1 ## <a name="3 AFS administration"></a> 3 AFS administration
3 The Administration Section of the [[AFSFrequentlyAskedQuestions]].
11 <li><a href="#3 AFS administration"> 3 AFS administration</a><ul>
12 <li><a href="#3.01 Is there a version of xdm"> 3.01 Is there a version of xdm available with AFS authentication?</a></li>
13 <li><a href="#3.02 Is there a version of xloc"> 3.02 Is there a version of xlock available with AFS authentication?</a></li>
14 <li><a href="#3.03 What is /afs/@cell?"> 3.03 What is /afs/@cell?</a></li>
15 <li><a href="#3.04 Given that AFS data is loc"> 3.04 Given that AFS data is location independent, how does an AFS client determine which server houses the data its user is attempting to access?</a></li>
16 <li><a href="#3.05 Which protocols does AFS u"> 3.05 Which protocols does AFS use?</a></li>
17 <li><a href="#3.06 Are setuid programs execut"> 3.06 Are setuid programs executable across AFS cell boundaries?</a></li>
18 <li><a href="#3.07 How does AFS maintain cons"> 3.07 How does AFS maintain consistency on read-write files?</a></li>
19 <li><a href="#3.08 How can I run daemons with"> 3.08 How can I run daemons with tokens that do not expire?</a></li>
20 <li><a href="#3.09 Can I check my user's pass"> 3.09 Can I check my user's passwords for security purposes?</a></li>
21 <li><a href="#3.10 Is there a way to automati"> 3.10 Is there a way to automatically balance disk usage across fileservers?</a></li>
22 <li><a href="#3.11 Can I shutdown an AFS file"> 3.11 Can I shutdown an AFS fileserver without affecting users?</a></li>
23 <li><a href="#3.12 How can I set up mail deli"> 3.12 How can I set up mail delivery to users with $HOMEs in AFS?</a></li>
24 <li><a href="#3.13 Should I replicate a _Read"> 3.13 Should I replicate a ReadOnly volume on the same partition and server as the ReadWrite volume?</a></li>
25 <li><a href="#3.14 Should I start AFS before"> 3.14 Should I start AFS before NFS in /etc/inittab?</a></li>
26 <li><a href="#3.15 Will AFS run on a multi-ho"> 3.15 Will AFS run on a multi-homed fileserver?</a></li>
27 <li><a href="#3.16 Can I replicate my user's"> 3.16 Can I replicate my user's home directory AFS volumes?</a></li>
28 <li><a href="#3.17 Which TCP/IP ports and pro"> 3.17 Which TCP/IP ports and protocols do I need to enable in order to operate AFS through my Internet firewall?</a></li>
29 <li><a href="#3.18 What is the Andrew Benchma"> 3.18 What is the Andrew Benchmark?</a></li>
30 <li><a href="#3.19 Is there a version of HP V"> 3.19 Is there a version of HP VUE login with AFS authentication?</a></li>
31 <li><a href="#3.20 How can I list which clien"> 3.20 How can I list which clients have cached files from a server?</a></li>
32 <li><a href="#3.21 Do Backup volumes require"> 3.21 Do Backup volumes require as much space as ReadWrite volumes?</a></li>
33 <li><a href="#3.22 Should I run timed on my A"> 3.22 Should I run timed on my AFS client?</a></li>
34 <li><a href="#3.23 Why should I keep /usr/vic"> 3.23 Why should I keep /usr/vice/etc/CellServDB current?</a></li>
35 <li><a href="#3.24 How can I keep /usr/vice/e"> 3.24 How can I keep /usr/vice/etc/CellServDB current?</a></li>
36 <li><a href="#3.25 How can I compute a list o"> 3.25 How can I compute a list of AFS fileservers?</a></li>
37 <li><a href="#3.26 How can I set up anonymous"> 3.26 How can I set up anonymous FTP login to access /afs?</a></li>
38 <li><a href="#3.27 Where can I find the Andre"> 3.27 Where can I find the Andrew Benchmark?</a></li>
39 <li><a href="#3.28 Is the data sent over the n"> 3.28 Is the data sent over the network encrypted in AFS ?</a></li>
40 <li><a href="#3.29 What underlying filesystems"> 3.29 What underlying filesystems can I use for AFS ?</a></li>
41 <li><a href="#3.30 Compiling _OpenAFS"> 3.30 Compiling OpenAFS</a></li>
42 <li><a href="#3.31 Upgrading _OpenAFS"> 3.31 Upgrading OpenAFS</a></li>
43 <li><a href="#3.32 Debugging _OpenAFS"> 3.32 Debugging OpenAFS</a></li>
44 <li><a href="#3.33 Tuning client cache for hug"> 3.33 Tuning client cache for huge data</a></li>
45 <li><a href="#3.34 Settting up PAM with AFS"> 3.34 Settting up PAM with AFS</a></li>
46 <li><a href="#3.35 Setting up AFS key in KDC a"> 3.35 Setting up AFS key in KDC and KeyFile</a></li>
47 <li><a href="#3.36 Obtaining and getting asetk"> 3.36 Obtaining and getting asetkey compiled</a></li>
48 <li><a href="#3.37 afs_krb_get_lrealm() using"> 3.37 afs_krb_get_lrealm() using /usr/afs/etc/krb.conf</a></li>
49 <li><a href="#3.38 Moving from kaserver to Hei"> 3.38 Moving from kaserver to Heimdal KDC</a></li>
50 <li><a href="#3.39 Moving from KTH-KRB4 to Hei"> 3.39 Moving from KTH-KRB4 to Heimdal KDC</a></li>
60 ### <a name="3.01 Is there a version of xdm"></a><a name="3.01 Is there a version of xdm "></a> 3.01 Is there a version of xdm available with AFS authentication?
62 Yes, xdm can be found in:
64 <file:///afs/transarc.com/public/afs-contrib/tools/xdm> <ftp://ftp.transarc.com/pub/afs-contrib/tools/xdm/MANIFEST>
66 ### <a name="3.02 Is there a version of xloc"></a> 3.02 Is there a version of xlock available with AFS authentication?
68 Yes, xlock can be found in:
70 <file:///afs/transarc.com/public/afs-contrib/tools/xlock> <ftp://ftp.transarc.com/pub/afs-contrib/tools/xlock/MANIFEST>
72 ### <a name="3.03 What is /afs/@cell?"></a> 3.03 What is /afs/@cell?
74 It is a symbolic link pointing at /afs/$your\_cell\_name.
76 NB, @cell is not something that is provided by AFS. You may decide it is useful in your cell and wish to create it yourself.
78 /afs/@cell is useful because:
80 - If you look after more than one AFS cell, you could create the link in each cell then set your PATH as:
81 - PATH=$PATH:/afs/@cell/@sys/local/bin
83 - For most cells, it shortens the path names to be typed in thus reducing typos and saving time.
85 A disadvantage of using this convention is that when you cd into /afs/@cell then type "pwd" you see "/afs/@cell" instead of the full name of your cell. This may appear confusing if a user wants to tell a user in another cell the pathname to a file.
87 You could create your own /afs/@cell with the following:
91 [ -L /afs/@cell ] && echo We already have @cell! && exit
92 cell=$(cat /usr/vice/etc/ThisCell)
93 cd /afs/.${cell} && fs mkm temp root.afs
95 ln -s /afs/${cell} @cell
96 ln -s /afs/.${cell} .@cell # .@cell for RW path
97 cd /afs/.${cell} && fs rmm temp
98 vos release root.afs; fs checkv
100 <http://www-archive.stanford.edu/lists/info-afs/hyper95/0298.html>
102 ### <a name="3.04 Given that AFS data is loc"></a> 3.04 Given that AFS data is location independent, how does an AFS client determine which server houses the data its user is attempting to access?
104 The Volume Location Database (VLDB) is stored on AFS Database Servers and is ideally replicated across 3 or more Database Server machines. Replication of the Database ensures high availability and load balances the requests for the data. The VLDB maintains information regarding the current physical location of all volume data (files and directories) in the cell, including the IP address of the [[FileServer]], and the name of the disk partition the data is stored on.
106 A list of a cell's Database Servers is stored on the local disk of each AFS Client machine as: /usr/vice/etc/CellServDB
108 The Database Servers also house the Kerberos Authentication Database (encrypted user and server passwords), the Protection Database (user UID and protection group information) and the Backup Database (used by System Administrators to backup AFS file data to tape).
110 ### <a name="3.05 Which protocols does AFS u"></a> 3.05 Which protocols does AFS use?
112 AFS may be thought of as a collection of protocols and software processes, nested one on top of the other. The constant interaction between and within these levels makes AFS a very sophisticated software system.
114 At the lowest level is the UDP protocol, which is part of TCP/IP. UDP is the connection to the actual network wire. The next protocol level is the remote procedure call (RPC). In general, RPCs allow the developer to build applications using the client/server model, hiding the underlying networking mechanisms. AFS uses Rx, an RPC protocol developed specifically for AFS during its development phase at Carnegie Mellon University.
116 Above the RPC is a series of server processes and interfaces that all use Rx for communication between machines. Fileserver, volserver, upserver, upclient, and bosserver are server processes that export RPC interfaces to allow their user interface commands to request actions and get information. For example, a bos status command will examine the bos server process on the indicated file server machine.
118 Database servers use ubik, a replicated database mechanism which is implemented using RPC. Ubik guarantees that the copies of AFS databases of multiple server machines remain consistent. It provides an application programming interface (API) for database reads and writes, and uses RPCs to keep the database synchronized. The database server processes, vlserver, kaserver, and ptserver, reside above ubik. These processes export an RPC interface which allows user commands to control their operation. For instance, the pts command is used to communicate with the ptserver, while the command klog uses the kaserver's RPC interface.
120 Some application programs are quite complex, and draw on RPC interfaces for communication with an assortment of processes. Scout utilizes the RPC interface to file server processes to display and monitor the status of file servers. The uss command interfaces with kaserver, ptserver, volserver and vlserver to create new user accounts.
122 The Cache Manager also exports an RPC interface. This interface is used principally by file server machines to break callbacks. It can also be used to obtain Cache Manager status information. The program cmdebug shows the status of a Cache Manager using this interface.
124 For additional information, Section 1.5 of the AFS System Administrator's Guide and the April 1990 Cache Update contain more information on ubik. Udebug information and short descriptions of all debugging tools were included in the January 1991 Cache Update. Future issues will discuss other debugging tools in more detail.
126 [ source: <ftp://ftp.transarc.com/pub/afsug/newsletter/apr91> ] [ Copyright 1991 Transarc Corporation ]
128 ### <a name="3.06 Are setuid programs execut"></a> 3.06 Are setuid programs executable across AFS cell boundaries?
130 By default, the setuid bit is ignored but the program may be run (without setuid privilege).
132 It is possible to configure an AFS client to honour the setuid bit. This is achieved by root running:
134 root@toontown # fs setcell -cell $cellname -suid
136 (where $cellname is the name of the foreign cell. Use with care!).
138 NB: making a program setuid (or setgid) in AFS does **not** mean that the program will get AFS permissions of a user or group. To become AFS authenticated, you have to klog. If you are not authenticated, AFS treats you as "system:anyuser".
140 ### <a name="3.07 How does AFS maintain cons"></a> 3.07 How does AFS maintain consistency on read-write files?
142 AFS uses a mechanism called "callback".
144 Callback is a promise from the fileserver that the cache version of a file/directory is up-to-date. It is established by the fileserver with the caching of a file.
146 When a file is modified the fileserver breaks the callback. When the user accesses the file again the Cache Manager fetches a new copy if the callback has been broken.
148 The following paragraphs describe AFS callback mechanism in more detail:
150 If I open() fileA and start reading, and you then open() fileA, write() a change **\*\*and close() or fsync()\*\*** the file to get your changes back to the server - at the time the server accepts and writes your changes to the appropriate location on the server disk, the server also breaks callbacks to all clients to which it issued a copy of fileA.
152 So my client receives a message to break the callback on fileA, which it dutifully does. But my application (editor, spreadsheet, whatever I'm using to read fileA) is still running, and doesn't really care that the callback has been broken.
154 When something causes the application to read() more of the file the read() system call executes AFS cache manager code via the VFS switch, which does check the callback and therefore gets new copies of the data.
156 Of course, the application may not re-read data that it has already read, but that would also be the case if you were both using the same host. So, for both AFS and local files, I may not see your changes.
158 Now if I exit the application and start it again, or if the application does another open() on the file, then I will see the changes you've made.
160 This information tends to cause tremendous heartache and discontent - but unnecessarily so. People imagine rampant synchronization problems. In practice this rarely happens and in those rare instances, the data in question is typically not critical enough to cause real problems or crashing and burning of applications. Since 1985, we've found that the synchronization algorithm has been more than adequate in practice - but people still like to worry!
162 The source of worry is that, if I make changes to a file from my workstation, your workstation is not guaranteed to be notified until I close or fsync the file, at which point AFS guarantees that your workstation will be notified. This is a significant departure from NFS, in which no guarantees are provided.
164 Partially because of the worry factor and largely because of Posix, this will change in DFS. DFS synchronization semantics are identical to local file system synchronization.
166 [ DFS is the Distributed File System which is part of the Distributed ] [ Computing Environment (DCE). ]
168 ### <a name="3.08 How can I run daemons with"></a> 3.08 How can I run daemons with tokens that do not expire?
170 It is not a good idea to run with tokens that do not expire because this would weaken one of the security features of Kerberos.
172 A better approach is to re-authenticate just before the token expires.
174 There are two examples of this that have been contributed to afs-contrib. The first is "reauth":
176 - <file:///afs/transarc.com/public/afs-contrib/tools/reauth/>
177 - <ftp://ftp.transarc.com/pub/afs-contrib/tools/reauth/MANIFEST>
178 - <ftp://ftp.andrew.cmu.edu/pub/AFS-Tools/reauth-0.0.5.tar.gz>
182 <file:///afs/transarc.com/public/afs-contrib/pointers/UMich-lat-authenticated-batch-jobs> <ftp://ftp.transarc.com/pub/afs-contrib/pointers/UMich-lat-authenticated-batch-jobs>
184 Another collection of tools was [mentioned](https://lists.openafs.org/pipermail/openafs-info/2002-October/006353.html) by [[DanielClark]]:
186 Another option is [OpenPBS](http://www.openpbs.org/) and [Password Storage and Retrieval](http://www.lam-mpi.org/software/psr/) (PSR), where you encrypt your AFS password with a public key and put it in your home directory, and trusted machine(s) which have the private key on local disk then decrypt your password and run your job. MIT uses a variant of this (e.g. [a](http://web.mit.edu/longjobs/www/) & [b](http://mit.edu/longjobs-dev/notebook/)) that uses their own code (see [longjobs documentation](http://web.mit.edu/longjobs-dev/doc/netsec.txt) sections III and IV) instead of PSR.
188 ### <a name="3.09 Can I check my user's pass"></a> 3.09 Can I check my user's passwords for security purposes?
190 Yes. Alec Muffett's Crack tool (at version 4.1f) has been converted to work on the Transarc kaserver database. This modified Crack (AFS Crack) is available via anonymous ftp from:
192 - <ftp://export.acs.cmu.edu/pub/crack.tar.Z>
193 - <ftp://ftp.andrew.cmu.edu/pub/AFS-Tools/crack.tar.Z>
195 and is known to work on: pmax\_\* sun4\*\_\* hp700\_\* rs\_aix\* next\_\*
197 It uses the file /usr/afs/db/kaserver.DB0, which is the database on the kaserver machine that contains the encrypted passwords. As a bonus, AFS Crack is usually two to three orders of magnitude faster than the standard Crack since there is no concept of salting in a Kerberos database.
199 On a normal UNIX /etc/passwd file, each password can have been encrypted around 4096 (2^12) different saltings of the crypt(3) algorithm, so for a large number of users it is easy to see that a potentially large (up to 4095) number of seperate encryptions of each word checked has been avoided.
201 Author: Dan Lovinger Contact: Derrick J. Brashear <shadow+@andrew.cmu.edu>
203 <table border="1" cellpadding="0" cellspacing="0">
206 <td> AFS Crack does not work for MIT Kerberos Databases. The author is willing to give general guidance to someone interested in doing the (probably minimal) amount of work to port it to do MIT Kerberos. The author does not have access to a MIT Kerberos server to do this. </td>
210 ### <a name="3.10 Is there a way to automati"></a> 3.10 Is there a way to automatically balance disk usage across fileservers?
212 Yes. There is a tool, balance, which does exactly this. It can be retrieved via anonymous ftp from:
214 - <ftp://ftp.andrew.cmu.edu/pub/AFS-Tools/balance-1.1b.tar.gz>
216 Actually, it is possible to write arbitrary balancing algorithms for this tool. The default set of "agents" provided for the current version of balance balance by usage, # of volumes, and activity per week, the latter currently requiring a source patch to the AFS volserver. Balance is highly configurable.
218 Author: Dan Lovinger Contact: Derrick Brashear <shadow+@andrew.cmu.edu>
220 ### <a name="3.11 Can I shutdown an AFS file"></a> 3.11 Can I shutdown an AFS fileserver without affecting users?
222 Yes, this is an example of the flexibility you have in managing AFS.
224 Before attempting to shutdown an AFS fileserver you have to make some arrangements that any services that were being provided are moved to another AFS fileserver:
226 1. Move all AFS volumes to another fileserver. (Check you have the space!) This can be done "live" while users are actively using files in those volumes with no detrimental effects.
228 1. Make sure that critical services have been replicated on one (or more) other fileserver(s). Such services include:
229 - kaserver - Kerberos Authentication server
230 - vlserver - Volume Location server
231 - ptserver - Protection server
232 - buserver - Backup server
234 It is simple to test this before the real shutdown by issuing:
236 bos shutdown $server $service
238 where: $server is the name of the server to be shutdown
239 and $service is one (or all) of: kaserver vlserver ptserver buserver
241 Other points to bear in mind:
243 - "vos remove" any RO volumes on the server to be shutdown. Create corresponding RO volumes on the 2nd fileserver after moving the RW. There are two reasons for this:
244 1. An RO on the same partition ("cheap replica") requires less space than a full-copy RO.
245 2. Because AFS always accesses RO volumes in preference to RW, traffic will be directed to the RO and therefore quiesce the load on the fileserver to be shutdown.
247 - If the system to be shutdown has the lowest IP address there may be a brief delay in authenticating because of timeout experienced before contacting a second kaserver.
249 ### <a name="3.12 How can I set up mail deli"></a> 3.12 How can I set up mail delivery to users with $HOMEs in AFS?
251 There are many ways to do this. Here, only two methods are considered:
253 Method 1: deliver into local filestore
255 This is the simplest to implement. Set up your mail delivery to append mail to /var/spool/mail/$USER on one mailserver host. The mailserver is an AFS client so users draw their mail out of local filestore into their AFS $HOME (eg: inc).
257 Note that if you expect your (AFS unauthenticated) mail delivery program to be able to process .forward files in AFS $HOMEs then you need to add "system:anyuser rl" to each $HOMEs ACL.
261 - Simple to implement and maintain.
262 - No need to authenticate into AFS.
266 - It doesn't scale very well.
267 - Users have to login to the mailserver to access their new mail.
268 - Probably less secure than having your mailbox in AFS.
269 - System administrator has to manage space in /var/spool/mail.
271 Method 2: deliver into AFS
273 This takes a little more setting up than the first method.
275 First, you must have your mail delivery daemon AFS authenticated (probably as "postman"). The reauth example in afs-contrib shows how a daemon can renew its token. You will also need to setup the daemon startup soon after boot time to klog (see the -pipe option).
277 Second, you need to set up the ACLs so that "postman" has lookup rights down to the user's $HOME and "lik" on $HOME/Mail.
281 - Scales better than first method.
282 - Delivers to user's $HOME in AFS giving location independence.
283 - Probably more secure than first method.
284 - User responsible for space used by mail.
288 - More complicated to set up.
289 - Need to correctly set ACLs down to $HOME/Mail for every user.
290 - Probably need to store postman's password in a file so that the mail delivery daemon can klog after boot time. This may be OK if the daemon runs on a relatively secure host.
292 An example of how to do this for IBM RISC System/6000 is auth-sendmail. A beta test version of auth-sendmail can be found in:
294 <file:///afs/transarc.com/public/afs-contrib/doc/faq/auth-sendmail.tar.Z> <ftp://ftp.transarc.com/pub/afs-contrib/doc/faq/auth-sendmail.tar.Z>
296 ### <a name="3.13 Should I replicate a _Read"></a> 3.13 Should I replicate a [[ReadOnly]] volume on the same partition and server as the [[ReadWrite]] volume?
298 Yes, Absolutely! It improves the robustness of your served volumes.
300 If [[ReadOnly]] volumes exist (note use of term **exist** rather than **are available**), Cache Managers will **never** utilize the [[ReadWrite]] version of the volume. The only way to access the RW volume is via the "dot" path (or by special mounting).
302 This means if **all** RO copies are on dead servers, are offline, are behind a network partition, etc, then clients will not be able to get the data, even if the RW version of the volume is healthy, on a healthy server and in a healthy network.
304 However, you are **very** strongly encouraged to keep one RO copy of a volume on the **same server and partition** as the RW. There are two reasons for this:
306 1. The RO that is on the same server and partition as the RW is a clone (just a copy of the header - not a full copy of each file). It therefore is very small, but provides access to the same set of files that all other (full copy) [[ReadOnly]] volume do. Transarc trainers refer to this as the "cheap replica".
307 2. To prevent the frustration that occurs when all your ROs are unavailable but a perfectly healthy RW was accessible but not used.
309 If you keep a "cheap replica", then by definition, if the RW is available, one of the RO's is also available, and clients will utilize that site.
311 ### <a name="3.14 Should I start AFS before"></a><a name="3.14 Should I start AFS before "></a> 3.14 Should I start AFS before NFS in /etc/inittab?
313 Yes, it is possible to run both AFS and NFS on the same system but you should start AFS first.
315 In IBM's AIX 3.2, your /etc/inittab would contain:
317 rcafs:2:wait:/etc/rc.afs > /dev/console 2>&1 # Start AFS daemons
318 rcnfs:2:wait:/etc/rc.nfs > /dev/console 2>&1 # Start NFS daemons
320 With AIX, you need to load NFS kernel extensions before the AFS KEs in /etc/rc.afs like this:
323 # example /etc/rc.afs for an AFS fileserver running AIX 3.2
325 echo "Installing NFS kernel extensions (for AFS+NFS)"
326 /etc/gfsinstall -a /usr/lib/drivers/nfs.ext
327 echo "Installing AFS kernel extensions..."
328 D=/usr/afs/bin/dkload
329 ${D}/cfgexport -a ${D}/export.ext
330 ${D}/cfgafs -a ${D}/afs.ext
331 /usr/afs/bin/bosserver &
333 ### <a name="3.15 Will AFS run on a multi-ho"></a> 3.15 Will AFS run on a multi-homed fileserver?
335 (multi-homed = host has more than one network interface.)
337 Yes, it will. However, AFS was designed for hosts with a single IP address. There can be problems if you have one host name being resolved to several IP addresses.
339 Transarc suggest designating unique hostnames for each network interface. For example, a host called "spot" has two tokenring and one ethernet interfaces: spot-tr0, spot-tr1, spot-en0. Then, select which interface will be used for AFS and use that hostname in the [[CellServDB]] file (eg: spot-tr0).
341 You also have to remember to use the AFS interface name with any AFS commands that require a server name (eg: vos listvol spot-tr0).
343 There is a more detailed discussion of this in the August 1993 issue of "Cache Update" (see: <ftp://ftp.transarc.com/pub/afsug/newsletter/aug93>).
345 The simplest way of dealing with this is to make your AFS fileservers single-homed (eg only use one network interface).
347 At release 3.4 of AFS, it is possible to have multi-homed fileservers (but _not_ multi-homed database servers).
349 ### <a name="3.16 Can I replicate my user's"></a><a name="3.16 Can I replicate my user's "></a> 3.16 Can I replicate my user's home directory AFS volumes?
353 Users with $HOMEs in /afs normally have an AFS [[ReadWrite]] volume mounted in their home directory.
355 You can replicate a RW volume but only as a [[ReadOnly]] volume and there can only be one instance of a [[ReadWrite]] volume.
357 In theory, you could have RO copies of a user's RW volume on a second server but in practice this won't work for the following reasons:
359 a) AFS has built-in bias to always access the RO copy of a RW volume.
360 So the user would have a ReadOnly $HOME which is not too useful!
362 b) Even if a) was not true you would have to arrange frequent
363 synchronisation of the RO copy with the RW volume (for example:
364 "vos release user.fred; fs checkv") and this would have to be
365 done for all such user volumes.
367 c) Presumably, the idea of replicating is to recover the $HOME
368 in the event of a server crash. Even if a) and b) were not
369 problems consider what you might have to do to recover a $HOME:
371 1) Create a new RW volume for the user on the second server
372 (perhaps named "user.fred.2").
374 2) Now, where do you mount it?
376 The existing mountpoint cannot be used because it already has
377 the ReadOnly copy of the original volume mounted there.
379 Let's choose: /afs/MyCell/user/fred.2
381 3) Copy data from the RO of the original into the new RW volume
384 4) Change the user's entry in the password file for the new $HOME:
385 /afs/MyCell/user/fred.2
387 You would have to attempt steps 1 to 4 for every user who had
388 their RW volume on the crashed server. By the time you had done
389 all of this, the crashed server would probably have rebooted.
391 The bottom line is: you cannot replicate $HOMEs across servers.
393 ### <a name="3.17 Which TCP/IP ports and pro"></a> 3.17 Which TCP/IP ports and protocols do I need to enable in order to operate AFS through my Internet firewall?
395 Assuming you have already taken care of nameserving, you may wish to use an Internet timeserver for Network Time Protocol [[[NTP|Main/FurtherReading#NTP]]] and question [[3.22|Main/WebHome#NTP]]:
399 A list of NTP servers is available via anonymous FTP from:
401 - <http://www.eecis.udel.edu/~mills/ntp/servers.html>
403 For further details on NTP see: <http://www.eecis.udel.edu/~ntp/>
405 For a "minimal" AFS service which does not allow inbound or outbound klog:
407 cachemanager 4711/udp (only if you use the arla-client instead of OpenAFS)
409 cachemanager 7001/udp
417 (Ports in the 7020-7029 range are used by the AFS backup system, and won't be needed by external clients performing simple file accesses.)
419 Additionally, for "klog" to work through the firewall you need to allow inbound and outbound UDP on ports >1024 (probably 1024<port<2048 would suffice depending on the number of simultaneous klogs).
421 See also: <http://www-archive.stanford.edu/lists/info-afs/hyper95/0874.html>
423 ### <a name="3.18 What is the Andrew Benchma"></a> 3.18 What is the Andrew Benchmark?
425 "It is a script that operates on a collection of files constituting an application program. The operations are intended to represent typical actions of an average user. The input to the benchmark is a source tree of about 70 files. The files total about 200 KB in size. The benchmark consists of five distinct phases:
427 I MakeDir - Construct a target subtree that is identical to the
429 II Copy - Copy every file from the source subtree to the target subtree.
430 III ScanDir - Traverse the target subtree and examine the status
432 IV ReadAll - Scan every byte of every file in the target subtree.
433 V Make - Complete and link all files in the target subtree."
435 Source: <file:///afs/transarc.com/public/afs-contrib/doc/benchmark/Andrew.Benchmark.ps> <ftp://ftp.transarc.com/pub/afs-contrib/doc/benchmark/Andrew.Benchmark.ps>
437 ### <a name="3.19 Is there a version of HP V"></a> 3.19 Is there a version of HP VUE login with AFS authentication?
439 Yes, the availability of this is described in: <file:///afs/transarc.com/public/afs-contrib/pointers/HP-VUElogin.txt> <ftp://ftp.transarc.com/pub/afs-contrib/pointers/HP-VUElogin.txt>
441 If you don't have access to the above, please contact Rajeev Pandey of Hewlett Packard whose email address is <rpandey@cv.hp.com>.
443 ### <a name="3.20 How can I list which clien"></a> 3.20 How can I list which clients have cached files from a server?
445 By using the following script:
450 # AUTHOR Rainer Toebbicke <rtb@dxcern.cern.ch>
452 # PURPOSE Display AFS clients which have grabbed files from a server
455 echo "Usage: $0 <afs_server 1> ... <afsserver n>"
459 /usr/afsws/etc/rxdebug -servers $n -allconn
460 done | grep '^Connection' | \
461 while read x y z ipaddr rest; do echo $ipaddr; done | sort -u |
462 while read ipaddr; do
464 n="`nslookup $ipaddr`"
472 ### <a name="3.21 Do Backup volumes require"></a><a name="3.21 Do Backup volumes require "></a> 3.21 Do Backup volumes require as much space as [[ReadWrite]] volumes?
476 The technique used is to create a new volume, where every file in the RW copy is pointed to by the new backup volume. The files don't exist in the BK, only in the RW volume. The backup volume therefore takes up very little space.
478 If the user now starts modifying data, the old copy must not be destroyed.
480 There is a Copy-On-Write bit in the vnode - if the fileserver writes to a vnode with the bit on it allocates a new vnode for the data and turns off the COW bit. The BK volume hangs onto the old data, and the RW volume slowly splits itself away over time.
482 The BK volume is re-synchronised with the RW next time a "vos backupsys" is run.
484 The space needed for the BK volume is directly related to the size of all files changed in the RW between runs of "vos backupsys".
486 ### <a name="3.22 Should I run timed on my A"></a> 3.22 Should I run timed on my AFS client?
490 <a name="NTP"></a> The AFS Servers make use of NTP [[[NTP|Main/FurtherReading#NTP]]] to synchronise time each other and typically with one or more external NTP servers. By default, clients synchronize their time with one of the servers in the local cell. Thus all the machines participating in the AFS cell have an accurate view of the time.
492 For further details on NTP see: <http://www.eecis.udel.edu/~ntp/>. The latest version is 4.1, dated August 2001, which is **much** more recent that the version packaged with Transarc AFS.
494 A list of NTP servers is available via anonymous FTP from:
496 - <http://www.eecis.udel.edu/~mills/ntp/servers.html>
498 The default time setting behavior of the AFS client can be disabled by specifying the `-nosettime` argument to [afsd](http://www.transarc.ibm.com/Library/documentation/afs/3.5/unix/cmd/cmd53.htm). This is recommended for AFS servers which are also configured as clients (because servers normally run NTP daemons) and for clients that run NTP.
500 ### <a name="3.23 Why should I keep /usr/vic"></a> 3.23 Why should I keep /usr/vice/etc/CellServDB current?
502 On AFS clients, /usr/vice/etc/CellservDB, defines the cells and (their servers) that can be accessed via /afs.
504 Over time, site details change: servers are added/removed or moved onto new network addresses. New sites appear.
506 In order to keep up-to-date with such changes, the [[CellservDB]] file on each AFS client should be kept consistent with some master copy (at your site).
508 As well as updating [[CellservDB]], your AFS administrator should ensure that new cells are mounted in your cell's root.afs volume.
510 If a cell is added to [[CellServDB]] then the **client** must either be restared or you must the AFS command "fs newcell -cell .. -servers ... ...".
512 ### <a name="3.24 How can I keep /usr/vice/e"></a> 3.24 How can I keep /usr/vice/etc/CellServDB current?
514 Do a daily copy from a master source and update the AFS kernel sitelist.
516 One good master source is the grand.central.org [[CellServDB]], available from <http://grand.central.org/dl/cellservdb/CellServDB> or <file:/afs/openafs.org/service/CellServDB> (N.B. update to /afs/grand.central.org path when available). You can send updates for this to <cellservdb@central.org>.
518 The client [[CellServDB]] file must not reside under /afs and is best located in local filespace.
520 Simply updating a client [[CellServDB]] file is not enough. You also need to update the AFS kernel sitelist by either: 1 rebooting the client or 1 running "fs newcell $cell\_name $server\_list" for each site in the [[CellServDB]] file.
522 A script to update the AFS kernel sitelist on a running system is newCellServDB.
524 <file:///afs/ece.cmu.edu/usr/awk/Public/newCellServDB> <ftp://ftp.ece.cmu.edu/pub/afs-tools/newCellServDB>
526 One way to distribute [[CellServDB]] is to have a root cron job on each AFS client copy the file then run newCellServDB.
532 # NAME syncCellServDB
533 # PURPOSE Update local CellServDB file and update AFS kernel sitelist
534 # USAGE run by daily root cron job eg:
535 # 0 3 * * * /usr/local/sbin/syncCellServDB
537 # NOTE "@cell" is a symbolic link to /afs/$this_cell_name
539 src=/afs/@cell/service/etc/CellServDB
540 dst=/usr/vice/etc/CellServDB
541 xec=/usr/local/sbin/newCellServDB
542 log=/var/log/syncCellServDB
544 if [ -s ${src} ]; then
545 if [ ${src} -nt ${dst} ]; then
546 cp $dst ${dst}- && cp $src $dst && $xec 2>&1 >$log
548 echo "master copy no newer: no processing to be done" >$log
551 echo "zero length file: ${src}" >&2
554 ### <a name="3.25 How can I compute a list o"></a> 3.25 How can I compute a list of AFS fileservers?
556 Here is a Korn shell command to do it:
558 stimpy@nick $ vos listvldb -cell $(cat /usr/vice/etc/ThisCell) \
559 | awk '(/server/) {print $2}' | sort -u
561 ### <a name="3.26 How can I set up anonymous"></a> 3.26 How can I set up anonymous FTP login to access /afs?
563 The easiest way on a primarily "normal" machine (where you don't want to have everything in AFS) is to actually mount root.cell under ~ftp, and then symlink /afs to ~ftp/afs or whatever. It's as simple as changing the mountpoint in /usr/vice/etc/cacheinfo and restarting afsd.
565 Note that when you do this, anon ftp users can go anywhere system:anyuser can (or worse, if you're using IP-based ACLs and the ftp host is PTS groups). The only "polite" solution I've arrived at is to have the ftp host machine run a minimal [[CellServDB]] and police my ACLs tightly.
567 Alternatively, you can make ~ftp an AFS volume and just mount whatever you need under that - this works well if you can keep everything in AFS, and you don't have the same problems with anonymous "escapes" into /afs.
569 Unless you need to do authenticating ftp, you are _strongly_ recommended using wu-ftpdv2.4 (or better).
571 ### <a name="3.27 Where can I find the Andre"></a> 3.27 Where can I find the Andrew Benchmark?
573 <file:///afs/transarc.com/public/afs-contrib/doc/faq/ab.tar.Z> [156k] <ftp://ftp.transarc.com/pub/afs-contrib/doc/faq/ab.tar.Z> [156k]
575 This is a tar archive of <file:///afs/cs.cmu.edu/user/satya/ftp/ab/>
577 ### <a name="3.28 Is the data sent over the n"></a> 3.28 Is the data sent over the network encrypted in AFS ?
579 There is still no easy way to do this in Transarc AFS, but [[OpenAFS]] now has a "fs" subcommand to turn on encryption of regular file data sent and received by a client. This is a per client setting that persist until reboot. No server actions are needed to support this change. The syntax is:
585 Note that this only encrypts network traffic between the client and server. The data on the server's disk is not encrypted nor is the data in the client's disk cache. The encryption algorithm used is [fcrypt](http://tedanderson.home.mindspring.com/fcrypt-paper.txt), which is a DES variant.
587 Getting encryption enabled by default:
589 - [[RedHat]] Linux: ([src](https://lists.openafs.org/pipermail/openafs-info/2002-July/005085.html)) change the last line of /etc/sysconfig/afs to `AFS_POST_INIT="/usr/bin/fs setcrypt on"`
590 - Windows ([src](https://lists.openafs.org/pipermail/openafs-info/2003-June/009416.html)) set the following registry value named `SecurityLevel` under `HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters` to 2.
592 I have not tested either of these procedures. -- [[TedAnderson]] - 05 Jun 2003
594 ### <a name="3.29 What underlying filesystems"></a> 3.29 What underlying filesystems can I use for AFS ?
596 See also [[SupportedConfigurations]].
598 You need to distinguish between the filesystem used by the file server to store the actual AFS data (by convention in /vicep?) and the filesystem used by the client cache manager to cache files.
600 With the new namei file server you can basically use any filesystem you want. Tne namei file server does not do any fancy stuff behind the scenes but only accesses normal files (their names are a bit strange though).
602 But you cannot use SGI efs under [[OpenAFS]] at all.
604 It is a different story with the old inode based server. It directly operates on the inodes of the underlying file system which therefore has to fully support the inode abstraction scheme. The the Administrators Guide for more details (they differ from system to system).
606 On the client side, you always have to use a file system supporting the inode abstraction for the cache (usually /usr/vice/cache) since the cache manager references files by their inode. Fortunately, it does not do such tricky stuff as the inode based server.
608 The following file systems have been reported _not_ to work for the AFS client cache:
612 - advfs (Tru64), it works but gives cachecurruption
613 - efs (SGI) - IBM AFS does support efs, but openafs doesn't have a license for that
615 - Patch committed to cvs around 6/2003 will now enforce this in some cases and generate a warning to the user if the filesystem type is wrong.
617 The following file systems have been reported to work for the AFS client cache:
622 - xfs (at least on IRIX 6.5)
623 - ufs (Solaris, [[Tru64Unix]])
625 ### <a name="3.30 Compiling _OpenAFS"></a> 3.30 Compiling [[OpenAFS]]
627 The kernel parts on Solaris have to be compiled with Sun cc, same for other platforms, i.e. you need same compiler used to compile kernel to compile your afs modules. [[Tru64Unix]] doesn't support modules, so you have to edit kernel config files and link statically into kernel. Kernel module insertion works fine on Linux, Solaris, Irix ...
629 $ ./configure --enable-transarc-paths=/usr/etc --with-afs-sysname=i386\_linux24
633 $ cd dest/i386\_linux24
635 ... and continue the install process described in IBM AFS documentation. If you do "make install", you will end up with some stuff installed into /usr/local but something not, regardless the --enable-transarc-paths option ... "make install" it's messy.
637 ### <a name="3.31 Upgrading _OpenAFS"></a> 3.31 Upgrading [[OpenAFS]]
639 Upgrade of AFS on Solaris 2.6
644 cd root.server/usr/afs
645 tar cvf - ./bin | (cd /usr/afs; tar xfp -)
647 cp root.client/usr/vice/etc/modload/libafs.nonfs.o /kernel/fs/afs
648 cp root.server/etc/vfsck /usr/lib/fs/afs/fsck
649 cd root.client/usr/vice
650 tar cvf - ./etc | (cd /usr/vice; tar xf -)
652 cp lib/pam_afs.krb.so.1 /usr/lib/security
653 cp lib/pam_afs.so.1 /usr/lib/security
658 Upgrade of AFS on Irix 6.5
660 /etc/chkconfig -f afsserver off
661 /etc/chkconfig -f afsclient off
662 /etc/chkconfig -f afsml off
663 /etc/chkconfig -f afsxnfs off
665 cd root.server/usr/afs
666 tar cvf - ./bin | (cd /usr/afs; tar xfp -)
668 cp root.client/usr/vice/etc/sgiload/libafs.IP22.nonfs.o /usr/vice/etc/sgiload
669 echo "AFS will be compiled statically into kernel"
670 echo "otherwise skip following lines and use chkconfig afsml on"
671 cp root.client/bin/afs.sm /var/sysgen/system
672 cp root.client/bin/afs /var/sysgen/master.d
673 echo "The next file comes from openafs-*/src/libafs/STATIC.*"
674 cp root.client/bin/libafs.IP22.nonfs.a /var/sysgen/boot/afs.a
677 echo "end of static kernel modifications"
678 cd root.client/usr/vice/etc
679 echo "Delete any of the modload/ files which don't fit your platform if you need space"
680 echo "These files originate from openafs-*/src/libafs/MODLOAD.*"
681 tar cvf - . | (cd /usr/vice/etc; tar xf -)
682 /etc/chkconfig -f afsserver on
683 /etc/chkconfig -f afsclient on
684 # /etc/chkconfig -f afsml on - afs is compiled statically into kernel, so leave afsml off
685 /etc/chkconfig -f afsml off
686 /etc/chkconfig -f afsxnfs off
689 Upgrade of AFS on [[Tru64Unix]]
691 cd root.server/usr/afs/
692 tar cvf - ./bin | (cd /usr/afs; tar xfp -)
693 cd ../../../root.client/bin
694 cp ./libafs.nonfs.o /usr/sys/BINARY/afs.mod
695 ls -la /usr/sys/BINARY/afs.mod
697 cd ../../root.client/usr/vice
698 cp etc/afsd /usr/vice/etc/afsd
699 cp etc/C/afszcm.cat /usr/vice/etc/C/afszcm.cat
701 ### <a name="3.32 Debugging _OpenAFS"></a> 3.32 Debugging [[OpenAFS]]
703 In case of troubles when you need only fileserver process to run (to be able to debug), run the lwp fileserver instead of the pthreads fileserver (src/viced/fileserver instead of src/tviced/fileserver if you have a buildtree handy):
705 cp src/viced/fileserver /usr/afs/bin (or wherever)
707 bos restart calomys fs -local
709 ... then attach with gdb
711 To debug if client running afsd kernel process talks to the servers from [[CellServDB]], do:
713 tcpdump -vv -s 1500 port 7001
717 fileserver 7000/udp # fileport (FILESERVICE)
718 afscb 7001/udp # kernel extensions
719 afsprot 7002/udp # ptserver (PROTSERVICE)
720 afsvldb 7003/udp # vlserver (VLDBSERVICE)
721 afskauth 7004/udp # kaserver (KAUTHSERVICE)
722 afsvol 7005/udp # volserver (VOLUMESERVICE)
723 afserror 7006/udp # ERRORSERVICE
724 afsnanny 7007/udp # bosserver (NANNYSERVICE)
725 afsupdate 7008/udp # upserver (UPDATESERVICE)
726 afsrmtsys 7009/udp # RMTSYSSERVICE
728 ### <a name="3.33 Tuning client cache for hug"></a> 3.33 Tuning client cache for huge data
730 Use on afsd command line -chunk 17 or greater. Be carefull, with certain cache sizes afsd crashes on startup (Linux, [[Tru64Unix]] at least).
732 ### <a name="3.34 Settting up PAM with AFS"></a> 3.34 Settting up PAM with AFS
736 auth sufficient /lib/security/pam_afs.so debug try_first_pass ignore_root debug
737 auth required /lib/security/pam_env.so
738 auth sufficient /lib/security/pam_unix.so likeauth nullok
739 auth required /lib/security/pam_deny.so
741 account required /lib/security/pam_unix.so
743 password required /lib/security/pam_cracklib.so retry=3 type=
744 password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
745 password required /lib/security/pam_deny.so
747 session sufficient /lib/security/pam_afs.so set_token
748 session required /lib/security/pam_limits.so
749 session required /lib/security/pam_unix.so
751 # reafslog is to unlock dtlogin's screensaver
752 other auth sufficient /usr/athena/lib/pam_krb4.so reafslog
754 ### <a name="3.35 Setting up AFS key in KDC a"></a> 3.35 Setting up AFS key in KDC and [[KeyFile]]
756 The easiest method is not much recommended, as the password is possibly very weak:
758 dattan# bos addkey server -kvno <n+1>
762 dattan# kstring2key -c <cellname>
765 dattan# kadmin ckey afs
766 <cut-n-paste the ascii output from above>
768 Beware, there is currently a byte order bug in the kadmin tool as of May 2001 in KTH-KRB. If you run kadmin on a little indian machine (PC, Alpha, ...) you must swap the bytes manually. Here is a small example:
770 bg$ kstring2key -c sics.se
772 ascii = \361\334\211\221\221\206\325\334
773 hex = f1dc89919186d5dc
776 bg.admin@SICS.SE's Password:
777 New DES key for afs: \221\211\334\361\334\325\206\221
779 Please note how the bytes are swapped in groups of four.
781 This bug is fixed in an upcoming release.
783 Better approach is to create random key in KDC using "ksrvutil get" (rather then "ksrvutil add" which asks you for the new password), export it into /etc/srvtab ("ksrvutil ext") and from there copy it into /usr/afs/etc/KeyFile using asetkey utility from /afs/transarc.com/public/afs-contrib. After some years, you may wish to regenerate the random afs key using "ksrvutil change" in KDC and exporting it again.
785 There are two nice pages abou this:
787 <http://www.cs.cmu.edu/afs/andrew.cmu.edu/usr/shadow/www/afs/afs-with-kerberos.html> <http://www.contrib.andrew.cmu.edu/~shadow/afs/afs-with-kerberos.html>
789 As someone noted, you might need some ext\_srvtab utility to extract the key from /etc/srvtab, but I don't remeber that I needed it. Then he also suggets to use asetkey utility.
791 Create afs.natur\\.cuni\\.cz@NATUR.CUNI.CZ principal entry in kerberos:
794 principal instance: natur.cuni.cz
795 principal realm: NATUR.CUNI.CZ
797 Import this key from Kerberos (/etc/srvtab) into AFS /usr/afs/etc/KeyFile using asetkey utility, which is I think from /afs/transarc.com/public/afs-contrib
799 ./asetkey add 0 /etc/srvtab <afs.natur.cuni.cz@NATUR.CUNI.CZ>
801 This [[KeyFile]] with the AFS-key you can just always re-copy to new AFS **server** machines. Be sure that the key version number KVNO is always same in this [[KeyFile]] and in Kerberos database. On all these machines you of course need afs.hostname.REALM key loaded into their /etc/srvtab (create them with 'ksrvutil get'). It seems klog(1) needs afs@REALM, so copy the principal afs.cell.name@REALM to it.
803 You can test if you have same keys in kerberos and AFS like this:
808 If you have some tokens now, then it works and you can now shutdown kaserver. Users, which you have created in AFS under kaserver are in /usr/afs/db/kaserver.\*, but you can just forget them. Create these users again in Kerberos IV.
810 AFS users are then looked up in:
812 kerberos database (/var/kerberos/principal.db)
814 /usr/afs/etc/UserList (permission to manipulate 'bos')
816 system:administrators (permissions for vos, pts, fs, i.e. 'pts adduser' etc)
818 ---------------------------------------------------------------------------------
819 Another approach, untested:
821 http://www.natur.cuni.cz/~majordomo/krb4/krb4.9703/msg00002.html
823 Date: Tue, 9 May 2000 10:57:23 +0200 (MET DST)
824 From: Johan Hedin <johanh at fusion.kth.se>
825 To: Erland Fristedt <Erland.Fristedt@wcs.eraj.ericsson.se>
827 Subject: Re: AFS+KTH-KRB problem
829 This is a printout how we got it to work. Hope this helps.
833 callisto#/usr/athena/sbin/ksrvutil -p johanh.admin -f srvtab get
835 Instance [callisto]: fusion.kth.se
836 Realm [FUSION.KTH.SE]:
837 Is this correct? (y,n) [y]
838 Add more keys? (y,n) [n]
839 Password for johanh.admin@FUSION.KTH.SE:
840 Warning: Are you sure `fusion.kth.se' should not be `fusion'?
841 Added afs.fusion.kth.se@FUSION.KTH.SE
842 Old keyfile in srvtab.old.
843 callisto#/usr/athena/sbin/ksrvutil -p johanh.admin -f srvtab list
845 4 afs.fusion.kth.se@FUSION.KTH.SE
846 callisto#/tmp/asetkey add 4 srvtab afs.fusion.kth.se@FUSION.KTH.SE
848 callisto#bin/bos status callisto
849 Instance buserver, currently running normally.
850 Instance ptserver, currently running normally.
851 Instance vlserver, currently running normally.
852 Instance fs, currently running normally.
853 Auxiliary status is: file server running.
854 callisto#bin/fs la /afs
855 Access list for /afs is
857 system:administrators rlidwka
859 --------------------------------------------------------------------------------
860 > Tokens held by the Cache Manager:
862 > User's (AFS ID 6020) tokens for afs@sunrise.ericsson.se [Expires May 5
866 You got your tickets alright, but then
868 > > touch /afs/.sunrise.ericsson.se/tabort
869 > afs: Tokens for user of AFS id 6020 for cell sunrise.ericsson.se are
870 > discarded (rxkad error=19270407)
872 grep 19270407 /usr/afsws/include/rx/*
873 /usr/afsws/include/rx/rxkad.h:#define RXKADBADTICKET (19270407L)
875 so I would guess that the key version number and/or the key on your
876 AFS servers does not match the key of the afs principal.
878 Use klist -v to figure out about key version numbers and then use
880 $ kstring2key -c sunrise.ericsson.se
882 ascii = \242\345\345\260\323p\263\233
883 hex = a2e5e5b0d370b39b
885 or some other means to ensure that you use the same keys.
887 ### <a name="3.36 Obtaining and getting asetk"></a> 3.36 Obtaining and getting asetkey compiled
889 Better approach is to create random key in KDC, export it into /etc/srvtab and from there move in /usr/afs/etc/KeyFile using asetkey utility from /afs/transarc.com/public/afs-contrib
891 | I can not get asetkey to compile.
893 | asetkey.c: In function `main':
894 | asetkey.c:25: `AFSCONF_SERVERNAME' undeclared (first use in this function)
895 | asetkey.c:25: (Each undeclared identifier is reported only once
896 | asetkey.c:25: for each function it appears in.)
899 AFS 3.5 got rid of a few commonly-used AFS defines; I suspect they are now API calls of some kind, akin to the POSIX move from hardcoded constants to use of \{,f\}pathconf() and sysconf(). I have no idea what those calls are, though.
901 In the meantime, the following two defines are useful in building stuff on AFS 3.5:
903 #define AFSCONF_CLIENTNAME "/usr/vice/etc"
904 #define AFSCONF_SERVERNAME "/usr/afs/etc"
906 ### <a name="3.37 afs_krb_get_lrealm() using"></a><a name="3.37 afs_krb_get_lrealm() using "></a> 3.37 afs\_krb\_get\_lrealm() using /usr/afs/etc/krb.conf
908 In this file you can set also another REALM to be used by you afs server processes, if the REALM should differ from the system-wide REALM (/etc/krb.conf).
910 Don't forget it's related to these entries in Kerberos KDC:
912 afs.cell.name@REALM krbtgt CELL.NAME@REALM
914 ### <a name="3.38 Moving from kaserver to Hei"></a> 3.38 Moving from kaserver to Heimdal KDC
916 > While converting all our administration tools, we have discovered that
917 > the time a principal changed his/her/its password is _not_ carried over
918 > from the kaserver DB.
920 First of all, some Heimdal's configure flags:
922 --enable-kaserver requires krb4 libs, so for that you'll need a working krb4 are you still using a kaserver/kaserver emulation ?
924 --enable-kaserver-db is just for dumping a kaserver krb4 database. If you are no longer running a kaserver, you don't need it.
928 <https://lists.openafs.org/pipermail/openafs-info/2002-May/004326.html>
930 This works while migrating from kaserver:
932 /usr/heimdal/libexec/hprop --source=kaserver --cell=xxx --kaspecials --stdout | /usr/heimdal/libexec/hpropd --no-inetd --stdin
934 This somewhat doesn't:
936 /usr/heimdal/libexec/hprop --source=kaserver --cell=xxx --encrypt --master-key= --kaspecials --stdout | /usr/heimdal/libexec/hpropd --stdin
938 ### <a name="3.39 Moving from KTH-KRB4 to Hei"></a> 3.39 Moving from KTH-KRB4 to Heimdal KDC
940 /usr/heimdal/libexec/hprop -n -k /etc/krb5.keytab --source=krb4-dump -d /var/kerberos/dump.txt --master-key=/.k -D | /usr/heimdal/libexec/hpropd -n
944 1. dump of the krb4 database with kdb\_util 2. dump of the "default" heimdal database with kadmin -l 3. /usr/heimdal/libexec/hprop -n -k /etc/krb5.keytab --source=krb4-dump -d /usr/heimdal/libexec/hprop -n -k /etc/krb5.keytab --source=krb4-dump -d where /etc/krb5.keytab contains hprop/\`hostname\` keys 4. merge of the converted database with file from (2) via kadmin
946 The special thing for me is the use of "-D" in the (3) which seems to cause conversion des-cbc-sha1 keys of old krb4 database entries to des-cbc-md5.