155 <para>In the first phase of installing your cell's first AFS machine, you install file server and database server functionality
156 by performing the following procedures:
159 <para>Choose which machine to install as the first AFS machine</para>
163 <para>Create AFS-related directories on the local disk</para>
167 <para>Incorporate AFS modifications into the machine's kernel</para>
171 <para>Configure partitions or logical volumes for storing AFS volumes</para>
175 <para>On some system types (very rare), install and configure
176 an AFS-modified version of the <emphasis role="bold">fsck</emphasis>
181 <para>If the machine is to remain a client machine, incorporate AFS into its authentication system</para>
185 <para>Start the Basic OverSeer (BOS) Server</para>
189 <para>Define the cell name and the machine's cell membership</para>
193 <para>Start the database server processes: Backup Server, Protection Server, and Volume Location
198 <para>Configure initial security mechanisms</para>
202 <para>Start the <emphasis role="bold">fs</emphasis> process, which incorporates three component processes: the File
203 Server, Volume Server, and Salvager</para>
207 <para>Optionally, start the server portion of the Update Server</para>
210 </orderedlist></para>
214 <title>Choosing the First AFS Machine</title>
216 <para>The first AFS machine you install must have sufficient disk space to store AFS volumes.
217 When you later install additional file server
218 machines in your cell, you can distribute these volumes among the different machines as you see fit.</para>
220 <para>These instructions configure the first AFS machine as a <emphasis>database server machine</emphasis>, and optionally as the <emphasis>binary
221 distribution machine</emphasis> for its system type and the cell's <emphasis>system control machine</emphasis>. For a
222 description of these roles, see the <emphasis>OpenAFS Administration Guide</emphasis>.</para>
224 <para>Installation of additional machines is simplest if the first machine has the lowest IP address of any database server
225 machine you currently plan to install. If you later install database server functionality on a machine with a lower IP address,
226 you must first update the <emphasis role="bold">/usr/vice/etc/CellServDB</emphasis> file on all of your cell's client machines.
227 For more details, see <link linkend="HDRWQ114">Installing Database Server Functionality</link>.</para>
230 <sect1 id="Header_32">
231 <title>Creating AFS Directories</title>
234 <primary>usr/afs directory</primary>
236 <secondary>first AFS machine</secondary>
240 <primary>first AFS machine</primary>
242 <secondary>/usr/afs directory</secondary>
246 <primary>creating</primary>
248 <secondary>/usr/afs directory</secondary>
250 <tertiary>first AFS machine</tertiary>
254 <primary>usr/vice/etc directory</primary>
256 <secondary>first AFS machine</secondary>
260 <primary>first AFS machine</primary>
262 <secondary>/usr/vice/etc directory</secondary>
266 <primary>creating</primary>
268 <secondary>/usr/vice/etc directory</secondary>
270 <tertiary>first AFS machine</tertiary>
274 <primary>/ as start to file and directory names</primary>
276 <secondary>see alphabetized entries without initial slash</secondary>
279 <para>If you are installing from packages (such as Debian .deb or
280 Fedora/SuSe .rpm files), you should now install all of the available
281 OpenAFS packages for your system type. Typically, these will include
282 packages for client and server functionality, and a seperate package
283 containing a suitable kernel module for your running kernel. Consult
284 the package lists on the OpenAFS website to determine the packages
285 appropriate for your system. The preparer of such packages may
286 have included some helper scripts to partially automate the
287 creation of a new cell; such scripts can supersede much of the
288 procedures described in the rest of this document.</para>
290 <para>If you are installing from a tarfile, or from a locally compiled
291 source tree you should create the <emphasis role="bold">/usr/afs</emphasis>
292 and <emphasis role="bold">/usr/vice/etc</emphasis> directories on the
293 local disk, to house server and client files respectively. Subsequent
294 instructions copy files from the distribution tarfile into them. </para>
296 # <emphasis role="bold">mkdir /usr/afs</emphasis>
297 # <emphasis role="bold">mkdir /usr/vice</emphasis>
298 # <emphasis role="bold">mkdir /usr/vice/etc</emphasis>
303 <title>Performing Platform-Specific Procedures</title>
305 <para>Several of the initial procedures for installing a file server machine differ for each system type. For convenience, the
306 following sections group them together for each system type: <itemizedlist>
308 <primary>kernel extensions</primary>
310 <see>AFS kernel extensions</see>
314 <primary>loading AFS kernel extensions</primary>
316 <see>incorporating</see>
320 <primary>building</primary>
322 <secondary>AFS extensions into kernel</secondary>
324 <see>incorporating AFS kernel extensions</see>
328 <para>Incorporate AFS modifications into the kernel.</para>
330 <para>The kernel on every AFS client machine and, on some systems,
331 the AFS fileservers, must incorporate AFS extensions. On machines
332 that use a dynamic kernel module loader, it is conventional to
333 alter the machine's initialization script to load the AFS extensions
334 at each reboot. The preparer of OS-format binary packages
335 may have included an init script which automates the loading
336 of the needed kernel module, eliminating a need to manually
337 configure this step. <indexterm>
338 <primary>AFS server partition</primary>
340 <secondary>mounted on /vicep directory</secondary>
341 </indexterm> <indexterm>
342 <primary>partition</primary>
344 <see>AFS server partition</see>
345 </indexterm> <indexterm>
346 <primary>logical volume</primary>
348 <see>AFS server partition</see>
349 </indexterm> <indexterm>
350 <primary>requirements</primary>
352 <secondary>AFS server partition name and location</secondary>
353 </indexterm> <indexterm>
354 <primary>naming conventions for AFS server partition</primary>
355 </indexterm> <indexterm>
356 <primary>vicep<emphasis>xx</emphasis> directory</primary>
358 <see>AFS server partition</see>
359 </indexterm> <indexterm>
360 <primary>directories</primary>
362 <secondary>/vicep<emphasis>xx</emphasis></secondary>
364 <see>AFS server partition</see>
369 <para>Configure server partitions or logical volumes to house AFS volumes.</para>
371 <para>Every AFS file server machine should have at least one partition or logical volume dedicated to storing AFS volumes
372 (for convenience, the documentation hereafter refers to partitions only). Each server partition is mounted at a directory
373 named <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable>, where <replaceable>xx</replaceable> is one or
374 two lowercase letters. By convention, the first 26 partitions are mounted on the directories called <emphasis
375 role="bold">/vicepa</emphasis> through <emphasis role="bold">/vicepz</emphasis>, the 27th one is mounted on the <emphasis
376 role="bold">/vicepaa</emphasis> directory, and so on through <emphasis role="bold">/vicepaz</emphasis> and <emphasis
377 role="bold">/vicepba</emphasis>, continuing up to the index corresponding to the maximum number of server partitions
378 supported in the current version of AFS (which is specified in the <emphasis>OpenAFS Release Notes</emphasis>).</para>
380 <para>The <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable> directories must reside in the file server
381 machine's root directory, not in one of its subdirectories (for example, <emphasis role="bold">/usr/vicepa</emphasis> is
382 not an acceptable directory location).
384 The <emphasis role="bold">fileserver</emphasis> will refuse to
386 any <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable>
387 folders that are not separate partitions without additional
388 configuration. </para>
391 <para>The separate partition requirement may be overridden by
392 creating a file named
393 <emphasis role="bold">/vicep<replaceable>xx</replaceable>/AlwaysAttach</emphasis>;
394 however, mixed-use partitions, whether cache or fileserver,
395 have the risk that a non-AFS use will fill the partition and
396 not leave enough free space for AFS. Even though it is
397 allowed, be wary of configuring a mixed-use partition
398 without understanding the ramifications of doing so with the
399 workload on your filesystem.
401 <primary>AFS server partition</primary>
402 <secondary>AlwaysAttach</secondary>
407 <para>You can also add or remove server partitions on an existing file server machine. For instructions, see the chapter
408 in the <emphasis>OpenAFS Administration Guide</emphasis> about maintaining server machines.</para>
411 <para>Not all file system types supported by an operating system are necessarily supported as AFS server partitions. For
412 possible restrictions, see the <emphasis>OpenAFS Release Notes</emphasis>.</para>
417 <para>On (rare) system types using the <emphasis role="bold">inode</emphasis> storage format, install and configure a modified <emphasis role="bold">fsck</emphasis> program which
418 recognizes the structures that the File Server uses to organize volume data on AFS server partitions. The <emphasis
419 role="bold">fsck</emphasis> program provided with the operating system does not understand the AFS data structures, and so
420 removes them to the <emphasis role="bold">lost+found</emphasis> directory.</para>
424 <para>If the machine is to remain an AFS client machine, modify the machine's authentication system so that users obtain
425 an AFS token as they log into the local file system. Using AFS is simpler and more convenient for your users if you make
426 the modifications on all client machines. Otherwise, users must perform a two or three step login procedure (login to the local
427 system, then obtain Kerberos credentials, and then issue the <emphasis role="bold">aklog</emphasis> command). For further discussion of AFS
428 authentication, see the chapter in the <emphasis>OpenAFS Administration Guide</emphasis> about cell configuration and
429 administration issues.</para>
431 </itemizedlist></para>
433 <para>To continue, proceed to the appropriate section: <itemizedlist>
435 <para><link linkend="HDRWQ41">Getting Started on Linux Systems</link></para>
439 <para><link linkend="HDRWQ45">Getting Started on Solaris Systems</link></para>
443 <para><link linkend="HDRWQ21">Getting Started on AIX Systems</link></para>
445 </itemizedlist></para>
449 <title>Getting Started on Linux Systems</title>
452 <primary>replacing fsck program</primary>
454 <secondary>not necessary on Linux</secondary>
458 <primary>fsck program</primary>
460 <secondary>on first AFS machine</secondary>
462 <tertiary>Linux</tertiary>
466 <primary>first AFS machine</primary>
468 <secondary>fsck program</secondary>
470 <tertiary>on Linux</tertiary>
474 <primary>Linux</primary>
476 <secondary>fsck program replacement not necessary</secondary>
479 <para>Since this guide was originally written, the procedure for starting
480 OpenAFS has diverged significantly between different Linux distributions.
481 The instructions that follow are appropriate for both the Fedora and
482 RedHat Enterprise Linux packages distributed by OpenAFS. Additional
483 instructions are provided for those building from source.</para>
485 <para>Begin by running the AFS client startup scripts, which call the
486 <emphasis role="bold">modprobe</emphasis> program to dynamically
487 load the AFS modifications into the kernel. Then create partitions for
488 storing AFS volumes. You do not need to replace the Linux <emphasis
489 role="bold">fsck</emphasis> program. If the machine is to remain an
490 AFS client machine, incorporate AFS into the machine's Pluggable
491 Authentication Module (PAM) scheme. <indexterm>
492 <primary>incorporating AFS kernel extensions</primary>
494 <secondary>first AFS machine</secondary>
496 <tertiary>Linux</tertiary>
497 </indexterm> <indexterm>
498 <primary>AFS kernel extensions</primary>
500 <secondary>on first AFS machine</secondary>
502 <tertiary>Linux</tertiary>
503 </indexterm> <indexterm>
504 <primary>first AFS machine</primary>
506 <secondary>AFS kernel extensions</secondary>
508 <tertiary>on Linux</tertiary>
509 </indexterm> <indexterm>
510 <primary>Linux</primary>
512 <secondary>AFS kernel extensions</secondary>
514 <tertiary>on first AFS machine</tertiary>
518 <title>Loading AFS into the Linux Kernel</title>
520 <para>The <emphasis role="bold">modprobe</emphasis> program is the dynamic kernel loader for Linux. Linux does not support
521 incorporation of AFS modifications during a kernel build.</para>
523 <para>For AFS to function correctly, the <emphasis role="bold">modprobe</emphasis> program must run each time the machine
524 reboots, so your distribution's AFS initialization script invokes it automatically. The script also includes
525 commands that select the appropriate AFS library file automatically. In this section you run the script.</para>
527 <para>In later sections you verify that the script correctly initializes all AFS components, then activate a configuration
528 variable, which results in the script being incorporated into the Linux startup and shutdown sequence.</para>
530 <para>The procedure for starting up OpenAFS depends upon your distribution</para>
532 <title>Fedora and RedHat Enterprise Linux</title>
533 <para>OpenAFS provides RPMS for all current Fedora and
534 RedHat Enterprise Linux (RHEL) releases prior to EL7 on the
535 OpenAFS web site and the OpenAFS yum repository.
539 http://dl.openafs.org/dl/openafs/<replaceable>VERSION</replaceable>,
540 where VERSION is the latest stable release of
541 OpenAFS for Unix. Download the
542 openafs-repository-<replaceable>VERSION</replaceable>.noarch.rpm
543 file for Fedora systems or the
544 openafs-repository-rhel-<replaceable>VERSION</replaceable>.noarch.rpm
545 file for RedHat-based systems.
549 <para>Install the downloaded RPM file using the following command:
551 # rpm -U openafs-repository*.rpm
556 <para>Install the RPM set for your operating system using the yum command as follows:
558 # yum -y install openafs-client openafs-server openafs-krb5 kmod-openafs
562 <para>Alternatively, you may use dynamically-compiled kernel
563 modules if you have the kernel headers, a compiler, and the
565 <ulink url="http://fedoraproject.org/wiki/EPEL"><citetitle>EPEL</citetitle></ulink> installed.
568 <para>To use dynamically-compiled kernel modules instead of statically compiled modules, use the following command instead of the kmod-openafs as shown above:
570 # yum install openafs-client openafs-server openafs-krb5 dkms-openafs
574 <!-- If you do this with current RHEL and Fedora releases you end up with
575 a dynroot'd client running - this breaks setting up the root.afs volume
576 as described later in this guide
578 <para>Run the AFS initialization script to load AFS extensions into
579 the kernel. You can ignore any error messages about the inability
580 to start the BOS Server or the Cache Manager or AFS client.</para>
582 # <emphasis role="bold">/etc/rc.d/init.d/openafs-client start</emphasis>
590 <title>Debian and Ubuntu Linux</title>
591 <para>OpenAFS is available as binary packages from the Debian
592 linux distribution and its derivatives such as Ubuntu.
595 <para>Install the client and server packages using the following command:
597 # apt-get install openafs-client openafs-modules-dkms openafs-krb5 \
598 openafs-fileserver openafs-dbserver
600 You will be prompted by debconf to select your cell name and
601 the size of your local cache.
606 <para>The Debian package also includes helper scripts
607 <literal>afs-newcell</literal> and <literal>afs-rootvol</literal>,
608 which can automate much of the remainder of this document.
612 <title>Systems built from source</title>
613 <para>If you are running a system where
614 you have built the system from
615 source yourself, you need to install the relevant components by hand:
620 <para>Unpack the distribution tarball. The examples below assume
621 that you have extracted and built OpenAFS in the
622 <emphasis role="bold">/tmp/afsdist</emphasis> directory. If you
623 pick a different location, substitute this in all of the following
624 examples. Once you have compiled the distribution,
625 change to the source directory as indicated.
627 # <emphasis role="bold">cd /tmp/afsdist</emphasis>
628 </programlisting></para>
632 <para>Copy the AFS kernel library files to the local <emphasis role="bold">/usr/vice/etc/modload</emphasis> directory.
633 The filenames for the libraries have the format <emphasis
634 role="bold">libafs-</emphasis><replaceable>version</replaceable><emphasis role="bold">.o</emphasis>, where
635 <replaceable>version</replaceable> indicates the kernel build level. The string <emphasis role="bold">.mp</emphasis> in
636 the <replaceable>version</replaceable> indicates that the file is appropriate for machines running a multiprocessor
637 kernel. <programlisting>
638 # <emphasis role="bold">mkdir -p /usr/vice/etc/modload</emphasis>
639 # <emphasis role="bold">cp -rp src/libafs/*.ko /usr/vice/etc/modload</emphasis>
640 </programlisting></para>
644 <para>Copy the AFS initialization script to the local directory for initialization files (by convention, <emphasis
645 role="bold">/etc/rc.d/init.d</emphasis> on Linux machines). Note the removal of the <emphasis role="bold">.rc</emphasis>
646 extension as you copy the script. <programlisting>
647 # <emphasis role="bold">cp -p src/afsd/afs.rc.linux /etc/rc.d/init.d/afs</emphasis>
648 </programlisting></para>
654 <primary>configuring</primary>
656 <secondary>AFS server partition on first AFS machine</secondary>
658 <tertiary>Linux</tertiary>
662 <primary>AFS server partition</primary>
664 <secondary>configuring on first AFS machine</secondary>
666 <tertiary>Linux</tertiary>
670 <primary>first AFS machine</primary>
672 <secondary>AFS server partition</secondary>
674 <tertiary>on Linux</tertiary>
678 <primary>Linux</primary>
680 <secondary>AFS server partition</secondary>
682 <tertiary>on first AFS machine</tertiary>
688 <title>Configuring Server Partitions on Linux Systems</title>
690 <para>Every AFS file server machine must have at least one partition or logical volume dedicated to storing AFS volumes. Each
691 server partition is mounted at a directory named <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable>, where
692 <replaceable>xx</replaceable> is one or two lowercase letters. The <emphasis
693 role="bold">/vicep</emphasis><replaceable>xx</replaceable> directories must reside in the file server machine's root
694 directory, not in one of its subdirectories (for example, <emphasis role="bold">/usr/vicepa</emphasis> is not an acceptable
695 directory location). For additional information, see <link linkend="HDRWQ20">Performing Platform-Specific Procedures</link>.
698 <para>Create a directory called <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable> for each AFS server
699 partition you are configuring (there must be at least one). Repeat the command for each partition. <programlisting>
700 # <emphasis role="bold">mkdir /vicep</emphasis><replaceable>xx</replaceable>
701 </programlisting></para>
705 <para>Add a line with the following format to the file systems registry file, <emphasis
706 role="bold">/etc/fstab</emphasis>, for each directory just created. The entry maps the directory name to the disk
707 partition to be mounted on it. <programlisting>
708 /dev/<replaceable>disk</replaceable> /vicep<replaceable>xx</replaceable> ext2 defaults 0 2
709 </programlisting></para>
711 <para>The following is an example for the first partition being configured.</para>
714 /dev/sda8 /vicepa ext2 defaults 0 2
719 <para>Create a file system on each partition that is to be mounted at a <emphasis
720 role="bold">/vicep</emphasis><replaceable>xx</replaceable> directory. The following command is probably appropriate, but
721 consult the Linux documentation for more information. <programlisting>
722 # <emphasis role="bold">mkfs -v /dev/</emphasis><replaceable>disk</replaceable>
723 </programlisting></para>
727 <para>Mount each partition by issuing either the <emphasis role="bold">mount -a</emphasis> command to mount all
728 partitions at once or the <emphasis role="bold">mount</emphasis> command to mount each partition in turn.</para>
732 <para>If you plan to retain client functionality on this machine after completing the installation, proceed to <link
733 linkend="HDRWQ44">Enabling AFS Login on Linux Systems</link>. Otherwise, proceed to <link linkend="HDRWQ50">Starting the
734 BOS Server</link>.</para>
736 </orderedlist></para>
739 <primary>enabling AFS login</primary>
741 <secondary>file server machine</secondary>
743 <tertiary>Linux</tertiary>
747 <primary>AFS login</primary>
749 <secondary>on file server machine</secondary>
751 <tertiary>Linux</tertiary>
755 <primary>first AFS machine</primary>
757 <secondary>AFS login</secondary>
759 <tertiary>on Linux</tertiary>
763 <primary>Linux</primary>
765 <secondary>AFS login</secondary>
767 <tertiary>on file server machine</tertiary>
771 <primary>PAM</primary>
773 <secondary>on Linux</secondary>
775 <tertiary>file server machine</tertiary>
780 <title>Enabling AFS Login on Linux Systems</title>
783 <para>If you plan to remove client functionality from this machine
784 after completing the installation, skip this section and proceed
785 to <link linkend="HDRWQ50">Starting the BOS Server</link>.</para>
788 <para>At this point you incorporate AFS into the operating system's
789 Pluggable Authentication Module (PAM) scheme. PAM integrates all
790 authentication mechanisms on the machine, including login, to provide
791 the security infrastructure for authenticated access to and from the
794 <para>You should first configure your system to obtain Kerberos v5
795 tickets as part of the authentication process, and then run an AFS PAM
796 module to obtain tokens from those tickets after authentication. Many
797 Linux distributions come with a Kerberos v5 PAM module (usually called
798 pam-krb5 or pam_krb5), or you can download and install <ulink
799 url="http://www.eyrie.org/~eagle/software/pam-krb5">Russ Allbery's
800 Kerberos v5 PAM module</ulink>, which is tested regularly with AFS.
801 See the instructions of whatever PAM module you use for how to
804 <para>Some Kerberos v5 PAM modules do come with native AFS support
805 (usually requiring the Heimdal Kerberos implementation rather than the
806 MIT Kerberos implementation). If you are using one of those PAM
807 modules, you can configure it to obtain AFS tokens. It's more common,
808 however, to separate the AFS token acquisition into a separate PAM
811 <para>The recommended AFS PAM module is <ulink
812 url="http://www.eyrie.org/~eagle/software/pam-afs-session/">Russ
813 Allbery's pam-afs-session module</ulink>. It should work with any of
814 the Kerberos v5 PAM modules. To add it to the PAM configuration, you
815 often only need to add configuration to the session group:</para>
818 <title>Linux PAM session example</title>
819 <literallayout>session required pam_afs_session.so</literallayout>
822 <para>If you also want to obtain AFS tokens for <command>scp</command>
823 and similar commands that don't open a session, you will also need to
824 add the AFS PAM module to the auth group so that the PAM
825 <function>setcred</function> call will obtain tokens. The
826 <literal>pam_afs_session</literal> module will always return success
827 for authentication so that it can be added to the auth group only for
828 <function>setcred</function>, so make sure that it's not marked as
829 <literal>sufficient</literal>.</para>
832 <title>Linux PAM auth example</title>
833 <literallayout>auth [success=ok default=1] pam_krb5.so
834 auth [default=done] pam_afs_session.so
835 auth required pam_unix.so try_first_pass</literallayout>
838 <para>This example will work if you want to try Kerberos v5 first and
839 then fall back to regular Unix authentication.
840 <literal>success=ok</literal> for the Kerberos PAM module followed by
841 <literal>default=done</literal> for the AFS PAM module will cause a
842 successful Kerberos login to run the AFS PAM module and then skip the
843 Unix authentication module. <literal>default=1</literal> on the
844 Kerberos PAM module causes failure of that module to skip the next
845 module (the AFS PAM module) and fall back to the Unix module. If you
846 want to try Unix authentication first and rearrange the order, be sure
847 to use <literal>default=die</literal> instead.</para>
849 <para>The PAM configuration is stored in different places in different
850 Linux distributions. On Red Hat, look in
851 <filename>/etc/pam.d/system-auth</filename>. On Debian and
852 derivatives, look in <filename>/etc/pam.d/common-session</filename>
853 and <filename>/etc/pam.d/common-auth</filename>.</para>
855 <para>For additional configuration examples and the configuration
856 options of the AFS PAM module, see its documentation. For more
857 details on the available options for the PAM configuration, see the
858 Linux PAM documentation.</para>
860 <para>Sites which still require the deprecated
861 <command>kaserver</command> or
862 external Kerberos v4 authentication should consult <link
863 linkend="KAS015">Enabling kaserver based AFS Login on Linux
864 Systems</link> for details of how to enable AFS login on Linux.</para>
866 <para>Proceed to <link linkend="HDRWQ50">Starting the BOS
867 Server</link> (or if referring to these instructions while installing
868 an additional file server machine, return to <link
869 linkend="HDRWQ108">Starting Server Programs</link>).</para>
874 <title>Getting Started on Solaris Systems</title>
876 <para>Begin by running the AFS initialization script to call the <emphasis role="bold">modload</emphasis> program distributed by
877 Sun Microsystems, which dynamically loads AFS modifications into the kernel. Then create partitions for storing AFS volumes, and
878 install and configure the AFS-modified <emphasis role="bold">fsck</emphasis> program to run on AFS server partitions. If the
879 machine is to remain an AFS client machine, incorporate AFS into the machine's Pluggable Authentication Module (PAM) scheme.
881 <primary>incorporating AFS kernel extensions</primary>
883 <secondary>first AFS machine</secondary>
885 <tertiary>Solaris</tertiary>
886 </indexterm> <indexterm>
887 <primary>AFS kernel extensions</primary>
889 <secondary>on first AFS machine</secondary>
891 <tertiary>Solaris</tertiary>
892 </indexterm> <indexterm>
893 <primary>first AFS machine</primary>
895 <secondary>AFS kernel extensions</secondary>
897 <tertiary>on Solaris</tertiary>
898 </indexterm> <indexterm>
899 <primary>Solaris</primary>
901 <secondary>AFS kernel extensions</secondary>
903 <tertiary>on first AFS machine</tertiary>
907 <title>Loading AFS into the Solaris Kernel</title>
909 <para>The <emphasis role="bold">modload</emphasis> program is the dynamic kernel loader provided by Sun Microsystems for
910 Solaris systems. Solaris does not support incorporation of AFS modifications during a kernel build.</para>
912 <para>For AFS to function correctly, the <emphasis role="bold">modload</emphasis> program must run each time the machine
913 reboots, so the AFS initialization script (included on the AFS CD-ROM) invokes it automatically. In this section you copy the
914 appropriate AFS library file to the location where the <emphasis role="bold">modload</emphasis> program accesses it and then
915 run the script.</para>
917 <para>In later sections you verify that the script correctly initializes all AFS components, then create the links that
918 incorporate AFS into the Solaris startup and shutdown sequence. <orderedlist>
920 <para>Unpack the OpenAFS Solaris distribution tarball. The examples
921 below assume that you have unpacked the files into the
922 <emphasis role="bold">/tmp/afsdist</emphasis> directory. If you
923 pick a diferent location, substitute this in all of the following
924 exmaples. Once you have unpacked the distribution, change directory
927 # <emphasis role="bold">cd /tmp/afsdist/sun4x_56/dest/root.client/usr/vice/etc</emphasis>
928 </programlisting></para>
932 <para>Copy the AFS initialization script to the local directory for initialization files (by convention, <emphasis
933 role="bold">/etc/init.d</emphasis> on Solaris machines). Note the removal of the <emphasis role="bold">.rc</emphasis>
934 extension as you copy the script. <programlisting>
935 # <emphasis role="bold">cp -p afs.rc /etc/init.d/afs</emphasis>
936 </programlisting></para>
940 <para>Copy the appropriate AFS kernel library file to the local file <emphasis
941 role="bold">/kernel/fs/afs</emphasis>.</para>
943 <para>If the machine is running Solaris 11 on the x86_64 platform:</para>
946 # <emphasis role="bold">cp -p modload/libafs64.o /kernel/drv/amd64/afs</emphasis>
949 <para>If the machine is running Solaris 10 on the x86_64 platform:</para>
952 # <emphasis role="bold">cp -p modload/libafs64.o /kernel/fs/amd64/afs</emphasis>
955 <para>If the machine is running Solaris 2.6 or the 32-bit version of Solaris 7, its kernel supports NFS server
956 functionality, and the <emphasis role="bold">nfsd</emphasis> process is running:</para>
959 # <emphasis role="bold">cp -p modload/libafs.o /kernel/fs/afs</emphasis>
962 <para>If the machine is running Solaris 2.6 or the 32-bit version of Solaris 7, and its kernel does not support NFS
963 server functionality or the <emphasis role="bold">nfsd</emphasis> process is not running:</para>
966 # <emphasis role="bold">cp -p modload/libafs.nonfs.o /kernel/fs/afs</emphasis>
969 <para>If the machine is running the 64-bit version of Solaris 7, its kernel supports NFS server functionality, and the
970 <emphasis role="bold">nfsd</emphasis> process is running:</para>
973 # <emphasis role="bold">cp -p modload/libafs64.o /kernel/fs/sparcv9/afs</emphasis>
976 <para>If the machine is running the 64-bit version of Solaris 7, and its kernel does not support NFS server
977 functionality or the <emphasis role="bold">nfsd</emphasis> process is not running:</para>
980 # <emphasis role="bold">cp -p modload/libafs64.nonfs.o /kernel/fs/sparcv9/afs</emphasis>
985 <para>Run the AFS initialization script to load AFS modifications into the kernel. You can ignore any error messages
986 about the inability to start the BOS Server or the Cache Manager or AFS client. <programlisting>
987 # <emphasis role="bold">/etc/init.d/afs start</emphasis>
988 </programlisting></para>
990 <para>When an entry called <computeroutput>afs</computeroutput> does not already exist in the local <emphasis
991 role="bold">/etc/name_to_sysnum</emphasis> file, the script automatically creates it and reboots the machine to start
992 using the new version of the file. If this happens, log in again as the superuser <emphasis role="bold">root</emphasis>
993 after the reboot and run the initialization script again. This time the required entry exists in the <emphasis
994 role="bold">/etc/name_to_sysnum</emphasis> file, and the <emphasis role="bold">modload</emphasis> program runs.</para>
997 login: <emphasis role="bold">root</emphasis>
998 Password: <replaceable>root_password</replaceable>
999 # <emphasis role="bold">/etc/init.d/afs start</emphasis>
1002 </orderedlist></para>
1005 <primary>replacing fsck program</primary>
1007 <secondary>first AFS machine</secondary>
1009 <tertiary>Solaris</tertiary>
1013 <primary>fsck program</primary>
1015 <secondary>on first AFS machine</secondary>
1017 <tertiary>Solaris</tertiary>
1021 <primary>first AFS machine</primary>
1023 <secondary>fsck program</secondary>
1025 <tertiary>on Solaris</tertiary>
1029 <primary>Solaris</primary>
1031 <secondary>fsck program</secondary>
1033 <tertiary>on first AFS machine</tertiary>
1037 <sect2 id="HDRWQ47">
1038 <title>Configuring the AFS-modified fsck Program on Solaris Systems</title>
1040 <para>In this section, you make modifications to guarantee that the appropriate <emphasis role="bold">fsck</emphasis> program
1041 runs on AFS server partitions. The <emphasis role="bold">fsck</emphasis> program provided with the operating system must never
1042 run on AFS server partitions. Because it does not recognize the structures that the File Server uses to organize volume data,
1043 it removes all of the data. To repeat:</para>
1045 <para><emphasis role="bold">Never run the standard fsck program on AFS server partitions. It discards AFS volumes.</emphasis>
1048 <para>Create the <emphasis role="bold">/usr/lib/fs/afs</emphasis> directory to house the AFS-modified <emphasis
1049 role="bold">fsck</emphasis> program and related files. <programlisting>
1050 # <emphasis role="bold">mkdir /usr/lib/fs/afs</emphasis>
1051 # <emphasis role="bold">cd /usr/lib/fs/afs</emphasis>
1052 </programlisting></para>
1056 <para>Copy the <emphasis role="bold">vfsck</emphasis> binary to the newly created directory, changing the name as you do
1057 so. <programlisting>
1058 # <emphasis role="bold">cp /tmp/afsdist/sun4x_56/dest/root.server/etc/vfsck fsck</emphasis>
1059 </programlisting></para>
1063 <para>Working in the <emphasis role="bold">/usr/lib/fs/afs</emphasis> directory, create the following links to Solaris
1064 libraries: <programlisting>
1065 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/clri</emphasis>
1066 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/df</emphasis>
1067 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/edquota</emphasis>
1068 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/ff</emphasis>
1069 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/fsdb</emphasis>
1070 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/fsirand</emphasis>
1071 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/fstyp</emphasis>
1072 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/labelit</emphasis>
1073 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/lockfs</emphasis>
1074 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/mkfs</emphasis>
1075 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/mount</emphasis>
1076 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/ncheck</emphasis>
1077 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/newfs</emphasis>
1078 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/quot</emphasis>
1079 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/quota</emphasis>
1080 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/quotaoff</emphasis>
1081 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/quotaon</emphasis>
1082 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/repquota</emphasis>
1083 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/tunefs</emphasis>
1084 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/ufsdump</emphasis>
1085 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/ufsrestore</emphasis>
1086 # <emphasis role="bold">ln -s /usr/lib/fs/ufs/volcopy</emphasis>
1087 </programlisting></para>
1091 <para>Append the following line to the end of the file <emphasis role="bold">/etc/dfs/fstypes</emphasis>.
1094 </programlisting></para>
1098 <para>Edit the <emphasis role="bold">/sbin/mountall</emphasis> file, making two changes. <itemizedlist>
1100 <para>Add an entry for AFS to the <computeroutput>case</computeroutput> statement for option 2, so that it reads
1101 as follows: <programlisting>
1103 ufs) foptions="-o p"
1105 afs) foptions="-o p"
1107 s5) foptions="-y -t /var/tmp/tmp$$ -D"
1111 </programlisting></para>
1115 <para>Edit the file so that all AFS and UFS partitions are checked in parallel. Replace the following section of
1116 code: <programlisting>
1117 # For fsck purposes, we make a distinction between ufs and
1118 # other file systems
1120 if [ "$fstype" = "ufs" ]; then
1121 ufs_fscklist="$ufs_fscklist $fsckdev"
1122 saveentry $fstype "$OPTIONS" $special $mountp
1125 </programlisting></para>
1127 <para>with the following section of code:</para>
1130 # For fsck purposes, we make a distinction between ufs/afs
1131 # and other file systems.
1133 if [ "$fstype" = "ufs" -o "$fstype" = "afs" ]; then
1134 ufs_fscklist="$ufs_fscklist $fsckdev"
1135 saveentry $fstype "$OPTIONS" $special $mountp
1140 </itemizedlist></para>
1142 </orderedlist></para>
1145 <primary>configuring</primary>
1147 <secondary>AFS server partition on first AFS machine</secondary>
1149 <tertiary>Solaris</tertiary>
1153 <primary>AFS server partition</primary>
1155 <secondary>configuring on first AFS machine</secondary>
1157 <tertiary>Solaris</tertiary>
1161 <primary>first AFS machine</primary>
1163 <secondary>AFS server partition</secondary>
1165 <tertiary>on Solaris</tertiary>
1169 <primary>Solaris</primary>
1171 <secondary>AFS server partition</secondary>
1173 <tertiary>on first AFS machine</tertiary>
1177 <sect2 id="HDRWQ48">
1178 <title>Configuring Server Partitions on Solaris Systems</title>
1180 <para>Every AFS file server machine must have at least one partition or logical volume dedicated to storing AFS volumes. Each
1181 server partition is mounted at a directory named <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable>, where
1182 <replaceable>xx</replaceable> is one or two lowercase letters. The <emphasis
1183 role="bold">/vicep</emphasis><replaceable>xx</replaceable> directories must reside in the file server machine's root
1184 directory, not in one of its subdirectories (for example, <emphasis role="bold">/usr/vicepa</emphasis> is not an acceptable
1185 directory location). For additional information, see <link linkend="HDRWQ20">Performing Platform-Specific Procedures</link>.
1188 <para>Create a directory called <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable> for each AFS server
1189 partition you are configuring (there must be at least one). Repeat the command for each partition. <programlisting>
1190 # <emphasis role="bold">mkdir /vicep</emphasis><replaceable>xx</replaceable>
1191 </programlisting></para>
1195 <para>Add a line with the following format to the file systems registry file, <emphasis
1196 role="bold">/etc/vfstab</emphasis>, for each partition to be mounted on a directory created in the previous step. Note
1197 the value <computeroutput>afs</computeroutput> in the fourth field, which tells Solaris to use the AFS-modified
1198 <emphasis role="bold">fsck</emphasis> program on this partition. <programlisting>
1199 /dev/dsk/<replaceable>disk</replaceable> /dev/rdsk/<replaceable>disk</replaceable> /vicep<replaceable>xx</replaceable> afs <replaceable>boot_order</replaceable> yes
1200 </programlisting></para>
1202 <para>The following is an example for the first partition being configured.</para>
1205 /dev/dsk/c0t6d0s1 /dev/rdsk/c0t6d0s1 /vicepa afs 3 yes
1210 <para>Create a file system on each partition that is to be mounted at a <emphasis
1211 role="bold">/vicep</emphasis><replaceable>xx</replaceable> directory. The following command is probably appropriate, but
1212 consult the Solaris documentation for more information. <programlisting>
1213 # <emphasis role="bold">newfs -v /dev/rdsk/</emphasis><replaceable>disk</replaceable>
1214 </programlisting></para>
1218 <para>Issue the <emphasis role="bold">mountall</emphasis> command to mount all partitions at once.</para>
1222 <para>If you plan to retain client functionality on this machine after completing the installation, proceed to <link
1223 linkend="HDRWQ49">Enabling AFS Login and Editing the File Systems Clean-up Script on Solaris Systems</link>. Otherwise,
1224 proceed to <link linkend="HDRWQ50">Starting the BOS Server</link>.</para>
1226 </orderedlist></para>
1229 <sect2 id="HDRWQ49">
1230 <title>Enabling AFS Login on Solaris Systems</title>
1232 <primary>enabling AFS login</primary>
1234 <secondary>file server machine</secondary>
1236 <tertiary>Solaris</tertiary>
1240 <primary>AFS login</primary>
1242 <secondary>on file server machine</secondary>
1244 <tertiary>Solaris</tertiary>
1248 <primary>first AFS machine</primary>
1250 <secondary>AFS login</secondary>
1252 <tertiary>on Solaris</tertiary>
1256 <primary>Solaris</primary>
1258 <secondary>AFS login</secondary>
1260 <tertiary>on file server machine</tertiary>
1264 <primary>PAM</primary>
1266 <secondary>on Solaris</secondary>
1268 <tertiary>file server machine</tertiary>
1272 <para>If you plan to remove client functionality from this machine after completing the installation, skip this section and
1273 proceed to <link linkend="HDRWQ50">Starting the BOS Server</link>.</para>
1276 <para>At this point you incorporate AFS into the operating system's
1277 Pluggable Authentication Module (PAM) scheme. PAM integrates all
1278 authentication mechanisms on the machine, including login, to provide
1279 the security infrastructure for authenticated access to and from the
1282 <para>Explaining PAM is beyond the scope of this document. It is
1283 assumed that you understand the syntax and meanings of settings in the
1284 PAM configuration file (for example, how the
1285 <computeroutput>other</computeroutput> entry works, the effect of
1286 marking an entry as <computeroutput>required</computeroutput>,
1287 <computeroutput>optional</computeroutput>, or
1288 <computeroutput>sufficient</computeroutput>, and so on).</para>
1290 <para>You should first configure your system to obtain Kerberos v5
1291 tickets as part of the authentication process, and then run an AFS PAM
1292 module to obtain tokens from those tickets after authentication.
1293 Current versions of Solaris come with a Kerberos v5 PAM module that
1294 will work, or you can download and install <ulink
1295 url="http://www.eyrie.org/~eagle/software/pam-krb5">Russ Allbery's
1296 Kerberos v5 PAM module</ulink>, which is tested regularly with AFS.
1297 See the instructions of whatever PAM module you use for how to
1298 configure it.</para>
1300 <para>Some Kerberos v5 PAM modules do come with native AFS support
1301 (usually requiring the Heimdal Kerberos implementation rather than the
1302 MIT Kerberos implementation). If you are using one of those PAM
1303 modules, you can configure it to obtain AFS tokens. It's more common,
1304 however, to separate the AFS token acquisition into a separate PAM
1307 <para>The recommended AFS PAM module is <ulink
1308 url="http://www.eyrie.org/~eagle/software/pam-afs-session/">Russ
1309 Allbery's pam-afs-session module</ulink>. It should work with any of
1310 the Kerberos v5 PAM modules. To add it to the PAM configuration, you
1311 often only need to add configuration to the session group in
1312 <filename>pam.conf</filename>:</para>
1315 <title>Solaris PAM session example</title>
1316 <literallayout>login session required pam_afs_session.so</literallayout>
1319 <para>This example enables PAM authentication only for console login.
1320 You may want to add a similar line for the ssh service and for any
1321 other login service that you use, including possibly the
1322 <literal>other</literal> service (which serves as a catch-all). You
1323 may also want to add options to the AFS PAM session module
1324 (particularly <literal>retain_after_close</literal>, which is
1325 necessary for some versions of Solaris.</para>
1327 <para>For additional configuration examples and the configuration
1328 options of the AFS PAM module, see its documentation. For more
1329 details on the available options for the PAM configuration, see the
1330 <filename>pam.conf</filename> manual page.</para>
1332 <para>Sites which still require <emphasis
1333 role="bold">kaserver</emphasis> or external Kerberos v4 authentication
1334 should consult <link linkend="KAS016">"Enabling kaserver based AFS
1335 Login on Solaris Systems"</link> for details of how to enable AFS
1336 login on Solaris.</para>
1338 <para>Proceed to <link linkend="HDRWQ49a">Editing the File Systems
1339 Clean-up Script on Solaris Systems</link></para>
1341 <sect2 id="HDRWQ49a">
1342 <title>Editing the File Systems Clean-up Script on Solaris Systems</title>
1344 <primary>Solaris</primary>
1346 <secondary>file systems clean-up script</secondary>
1348 <tertiary>on file server machine</tertiary>
1352 <primary>file systems clean-up script (Solaris)</primary>
1354 <secondary>file server machine</secondary>
1358 <primary>scripts</primary>
1360 <secondary>file systems clean-up (Solaris)</secondary>
1362 <tertiary>file server machine</tertiary>
1368 <para>Some Solaris distributions include a script that locates and removes unneeded files from various file systems. Its
1369 conventional location is <emphasis role="bold">/usr/lib/fs/nfs/nfsfind</emphasis>. The script generally uses an argument
1370 to the <emphasis role="bold">find</emphasis> command to define which file systems to search. In this step you modify the
1371 command to exclude the <emphasis role="bold">/afs</emphasis> directory. Otherwise, the command traverses the AFS
1372 filespace of every cell that is accessible from the machine, which can take many hours. The following alterations are
1373 possibilities, but you must verify that they are appropriate for your cell.</para>
1375 <para>The first possible alteration is to add the <emphasis role="bold">-local</emphasis> flag to the existing command,
1376 so that it looks like the following:</para>
1379 find $dir -local -name .nfs\* -mtime +7 -mount -exec rm -f {} \;
1382 <para>Another alternative is to exclude any directories whose names begin with the lowercase letter <emphasis
1383 role="bold">a</emphasis> or a non-alphabetic character.</para>
1386 find /[A-Zb-z]* <replaceable>remainder of existing command</replaceable>
1389 <para>Do not use the following command, which still searches under the <emphasis role="bold">/afs</emphasis> directory,
1390 looking for a subdirectory of type <emphasis role="bold">4.2</emphasis>.</para>
1393 find / -fstype 4.2 /* <replaceable>do not use</replaceable> */
1398 <para>Proceed to <link linkend="HDRWQ50">Starting the BOS Server</link> (or if referring to these instructions while
1399 installing an additional file server machine, return to <link linkend="HDRWQ108">Starting Server
1400 Programs</link>).</para>
1405 <primary>Basic OverSeer Server</primary>
1407 <see>BOS Server</see>
1411 <primary>BOS Server</primary>
1413 <secondary>starting</secondary>
1415 <tertiary>first AFS machine</tertiary>
1419 <primary>starting</primary>
1421 <secondary>BOS Server</secondary>
1423 <tertiary>first AFS machine</tertiary>
1427 <primary>first AFS machine</primary>
1429 <secondary>BOS Server</secondary>
1433 <primary>authorization checking (disabling)</primary>
1435 <secondary>first AFS machine</secondary>
1439 <primary>disabling authorization checking</primary>
1441 <secondary>first AFS machine</secondary>
1445 <primary>first AFS machine</primary>
1447 <secondary>authorization checking (disabling)</secondary>
1452 <sect1 id="HDRWQ21">
1453 <title>Getting Started on AIX Systems</title>
1455 <para>Begin by running the AFS initialization script to call the AIX kernel extension facility, which dynamically loads AFS
1456 modifications into the kernel. Then use the <emphasis role="bold">SMIT</emphasis> program to configure partitions for storing
1457 AFS volumes, and replace the AIX <emphasis role="bold">fsck</emphasis> program helper with a version that correctly handles AFS
1458 volumes. If the machine is to remain an AFS client machine, incorporate AFS into the AIX secondary authentication system.
1460 <primary>incorporating AFS kernel extensions</primary>
1462 <secondary>first AFS machine</secondary>
1464 <tertiary>AIX</tertiary>
1465 </indexterm> <indexterm>
1466 <primary>AFS kernel extensions</primary>
1468 <secondary>on first AFS machine</secondary>
1470 <tertiary>AIX</tertiary>
1471 </indexterm> <indexterm>
1472 <primary>first AFS machine</primary>
1474 <secondary>AFS kernel extensions</secondary>
1476 <tertiary>on AIX</tertiary>
1477 </indexterm> <indexterm>
1478 <primary>AIX</primary>
1480 <secondary>AFS kernel extensions</secondary>
1482 <tertiary>on first AFS machine</tertiary>
1485 <sect2 id="HDRWQ22">
1486 <title>Loading AFS into the AIX Kernel</title>
1488 <para>The AIX kernel extension facility is the dynamic kernel loader
1489 provided by IBM Corporation. AIX does not support incorporation of
1490 AFS modifications during a kernel build.</para>
1492 <para>For AFS to function correctly, the kernel extension facility must run each time the machine reboots, so the AFS
1493 initialization script (included in the AFS distribution) invokes it automatically. In this section you copy the script to the
1494 conventional location and edit it to select the appropriate options depending on whether NFS is also to run.</para>
1496 <para>After editing the script, you run it to incorporate AFS into the kernel. In later sections you verify that the script
1497 correctly initializes all AFS components, then configure the AIX <emphasis role="bold">inittab</emphasis> file so that the
1498 script runs automatically at reboot. <orderedlist>
1500 <para>Unpack the distribution tarball. The examples below assume
1501 that you have unpacked the files into the
1502 <emphasis role="bold">/tmp/afsdist</emphasis> directory. If you
1503 pick a different location, substitute this in all of the following
1504 examples. Once you have unpacked the distribution,
1505 change directory as indicated.
1507 # <emphasis role="bold">cd /tmp/afsdist/rs_aix42/dest/root.client/usr/vice/etc</emphasis>
1508 </programlisting></para>
1512 <para>Copy the AFS kernel library files to the local <emphasis role="bold">/usr/vice/etc/dkload</emphasis> directory,
1513 and the AFS initialization script to the <emphasis role="bold">/etc</emphasis> directory. <programlisting>
1514 # <emphasis role="bold">cp -rp dkload /usr/vice/etc</emphasis>
1515 # <emphasis role="bold">cp -p rc.afs /etc/rc.afs</emphasis>
1516 </programlisting></para>
1520 <para>Edit the <emphasis role="bold">/etc/rc.afs</emphasis> script, setting the <computeroutput>NFS</computeroutput>
1521 variable as indicated.</para>
1523 <para>If the machine is not to function as an NFS/AFS Translator, set the <computeroutput>NFS</computeroutput> variable
1530 <para>If the machine is to function as an NFS/AFS Translator and is running AIX 4.2.1 or higher, set the
1531 <computeroutput>NFS</computeroutput> variable as follows. Note that NFS must already be loaded into the kernel, which
1532 happens automatically on systems running AIX 4.1.1 and later, as long as the file <emphasis
1533 role="bold">/etc/exports</emphasis> exists.</para>
1541 <para>Invoke the <emphasis role="bold">/etc/rc.afs</emphasis> script to load AFS modifications into the kernel. You can
1542 ignore any error messages about the inability to start the BOS Server or the Cache Manager or AFS client.
1544 # <emphasis role="bold">/etc/rc.afs</emphasis>
1545 </programlisting></para>
1547 </orderedlist></para>
1550 <primary>configuring</primary>
1552 <secondary>AFS server partition on first AFS machine</secondary>
1554 <tertiary>AIX</tertiary>
1558 <primary>AFS server partition</primary>
1560 <secondary>configuring on first AFS machine</secondary>
1562 <tertiary>AIX</tertiary>
1566 <primary>first AFS machine</primary>
1568 <secondary>AFS server partition</secondary>
1570 <tertiary>on AIX</tertiary>
1574 <primary>AIX</primary>
1576 <secondary>AFS server partition</secondary>
1578 <tertiary>on first AFS machine</tertiary>
1582 <sect2 id="HDRWQ23">
1583 <title>Configuring Server Partitions on AIX Systems</title>
1585 <para>Every AFS file server machine must have at least one partition or logical volume dedicated to storing AFS volumes. Each
1586 server partition is mounted at a directory named <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable>, where
1587 <replaceable>xx</replaceable> is one or two lowercase letters. The <emphasis
1588 role="bold">/vicep</emphasis><replaceable>xx</replaceable> directories must reside in the file server machine's root
1589 directory, not in one of its subdirectories (for example, <emphasis role="bold">/usr/vicepa</emphasis> is not an acceptable
1590 directory location). For additional information, see <link linkend="HDRWQ20">Performing Platform-Specific
1591 Procedures</link>.</para>
1593 <para>To configure server partitions on an AIX system, perform the following procedures: <orderedlist>
1595 <para>Create a directory called <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable> for each AFS server
1596 partition you are configuring (there must be at least one). Repeat the command for each partition. <programlisting>
1597 # <emphasis role="bold">mkdir /vicep</emphasis><replaceable>xx</replaceable>
1598 </programlisting></para>
1602 <para>Use the <emphasis role="bold">SMIT</emphasis> program to create a journaling file system on each partition to be
1603 configured as an AFS server partition.</para>
1607 <para>Mount each partition at one of the <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable>
1608 directories. Choose one of the following three methods: <itemizedlist>
1610 <para>Use the <emphasis role="bold">SMIT</emphasis> program</para>
1614 <para>Use the <emphasis role="bold">mount -a</emphasis> command to mount all partitions at once</para>
1618 <para>Use the <emphasis role="bold">mount</emphasis> command on each partition in turn</para>
1620 </itemizedlist></para>
1622 <para>Also configure the partitions so that they are mounted automatically at each reboot. For more information, refer
1623 to the AIX documentation.</para>
1625 </orderedlist></para>
1628 <primary>replacing fsck program</primary>
1630 <secondary>first AFS machine</secondary>
1632 <tertiary>AIX</tertiary>
1636 <primary>fsck program</primary>
1638 <secondary>on first AFS machine</secondary>
1640 <tertiary>AIX</tertiary>
1644 <primary>first AFS machine</primary>
1646 <secondary>fsck program</secondary>
1648 <tertiary>on AIX</tertiary>
1652 <primary>AIX</primary>
1654 <secondary>fsck program</secondary>
1656 <tertiary>on first AFS machine</tertiary>
1660 <sect2 id="HDRWQ24">
1661 <title>Replacing the fsck Program Helper on AIX Systems</title>
1663 <note><para>The AFS modified fsck program is not required on AIX 5.1
1664 systems, and the <emphasis role="bold">v3fshelper</emphasis> program
1665 refered to below is not shipped for these systems.</para></note>
1667 <para>In this section, you make modifications to guarantee that the appropriate <emphasis role="bold">fsck</emphasis> program
1668 runs on AFS server partitions. The <emphasis role="bold">fsck</emphasis> program provided with the operating system must never
1669 run on AFS server partitions. Because it does not recognize the structures that the File Server uses to organize volume data,
1670 it removes all of the data. To repeat:</para>
1672 <para><emphasis role="bold">Never run the standard fsck program on AFS server partitions. It discards AFS
1673 volumes.</emphasis></para>
1675 <para>On AIX systems, you do not replace the <emphasis role="bold">fsck</emphasis> binary itself, but rather the
1676 <emphasis>program helper</emphasis> file included in the AIX distribution as <emphasis
1677 role="bold">/sbin/helpers/v3fshelper</emphasis>. <orderedlist>
1679 <para>Move the AIX <emphasis role="bold">fsck</emphasis> program helper to a safe location and install the version from
1680 the AFS distribution in its place.
1682 # <emphasis role="bold">cd /sbin/helpers</emphasis>
1683 # <emphasis role="bold">mv v3fshelper v3fshelper.noafs</emphasis>
1684 # <emphasis role="bold">cp -p /tmp/afsdist/rs_aix42/dest/root.server/etc/v3fshelper v3fshelper</emphasis>
1685 </programlisting></para>
1689 <para>If you plan to retain client functionality on this machine after completing the installation, proceed to <link
1690 linkend="HDRWQ25">Enabling AFS Login on AIX Systems</link>. Otherwise, proceed to <link linkend="HDRWQ50">Starting the
1691 BOS Server</link>.</para>
1693 </orderedlist></para>
1696 <primary>enabling AFS login</primary>
1698 <secondary>file server machine</secondary>
1700 <tertiary>AIX</tertiary>
1704 <primary>AFS login</primary>
1706 <secondary>on file server machine</secondary>
1708 <tertiary>AIX</tertiary>
1712 <primary>first AFS machine</primary>
1714 <secondary>AFS login</secondary>
1716 <tertiary>on AIX</tertiary>
1720 <primary>AIX</primary>
1722 <secondary>AFS login</secondary>
1724 <tertiary>on file server machine</tertiary>
1728 <primary>secondary authentication system (AIX)</primary>
1730 <secondary>server machine</secondary>
1734 <sect2 id="HDRWQ25">
1735 <title>Enabling AFS Login on AIX Systems</title>
1738 <para>If you plan to remove client functionality from this machine after completing the installation, skip this section and
1739 proceed to <link linkend="HDRWQ50">Starting the BOS Server</link>.</para>
1742 <para>In modern AFS installations, you should be using Kerberos v5
1743 for user login, and obtaining AFS tokens following this authentication
1746 <para>There are currently no instructions available on configuring AIX to
1747 automatically obtain AFS tokens at login. Following login, users can
1748 obtain tokens by running the <emphasis role="bold">aklog</emphasis>
1751 <para>Sites which still require <emphasis role="bold">kaserver</emphasis>
1752 or external Kerberos v4 authentication should consult
1753 <link linkend="KAS012">Enabling kaserver based AFS login on AIX systems</link>
1754 for details of how to enable AIX login.</para>
1756 <para>Proceed to <link linkend="HDRWQ50">Starting the BOS Server</link>
1757 (or if referring to these instructions while installing an additional
1758 file server machine, return to <link linkend="HDRWQ108">Starting Server
1759 Programs</link>).</para>
1762 <sect1 id="HDRWQ50">
1763 <title>Starting the BOS Server</title>
1765 <para>You are now ready to start the AFS server processes on this machine.
1766 If you are not working from a packaged distribution, begin by installing the
1767 AFS server binaries to the conventional local disk
1768 location, the <emphasis role="bold">/usr/afs/bin</emphasis> directory. The
1769 following instructions also create files in other subdirectories of the
1770 <emphasis role="bold">/usr/afs</emphasis> directory.</para>
1772 <para>Then obtain a krb5 keytab for use by the servers in the cell.
1773 Once the keytab is in place, issue the
1774 <emphasis role="bold">bosserver</emphasis> command to initialize
1775 the Basic OverSeer (BOS) Server, which
1776 monitors and controls other AFS server processes on its server machine.
1777 Because you have not yet configured your cell's AFS authentication and authorization
1778 mechanisms, you must always use the
1779 <emphasis role="bold">-localauth</emphasis> flag to commands, to use a
1780 printed token that does not correspond to a normal krb5 identity.</para>
1781 <para>Older versions of these instructions used the
1782 <emphasis role="bold">-noauth</emphasis> flag, which completely disables
1783 all authentication and authorization checking, allowing anyone at all
1784 to control the system. Do not use this flag! It is highly insecure,
1785 and is no longer needed.</para>
1787 <para>As it initializes for the first time, the BOS Server creates the following directories and files, setting the owner to the
1788 local superuser <emphasis role="bold">root</emphasis> and the mode bits to limit the ability to write (and in some cases, read)
1789 them. For a description of the contents and function of these directories and files, see the chapter in the <emphasis>OpenAFS
1790 Administration Guide</emphasis> about administering server machines. For further discussion of the mode bit settings, see <link
1791 linkend="HDRWQ96">Protecting Sensitive AFS Directories</link>. <indexterm>
1792 <primary>Binary Distribution</primary>
1794 <secondary>copying server files from</secondary>
1796 <tertiary>first AFS machine</tertiary>
1797 </indexterm> <indexterm>
1798 <primary>first AFS machine</primary>
1800 <secondary>subdirectories of /usr/afs</secondary>
1801 </indexterm> <indexterm>
1802 <primary>creating</primary>
1804 <secondary>/usr/afs/bin directory</secondary>
1806 <tertiary>first AFS machine</tertiary>
1807 </indexterm> <indexterm>
1808 <primary>creating</primary>
1810 <secondary>/usr/afs/etc directory</secondary>
1812 <tertiary>first AFS machine</tertiary>
1813 </indexterm> <indexterm>
1814 <primary>copying</primary>
1816 <secondary>server files to local disk</secondary>
1818 <tertiary>first AFS machine</tertiary>
1819 </indexterm> <indexterm>
1820 <primary>first AFS machine</primary>
1822 <secondary>copying</secondary>
1824 <tertiary>server files to local disk</tertiary>
1825 </indexterm> <indexterm>
1826 <primary>usr/afs/bin directory</primary>
1828 <secondary>first AFS machine</secondary>
1829 </indexterm> <indexterm>
1830 <primary>usr/afs/etc directory</primary>
1832 <secondary>first AFS machine</secondary>
1833 </indexterm> <indexterm>
1834 <primary>usr/afs/db directory</primary>
1835 </indexterm> <indexterm>
1836 <primary>usr/afs/local directory</primary>
1837 </indexterm> <indexterm>
1838 <primary>usr/afs/logs directory</primary>
1839 </indexterm> <itemizedlist>
1841 <para><emphasis role="bold">/usr/afs/db</emphasis></para>
1845 <para><emphasis role="bold">/usr/afs/etc/CellServDB</emphasis></para>
1849 <para><emphasis role="bold">/usr/afs/etc/ThisCell</emphasis></para>
1853 <para><emphasis role="bold">/usr/afs/local</emphasis></para>
1857 <para><emphasis role="bold">/usr/afs/logs</emphasis></para>
1859 </itemizedlist></para>
1861 <para>The BOS Server also creates symbolic links called <emphasis role="bold">/usr/vice/etc/ThisCell</emphasis> and <emphasis
1862 role="bold">/usr/vice/etc/CellServDB</emphasis> to the corresponding files in the <emphasis role="bold">/usr/afs/etc</emphasis>
1863 directory. The AFS command interpreters consult the <emphasis role="bold">CellServDB</emphasis> and <emphasis
1864 role="bold">ThisCell</emphasis> files in the <emphasis role="bold">/usr/vice/etc</emphasis> directory because they generally run
1865 on client machines. On machines that are AFS servers only (as this machine currently is), the files reside only in the <emphasis
1866 role="bold">/usr/afs/etc</emphasis> directory; the links enable the command interpreters to retrieve the information they need.
1867 Later instructions for installing the client functionality replace the links with actual files.</para>
1869 <title>Generating the Cell's Kerberos V5 Keys</title>
1871 <para>This guide uses krb5 for authentication; do not use the
1872 legacy <emphasis role="bold">kaserver</emphasis> for new
1873 installations.</para>
1874 <para>This section creates only the cell-wide shared secret key;
1875 administrative users will be created later in the procedure.
1876 This cell-wide key has the principal name
1877 <emphasis role="bold">afs/<replaceable>cell</replaceable></emphasis>.
1878 No user logs in under this identity, but it is used to encrypt the
1879 server tickets that the KDC grants to AFS clients for presentation
1880 to server processes during mutual authentication. (The
1881 chapter in the <emphasis>OpenAFS Administration Guide</emphasis>
1882 about cell configuration and administration describes the
1883 role of server encryption keys in mutual authentication.)</para>
1884 <para>The OpenAFS 1.8.x series stores the cell-wide shared keys in
1885 the file <emphasis role="bold">/usr/afs/etc/KeyFileExt</emphasis>,
1886 whereas the 1.6.x series uses a krb5 keytab format file in
1887 <emphasis role="bold">/usr/afs/etc/rxkad.keytab</emphasis>.
1888 These instructions create both files, but populating the
1889 <emphasis role="bold">KeyFileExt</emphasis> file will only succeed
1890 using the version of <emphasis role="bold">asetkey</emphasis>
1891 from OpenAFS 1.8.x.</para>
1892 <para>The examples below assume you are using MIT Kerberos. Please refer
1893 to the documentation for your KDC's administrative interface if you are
1894 using a different vendor</para>
1898 <para>Enter <emphasis role="bold">kadmin</emphasis> interactive mode.
1900 # <emphasis role="bold">kadmin</emphasis>
1901 Authenticating as principal <replaceable>you</replaceable>/admin@<replaceable>YOUR REALM</replaceable> with password
1902 Password for <replaceable>you/admin@REALM</replaceable>: <replaceable>your_password</replaceable>
1903 </programlisting> <indexterm>
1904 <primary>server encryption key</primary>
1906 <secondary>in Kerberos Database</secondary>
1907 </indexterm> <indexterm>
1908 <primary>creating</primary>
1910 <secondary>server encryption key</secondary>
1912 <tertiary>Kerberos Database</tertiary>
1918 <emphasis role="bold">add_principal</emphasis> command to create
1919 a Kerberos Database entry for
1920 <emphasis role="bold">afs/<<replaceable>cell name</replaceable>></emphasis>.</para>
1922 <para>Note that when creating the
1923 <emphasis role="bold">afs/<<replaceable>cell name</replaceable>></emphasis>
1924 entry, the encryption type list does not include any single-DES
1925 encryption types. If such encryption types are included,
1926 additional <emphasis role="bold">asetkey</emphasis> commands
1927 will be needed to place those keys in the legacy
1928 <emphasis role="bold">KeyFile</emphasis> and ensure proper
1929 operation of the cell.
1930 For more details regarding encryption types, see the documentation
1931 for your Kerberos installation.
1934 kadmin: <emphasis role="bold">add_principal -randkey -e aes256-cts-hmac-sha1-96:normal,aes128-cts-hmac-sha1-96:normal afs/</emphasis><<replaceable>cell name</replaceable>>
1935 Principal "afs/<replaceable>cell name</replaceable>@<replaceable>REALM</replaceable>" created.
1941 <para>Extract the newly created key for
1942 <emphasis role="bold">afs/<replaceable>cell</replaceable></emphasis>
1943 to a keytab on the local machine.</para>
1945 <para>The keytab contains the key material that ensures the security of your AFS cell. You should ensure that it is kept in a secure location at all times.</para>
1948 kadmin: <emphasis role="bold">ktadd -k /usr/afs/etc/rxkad.keytab -e aes256-cts-hmac-sha1-96:normal,aes128-cts-hmac-sha1-96:normal afs/<<replaceable>cell name</replaceable>></emphasis>
1949 Entry for principal afs/<<replaceable>cell name</replaceable>> with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/usr/afs/etc/rxkad.keytab
1950 Entry for principal afs/<<replaceable>cell name</replaceable>> with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/usr/afs/etc/rxkad.keytab
1952 <para>Make a note of the key version number (kvno) given in the
1953 response, as you will need it to load the key into
1954 the <emphasis role="bold">KeyFileExt</emphasis> in a later
1957 <note><para>Note that each time you run
1958 <emphasis role="bold">ktadd</emphasis> a new key is generated
1959 for the item being extracted. This means that you cannot run ktadd
1960 multiple times and end up with the same key material each time.
1965 <para>Issue the <emphasis role="bold">quit</emphasis> command to leave <emphasis role="bold">kadmin</emphasis>
1966 interactive mode. <programlisting>
1967 kadmin: <emphasis role="bold">quit</emphasis>
1968 </programlisting></para>
1971 <listitem id="LIWQ58">
1973 <emphasis role="bold">asetkey</emphasis> command to set the AFS
1974 server encryption key in the
1975 <emphasis role="bold">/usr/afs/etc/KeyFileExt</emphasis> file.
1977 is created from the <emphasis role="bold">rxkad.keytab</emphasis>
1978 file created earlier.</para>
1980 <para>asetkey requires the key version number (or kvno) of the
1981 <emphasis role="bold">afs/</emphasis><replaceable>cell</replaceable>
1982 key, as well as the encryption type number of the key.
1983 You should have made note of the kvno when creating the key
1984 earlier. The key version number can also be found by running the
1985 <emphasis role="bold">kvno</emphasis> command</para>
1987 # <emphasis role="bold">kvno -kt /usr/afs/etc/rxkad.keytab</emphasis>
1989 <para>The encryption type numbers can be found in the local krb5
1990 headers or the IANA registry. The most common numbers are
1991 18 for <emphasis role="bold">aes256-cts-hmac-sha1-96</emphasis> and
1992 17 for <emphasis role="bold">aes128-cts-hmac-sha1-96</emphasis>.
1995 <para>Once the kvno and enctypes are known, the keys
1996 can then be extracted using asetkey</para>
1998 # <emphasis role="bold">asetkey add rxkad_krb5</emphasis> <<replaceable>kvno</replaceable>> <emphasis role="bold">18 /usr/afs/etc/rxkad.keytab afs/</emphasis><<replaceable>cell name</replaceable>>
1999 # <emphasis role="bold">asetkey add rxkad_krb5</emphasis> <<replaceable>kvno</replaceable>> <emphasis role="bold">17 /usr/afs/etc/rxkad.keytab afs/</emphasis><<replaceable>cell name</replaceable>>
2005 <title>Starting the Server Processes</title>
2007 <para>Now that the keys are in place, proceed to start the server
2011 <para>If you are building from source, you need to install the
2012 compiled files to the local
2013 <emphasis role="bold">/usr/afs</emphasis> directory. <indexterm>
2014 <primary>commands</primary>
2016 <secondary>bosserver</secondary>
2017 </indexterm> <indexterm>
2018 <primary>bosserver command</primary>
2023 <para>Issue the <emphasis role="bold">bosserver</emphasis> command.
2025 # <emphasis role="bold">/usr/afs/bin/bosserver</emphasis>
2026 </programlisting></para>
2030 <para>Verify that the BOS Server created <emphasis role="bold">/usr/vice/etc/ThisCell</emphasis> and <emphasis
2031 role="bold">/usr/vice/etc/CellServDB</emphasis> as symbolic links to the corresponding files in the <emphasis
2032 role="bold">/usr/afs/etc</emphasis> directory. <programlisting>
2033 # <emphasis role="bold">ls -l /usr/vice/etc</emphasis>
2034 </programlisting></para>
2036 <para>If either or both of <emphasis role="bold">/usr/vice/etc/ThisCell</emphasis> and <emphasis
2037 role="bold">/usr/vice/etc/CellServDB</emphasis> do not exist, or are not links, issue the following commands.</para>
2040 # <emphasis role="bold">cd /usr/vice/etc</emphasis>
2041 # <emphasis role="bold">ln -s /usr/afs/etc/ThisCell</emphasis>
2042 # <emphasis role="bold">ln -s /usr/afs/etc/CellServDB</emphasis>
2045 </orderedlist></para>
2048 <primary>cell name</primary>
2050 <secondary>defining during installation of first machine</secondary>
2054 <primary>defining</primary>
2056 <secondary>cell name during installation of first machine</secondary>
2060 <primary>cell name</primary>
2062 <secondary>setting in server ThisCell file</secondary>
2064 <tertiary>first AFS machine</tertiary>
2068 <primary>setting</primary>
2070 <secondary>cell name in server ThisCell file</secondary>
2072 <tertiary>first AFS machine</tertiary>
2076 <primary>first AFS machine</primary>
2078 <secondary>ThisCell file (server)</secondary>
2082 <primary>usr/afs/etc/ThisCell</primary>
2084 <see>ThisCell file (server)</see>
2088 <primary>ThisCell file (server)</primary>
2090 <secondary>first AFS machine</secondary>
2094 <primary>files</primary>
2096 <secondary>ThisCell (server)</secondary>
2100 <primary>database server machine</primary>
2102 <secondary>entry in server CellServDB file</secondary>
2104 <tertiary>on first AFS machine</tertiary>
2108 <primary>first AFS machine</primary>
2110 <secondary>cell membership, defining</secondary>
2112 <tertiary>for server processes</tertiary>
2116 <primary>usr/afs/etc/CellServDB file</primary>
2118 <see>CellServDB file (server)</see>
2122 <primary>CellServDB file (server)</primary>
2124 <secondary>creating</secondary>
2126 <tertiary>on first AFS machine</tertiary>
2130 <primary>creating</primary>
2132 <secondary>CellServDB file (server)</secondary>
2134 <tertiary>first AFS machine</tertiary>
2138 <primary>files</primary>
2140 <secondary>CellServDB (server)</secondary>
2144 <primary>first AFS machine</primary>
2146 <secondary>CellServDB file (server)</secondary>
2150 <primary>first AFS machine</primary>
2152 <secondary>defining</secondary>
2154 <tertiary>as database server</tertiary>
2158 <primary>defining</primary>
2160 <secondary>first AFS machine as database server</secondary>
2165 <sect1 id="HDRWQ51">
2166 <title>Defining Cell Name and Membership for Server Processes</title>
2168 <para>Now assign your cell's name. The chapter in the <emphasis>OpenAFS Administration Guide</emphasis> about cell configuration
2169 and administration issues discusses the important considerations, explains why changing the name is difficult, and outlines the
2170 restrictions on name format. Two of the most important restrictions are that the name cannot include uppercase letters or more
2171 than 64 characters.</para>
2173 <para>Use the <emphasis role="bold">bos setcellname</emphasis> command to assign the cell name. It creates two files:
2176 <para><emphasis role="bold">/usr/afs/etc/ThisCell</emphasis>, which defines this machine's cell membership</para>
2180 <para><emphasis role="bold">/usr/afs/etc/CellServDB</emphasis>, which lists the cell's database server machines; the
2181 machine named on the command line is placed on the list automatically</para>
2183 </itemizedlist> <note>
2184 <para>In the following and every instruction in this guide, for the <replaceable>machine name</replaceable> argument
2185 substitute the fully-qualified hostname (such as <emphasis role="bold">fs1.example.com</emphasis>) of the machine you are
2186 installing. For the <replaceable>cell name</replaceable> argument substitute your cell's complete name (such as <emphasis
2187 role="bold">example.com</emphasis>).</para>
2191 <primary>commands</primary>
2193 <secondary>bos setcellname</secondary>
2197 <primary>bos commands</primary>
2199 <secondary>setcellname</secondary>
2204 <para>If necessary, add the directory containing the <emphasis role="bold">bos</emphasis> command to your path.
2206 # <emphasis role="bold">export PATH=$PATH:/usr/afs/bin</emphasis>
2212 <para>Issue the <emphasis role="bold">bos setcellname</emphasis> command to set the cell name. <programlisting>
2213 # <emphasis role="bold">bos setcellname</emphasis> <<replaceable>machine name</replaceable>> <<replaceable>cell name</replaceable>> <emphasis
2214 role="bold">-localauth</emphasis>
2215 </programlisting></para> <indexterm>
2216 <primary>commands</primary>
2218 <secondary>bos listhosts</secondary>
2219 </indexterm> <indexterm>
2220 <primary>bos commands</primary>
2222 <secondary>listhosts</secondary>
2223 </indexterm> <indexterm>
2224 <primary>CellServDB file (server)</primary>
2226 <secondary>displaying entries</secondary>
2227 </indexterm> <indexterm>
2228 <primary>displaying</primary>
2230 <secondary>CellServDB file (server) entries</secondary>
2235 <para>Issue the <emphasis role="bold">bos listhosts</emphasis> command to verify that the machine you are installing is now
2236 registered as the cell's first database server machine. <programlisting>
2237 # <emphasis role="bold">bos listhosts</emphasis> <<replaceable>machine name</replaceable>> <emphasis role="bold">-localauth</emphasis>
2238 Cell name is <replaceable>cell_name</replaceable>
2239 Host 1 is <replaceable>machine_name</replaceable>
2240 </programlisting></para>
2245 <primary>database server machine</primary>
2247 <secondary>installing</secondary>
2249 <tertiary>first</tertiary>
2253 <primary>instructions</primary>
2255 <secondary>database server machine, installing first</secondary>
2259 <primary>installing</primary>
2261 <secondary>database server machine</secondary>
2263 <tertiary>first</tertiary>
2267 <primary>Backup Server</primary>
2269 <secondary>starting</secondary>
2271 <tertiary>first AFS machine</tertiary>
2275 <primary>buserver process</primary>
2277 <see>Backup Server</see>
2281 <primary>starting</primary>
2283 <secondary>Backup Server</secondary>
2285 <tertiary>first AFS machine</tertiary>
2289 <primary>first AFS machine</primary>
2291 <secondary>Backup Server</secondary>
2295 <primary>Protection Server</primary>
2297 <secondary>starting</secondary>
2299 <tertiary>first AFS machine</tertiary>
2303 <primary>ptserver process</primary>
2305 <see>Protection Server</see>
2309 <primary>starting</primary>
2311 <secondary>Protection Server</secondary>
2313 <tertiary>first AFS machine</tertiary>
2317 <primary>first AFS machine</primary>
2319 <secondary>Protection Server</secondary>
2323 <primary>VL Server (vlserver process)</primary>
2325 <secondary>starting</secondary>
2327 <tertiary>first AFS machine</tertiary>
2331 <primary>Volume Location Server</primary>
2333 <see>VL Server</see>
2337 <primary>starting</primary>
2339 <secondary>VL Server</secondary>
2341 <tertiary>first AFS machine</tertiary>
2345 <primary>first AFS machine</primary>
2347 <secondary>VL Server</secondary>
2351 <primary>usr/afs/local/BosConfig</primary>
2353 <see>BosConfig file</see>
2357 <primary>BosConfig file</primary>
2359 <secondary>adding entries</secondary>
2361 <tertiary>first AFS machine</tertiary>
2365 <primary>adding</primary>
2367 <secondary>entries to BosConfig file</secondary>
2369 <tertiary>first AFS machine</tertiary>
2373 <primary>files</primary>
2375 <secondary>BosConfig</secondary>
2379 <primary>initializing</primary>
2381 <secondary>server process</secondary>
2387 <primary>server process</primary>
2389 <secondary>see also entry for each server's name</secondary>
2393 <sect1 id="HDRWQ52">
2394 <title>Starting the Database Server Processes</title>
2396 <para>Next use the <emphasis role="bold">bos create</emphasis> command to create entries for the three database server processes
2397 in the <emphasis role="bold">/usr/afs/local/BosConfig</emphasis> file and start them running. The three processes run on database
2398 server machines only: <itemizedlist>
2401 <para>The Protection Server (the <emphasis role="bold">ptserver</emphasis> process) maintains the Protection
2406 <para>The Volume Location (VL) Server (the <emphasis role="bold">vlserver</emphasis> process) maintains the Volume
2407 Location Database (VLDB)</para>
2411 <para>The optional Backup Server (the <emphasis role="bold">buserver</emphasis> process) maintains the Backup Database</para>
2413 </itemizedlist></para>
2416 <primary>Kerberos</primary>
2420 <para>AFS ships with an additional database server named 'kaserver', which
2421 was historically used to provide authentication services to AFS cells.
2422 kaserver was based on <emphasis>Kerberos v4</emphasis>, as such, it is
2423 not recommended for new cells. This guide assumes you have already
2424 configured a Kerberos v5 realm for your site, and details the procedures
2425 required to use AFS with this realm. If you do wish to use
2426 <emphasis role="bold">kaserver</emphasis>, please see the modifications
2427 to these instructions detailed in
2428 <link linkend="KAS006">Starting the kaserver Database Server Process</link>
2432 <para>The remaining instructions in this chapter include the <emphasis role="bold">-cell</emphasis> argument on all applicable
2433 commands. Provide the cell name you assigned in <link linkend="HDRWQ51">Defining Cell Name and Membership for Server
2434 Processes</link>. If a command appears on multiple lines, it is only for legibility. <indexterm>
2435 <primary>commands</primary>
2437 <secondary>bos create</secondary>
2438 </indexterm> <indexterm>
2439 <primary>bos commands</primary>
2441 <secondary>create</secondary>
2442 </indexterm> <orderedlist>
2444 <para>Issue the <emphasis role="bold">bos create</emphasis> command to start the Protection Server. <programlisting>
2445 # <emphasis role="bold">./bos create</emphasis> <<replaceable>machine name</replaceable>> <emphasis role="bold">ptserver simple /usr/afs/bin/ptserver</emphasis> <emphasis role="bold">-localauth</emphasis>
2446 </programlisting></para>
2450 <para>Issue the <emphasis role="bold">bos create</emphasis> command to start the VL Server. <programlisting>
2451 # <emphasis role="bold">./bos create</emphasis> <<replaceable>machine name</replaceable>> <emphasis role="bold">vlserver simple /usr/afs/bin/vlserver</emphasis> <emphasis role="bold">-localauth</emphasis>
2452 </programlisting></para>
2456 <para>Optionally, issue the <emphasis role="bold">bos create</emphasis> command to start the Backup Server. <programlisting>
2457 # <emphasis role="bold">./bos create</emphasis> <<replaceable>machine name</replaceable>> <emphasis role="bold">buserver simple /usr/afs/bin/buserver</emphasis> <emphasis role="bold">-localauth</emphasis>
2458 </programlisting></para>
2460 </orderedlist></para>
2463 <primary>admin account</primary>
2465 <secondary>creating</secondary>
2469 <primary>afs entry in Kerberos Database</primary>
2473 <primary>Kerberos Database</primary>
2477 <primary>creating</primary>
2479 <secondary>afs entry in Kerberos Database</secondary>
2483 <primary>creating</primary>
2485 <secondary>admin account in Kerberos Database</secondary>
2489 <primary>security</primary>
2491 <secondary>initializing cell-wide</secondary>
2495 <primary>cell</primary>
2497 <secondary>initializing security mechanisms</secondary>
2501 <primary>initializing</primary>
2503 <secondary>cell security mechanisms</secondary>
2507 <primary>usr/afs/etc/KeyFile</primary>
2509 <see>KeyFile file</see>
2513 <primary>KeyFile file</primary>
2515 <secondary>first AFS machine</secondary>
2519 <primary>files</primary>
2521 <secondary>KeyFile</secondary>
2525 <primary>key</primary>
2527 <see>server encryption key</see>
2531 <primary>encryption key</primary>
2533 <see>server encryption key</see>
2537 <sect1 id="HDRWQ53">
2538 <title>Initializing Cell Security </title>
2540 <para>If you are working with an existing cell which uses
2541 <emphasis role="bold">kaserver</emphasis> or Kerberos v4 for authentication,
2543 <link linkend="HDRWQ53">Initializing Cell Security with kaserver</link>
2544 for installation instructions which replace this section.</para>
2546 <para>Now finish initializing the cell's security mechanisms. Begin by creating the following entry in your site's Kerberos database: <itemizedlist>
2548 <para>A generic administrative account, called <emphasis role="bold">admin</emphasis> by convention. If you choose to
2549 assign a different name, substitute it throughout the remainder of this document.</para>
2551 <para>After you complete the installation of the first machine, you can continue to have all administrators use the
2552 <emphasis role="bold">admin</emphasis> account, or you can create a separate administrative account for each of them. The
2553 latter scheme implies somewhat more overhead, but provides a more informative audit trail for administrative
2556 </itemizedlist></para>
2558 <para>You also issue several commands that enable the new <emphasis role="bold">admin</emphasis> user to issue privileged
2559 commands in all of the AFS suites.</para>
2561 <para>The following instructions do not configure all of the security mechanisms related to the AFS Backup System. See the
2562 chapter in the <emphasis>OpenAFS Administration Guide</emphasis> about configuring the Backup System.</para>
2564 <para>The examples below assume you are using MIT Kerberos. Please refer
2565 to the documentation for your KDC's administrative interface if you are
2566 using a different vendor</para>
2570 <para>Enter <emphasis role="bold">kadmin</emphasis> interactive mode.
2572 # <emphasis role="bold">kadmin</emphasis>
2573 Authenticating as principal <replaceable>you</replaceable>/admin@<replaceable>YOUR REALM</replaceable> with password
2574 Password for <replaceable>you/admin@REALM</replaceable>: <replaceable>your_password</replaceable>
2575 </programlisting> </para>
2580 <emphasis role="bold">add_principal</emphasis> command to create
2581 the Kerberos Database entry for
2582 <emphasis role="bold">admin</emphasis>.</para>
2584 <para>You should make the <replaceable>admin_passwd</replaceable> as
2585 long and complex as possible, but keep in mind that administrators
2586 need to enter it often. It must be at least six characters long.
2588 kadmin: <emphasis role="bold">add_principal admin</emphasis>
2589 Enter password for principal "admin@<replaceable>REALM</replaceable>": <emphasis role="bold"><replaceable>admin_password</replaceable></emphasis>
2590 Principal "admin@<replaceable>REALM</replaceable>" created.
2595 <primary>displaying</primary>
2597 <secondary>server encryption key</secondary>
2599 <tertiary>Authentication Database</tertiary>
2604 <para>Issue the <emphasis role="bold">quit</emphasis> command to leave <emphasis role="bold">kadmin</emphasis>
2605 interactive mode. <programlisting>
2606 kadmin: <emphasis role="bold">quit</emphasis>
2607 </programlisting> <indexterm>
2608 <primary>commands</primary>
2610 <secondary>bos adduser</secondary>
2611 </indexterm> <indexterm>
2612 <primary>bos commands</primary>
2614 <secondary>adduser</secondary>
2615 </indexterm> <indexterm>
2616 <primary>usr/afs/etc/UserList</primary>
2618 <see>UserList file</see>
2619 </indexterm> <indexterm>
2620 <primary>UserList file</primary>
2622 <secondary>first AFS machine</secondary>
2623 </indexterm> <indexterm>
2624 <primary>files</primary>
2626 <secondary>UserList</secondary>
2627 </indexterm> <indexterm>
2628 <primary>creating</primary>
2630 <secondary>UserList file entry</secondary>
2631 </indexterm> <indexterm>
2632 <primary>admin account</primary>
2634 <secondary>adding</secondary>
2636 <tertiary>to UserList file</tertiary>
2640 <listitem id="LIWQ57">
2641 <para>Issue the <emphasis role="bold">bos adduser</emphasis> command to add the <emphasis
2642 role="bold">admin</emphasis> user to the <emphasis role="bold">/usr/afs/etc/UserList</emphasis> file. This enables the
2643 <emphasis role="bold">admin</emphasis> user to issue privileged <emphasis role="bold">bos</emphasis> and <emphasis
2644 role="bold">vos</emphasis> commands. <programlisting>
2645 # <emphasis role="bold">./bos adduser</emphasis> <<replaceable>machine name</replaceable>> <emphasis role="bold">admin -localauth</emphasis>
2648 <primary>commands</primary>
2649 <secondary>asetkey</secondary>
2652 <primary>creating</primary>
2653 <secondary>server encryption key</secondary>
2654 <tertiary>KeyFile file</tertiary>
2657 <primary>server encryption key</primary>
2658 <secondary>in KeyFile file</secondary>
2663 <sect1 id="HDRWQ53a">
2664 <title>Initializing the Protection Database</title>
2666 <para>Now continue to configure your cell's security systems by
2667 populating the Protection Database with the newly created
2668 <emphasis role="bold">admin</emphasis> user, and permitting it
2669 to issue priviledged commands on the AFS filesystem.
2670 There is nothing special about the name "admin"; it is just a
2671 convenient name for these instructions. An other name could
2672 be used throughout this document, or multiple privileged
2673 accounts created.</para>
2677 <para>Issue the <emphasis role="bold">pts createuser</emphasis> command to create a Protection Database entry for the
2678 <emphasis role="bold">admin</emphasis> user.
2680 <primary>commands</primary>
2681 <secondary>pts createuser</secondary>
2685 <primary>pts commands</primary>
2686 <secondary>createuser</secondary>
2690 <primary>Protection Database</primary>
2693 <para>By default, the Protection Server assigns AFS UID 1 (one) to the <emphasis role="bold">admin</emphasis> user,
2694 because it is the first user entry you are creating. If the local password file (<emphasis
2695 role="bold">/etc/passwd</emphasis> or equivalent) already has an entry for <emphasis role="bold">admin</emphasis> that
2696 assigns it a UNIX UID other than 1, it is best to use the <emphasis role="bold">-id</emphasis> argument to the <emphasis
2697 role="bold">pts createuser</emphasis> command to make the new AFS UID match the existing UNIX UID. Otherwise, it is best
2698 to accept the default.</para>
2701 # <emphasis role="bold">pts createuser -name admin</emphasis> [<emphasis
2702 role="bold">-id</emphasis> <<replaceable>AFS UID</replaceable>>] <emphasis role="bold">-localauth</emphasis>
2703 User admin has id <replaceable>AFS UID</replaceable>
2707 <primary>commands</primary>
2708 <secondary>pts adduser</secondary>
2712 <primary>pts commands</primary>
2713 <secondary>adduser</secondary>
2717 <primary>system:administrators group</primary>
2721 <primary>admin account</primary>
2722 <secondary>adding</secondary>
2723 <tertiary>to system:administrators group</tertiary>
2728 <para>Issue the <emphasis role="bold">pts adduser</emphasis> command to make the <emphasis role="bold">admin</emphasis>
2729 user a member of the <emphasis role="bold">system:administrators</emphasis> group, and the <emphasis role="bold">pts
2730 membership</emphasis> command to verify the new membership. Membership in the group enables the <emphasis
2731 role="bold">admin</emphasis> user to issue privileged <emphasis role="bold">pts</emphasis> commands and some privileged
2732 <emphasis role="bold">fs</emphasis> commands. <programlisting>
2733 # <emphasis role="bold">./pts adduser admin system:administrators</emphasis> <emphasis role="bold">-localauth</emphasis>
2734 # <emphasis role="bold">./pts membership admin</emphasis> <emphasis role="bold">-localauth</emphasis>
2735 Groups admin (id: 1) is a member of:
2736 system:administrators
2737 </programlisting> <indexterm>
2738 <primary>commands</primary>
2739 <secondary>bos restart</secondary>
2740 <tertiary>on first AFS machine</tertiary>
2741 </indexterm> <indexterm>
2742 <primary>bos commands</primary>
2743 <secondary>restart</secondary>
2744 <tertiary>on first AFS machine</tertiary>
2745 </indexterm> <indexterm>
2746 <primary>restarting server process</primary>
2747 <secondary>on first AFS machine</secondary>
2748 </indexterm> <indexterm>
2749 <primary>server process</primary>
2750 <secondary>restarting</secondary>
2751 <tertiary>on first AFS machine</tertiary>
2757 <primary>File Server</primary>
2759 <secondary>first AFS machine</secondary>
2763 <primary>fileserver process</primary>
2765 <see>File Server</see>
2769 <primary>starting</primary>
2771 <secondary>File Server</secondary>
2773 <tertiary>first AFS machine</tertiary>
2777 <primary>first AFS machine</primary>
2779 <secondary>File Server, fs process</secondary>
2783 <primary>Volume Server</primary>
2785 <secondary>first AFS machine</secondary>
2789 <primary>volserver process</primary>
2791 <see>Volume Server</see>
2795 <primary>starting</primary>
2797 <secondary>Volume Server</secondary>
2799 <tertiary>first AFS machine</tertiary>
2803 <primary>first AFS machine</primary>
2805 <secondary>Volume Server</secondary>
2809 <primary>Salvager (salvager process)</primary>
2811 <secondary>first AFS machine</secondary>
2815 <primary>fs process</primary>
2817 <secondary>first AFS machine</secondary>
2821 <primary>starting</primary>
2823 <secondary>fs process</secondary>
2825 <tertiary>first AFS machine</tertiary>
2829 <primary>first AFS machine</primary>
2831 <secondary>Salvager</secondary>
2835 <sect1 id="HDRWQ60">
2836 <title>Starting the File Server processes</title>
2839 <emphasis role="bold">dafs</emphasis> process.
2840 The <emphasis role="bold">dafs</emphasis> process consists of the
2841 Demand-Attach File Server, Volume Server, Salvage Server, and Salvager (<emphasis role="bold">dafileserver</emphasis>,
2842 <emphasis role="bold"> davolserver</emphasis>, <emphasis role="bold">salvageserver</emphasis>, and <emphasis
2843 role="bold">dasalvager</emphasis> processes). Most sites should run the
2844 Demand-Attach File Server, but the traditional/legacy File Server remains
2845 an option. If you are uncertain whether to run the legacy File Server,
2846 see <link linkend="DAFS">Appendix C, The Demand-Attach File Server</link>.
2849 <para>Issue the <emphasis role="bold">bos create</emphasis> command to start the
2850 <emphasis role="bold">dafs</emphasis> process. The commands appear here on multiple lines only for legibility.
2854 <para>Create the <emphasis
2855 role="bold">dafs</emphasis> process:
2857 # <emphasis role="bold">./bos create</emphasis> <<replaceable>machine name</replaceable>> <emphasis role="bold">dafs dafs /usr/afs/bin/dafileserver</emphasis> \
2858 <emphasis role="bold">/usr/afs/bin/davolserver /usr/afs/bin/salvageserver</emphasis> \
2859 <emphasis role="bold">/usr/afs/bin/dasalvager</emphasis> <emphasis role="bold">-localauth</emphasis>
2860 </programlisting></para>
2865 <para>Sometimes a message about Volume Location Database (VLDB) initialization appears, along with one or more instances
2866 of an error message similar to the following:</para>
2869 FSYNC_clientInit temporary failure (will retry)
2872 <para>This message appears when the <emphasis role="bold">volserver</emphasis> process tries to start before the <emphasis
2873 role="bold">fileserver</emphasis> process has completed its initialization. Wait a few minutes after the last such message
2874 before continuing, to guarantee that both processes have started successfully. <indexterm>
2875 <primary>commands</primary>
2877 <secondary>bos status</secondary>
2878 </indexterm> <indexterm>
2879 <primary>bos commands</primary>
2881 <secondary>status</secondary>
2884 <para>You can verify that the <emphasis role="bold">dafs</emphasis> process has started
2885 successfully by issuing the <emphasis role="bold">bos status</emphasis> command. Its output mentions two <computeroutput>proc
2886 starts</computeroutput>.</para>
2890 # <emphasis role="bold">./bos status</emphasis> <<replaceable>machine name</replaceable>> <emphasis role="bold">dafs -long -localauth</emphasis>
2891 </programlisting></para>
2895 <para>Your next action depends on whether you have ever run AFS file server machines in the cell: <itemizedlist>
2897 <primary>commands</primary>
2899 <secondary>vos create</secondary>
2901 <tertiary>root.afs volume</tertiary>
2905 <primary>vos commands</primary>
2907 <secondary>create</secondary>
2909 <tertiary>root.afs volume</tertiary>
2913 <primary>root.afs volume</primary>
2915 <secondary>creating</secondary>
2919 <primary>volume</primary>
2921 <secondary>creating</secondary>
2923 <tertiary>root.afs</tertiary>
2927 <primary>creating</primary>
2929 <secondary>root.afs volume</secondary>
2933 <para>If you are installing the first AFS server machine ever in the cell (that is, you are not upgrading the AFS
2934 software from a previous version), create the first AFS volume, <emphasis role="bold">root.afs</emphasis>.</para>
2936 <para>For the <replaceable>partition name</replaceable> argument, substitute the name of one of the machine's AFS
2937 server partitions (such as <emphasis role="bold">/vicepa</emphasis>).</para>
2940 # <emphasis role="bold">./vos create</emphasis> <<replaceable>machine name</replaceable>> <<replaceable>partition name</replaceable>> <emphasis
2941 role="bold">root.afs</emphasis> \
2942 <emphasis role="bold">-localauth</emphasis>
2945 <para>The Volume Server produces a message confirming that it created the volume on the specified partition. <indexterm>
2946 <primary>commands</primary>
2948 <secondary>vos syncvldb</secondary>
2949 </indexterm> <indexterm>
2950 <primary>vos commands</primary>
2952 <secondary>syncvldb</secondary>
2953 </indexterm> <indexterm>
2954 <primary>commands</primary>
2956 <secondary>vos syncserv</secondary>
2957 </indexterm> <indexterm>
2958 <primary>vos commands</primary>
2960 <secondary>syncserv</secondary>
2963 </itemizedlist></para>
2965 </orderedlist></para>
2968 <primary>Update Server</primary>
2970 <secondary>starting server portion</secondary>
2972 <tertiary>first AFS machine</tertiary>
2976 <primary>upserver process</primary>
2978 <see>Update Server</see>
2982 <primary>starting</primary>
2984 <secondary>Update Server server portion</secondary>
2986 <tertiary>first AFS machine</tertiary>
2990 <primary>first AFS machine</primary>
2992 <secondary>Update Server server portion</secondary>
2996 <primary>first AFS machine</primary>
2998 <secondary>defining</secondary>
3000 <tertiary>as binary distribution machine</tertiary>
3004 <primary>first AFS machine</primary>
3006 <secondary>defining</secondary>
3008 <tertiary>as system control machine</tertiary>
3012 <primary>system control machine</primary>
3016 <primary>binary distribution machine</primary>
3020 <sect1 id="HDRWQ62">
3021 <title>Clock Sync Considerations</title>
3023 <para>Keeping the clocks on all server and client machines in your cell synchronized is crucial to several functions, and in
3024 particular to the correct operation of AFS's distributed database technology, Ubik. The chapter in the <emphasis>OpenAFS
3025 Administration Guide</emphasis> about administering server machines explains how time skew can disturb Ubik's performance and
3026 cause service outages in your cell.</para>
3028 <para>You should install and configure your time service independently of
3029 AFS. Your Kerberos realm will also require a reliable time source, so your site
3030 may already have one available.</para>
3033 <primary>overview</primary>
3035 <secondary>installing client functionality on first machine</secondary>
3039 <primary>first AFS machine</primary>
3041 <secondary>client functionality</secondary>
3043 <tertiary>installing</tertiary>
3047 <primary>installing</primary>
3049 <secondary>client functionality</secondary>
3051 <tertiary>first AFS machine</tertiary>
3055 <sect1 id="HDRWQ63">
3056 <title>Overview: Installing Client Functionality</title>
3058 <para>The machine you are installing is now an AFS file server machine
3059 and database server machine.
3060 Now make it a client machine by completing the following tasks:
3063 <para>Define the machine's cell membership for client processes</para>
3067 <para>Create the client version of the <emphasis role="bold">CellServDB</emphasis> file</para>
3071 <para>Define cache location and size</para>
3075 <para>Create the <emphasis role="bold">/afs</emphasis> directory and start the Cache Manager</para>
3077 </orderedlist></para>
3080 <primary>Distribution</primary>
3082 <secondary>copying client files from</secondary>
3084 <tertiary>first AFS machine</tertiary>
3088 <primary>first AFS machine</primary>
3090 <secondary>copying</secondary>
3092 <tertiary>client files to local disk</tertiary>
3096 <primary>copying</primary>
3098 <secondary>client files to local disk</secondary>
3100 <tertiary>first AFS machine</tertiary>
3104 <sect1 id="HDRWQ64">
3105 <title>Copying Client Files to the Local Disk</title>
3107 <para>You need only undertake the steps in this section, if you are using
3108 a tar file distribution, or one built from scratch. Packaged distributions,
3109 such as RPMs or DEBs will already have installed the necessary files in
3110 the correct locations.</para>
3112 <para>Before installing and configuring the AFS client, copy the necessary files from the tarball to the local <emphasis
3113 role="bold">/usr/vice/etc</emphasis> directory. <orderedlist>
3115 <para>If you have not already done so, unpack the distribution
3116 tarball for this machine's system type into a suitable location on
3117 the filesystem, such as <emphasis role="bold">/tmp/afsdist</emphasis>.
3118 If you use a different location, substitue that in the examples that
3123 <para>Copy files to the local <emphasis role="bold">/usr/vice/etc</emphasis> directory.</para>
3125 <para>This step places a copy of the AFS initialization script (and related files, if applicable) into the <emphasis
3126 role="bold">/usr/vice/etc</emphasis> directory. In the preceding instructions for incorporating AFS into the kernel, you
3127 copied the script directly to the operating system's conventional location for initialization files. When you incorporate
3128 AFS into the machine's startup sequence in a later step, you can choose to link the two files.</para>
3130 <para>On some system types that use a dynamic kernel loader program, you previously copied AFS library files into a
3131 subdirectory of the <emphasis role="bold">/usr/vice/etc</emphasis> directory. On other system types, you copied the
3132 appropriate AFS library file directly to the directory where the operating system accesses it. The following commands do
3133 not copy or recopy the AFS library files into the <emphasis role="bold">/usr/vice/etc</emphasis> directory, because on
3134 some system types the library files consume a large amount of space. If you want to copy them, add the <emphasis
3135 role="bold">-r</emphasis> flag to the first <emphasis role="bold">cp</emphasis> command and skip the second <emphasis
3136 role="bold">cp</emphasis> command.</para>
3139 # <emphasis role="bold">cd /tmp/afsdist/</emphasis><replaceable>sysname</replaceable><emphasis role="bold">/root.client/usr/vice/etc</emphasis>
3140 # <emphasis role="bold">cp -p * /usr/vice/etc</emphasis>
3141 # <emphasis role="bold">cp -rp C /usr/vice/etc</emphasis>
3144 </orderedlist></para>
3147 <primary>cell name</primary>
3149 <secondary>setting in client ThisCell file</secondary>
3151 <tertiary>first AFS machine</tertiary>
3155 <primary>setting</primary>
3157 <secondary>cell name in client ThisCell file</secondary>
3159 <tertiary>first AFS machine</tertiary>
3163 <primary>first AFS machine</primary>
3165 <secondary>ThisCell file (client)</secondary>
3169 <primary>first AFS machine</primary>
3171 <secondary>cell membership, defining</secondary>
3173 <tertiary>for client processes</tertiary>
3177 <primary>usr/vice/etc/ThisCell</primary>
3179 <see>ThisCell file (client)</see>
3183 <primary>ThisCell file (client)</primary>
3185 <secondary>first AFS machine</secondary>
3189 <primary>files</primary>
3191 <secondary>ThisCell (client)</secondary>
3195 <sect1 id="HDRWQ65">
3196 <title>Defining Cell Membership for Client Processes</title>
3198 <para>Every AFS client machine has a copy of the <emphasis role="bold">/usr/vice/etc/ThisCell</emphasis> file on its local disk
3199 to define the machine's cell membership for the AFS client programs that run on it. The <emphasis
3200 role="bold">ThisCell</emphasis> file you created in the <emphasis role="bold">/usr/afs/etc</emphasis> directory (in <link
3201 linkend="HDRWQ51">Defining Cell Name and Membership for Server Processes</link>) is used only by server processes.</para>
3203 <para>Among other functions, the <emphasis role="bold">ThisCell</emphasis> file on a client machine determines the following:
3206 <para>The cell in which users gain tokens when they log onto the
3207 machine, assuming it is using an AFS-modified login utility</para>
3211 <para>The cell in which users gain tokens by default when they issue
3212 the <emphasis role="bold">aklog</emphasis> command</para>
3216 <para>The cell membership of the AFS server processes that the AFS
3217 command interpreters on this machine contact by default</para>
3222 <para>Change to the <emphasis role="bold">/usr/vice/etc</emphasis> directory and remove the symbolic link created in <link
3223 linkend="HDRWQ50">Starting the BOS Server</link>. <programlisting>
3224 # <emphasis role="bold">cd /usr/vice/etc</emphasis>
3225 # <emphasis role="bold">rm ThisCell</emphasis>
3226 </programlisting></para>
3230 <para>Create the <emphasis role="bold">ThisCell</emphasis> file as a copy of the <emphasis
3231 role="bold">/usr/afs/etc/ThisCell</emphasis> file. Defining the same local cell for both server and client processes leads
3232 to the most consistent AFS performance. <programlisting>
3233 # <emphasis role="bold">cp /usr/afs/etc/ThisCell ThisCell</emphasis>
3234 </programlisting></para>
3236 </orderedlist></para>
3239 <primary>database server machine</primary>
3241 <secondary>entry in client CellServDB file</secondary>
3243 <tertiary>on first AFS machine</tertiary>
3247 <primary>usr/vice/etc/CellServDB</primary>
3249 <see>CellServDB file (client)</see>
3253 <primary>CellServDB file (client)</primary>
3255 <secondary>creating</secondary>
3257 <tertiary>on first AFS machine</tertiary>
3261 <primary>creating</primary>
3263 <secondary>CellServDB file (client)</secondary>
3265 <tertiary>first AFS machine</tertiary>
3269 <primary>CellServDB file (client)</primary>
3271 <secondary>required format</secondary>
3275 <primary>requirements</primary>
3277 <secondary>CellServDB file format (client version)</secondary>
3281 <primary>files</primary>
3283 <secondary>CellServDB (client)</secondary>
3287 <primary>first AFS machine</primary>
3289 <secondary>CellServDB file (client)</secondary>
3293 <sect1 id="HDRWQ66">
3294 <title>Creating the Client CellServDB File</title>
3296 <para>The <emphasis role="bold">/usr/vice/etc/CellServDB</emphasis> file on a client machine's local disk lists the database
3297 server machines for each cell that the local Cache Manager can contact. If there is no entry in the file for a cell, or if the
3298 list of database server machines is wrong, then users working on this machine cannot access the cell. The chapter in the
3299 <emphasis>OpenAFS Administration Guide</emphasis> about administering client machines explains how to maintain the file after
3302 <para>As the <emphasis role="bold">afsd</emphasis> program initializes the Cache Manager, it copies the contents of the
3303 <emphasis role="bold">CellServDB</emphasis> file into kernel memory. The Cache Manager always consults the list in kernel memory
3304 rather than the <emphasis role="bold">CellServDB</emphasis> file itself. Between reboots of the machine, you can use the
3305 <emphasis role="bold">fs newcell</emphasis> command to update the list in kernel memory directly; see the chapter in the
3306 <emphasis>OpenAFS Administration Guide</emphasis> about administering client machines.</para>
3308 <para>The AFS distribution includes the file
3309 <emphasis role="bold">CellServDB.dist</emphasis>. It includes an entry for
3310 all AFS cells that agreed to share their database server machine
3311 information at the time the distribution was
3312 created. The definitive copy of this file is maintained at
3313 grand.central.org, and updates may be obtained from
3314 /afs/grand.central.org/service/CellServDB or
3315 <ulink url="http://grand.central.org/dl/cellservdb/CellServDB">
3316 http://grand.central.org/dl/cellservdb/CellServDB</ulink></para>
3318 <para>The <emphasis role="bold">CellServDB.dist</emphasis> file can be a
3319 good basis for the client <emphasis role="bold">CellServDB</emphasis> file,
3320 because all of the entries in it use the correct format. You can add or
3321 remove cell entries as you see fit. Depending on your cache manager
3322 configuration, additional steps (as detailed in
3323 <link linkend="HDRWQ91">Enabling Access to Foreign Cells</link>) may be
3324 required to enable the Cache Manager to actually reach the cells.</para>
3326 <para>In this section, you add an entry for the local cell to the local <emphasis role="bold">CellServDB</emphasis> file. The
3327 current working directory is still <emphasis role="bold">/usr/vice/etc</emphasis>. <orderedlist>
3329 <para>Remove the symbolic link created in <link linkend="HDRWQ50">Starting the BOS Server</link> and rename the <emphasis
3330 role="bold">CellServDB.sample</emphasis> file to <emphasis role="bold">CellServDB</emphasis>. <programlisting>
3331 # <emphasis role="bold">rm CellServDB</emphasis>
3332 # <emphasis role="bold">mv CellServDB.sample CellServDB</emphasis>
3333 </programlisting></para>
3337 <para>Add an entry for the local cell to the <emphasis role="bold">CellServDB</emphasis> file. One easy method is to use
3338 the <emphasis role="bold">cat</emphasis> command to append the contents of the server <emphasis
3339 role="bold">/usr/afs/etc/CellServDB</emphasis> file to the client version. <programlisting>
3340 # <emphasis role="bold">cat /usr/afs/etc/CellServDB >> CellServDB</emphasis>
3341 </programlisting></para>
3343 <para>Then open the file in a text editor to verify that there are no blank lines, and that all entries have the required
3344 format, which is described just following. The ordering of cells is not significant, but it can be convenient to have the
3345 client machine's home cell at the top; move it there now if you wish. <itemizedlist>
3347 <para>The first line of a cell's entry has the following format: <programlisting>
3348 ><replaceable>cell_name</replaceable> #<replaceable>organization</replaceable>
3349 </programlisting></para>
3351 <para>where <replaceable>cell_name</replaceable> is the cell's complete Internet domain name (for example, <emphasis
3352 role="bold">example.com</emphasis>) and <replaceable>organization</replaceable> is an optional field that follows any
3353 number of spaces and the number sign (<computeroutput>#</computeroutput>). By convention it names the organization
3354 to which the cell corresponds (for example, the Example Corporation).</para>
3358 <para>After the first line comes a separate line for each database server machine. Each line has the following
3359 format: <programlisting>
3360 <replaceable>IP_address</replaceable> #<replaceable>machine_name</replaceable>
3361 </programlisting></para>
3363 <para>where <replaceable>IP_address</replaceable> is the machine's IP address in dotted decimal format (for example,
3364 192.12.105.3). Following any number of spaces and the number sign (<computeroutput>#</computeroutput>) is
3365 <replaceable>machine_name</replaceable>, the machine's fully-qualified hostname (for example, <emphasis
3366 role="bold">db1.example.com</emphasis>). In this case, the number sign does not indicate a comment;
3367 <replaceable>machine_name</replaceable> is a required field.</para>
3369 </itemizedlist></para>
3373 <para>If the file includes cells that you do not wish users of this machine to access, remove their entries.</para>
3375 </orderedlist></para>
3377 <para>The following example shows entries for two cells, each of which has three database server machines:</para>
3380 >example.com #Example Corporation (home cell)
3381 192.12.105.3 #db1.example.com
3382 192.12.105.4 #db2.example.com
3383 192.12.105.55 #db3.example.com
3384 >example.org #Example Organization cell
3385 138.255.68.93 #serverA.example.org
3386 138.255.68.72 #serverB.example.org
3387 138.255.33.154 #serverC.example.org
3391 <primary>cache</primary>
3393 <secondary>configuring</secondary>
3395 <tertiary>first AFS machine</tertiary>
3399 <primary>configuring</primary>
3401 <secondary>cache</secondary>
3403 <tertiary>first AFS machine</tertiary>
3407 <primary>setting</primary>
3409 <secondary>cache size and location</secondary>
3411 <tertiary>first AFS machine</tertiary>
3415 <primary>first AFS machine</primary>
3417 <secondary>cache size and location</secondary>
3421 <sect1 id="HDRWQ67">
3422 <title>Configuring the Cache</title>
3424 <para>The Cache Manager uses a cache on the local disk or in machine memory to store local copies of files fetched from file
3425 server machines. As the <emphasis role="bold">afsd</emphasis> program initializes the Cache Manager, it sets basic cache
3426 configuration parameters according to definitions in the local <emphasis role="bold">/usr/vice/etc/cacheinfo</emphasis> file.
3427 The file has three fields: <orderedlist>
3429 <para>The first field names the local directory on which to mount the AFS filespace. The conventional location is the
3430 <emphasis role="bold">/afs</emphasis> directory.</para>
3434 <para>The second field defines the local disk directory to use for the disk cache. The conventional location is the
3435 <emphasis role="bold">/usr/vice/cache</emphasis> directory, but you can specify an alternate directory if another
3436 partition has more space available. There must always be a value in this field, but the Cache Manager ignores it if the
3437 machine uses a memory cache.</para>
3441 <para>The third field specifies the number of kilobyte (1024 byte) blocks to allocate for the cache.</para>
3443 </orderedlist></para>
3445 <para>The values you define must meet the following requirements. <itemizedlist>
3447 <para>On a machine using a disk cache, the Cache Manager expects always to be able to use the amount of space specified in
3448 the third field. Failure to meet this requirement can cause serious problems, some of which can be repaired only by
3449 rebooting. You must prevent non-AFS processes from filling up the cache partition. The simplest way is to devote a
3450 partition to the cache exclusively.</para>
3454 <para>The amount of space available in memory or on the partition housing the disk cache directory imposes an absolute
3455 limit on cache size.</para>
3459 <para>The maximum supported cache size can vary in each AFS release; see the <emphasis>OpenAFS Release Notes</emphasis>
3460 for the current version.</para>
3464 <para>For a disk cache, you cannot specify a value in the third field that exceeds 95% of the space available on the
3465 partition mounted at the directory named in the second field. If you violate this restriction, the <emphasis
3466 role="bold">afsd</emphasis> program exits without starting the Cache Manager and prints an appropriate message on the
3467 standard output stream. A value of 90% is more appropriate on most machines. Some operating systems (such as AIX) do not
3468 automatically reserve some space to prevent the partition from filling completely; for them, a smaller value (say, 80% to
3469 85% of the space available) is more appropriate.</para>
3473 <para>For a memory cache, you must leave enough memory for other processes and applications to run. If you try to allocate
3474 more memory than is actually available, the <emphasis role="bold">afsd</emphasis> program exits without initializing the
3475 Cache Manager and produces the following message on the standard output stream. <programlisting>
3476 afsd: memCache allocation failure at <replaceable>number</replaceable> KB
3477 </programlisting></para>
3479 <para>The <replaceable>number</replaceable> value is how many kilobytes were allocated just before the failure, and so
3480 indicates the approximate amount of memory available.</para>
3482 </itemizedlist></para>
3484 <para>Within these hard limits, the factors that determine appropriate cache size include the number of users working on the
3485 machine, the size of the files with which they work, and (for a memory cache) the number of processes that run on the machine.
3486 The higher the demand from these factors, the larger the cache needs to be to maintain good performance.</para>
3488 <para>Disk caches smaller than 10 MB do not generally perform well. Machines serving multiple users usually perform better with
3489 a cache of at least 60 to 70 MB. The point at which enlarging the cache further does not really improve performance depends on
3490 the factors mentioned previously and is difficult to predict.</para>
3492 <para>Memory caches smaller than 1 MB are nonfunctional, and the performance of caches smaller than 5 MB is usually
3493 unsatisfactory. Suitable upper limits are similar to those for disk caches but are probably determined more by the demands on
3494 memory from other sources on the machine (number of users and processes). Machines running only a few processes possibly can use
3495 a smaller memory cache.</para>
3497 <sect2 id="HDRWQ68">
3498 <title>Configuring a Disk Cache</title>
3501 <para>Not all file system types that an operating system supports are necessarily supported for use as the cache partition.
3502 For possible restrictions, see the <emphasis>OpenAFS Release Notes</emphasis>.</para>
3505 <para>To configure the disk cache, perform the following procedures: <orderedlist>
3507 <para>Create the local directory to use for caching. The following instruction shows the conventional location,
3508 <emphasis role="bold">/usr/vice/cache</emphasis>. If you are devoting a partition exclusively to caching, as
3509 recommended, you must also configure it, make a file system on it, and mount it at the directory created in this step.
3511 # <emphasis role="bold">mkdir /usr/vice/cache</emphasis>
3512 </programlisting></para>
3516 <para>Create the <emphasis role="bold">cacheinfo</emphasis> file to define the configuration parameters discussed
3517 previously. The following instruction shows the standard mount location, <emphasis role="bold">/afs</emphasis>, and the
3518 standard cache location, <emphasis role="bold">/usr/vice/cache</emphasis>. <programlisting>
3519 # <emphasis role="bold">echo "/afs:/usr/vice/cache:</emphasis><replaceable>#blocks</replaceable><emphasis role="bold">" > /usr/vice/etc/cacheinfo</emphasis>
3520 </programlisting></para>
3522 <para>The following example defines the disk cache size as 50,000 KB:</para>
3525 # <emphasis role="bold">echo "/afs:/usr/vice/cache:50000" > /usr/vice/etc/cacheinfo</emphasis>
3528 </orderedlist></para>
3531 <sect2 id="HDRWQ69">
3532 <title>Configuring a Memory Cache</title>
3534 <para>To configure a memory cache, create the <emphasis role="bold">cacheinfo</emphasis> file to define the configuration
3535 parameters discussed previously. The following instruction shows the standard mount location, <emphasis
3536 role="bold">/afs</emphasis>, and the standard cache location, <emphasis role="bold">/usr/vice/cache</emphasis> (though the
3537 exact value of the latter is irrelevant for a memory cache).</para>
3540 # <emphasis role="bold">echo "/afs:/usr/vice/cache:</emphasis><replaceable>#blocks</replaceable><emphasis role="bold">" > /usr/vice/etc/cacheinfo</emphasis>
3543 <para>The following example allocates 25,000 KB of memory for the cache.</para>
3546 # <emphasis role="bold">echo "/afs:/usr/vice/cache:25000" > /usr/vice/etc/cacheinfo</emphasis>
3550 <primary>Cache Manager</primary>
3552 <secondary>first AFS machine</secondary>
3556 <primary>configuring</primary>
3558 <secondary>Cache Manager</secondary>
3560 <tertiary>first AFS machine</tertiary>
3564 <primary>first AFS machine</primary>
3566 <secondary>Cache Manager</secondary>
3570 <primary>afs (/afs) directory</primary>
3572 <secondary>creating</secondary>
3574 <tertiary>first AFS machine</tertiary>
3578 <primary>AFS initialization script</primary>
3580 <secondary>setting afsd parameters</secondary>
3582 <tertiary>first AFS machine</tertiary>
3586 <primary>first AFS machine</primary>
3588 <secondary>afsd command parameters</secondary>
3593 <sect1 id="HDRWQ70">
3594 <title>Configuring the Cache Manager</title>
3596 <para>By convention, the Cache Manager mounts the AFS filespace on the local <emphasis role="bold">/afs</emphasis> directory. In
3597 this section you create that directory.</para>
3599 <para>The <emphasis role="bold">afsd</emphasis> program sets several cache configuration parameters as it initializes the Cache
3600 Manager, and starts daemons that improve performance. You can use the <emphasis role="bold">afsd</emphasis> command's arguments
3601 to override the parameters' default values and to change the number of some of the daemons. Depending on the machine's cache
3602 size, its amount of RAM, and how many people work on it, you can sometimes improve Cache Manager performance by overriding the
3603 default values. For a discussion of all of the <emphasis role="bold">afsd</emphasis> command's arguments, see its reference page
3604 in the <emphasis>OpenAFS Administration Reference</emphasis>.</para>
3606 <para>On platforms using the standard 'afs' initialisation script (this does not apply to Fedora or RHEL based distributions), the <emphasis role="bold">afsd</emphasis> command line in the AFS initialization script on each system type includes an
3607 <computeroutput>OPTIONS</computeroutput> variable. You can use it to set nondefault values for the command's arguments, in one
3608 of the following ways: <itemizedlist>
3610 <para>You can create an <emphasis role="bold">afsd</emphasis> <emphasis>options file</emphasis> that sets values for
3611 arguments to the <emphasis role="bold">afsd</emphasis> command. If the file exists, its contents are automatically
3612 substituted for the <computeroutput>OPTIONS</computeroutput> variable in the AFS initialization script. The AFS
3613 distribution for some system types includes an options file; on other system types, you must create it.</para>
3615 <para>You use two variables in the AFS initialization script to specify the path to the options file:
3616 <computeroutput>CONFIG</computeroutput> and <computeroutput>AFSDOPT</computeroutput>. On system types that define a
3617 conventional directory for configuration files, the <computeroutput>CONFIG</computeroutput> variable indicates it by
3618 default; otherwise, the variable indicates an appropriate location.</para>
3620 <para>List the desired <emphasis role="bold">afsd</emphasis> options on a single line in the options file, separating each
3621 option with one or more spaces. The following example sets the <emphasis role="bold">-stat</emphasis> argument to 2500,
3622 the <emphasis role="bold">-daemons</emphasis> argument to 4, and the <emphasis role="bold">-volumes</emphasis> argument to
3626 -stat 2500 -daemons 4 -volumes 100
3631 <para>On a machine that uses a disk cache, you can set the <computeroutput>OPTIONS</computeroutput> variable in the AFS
3632 initialization script to one of <computeroutput>$SMALL</computeroutput>, <computeroutput>$MEDIUM</computeroutput>, or
3633 <computeroutput>$LARGE</computeroutput>. The AFS initialization script uses one of these settings if the <emphasis
3634 role="bold">afsd</emphasis> options file named by the <computeroutput>AFSDOPT</computeroutput> variable does not exist. In
3635 the script as distributed, the <computeroutput>OPTIONS</computeroutput> variable is set to the value
3636 <computeroutput>$MEDIUM</computeroutput>.</para>
3639 <para>Do not set the <computeroutput>OPTIONS</computeroutput> variable to <computeroutput>$SMALL</computeroutput>,
3640 <computeroutput>$MEDIUM</computeroutput>, or <computeroutput>$LARGE</computeroutput> on a machine that uses a memory
3641 cache. The arguments it sets are appropriate only on a machine that uses a disk cache.</para>
3644 <para>The script (or on some system types the <emphasis role="bold">afsd</emphasis> options file named by the
3645 <computeroutput>AFSDOPT</computeroutput> variable) defines a value for each of <computeroutput>SMALL</computeroutput>,
3646 <computeroutput>MEDIUM</computeroutput>, and <computeroutput>LARGE</computeroutput> that sets <emphasis
3647 role="bold">afsd</emphasis> command arguments appropriately for client machines of different sizes: <itemizedlist>
3649 <para><computeroutput>SMALL</computeroutput> is suitable for a small machine that serves one or two users and has
3650 approximately 8 MB of RAM and a 20-MB cache</para>
3654 <para><computeroutput>MEDIUM</computeroutput> is suitable for a medium-sized machine that serves two to six users
3655 and has 16 MB of RAM and a 40-MB cache</para>
3659 <para><computeroutput>LARGE</computeroutput> is suitable for a large machine that serves five to ten users and has
3660 32 MB of RAM and a 100-MB cache</para>
3662 </itemizedlist></para>
3666 <para>You can choose not to create an <emphasis role="bold">afsd</emphasis> options file and to set the
3667 <computeroutput>OPTIONS</computeroutput> variable in the initialization script to a null value rather than to the default
3668 <computeroutput>$MEDIUM</computeroutput> value. You can then either set arguments directly on the <emphasis
3669 role="bold">afsd</emphasis> command line in the script, or set no arguments (and so accept default values for all Cache
3670 Manager parameters).</para>
3675 <para>If you are running on a Fedora or RHEL based system, the
3676 openafs-client initialization script behaves differently from that
3677 described above. It sources /etc/sysconfig/openafs, in which the
3678 AFSD_ARGS variable may be set to contain any, or all, of the afsd options
3679 detailed. Note that this script does not support setting an OPTIONS
3680 variable, or the SMALL, MEDIUM and LARGE methods of defining cache size
3686 <para>Create the local directory on which to mount the AFS filespace, by convention <emphasis role="bold">/afs</emphasis>.
3687 If the directory already exists, verify that it is empty. <programlisting>
3688 # <emphasis role="bold">mkdir /afs</emphasis>
3689 </programlisting></para>
3693 <para>On AIX systems, add the following line to the <emphasis role="bold">/etc/vfs</emphasis> file. It enables AIX to
3694 unmount AFS correctly during shutdown. <programlisting>
3696 </programlisting></para>
3700 <para>On non-package based Linux systems, copy the <emphasis role="bold">afsd</emphasis> options file from the <emphasis
3701 role="bold">/usr/vice/etc</emphasis> directory to the <emphasis role="bold">/etc/sysconfig</emphasis> directory, removing
3702 the <emphasis role="bold">.conf</emphasis> extension as you do so. <programlisting>
3703 # <emphasis role="bold">cp /usr/vice/etc/afs.conf /etc/sysconfig/afs</emphasis>
3704 </programlisting></para>
3708 <para>Edit the machine's AFS initialization script or <emphasis role="bold">afsd</emphasis> options file to set
3709 appropriate values for <emphasis role="bold">afsd</emphasis> command parameters. The script resides in the indicated
3710 location on each system type: <itemizedlist>
3712 <para>On AIX systems, <emphasis role="bold">/etc/rc.afs</emphasis></para>
3716 <para>On Fedora and RHEL systems, <emphasis role="bold">/etc/sysconfg/openafs</emphasis></para>
3720 <para>On non-package based Linux systems, <emphasis role="bold">/etc/sysconfig/afs</emphasis> (the <emphasis
3721 role="bold">afsd</emphasis> options file)</para>
3725 <para>On Solaris systems, <emphasis role="bold">/etc/init.d/afs</emphasis></para>
3727 </itemizedlist></para>
3729 <para>Use one of the methods described in the introduction to this section to add the following flags to the <emphasis
3730 role="bold">afsd</emphasis> command line. If you intend for the machine to remain an AFS client, also set any
3731 performance-related arguments you wish. <itemizedlist>
3733 <para>Add the <emphasis role="bold">-memcache</emphasis> flag if the machine is to use a memory cache.</para>
3737 <para>Add the <emphasis role="bold">-verbose</emphasis> flag to display a trace of the Cache Manager's
3738 initialization on the standard output stream.</para>
3740 </itemizedlist></para>
3743 <note><para>In order to successfully complete the instructions in the
3744 remainder of this guide, it is important that the machine does not have
3745 a synthetic root (as discussed in <link linkend="HDRWQ91">Enabling Access
3746 to Foreign Cells</link>). As some distributions ship with this enabled, it
3747 may be necessary to remove any occurences of the
3748 <emphasis role="bold">-dynroot</emphasis> and
3749 <emphasis role="bold">-afsdb</emphasis> options from both the AFS
3750 initialisation script and options file. If this functionality is
3751 required it may be renabled as detailed in
3752 <link linkend="HDRWQ91">Enabling Access to Foreign Cells</link>.
3757 <primary>overview</primary>
3759 <secondary>completing installation of first machine</secondary>
3763 <primary>first AFS machine</primary>
3765 <secondary>completion of installation</secondary>
3769 <sect1 id="HDRWQ71">
3770 <title>Overview: Completing the Installation of the First AFS Machine</title>
3772 <para>The machine is now configured as an AFS file server and client machine. In this final phase of the installation, you
3773 initialize the Cache Manager and then create the upper levels of your AFS filespace, among other procedures. The procedures are:
3776 <para>Verify that the initialization script works correctly, and incorporate it into the operating system's startup and
3777 shutdown sequence</para>
3781 <para>Create and mount top-level volumes</para>
3785 <para>Create and mount volumes to store system binaries in AFS</para>
3789 <para>Enable access to foreign cells</para>
3793 <para>Institute additional security measures</para>
3797 <para>Remove client functionality if desired</para>
3799 </orderedlist></para>
3802 <primary>AFS initialization script</primary>
3804 <secondary>verifying on first AFS machine</secondary>
3808 <primary>AFS initialization script</primary>
3810 <secondary>running</secondary>
3812 <tertiary>first AFS machine</tertiary>
3816 <primary>first AFS machine</primary>
3818 <secondary>AFS initialization script</secondary>
3820 <tertiary>running/verifying</tertiary>
3824 <primary>running AFS init. script</primary>
3826 <secondary>first AFS machine</secondary>
3830 <primary>invoking AFS init. script</primary>
3836 <sect1 id="HDRWQ72">
3837 <title>Verifying the AFS Initialization Script</title>
3839 <para>At this point you run the AFS initialization script to verify that it correctly invokes all of the necessary programs and
3840 AFS processes, and that they start correctly. The following are the relevant commands: <itemizedlist>
3842 <para>The command that dynamically loads AFS modifications into the kernel, on some system types (not applicable if the
3843 kernel has AFS modifications built in)</para>
3847 <para>The <emphasis role="bold">bosserver</emphasis> command, which starts the BOS Server; it in turn starts the server
3848 processes for which you created entries in the <emphasis role="bold">/usr/afs/local/BosConfig</emphasis> file</para>
3852 <para>The <emphasis role="bold">afsd</emphasis> command, which initializes the Cache Manager</para>
3854 </itemizedlist></para>
3856 <para>On system types that use a dynamic loader program, you must reboot the machine before running the initialization script,
3857 so that it can freshly load AFS modifications into the kernel.</para>
3859 <para>If there are problems during the initialization, attempt to resolve them. The OpenAFS mailing lists can provide assistance if necessary.
3863 <primary>commands</primary>
3865 <secondary>bos shutdown</secondary>
3869 <primary>bos commands</primary>
3871 <secondary>shutdown</secondary>
3875 <para>Issue the <emphasis role="bold">bos shutdown</emphasis> command to shut down the AFS server processes other than the
3876 BOS Server. Include the <emphasis role="bold">-wait</emphasis> flag to delay return of the command shell prompt until all
3877 processes shut down completely. <programlisting>
3878 # <emphasis role="bold">/usr/afs/bin/bos shutdown</emphasis> <<replaceable>machine name</replaceable>> <emphasis
3879 role="bold">-wait</emphasis>
3880 </programlisting></para>
3884 <para>Issue the <emphasis role="bold">ps</emphasis> command to learn the <emphasis role="bold">bosserver</emphasis>
3885 process's process ID number (PID), and then the <emphasis role="bold">kill</emphasis> command to stop it. <programlisting>
3886 # <emphasis role="bold">ps</emphasis> <replaceable>appropriate_ps_options</replaceable> <emphasis role="bold">| grep bosserver</emphasis>
3887 # <emphasis role="bold">kill</emphasis> <replaceable>bosserver_PID</replaceable>
3888 </programlisting></para>
3892 <para>Issue the appropriate commands to run the AFS initialization script for this system type.</para>
3895 <primary>AIX</primary>
3897 <secondary>AFS initialization script</secondary>
3899 <tertiary>on first AFS machine</tertiary>
3902 <para><emphasis role="bold">On AIX systems:</emphasis> <orderedlist>
3904 <para>Reboot the machine and log in again as the local superuser <emphasis role="bold">root</emphasis>.
3906 # <emphasis role="bold">cd /</emphasis>
3907 # <emphasis role="bold">shutdown -r now</emphasis>
3908 login: <emphasis role="bold">root</emphasis>
3909 Password: <replaceable>root_password</replaceable>
3910 </programlisting></para>
3914 <para>Run the AFS initialization script. <programlisting>
3915 # <emphasis role="bold">/etc/rc.afs</emphasis>
3916 </programlisting></para>
3918 </orderedlist></para>
3920 <para><emphasis role="bold">On Linux systems:</emphasis> <orderedlist>
3922 <para>Reboot the machine and log in again as the local superuser <emphasis role="bold">root</emphasis>.
3924 # <emphasis role="bold">cd /</emphasis>
3925 # <emphasis role="bold">shutdown -r now</emphasis>
3926 login: <emphasis role="bold">root</emphasis>
3927 Password: <replaceable>root_password</replaceable>
3928 </programlisting></para>
3932 <para>Run the AFS initialization scripts.
3934 # <emphasis role="bold">/etc/rc.d/init.d/openafs-client start</emphasis>
3935 # <emphasis role="bold">/etc/rc.d/init.d/openafs-server start</emphasis>
3936 </programlisting></para>
3938 </orderedlist></para>
3941 <primary>Solaris</primary>
3943 <secondary>AFS initialization script</secondary>
3945 <tertiary>on first AFS machine</tertiary>
3948 <para><emphasis role="bold">On Solaris systems:</emphasis> <orderedlist>
3950 <para>Reboot the machine and log in again as the local superuser <emphasis role="bold">root</emphasis>.
3952 # <emphasis role="bold">cd /</emphasis>
3953 # <emphasis role="bold">shutdown -i6 -g0 -y</emphasis>
3954 login: <emphasis role="bold">root</emphasis>
3955 Password: <replaceable>root_password</replaceable>
3956 </programlisting></para>
3960 <para>Run the AFS initialization script. <programlisting>
3961 # <emphasis role="bold">/etc/init.d/afs start</emphasis>
3962 </programlisting></para>
3964 </orderedlist></para>
3968 <para>Wait for the message that confirms that Cache Manager initialization is complete.</para>
3970 <para>On machines that use a disk cache, it can take a while to initialize the Cache Manager for the first time, because
3971 the <emphasis role="bold">afsd</emphasis> program must create all of the <emphasis
3972 role="bold">V</emphasis><replaceable>n</replaceable> files in the cache directory. Subsequent Cache Manager
3973 initializations do not take nearly as long, because the <emphasis role="bold">V</emphasis><replaceable>n</replaceable>
3974 files already exist.</para>
3979 <primary>commands</primary>
3980 <secondary>aklog</secondary>
3984 <primary>aklog command</primary>
3987 <para>If you are working with an existing cell which uses
3988 <emphasis role="bold">kaserver</emphasis> for authentication,
3989 please recall the note in
3990 <link linkend="KAS003">Using this Appendix</link> detailing the
3991 substitution of <emphasis role="bold">kinit</emphasis> and
3992 <emphasis role="bold">aklog</emphasis> with
3993 <emphasis role="bold">klog</emphasis>.</para>
3995 <para>As a basic test of correct AFS functioning, issue the
3996 <emphasis role="bold">kinit</emphasis> and
3997 <emphasis role="bold">aklog</emphasis> commands to authenticate
3998 as the <emphasis role="bold">admin</emphasis> user.
3999 Provide the password (<replaceable>admin_passwd</replaceable>) you
4000 defined in <link linkend="HDRWQ53">Initializing Cell Security</link>.</para>
4003 # <emphasis role="bold">kinit admin</emphasis>
4004 Password: <replaceable>admin_passwd</replaceable>
4005 # <emphasis role="bold">aklog</emphasis>
4009 <primary>commands</primary>
4011 <secondary>tokens</secondary>
4015 <primary>tokens command</primary>
4020 <para>Issue the <emphasis role="bold">tokens</emphasis> command to
4021 verify that the <emphasis role="bold">aklog</emphasis>
4022 command worked correctly. If it did, the output looks similar to the following example for the <emphasis
4023 role="bold">example.com</emphasis> cell, where <emphasis role="bold">admin</emphasis>'s AFS UID is 1. If the output does not
4024 seem correct, resolve the problem. Changes to the AFS initialization script are possibly necessary. The OpenAFS mailing lists can provide assistance as necessary. <programlisting>
4025 # <emphasis role="bold">tokens</emphasis>
4026 Tokens held by the Cache Manager:
4027 User's (AFS ID 1) tokens for afs@example.com [Expires May 22 11:52]
4029 </programlisting></para>
4033 <para>Issue the <emphasis role="bold">bos status</emphasis> command to verify that the output for each process reads
4034 <computeroutput>Currently running normally</computeroutput>. <programlisting>
4035 # <emphasis role="bold">/usr/afs/bin/bos status</emphasis> <<replaceable>machine name</replaceable>>
4036 </programlisting> <indexterm>
4037 <primary>fs commands</primary>
4039 <secondary>checkvolumes</secondary>
4040 </indexterm> <indexterm>
4041 <primary>commands</primary>
4043 <secondary>fs checkvolumes</secondary>
4048 <para>Change directory to the local file system root (<emphasis role="bold">/</emphasis>) and issue the <emphasis
4049 role="bold">fs checkvolumes</emphasis> command. <programlisting>
4050 # <emphasis role="bold">cd /</emphasis>
4051 # <emphasis role="bold">/usr/afs/bin/fs checkvolumes</emphasis>
4052 </programlisting></para>
4054 </orderedlist></para>
4057 <primary>AFS initialization script</primary>
4059 <secondary>adding to machine startup sequence</secondary>
4061 <tertiary>first AFS machine</tertiary>
4065 <primary>installing</primary>
4067 <secondary>AFS initialization script</secondary>
4069 <tertiary>first AFS machine</tertiary>
4073 <primary>first AFS machine</primary>
4075 <secondary>AFS initialization script</secondary>
4077 <tertiary>activating</tertiary>
4081 <primary>activating AFS init. script</primary>
4083 <see>installing</see>
4087 <sect1 id="HDRWQ73">
4088 <title>Activating the AFS Initialization Script</title>
4090 <para>Now that you have confirmed that the AFS initialization script works correctly, take the action necessary to have it run
4091 automatically at each reboot. Proceed to the instructions for your system type: <itemizedlist>
4093 <para><link linkend="HDRWQ74">Activating the Script on AIX Systems</link></para>
4097 <para><link linkend="HDRWQ78">Activating the Script on Linux Systems</link></para>
4101 <para><link linkend="HDRWQ79">Activating the Script on Solaris Systems</link></para>
4103 </itemizedlist></para>
4106 <primary>AIX</primary>
4108 <secondary>AFS initialization script</secondary>
4110 <tertiary>on first AFS machine</tertiary>
4113 <sect2 id="HDRWQ74">
4114 <title>Activating the Script on AIX Systems</title>
4118 <para>Edit the AIX initialization file, <emphasis role="bold">/etc/inittab</emphasis>, adding the following line to invoke
4119 the AFS initialization script. Place it just after the line that starts NFS daemons. <programlisting>
4120 rcafs:2:wait:/etc/rc.afs > /dev/console 2>&1 # Start AFS services
4121 </programlisting></para>
4125 <para><emphasis role="bold">(Optional)</emphasis> There are now copies of the AFS initialization file in both the
4126 <emphasis role="bold">/usr/vice/etc</emphasis> and <emphasis role="bold">/etc</emphasis> directories. If you want to avoid
4127 potential confusion by guaranteeing that they are always the same, create a link between them. You can always retrieve the
4128 original script from the AFS CD-ROM if necessary. <programlisting>
4129 # <emphasis role="bold">cd /usr/vice/etc</emphasis>
4130 # <emphasis role="bold">rm rc.afs</emphasis>
4131 # <emphasis role="bold">ln -s /etc/rc.afs</emphasis>
4132 </programlisting></para>
4136 <para>Proceed to <link linkend="HDRWQ80">Configuring the Top Levels of the AFS Filespace</link>.</para>
4141 <primary>Linux</primary>
4143 <secondary>AFS initialization script</secondary>
4145 <tertiary>on first AFS machine</tertiary>
4149 <sect2 id="HDRWQ78">
4150 <title>Activating the Script on Linux Systems</title>
4154 <para>Issue the <emphasis role="bold">chkconfig</emphasis> command to activate the <emphasis role="bold">openafs-client</emphasis> and <emphasis role="bold">openafs-server</emphasis>
4155 configuration variables. Based on the instruction in the AFS initialization file that begins with the string
4156 <computeroutput>#chkconfig</computeroutput>, the command automatically creates the symbolic links that incorporate the
4157 script into the Linux startup and shutdown sequence. <programlisting>
4158 # <emphasis role="bold">/sbin/chkconfig --add openafs-client</emphasis>
4159 # <emphasis role="bold">/sbin/chkconfig --add openafs-server</emphasis>
4160 </programlisting></para>
4164 <para><emphasis role="bold">(Optional)</emphasis> There are now copies of the AFS initialization file in both the
4165 <emphasis role="bold">/usr/vice/etc</emphasis> and <emphasis role="bold">/etc/rc.d/init.d</emphasis> directories, and
4166 copies of the <emphasis role="bold">afsd</emphasis> options file in both the <emphasis
4167 role="bold">/usr/vice/etc</emphasis> and <emphasis role="bold">/etc/sysconfig</emphasis> directories. If you want to avoid
4168 potential confusion by guaranteeing that the two copies of each file are always the same, create a link between them. You
4169 can always retrieve the original script or options file from the AFS CD-ROM if necessary. <programlisting>
4170 # <emphasis role="bold">cd /usr/vice/etc</emphasis>
4171 # <emphasis role="bold">rm afs.rc afs.conf</emphasis>
4172 # <emphasis role="bold">ln -s /etc/rc.d/init.d/afs afs.rc</emphasis>
4173 # <emphasis role="bold">ln -s /etc/sysconfig/afs afs.conf</emphasis>
4174 </programlisting></para>
4178 <para>Proceed to <link linkend="HDRWQ80">Configuring the Top Levels of the AFS Filespace</link>.</para>
4183 <primary>Solaris</primary>
4185 <secondary>AFS initialization script</secondary>
4187 <tertiary>on first AFS machine</tertiary>
4191 <sect2 id="HDRWQ79">
4192 <title>Activating the Script on Solaris Systems</title>
4196 <para>Change to the <emphasis role="bold">/etc/init.d</emphasis> directory and issue the <emphasis role="bold">ln
4197 -s</emphasis> command to create symbolic links that incorporate the AFS initialization script into the Solaris startup and
4198 shutdown sequence. <programlisting>
4199 # <emphasis role="bold">cd /etc/init.d</emphasis>
4200 # <emphasis role="bold">ln -s ../init.d/afs /etc/rc3.d/S99afs</emphasis>
4201 # <emphasis role="bold">ln -s ../init.d/afs /etc/rc0.d/K66afs</emphasis>
4202 </programlisting></para>
4206 <para><emphasis role="bold">(Optional)</emphasis> There are now copies of the AFS initialization file in both the
4207 <emphasis role="bold">/usr/vice/etc</emphasis> and <emphasis role="bold">/etc/init.d</emphasis> directories. If you want
4208 to avoid potential confusion by guaranteeing that they are always the same, create a link between them. You can always
4209 retrieve the original script from the AFS CD-ROM if necessary. <programlisting>
4210 # <emphasis role="bold">cd /usr/vice/etc</emphasis>
4211 # <emphasis role="bold">rm afs.rc</emphasis>
4212 # <emphasis role="bold">ln -s /etc/init.d/afs afs.rc</emphasis>
4213 </programlisting></para>
4218 <primary>AFS filespace</primary>
4220 <secondary>configuring top levels</secondary>
4224 <primary>configuring</primary>
4226 <secondary>AFS filespace (top levels)</secondary>
4231 <sect1 id="HDRWQ80">
4232 <title>Configuring the Top Levels of the AFS Filespace</title>
4234 <para>If you have not previously run AFS in your cell, you now configure the top levels of your cell's AFS filespace. If you
4235 have run a previous version of AFS, the filespace is already configured. Proceed to <link linkend="HDRWQ83">Storing AFS Binaries
4236 in AFS</link>. <indexterm>
4237 <primary>root.cell volume</primary>
4239 <secondary>creating and replicating</secondary>
4240 </indexterm> <indexterm>
4241 <primary>volume</primary>
4243 <secondary>creating</secondary>
4245 <tertiary>root.cell</tertiary>
4246 </indexterm> <indexterm>
4247 <primary>creating</primary>
4249 <secondary>root.cell volume</secondary>
4252 <para>You created the <emphasis role="bold">root.afs</emphasis> volume in <link linkend="HDRWQ60">Starting the File Server,
4253 Volume Server, and Salvager</link>, and the Cache Manager mounted it automatically on the local <emphasis
4254 role="bold">/afs</emphasis> directory when you ran the AFS initialization script in <link linkend="HDRWQ72">Verifying the AFS
4255 Initialization Script</link>. You now set the access control list (ACL) on the <emphasis role="bold">/afs</emphasis> directory;
4256 creating, mounting, and setting the ACL are the three steps required when creating any volume.</para>
4258 <para>After setting the ACL on the <emphasis role="bold">root.afs</emphasis> volume, you create your cell's <emphasis
4259 role="bold">root.cell</emphasis> volume, mount it as a subdirectory of the <emphasis role="bold">/afs</emphasis> directory, and
4260 set the ACL. Create both a read/write and a regular mount point for the <emphasis role="bold">root.cell</emphasis> volume. The
4261 read/write mount point enables you to access the read/write version of replicated volumes when necessary. Creating both mount
4262 points essentially creates separate read-only and read-write copies of your filespace, and enables the Cache Manager to traverse
4263 the filespace on a read-only path or read/write path as appropriate. For further discussion of these concepts, see the chapter
4264 in the <emphasis>OpenAFS Administration Guide</emphasis> about administering volumes. <indexterm>
4265 <primary>root.afs volume</primary>
4267 <secondary>replicating</secondary>
4268 </indexterm> <indexterm>
4269 <primary>volume</primary>
4271 <secondary>replicating root.afs and root.cell</secondary>
4272 </indexterm> <indexterm>
4273 <primary>replicating volumes</primary>
4276 <para>Then replicate both the <emphasis role="bold">root.afs</emphasis> and <emphasis role="bold">root.cell</emphasis> volumes.
4277 This is required if you want to replicate any other volumes in your cell, because all volumes mounted above a replicated volume
4278 must themselves be replicated in order for the Cache Manager to access the replica.</para>
4280 <para>When the <emphasis role="bold">root.afs</emphasis> volume is replicated, the Cache Manager is programmed to access its
4281 read-only version (<emphasis role="bold">root.afs.readonly</emphasis>) whenever possible. To make changes to the contents of the
4282 <emphasis role="bold">root.afs</emphasis> volume (when, for example, you mount another cell's <emphasis
4283 role="bold">root.cell</emphasis> volume at the second level in your filespace), you must mount the <emphasis
4284 role="bold">root.afs</emphasis> volume temporarily, make the changes, release the volume and remove the temporary mount point.
4285 For instructions, see <link linkend="HDRWQ91">Enabling Access to Foreign Cells</link>. <indexterm>
4286 <primary>fs commands</primary>
4288 <secondary>setacl</secondary>
4289 </indexterm> <indexterm>
4290 <primary>commands</primary>
4292 <secondary>fs setacl</secondary>
4293 </indexterm> <indexterm>
4294 <primary>access control list (ACL), setting</primary>
4295 </indexterm> <indexterm>
4296 <primary>setting</primary>
4298 <secondary>ACL</secondary>
4299 </indexterm> <orderedlist>
4301 <para>Issue the <emphasis role="bold">fs setacl</emphasis> command to edit the ACL on the <emphasis
4302 role="bold">/afs</emphasis> directory. Add an entry that grants the <emphasis role="bold">l</emphasis> (<emphasis
4303 role="bold">lookup</emphasis>) and <emphasis role="bold">r</emphasis> (<emphasis role="bold">read</emphasis>) permissions
4304 to the <emphasis role="bold">system:anyuser</emphasis> group, to enable all AFS users who can reach your cell to traverse
4305 through the directory. If you prefer to enable access only to locally authenticated users, substitute the <emphasis
4306 role="bold">system:authuser</emphasis> group.</para>
4308 <para>Note that there is already an ACL entry that grants all seven access rights to the <emphasis
4309 role="bold">system:administrators</emphasis> group. It is a default entry that AFS places on every new volume's root
4312 <para>The top-level AFS directory, typically /afs, is a special case:
4313 when the client is configured to run in dynroot mode (e.g.
4314 <emphasis role="bold">afsd -dynroot</emphasis>, attempts to set
4315 the ACL on this directory will return <emphasis role="bold">
4316 Connection timed out</emphasis>. This is because the dynamically-
4317 generated root directory is not a part of the global AFS space,
4318 and cannot have an access control list set on it.</para>
4321 # <emphasis role="bold">/usr/afs/bin/fs setacl /afs system:anyuser rl</emphasis>
4325 <primary>commands</primary>
4327 <secondary>vos create</secondary>
4329 <tertiary>root.cell volume</tertiary>
4333 <primary>vos commands</primary>
4335 <secondary>create</secondary>
4337 <tertiary>root.cell volume</tertiary>
4341 <primary>fs commands</primary>
4343 <secondary>mkmount</secondary>
4347 <primary>commands</primary>
4349 <secondary>fs mkmount</secondary>
4353 <primary>mount point</primary>
4357 <primary>creating</primary>
4359 <secondary>mount point</secondary>
4363 <primary>volume</primary>
4365 <secondary>mounting</secondary>
4369 <listitem id="LIWQ81">
4370 <para>Issue the <emphasis role="bold">vos create</emphasis> command to create the <emphasis
4371 role="bold">root.cell</emphasis> volume. Then issue the <emphasis role="bold">fs mkmount</emphasis> command to mount it as
4372 a subdirectory of the <emphasis role="bold">/afs</emphasis> directory, where it serves as the root of your cell's local
4373 AFS filespace. Finally, issue the <emphasis role="bold">fs setacl</emphasis> command to create an ACL entry for the
4374 <emphasis role="bold">system:anyuser</emphasis> group (or <emphasis role="bold">system:authuser</emphasis> group).</para>
4376 <para>For the <replaceable>partition name</replaceable> argument, substitute the name of one of the machine's AFS server
4377 partitions (such as <emphasis role="bold">/vicepa</emphasis>). For the <replaceable>cellname</replaceable> argument,
4378 substitute your cell's fully-qualified Internet domain name (such as <emphasis role="bold">example.com</emphasis>).</para>
4381 # <emphasis role="bold">/usr/afs/bin/vos create</emphasis> <<replaceable>machine name</replaceable>> <<replaceable>partition name</replaceable>> <emphasis
4382 role="bold">root.cell</emphasis>
4383 # <emphasis role="bold">/usr/afs/bin/fs mkmount /afs/</emphasis><replaceable>cellname</replaceable> <emphasis role="bold">root.cell</emphasis>
4384 # <emphasis role="bold">/usr/afs/bin/fs setacl /afs/</emphasis><replaceable>cellname</replaceable> <emphasis role="bold">system:anyuser rl</emphasis>
4388 <primary>creating</primary>
4390 <secondary>symbolic link</secondary>
4392 <tertiary>for abbreviated cell name</tertiary>
4396 <primary>symbolic link</primary>
4398 <secondary>for abbreviated cell name</secondary>
4402 <primary>cell name</primary>
4404 <secondary>symbolic link for abbreviated</secondary>
4409 <para><emphasis role="bold">(Optional)</emphasis> Create a symbolic link to a shortened cell name, to reduce the length of
4410 pathnames for users in the local cell. For example, in the <emphasis role="bold">example.com</emphasis> cell, <emphasis
4411 role="bold">/afs/example</emphasis> is a link to <emphasis role="bold">/afs/example.com</emphasis>. <programlisting>
4412 # <emphasis role="bold">cd /afs</emphasis>
4413 # <emphasis role="bold">ln -s</emphasis> <replaceable>full_cellname</replaceable> <replaceable>short_cellname</replaceable>
4414 </programlisting> <indexterm>
4415 <primary>read/write mount point for root.afs volume</primary>
4416 </indexterm> <indexterm>
4417 <primary>root.afs volume</primary>
4419 <secondary>read/write mount point</secondary>
4420 </indexterm> <indexterm>
4421 <primary>creating</primary>
4423 <secondary>read/write mount point</secondary>
4428 <para>Issue the <emphasis role="bold">fs mkmount</emphasis> command to create a read/write mount point for the <emphasis
4429 role="bold">root.cell</emphasis> volume (you created a regular mount point in Step <link
4430 linkend="LIWQ81">2</link>).</para>
4432 <para>By convention, the name of a read/write mount point begins with a period, both to distinguish it from the regular
4433 mount point and to make it visible only when the <emphasis role="bold">-a</emphasis> flag is used on the <emphasis
4434 role="bold">ls</emphasis> command.</para>
4436 <para>Change directory to <emphasis role="bold">/usr/afs/bin</emphasis> to make it easier to access the command
4440 # <emphasis role="bold">cd /usr/afs/bin</emphasis>
4441 # <emphasis role="bold">./fs mkmount /afs/.</emphasis><replaceable>cellname</replaceable> <emphasis role="bold">root.cell -rw</emphasis>
4445 <primary>commands</primary>
4447 <secondary>vos addsite</secondary>
4451 <primary>vos commands</primary>
4453 <secondary>addsite</secondary>
4457 <primary>volume</primary>
4459 <secondary>defining replication site</secondary>
4463 <primary>defining</primary>
4465 <secondary>replication site for volume</secondary>
4469 <listitem id="LIWQ82">
4470 <para>Issue the <emphasis role="bold">vos addsite</emphasis> command to define a replication site
4471 for both the <emphasis role="bold">root.afs</emphasis> and <emphasis role="bold">root.cell</emphasis> volumes. In each
4472 case, substitute for the <replaceable>partition name</replaceable> argument the partition where the volume's read/write
4473 version resides. When you install additional file server machines, it is a good idea to create replication sites on them
4474 as well. <programlisting>
4475 # <emphasis role="bold">./vos addsite</emphasis> <<replaceable>machine name</replaceable>> <<replaceable>partition name</replaceable>> <emphasis
4476 role="bold">root.afs</emphasis>
4477 # <emphasis role="bold">./vos addsite</emphasis> <<replaceable>machine name</replaceable>> <<replaceable>partition name</replaceable>> <emphasis
4478 role="bold">root.cell</emphasis>
4479 </programlisting> <indexterm>
4480 <primary>fs commands</primary>
4482 <secondary>examine</secondary>
4483 </indexterm> <indexterm>
4484 <primary>commands</primary>
4486 <secondary>fs examine</secondary>
4491 <para>Issue the <emphasis role="bold">fs examine</emphasis> command to verify that the Cache Manager can access both the
4492 <emphasis role="bold">root.afs</emphasis> and <emphasis role="bold">root.cell</emphasis> volumes, before you attempt to
4493 replicate them. The output lists each volume's name, volumeID number, quota, size, and the size of the partition that
4494 houses them. If you get an error message instead, do not continue before taking corrective action. <programlisting>
4495 # <emphasis role="bold">./fs examine /afs</emphasis>
4496 # <emphasis role="bold">./fs examine /afs/</emphasis><replaceable>cellname</replaceable>
4497 </programlisting> <indexterm>
4498 <primary>commands</primary>
4500 <secondary>vos release</secondary>
4501 </indexterm> <indexterm>
4502 <primary>vos commands</primary>
4504 <secondary>release</secondary>
4505 </indexterm> <indexterm>
4506 <primary>volume</primary>
4508 <secondary>releasing replicated</secondary>
4509 </indexterm> <indexterm>
4510 <primary>releasing replicated volume</primary>
4515 <para>Issue the <emphasis role="bold">vos release</emphasis> command to release a replica of the <emphasis
4516 role="bold">root.afs</emphasis> and <emphasis role="bold">root.cell</emphasis> volumes to the sites you defined in Step
4517 <link linkend="LIWQ82">5</link>. <programlisting>
4518 # <emphasis role="bold">./vos release root.afs</emphasis>
4519 # <emphasis role="bold">./vos release root.cell</emphasis>
4520 </programlisting> <indexterm>
4521 <primary>fs commands</primary>
4523 <secondary>checkvolumes</secondary>
4524 </indexterm> <indexterm>
4525 <primary>commands</primary>
4527 <secondary>fs checkvolumes</secondary>
4532 <para>Issue the <emphasis role="bold">fs checkvolumes</emphasis> to force the Cache Manager to notice that you have
4533 released read-only versions of the volumes, then issue the <emphasis role="bold">fs examine</emphasis> command again. This
4534 time its output mentions the read-only version of the volumes (<emphasis role="bold">root.afs.readonly</emphasis> and
4535 <emphasis role="bold">root.cell.readonly</emphasis>) instead of the read/write versions, because of the Cache Manager's
4536 bias to access the read-only version of the <emphasis role="bold">root.afs</emphasis> volume if it exists.
4538 # <emphasis role="bold">./fs checkvolumes</emphasis>
4539 # <emphasis role="bold">./fs examine /afs</emphasis>
4540 # <emphasis role="bold">./fs examine /afs/</emphasis><replaceable>cellname</replaceable>
4541 </programlisting></para>
4543 </orderedlist></para>
4546 <primary>storing</primary>
4548 <secondary>AFS binaries in volumes</secondary>
4552 <primary>creating</primary>
4554 <secondary>volume</secondary>
4556 <tertiary>for AFS binaries</tertiary>
4560 <primary>volume</primary>
4562 <secondary>for AFS binaries</secondary>
4566 <primary>binaries</primary>
4568 <secondary>storing AFS in volume</secondary>
4572 <primary>usr/afsws directory</primary>
4576 <primary>directories</primary>
4578 <secondary>/usr/afsws</secondary>
4582 <sect1 id="HDRWQ83">
4583 <title>Storing AFS Binaries in AFS</title>
4585 <note><para>Sites with existing binary distribution mechanisms, including
4586 those which use packaging systems such as RPM, may wish to skip this step,
4587 and use tools native to their operating system to manage AFS configuration
4588 information.</para></note>
4590 <para>In the conventional configuration, you make AFS client binaries and configuration files available in the subdirectories of
4591 the <emphasis role="bold">/usr/afsws</emphasis> directory on client machines (<emphasis role="bold">afsws</emphasis> is an
4592 acronym for <emphasis role="bold">AFS w</emphasis><emphasis>ork</emphasis><emphasis
4593 role="bold">s</emphasis><emphasis>tation</emphasis>). You can conserve local disk space by creating <emphasis
4594 role="bold">/usr/afsws</emphasis> as a link to an AFS volume that houses the AFS client binaries and configuration files for
4595 this system type.</para>
4597 <para>In this section you create the necessary volumes. The conventional location to which to link <emphasis
4598 role="bold">/usr/afsws</emphasis> is <emphasis role="bold">/afs/</emphasis><replaceable>cellname</replaceable><emphasis
4599 role="bold">/</emphasis><replaceable>sysname</replaceable><emphasis role="bold">/usr/afsws</emphasis>, where
4600 <replaceable>sysname</replaceable> is the appropriate system type name as specified in the <emphasis>OpenAFS Release
4601 Notes</emphasis>. The instructions in <link linkend="HDRWQ133">Installing Additional Client Machines</link> assume that you have
4602 followed the instructions in this section.</para>
4604 <para>If you have previously run AFS in the cell, the volumes possibly already exist. If so, you need to perform Step <link
4605 linkend="LIWQ86">8</link> only.</para>
4607 <para>The current working directory is still <emphasis role="bold">/usr/afs/bin</emphasis>, which houses the <emphasis
4608 role="bold">fs</emphasis> and <emphasis role="bold">vos</emphasis> command suite binaries. In the following commands, it is
4609 possible you still need to specify the pathname to the commands, depending on how your PATH environment variable is set.
4612 <primary>commands</primary>
4614 <secondary>vos create</secondary>
4616 <tertiary>volume for AFS binaries</tertiary>
4620 <primary>vos commands</primary>
4622 <secondary>create</secondary>
4624 <tertiary>volume for AFS binaries</tertiary>
4627 <listitem id="LIWQ84">
4628 <para>Issue the <emphasis role="bold">vos create</emphasis> command to create volumes for storing
4629 the AFS client binaries for this system type. The following example instruction creates volumes called
4630 <replaceable>sysname</replaceable>, <replaceable>sysname</replaceable>.<emphasis role="bold">usr</emphasis>, and
4631 <replaceable>sysname</replaceable>.<emphasis role="bold">usr.afsws</emphasis>. Refer to the <emphasis>OpenAFS Release
4632 Notes</emphasis> to learn the proper value of <replaceable>sysname</replaceable> for this system type. <programlisting>
4633 # <emphasis role="bold">vos create</emphasis> <<replaceable>machine name</replaceable>> <<replaceable>partition name</replaceable>> <replaceable>sysname</replaceable>
4634 # <emphasis role="bold">vos create</emphasis> <<replaceable>machine name</replaceable>> <<replaceable>partition name</replaceable>> <replaceable>sysname</replaceable><emphasis
4635 role="bold">.usr</emphasis>
4636 # <emphasis role="bold">vos create</emphasis> <<replaceable>machine name</replaceable>> <<replaceable>partition name</replaceable>> <replaceable>sysname</replaceable><emphasis
4637 role="bold">.usr.afsws</emphasis>
4638 </programlisting></para>
4642 <para>Issue the <emphasis role="bold">fs mkmount</emphasis> command to mount the newly created volumes. Because the
4643 <emphasis role="bold">root.cell</emphasis> volume is replicated, you must precede the <emphasis>cellname</emphasis> part
4644 of the pathname with a period to specify the read/write mount point, as shown. Then issue the <emphasis role="bold">vos
4645 release</emphasis> command to release a new replica of the <emphasis role="bold">root.cell</emphasis> volume, and the
4646 <emphasis role="bold">fs checkvolumes</emphasis> command to force the local Cache Manager to access them. <programlisting>
4647 # <emphasis role="bold">fs mkmount -dir /afs/.</emphasis><replaceable>cellname</replaceable><emphasis role="bold">/</emphasis><replaceable>sysname</replaceable> <emphasis
4648 role="bold">-vol</emphasis> <replaceable>sysname</replaceable>
4649 # <emphasis role="bold">fs mkmount -dir /afs/.</emphasis><replaceable>cellname</replaceable><emphasis role="bold">/</emphasis><replaceable>sysname</replaceable><emphasis
4650 role="bold">/usr</emphasis> <emphasis role="bold">-vol</emphasis> <replaceable>sysname</replaceable><emphasis
4651 role="bold">.usr</emphasis>
4652 # <emphasis role="bold">fs mkmount -dir /afs/.</emphasis><replaceable>cellname</replaceable><emphasis role="bold">/</emphasis><replaceable>sysname</replaceable><emphasis
4653 role="bold">/usr/afsws</emphasis> <emphasis role="bold">-vol</emphasis> <replaceable>sysname</replaceable><emphasis
4654 role="bold">.usr.afsws</emphasis>
4655 # <emphasis role="bold">vos release root.cell</emphasis>
4656 # <emphasis role="bold">fs checkvolumes</emphasis>
4657 </programlisting></para>
4661 <para>Issue the <emphasis role="bold">fs setacl</emphasis> command to grant the <emphasis role="bold">l</emphasis>
4662 (<emphasis role="bold">lookup</emphasis>) and <emphasis role="bold">r</emphasis> (<emphasis role="bold">read</emphasis>)
4663 permissions to the <emphasis role="bold">system:anyuser</emphasis> group on each new directory's ACL. <programlisting>
4664 # <emphasis role="bold">cd /afs/.</emphasis><replaceable>cellname</replaceable><emphasis role="bold">/</emphasis><replaceable>sysname</replaceable>
4665 # <emphasis role="bold">fs setacl -dir . usr usr/afsws -acl system:anyuser rl</emphasis>
4666 </programlisting> <indexterm>
4667 <primary>commands</primary>
4669 <secondary>fs setquota</secondary>
4670 </indexterm> <indexterm>
4671 <primary>fs commands</primary>
4673 <secondary>setquota</secondary>
4674 </indexterm> <indexterm>
4675 <primary>quota for volume</primary>
4676 </indexterm> <indexterm>
4677 <primary>volume</primary>
4679 <secondary>setting quota</secondary>
4680 </indexterm> <indexterm>
4681 <primary>setting</primary>
4683 <secondary>volume quota</secondary>
4687 <listitem id="LIWQ85">
4688 <para>Issue the <emphasis role="bold">fs setquota</emphasis> command to set an unlimited quota on
4689 the volume mounted at the <emphasis role="bold">/afs/</emphasis><replaceable>cellname</replaceable><emphasis
4690 role="bold">/</emphasis><replaceable>sysname</replaceable><emphasis role="bold">/usr/afsws</emphasis> directory. This
4691 enables you to copy all of the appropriate files from the CD-ROM into the volume without exceeding the volume's
4694 <para>If you wish, you can set the volume's quota to a finite value after you complete the copying operation. At that
4695 point, use the <emphasis role="bold">vos examine</emphasis> command to determine how much space the volume is occupying.
4696 Then issue the <emphasis role="bold">fs setquota</emphasis> command to set a quota that is slightly larger.</para>
4699 # <emphasis role="bold">fs setquota /afs/.</emphasis><replaceable>cellname</replaceable><emphasis role="bold">/</emphasis><replaceable>sysname</replaceable><emphasis
4700 role="bold">/usr/afsws 0</emphasis>
4705 <para>Unpack the distribution tarball into the <emphasis role="bold">/tmp/afsdist</emphasis> directory,
4706 if it is not already. <indexterm>
4707 <primary>copying</primary>
4709 <secondary>AFS binaries into volume</secondary>
4710 </indexterm> <indexterm>
4711 <primary>CD-ROM</primary>
4713 <secondary>copying AFS binaries into volume</secondary>
4714 </indexterm> <indexterm>
4715 <primary>first AFS machine</primary>
4717 <secondary>copying</secondary>
4719 <tertiary>AFS binaries into volume</tertiary>
4724 <para>Copy the contents of the indicated directories from the
4725 distribution into the <emphasis
4726 role="bold">/afs/</emphasis><replaceable>cellname</replaceable><emphasis
4727 role="bold">/</emphasis><replaceable>sysname</replaceable><emphasis role="bold">/usr/afsws</emphasis> directory.
4729 # <emphasis role="bold">cd /afs/.</emphasis><replaceable>cellname</replaceable><emphasis role="bold">/</emphasis><replaceable>sysname</replaceable><emphasis
4730 role="bold">/usr/afsws</emphasis>
4731 # <emphasis role="bold">cp -rp /tmp/afsdist/</emphasis><replaceable>sysname</replaceable><emphasis role="bold">/bin .</emphasis>
4732 # <emphasis role="bold">cp -rp /tmp/afsdist/</emphasis><replaceable>sysname</replaceable><emphasis role="bold">/etc .</emphasis>
4733 # <emphasis role="bold">cp -rp /tmp/afsdist/</emphasis><replaceable>sysname</replaceable><emphasis role="bold">/include .</emphasis>
4734 # <emphasis role="bold">cp -rp /tmp/afsdist/</emphasis><replaceable>sysname</replaceable><emphasis role="bold">/lib .</emphasis>
4737 <primary>creating</primary>
4739 <secondary>symbolic link</secondary>
4741 <tertiary>to AFS binaries</tertiary>
4742 </indexterm> <indexterm>
4743 <primary>symbolic link</primary>
4745 <secondary>to AFS binaries from local disk</secondary>
4749 <listitem id="LIWQ86">
4750 <para>Create <emphasis role="bold">/usr/afsws</emphasis> on the local disk as a symbolic link to the
4751 directory <emphasis role="bold">/afs/</emphasis><replaceable>cellname</replaceable><emphasis
4752 role="bold">/@sys/usr/afsws</emphasis>. You can specify the actual system name instead of <emphasis
4753 role="bold">@sys</emphasis> if you wish, but the advantage of using <emphasis role="bold">@sys</emphasis> is that it
4754 remains valid if you upgrade this machine to a different system type. <programlisting>
4755 # <emphasis role="bold">ln -s /afs/</emphasis><replaceable>cellname</replaceable><emphasis role="bold">/@sys/usr/afsws /usr/afsws</emphasis>
4756 </programlisting> <indexterm>
4757 <primary>PATH environment variable for users</primary>
4758 </indexterm> <indexterm>
4759 <primary>variables</primary>
4761 <secondary>PATH, setting for users</secondary>
4766 <para><emphasis role="bold">(Optional)</emphasis> To enable users to issue commands from the AFS suites (such as <emphasis
4767 role="bold">fs</emphasis>) without having to specify a pathname to their binaries, include the <emphasis
4768 role="bold">/usr/afsws/bin</emphasis> and <emphasis role="bold">/usr/afsws/etc</emphasis> directories in the PATH
4769 environment variable you define in each user's shell initialization file (such as <emphasis
4770 role="bold">.cshrc</emphasis>).</para>
4772 </orderedlist></para>
4775 <primary>storing</primary>
4777 <secondary>AFS documentation in volumes</secondary>
4781 <primary>creating</primary>
4783 <secondary>volume</secondary>
4785 <tertiary>for AFS documentation</tertiary>
4789 <primary>volume</primary>
4791 <secondary>for AFS documentation</secondary>
4795 <primary>documentation, creating volume for AFS</primary>
4799 <primary>usr/afsdoc directory</primary>
4803 <primary>directories</primary>
4805 <secondary>/usr/afsdoc</secondary>
4809 <sect1 id="HDRWQ87">
4810 <title>Storing AFS Documents in AFS</title>
4812 <para>The AFS distribution includes the following documents: <itemizedlist>
4814 <para><emphasis>OpenAFS Release Notes</emphasis></para>
4818 <para><emphasis>OpenAFS Quick Beginnings</emphasis></para>
4822 <para><emphasis>OpenAFS User Guide</emphasis></para>
4826 <para><emphasis>OpenAFS Administration Reference</emphasis></para>
4830 <para><emphasis>OpenAFS Administration Guide</emphasis></para>
4832 </itemizedlist></para>
4834 <note><para>OpenAFS Documentation is not currently provided with all
4835 distributions, but may be downloaded separately from the OpenAFS
4836 website</para></note>
4838 <para>The OpenAFS Documentation Distribution has a directory for each
4839 document format provided. The different formats are suitable for online
4840 viewing, printing, or both.</para>
4842 <para>This section explains how to create and mount a volume to house the documents, making them available to your users. The
4843 recommended mount point for the volume is <emphasis role="bold">/afs/</emphasis><replaceable>cellname</replaceable><emphasis
4844 role="bold">/afsdoc</emphasis>. If you wish, you can create a link to the mount point on each client machine's local disk,
4845 called <emphasis role="bold">/usr/afsdoc</emphasis>. Alternatively, you can create a link to the mount point in each user's home
4846 directory. You can also choose to permit users to access only certain documents (most probably, the <emphasis>OpenAFS User
4847 Guide</emphasis>) by creating different mount points or setting different ACLs on different document directories.</para>
4849 <para>The current working directory is still <emphasis role="bold">/usr/afs/bin</emphasis>, which houses the <emphasis
4850 role="bold">fs</emphasis> and <emphasis role="bold">vos</emphasis> command suite binaries you use to create and mount volumes.
4851 In the following commands, it is possible you still need to specify the pathname to the commands, depending on how your PATH
4852 environment variable is set. <orderedlist>
4854 <primary>commands</primary>
4856 <secondary>vos create</secondary>
4858 <tertiary>volume for AFS documentation</tertiary>
4862 <primary>vos commands</primary>
4864 <secondary>create</secondary>
4866 <tertiary>volume for AFS documentation</tertiary>
4870 <para>Issue the <emphasis role="bold">vos create</emphasis> command to create a volume for storing the AFS documentation.
4871 Include the <emphasis role="bold">-maxquota</emphasis> argument to set an unlimited quota on the volume. This enables you
4872 to copy all of the appropriate files from the CD-ROM into the volume without exceeding the volume's quota.</para>
4874 <para>If you wish, you can set the volume's quota to a finite value after you complete the copying operations. At that
4875 point, use the <emphasis role="bold">vos examine</emphasis> command to determine how much space the volume is occupying.
4876 Then issue the <emphasis role="bold">fs setquota</emphasis> command to set a quota that is slightly larger.</para>
4879 # <emphasis role="bold">vos create</emphasis> <<replaceable>machine name</replaceable>> <<replaceable>partition name</replaceable>> <emphasis
4880 role="bold">afsdoc -maxquota 0</emphasis>
4885 <para>Issue the <emphasis role="bold">fs mkmount</emphasis> command to mount the new volume. Because the <emphasis
4886 role="bold">root.cell</emphasis> volume is replicated, you must precede the <emphasis>cellname</emphasis> with a period to
4887 specify the read/write mount point, as shown. Then issue the <emphasis role="bold">vos release</emphasis> command to
4888 release a new replica of the <emphasis role="bold">root.cell</emphasis> volume, and the <emphasis role="bold">fs
4889 checkvolumes</emphasis> command to force the local Cache Manager to access them. <programlisting>
4890 # <emphasis role="bold">fs mkmount -dir /afs/.</emphasis><replaceable>cellname</replaceable><emphasis role="bold">/afsdoc</emphasis> <emphasis
4891 role="bold">-vol</emphasis> <emphasis role="bold">afsdoc</emphasis>
4892 # <emphasis role="bold">vos release root.cell</emphasis>
4893 # <emphasis role="bold">fs checkvolumes</emphasis>
4894 </programlisting></para>
4898 <para>Issue the <emphasis role="bold">fs setacl</emphasis> command to grant the <emphasis role="bold">rl</emphasis>
4899 permissions to the <emphasis role="bold">system:anyuser</emphasis> group on the new directory's ACL. <programlisting>
4900 # <emphasis role="bold">cd /afs/.</emphasis><replaceable>cellname</replaceable><emphasis role="bold">/afsdoc</emphasis>
4901 # <emphasis role="bold">fs setacl . system:anyuser rl</emphasis>
4902 </programlisting></para>
4906 <para>Unpack the OpenAFS documentation distribution into the
4907 <emphasis role="bold">/tmp/afsdocs</emphasis> directory. You may use
4908 a different directory, in which case the location you use should be
4909 subsituted in the following examples. For instructions on unpacking
4910 the distribution, consult the documentation for your operating
4911 system's <emphasis role="bold">tar</emphasis> command.
4913 <primary>copying</primary>
4915 <secondary>AFS documentation from distribution</secondary>
4916 </indexterm> <indexterm>
4917 <primary>OpenAFS Distribution</primary>
4919 <secondary>copying AFS documentation from</secondary>
4920 </indexterm> <indexterm>
4921 <primary>first AFS machine</primary>
4923 <secondary>copying</secondary>
4925 <tertiary>AFS documentation from OpenAFS distribution</tertiary>
4926 </indexterm> <indexterm>
4927 <primary>index.htm file</primary>
4928 </indexterm> <indexterm>
4929 <primary>files</primary>
4931 <secondary>index.htm</secondary>
4936 <para>Copy the AFS documents in one or more formats from the unpacked distribution into subdirectories of the <emphasis
4937 role="bold">/afs/</emphasis><replaceable>cellname</replaceable><emphasis role="bold">/afsdoc</emphasis> directory. Repeat
4938 the commands for each format. <programlisting>
4939 # <emphasis role="bold">mkdir</emphasis> <replaceable>format_name</replaceable>
4940 # <emphasis role="bold">cd</emphasis> <replaceable>format_name</replaceable>
4941 # <emphasis role="bold">cp -rp /tmp/afsdocs/</emphasis><replaceable>format</replaceable> <emphasis role="bold">.</emphasis>
4942 </programlisting></para>
4944 <para>If you choose to store the HTML version of the documents in AFS, note that in addition to a subdirectory for each
4945 document there are several files with a <emphasis role="bold">.gif</emphasis> extension, which enable readers to move
4946 easily between sections of a document. The file called <emphasis role="bold">index.htm</emphasis> is an introductory HTML
4947 page that contains a hyperlink to each of the documents. For online viewing to work properly, these files must remain in
4948 the top-level HTML directory (the one named, for example, <emphasis
4949 role="bold">/afs/</emphasis><replaceable>cellname</replaceable><emphasis role="bold">/afsdoc/html</emphasis>).</para>
4953 <para><emphasis role="bold">(Optional)</emphasis> If you believe it is helpful to your users to access the AFS documents
4954 in a certain format via a local disk directory, create <emphasis role="bold">/usr/afsdoc</emphasis> on the local disk as a
4955 symbolic link to the documentation directory in AFS (<emphasis
4956 role="bold">/afs/</emphasis><replaceable>cellname</replaceable><emphasis
4957 role="bold">/afsdoc/</emphasis><replaceable>format_name</replaceable>). <programlisting>
4958 # <emphasis role="bold">ln -s /afs/</emphasis><replaceable>cellname</replaceable><emphasis role="bold">/afsdoc/</emphasis><replaceable>format_name</replaceable> <emphasis
4959 role="bold">/usr/afsdoc</emphasis>
4960 </programlisting></para>
4962 <para>An alternative is to create a link in each user's home directory to the <emphasis
4963 role="bold">/afs/</emphasis><replaceable>cellname</replaceable><emphasis
4964 role="bold">/afsdoc/</emphasis><replaceable>format_name</replaceable> directory.</para>
4966 </orderedlist></para>
4969 <primary>storing</primary>
4971 <secondary>system binaries in volumes</secondary>
4975 <primary>creating</primary>
4977 <secondary>volume</secondary>
4979 <tertiary>for system binaries</tertiary>
4983 <primary>volume</primary>
4985 <secondary>for system binaries</secondary>
4989 <primary>binaries</primary>
4991 <secondary>storing system in volumes</secondary>
4995 <sect1 id="HDRWQ88">
4996 <title>Storing System Binaries in AFS</title>
4998 <para>You can also choose to store other system binaries in AFS volumes, such as the standard UNIX programs conventionally
4999 located in local disk directories such as <emphasis role="bold">/etc</emphasis>, <emphasis role="bold">/bin</emphasis>, and
5000 <emphasis role="bold">/lib</emphasis>. Storing such binaries in an AFS volume not only frees local disk space, but makes it
5001 easier to update binaries on all client machines.</para>
5003 <para>The following is a suggested scheme for storing system binaries in AFS. It does not include instructions, but you can use
5004 the instructions in <link linkend="HDRWQ83">Storing AFS Binaries in AFS</link> (which are for AFS-specific binaries) as a
5007 <para>Some files must remain on the local disk for use when AFS is inaccessible (during bootup and file server or network
5008 outages). The required binaries include the following: <itemizedlist>
5010 <para>A text editor, network commands, and so on</para>
5014 <para>Files used during the boot sequence before the <emphasis role="bold">afsd</emphasis> program runs, such as
5015 initialization and configuration files, and binaries for commands that mount file systems</para>
5019 <para>Files used by dynamic kernel loader programs</para>
5021 </itemizedlist></para>
5023 <para>In most cases, it is more secure to enable only locally authenticated users to access system binaries, by granting the
5024 <emphasis role="bold">l</emphasis> (<emphasis role="bold">lookup</emphasis>) and <emphasis role="bold">r</emphasis> (<emphasis
5025 role="bold">read</emphasis>) permissions to the <emphasis role="bold">system:authuser</emphasis> group on the ACLs of
5026 directories that contain the binaries. If users need to access a binary while unauthenticated, however, the ACL on its directory
5027 must grant those permissions to the <emphasis role="bold">system:anyuser</emphasis> group.</para>
5029 <para>The following chart summarizes the suggested volume and mount point names for storing system binaries. It uses a separate
5030 volume for each directory. You already created a volume called <replaceable>sysname</replaceable> for this machine's system type
5031 when you followed the instructions in <link linkend="HDRWQ83">Storing AFS Binaries in AFS</link>.</para>
5033 <para>You can name volumes in any way you wish, and mount them at other locations than those suggested here. However, this
5034 scheme has several advantages: <itemizedlist>
5036 <para>Volume names clearly identify volume contents</para>
5040 <para>Using the <replaceable>sysname</replaceable> prefix on every volume makes it is easy to back up all of the volumes
5041 together, because the AFS Backup System enables you to define sets of volumes based on a string included in all of their
5046 <para>It makes it easy to track related volumes, keeping them together on the same file server machine if desired</para>
5050 <para>There is a clear relationship between volume name and mount point name</para>
5052 </itemizedlist></para>
5054 <informaltable frame="none">
5056 <colspec colwidth="50*" />
5058 <colspec colwidth="50*" />
5062 <entry><emphasis role="bold">Volume Name</emphasis></entry>
5064 <entry><emphasis role="bold">Mount Point</emphasis></entry>
5070 <entry><replaceable>sysname</replaceable></entry>
5073 role="bold">/afs/</emphasis><replaceable>cellname</replaceable>/<replaceable>sysname</replaceable></entry>
5077 <entry><replaceable>sysname</replaceable>.<emphasis role="bold">bin</emphasis></entry>
5080 role="bold">/afs/</emphasis><replaceable>cellname</replaceable>/<replaceable>sysname</replaceable><emphasis
5081 role="bold">/bin</emphasis></entry>
5085 <entry><replaceable>sysname</replaceable>.<emphasis role="bold">etc</emphasis></entry>
5088 role="bold">/afs/</emphasis><replaceable>cellname</replaceable>/<replaceable>sysname</replaceable><emphasis
5089 role="bold">/etc</emphasis></entry>
5093 <entry><replaceable>sysname</replaceable>.<emphasis role="bold">usr</emphasis></entry>
5096 role="bold">/afs/</emphasis><replaceable>cellname</replaceable>/<replaceable>sysname</replaceable><emphasis
5097 role="bold">/usr</emphasis></entry>
5101 <entry><replaceable>sysname</replaceable>.<emphasis role="bold">usr.afsws</emphasis></entry>
5104 role="bold">/afs/</emphasis><replaceable>cellname</replaceable>/<replaceable>sysname</replaceable><emphasis
5105 role="bold">/usr/afsws</emphasis></entry>
5109 <entry><replaceable>sysname</replaceable>.<emphasis role="bold">usr.bin</emphasis></entry>
5112 role="bold">/afs/</emphasis><replaceable>cellname</replaceable>/<replaceable>sysname</replaceable><emphasis
5113 role="bold">/usr/bin</emphasis></entry>
5117 <entry><replaceable>sysname</replaceable>.<emphasis role="bold">usr.etc</emphasis></entry>
5120 role="bold">/afs/</emphasis><replaceable>cellname</replaceable>/<replaceable>sysname</replaceable><emphasis
5121 role="bold">/usr/etc</emphasis></entry>
5125 <entry><replaceable>sysname</replaceable>.<emphasis role="bold">usr.inc</emphasis></entry>
5128 role="bold">/afs/</emphasis><replaceable>cellname</replaceable>/<replaceable>sysname</replaceable><emphasis
5129 role="bold">/usr/include</emphasis></entry>
5133 <entry><replaceable>sysname</replaceable>.<emphasis role="bold">usr.lib</emphasis></entry>
5136 role="bold">/afs/</emphasis><replaceable>cellname</replaceable>/<replaceable>sysname</replaceable><emphasis
5137 role="bold">/usr/lib</emphasis></entry>
5141 <entry><replaceable>sysname</replaceable>.<emphasis role="bold">usr.loc</emphasis></entry>
5144 role="bold">/afs/</emphasis><replaceable>cellname</replaceable>/<replaceable>sysname</replaceable><emphasis
5145 role="bold">/usr/local</emphasis></entry>
5149 <entry><replaceable>sysname</replaceable>.<emphasis role="bold">usr.man</emphasis></entry>
5152 role="bold">/afs/</emphasis><replaceable>cellname</replaceable>/<replaceable>sysname</replaceable><emphasis
5153 role="bold">/usr/man</emphasis></entry>
5157 <entry><replaceable>sysname</replaceable>.<emphasis role="bold">usr.sys</emphasis></entry>
5160 role="bold">/afs/</emphasis><replaceable>cellname</replaceable>/<replaceable>sysname</replaceable><emphasis
5161 role="bold">/usr/sys</emphasis></entry>
5168 <primary>foreign cell, enabling access</primary>
5172 <primary>cell</primary>
5174 <secondary>enabling access to foreign</secondary>
5178 <primary>access</primary>
5180 <secondary>to local and foreign cells</secondary>
5184 <primary>AFS filespace</primary>
5186 <secondary>enabling access to foreign cells</secondary>
5190 <primary>root.cell volume</primary>
5192 <secondary>mounting for foreign cells in local filespace</secondary>
5196 <primary>database server machine</primary>
5198 <secondary>entry in client CellServDB file</secondary>
5200 <tertiary>for foreign cell</tertiary>
5204 <primary>CellServDB file (client)</primary>
5206 <secondary>adding entry</secondary>
5208 <tertiary>for foreign cell</tertiary>
5212 <sect1 id="HDRWQ91">
5213 <title>Enabling Access to Foreign Cells</title>
5215 <para>With current OpenAFS releases, there exist a number of mechanisms for
5216 providing access to foreign cells. You may add mount points in your AFS
5217 filespace for each foreign cell you wish users to access, or you can
5218 enable a 'synthetic' AFS root, which contains mountpoints for either all
5219 AFS cells defined in the client machine's local
5220 <emphasis role="bold">/usr/vice/etc/CellServDB</emphasis>, or for all cells
5221 providing location information in the DNS.
5225 <title>Enabling a Synthetic AFS root</title>
5227 <para>When a synthetic root is enabled, the client cache machine creates its
5228 own root.afs volume, rather than using the one provided with your cell. This
5229 allows clients to access all cells in the
5230 <emphasis role="bold">CellServDB</emphasis> file and, optionally, all cells
5231 registered in the DNS, without requiring system administrator action to
5232 enable this access. Using a synthetic root has the additional advantage that
5233 it allows a client to start its AFS service without a network available, as
5234 it is no longer necessary to contact a fileserver to obtain the root volume.
5237 <para>OpenAFS supports two complimentary mechanisms for creating the
5238 synthetic root. Starting the cache manager with the
5239 <emphasis role="bold">-dynroot</emphasis> option adds all cells listed
5240 in <emphasis role="bold">/usr/vice/etc/CellServDB</emphasis> to the client's
5241 AFS root. Adding the <emphasis role="bold">-afsdb</emphasis> option in
5242 addition to this enables DNS lookups for any cells that are not found in
5243 the client's CellServDB file. Both of these options are added to the AFS
5244 initialisation script, or options file, as detailed in
5245 <link linkend="HDRWQ70">Configuring the Cache Manager</link>.</para>
5248 <title>Adding foreign cells to a conventional root volume</title>
5250 <para>In this section you create a mount point in your AFS filespace for the <emphasis role="bold">root.cell</emphasis> volume
5251 of each foreign cell that you want to enable your users to access. For users working on a client machine to access the cell,
5252 there must in addition be an entry for it in the client machine's local <emphasis
5253 role="bold">/usr/vice/etc/CellServDB</emphasis> file. (The instructions in <link linkend="HDRWQ66">Creating the Client
5254 CellServDB File</link> suggest that you use the <emphasis role="bold">CellServDB.sample</emphasis> file included in the AFS
5255 distribution as the basis for your cell's client <emphasis role="bold">CellServDB</emphasis> file. The sample file lists all of
5256 the cells that had agreed to participate in the AFS global namespace at the time your AFS CD-ROM was created. As mentioned in
5257 that section, the AFS Product Support group also maintains a copy of the file, updating it as necessary.)</para>
5259 <para>The chapter in the <emphasis>OpenAFS Administration Guide</emphasis> about cell administration and configuration issues
5260 discusses the implications of participating in the global AFS namespace. The chapter about administering client machines
5261 explains how to maintain knowledge of foreign cells on client machines, and includes suggestions for maintaining a central
5262 version of the file in AFS. <orderedlist>
5264 <para>Issue the <emphasis role="bold">fs mkmount</emphasis> command to mount each foreign cell's <emphasis
5265 role="bold">root.cell</emphasis> volume on a directory called <emphasis
5266 role="bold">/afs/</emphasis><replaceable>foreign_cell</replaceable>. Because the <emphasis role="bold">root.afs</emphasis>
5267 volume is replicated, you must create a temporary mount point for its read/write version in a directory to which you have
5268 write access (such as your cell's <emphasis role="bold">/afs/.</emphasis><replaceable>cellname</replaceable> directory).
5269 Create the mount points, issue the <emphasis role="bold">vos release</emphasis> command to release new replicas to the
5270 read-only sites for the <emphasis role="bold">root.afs</emphasis> volume, and issue the <emphasis role="bold">fs
5271 checkvolumes</emphasis> command to force the local Cache Manager to access the new replica.</para>
5274 <para>You need to issue the <emphasis role="bold">fs mkmount</emphasis> command only once for each foreign cell's
5275 <emphasis role="bold">root.cell</emphasis> volume. You do not need to repeat the command on each client machine.</para>
5278 <para>Substitute your cell's name for <replaceable>cellname</replaceable>.</para>
5281 # <emphasis role="bold">cd /afs/.</emphasis><replaceable>cellname</replaceable>
5282 # <emphasis role="bold">/usr/afs/bin/fs mkmount temp root.afs</emphasis>
5285 <para>Repeat the <emphasis role="bold">fs mkmount</emphasis> command for each foreign cell you wish to mount at this
5289 # <emphasis role="bold">/usr/afs/bin/fs mkmount temp/</emphasis><replaceable>foreign_cell</replaceable> <emphasis role="bold">root.cell -c</emphasis> <replaceable>foreign_cell</replaceable>
5292 <para>Issue the following commands only once.</para>
5295 # <emphasis role="bold">/usr/afs/bin/fs rmmount temp</emphasis>
5296 # <emphasis role="bold">/usr/afs/bin/vos release root.afs</emphasis>
5297 # <emphasis role="bold">/usr/afs/bin/fs checkvolumes</emphasis>
5301 <primary>fs commands</primary>
5303 <secondary>newcell</secondary>
5307 <primary>commands</primary>
5309 <secondary>fs newcell</secondary>
5313 <listitem id="LIWQ92">
5314 <para>If this machine is going to remain an AFS client after you complete the installation, verify
5315 that the local <emphasis role="bold">/usr/vice/etc/CellServDB</emphasis> file includes an entry for each foreign
5318 <para>For each cell that does not already have an entry, complete the following instructions: <orderedlist>
5320 <para>Create an entry in the <emphasis role="bold">CellServDB</emphasis> file. Be sure to comply with the formatting
5321 instructions in <link linkend="HDRWQ66">Creating the Client CellServDB File</link>.</para>
5325 <para>Issue the <emphasis role="bold">fs newcell</emphasis> command to add an entry for the cell directly to the
5326 list that the Cache Manager maintains in kernel memory. Provide each database server machine's fully qualified
5327 hostname. <programlisting>
5328 # <emphasis role="bold">/usr/afs/bin/fs newcell</emphasis> <<replaceable>foreign_cell</replaceable>> <<replaceable>dbserver1></replaceable> \
5329 [<<replaceable>dbserver2></replaceable>] [<<replaceable>dbserver3></replaceable>]
5330 </programlisting></para>
5334 <para>If you plan to maintain a central version of the <emphasis role="bold">CellServDB</emphasis> file (the
5335 conventional location is <emphasis role="bold">/afs/</emphasis><replaceable>cellname</replaceable><emphasis
5336 role="bold">/common/etc/CellServDB</emphasis>), create it now as a copy of the local <emphasis
5337 role="bold">/usr/vice/etc/CellServDB</emphasis> file. Verify that it includes an entry for each foreign cell you
5338 want your users to be able to access. <programlisting>
5339 # <emphasis role="bold">mkdir common</emphasis>
5340 # <emphasis role="bold">mkdir common/etc</emphasis>
5341 # <emphasis role="bold">cp /usr/vice/etc/CellServDB common/etc</emphasis>
5342 # <emphasis role="bold">/usr/afs/bin/vos release root.cell</emphasis>
5343 </programlisting></para>
5345 </orderedlist></para>
5349 <para>Issue the <emphasis role="bold">ls</emphasis> command to verify that the new cell's mount point is visible in your
5350 filespace. The output lists the directories at the top level of the new cell's AFS filespace. <programlisting>
5351 # <emphasis role="bold">ls /afs/</emphasis><replaceable>foreign_cell</replaceable>
5352 </programlisting></para>
5356 <para>If you wish to participate in the global AFS namespace, and only
5357 intend running one database server, please
5358 register your cell with grand.central.org at this time.
5359 To do so, email the <emphasis role="bold">CellServDB</emphasis> fragment
5360 describing your cell, together with a contact name and email address
5361 for any queries, to cellservdb@grand.central.org. If you intend
5362 on deploying multiple database servers, please wait until you have
5363 installed all of them before registering your cell.</para>
5366 <para>If you wish to allow your cell to be located through DNS lookups,
5367 at this time you should also add the necessary configuration to your
5370 <para>AFS database servers may be located by creating AFSDB records
5371 in the DNS for the domain name corresponding to the name of your cell.
5372 It's outside the scope of this guide to give an indepth description of
5373 managing, or configuring, your site's DNS. You should consult the
5374 documentation for your DNS server for further details on AFSDB
5377 </orderedlist></para>
5381 <sect1 id="HDRWQ93">
5382 <title>Improving Cell Security</title>
5385 <primary>cell</primary>
5387 <secondary>improving security</secondary>
5391 <primary>security</primary>
5393 <secondary>improving</secondary>
5397 <primary>root superuser</primary>
5399 <secondary>controlling access</secondary>
5403 <primary>access</primary>
5405 <secondary>to root and admin accounts</secondary>
5409 <primary>admin account</primary>
5411 <secondary>controlling access to</secondary>
5415 <primary>AFS filespace</primary>
5417 <secondary>controlling access by root superuser</secondary>
5420 <para>This section discusses ways to improve the security of AFS data
5421 in your cell. Also see the chapter in the <emphasis>OpenAFS
5422 Administration Guide</emphasis> about configuration and administration
5425 <sect2 id="HDRWQ94">
5426 <title>Controlling root Access</title>
5428 <para>As on any machine, it is important to prevent unauthorized users from logging onto an AFS server or client machine as
5429 the local superuser <emphasis role="bold">root</emphasis>. Take care to keep the <emphasis role="bold">root</emphasis>
5430 password secret.</para>
5432 <para>The local <emphasis role="bold">root</emphasis> superuser does not have special access to AFS data through the Cache
5433 Manager (as members of the <emphasis role="bold">system:administrators</emphasis> group do), but it does have the following
5434 privileges: <itemizedlist>
5436 <para>On client machines, the ability to issue commands from the <emphasis role="bold">fs</emphasis> suite that affect
5437 AFS performance</para>
5441 <para>On server machines, the ability to disable authorization checking, or to install rogue process binaries</para>
5443 </itemizedlist></para>
5446 <sect2 id="HDRWQ95">
5447 <title>Controlling System Administrator Access</title>
5449 <para>Following are suggestions for managing AFS administrative privilege: <itemizedlist>
5451 <para>Create an administrative account for each administrator named
5453 <replaceable>username</replaceable><emphasis role="bold">.admin</emphasis>.
5454 Administrators authenticate under these identities only when
5455 performing administrative tasks, and destroy the administrative
5456 tokens immediately after finishing the task (either by issuing the
5457 <emphasis role="bold">unlog</emphasis> command, or the
5458 <emphasis role="bold">kinit</emphasis> and
5459 <emphasis role="bold">aklog</emphasis> commands to adopt their
5460 regular identity).</para>
5464 <para>Set a short ticket lifetime for administrator accounts (for example, 20 minutes) by using the
5465 facilities of your KDC. For instance, with a MIT Kerberos KDC, this
5466 can be performed using the
5467 <emphasis role="bold">--max-ticket-life</emphasis> argument to
5468 the <emphasis role="bold">kadmin modify_principal</emphasis>
5469 command. Do not however, use a short lifetime for users
5470 who issue long-running <emphasis role="bold">backup</emphasis> commands.</para>
5474 <para>Limit the number of system administrators in your cell, especially those who belong to the <emphasis
5475 role="bold">system:administrators</emphasis> group. By default they have all ACL rights on all directories in the local
5476 AFS filespace, and therefore must be trusted not to examine private files.</para>
5480 <para>Limit the use of system administrator accounts on machines in public areas. It is especially important not to
5481 leave such machines unattended without first destroying the administrative tokens.</para>
5485 <para>Limit the use by administrators of standard UNIX commands that make connections to remote machines (such as the
5486 <emphasis role="bold">telnet</emphasis> utility). Many of these programs send passwords across the network without
5487 encrypting them.</para>
5489 </itemizedlist></para>
5492 <primary>BOS Server</primary>
5494 <secondary>checking mode bits on AFS directories</secondary>
5498 <primary>mode bits on local AFS directories</primary>
5502 <primary>UNIX mode bits on local AFS directories</primary>
5506 <sect2 id="HDRWQ96">
5507 <title>Protecting Sensitive AFS Directories</title>
5509 <para>Some subdirectories of the <emphasis role="bold">/usr/afs</emphasis> directory contain files crucial to cell security.
5510 Unauthorized users must not read or write to these files because of the potential for misuse of the information they
5513 <para>As the BOS Server initializes for the first time on a server machine, it creates several files and directories (as
5514 mentioned in <link linkend="HDRWQ50">Starting the BOS Server</link>). It sets their owner to the local superuser <emphasis
5515 role="bold">root</emphasis> and sets their mode bits to enable writing by the owner only; in some cases, it also restricts
5518 <para>At each subsequent restart, the BOS Server checks that the owner and mode bits on these files are still set
5519 appropriately. If they are not, it write the following message to the <emphasis role="bold">/usr/afs/logs/BosLog</emphasis>
5523 Bosserver reports inappropriate access on server directories
5526 <para>The BOS Server does not reset the mode bits, which enables you to set alternate values if you wish.</para>
5528 <para>The following charts lists the expected mode bit settings. A question mark indicates that the BOS Server does not check
5529 that mode bit.</para>
5531 <informaltable frame="none">
5533 <colspec colwidth="30*" />
5535 <colspec colwidth="70*" />
5539 <entry><emphasis role="bold">/usr/afs</emphasis></entry>
5541 <entry><computeroutput>drwxr</computeroutput>?<computeroutput>xr-x</computeroutput></entry>
5545 <entry><emphasis role="bold">/usr/afs/backup</emphasis></entry>
5547 <entry><computeroutput>drwx</computeroutput>???<computeroutput>---</computeroutput></entry>
5551 <entry><emphasis role="bold">/usr/afs/bin</emphasis></entry>
5553 <entry><computeroutput>drwxr</computeroutput>?<computeroutput>xr-x</computeroutput></entry>
5557 <entry><emphasis role="bold">/usr/afs/db</emphasis></entry>
5559 <entry><computeroutput>drwx</computeroutput>???<computeroutput>---</computeroutput></entry>
5563 <entry><emphasis role="bold">/usr/afs/etc</emphasis></entry>
5565 <entry><computeroutput>drwxr</computeroutput>?<computeroutput>xr-x</computeroutput></entry>
5569 <entry><emphasis role="bold">/usr/afs/etc/KeyFile</emphasis></entry>
5571 <entry><computeroutput>-rw</computeroutput>????<computeroutput>---</computeroutput></entry>
5575 <entry><emphasis role="bold">/usr/afs/etc/UserList</emphasis></entry>
5577 <entry><computeroutput>-rw</computeroutput>?????<computeroutput>--</computeroutput></entry>
5581 <entry><emphasis role="bold">/usr/afs/local</emphasis></entry>
5583 <entry><computeroutput>drwx</computeroutput>???<computeroutput>---</computeroutput></entry>
5587 <entry><emphasis role="bold">/usr/afs/logs</emphasis></entry>
5589 <entry><computeroutput>drwxr</computeroutput>?<computeroutput>xr-x</computeroutput></entry>
5596 <primary>first AFS machine</primary>
5598 <secondary>client functionality</secondary>
5600 <tertiary>removing</tertiary>
5604 <primary>removing</primary>
5606 <secondary>client functionality from first AFS machine</secondary>
5611 <sect1 id="HDRWQ98">
5612 <title>Removing Client Functionality</title>
5614 <para>Follow the instructions in this section only if you do not wish this machine to remain an AFS client. Removing client
5615 functionality means that you cannot use this machine to access AFS files. <orderedlist>
5617 <para>Remove the files from the <emphasis role="bold">/usr/vice/etc</emphasis> directory. The command does not remove the
5618 directory for files used by the dynamic kernel loader program, if it exists on this system type. Those files are still
5619 needed on a server-only machine. <programlisting>
5620 # <emphasis role="bold">cd /usr/vice/etc</emphasis>
5621 # <emphasis role="bold">rm *</emphasis>
5622 # <emphasis role="bold">rm -rf C</emphasis>
5623 </programlisting></para>
5627 <para>Create symbolic links to the <emphasis role="bold">ThisCell</emphasis> and <emphasis
5628 role="bold">CellServDB</emphasis> files in the <emphasis role="bold">/usr/afs/etc</emphasis> directory. This makes it
5629 possible to issue commands from the AFS command suites (such as <emphasis role="bold">bos</emphasis> and <emphasis
5630 role="bold">fs</emphasis>) on this machine. <programlisting>
5631 # <emphasis role="bold">ln -s /usr/afs/etc/ThisCell ThisCell</emphasis>
5632 # <emphasis role="bold">ln -s /usr/afs/etc/CellServDB CellServDB</emphasis>
5633 </programlisting></para>
5637 <para>Reboot the machine. Most system types use the <emphasis role="bold">shutdown</emphasis> command, but the appropriate
5638 options vary. <programlisting>
5639 # <emphasis role="bold">cd /</emphasis>
5640 # <emphasis role="bold">shutdown</emphasis> <replaceable>appropriate_options</replaceable>
5641 </programlisting></para>
5643 </orderedlist></para>