[openafs.git] / doc / xml / QuickStartUnix / auqbg005.xml

<?xml version="1.0" encoding="UTF-8"?>
<chapter id="HDRWQ17">
  <title>Installing the First AFS Machine</title>

  <para>
  <indexterm>
    <primary>file server machine</primary>

    <seealso>first AFS machine</seealso>

    <seealso>file server machine, additional</seealso>
  </indexterm>

  <indexterm>
    <primary>instructions</primary>

    <secondary>first AFS machine</secondary>
  </indexterm>

  <indexterm>
    <primary>installing</primary>

    <secondary>first AFS machine</secondary>
  </indexterm>

  This chapter describes how to install the first AFS machine in your cell, configuring it as both a file server machine and a
  client machine. After completing all procedures in this chapter, you can remove the client functionality if you wish, as described
  in <link linkend="HDRWQ98">Removing Client Functionality</link>.</para>

  <para>To install additional file server machines after completing this chapter, see <link linkend="HDRWQ99">Installing Additional
  Server Machines</link>.</para>

  <para>To install additional client machines after completing this chapter, see <link linkend="HDRWQ133">Installing Additional
  Client Machines</link>. <indexterm>
      <primary>requirements</primary>

      <secondary>first AFS machine</secondary>
    </indexterm></para>

  <sect1 id="Header_29">
    <title>Requirements and Configuration Decisions</title>

    <para>The instructions in this chapter assume that you meet the following requirements. 
      <itemizedlist>
        <listitem>
          <para>You are logged onto the machine's console as the local superuser <emphasis role="bold">root</emphasis></para>
        </listitem>

        <listitem>
          <para>A standard version of one of the operating systems supported by the current version of AFS is running on the
          machine</para>
        </listitem>

        <listitem>
          <para>You have either installed the provided OpenAFS packages for 
          your system, have access to a binary distribution tarball, or have 
          successfully built OpenAFS from source</para>
        </listitem>

        <listitem>
          <para>You have a Kerberos v5 realm running for your site. If you are
          working with an existing cell which uses 
          <emphasis role="bold">kaserver</emphasis> or Kerberos v4 for
          authentication, please see 
          <link linkend="KAS001">kaserver and Legacy Kerberos v4 Authentication</link>
          for the modifications required to this installation procedure.</para>
        </listitem>

        <listitem>
          <para>You have NTP or a similar time service deployed to ensure
          rough clock syncronistation between your clients and servers.</para>
        </listitem>
      </itemizedlist></para>

    <para>You must make the following configuration decisions while installing the first AFS machine. To speed the installation
    itself, it is best to make the decisions before beginning. See the chapter in the <emphasis>OpenAFS Administration
    Guide</emphasis> about issues in cell administration and configuration for detailed guidelines. <indexterm>
        <primary>cell name</primary>

        <secondary>choosing</secondary>
      </indexterm> <indexterm>
        <primary>AFS filespace</primary>

        <secondary>deciding how to configure</secondary>
      </indexterm> <indexterm>
        <primary>filespace</primary>

        <see>AFS filespace</see>
      </indexterm> <itemizedlist>
        <listitem>
          <para>Select the first AFS machine</para>
        </listitem>

        <listitem>
          <para>Select the cell name</para>
        </listitem>

        <listitem>
          <para>Decide which partitions or logical volumes to configure as AFS server partitions, and choose the directory names on
          which to mount them</para>
        </listitem>

        <listitem>
          <para>Decide how big to make the client cache</para>
        </listitem>

        <listitem>
          <para>Decide how to configure the top levels of your cell's AFS filespace</para>
        </listitem>
      </itemizedlist></para>

    <para>This chapter is divided into three large sections corresponding to the three parts of installing the first AFS machine.
    Perform all of the steps in the order they appear. Each functional section begins with a summary of the procedures to perform.
    The sections are as follows: <itemizedlist>
        <listitem>
          <para>Installing server functionality (begins in <link linkend="HDRWQ18">Overview: Installing Server
          Functionality</link>)</para>
        </listitem>

        <listitem>
          <para>Installing client functionality (begins in <link linkend="HDRWQ63">Overview: Installing Client
          Functionality</link>)</para>
        </listitem>

        <listitem>
          <para>Configuring your cell's filespace, establishing further security mechanisms, and enabling access to foreign cells
          (begins in <link linkend="HDRWQ71">Overview: Completing the Installation of the First AFS Machine</link>)</para>
        </listitem>
      </itemizedlist></para>

    <indexterm>
      <primary>overview</primary>

      <secondary>installing server functionality on first AFS machine</secondary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>server functionality</secondary>
    </indexterm>

    <indexterm>
      <primary>installing</primary>

      <secondary>server functionality</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>
  </sect1>

  <sect1 id="HDRWQ18">
    <title>Overview: Installing Server Functionality</title>

    <para>In the first phase of installing your cell's first AFS machine, you install file server and database server functionality
    by performing the following procedures: 
    <orderedlist>
        <listitem>
          <para>Choose which machine to install as the first AFS machine</para>
        </listitem>

        <listitem>
          <para>Create AFS-related directories on the local disk</para>
        </listitem>

        <listitem>
          <para>Incorporate AFS modifications into the machine's kernel</para>
        </listitem>

        <listitem>
          <para>Configure partitions or logical volumes for storing AFS volumes</para>
        </listitem>

        <listitem>
          <para>On some system types, install and configure an AFS-modified version of the <emphasis role="bold">fsck</emphasis>
          program</para>
        </listitem>

        <listitem>
          <para>If the machine is to remain a client machine, incorporate AFS into its authentication system</para>
        </listitem>

        <listitem>
          <para>Start the Basic OverSeer (BOS) Server</para>
        </listitem>

        <listitem>
          <para>Define the cell name and the machine's cell membership</para>
        </listitem>

        <listitem>
          <para>Start the database server processes: Backup Server, Protection Server, and Volume Location
          (VL) Server</para>
        </listitem>

        <listitem>
          <para>Configure initial security mechanisms</para>
        </listitem>

        <listitem>
          <para>Start the <emphasis role="bold">fs</emphasis> process, which incorporates three component processes: the File
          Server, Volume Server, and Salvager</para>
        </listitem>

        <listitem>
          <para>Optionally, start the server portion of the Update Server</para>
        </listitem>

      </orderedlist></para>
  </sect1>

  <sect1 id="HDRWQ19">
    <title>Choosing the First AFS Machine</title>

    <para>The first AFS machine you install must have sufficient disk space to store AFS volumes. To take best advantage of AFS's
    capabilities, store client-side binaries as well as user files in volumes. When you later install additional file server
    machines in your cell, you can distribute these volumes among the different machines as you see fit.</para>

    <para>These instructions configure the first AFS machine as a <emphasis>database server machine</emphasis>, the <emphasis>binary
    distribution machine</emphasis> for its system type, and the cell's <emphasis>system control machine</emphasis>. For a
    description of these roles, see the <emphasis>OpenAFS Administration Guide</emphasis>.</para>

    <para>Installation of additional machines is simplest if the first machine has the lowest IP address of any database server
    machine you currently plan to install. If you later install database server functionality on a machine with a lower IP address,
    you must first update the <emphasis role="bold">/usr/vice/etc/CellServDB</emphasis> file on all of your cell's client machines.
    For more details, see <link linkend="HDRWQ114">Installing Database Server Functionality</link>.</para>
  </sect1>

  <sect1 id="Header_32">
    <title>Creating AFS Directories</title>

    <indexterm>
      <primary>usr/afs directory</primary>

      <secondary>first AFS machine</secondary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>/usr/afs directory</secondary>
    </indexterm>

    <indexterm>
      <primary>creating</primary>

      <secondary>/usr/afs directory</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>usr/vice/etc directory</primary>

      <secondary>first AFS machine</secondary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>/usr/vice/etc directory</secondary>
    </indexterm>

    <indexterm>
      <primary>creating</primary>

      <secondary>/usr/vice/etc directory</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>/ as start to file and directory names</primary>

      <secondary>see alphabetized entries without initial slash</secondary>
    </indexterm>

    <para>If you are installing from packages (such as Debian .deb or 
    Fedora/SuSe .rpm files), you should now install all of the available 
    OpenAFS packages for your system type. Typically, these will include 
    packages for client and server functionality, and a seperate package 
    containing a suitable kernel module for your running kernel. Consult 
    the package lists on the OpenAFS website to determine the packages 
    appropriate for your system.</para>

    <para>If you are installing from a tarfile, or from a locally compiled 
    source tree you should create the <emphasis role="bold">/usr/afs</emphasis>
    and <emphasis role="bold">/usr/vice/etc</emphasis> directories on the
    local disk, to house server and client files respectively. Subsequent 
    instructions copy files from the distribution tarfile into them. </para>
<programlisting>
   # <emphasis role="bold">mkdir /usr/afs</emphasis>
   # <emphasis role="bold">mkdir /usr/vice</emphasis>
   # <emphasis role="bold">mkdir /usr/vice/etc</emphasis>
</programlisting>
  </sect1>

  <sect1 id="HDRWQ20">
    <title>Performing Platform-Specific Procedures</title>

    <para>Several of the initial procedures for installing a file server machine differ for each system type. For convenience, the
    following sections group them together for each system type: <itemizedlist>
        <indexterm>
          <primary>kernel extensions</primary>

          <see>AFS kernel extensions</see>
        </indexterm>

        <indexterm>
          <primary>loading AFS kernel extensions</primary>

          <see>incorporating</see>
        </indexterm>

        <indexterm>
          <primary>building</primary>

          <secondary>AFS extensions into kernel</secondary>

          <see>incorporating AFS kernel extensions</see>
        </indexterm>

        <listitem>
          <para>Incorporate AFS modifications into the kernel.</para>

          <para>The kernel on every AFS client machine and, on some systems, 
          the AFS fileservers, must incorporate AFS extensions. On machines 
          that use a dynamic kernel module loader, it is conventional to 
          alter the machine's initialization script to load the AFS extensions
          at each reboot. <indexterm>
              <primary>AFS server partition</primary>

              <secondary>mounted on /vicep directory</secondary>
            </indexterm> <indexterm>
              <primary>partition</primary>

              <see>AFS server partition</see>
            </indexterm> <indexterm>
              <primary>logical volume</primary>

              <see>AFS server partition</see>
            </indexterm> <indexterm>
              <primary>requirements</primary>

              <secondary>AFS server partition name and location</secondary>
            </indexterm> <indexterm>
              <primary>naming conventions for AFS server partition</primary>
            </indexterm> <indexterm>
              <primary>vicep<emphasis>xx</emphasis> directory</primary>

              <see>AFS server partition</see>
            </indexterm> <indexterm>
              <primary>directories</primary>

              <secondary>/vicep<emphasis>xx</emphasis></secondary>

              <see>AFS server partition</see>
            </indexterm></para>
        </listitem>

        <listitem>
          <para>Configure server partitions or logical volumes to house AFS volumes.</para>

          <para>Every AFS file server machine must have at least one partition or logical volume dedicated to storing AFS volumes
          (for convenience, the documentation hereafter refers to partitions only). Each server partition is mounted at a directory
          named <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable>, where <replaceable>xx</replaceable> is one or
          two lowercase letters. By convention, the first 26 partitions are mounted on the directories called <emphasis
          role="bold">/vicepa</emphasis> through <emphasis role="bold">/vicepz</emphasis>, the 27th one is mounted on the <emphasis
          role="bold">/vicepaa</emphasis> directory, and so on through <emphasis role="bold">/vicepaz</emphasis> and <emphasis
          role="bold">/vicepba</emphasis>, continuing up to the index corresponding to the maximum number of server partitions
          supported in the current version of AFS (which is specified in the <emphasis>OpenAFS Release Notes</emphasis>).</para>

          <para>The <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable> directories must reside in the file server
          machine's root directory, not in one of its subdirectories (for example, <emphasis role="bold">/usr/vicepa</emphasis> is
          not an acceptable directory location).

          The <emphasis role="bold">fileserver</emphasis> will refuse to
          mount
          any <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable>
          folders that are not separate partitions. </para>

          <warning>
            <para>The separate partition requirement may be overridden by
              creating a file named
              <emphasis role="bold">/vicep<replaceable>xx</replaceable>/AlwaysAttach</emphasis>;
              however, mixed-use partitions, whether cache or fileserver,
              have the risk that a non-AFS use will fill the partition and
              not leave enough free space for AFS.  Even though it is
              allowed, be wary of configuring a mixed-use partition
              without understanding the ramifications of doing so with the
              workload on your filesystem.
              <indexterm>
                <primary>AFS server partition</primary>
                <secondary>AlwaysAttach</secondary>
              </indexterm>
            </para>
          </warning>

          <para>You can also add or remove server partitions on an existing file server machine. For instructions, see the chapter
          in the <emphasis>OpenAFS Administration Guide</emphasis> about maintaining server machines.</para>

          <note>
            <para>Not all file system types supported by an operating system are necessarily supported as AFS server partitions. For
            possible restrictions, see the <emphasis>OpenAFS Release Notes</emphasis>.</para>
          </note>
        </listitem>

        <listitem>
          <para>On system types using the <emphasis role="bold">inode</emphasis> storage format, install and configure a modified <emphasis role="bold">fsck</emphasis> program which
          recognizes the structures that the File Server uses to organize volume data on AFS server partitions. The <emphasis
          role="bold">fsck</emphasis> program provided with the operating system does not understand the AFS data structures, and so
          removes them to the <emphasis role="bold">lost+found</emphasis> directory.</para>
        </listitem>

        <listitem>
          <para>If the machine is to remain an AFS client machine, modify the machine's authentication system so that users obtain
          an AFS token as they log into the local file system. Using AFS is simpler and more convenient for your users if you make
          the modifications on all client machines. Otherwise, users must perform a two or three step login procedure (login to the local
          system, then obtain Kerberos credentials, and then issue the <emphasis role="bold">aklog</emphasis> command). For further discussion of AFS
          authentication, see the chapter in the <emphasis>OpenAFS Administration Guide</emphasis> about cell configuration and
          administration issues.</para>
        </listitem>
      </itemizedlist></para>

    <para>To continue, proceed to the appropriate section: <itemizedlist>
        <listitem>
          <para><link linkend="HDRWQ21">Getting Started on AIX Systems</link></para>
        </listitem>

        <listitem>
          <para><link linkend="HDRWQ36">Getting Started on IRIX Systems</link></para>
        </listitem>

        <listitem>
          <para><link linkend="HDRWQ41">Getting Started on Linux Systems</link></para>
        </listitem>

        <listitem>
          <para><link linkend="HDRWQ45">Getting Started on Solaris Systems</link></para>
        </listitem>
      </itemizedlist></para>
  </sect1>

  <sect1 id="HDRWQ21">
    <title>Getting Started on AIX Systems</title>

    <para>Begin by running the AFS initialization script to call the AIX kernel extension facility, which dynamically loads AFS
    modifications into the kernel. Then use the <emphasis role="bold">SMIT</emphasis> program to configure partitions for storing
    AFS volumes, and replace the AIX <emphasis role="bold">fsck</emphasis> program helper with a version that correctly handles AFS
    volumes. If the machine is to remain an AFS client machine, incorporate AFS into the AIX secondary authentication system.
    <indexterm>
        <primary>incorporating AFS kernel extensions</primary>

        <secondary>first AFS machine</secondary>

        <tertiary>AIX</tertiary>
      </indexterm> <indexterm>
        <primary>AFS kernel extensions</primary>

        <secondary>on first AFS machine</secondary>

        <tertiary>AIX</tertiary>
      </indexterm> <indexterm>
        <primary>first AFS machine</primary>

        <secondary>AFS kernel extensions</secondary>

        <tertiary>on AIX</tertiary>
      </indexterm> <indexterm>
        <primary>AIX</primary>

        <secondary>AFS kernel extensions</secondary>

        <tertiary>on first AFS machine</tertiary>
      </indexterm></para>

    <sect2 id="HDRWQ22">
      <title>Loading AFS into the AIX Kernel</title>

      <para>The AIX kernel extension facility is the dynamic kernel loader
      provided by IBM Corporation.  AIX does not support incorporation of
      AFS modifications during a kernel build.</para>

      <para>For AFS to function correctly, the kernel extension facility must run each time the machine reboots, so the AFS
      initialization script (included in the AFS distribution) invokes it automatically. In this section you copy the script to the
      conventional location and edit it to select the appropriate options depending on whether NFS is also to run.</para>

      <para>After editing the script, you run it to incorporate AFS into the kernel. In later sections you verify that the script
      correctly initializes all AFS components, then configure the AIX <emphasis role="bold">inittab</emphasis> file so that the
      script runs automatically at reboot. <orderedlist>
          <listitem>
            <para>Unpack the distribution tarball. The examples below assume 
            that you have unpacked the files into the 
            <emphasis role="bold">/tmp/afsdist</emphasis> directory. If you 
            pick a different location, substitute this in all of the following 
            examples. Once you have unpacked the distribution, 
            change directory as indicated.
<programlisting>
   # <emphasis role="bold">cd /tmp/afsdist/rs_aix42/dest/root.client/usr/vice/etc</emphasis>
</programlisting></para>
          </listitem>

          <listitem>
            <para>Copy the AFS kernel library files to the local <emphasis role="bold">/usr/vice/etc/dkload</emphasis> directory,
            and the AFS initialization script to the <emphasis role="bold">/etc</emphasis> directory. <programlisting>
   # <emphasis role="bold">cp -rp  dkload  /usr/vice/etc</emphasis>
   # <emphasis role="bold">cp -p  rc.afs  /etc/rc.afs</emphasis>
</programlisting></para>
          </listitem>

          <listitem>
            <para>Edit the <emphasis role="bold">/etc/rc.afs</emphasis> script, setting the <computeroutput>NFS</computeroutput>
            variable as indicated.</para>

            <para>If the machine is not to function as an NFS/AFS Translator, set the <computeroutput>NFS</computeroutput> variable
            as follows.</para>

            <programlisting>
   NFS=$NFS_NONE
</programlisting>

            <para>If the machine is to function as an NFS/AFS Translator and is running AIX 4.2.1 or higher, set the
            <computeroutput>NFS</computeroutput> variable as follows. Note that NFS must already be loaded into the kernel, which
            happens automatically on systems running AIX 4.1.1 and later, as long as the file <emphasis
            role="bold">/etc/exports</emphasis> exists.</para>

            <programlisting>
   NFS=$NFS_IAUTH
</programlisting>
          </listitem>

          <listitem>
            <para>Invoke the <emphasis role="bold">/etc/rc.afs</emphasis> script to load AFS modifications into the kernel. You can
            ignore any error messages about the inability to start the BOS Server or the Cache Manager or AFS client.
            <programlisting>
   # <emphasis role="bold">/etc/rc.afs</emphasis>
</programlisting></para>
          </listitem>
        </orderedlist></para>

      <indexterm>
        <primary>configuring</primary>

        <secondary>AFS server partition on first AFS machine</secondary>

        <tertiary>AIX</tertiary>
      </indexterm>

      <indexterm>
        <primary>AFS server partition</primary>

        <secondary>configuring on first AFS machine</secondary>

        <tertiary>AIX</tertiary>
      </indexterm>

      <indexterm>
        <primary>first AFS machine</primary>

        <secondary>AFS server partition</secondary>

        <tertiary>on AIX</tertiary>
      </indexterm>

      <indexterm>
        <primary>AIX</primary>

        <secondary>AFS server partition</secondary>

        <tertiary>on first AFS machine</tertiary>
      </indexterm>
    </sect2>

    <sect2 id="HDRWQ23">
      <title>Configuring Server Partitions on AIX Systems</title>

      <para>Every AFS file server machine must have at least one partition or logical volume dedicated to storing AFS volumes. Each
      server partition is mounted at a directory named <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable>, where
      <replaceable>xx</replaceable> is one or two lowercase letters. The <emphasis
      role="bold">/vicep</emphasis><replaceable>xx</replaceable> directories must reside in the file server machine's root
      directory, not in one of its subdirectories (for example, <emphasis role="bold">/usr/vicepa</emphasis> is not an acceptable
      directory location). For additional information, see <link linkend="HDRWQ20">Performing Platform-Specific
      Procedures</link>.</para>

      <para>To configure server partitions on an AIX system, perform the following procedures: <orderedlist>
          <listitem>
            <para>Create a directory called <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable> for each AFS server
            partition you are configuring (there must be at least one). Repeat the command for each partition. <programlisting>
   # <emphasis role="bold">mkdir /vicep</emphasis><replaceable>xx</replaceable>
</programlisting></para>
          </listitem>

          <listitem>
            <para>Use the <emphasis role="bold">SMIT</emphasis> program to create a journaling file system on each partition to be
            configured as an AFS server partition.</para>
          </listitem>

          <listitem>
            <para>Mount each partition at one of the <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable>
            directories. Choose one of the following three methods: <itemizedlist>
                <listitem>
                  <para>Use the <emphasis role="bold">SMIT</emphasis> program</para>
                </listitem>

                <listitem>
                  <para>Use the <emphasis role="bold">mount -a</emphasis> command to mount all partitions at once</para>
                </listitem>

                <listitem>
                  <para>Use the <emphasis role="bold">mount</emphasis> command on each partition in turn</para>
                </listitem>
              </itemizedlist></para>

            <para>Also configure the partitions so that they are mounted automatically at each reboot. For more information, refer
            to the AIX documentation.</para>
          </listitem>
        </orderedlist></para>

      <indexterm>
        <primary>replacing fsck program</primary>

        <secondary>first AFS machine</secondary>

        <tertiary>AIX</tertiary>
      </indexterm>

      <indexterm>
        <primary>fsck program</primary>

        <secondary>on first AFS machine</secondary>

        <tertiary>AIX</tertiary>
      </indexterm>

      <indexterm>
        <primary>first AFS machine</primary>

        <secondary>fsck program</secondary>

        <tertiary>on AIX</tertiary>
      </indexterm>

      <indexterm>
        <primary>AIX</primary>

        <secondary>fsck program</secondary>

        <tertiary>on first AFS machine</tertiary>
      </indexterm>
    </sect2>

    <sect2 id="HDRWQ24">
      <title>Replacing the fsck Program Helper on AIX Systems</title>

      <note><para>The AFS modified fsck program is not required on AIX 5.1 
      systems, and the <emphasis role="bold">v3fshelper</emphasis> program
      refered to below is not shipped for these systems.</para></note>
      
      <para>In this section, you make modifications to guarantee that the appropriate <emphasis role="bold">fsck</emphasis> program
      runs on AFS server partitions. The <emphasis role="bold">fsck</emphasis> program provided with the operating system must never
      run on AFS server partitions. Because it does not recognize the structures that the File Server uses to organize volume data,
      it removes all of the data. To repeat:</para>

      <para><emphasis role="bold">Never run the standard fsck program on AFS server partitions. It discards AFS
      volumes.</emphasis></para>

      <para>On AIX systems, you do not replace the <emphasis role="bold">fsck</emphasis> binary itself, but rather the
      <emphasis>program helper</emphasis> file included in the AIX distribution as <emphasis
      role="bold">/sbin/helpers/v3fshelper</emphasis>. <orderedlist>
          <listitem>
            <para>Move the AIX <emphasis role="bold">fsck</emphasis> program helper to a safe location and install the version from
            the AFS distribution in its place. 
<programlisting>
   # <emphasis role="bold">cd /sbin/helpers</emphasis>
   # <emphasis role="bold">mv v3fshelper v3fshelper.noafs</emphasis>
   # <emphasis role="bold">cp -p /tmp/afsdist/rs_aix42/dest/root.server/etc/v3fshelper v3fshelper</emphasis>
</programlisting></para>
          </listitem>

          <listitem>
            <para>If you plan to retain client functionality on this machine after completing the installation, proceed to <link
            linkend="HDRWQ25">Enabling AFS Login on AIX Systems</link>. Otherwise, proceed to <link linkend="HDRWQ50">Starting the
            BOS Server</link>.</para>
          </listitem>
        </orderedlist></para>

      <indexterm>
        <primary>enabling AFS login</primary>

        <secondary>file server machine</secondary>

        <tertiary>AIX</tertiary>
      </indexterm>

      <indexterm>
        <primary>AFS login</primary>

        <secondary>on file server machine</secondary>

        <tertiary>AIX</tertiary>
      </indexterm>

      <indexterm>
        <primary>first AFS machine</primary>

        <secondary>AFS login</secondary>

        <tertiary>on AIX</tertiary>
      </indexterm>

      <indexterm>
        <primary>AIX</primary>

        <secondary>AFS login</secondary>

        <tertiary>on file server machine</tertiary>
      </indexterm>

      <indexterm>
        <primary>secondary authentication system (AIX)</primary>

        <secondary>server machine</secondary>
      </indexterm>
    </sect2>

    <sect2 id="HDRWQ25">
      <title>Enabling AFS Login on AIX Systems</title>

      <note>
        <para>If you plan to remove client functionality from this machine after completing the installation, skip this section and
        proceed to <link linkend="HDRWQ50">Starting the BOS Server</link>.</para>
      </note>

      <para>In modern AFS installations, you should be using Kerberos v5
      for user login, and obtaining AFS tokens following this authentication
      step.</para>
      
      <para>There are currently no instructions available on configuring AIX to
      automatically obtain AFS tokens at login. Following login, users can 
      obtain tokens by running the <emphasis role="bold">aklog</emphasis> 
      command</para>
     
      <para>Sites which still require <emphasis role="bold">kaserver</emphasis>
      or external Kerberos v4 authentication should consult 
      <link linkend="KAS012">Enabling kaserver based AFS login on AIX systems</link>
      for details of how to enable AIX login.</para>
      
      <para>Proceed to <link linkend="HDRWQ50">Starting the BOS Server</link> 
      (or if referring to these instructions while installing an additional 
      file server machine, return to <link linkend="HDRWQ108">Starting Server
      Programs</link>).</para>
    </sect2>
  </sect1>

  <sect1 id="HDRWQ36">
    <title>Getting Started on IRIX Systems</title>

    <indexterm>
      <primary>incorporating AFS kernel extensions</primary>

      <secondary>first AFS machine</secondary>

      <tertiary>IRIX</tertiary>
    </indexterm>

    <indexterm>
      <primary>AFS kernel extensions</primary>

      <secondary>on first AFS machine</secondary>

      <tertiary>IRIX</tertiary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>AFS kernel extensions</secondary>

      <tertiary>on IRIX</tertiary>
    </indexterm>

    <indexterm>
      <primary>replacing fsck program</primary>

      <secondary>not necessary on IRIX</secondary>
    </indexterm>

    <indexterm>
      <primary>fsck program</primary>

      <secondary>on first AFS machine</secondary>

      <tertiary>IRIX</tertiary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>fsck program</secondary>

      <tertiary>on IRIX</tertiary>
    </indexterm>

    <indexterm>
      <primary>IRIX</primary>

      <secondary>fsck program replacement not necessary</secondary>
    </indexterm>

    <para>To incorporate AFS into the kernel on IRIX systems, choose one of two methods: <itemizedlist>
        <listitem>
          <para>Run the AFS initialization script to invoke the <emphasis role="bold">ml</emphasis> program distributed by Silicon
          Graphics, Incorporated (SGI), which dynamically loads AFS modifications into the kernel</para>
        </listitem>

        <listitem>
          <para>Build a new static kernel</para>
        </listitem>
      </itemizedlist></para>

    <para>Then create partitions for storing AFS volumes. You do not need to replace the IRIX <emphasis role="bold">fsck</emphasis>
    program because SGI has already modified it to handle AFS volumes properly. If the machine is to remain an AFS client machine,
    verify that the IRIX login utility installed on the machine grants an AFS token.</para>

    <para>In preparation for either dynamic loading or kernel building, perform the following procedures: <orderedlist>
        <listitem>
          <para>Unpack the OpenAFS IRIX distribution tarball. The examples
          below assume that you have unpacked the files into the 
          <emphasis role="bold">/tmp/afsdist</emphasis> directory. If you
          pick a different location, substitue this in all of the following
          examples. Once you have unpacked the distribution, change directory
          as indicated.
<programlisting>
   # <emphasis role="bold">cd  /tmp/afsdist/sgi_65/dest/root.client</emphasis>
</programlisting></para>
        </listitem>

        <listitem>
          <para>Copy the AFS initialization script to the local directory for initialization files (by convention, <emphasis
          role="bold">/etc/init.d</emphasis> on IRIX machines). Note the removal of the <emphasis role="bold">.rc</emphasis>
          extension as you copy the script. <programlisting>
   # <emphasis role="bold">cp -p   usr/vice/etc/afs.rc  /etc/init.d/afs</emphasis>
</programlisting></para>
        </listitem>

        <listitem>
          <para>Issue the <emphasis role="bold">uname -m</emphasis> command to determine the machine's CPU board type. The <emphasis
          role="bold">IP</emphasis><replaceable>xx</replaceable> value in the output must match one of the supported CPU board types
          listed in the <emphasis>OpenAFS Release Notes</emphasis> for the current version of AFS. <programlisting>
   # <emphasis role="bold">uname -m</emphasis>
</programlisting></para>
        </listitem>

        <listitem>
          <para>Proceed to either <link linkend="HDRWQ37">Loading AFS into the IRIX Kernel</link> or <link
          linkend="HDRWQ38">Building AFS into the IRIX Kernel</link>.</para>
        </listitem>
      </orderedlist></para>

    <indexterm>
      <primary>IRIX</primary>

      <secondary>AFS kernel extensions</secondary>

      <tertiary>on first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>afsml variable (IRIX)</primary>

      <secondary>first AFS machine</secondary>
    </indexterm>

    <indexterm>
      <primary>variables</primary>

      <secondary>afsml (IRIX)</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>IRIX</primary>

      <secondary>afsml variable</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>afsxnfs variable (IRIX)</primary>

      <secondary>first AFS machine</secondary>
    </indexterm>

    <indexterm>
      <primary>variables</primary>

      <secondary>afsxnfs (IRIX)</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>IRIX</primary>

      <secondary>afsxnfs variable</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <sect2 id="HDRWQ37">
      <title>Loading AFS into the IRIX Kernel</title>

      <para>The <emphasis role="bold">ml</emphasis> program is the dynamic kernel loader provided by SGI for IRIX systems. If you
      use it rather than building AFS modifications into a static kernel, then for AFS to function correctly the <emphasis
      role="bold">ml</emphasis> program must run each time the machine reboots. Therefore, the AFS initialization script (included
      on the AFS CD-ROM) invokes it automatically when the <emphasis role="bold">afsml</emphasis> configuration variable is
      activated. In this section you activate the variable and run the script.</para>

      <para>In later sections you verify that the script correctly initializes all AFS components, then create the links that
      incorporate AFS into the IRIX startup and shutdown sequence. <orderedlist>
          <listitem>
            <para>Create the local <emphasis role="bold">/usr/vice/etc/sgiload</emphasis> directory to house the AFS kernel library
            file. <programlisting>
   # <emphasis role="bold">mkdir /usr/vice/etc/sgiload</emphasis>
</programlisting></para>
          </listitem>

          <listitem>
            <para>Copy the appropriate AFS kernel library file to the <emphasis role="bold">/usr/vice/etc/sgiload</emphasis>
            directory. The <emphasis role="bold">IP</emphasis><replaceable>xx</replaceable> portion of the library file name must
            match the value previously returned by the <emphasis role="bold">uname -m</emphasis> command. Also choose the file
            appropriate to whether the machine's kernel supports NFS server functionality (NFS must be supported for the machine to
            act as an NFS/AFS Translator). Single- and multiprocessor machines use the same library file.</para>

            <para>(You can choose to copy all of the kernel library files into the <emphasis
            role="bold">/usr/vice/etc/sgiload</emphasis> directory, but they require a significant amount of space.)</para>

            <para>If the machine's kernel supports NFS server functionality:</para>

            <programlisting>
   # <emphasis role="bold">cp -p  usr/vice/etc/sgiload/libafs.IP</emphasis><replaceable>xx</replaceable><emphasis role="bold">.o  /usr/vice/etc/sgiload</emphasis>   
</programlisting>

            <para>If the machine's kernel does not support NFS server functionality:</para>

            <programlisting>
   # <emphasis role="bold">cp -p  usr/vice/etc/sgiload/libafs.IP</emphasis><replaceable>xx</replaceable><emphasis role="bold">.nonfs.o</emphasis>   \
                   <emphasis role="bold">/usr/vice/etc/sgiload</emphasis>
</programlisting>
          </listitem>

          <listitem>
            <para>Issue the <emphasis role="bold">chkconfig</emphasis> command to activate the <emphasis
            role="bold">afsml</emphasis> configuration variable. <programlisting>
   # <emphasis role="bold">/etc/chkconfig -f afsml on</emphasis>   
</programlisting></para>

            <para>If the machine is to function as an NFS/AFS Translator and the kernel supports NFS server functionality, activate
            the <emphasis role="bold">afsxnfs</emphasis> variable.</para>

            <programlisting>
   # <emphasis role="bold">/etc/chkconfig -f afsxnfs on</emphasis>
</programlisting>
          </listitem>

          <listitem>
            <para>Run the <emphasis role="bold">/etc/init.d/afs</emphasis> script to load AFS extensions into the kernel. The script
            invokes the <emphasis role="bold">ml</emphasis> command, automatically determining which kernel library file to use
            based on this machine's CPU type and the activation state of the <emphasis role="bold">afsxnfs</emphasis>
            variable.</para>

            <para>You can ignore any error messages about the inability to start the BOS Server or the Cache Manager or AFS
            client.</para>

            <programlisting>
   # <emphasis role="bold">/etc/init.d/afs start</emphasis>
</programlisting>
          </listitem>

          <listitem>
            <para>Proceed to <link linkend="HDRWQ39">Configuring Server Partitions on IRIX Systems</link>.</para>
          </listitem>
        </orderedlist></para>

      <indexterm>
        <primary>IRIX</primary>

        <secondary>AFS-modified kernel</secondary>

        <tertiary>on first AFS machine</tertiary>
      </indexterm>
    </sect2>

    <sect2 id="HDRWQ38">
      <title>Building AFS into the IRIX Kernel</title>

      <para>Use the following instructions to build AFS modifications into the kernel on an IRIX system. <orderedlist>
          <listitem>
            <para>Copy the kernel initialization file <emphasis role="bold">afs.sm</emphasis> to the local <emphasis
            role="bold">/var/sysgen/system</emphasis> directory, and the kernel master file <emphasis role="bold">afs</emphasis> to
            the local <emphasis role="bold">/var/sysgen/master.d</emphasis> directory. <programlisting>
   # <emphasis role="bold">cp -p  bin/afs.sm  /var/sysgen/system</emphasis>
   # <emphasis role="bold">cp -p  bin/afs  /var/sysgen/master.d</emphasis>
</programlisting></para>
          </listitem>

          <listitem>
            <para>Copy the appropriate AFS kernel library file to the local file <emphasis
            role="bold">/var/sysgen/boot/afs.a</emphasis>; the <emphasis role="bold">IP</emphasis><replaceable>xx</replaceable>
            portion of the library file name must match the value previously returned by the <emphasis role="bold">uname
            -m</emphasis> command. Also choose the file appropriate to whether the machine's kernel supports NFS server
            functionality (NFS must be supported for the machine to act as an NFS/AFS Translator). Single- and multiprocessor
            machines use the same library file.</para>

            <para>If the machine's kernel supports NFS server functionality:</para>

            <programlisting>
   # <emphasis role="bold">cp -p   bin/libafs.IP</emphasis><replaceable>xx</replaceable><emphasis role="bold">.a   /var/sysgen/boot/afs.a</emphasis>   
</programlisting>

            <para>If the machine's kernel does not support NFS server functionality:</para>

            <programlisting>
   # <emphasis role="bold">cp -p  bin/libafs.IP</emphasis><replaceable>xx</replaceable><emphasis role="bold">.nonfs.a  /var/sysgen/boot/afs.a</emphasis>
</programlisting>
          </listitem>

          <listitem>
            <para>Issue the <emphasis role="bold">chkconfig</emphasis> command to deactivate the <emphasis
            role="bold">afsml</emphasis> configuration variable. <programlisting>
   # <emphasis role="bold">/etc/chkconfig -f afsml off</emphasis>   
</programlisting></para>

            <para>If the machine is to function as an NFS/AFS Translator and the kernel supports NFS server functionality, activate
            the <emphasis role="bold">afsxnfs</emphasis> variable.</para>

            <programlisting>
   # <emphasis role="bold">/etc/chkconfig -f afsxnfs on</emphasis>
</programlisting>
          </listitem>

          <listitem>
            <para>Copy the existing kernel file, <emphasis role="bold">/unix</emphasis>, to a safe location. Compile the new kernel,
            which is created in the file <emphasis role="bold">/unix.install</emphasis>. It overwrites the existing <emphasis
            role="bold">/unix</emphasis> file when the machine reboots in the next step. <programlisting>
   # <emphasis role="bold">cp /unix /unix_noafs</emphasis>
   # <emphasis role="bold">autoconfig</emphasis>
</programlisting></para>
          </listitem>

          <listitem>
            <para>Reboot the machine to start using the new kernel, and login again as the superuser <emphasis
            role="bold">root</emphasis>. <programlisting>
   # <emphasis role="bold">cd /</emphasis>
   # <emphasis role="bold">shutdown -i6 -g0 -y</emphasis>
   login: <emphasis role="bold">root</emphasis>
   Password: <replaceable>root_password</replaceable>
</programlisting></para>
          </listitem>
        </orderedlist></para>

      <indexterm>
        <primary>configuring</primary>

        <secondary>AFS server partition on first AFS machine</secondary>

        <tertiary>IRIX</tertiary>
      </indexterm>

      <indexterm>
        <primary>AFS server partition</primary>

        <secondary>configuring on first AFS machine</secondary>

        <tertiary>IRIX</tertiary>
      </indexterm>

      <indexterm>
        <primary>first AFS machine</primary>

        <secondary>AFS server partition</secondary>

        <tertiary>on IRIX</tertiary>
      </indexterm>

      <indexterm>
        <primary>IRIX</primary>

        <secondary>AFS server partition</secondary>

        <tertiary>on first AFS machine</tertiary>
      </indexterm>
    </sect2>

    <sect2 id="HDRWQ39">
      <title>Configuring Server Partitions on IRIX Systems</title>

      <para>Every AFS file server machine must have at least one partition or logical volume dedicated to storing AFS volumes. Each
      server partition is mounted at a directory named <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable>, where
      <replaceable>xx</replaceable> is one or two lowercase letters. The <emphasis
      role="bold">/vicep</emphasis><replaceable>xx</replaceable> directories must reside in the file server machine's root
      directory, not in one of its subdirectories (for example, <emphasis role="bold">/usr/vicepa</emphasis> is not an acceptable
      directory location). For additional information, see <link linkend="HDRWQ20">Performing Platform-Specific
      Procedures</link>.</para>

      <para>AFS supports use of both EFS and XFS partitions for housing AFS volumes. SGI encourages use of XFS partitions.
      <orderedlist>
          <listitem>
            <para>Create a directory called <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable> for each AFS server
            partition you are configuring (there must be at least one). Repeat the command for each partition. <programlisting>
   # <emphasis role="bold">mkdir /vicep</emphasis><replaceable>xx</replaceable>
</programlisting></para>
          </listitem>

          <listitem>
            <para>Add a line with the following format to the file systems registry file, <emphasis
            role="bold">/etc/fstab</emphasis>, for each partition (or logical volume created with the XLV volume manager) to be
            mounted on one of the directories created in the previous step.</para>

            <para>For an XFS partition or logical volume:</para>

            <programlisting>
   /dev/dsk/<replaceable>disk</replaceable>  /vicep<replaceable>xx</replaceable>  xfs  rw,raw=/dev/rdsk/<replaceable>disk</replaceable>  0  0   
</programlisting>

            <para>For an EFS partition:</para>

            <programlisting>
   /dev/dsk/<replaceable>disk</replaceable>  /vicep<replaceable>xx</replaceable>  efs  rw,raw=/dev/rdsk/<replaceable>disk</replaceable>  0  0   
</programlisting>

            <para>The following are examples of an entry for each file system type:</para>

            <programlisting>
   /dev/dsk/dks0d2s6 /vicepa  xfs rw,raw=/dev/rdsk/dks0d2s6  0 0
   /dev/dsk/dks0d3s1 /vicepb  efs rw,raw=/dev/rdsk/dks0d3s1  0 0
</programlisting>
          </listitem>

          <listitem>
            <para>Create a file system on each partition that is to be mounted on a <emphasis
            role="bold">/vicep</emphasis><replaceable>xx</replaceable> directory. The following commands are probably appropriate,
            but consult the IRIX documentation for more information. In both cases, <replaceable>raw_device</replaceable> is a raw
            device name like <emphasis role="bold">/dev/rdsk/dks0d0s0</emphasis> for a single disk partition or <emphasis
            role="bold">/dev/rxlv/xlv0</emphasis> for a logical volume.</para>

            <para>For XFS file systems, include the indicated options to configure the partition or logical volume with inodes large
            enough to accommodate AFS-specific information:</para>

            <programlisting>
   # <emphasis role="bold">mkfs -t xfs -i size=512 -l size=4000b</emphasis> <replaceable>raw_device</replaceable>   
</programlisting>

            <para>For EFS file systems:</para>

            <programlisting>
   # <emphasis role="bold">mkfs -t efs</emphasis> <replaceable>raw_device</replaceable>
</programlisting>
          </listitem>

          <listitem>
            <para>Mount each partition by issuing either the <emphasis role="bold">mount -a</emphasis> command to mount all
            partitions at once or the <emphasis role="bold">mount</emphasis> command to mount each partition in turn.</para>
          </listitem>

          <listitem>
            <para><emphasis role="bold">(Optional)</emphasis> If you have configured partitions or logical volumes to use XFS, issue
            the following command to verify that the inodes are configured properly (are large enough to accommodate AFS-specific
            information). If the configuration is correct, the command returns no output. Otherwise, it specifies the command to run
            in order to configure each partition or logical volume properly. <programlisting>
   # <emphasis role="bold">/usr/afs/bin/xfs_size_check</emphasis>
</programlisting></para>
          </listitem>

          <listitem>
            <para>If you plan to retain client functionality on this machine after completing the installation, proceed to <link
            linkend="HDRWQ40">Enabling AFS Login on IRIX Systems</link>. Otherwise, proceed to <link linkend="HDRWQ50">Starting the
            BOS Server</link>.</para>
          </listitem>
        </orderedlist></para>

      <indexterm>
        <primary>enabling AFS login</primary>

        <secondary>file server machine</secondary>

        <tertiary>IRIX</tertiary>
      </indexterm>

      <indexterm>
        <primary>AFS login</primary>

        <secondary>on file server machine</secondary>

        <tertiary>IRIX</tertiary>
      </indexterm>

      <indexterm>
        <primary>first AFS machine</primary>

        <secondary>AFS login</secondary>

        <tertiary>on IRIX</tertiary>
      </indexterm>

      <indexterm>
        <primary>IRIX</primary>

        <secondary>AFS login</secondary>
      </indexterm>
    </sect2>

    <sect2 id="HDRWQ40">
      <title>Enabling AFS Login on IRIX Systems</title>

      <note>
        <para>If you plan to remove client functionality from this machine after completing the installation, skip this section and
        proceed to <link linkend="HDRWQ50">Starting the BOS Server</link>.</para>
      </note>

      <para>Whilst the standard IRIX command-line 
      <emphasis role="bold">login</emphasis> program and the 
      graphical <emphasis role="bold">xdm</emphasis> login program both have
      the ability to grant AFS tokens, this ability relies upon the deprecated
      kaserver authentication system.</para>
        
      <para>Users who have been successfully authenticated via Kerberos 5
      authentication may obtain AFS tokens following login by running the
      <emphasis role="bold">aklog</emphasis> command.</para>

      <para>Sites which still require <emphasis role="bold">kaserver</emphasis>
      or external Kerberos v4 authentication should consult 
      <link linkend="KAS014">Enabling kaserver based AFS Login on IRIX Systems</link>
      for details of how to enable IRIX login.</para>       

      <para>After taking any necessary action, proceed to 
      <link linkend="HDRWQ50">Starting the BOS Server</link>.</para>
    </sect2>
  </sect1>

  <sect1 id="HDRWQ41">
    <title>Getting Started on Linux Systems</title>

    <indexterm>
      <primary>replacing fsck program</primary>

      <secondary>not necessary on Linux</secondary>
    </indexterm>

    <indexterm>
      <primary>fsck program</primary>

      <secondary>on first AFS machine</secondary>

      <tertiary>Linux</tertiary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>fsck program</secondary>

      <tertiary>on Linux</tertiary>
    </indexterm>

    <indexterm>
      <primary>Linux</primary>

      <secondary>fsck program replacement not necessary</secondary>
    </indexterm>

    <para>Since this guide was originally written, the procedure for starting 
    OpenAFS has diverged significantly between different Linux distributions. 
    The instructions that follow are appropriate for both the Fedora and 
    RedHat Enterprise Linux packages distributed by OpenAFS. Additional 
    instructions are provided for those building from source.</para>

    <para>Begin by running the AFS client startup scripts, which call the
    <emphasis role="bold">modprobe</emphasis> program to dynamically
    load the AFS modifications into the kernel. Then create partitions for
    storing AFS volumes. You do not need to replace the Linux <emphasis
    role="bold">fsck</emphasis> program. If the machine is to remain an
    AFS client machine, incorporate AFS into the machine's Pluggable
    Authentication Module (PAM) scheme. <indexterm>
        <primary>incorporating AFS kernel extensions</primary>

        <secondary>first AFS machine</secondary>

        <tertiary>Linux</tertiary>
      </indexterm> <indexterm>
        <primary>AFS kernel extensions</primary>

        <secondary>on first AFS machine</secondary>

        <tertiary>Linux</tertiary>
      </indexterm> <indexterm>
        <primary>first AFS machine</primary>

        <secondary>AFS kernel extensions</secondary>

        <tertiary>on Linux</tertiary>
      </indexterm> <indexterm>
        <primary>Linux</primary>

        <secondary>AFS kernel extensions</secondary>

        <tertiary>on first AFS machine</tertiary>
      </indexterm></para>

    <sect2 id="HDRWQ42">
      <title>Loading AFS into the Linux Kernel</title>

      <para>The <emphasis role="bold">modprobe</emphasis> program is the dynamic kernel loader for Linux. Linux does not support
      incorporation of AFS modifications during a kernel build.</para>

      <para>For AFS to function correctly, the <emphasis role="bold">modprobe</emphasis> program must run each time the machine
      reboots, so your distribution's AFS initialization script invokes it automatically. The script also includes
      commands that select the appropriate AFS library file automatically. In this section you run the script.</para>

      <para>In later sections you verify that the script correctly initializes all AFS components, then activate a configuration
      variable, which results in the script being incorporated into the Linux startup and shutdown sequence.</para> 
      
      <para>The procedure for starting up OpenAFS depends upon your distribution</para>
      <sect3>
        <title>Fedora and RedHat Enterprise Linux</title>
        <para>OpenAFS provides RPMS for all current Fedora and RedHat Enterprise Linux (RHEL) releases on the OpenAFS web site and the OpenAFS yum repository.
        <orderedlist>
          <listitem>
            <para>Browse to
            http://dl.openafs.org/dl/openafs/<replaceable>VERSION</replaceable>,
            where VERSION is the latest stable release of
            OpenAFS. Download the
            openafs-repository-<replaceable>VERSION</replaceable>.noarch.rpm
            file for Fedora systems or the
            openafs-repository-rhel-<replaceable>VERSION</replaceable>.noarch.rpm
            file for RedHat-based systems.
            </para>
          </listitem>
          <listitem>
            <para>Install the downloaded RPM file using the following command:
              <programlisting>
                # rpm -U openafs-repository*.rpm
              </programlisting>
            </para>
          </listitem>
          <listitem>
            <para>Install the RPM set for your operating system using the yum command as follows:
              <programlisting>
                # yum -y install openafs-client openafs-server openafs-krb5 kmod-openafs
              </programlisting>

            </para>
            <para>Alternatively, you may use dynamically-compiled kernel
              modules if you have the kernel headers, a compiler, and the
              dkms package from
              <ulink url="http://fedoraproject.org/wiki/EPEL"><citetitle>EPEL</citetitle></ulink> installed. 

            </para>
            <para>To use dynamically-compiled kernel modules instead of statically compiled modules, use the following command instead of the kmod-openafs as shown above:
              <programlisting>
                # yum install openafs-client openafs-server openafs-krb5 dkms-openafs
              </programlisting>
            </para>
          </listitem>
<!-- If you do this with current RHEL and Fedora releases you end up with
     a dynroot'd client running - this breaks setting up the root.afs volume
     as described later in this guide
          <listitem>
            <para>Run the AFS initialization script to load AFS extensions into 
            the kernel. You can ignore any error messages about the inability 
            to start the BOS Server or the Cache Manager or AFS client.</para>
<programlisting>
   # <emphasis role="bold">/etc/rc.d/init.d/openafs-client  start</emphasis>
</programlisting>
          </listitem>
-->
        </orderedlist>
      </para>
      </sect3>
      <sect3>
         <title>Systems packaged as tar files</title>
         <para>If you are running a system where the OpenAFS Binary Distribution
         is provided as a tar file, or where you have built the system from
         source yourself, you need to install the relevant components by hand
         </para>
         <orderedlist>
           
          <listitem>
            <para>Unpack the distribution tarball. The examples below assume
            that you have unpacked the files into the
            <emphasis role="bold">/tmp/afsdist</emphasis> directory. If you
            pick a different location, substitute this in all of the following
            examples. Once you have unpacked the distribution,
            change directory as indicated.
<programlisting>
  # <emphasis role="bold">cd /tmp/afsdist/linux/dest/root.client/usr/vice/etc</emphasis>
</programlisting></para>
          </listitem>
          
          <listitem>
            <para>Copy the AFS kernel library files to the local <emphasis role="bold">/usr/vice/etc/modload</emphasis> directory.
            The filenames for the libraries have the format <emphasis
            role="bold">libafs-</emphasis><replaceable>version</replaceable><emphasis role="bold">.o</emphasis>, where
            <replaceable>version</replaceable> indicates the kernel build level. The string <emphasis role="bold">.mp</emphasis> in
            the <replaceable>version</replaceable> indicates that the file is appropriate for machines running a multiprocessor
            kernel. <programlisting>
   # <emphasis role="bold">cp -rp  modload  /usr/vice/etc</emphasis>
</programlisting></para>
          </listitem>

          <listitem>
            <para>Copy the AFS initialization script to the local directory for initialization files (by convention, <emphasis
            role="bold">/etc/rc.d/init.d</emphasis> on Linux machines). Note the removal of the <emphasis role="bold">.rc</emphasis>
            extension as you copy the script. <programlisting>
   # <emphasis role="bold">cp -p   afs.rc  /etc/rc.d/init.d/afs</emphasis> 
</programlisting></para>
          </listitem>

<!-- I don't think we need to do this for Linux, and it complicates things if
     dynroot is enabled ...
          <listitem>
            <para>Run the AFS initialization script to load AFS extensions into the kernel. You can ignore any error messages about
            the inability to start the BOS Server or the Cache Manager or AFS client.</para>
<programlisting>
   # <emphasis role="bold">/etc/rc.d/init.d/afs start</emphasis>
</programlisting>
          </listitem>
-->
        </orderedlist>

      <indexterm>
        <primary>configuring</primary>
   
        <secondary>AFS server partition on first AFS machine</secondary>

        <tertiary>Linux</tertiary>
      </indexterm>

      <indexterm>
        <primary>AFS server partition</primary>

        <secondary>configuring on first AFS machine</secondary>

        <tertiary>Linux</tertiary>
      </indexterm>

      <indexterm>
        <primary>first AFS machine</primary>

        <secondary>AFS server partition</secondary>

        <tertiary>on Linux</tertiary>
      </indexterm>

      <indexterm>
        <primary>Linux</primary>

        <secondary>AFS server partition</secondary>

        <tertiary>on first AFS machine</tertiary>
      </indexterm>
    </sect3>
    </sect2>

    <sect2 id="HDRWQ43">
      <title>Configuring Server Partitions on Linux Systems</title>

      <para>Every AFS file server machine must have at least one partition or logical volume dedicated to storing AFS volumes. Each
      server partition is mounted at a directory named <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable>, where
      <replaceable>xx</replaceable> is one or two lowercase letters. The <emphasis
      role="bold">/vicep</emphasis><replaceable>xx</replaceable> directories must reside in the file server machine's root
      directory, not in one of its subdirectories (for example, <emphasis role="bold">/usr/vicepa</emphasis> is not an acceptable
      directory location). For additional information, see <link linkend="HDRWQ20">Performing Platform-Specific Procedures</link>.
      <orderedlist>
          <listitem>
            <para>Create a directory called <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable> for each AFS server
            partition you are configuring (there must be at least one). Repeat the command for each partition. <programlisting>
   # <emphasis role="bold">mkdir /vicep</emphasis><replaceable>xx</replaceable>
</programlisting></para>
          </listitem>

          <listitem>
            <para>Add a line with the following format to the file systems registry file, <emphasis
            role="bold">/etc/fstab</emphasis>, for each directory just created. The entry maps the directory name to the disk
            partition to be mounted on it. <programlisting>
   /dev/<replaceable>disk</replaceable>  /vicep<replaceable>xx</replaceable>  ext2  defaults  0  2   
</programlisting></para>

            <para>The following is an example for the first partition being configured.</para>

            <programlisting>
   /dev/sda8 /vicepa ext2 defaults 0 2
</programlisting>
          </listitem>

          <listitem>
            <para>Create a file system on each partition that is to be mounted at a <emphasis
            role="bold">/vicep</emphasis><replaceable>xx</replaceable> directory. The following command is probably appropriate, but
            consult the Linux documentation for more information. <programlisting>
   # <emphasis role="bold">mkfs -v /dev/</emphasis><replaceable>disk</replaceable>
</programlisting></para>
          </listitem>

          <listitem>
            <para>Mount each partition by issuing either the <emphasis role="bold">mount -a</emphasis> command to mount all
            partitions at once or the <emphasis role="bold">mount</emphasis> command to mount each partition in turn.</para>
          </listitem>

          <listitem>
            <para>If you plan to retain client functionality on this machine after completing the installation, proceed to <link
            linkend="HDRWQ44">Enabling AFS Login on Linux Systems</link>. Otherwise, proceed to <link linkend="HDRWQ50">Starting the
            BOS Server</link>.</para>
          </listitem>
        </orderedlist></para>

      <indexterm>
        <primary>enabling AFS login</primary>

        <secondary>file server machine</secondary>

        <tertiary>Linux</tertiary>
      </indexterm>

      <indexterm>
        <primary>AFS login</primary>

        <secondary>on file server machine</secondary>

        <tertiary>Linux</tertiary>
      </indexterm>

      <indexterm>
        <primary>first AFS machine</primary>

        <secondary>AFS login</secondary>

        <tertiary>on Linux</tertiary>
      </indexterm>

      <indexterm>
        <primary>Linux</primary>

        <secondary>AFS login</secondary>

        <tertiary>on file server machine</tertiary>
      </indexterm>

      <indexterm>
        <primary>PAM</primary>

        <secondary>on Linux</secondary>

        <tertiary>file server machine</tertiary>
      </indexterm>
    </sect2>

    <sect2 id="HDRWQ44">
      <title>Enabling AFS Login on Linux Systems</title>

      <note>
        <para>If you plan to remove client functionality from this machine
        after completing the installation, skip this section and proceed
        to <link linkend="HDRWQ50">Starting the BOS Server</link>.</para>
      </note>

      <para>At this point you incorporate AFS into the operating system's
      Pluggable Authentication Module (PAM) scheme.  PAM integrates all
      authentication mechanisms on the machine, including login, to provide
      the security infrastructure for authenticated access to and from the
      machine.</para>

      <para>You should first configure your system to obtain Kerberos v5
      tickets as part of the authentication process, and then run an AFS PAM
      module to obtain tokens from those tickets after authentication.  Many
      Linux distributions come with a Kerberos v5 PAM module (usually called
      pam-krb5 or pam_krb5), or you can download and install <ulink
      url="http://www.eyrie.org/~eagle/software/pam-krb5">Russ Allbery's
      Kerberos v5 PAM module</ulink>, which is tested regularly with AFS.
      See the instructions of whatever PAM module you use for how to
      configure it.</para>

      <para>Some Kerberos v5 PAM modules do come with native AFS support
      (usually requiring the Heimdal Kerberos implementation rather than the
      MIT Kerberos implementation).  If you are using one of those PAM
      modules, you can configure it to obtain AFS tokens.  It's more common,
      however, to separate the AFS token acquisition into a separate PAM
      module.</para>

      <para>The recommended AFS PAM module is <ulink
      url="http://www.eyrie.org/~eagle/software/pam-afs-session/">Russ
      Allbery's pam-afs-session module</ulink>.  It should work with any of
      the Kerberos v5 PAM modules.  To add it to the PAM configuration, you
      often only need to add configuration to the session group:</para>

      <example>
        <title>Linux PAM session example</title>
        <literallayout>session  required  pam_afs_session.so</literallayout>
      </example>

      <para>If you also want to obtain AFS tokens for <command>scp</command>
      and similar commands that don't open a session, you will also need to
      add the AFS PAM module to the auth group so that the PAM
      <function>setcred</function> call will obtain tokens.  The
      <literal>pam_afs_session</literal> module will always return success
      for authentication so that it can be added to the auth group only for
      <function>setcred</function>, so make sure that it's not marked as
      <literal>sufficient</literal>.</para>

      <example>
        <title>Linux PAM auth example</title>
<literallayout>auth  [success=ok default=1]  pam_krb5.so
auth  [default=done]          pam_afs_session.so
auth  required                pam_unix.so try_first_pass</literallayout>
      </example>

      <para>This example will work if you want to try Kerberos v5 first and
      then fall back to regular Unix authentication.
      <literal>success=ok</literal> for the Kerberos PAM module followed by
      <literal>default=done</literal> for the AFS PAM module will cause a
      successful Kerberos login to run the AFS PAM module and then skip the
      Unix authentication module.  <literal>default=1</literal> on the
      Kerberos PAM module causes failure of that module to skip the next
      module (the AFS PAM module) and fall back to the Unix module.  If you
      want to try Unix authentication first and rearrange the order, be sure
      to use <literal>default=die</literal> instead.</para>

      <para>The PAM configuration is stored in different places in different
      Linux distributions.  On Red Hat, look in
      <filename>/etc/pam.d/system-auth</filename>.  On Debian and
      derivatives, look in <filename>/etc/pam.d/common-session</filename>
      and <filename>/etc/pam.d/common-auth</filename>.</para>

      <para>For additional configuration examples and the configuration
      options of the AFS PAM module, see its documentation.  For more
      details on the available options for the PAM configuration, see the
      Linux PAM documentation.</para>

      <para>Sites which still require <command>kaserver</command> or
      external Kerberos v4 authentication should consult <link
      linkend="KAS015">Enabling kaserver based AFS Login on Linux
      Systems</link> for details of how to enable AFS login on Linux.</para>
      
      <para>Proceed to <link linkend="HDRWQ50">Starting the BOS
      Server</link> (or if referring to these instructions while installing
      an additional file server machine, return to <link
      linkend="HDRWQ108">Starting Server Programs</link>).</para>
    </sect2>
  </sect1>

  <sect1 id="HDRWQ45">
    <title>Getting Started on Solaris Systems</title>

    <para>Begin by running the AFS initialization script to call the <emphasis role="bold">modload</emphasis> program distributed by
    Sun Microsystems, which dynamically loads AFS modifications into the kernel. Then create partitions for storing AFS volumes, and
    install and configure the AFS-modified <emphasis role="bold">fsck</emphasis> program to run on AFS server partitions. If the
    machine is to remain an AFS client machine, incorporate AFS into the machine's Pluggable Authentication Module (PAM) scheme.
    <indexterm>
        <primary>incorporating AFS kernel extensions</primary>

        <secondary>first AFS machine</secondary>

        <tertiary>Solaris</tertiary>
      </indexterm> <indexterm>
        <primary>AFS kernel extensions</primary>

        <secondary>on first AFS machine</secondary>

        <tertiary>Solaris</tertiary>
      </indexterm> <indexterm>
        <primary>first AFS machine</primary>

        <secondary>AFS kernel extensions</secondary>

        <tertiary>on Solaris</tertiary>
      </indexterm> <indexterm>
        <primary>Solaris</primary>

        <secondary>AFS kernel extensions</secondary>

        <tertiary>on first AFS machine</tertiary>
      </indexterm></para>

    <sect2 id="HDRWQ46">
      <title>Loading AFS into the Solaris Kernel</title>

      <para>The <emphasis role="bold">modload</emphasis> program is the dynamic kernel loader provided by Sun Microsystems for
      Solaris systems. Solaris does not support incorporation of AFS modifications during a kernel build.</para>

      <para>For AFS to function correctly, the <emphasis role="bold">modload</emphasis> program must run each time the machine
      reboots, so the AFS initialization script (included on the AFS CD-ROM) invokes it automatically. In this section you copy the
      appropriate AFS library file to the location where the <emphasis role="bold">modload</emphasis> program accesses it and then
      run the script.</para>

      <para>In later sections you verify that the script correctly initializes all AFS components, then create the links that
      incorporate AFS into the Solaris startup and shutdown sequence. <orderedlist>
          <listitem>
            <para>Unpack the OpenAFS Solaris distribution tarball. The examples
            below assume that you have unpacked the files into the 
            <emphasis role="bold">/tmp/afsdist</emphasis> directory. If you 
            pick a diferent location, substitute this in all of the following
            exmaples. Once you have unpacked the distribution, change directory
            as indicated. 
<programlisting>
   # <emphasis role="bold">cd  /tmp/afsdist/sun4x_56/dest/root.client/usr/vice/etc</emphasis>
</programlisting></para>
          </listitem>

          <listitem>
            <para>Copy the AFS initialization script to the local directory for initialization files (by convention, <emphasis
            role="bold">/etc/init.d</emphasis> on Solaris machines). Note the removal of the <emphasis role="bold">.rc</emphasis>
            extension as you copy the script. <programlisting>
   # <emphasis role="bold">cp -p  afs.rc  /etc/init.d/afs</emphasis>
</programlisting></para>
          </listitem>

          <listitem>
            <para>Copy the appropriate AFS kernel library file to the local file <emphasis
            role="bold">/kernel/fs/afs</emphasis>.</para>

            <para>If the machine is running Solaris 11 on the x86_64 platform:</para>

            <programlisting>
   # <emphasis role="bold">cp -p modload/libafs64.o /kernel/drv/amd64/afs</emphasis>
</programlisting>

            <para>If the machine is running Solaris 10 on the x86_64 platform:</para>

            <programlisting>
   # <emphasis role="bold">cp -p modload/libafs64.o /kernel/fs/amd64/afs</emphasis>
</programlisting>

            <para>If the machine is running Solaris 2.6 or the 32-bit version of Solaris 7, its kernel supports NFS server
            functionality, and the <emphasis role="bold">nfsd</emphasis> process is running:</para>

            <programlisting>
   # <emphasis role="bold">cp -p modload/libafs.o /kernel/fs/afs</emphasis>   
</programlisting>

            <para>If the machine is running Solaris 2.6 or the 32-bit version of Solaris 7, and its kernel does not support NFS
            server functionality or the <emphasis role="bold">nfsd</emphasis> process is not running:</para>

            <programlisting>
   # <emphasis role="bold">cp -p modload/libafs.nonfs.o /kernel/fs/afs</emphasis>   
</programlisting>

            <para>If the machine is running the 64-bit version of Solaris 7, its kernel supports NFS server functionality, and the
            <emphasis role="bold">nfsd</emphasis> process is running:</para>

            <programlisting>
   # <emphasis role="bold">cp -p modload/libafs64.o /kernel/fs/sparcv9/afs</emphasis>   
</programlisting>

            <para>If the machine is running the 64-bit version of Solaris 7, and its kernel does not support NFS server
            functionality or the <emphasis role="bold">nfsd</emphasis> process is not running:</para>

            <programlisting>
   # <emphasis role="bold">cp -p modload/libafs64.nonfs.o /kernel/fs/sparcv9/afs</emphasis>
</programlisting>
          </listitem>

          <listitem>
            <para>Run the AFS initialization script to load AFS modifications into the kernel. You can ignore any error messages
            about the inability to start the BOS Server or the Cache Manager or AFS client. <programlisting>
   # <emphasis role="bold">/etc/init.d/afs start</emphasis>   
</programlisting></para>

            <para>When an entry called <computeroutput>afs</computeroutput> does not already exist in the local <emphasis
            role="bold">/etc/name_to_sysnum</emphasis> file, the script automatically creates it and reboots the machine to start
            using the new version of the file. If this happens, log in again as the superuser <emphasis role="bold">root</emphasis>
            after the reboot and run the initialization script again. This time the required entry exists in the <emphasis
            role="bold">/etc/name_to_sysnum</emphasis> file, and the <emphasis role="bold">modload</emphasis> program runs.</para>

            <programlisting>
   login: <emphasis role="bold">root</emphasis>
   Password: <replaceable>root_password</replaceable>
   # <emphasis role="bold">/etc/init.d/afs start</emphasis>
</programlisting>
          </listitem>
        </orderedlist></para>

      <indexterm>
        <primary>replacing fsck program</primary>

        <secondary>first AFS machine</secondary>

        <tertiary>Solaris</tertiary>
      </indexterm>

      <indexterm>
        <primary>fsck program</primary>

        <secondary>on first AFS machine</secondary>

        <tertiary>Solaris</tertiary>
      </indexterm>

      <indexterm>
        <primary>first AFS machine</primary>

        <secondary>fsck program</secondary>

        <tertiary>on Solaris</tertiary>
      </indexterm>

      <indexterm>
        <primary>Solaris</primary>

        <secondary>fsck program</secondary>

        <tertiary>on first AFS machine</tertiary>
      </indexterm>
    </sect2>

    <sect2 id="HDRWQ47">
      <title>Configuring the AFS-modified fsck Program on Solaris Systems</title>

      <para>In this section, you make modifications to guarantee that the appropriate <emphasis role="bold">fsck</emphasis> program
      runs on AFS server partitions. The <emphasis role="bold">fsck</emphasis> program provided with the operating system must never
      run on AFS server partitions. Because it does not recognize the structures that the File Server uses to organize volume data,
      it removes all of the data. To repeat:</para>

      <para><emphasis role="bold">Never run the standard fsck program on AFS server partitions. It discards AFS volumes.</emphasis>
      <orderedlist>
          <listitem>
            <para>Create the <emphasis role="bold">/usr/lib/fs/afs</emphasis> directory to house the AFS-modified <emphasis
            role="bold">fsck</emphasis> program and related files. <programlisting>
   # <emphasis role="bold">mkdir /usr/lib/fs/afs</emphasis>
   # <emphasis role="bold">cd /usr/lib/fs/afs</emphasis>  
</programlisting></para>
          </listitem>

          <listitem>
            <para>Copy the <emphasis role="bold">vfsck</emphasis> binary to the newly created directory, changing the name as you do
            so. <programlisting>
   # <emphasis role="bold">cp  /tmp/afsdist/sun4x_56/dest/root.server/etc/vfsck  fsck</emphasis>
</programlisting></para>
          </listitem>

          <listitem>
            <para>Working in the <emphasis role="bold">/usr/lib/fs/afs</emphasis> directory, create the following links to Solaris
            libraries: <programlisting>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/clri</emphasis>  
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/df</emphasis>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/edquota</emphasis>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/ff</emphasis>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/fsdb</emphasis>  
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/fsirand</emphasis>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/fstyp</emphasis>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/labelit</emphasis>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/lockfs</emphasis>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/mkfs</emphasis>  
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/mount</emphasis>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/ncheck</emphasis>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/newfs</emphasis>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/quot</emphasis>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/quota</emphasis>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/quotaoff</emphasis>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/quotaon</emphasis>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/repquota</emphasis>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/tunefs</emphasis>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/ufsdump</emphasis>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/ufsrestore</emphasis>
   # <emphasis role="bold">ln -s /usr/lib/fs/ufs/volcopy</emphasis>
</programlisting></para>
          </listitem>

          <listitem>
            <para>Append the following line to the end of the file <emphasis role="bold">/etc/dfs/fstypes</emphasis>.
            <programlisting>
   afs AFS Utilities
</programlisting></para>
          </listitem>

          <listitem>
            <para>Edit the <emphasis role="bold">/sbin/mountall</emphasis> file, making two changes. <itemizedlist>
                <listitem>
                  <para>Add an entry for AFS to the <computeroutput>case</computeroutput> statement for option 2, so that it reads
                  as follows: <programlisting>
   case "$2" in
   ufs)    foptions="-o p"
           ;;
   afs)    foptions="-o p"
           ;;
   s5)     foptions="-y -t /var/tmp/tmp$$ -D"
           ;;
   *)      foptions="-y"
           ;;
</programlisting></para>
                </listitem>

                <listitem>
                  <para>Edit the file so that all AFS and UFS partitions are checked in parallel. Replace the following section of
                  code: <programlisting>
   # For  fsck purposes, we make a distinction between ufs and
   # other file systems
   #
   if [ "$fstype" = "ufs" ]; then
        ufs_fscklist="$ufs_fscklist $fsckdev"
        saveentry $fstype "$OPTIONS" $special $mountp
        continue
   fi  
</programlisting></para>

                  <para>with the following section of code:</para>

                  <programlisting>
   # For fsck purposes, we make a distinction between ufs/afs
   # and other file systems.
   #
   if [ "$fstype" = "ufs" -o "$fstype" = "afs" ]; then
        ufs_fscklist="$ufs_fscklist $fsckdev"
        saveentry $fstype "$OPTIONS" $special $mountp
        continue
   fi
</programlisting>
                </listitem>
              </itemizedlist></para>
          </listitem>
        </orderedlist></para>

      <indexterm>
        <primary>configuring</primary>

        <secondary>AFS server partition on first AFS machine</secondary>

        <tertiary>Solaris</tertiary>
      </indexterm>

      <indexterm>
        <primary>AFS server partition</primary>

        <secondary>configuring on first AFS machine</secondary>

        <tertiary>Solaris</tertiary>
      </indexterm>

      <indexterm>
        <primary>first AFS machine</primary>

        <secondary>AFS server partition</secondary>

        <tertiary>on Solaris</tertiary>
      </indexterm>

      <indexterm>
        <primary>Solaris</primary>

        <secondary>AFS server partition</secondary>

        <tertiary>on first AFS machine</tertiary>
      </indexterm>
    </sect2>

    <sect2 id="HDRWQ48">
      <title>Configuring Server Partitions on Solaris Systems</title>

      <para>Every AFS file server machine must have at least one partition or logical volume dedicated to storing AFS volumes. Each
      server partition is mounted at a directory named <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable>, where
      <replaceable>xx</replaceable> is one or two lowercase letters. The <emphasis
      role="bold">/vicep</emphasis><replaceable>xx</replaceable> directories must reside in the file server machine's root
      directory, not in one of its subdirectories (for example, <emphasis role="bold">/usr/vicepa</emphasis> is not an acceptable
      directory location). For additional information, see <link linkend="HDRWQ20">Performing Platform-Specific Procedures</link>.
      <orderedlist>
          <listitem>
            <para>Create a directory called <emphasis role="bold">/vicep</emphasis><replaceable>xx</replaceable> for each AFS server
            partition you are configuring (there must be at least one). Repeat the command for each partition. <programlisting>
   # <emphasis role="bold">mkdir /vicep</emphasis><replaceable>xx</replaceable>
</programlisting></para>
          </listitem>

          <listitem>
            <para>Add a line with the following format to the file systems registry file, <emphasis
            role="bold">/etc/vfstab</emphasis>, for each partition to be mounted on a directory created in the previous step. Note
            the value <computeroutput>afs</computeroutput> in the fourth field, which tells Solaris to use the AFS-modified
            <emphasis role="bold">fsck</emphasis> program on this partition. <programlisting>
   /dev/dsk/<replaceable>disk</replaceable>   /dev/rdsk/<replaceable>disk</replaceable>   /vicep<replaceable>xx</replaceable>   afs   <replaceable>boot_order</replaceable>  yes  
</programlisting></para>

            <para>The following is an example for the first partition being configured.</para>

            <programlisting>
   /dev/dsk/c0t6d0s1 /dev/rdsk/c0t6d0s1 /vicepa afs 3 yes
</programlisting>
          </listitem>

          <listitem>
            <para>Create a file system on each partition that is to be mounted at a <emphasis
            role="bold">/vicep</emphasis><replaceable>xx</replaceable> directory. The following command is probably appropriate, but
            consult the Solaris documentation for more information. <programlisting>
   # <emphasis role="bold">newfs -v /dev/rdsk/</emphasis><replaceable>disk</replaceable>
</programlisting></para>
          </listitem>

          <listitem>
            <para>Issue the <emphasis role="bold">mountall</emphasis> command to mount all partitions at once.</para>
          </listitem>

          <listitem>
            <para>If you plan to retain client functionality on this machine after completing the installation, proceed to <link
            linkend="HDRWQ49">Enabling AFS Login and Editing the File Systems Clean-up Script on Solaris Systems</link>. Otherwise,
            proceed to <link linkend="HDRWQ50">Starting the BOS Server</link>.</para>
          </listitem>
        </orderedlist></para>
    </sect2>

    <sect2 id="HDRWQ49">
      <title>Enabling AFS Login on Solaris Systems</title>
      <indexterm>
        <primary>enabling AFS login</primary>

        <secondary>file server machine</secondary>

        <tertiary>Solaris</tertiary>
      </indexterm>

      <indexterm>
        <primary>AFS login</primary>

        <secondary>on file server machine</secondary>

        <tertiary>Solaris</tertiary>
      </indexterm>

      <indexterm>
        <primary>first AFS machine</primary>

        <secondary>AFS login</secondary>

        <tertiary>on Solaris</tertiary>
      </indexterm>

      <indexterm>
        <primary>Solaris</primary>

        <secondary>AFS login</secondary>

        <tertiary>on file server machine</tertiary>
      </indexterm>

      <indexterm>
        <primary>PAM</primary>

        <secondary>on Solaris</secondary>

        <tertiary>file server machine</tertiary>
      </indexterm>

      <note>
        <para>If you plan to remove client functionality from this machine after completing the installation, skip this section and
        proceed to <link linkend="HDRWQ50">Starting the BOS Server</link>.</para>
      </note>

      <para>At this point you incorporate AFS into the operating system's
      Pluggable Authentication Module (PAM) scheme.  PAM integrates all
      authentication mechanisms on the machine, including login, to provide
      the security infrastructure for authenticated access to and from the
      machine.</para>

      <para>Explaining PAM is beyond the scope of this document.  It is
      assumed that you understand the syntax and meanings of settings in the
      PAM configuration file (for example, how the
      <computeroutput>other</computeroutput> entry works, the effect of
      marking an entry as <computeroutput>required</computeroutput>,
      <computeroutput>optional</computeroutput>, or
      <computeroutput>sufficient</computeroutput>, and so on).</para>

      <para>You should first configure your system to obtain Kerberos v5
      tickets as part of the authentication process, and then run an AFS PAM
      module to obtain tokens from those tickets after authentication.
      Current versions of Solaris come with a Kerberos v5 PAM module that
      will work, or you can download and install <ulink
      url="http://www.eyrie.org/~eagle/software/pam-krb5">Russ Allbery's
      Kerberos v5 PAM module</ulink>, which is tested regularly with AFS.
      See the instructions of whatever PAM module you use for how to
      configure it.</para>

      <para>Some Kerberos v5 PAM modules do come with native AFS support
      (usually requiring the Heimdal Kerberos implementation rather than the
      MIT Kerberos implementation).  If you are using one of those PAM
      modules, you can configure it to obtain AFS tokens.  It's more common,
      however, to separate the AFS token acquisition into a separate PAM
      module.</para>

      <para>The recommended AFS PAM module is <ulink
      url="http://www.eyrie.org/~eagle/software/pam-afs-session/">Russ
      Allbery's pam-afs-session module</ulink>.  It should work with any of
      the Kerberos v5 PAM modules.  To add it to the PAM configuration, you
      often only need to add configuration to the session group in
      <filename>pam.conf</filename>:</para>

      <example>
        <title>Solaris PAM session example</title>
        <literallayout>login session required pam_afs_session.so</literallayout>
      </example>

      <para>This example enables PAM authentication only for console login.
      You may want to add a similar line for the ssh service and for any
      other login service that you use, including possibly the
      <literal>other</literal> service (which serves as a catch-all).  You
      may also want to add options to the AFS PAM session module
      (particularly <literal>retain_after_close</literal>, which is
      necessary for some versions of Solaris.</para>

      <para>For additional configuration examples and the configuration
      options of the AFS PAM module, see its documentation.  For more
      details on the available options for the PAM configuration, see the
      <filename>pam.conf</filename> manual page.</para>

      <para>Sites which still require <emphasis
      role="bold">kaserver</emphasis> or external Kerberos v4 authentication
      should consult <link linkend="KAS016">"Enabling kaserver based AFS
      Login on Solaris Systems"</link> for details of how to enable AFS
      login on Solaris.</para>

      <para>Proceed to <link linkend="HDRWQ49a">Editing the File Systems 
      Clean-up Script on Solaris Systems</link></para>
    </sect2>
    <sect2 id="HDRWQ49a">
      <title>Editing the File Systems Clean-up Script on Solaris Systems</title>
      <indexterm>
        <primary>Solaris</primary>

        <secondary>file systems clean-up script</secondary>

        <tertiary>on file server machine</tertiary>
      </indexterm>

      <indexterm>
        <primary>file systems clean-up script (Solaris)</primary>

        <secondary>file server machine</secondary>
      </indexterm>

      <indexterm>
        <primary>scripts</primary>

        <secondary>file systems clean-up (Solaris)</secondary>

        <tertiary>file server machine</tertiary>
      </indexterm>

      
        <orderedlist>
          <listitem>
            <para>Some Solaris distributions include a script that locates and removes unneeded files from various file systems. Its
            conventional location is <emphasis role="bold">/usr/lib/fs/nfs/nfsfind</emphasis>. The script generally uses an argument
            to the <emphasis role="bold">find</emphasis> command to define which file systems to search. In this step you modify the
            command to exclude the <emphasis role="bold">/afs</emphasis> directory. Otherwise, the command traverses the AFS
            filespace of every cell that is accessible from the machine, which can take many hours. The following alterations are
            possibilities, but you must verify that they are appropriate for your cell.</para>

            <para>The first possible alteration is to add the <emphasis role="bold">-local</emphasis> flag to the existing command,
            so that it looks like the following:</para>

            <programlisting>
   find $dir -local -name .nfs\* -mtime +7 -mount -exec rm -f {} \;   
</programlisting>

            <para>Another alternative is to exclude any directories whose names begin with the lowercase letter <emphasis
            role="bold">a</emphasis> or a non-alphabetic character.</para>

            <programlisting>
   find /[A-Zb-z]*  <replaceable>remainder of existing command</replaceable>   
</programlisting>

            <para>Do not use the following command, which still searches under the <emphasis role="bold">/afs</emphasis> directory,
            looking for a subdirectory of type <emphasis role="bold">4.2</emphasis>.</para>

            <programlisting>
   find / -fstype 4.2     /* <replaceable>do not use</replaceable> */
</programlisting>
          </listitem>

          <listitem>
            <para>Proceed to <link linkend="HDRWQ50">Starting the BOS Server</link> (or if referring to these instructions while
            installing an additional file server machine, return to <link linkend="HDRWQ108">Starting Server
            Programs</link>).</para>
          </listitem>
        </orderedlist>

      <indexterm>
        <primary>Basic OverSeer Server</primary>

        <see>BOS Server</see>
      </indexterm>

      <indexterm>
        <primary>BOS Server</primary>

        <secondary>starting</secondary>

        <tertiary>first AFS machine</tertiary>
      </indexterm>

      <indexterm>
        <primary>starting</primary>

        <secondary>BOS Server</secondary>

        <tertiary>first AFS machine</tertiary>
      </indexterm>

      <indexterm>
        <primary>first AFS machine</primary>

        <secondary>BOS Server</secondary>
      </indexterm>

      <indexterm>
        <primary>authorization checking (disabling)</primary>

        <secondary>first AFS machine</secondary>
      </indexterm>

      <indexterm>
        <primary>disabling authorization checking</primary>

        <secondary>first AFS machine</secondary>
      </indexterm>

      <indexterm>
        <primary>first AFS machine</primary>

        <secondary>authorization checking (disabling)</secondary>
      </indexterm>
    </sect2>
  </sect1>
  <sect1 id="HDRWQ50">
    <title>Starting the BOS Server</title>

    <para>You are now ready to start the AFS server processes on this machine. 
    If you are not working from a packaged distribution, begin by copying the 
    AFS server binaries from the distribution to the conventional local disk
    location, the <emphasis role="bold">/usr/afs/bin</emphasis> directory. The 
    following instructions also create files in other subdirectories of the 
    <emphasis role="bold">/usr/afs</emphasis> directory.</para>

    <para>Then issue the <emphasis role="bold">bosserver</emphasis> command to initialize the Basic OverSeer (BOS) Server, which
    monitors and controls other AFS server processes on its server machine. Include the <emphasis role="bold">-noauth</emphasis>
    flag to disable authorization checking. Because you have not yet configured your cell's AFS authentication and authorization
    mechanisms, the BOS Server cannot perform authorization checking as it does during normal operation. In no-authorization mode,
    it does not verify the identity or privilege of the issuer of a <emphasis role="bold">bos</emphasis> command, and so performs
    any operation for anyone.</para>

    <para>Disabling authorization checking gravely compromises cell security. You must complete all subsequent steps in one
    uninterrupted pass and must not leave the machine unattended until you restart the BOS Server with authorization checking
    enabled, in <link linkend="HDRWQ72">Verifying the AFS Initialization Script</link>.</para>

    <para>As it initializes for the first time, the BOS Server creates the following directories and files, setting the owner to the
    local superuser <emphasis role="bold">root</emphasis> and the mode bits to limit the ability to write (and in some cases, read)
    them. For a description of the contents and function of these directories and files, see the chapter in the <emphasis>OpenAFS
    Administration Guide</emphasis> about administering server machines. For further discussion of the mode bit settings, see <link
    linkend="HDRWQ96">Protecting Sensitive AFS Directories</link>. <indexterm>
        <primary>Binary Distribution</primary>

        <secondary>copying server files from</secondary>

        <tertiary>first AFS machine</tertiary>
      </indexterm> <indexterm>
        <primary>first AFS machine</primary>

        <secondary>subdirectories of /usr/afs</secondary>
      </indexterm> <indexterm>
        <primary>creating</primary>

        <secondary>/usr/afs/bin directory</secondary>

        <tertiary>first AFS machine</tertiary>
      </indexterm> <indexterm>
        <primary>creating</primary>

        <secondary>/usr/afs/etc directory</secondary>

        <tertiary>first AFS machine</tertiary>
      </indexterm> <indexterm>
        <primary>copying</primary>

        <secondary>server files to local disk</secondary>

        <tertiary>first AFS machine</tertiary>
      </indexterm> <indexterm>
        <primary>first AFS machine</primary>

        <secondary>copying</secondary>

        <tertiary>server files to local disk</tertiary>
      </indexterm> <indexterm>
        <primary>usr/afs/bin directory</primary>

        <secondary>first AFS machine</secondary>
      </indexterm> <indexterm>
        <primary>usr/afs/etc directory</primary>

        <secondary>first AFS machine</secondary>
      </indexterm> <indexterm>
        <primary>usr/afs/db directory</primary>
      </indexterm> <indexterm>
        <primary>usr/afs/local directory</primary>
      </indexterm> <indexterm>
        <primary>usr/afs/logs directory</primary>
      </indexterm> <itemizedlist>
        <listitem>
          <para><emphasis role="bold">/usr/afs/db</emphasis></para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">/usr/afs/etc/CellServDB</emphasis></para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">/usr/afs/etc/ThisCell</emphasis></para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">/usr/afs/local</emphasis></para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">/usr/afs/logs</emphasis></para>
        </listitem>
      </itemizedlist></para>

    <para>The BOS Server also creates symbolic links called <emphasis role="bold">/usr/vice/etc/ThisCell</emphasis> and <emphasis
    role="bold">/usr/vice/etc/CellServDB</emphasis> to the corresponding files in the <emphasis role="bold">/usr/afs/etc</emphasis>
    directory. The AFS command interpreters consult the <emphasis role="bold">CellServDB</emphasis> and <emphasis
    role="bold">ThisCell</emphasis> files in the <emphasis role="bold">/usr/vice/etc</emphasis> directory because they generally run
    on client machines. On machines that are AFS servers only (as this machine currently is), the files reside only in the <emphasis
    role="bold">/usr/afs/etc</emphasis> directory; the links enable the command interpreters to retrieve the information they need.
    Later instructions for installing the client functionality replace the links with actual files. <orderedlist>
        <listitem>
          <para>If you are not working from a packaged distribution, you may need to copy files from the distribution media to the local <emphasis role="bold">/usr/afs</emphasis> directory. 
<programlisting>
   # <emphasis role="bold">cd /tmp/afsdist/</emphasis><replaceable>sysname</replaceable><emphasis role="bold">/root.server/usr/afs</emphasis>
   # <emphasis role="bold">cp -rp  *  /usr/afs</emphasis>
</programlisting> <indexterm>
              <primary>commands</primary>

              <secondary>bosserver</secondary>
            </indexterm> <indexterm>
              <primary>bosserver command</primary>
            </indexterm></para>
        </listitem>

        <listitem>
          <para>Issue the <emphasis role="bold">bosserver</emphasis> command. Include the <emphasis role="bold">-noauth</emphasis>
          flag to disable authorization checking. <programlisting>
   # <emphasis role="bold">/usr/afs/bin/bosserver -noauth &amp;</emphasis>
</programlisting></para>
        </listitem>

        <listitem>
          <para>Verify that the BOS Server created <emphasis role="bold">/usr/vice/etc/ThisCell</emphasis> and <emphasis
          role="bold">/usr/vice/etc/CellServDB</emphasis> as symbolic links to the corresponding files in the <emphasis
          role="bold">/usr/afs/etc</emphasis> directory. <programlisting>
   # <emphasis role="bold">ls -l  /usr/vice/etc</emphasis>
</programlisting></para>

          <para>If either or both of <emphasis role="bold">/usr/vice/etc/ThisCell</emphasis> and <emphasis
          role="bold">/usr/vice/etc/CellServDB</emphasis> do not exist, or are not links, issue the following commands.</para>

          <programlisting>
   # <emphasis role="bold">cd /usr/vice/etc</emphasis>
   # <emphasis role="bold">ln -s /usr/afs/etc/ThisCell</emphasis>
   # <emphasis role="bold">ln -s /usr/afs/etc/CellServDB</emphasis> 
</programlisting>
        </listitem>
      </orderedlist></para>

    <indexterm>
      <primary>cell name</primary>

      <secondary>defining during installation of first machine</secondary>
    </indexterm>

    <indexterm>
      <primary>defining</primary>

      <secondary>cell name during installation of first machine</secondary>
    </indexterm>

    <indexterm>
      <primary>cell name</primary>

      <secondary>setting in server ThisCell file</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>setting</primary>

      <secondary>cell name in server ThisCell file</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>ThisCell file (server)</secondary>
    </indexterm>

    <indexterm>
      <primary>usr/afs/etc/ThisCell</primary>

      <see>ThisCell file (server)</see>
    </indexterm>

    <indexterm>
      <primary>ThisCell file (server)</primary>

      <secondary>first AFS machine</secondary>
    </indexterm>

    <indexterm>
      <primary>files</primary>

      <secondary>ThisCell (server)</secondary>
    </indexterm>

    <indexterm>
      <primary>database server machine</primary>

      <secondary>entry in server CellServDB file</secondary>

      <tertiary>on first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>cell membership, defining</secondary>

      <tertiary>for server processes</tertiary>
    </indexterm>

    <indexterm>
      <primary>usr/afs/etc/CellServDB file</primary>

      <see>CellServDB file (server)</see>
    </indexterm>

    <indexterm>
      <primary>CellServDB file (server)</primary>

      <secondary>creating</secondary>

      <tertiary>on first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>creating</primary>

      <secondary>CellServDB file (server)</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>files</primary>

      <secondary>CellServDB (server)</secondary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>CellServDB file (server)</secondary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>defining</secondary>

      <tertiary>as database server</tertiary>
    </indexterm>

    <indexterm>
      <primary>defining</primary>

      <secondary>first AFS machine as database server</secondary>
    </indexterm>
  </sect1>

  <sect1 id="HDRWQ51">
    <title>Defining Cell Name and Membership for Server Processes</title>

    <para>Now assign your cell's name. The chapter in the <emphasis>OpenAFS Administration Guide</emphasis> about cell configuration
    and administration issues discusses the important considerations, explains why changing the name is difficult, and outlines the
    restrictions on name format. Two of the most important restrictions are that the name cannot include uppercase letters or more
    than 64 characters.</para>

    <para>Use the <emphasis role="bold">bos setcellname</emphasis> command to assign the cell name. It creates two files:
    <itemizedlist>
        <listitem>
          <para><emphasis role="bold">/usr/afs/etc/ThisCell</emphasis>, which defines this machine's cell membership</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">/usr/afs/etc/CellServDB</emphasis>, which lists the cell's database server machines; the
          machine named on the command line is placed on the list automatically</para>
        </listitem>
      </itemizedlist> <note>
        <para>In the following and every instruction in this guide, for the <replaceable>machine name</replaceable> argument
        substitute the fully-qualified hostname (such as <emphasis role="bold">fs1.example.com</emphasis>) of the machine you are
        installing. For the <replaceable>cell name</replaceable> argument substitute your cell's complete name (such as <emphasis
        role="bold">example.com</emphasis>).</para>
      </note></para>

    <indexterm>
      <primary>commands</primary>

      <secondary>bos setcellname</secondary>
    </indexterm>

    <indexterm>
      <primary>bos commands</primary>

      <secondary>setcellname</secondary>
    </indexterm>

    <orderedlist>
      <listitem>
        <para>If necessary, add the directory containing the <emphasis role="bold">bos</emphasis> command to your path.
      <programlisting>
   # <emphasis role="bold">export PATH=$PATH:/usr/afs/bin</emphasis>
      </programlisting>
        </para>
      </listitem>

      <listitem>
        <para>Issue the <emphasis role="bold">bos setcellname</emphasis> command to set the cell name. <programlisting>
   # <emphasis role="bold">bos setcellname</emphasis> &lt;<replaceable>machine name</replaceable>&gt; &lt;<replaceable>cell name</replaceable>&gt; <emphasis
              role="bold">-noauth</emphasis>
</programlisting></para>

        <para>Because you are not authenticated and authorization checking is disabled, the <emphasis role="bold">bos</emphasis>
        command interpreter possibly produces error messages about being unable to obtain tickets and running unauthenticated. You
        can safely ignore the messages. <indexterm>
            <primary>commands</primary>

            <secondary>bos listhosts</secondary>
          </indexterm> <indexterm>
            <primary>bos commands</primary>

            <secondary>listhosts</secondary>
          </indexterm> <indexterm>
            <primary>CellServDB file (server)</primary>

            <secondary>displaying entries</secondary>
          </indexterm> <indexterm>
            <primary>displaying</primary>

            <secondary>CellServDB file (server) entries</secondary>
          </indexterm></para>
      </listitem>

      <listitem>
        <para>Issue the <emphasis role="bold">bos listhosts</emphasis> command to verify that the machine you are installing is now
        registered as the cell's first database server machine. <programlisting>
   # <emphasis role="bold">bos listhosts</emphasis> &lt;<replaceable>machine name</replaceable>&gt; <emphasis role="bold">-noauth</emphasis>
   Cell name is <replaceable>cell_name</replaceable>
       Host 1 is <replaceable>machine_name</replaceable>
</programlisting></para>
      </listitem>
    </orderedlist>

    <indexterm>
      <primary>database server machine</primary>

      <secondary>installing</secondary>

      <tertiary>first</tertiary>
    </indexterm>

    <indexterm>
      <primary>instructions</primary>

      <secondary>database server machine, installing first</secondary>
    </indexterm>

    <indexterm>
      <primary>installing</primary>

      <secondary>database server machine</secondary>

      <tertiary>first</tertiary>
    </indexterm>

    <indexterm>
      <primary>Backup Server</primary>

      <secondary>starting</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>buserver process</primary>

      <see>Backup Server</see>
    </indexterm>

    <indexterm>
      <primary>starting</primary>

      <secondary>Backup Server</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>Backup Server</secondary>
    </indexterm>

    <indexterm>
      <primary>Protection Server</primary>

      <secondary>starting</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>ptserver process</primary>

      <see>Protection Server</see>
    </indexterm>

    <indexterm>
      <primary>starting</primary>

      <secondary>Protection Server</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>Protection Server</secondary>
    </indexterm>

    <indexterm>
      <primary>VL Server (vlserver process)</primary>

      <secondary>starting</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>Volume Location Server</primary>

      <see>VL Server</see>
    </indexterm>

    <indexterm>
      <primary>starting</primary>

      <secondary>VL Server</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>VL Server</secondary>
    </indexterm>

    <indexterm>
      <primary>usr/afs/local/BosConfig</primary>

      <see>BosConfig file</see>
    </indexterm>

    <indexterm>
      <primary>BosConfig file</primary>

      <secondary>adding entries</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>adding</primary>

      <secondary>entries to BosConfig file</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>files</primary>

      <secondary>BosConfig</secondary>
    </indexterm>

    <indexterm>
      <primary>initializing</primary>

      <secondary>server process</secondary>

      <see>starting</see>
    </indexterm>

    <indexterm>
      <primary>server process</primary>

      <secondary>see also entry for each server's name</secondary>
    </indexterm>
  </sect1>

  <sect1 id="HDRWQ52">
    <title>Starting the Database Server Processes</title>

    <para>Next use the <emphasis role="bold">bos create</emphasis> command to create entries for the three database server processes
    in the <emphasis role="bold">/usr/afs/local/BosConfig</emphasis> file and start them running. The three processes run on database
    server machines only: <itemizedlist>

        <listitem>
          <para>The Backup Server (the <emphasis role="bold">buserver</emphasis> process) maintains the Backup Database</para>
        </listitem>

        <listitem>
          <para>The Protection Server (the <emphasis role="bold">ptserver</emphasis> process) maintains the Protection
          Database</para>
        </listitem>

        <listitem>
          <para>The Volume Location (VL) Server (the <emphasis role="bold">vlserver</emphasis> process) maintains the Volume
          Location Database (VLDB)</para>
        </listitem>
      </itemizedlist></para>

    <indexterm>
      <primary>Kerberos</primary>
    </indexterm>

    <note>
      <para>AFS ships with an additional database server named 'kaserver', which
      was historically used to provide authentication services to AFS cells.
      kaserver was based on <emphasis>Kerberos v4</emphasis>, as such, it is
      not recommended for new cells. This guide assumes you have already
      configured a Kerberos v5 realm for your site, and details the procedures 
      required to use AFS with this realm. If you do wish to use
      <emphasis role="bold">kaserver</emphasis>, please see the modifications
      to these instructions detailed in 
      <link linkend="KAS006">Starting the kaserver Database Server Process</link>
      </para>
    </note>

    <para>The remaining instructions in this chapter include the <emphasis role="bold">-cell</emphasis> argument on all applicable
    commands. Provide the cell name you assigned in <link linkend="HDRWQ51">Defining Cell Name and Membership for Server
    Processes</link>. If a command appears on multiple lines, it is only for legibility. <indexterm>
        <primary>commands</primary>

        <secondary>bos create</secondary>
      </indexterm> <indexterm>
        <primary>bos commands</primary>

        <secondary>create</secondary>
      </indexterm> <orderedlist>
        <listitem>
          <para>Issue the <emphasis role="bold">bos create</emphasis> command to start the Backup Server. <programlisting>
   # <emphasis role="bold">./bos create</emphasis> &lt;<replaceable>machine name</replaceable>&gt; <emphasis role="bold">buserver simple /usr/afs/bin/buserver</emphasis>  <emphasis role="bold">-noauth</emphasis>
</programlisting></para>
        </listitem>

        <listitem>
          <para>Issue the <emphasis role="bold">bos create</emphasis> command to start the Protection Server. <programlisting>
   # <emphasis role="bold">./bos create</emphasis> &lt;<replaceable>machine name</replaceable>&gt; <emphasis role="bold">ptserver simple /usr/afs/bin/ptserver</emphasis> <emphasis role="bold">-noauth</emphasis>
</programlisting></para>
        </listitem>

        <listitem>
          <para>Issue the <emphasis role="bold">bos create</emphasis> command to start the VL Server. <programlisting>
   # <emphasis role="bold">./bos create</emphasis> &lt;<replaceable>machine name</replaceable>&gt; <emphasis role="bold">vlserver simple /usr/afs/bin/vlserver</emphasis> <emphasis role="bold">-noauth</emphasis>
</programlisting></para>
        </listitem>
      </orderedlist></para>

    <indexterm>
      <primary>admin account</primary>

      <secondary>creating</secondary>
    </indexterm>

    <indexterm>
      <primary>afs entry in Kerberos Database</primary>
    </indexterm>

    <indexterm>
      <primary>Kerberos Database</primary>
    </indexterm>

    <indexterm>
      <primary>creating</primary>

      <secondary>afs entry in Kerberos Database</secondary>
    </indexterm>

    <indexterm>
      <primary>creating</primary>

      <secondary>admin account in Kerberos Database</secondary>
    </indexterm>

    <indexterm>
      <primary>security</primary>

      <secondary>initializing cell-wide</secondary>
    </indexterm>

    <indexterm>
      <primary>cell</primary>

      <secondary>initializing security mechanisms</secondary>
    </indexterm>

    <indexterm>
      <primary>initializing</primary>

      <secondary>cell security mechanisms</secondary>
    </indexterm>

    <indexterm>
      <primary>usr/afs/etc/KeyFile</primary>

      <see>KeyFile file</see>
    </indexterm>

    <indexterm>
      <primary>KeyFile file</primary>

      <secondary>first AFS machine</secondary>
    </indexterm>

    <indexterm>
      <primary>files</primary>

      <secondary>KeyFile</secondary>
    </indexterm>

    <indexterm>
      <primary>key</primary>

      <see>server encryption key</see>
    </indexterm>

    <indexterm>
      <primary>encryption key</primary>

      <see>server encryption key</see>
    </indexterm>
  </sect1>

  <sect1 id="HDRWQ53">
    <title>Initializing Cell Security </title>

    <para>If you are working with an existing cell which uses
    <emphasis role="bold">kaserver</emphasis> or Kerberos v4 for authentication,
    please see 
    <link linkend="HDRWQ53">Initializing Cell Security with kaserver</link>
    for installation instructions which replace this section.</para>
    
    <para>Now initialize the cell's security mechanisms. Begin by creating the following two entires in your site's Kerberos database: <itemizedlist>
        <listitem>
          <para>A generic administrative account, called <emphasis role="bold">admin</emphasis> by convention. If you choose to
          assign a different name, substitute it throughout the remainder of this document.</para>

          <para>After you complete the installation of the first machine, you can continue to have all administrators use the
          <emphasis role="bold">admin</emphasis> account, or you can create a separate administrative account for each of them. The
          latter scheme implies somewhat more overhead, but provides a more informative audit trail for administrative
          operations.</para>
        </listitem>

        <listitem>
          <para>The entry for AFS server processes, called either 
          <emphasis role="bold">afs</emphasis> or 
          <emphasis role="bold">afs/<replaceable>cell</replaceable></emphasis>. 
          The latter form is preferred since it works regardless of whether
          your cell name matches your Kerberos realm name and allows multiple
          AFS cells to be served from a single Kerberos realm.  
          No user logs in under this identity, but it is used to encrypt the
          server tickets that granted to AFS clients for presentation to 
          server processes during mutual authentication. (The
          chapter in the <emphasis>OpenAFS Administration Guide</emphasis> about cell configuration and administration describes the
          role of server encryption keys in mutual authentication.)</para>

          <para>In Step <link linkend="LIWQ58">7</link>, you also place the initial AFS server encryption key into the <emphasis
          role="bold">/usr/afs/etc/KeyFile</emphasis> file. The AFS server processes refer to this file to learn the server
          encryption key when they need to decrypt server tickets.</para>
        </listitem>
      </itemizedlist></para>

    <para>You also issue several commands that enable the new <emphasis role="bold">admin</emphasis> user to issue privileged
    commands in all of the AFS suites.</para>

    <para>The following instructions do not configure all of the security mechanisms related to the AFS Backup System. See the
    chapter in the <emphasis>OpenAFS Administration Guide</emphasis> about configuring the Backup System.</para>

    <para>The examples below assume you are using MIT Kerberos. Please refer 
    to the documentation for your KDC's administrative interface if you are 
    using a different vendor</para>

    <orderedlist>
        <listitem>
          <para>Enter <emphasis role="bold">kadmin</emphasis> interactive mode.
<programlisting>
   # <emphasis role="bold">kadmin</emphasis>
Authenticating as principal <replaceable>you</replaceable>/admin@<replaceable>YOUR REALM</replaceable> with password
Password for <replaceable>you/admin@REALM</replaceable>: <replaceable>your_password</replaceable>
</programlisting> <indexterm>
              <primary>server encryption key</primary>

              <secondary>in Kerberos Database</secondary>
            </indexterm> <indexterm>
              <primary>creating</primary>

              <secondary>server encryption key</secondary>

              <tertiary>Kerberos Database</tertiary>
            </indexterm></para>
        </listitem>

        <listitem id="LIWQ54">
          <para>Issue the 
          <emphasis role="bold">add_principal</emphasis> command to create 
          Kerberos Database entries called 
          <emphasis role="bold">admin</emphasis> and 
          <emphasis role="bold">afs/&lt;<replaceable>cell name</replaceable>&gt;</emphasis>.</para>

          <para>You should make the <replaceable>admin_passwd</replaceable> as
          long and complex as possible, but keep in mind that administrators 
          need to enter it often. It must be at least six characters long.</para>
          <para>Note that when creating the 
          <emphasis role="bold">afs/&lt;<replaceable>cell name</replaceable>&gt;</emphasis> 
          entry, the encryption types should be restricted to des-cbc-crc:v4. 
          For more details regarding encryption types, see the documentation 
          for your Kerberos installation.

<programlisting>
   kadmin: <emphasis role="bold">add_principal -randkey -e des-cbc-crc:v4 afs/</emphasis>&lt;<replaceable>cell name</replaceable>&gt;
   Principal "afs/<replaceable>cell name</replaceable>@<replaceable>REALM</replaceable>" created.
   kadmin:  <emphasis role="bold">add_principal admin</emphasis>
   Enter password for principal "admin@<replaceable>REALM</replaceable>": <emphasis role="bold"><replaceable>admin_password</replaceable></emphasis>
   Principal "admin@<replaceable>REALM</replaceable>" created.
</programlisting>
          </para>

          <indexterm>
            <primary>commands</primary>

            <secondary>kas examine</secondary>
          </indexterm>

          <indexterm>
            <primary>kas commands</primary>

            <secondary>examine</secondary>
          </indexterm>

          <indexterm>
            <primary>displaying</primary>

            <secondary>server encryption key</secondary>

            <tertiary>Authentication Database</tertiary>
          </indexterm>
        </listitem>

        <listitem id="LIWQ55">
          <para>Issue the <emphasis role="bold">kadmin 
          get_principal</emphasis> command to display the <emphasis
          role="bold">afs/</emphasis>&lt;<replaceable>cell name</replaceable>&gt; entry. 
<programlisting>
  kadmin: <emphasis role="bold">get_principal afs/&lt;<replaceable>cell name</replaceable>&gt;</emphasis>
  Principal: afs/<replaceable>cell</replaceable>
  [ ... ]
  Key: vno 2, DES cbc mode with CRC-32, no salt
  [ ... ]
</programlisting>
</para>
        </listitem>
        <listitem>
          <para>Extract the newly created key for <emphasis role="bold">afs/<replaceable>cell</replaceable></emphasis> to a keytab on the local machine. We will use <emphasis role="bold">/etc/afs.keytab</emphasis> as the location for this keytab.</para>

          <para>The keytab contains the key material that ensures the security of your AFS cell. You should ensure that it is kept in a secure location at all times.</para>

<programlisting>
  kadmin: <emphasis role="bold">ktadd -k /etc/afs.keytab -e des-cbc-crc:v4 afs/&lt;<replaceable>cell name</replaceable>&gt;</emphasis>
Entry for principal afs/&lt;<replaceable>cell name</replaceable>&gt; with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/afs.keytab
</programlisting>
          <para>Make a note of the key version number (kvno) given in the
          response, as you will need it to load the key into bos in a later
          step</para>

          <note><para>Note that each time you run 
          <emphasis role="bold">ktadd</emphasis> a new key is generated
          for the item being extracted. This means that you cannot run ktadd
          multiple times and end up with the same key material each time.
          </para></note>

        </listitem>
        <listitem>
          <para>Issue the <emphasis role="bold">quit</emphasis> command to leave <emphasis role="bold">kadmin</emphasis>
          interactive mode. <programlisting>
   kadmin: <emphasis role="bold">quit</emphasis>
</programlisting> <indexterm>
              <primary>commands</primary>

              <secondary>bos adduser</secondary>
            </indexterm> <indexterm>
              <primary>bos commands</primary>

              <secondary>adduser</secondary>
            </indexterm> <indexterm>
              <primary>usr/afs/etc/UserList</primary>

              <see>UserList file</see>
            </indexterm> <indexterm>
              <primary>UserList file</primary>

              <secondary>first AFS machine</secondary>
            </indexterm> <indexterm>
              <primary>files</primary>

              <secondary>UserList</secondary>
            </indexterm> <indexterm>
              <primary>creating</primary>

              <secondary>UserList file entry</secondary>
            </indexterm> <indexterm>
              <primary>admin account</primary>

              <secondary>adding</secondary>

              <tertiary>to UserList file</tertiary>
            </indexterm></para>
        </listitem>

        <listitem id="LIWQ57">
          <para>Issue the <emphasis role="bold">bos adduser</emphasis> command to add the <emphasis
          role="bold">admin</emphasis> user to the <emphasis role="bold">/usr/afs/etc/UserList</emphasis> file. This enables the
          <emphasis role="bold">admin</emphasis> user to issue privileged <emphasis role="bold">bos</emphasis> and <emphasis
          role="bold">vos</emphasis> commands. <programlisting>
   # <emphasis role="bold">./bos adduser</emphasis> &lt;<replaceable>machine name</replaceable>&gt; <emphasis role="bold">admin -noauth</emphasis>
</programlisting> 
            <indexterm>
              <primary>commands</primary>
              <secondary>asetkey</secondary>
            </indexterm>
            <indexterm>
              <primary>creating</primary>
              <secondary>server encryption key</secondary>
              <tertiary>KeyFile file</tertiary>
            </indexterm> 
            <indexterm>
              <primary>server encryption key</primary>
              <secondary>in KeyFile file</secondary>
            </indexterm></para>
        </listitem>

        <listitem id="LIWQ58">
          <para>Issue the 
          <emphasis role="bold">asetkey</emphasis> command to set the AFS 
          server encryption key in the 
          <emphasis role="bold">/usr/afs/etc/KeyFile</emphasis> file. This key 
          is created from the <emphasis role="bold">/etc/afs.keytab</emphasis> 
          file created earlier.</para>

          <para>asetkey requires the key version number (or kvno) of the 
          <emphasis role="bold">afs/</emphasis><replaceable>cell</replaceable>
          key. You should have made note of the kvno when creating the key
          earlier.  The key version number can also be found by running the 
          <emphasis role="bold">kvno</emphasis> command</para>
<programlisting>
   # <emphasis role="bold">kvno -k /etc/afs.keytab afs/</emphasis>&lt;<replaceable>cell name</replaceable>&gt;
</programlisting>

          <para>Once the kvno is known, the key can then be extracted using 
          asetkey</para>
<programlisting>
   # <emphasis role="bold">asetkey add</emphasis> &lt;<replaceable>kvno</replaceable>&gt;  <emphasis role="bold">/etc/afs.keytab afs/</emphasis>&lt;<replaceable>cell name</replaceable>&gt;
</programlisting>

          <indexterm>
            <primary>commands</primary>
            <secondary>bos listkeys</secondary>
          </indexterm>

          <indexterm>
            <primary>bos commands</primary>
            <secondary>listkeys</secondary>
          </indexterm>

          <indexterm>
            <primary>displaying</primary>
            <secondary>server encryption key</secondary>
            <tertiary>KeyFile file</tertiary>
          </indexterm>
        </listitem>

        <listitem id="LIWQ59">
          <para>Issue the 
          <emphasis role="bold">bos listkeys</emphasis> command to verify that 
          the key version number for the new key in the 
          <emphasis role="bold">KeyFile</emphasis> file is the same as the key 
          version number in the Authentication Database's 
          <emphasis role="bold">afs/<replaceable>cell name</replaceable></emphasis> 
          entry, which you displayed in Step <link linkend="LIWQ55">3</link>. 
<programlisting>
   # <emphasis role="bold">./bos listkeys</emphasis> &lt;<replaceable>machine name</replaceable>&gt; <emphasis role="bold">-noauth</emphasis>
   key 0 has cksum <replaceable>checksum</replaceable>    
</programlisting></para>

          <para>You can safely ignore any error messages indicating that <emphasis role="bold">bos</emphasis> failed to get tickets
          or that authentication failed.</para>
        </listitem>
      </orderedlist>
    </sect1>
    <sect1 id="HDRWQ53a">
      <title>Initializing the Protection Database</title>
      
      <para>Now continue to configure your cell's security systems by
      populating the Protection Database with the newly created
      <emphasis role="bold">admin</emphasis> user, and permitting it
      to issue priviledged commands on the AFS filesystem.</para>
          
        <orderedlist>
          <listitem>
          <indexterm>
            <primary>commands</primary>
            <secondary>pts createuser</secondary>
          </indexterm>

          <indexterm>
            <primary>pts commands</primary>
            <secondary>createuser</secondary>
          </indexterm>

          <indexterm>
            <primary>Protection Database</primary>
          </indexterm>
          <para>Issue the <emphasis role="bold">pts createuser</emphasis> command to create a Protection Database entry for the
          <emphasis role="bold">admin</emphasis> user.</para>

          <para>By default, the Protection Server assigns AFS UID 1 (one) to the <emphasis role="bold">admin</emphasis> user,
          because it is the first user entry you are creating. If the local password file (<emphasis
          role="bold">/etc/passwd</emphasis> or equivalent) already has an entry for <emphasis role="bold">admin</emphasis> that
          assigns it a UNIX UID other than 1, it is best to use the <emphasis role="bold">-id</emphasis> argument to the <emphasis
          role="bold">pts createuser</emphasis> command to make the new AFS UID match the existing UNIX UID. Otherwise, it is best
          to accept the default.</para>

          <programlisting>
   # <emphasis role="bold">pts createuser -name admin</emphasis> [<emphasis
              role="bold">-id</emphasis> &lt;<replaceable>AFS UID</replaceable>&gt;]  <emphasis role="bold">-noauth</emphasis>
   User admin has id <replaceable>AFS UID</replaceable>
</programlisting>

          <indexterm>
            <primary>commands</primary>
            <secondary>pts adduser</secondary>
          </indexterm>

          <indexterm>
            <primary>pts commands</primary>
            <secondary>adduser</secondary>
          </indexterm>

          <indexterm>
            <primary>system:administrators group</primary>
          </indexterm>

          <indexterm>
            <primary>admin account</primary>
            <secondary>adding</secondary>
            <tertiary>to system:administrators group</tertiary>
          </indexterm>
        </listitem>

        <listitem>
          <para>Issue the <emphasis role="bold">pts adduser</emphasis> command to make the <emphasis role="bold">admin</emphasis>
          user a member of the <emphasis role="bold">system:administrators</emphasis> group, and the <emphasis role="bold">pts
          membership</emphasis> command to verify the new membership. Membership in the group enables the <emphasis
          role="bold">admin</emphasis> user to issue privileged <emphasis role="bold">pts</emphasis> commands and some privileged
          <emphasis role="bold">fs</emphasis> commands. <programlisting>
   # <emphasis role="bold">./pts adduser admin system:administrators</emphasis> <emphasis role="bold">-noauth</emphasis>
   # <emphasis role="bold">./pts membership admin</emphasis> <emphasis role="bold">-noauth</emphasis>
   Groups admin (id: 1) is a member of:
     system:administrators
</programlisting> <indexterm>
              <primary>commands</primary>
              <secondary>bos restart</secondary>
              <tertiary>on first AFS machine</tertiary>
            </indexterm> <indexterm>
              <primary>bos commands</primary>
              <secondary>restart</secondary>
              <tertiary>on first AFS machine</tertiary>
            </indexterm> <indexterm>
              <primary>restarting server process</primary>
              <secondary>on first AFS machine</secondary>
            </indexterm> <indexterm>
              <primary>server process</primary>
              <secondary>restarting</secondary>
              <tertiary>on first AFS machine</tertiary>
            </indexterm></para>
        </listitem>

        <listitem>
          <para>Issue the <emphasis role="bold">bos restart</emphasis> command with the <emphasis role="bold">-all</emphasis> flag
          to restart the database server processes, so that they start using the new server encryption key. <programlisting>
   # <emphasis role="bold">./bos restart</emphasis> &lt;<replaceable>machine name</replaceable>&gt; <emphasis role="bold">-all</emphasis>
   <emphasis role="bold">-noauth</emphasis>
</programlisting></para>
        </listitem>
      </orderedlist>

    <indexterm>
      <primary>File Server</primary>

      <secondary>first AFS machine</secondary>
    </indexterm>

    <indexterm>
      <primary>fileserver process</primary>

      <see>File Server</see>
    </indexterm>

    <indexterm>
      <primary>starting</primary>

      <secondary>File Server</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>File Server, fs process</secondary>
    </indexterm>

    <indexterm>
      <primary>Volume Server</primary>

      <secondary>first AFS machine</secondary>
    </indexterm>

    <indexterm>
      <primary>volserver process</primary>

      <see>Volume Server</see>
    </indexterm>

    <indexterm>
      <primary>starting</primary>

      <secondary>Volume Server</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>Volume Server</secondary>
    </indexterm>

    <indexterm>
      <primary>Salvager (salvager process)</primary>

      <secondary>first AFS machine</secondary>
    </indexterm>

    <indexterm>
      <primary>fs process</primary>

      <secondary>first AFS machine</secondary>
    </indexterm>

    <indexterm>
      <primary>starting</primary>

      <secondary>fs process</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>Salvager</secondary>
    </indexterm>
  </sect1>

  <sect1 id="HDRWQ60">
    <title>Starting the File Server processes</title>

    <para>Start either the <emphasis role="bold">fs</emphasis> process or, if you want to run the Demand-Attach File Server, the
    <emphasis role="bold">dafs</emphasis> process. The <emphasis role="bold">fs</emphasis> process consists of the File Server,
    Volume Server, and Salvager (<emphasis role="bold">fileserver</emphasis>, <emphasis role="bold">volserver</emphasis> and
    <emphasis role="bold">salvager</emphasis> processes). The <emphasis role="bold">dafs</emphasis> process consists of the
    Demand-Attach File Server, Volume Server, Salvage Server, and Salvager (<emphasis role="bold">dafileserver</emphasis>,
    <emphasis role="bold"> davolserver</emphasis>, <emphasis role="bold">salvageserver</emphasis>, and <emphasis
    role="bold">dasalvager</emphasis> processes). For information about the Demand-Attach File Server and to see whether or not
    you should run it, see <link linkend="DAFS">Appendix C, The Demand-Attach File Server</link>.
     <orderedlist>
        <listitem>
          <para>Issue the <emphasis role="bold">bos create</emphasis> command to start the <emphasis role="bold">fs</emphasis>
          process or the <emphasis role="bold">dafs</emphasis> process. The commands appear here on multiple lines only for legibility.

            <itemizedlist>
              <listitem>
                <para>If you are not planning on running the Demand-Attach File Server, create the <emphasis role="bold">fs</emphasis>
                process:
                  <programlisting>
   # <emphasis role="bold">./bos create</emphasis>  &lt;<replaceable>machine name</replaceable>&gt; <emphasis role="bold">fs fs /usr/afs/bin/fileserver</emphasis>   \
                   <emphasis role="bold">/usr/afs/bin/volserver /usr/afs/bin/salvager</emphasis>  \
                   <emphasis role="bold">-noauth</emphasis>   
</programlisting></para>
             </listitem>
             <listitem>
               <para>If you are planning on running the Demand-Attach File Server, create the <emphasis
               role="bold">dafs</emphasis> process:
                  <programlisting>
   # <emphasis role="bold">./bos create</emphasis>  &lt;<replaceable>machine name</replaceable>&gt; <emphasis role="bold">dafs dafs /usr/afs/bin/dafileserver</emphasis>   \
                   <emphasis role="bold">/usr/afs/bin/davolserver /usr/afs/bin/salvageserver</emphasis> \
                   <emphasis role="bold">/usr/afs/bin/dasalvager</emphasis> <emphasis role="bold">-noauth</emphasis>   
</programlisting></para>
             </listitem>
            </itemizedlist>
          </para>

          <para>Sometimes a message about Volume Location Database (VLDB) initialization appears, along with one or more instances
          of an error message similar to the following:</para>

          <programlisting>
   FSYNC_clientInit temporary failure (will retry)   
</programlisting>

          <para>This message appears when the <emphasis role="bold">volserver</emphasis> process tries to start before the <emphasis
          role="bold">fileserver</emphasis> process has completed its initialization. Wait a few minutes after the last such message
          before continuing, to guarantee that both processes have started successfully. <indexterm>
              <primary>commands</primary>

              <secondary>bos status</secondary>
            </indexterm> <indexterm>
              <primary>bos commands</primary>

              <secondary>status</secondary>
            </indexterm></para>

          <para>You can verify that the <emphasis role="bold">fs</emphasis> or <emphasis role="bold">dafs</emphasis> process has started
          successfully by issuing the <emphasis role="bold">bos status</emphasis> command. Its output mentions two <computeroutput>proc
          starts</computeroutput>.</para>

          <itemizedlist>
            <listitem>
              <para>If you are not running the Demand-Attach File Server:

          <programlisting>
   # <emphasis role="bold">./bos status</emphasis> &lt;<replaceable>machine name</replaceable>&gt; <emphasis role="bold">fs -long -noauth</emphasis>
</programlisting></para></listitem>

            <listitem>
              <para>If you are running the Demand-Attach File Server:
          <programlisting>
   # <emphasis role="bold">./bos status</emphasis> &lt;<replaceable>machine name</replaceable>&gt; <emphasis role="bold">dafs -long -noauth</emphasis>
</programlisting></para></listitem>
          </itemizedlist>

        </listitem>

        <listitem>
          <para>Your next action depends on whether you have ever run AFS file server machines in the cell: <itemizedlist>
              <indexterm>
                <primary>commands</primary>

                <secondary>vos create</secondary>

                <tertiary>root.afs volume</tertiary>
              </indexterm>

              <indexterm>
                <primary>vos commands</primary>

                <secondary>create</secondary>

                <tertiary>root.afs volume</tertiary>
              </indexterm>

              <indexterm>
                <primary>root.afs volume</primary>

                <secondary>creating</secondary>
              </indexterm>

              <indexterm>
                <primary>volume</primary>

                <secondary>creating</secondary>

                <tertiary>root.afs</tertiary>
              </indexterm>

              <indexterm>
                <primary>creating</primary>

                <secondary>root.afs volume</secondary>
              </indexterm>

              <listitem>
                <para>If you are installing the first AFS server machine ever in the cell (that is, you are not upgrading the AFS
                software from a previous version), create the first AFS volume, <emphasis role="bold">root.afs</emphasis>.</para>

                <para>For the <replaceable>partition name</replaceable> argument, substitute the name of one of the machine's AFS
                server partitions (such as <emphasis role="bold">/vicepa</emphasis>).</para>

                <programlisting>
   # <emphasis role="bold">./vos create</emphasis>  &lt;<replaceable>machine name</replaceable>&gt; &lt;<replaceable>partition name</replaceable>&gt; <emphasis
                    role="bold">root.afs</emphasis>   \
                   <emphasis role="bold">-noauth</emphasis>   
</programlisting>

                <para>The Volume Server produces a message confirming that it created the volume on the specified partition. You can
                ignore error messages indicating that tokens are missing, or that authentication failed. <indexterm>
                    <primary>commands</primary>

                    <secondary>vos syncvldb</secondary>
                  </indexterm> <indexterm>
                    <primary>vos commands</primary>

                    <secondary>syncvldb</secondary>
                  </indexterm> <indexterm>
                    <primary>commands</primary>

                    <secondary>vos syncserv</secondary>
                  </indexterm> <indexterm>
                    <primary>vos commands</primary>

                    <secondary>syncserv</secondary>
                  </indexterm></para>
              </listitem>

              <listitem>
                <para>If there are existing AFS file server machines and volumes in the cell, issue the <emphasis role="bold">vos
                syncvldb</emphasis> and <emphasis role="bold">vos syncserv</emphasis> commands to synchronize the VLDB with the
                actual state of volumes on the local machine. To follow the progress of the synchronization operation, which can
                take several minutes, use the <emphasis role="bold">-verbose</emphasis> flag. <programlisting>
   # <emphasis role="bold">./vos syncvldb</emphasis> &lt;<replaceable>machine name</replaceable>&gt; <emphasis
                      role="bold">-verbose  -noauth</emphasis>
   # <emphasis role="bold">./vos syncserv</emphasis> &lt;<replaceable>machine name</replaceable>&gt; <emphasis
                      role="bold">-verbose  -noauth</emphasis>   
</programlisting></para>

                <para>You can ignore error messages indicating that tokens are missing, or that authentication failed.</para>
              </listitem>
            </itemizedlist></para>
        </listitem>
      </orderedlist></para>

    <indexterm>
      <primary>Update Server</primary>

      <secondary>starting server portion</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>upserver process</primary>

      <see>Update Server</see>
    </indexterm>

    <indexterm>
      <primary>starting</primary>

      <secondary>Update Server server portion</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>Update Server server portion</secondary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>defining</secondary>

      <tertiary>as binary distribution machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>defining</secondary>

      <tertiary>as system control machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>system control machine</primary>
    </indexterm>

    <indexterm>
      <primary>binary distribution machine</primary>
    </indexterm>
  </sect1>

  <sect1 id="HDRWQ61">
    <title>Starting the Server Portion of the Update Server</title>

    <para>Start the server portion of the Update Server (the <emphasis role="bold">upserver</emphasis> process), to distribute the
    contents of directories on this machine to other server machines in the cell. It becomes active when you configure the client
    portion of the Update Server on additional server machines.</para>

    <para>Distributing the contents of its <emphasis role="bold">/usr/afs/etc</emphasis> directory makes this machine the cell's
    <emphasis>system control machine</emphasis>. The other server machines in the cell run the <emphasis
    role="bold">upclientetc</emphasis> process (an instance of the client portion of the Update Server) to retrieve the
    configuration files. Use the <emphasis role="bold">-crypt</emphasis> argument to the <emphasis role="bold">upserver</emphasis>
    initialization command to specify that the Update Server distributes the contents of the <emphasis
    role="bold">/usr/afs/etc</emphasis> directory only in encrypted form, as shown in the following instruction. Several of the
    files in the directory, particularly the <emphasis role="bold">KeyFile</emphasis> file, are crucial to cell security and so must
    never cross the network unencrypted.</para>

    <para>(You can choose not to configure a system control machine, in which case you must update the configuration files in each
    server machine's <emphasis role="bold">/usr/afs/etc</emphasis> directory individually. The <emphasis role="bold">bos</emphasis>
    commands used for this purpose also encrypt data before sending it across the network.)</para>

    <para>Distributing the contents of its <emphasis role="bold">/usr/afs/bin</emphasis> directory to other server machines of its
    system type makes this machine a <emphasis>binary distribution machine</emphasis>. The other server machines of its system type
    run the <emphasis role="bold">upclientbin</emphasis> process (an instance of the client portion of the Update Server) to
    retrieve the binaries. If your platform has a package management system, 
    such as 'rpm' or 'apt', running the Update Server to distribute binaries 
    may interfere with this system.</para>

    <para>The binaries in the <emphasis role="bold">/usr/afs/bin</emphasis> directory are not sensitive, so it is not necessary to
    encrypt them before transfer across the network. Include the <emphasis role="bold">-clear</emphasis> argument to the <emphasis
    role="bold">upserver</emphasis> initialization command to specify that the Update Server distributes the contents of the
    <emphasis role="bold">/usr/afs/bin</emphasis> directory in unencrypted form unless an <emphasis
    role="bold">upclientbin</emphasis> process requests encrypted transfer.</para>

    <para>Note that the server and client portions of the Update Server always mutually authenticate with one another, regardless of
    whether you use the <emphasis role="bold">-clear</emphasis> or <emphasis role="bold">-crypt</emphasis> arguments. This protects
    their communications from eavesdropping to some degree.</para>

    <para>For more information on the <emphasis role="bold">upclient</emphasis> and <emphasis role="bold">upserver</emphasis>
    processes, see their reference pages in the <emphasis>OpenAFS Administration Reference</emphasis>. The commands appear on
    multiple lines here only for legibility. <orderedlist>
        <listitem>
          <para>Issue the <emphasis role="bold">bos create</emphasis> command to start the <emphasis role="bold">upserver</emphasis>
          process. <programlisting>
   # <emphasis role="bold">./bos create</emphasis>  &lt;<replaceable>machine name&gt;</replaceable> <emphasis role="bold">upserver simple</emphasis>  \ 
             <emphasis role="bold">"/usr/afs/bin/upserver  -crypt /usr/afs/etc</emphasis>    \
             <emphasis role="bold">-clear /usr/afs/bin"</emphasis> <emphasis role="bold">-noauth</emphasis> 
</programlisting></para>
        </listitem>
      </orderedlist></para>
  </sect1>

  <sect1 id="HDRWQ62">
    <title>Clock Sync Considerations</title>

    <para>Keeping the clocks on all server and client machines in your cell synchronized is crucial to several functions, and in
    particular to the correct operation of AFS's distributed database technology, Ubik. The chapter in the <emphasis>OpenAFS
    Administration Guide</emphasis> about administering server machines explains how time skew can disturb Ubik's performance and
    cause service outages in your cell.</para>

    <para>You should install and configure your time service independently of
    AFS. Your Kerberos realm will also require a reliable time source, so your site
    may already have one available.</para>

    <indexterm>
      <primary>overview</primary>

      <secondary>installing client functionality on first machine</secondary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>client functionality</secondary>

      <tertiary>installing</tertiary>
    </indexterm>

    <indexterm>
      <primary>installing</primary>

      <secondary>client functionality</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>
  </sect1>

  <sect1 id="HDRWQ63">
    <title>Overview: Installing Client Functionality</title>

    <para>The machine you are installing is now an AFS file server machine, 
    database server machine, system control machine, and binary distribution 
    machine. Now make it a client machine by completing the following tasks: 
    <orderedlist>
        <listitem>
          <para>Define the machine's cell membership for client processes</para>
        </listitem>

        <listitem>
          <para>Create the client version of the <emphasis role="bold">CellServDB</emphasis> file</para>
        </listitem>

        <listitem>
          <para>Define cache location and size</para>
        </listitem>

        <listitem>
          <para>Create the <emphasis role="bold">/afs</emphasis> directory and start the Cache Manager</para>
        </listitem>
      </orderedlist></para>

    <indexterm>
      <primary>Distribution</primary>

      <secondary>copying client files from</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>copying</secondary>

      <tertiary>client files to local disk</tertiary>
    </indexterm>

    <indexterm>
      <primary>copying</primary>

      <secondary>client files to local disk</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>
  </sect1>

  <sect1 id="HDRWQ64">
    <title>Copying Client Files to the Local Disk</title>

    <para>You need only undertake the steps in this section, if you are using
    a tar file distribution, or one built from scratch. Packaged distributions,
    such as RPMs or DEBs will already have installed the necessary files in
    the correct locations.</para>

    <para>Before installing and configuring the AFS client, copy the necessary files from the tarball to the local <emphasis
    role="bold">/usr/vice/etc</emphasis> directory. <orderedlist>
        <listitem>
          <para>If you have not already done so, unpack the distribution 
          tarball for this machine's system type into a suitable location on 
          the filesystem, such as <emphasis role="bold">/tmp/afsdist</emphasis>.
          If you use a different location, substitue that in the examples that 
          follow.</para>
        </listitem>

        <listitem>
          <para>Copy files to the local <emphasis role="bold">/usr/vice/etc</emphasis> directory.</para>

          <para>This step places a copy of the AFS initialization script (and related files, if applicable) into the <emphasis
          role="bold">/usr/vice/etc</emphasis> directory. In the preceding instructions for incorporating AFS into the kernel, you
          copied the script directly to the operating system's conventional location for initialization files. When you incorporate
          AFS into the machine's startup sequence in a later step, you can choose to link the two files.</para>

          <para>On some system types that use a dynamic kernel loader program, you previously copied AFS library files into a
          subdirectory of the <emphasis role="bold">/usr/vice/etc</emphasis> directory. On other system types, you copied the
          appropriate AFS library file directly to the directory where the operating system accesses it. The following commands do
          not copy or recopy the AFS library files into the <emphasis role="bold">/usr/vice/etc</emphasis> directory, because on
          some system types the library files consume a large amount of space. If you want to copy them, add the <emphasis
          role="bold">-r</emphasis> flag to the first <emphasis role="bold">cp</emphasis> command and skip the second <emphasis
          role="bold">cp</emphasis> command.</para>

          <programlisting>
   # <emphasis role="bold">cd /tmp/afsdist/</emphasis><replaceable>sysname</replaceable><emphasis role="bold">/root.client/usr/vice/etc</emphasis>
   # <emphasis role="bold">cp -p  *  /usr/vice/etc</emphasis>
   # <emphasis role="bold">cp -rp  C  /usr/vice/etc</emphasis>
</programlisting>
        </listitem>
      </orderedlist></para>

    <indexterm>
      <primary>cell name</primary>

      <secondary>setting in client ThisCell file</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>setting</primary>

      <secondary>cell name in client ThisCell file</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>ThisCell file (client)</secondary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>cell membership, defining</secondary>

      <tertiary>for client processes</tertiary>
    </indexterm>

    <indexterm>
      <primary>usr/vice/etc/ThisCell</primary>

      <see>ThisCell file (client)</see>
    </indexterm>

    <indexterm>
      <primary>ThisCell file (client)</primary>

      <secondary>first AFS machine</secondary>
    </indexterm>

    <indexterm>
      <primary>files</primary>

      <secondary>ThisCell (client)</secondary>
    </indexterm>
  </sect1>

  <sect1 id="HDRWQ65">
    <title>Defining Cell Membership for Client Processes</title>

    <para>Every AFS client machine has a copy of the <emphasis role="bold">/usr/vice/etc/ThisCell</emphasis> file on its local disk
    to define the machine's cell membership for the AFS client programs that run on it. The <emphasis
    role="bold">ThisCell</emphasis> file you created in the <emphasis role="bold">/usr/afs/etc</emphasis> directory (in <link
    linkend="HDRWQ51">Defining Cell Name and Membership for Server Processes</link>) is used only by server processes.</para>

    <para>Among other functions, the <emphasis role="bold">ThisCell</emphasis> file on a client machine determines the following:
    <itemizedlist>
        <listitem>
          <para>The cell in which users gain tokens when they log onto the 
          machine, assuming it is using an AFS-modified login utility</para>
        </listitem>

        <listitem>
          <para>The cell in which users gain tokens by default when they issue
          the <emphasis role="bold">aklog</emphasis> command</para>
        </listitem>

        <listitem>
          <para>The cell membership of the AFS server processes that the AFS 
          command interpreters on this machine contact by default</para>
        </listitem>
      </itemizedlist> 
    <orderedlist>
        <listitem>
          <para>Change to the <emphasis role="bold">/usr/vice/etc</emphasis> directory and remove the symbolic link created in <link
          linkend="HDRWQ50">Starting the BOS Server</link>. <programlisting>
   # <emphasis role="bold">cd /usr/vice/etc</emphasis>
   # <emphasis role="bold">rm ThisCell</emphasis>
</programlisting></para>
        </listitem>

        <listitem>
          <para>Create the <emphasis role="bold">ThisCell</emphasis> file as a copy of the <emphasis
          role="bold">/usr/afs/etc/ThisCell</emphasis> file. Defining the same local cell for both server and client processes leads
          to the most consistent AFS performance. <programlisting>
   # <emphasis role="bold">cp  /usr/afs/etc/ThisCell  ThisCell</emphasis>
</programlisting></para>
        </listitem>
      </orderedlist></para>

    <indexterm>
      <primary>database server machine</primary>

      <secondary>entry in client CellServDB file</secondary>

      <tertiary>on first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>usr/vice/etc/CellServDB</primary>

      <see>CellServDB file (client)</see>
    </indexterm>

    <indexterm>
      <primary>CellServDB file (client)</primary>

      <secondary>creating</secondary>

      <tertiary>on first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>creating</primary>

      <secondary>CellServDB file (client)</secondary>

      <tertiary>first AFS machine</tertiary>
    </indexterm>

    <indexterm>
      <primary>CellServDB file (client)</primary>

      <secondary>required format</secondary>
    </indexterm>

    <indexterm>
      <primary>requirements</primary>

      <secondary>CellServDB file format (client version)</secondary>
    </indexterm>

    <indexterm>
      <primary>files</primary>

      <secondary>CellServDB (client)</secondary>
    </indexterm>

    <indexterm>
      <primary>first AFS machine</primary>

      <secondary>CellServDB file (client)</secondary>
    </indexterm>
  </sect1>

  <sect1 id="HDRWQ66">
    <title>Creating the Client CellServDB File</title>

    <para>The <emphasis role="bold">/usr/vice/etc/CellServDB</emphasis> file on a client machine's local disk lists the database
    server machines for each cell that the local Cache Manager can contact. If there is no entry in the file for a cell, or if the
    list of database server machines is wrong, then users working on this machine cannot access the cell. The chapter in the
    <emphasis>OpenAFS Administration Guide</emphasis> about administering client machines explains how to maintain the file after
    creating it.</para>

    <para>As the <emphasis role="bold">afsd</emphasis> program initializes the Cache Manager, it copies the contents of the
    <emphasis role="bold">CellServDB</emphasis> file into kernel memory. The Cache Manager always consults the list in kernel memory
    rather than the <emphasis role="bold">CellServDB</emphasis> file itself. Between reboots of the machine, you can use the
    <emphasis role="bold">fs newcell</emphasis> command to update the list in kernel memory directly; see the chapter in the
    <emphasis>OpenAFS Administration Guide</emphasis> about administering client machines.</para>

    <para>The AFS distribution includes the file 
    <emphasis role="bold">CellServDB.dist</emphasis>. It includes an entry for 
    all AFS cells that agreed to share their database server machine 
    information at the time the distribution was 
    created.