<li><a href="#3.25 How can I compute a list o"> 3.25 How can I compute a list of AFS fileservers?</a></li>
<li><a href="#3.26 How can I set up anonymous"> 3.26 How can I set up anonymous FTP login to access /afs?</a></li>
<li><a href="#3.27 Where can I find the Andre"> 3.27 Where can I find the Andrew Benchmark?</a></li>
+ <li><a href="#3.28 Is the data sent over the n"> 3.28 Is the data sent over the network encrypted in AFS ?</a></li>
+ <li><a href="#3.29 What underlying filesystems"> 3.29 What underlying filesystems can I use for AFS ?</a></li>
</ul>
</li>
</ul>
There are two examples of this that have been contributed to afs-contrib. The first is "reauth":
-<file:///afs/transarc.com/public/afs-contrib/tools/reauth/> <ftp://ftp.transarc.com/pub/afs-contrib/tools/reauth/MANIFEST>
+- <file:///afs/transarc.com/public/afs-contrib/tools/reauth/>
+- <ftp://ftp.transarc.com/pub/afs-contrib/tools/reauth/MANIFEST>
+- <ftp://ftp.andrew.cmu.edu/pub/AFS-Tools/reauth-0.0.5.tar.gz>
The second is "lat":
<file:///afs/transarc.com/public/afs-contrib/pointers/UMich-lat-authenticated-batch-jobs> <ftp://ftp.transarc.com/pub/afs-contrib/pointers/UMich-lat-authenticated-batch-jobs>
+Another collection of tools was [mentioned](https://lists.openafs.org/pipermail/openafs-info/2002-October/006353.html) by [[DanielClark]]:
+
+Another option is [OpenPBS](http://www.openpbs.org/) and [Password Storage and Retrieval](http://www.lam-mpi.org/software/psr/) (PSR), where you encrypt your AFS password with a public key and put it in your home directory, and trusted machine(s) which have the private key on local disk then decrypt your password and run your job. MIT uses a variant of this (e.g. [a](http://web.mit.edu/longjobs/www/) & [b](http://mit.edu/longjobs-dev/notebook/)) that uses their own code (see [longjobs documentation](http://web.mit.edu/longjobs-dev/doc/netsec.txt) sections III and IV) instead of PSR.
+
### <a name="3.09 Can I check my user's pass"></a> 3.09 Can I check my user's passwords for security purposes?
Yes. Alec Muffett's Crack tool (at version 4.1f) has been converted to work on the Transarc kaserver database. This modified Crack (AFS Crack) is available via anonymous ftp from:
- <ftp://export.acs.cmu.edu/pub/crack.tar.Z>
+- <ftp://ftp.andrew.cmu.edu/pub/AFS-Tools/crack.tar.Z>
and is known to work on: pmax\_\* sun4\*\_\* hp700\_\* rs\_aix\* next\_\*
Yes. There is a tool, balance, which does exactly this. It can be retrieved via anonymous ftp from:
-- <ftp://ftp.andrew.cmu.edu/pub/balance-1.1a.tar.Z>
+- <ftp://ftp.andrew.cmu.edu/pub/AFS-Tools/balance-1.1b.tar.gz>
Actually, it is possible to write arbitrary balancing algorithms for this tool. The default set of "agents" provided for the current version of balance balance by usage, # of volumes, and activity per week, the latter currently requiring a source patch to the AFS volserver. Balance is highly configurable.
### <a name="3.17 Which TCP/IP ports and pro"></a> 3.17 Which TCP/IP ports and protocols do I need to enable in order to operate AFS through my Internet firewall?
-Assuming you have already taken care of nameserving, you may wish to use an Internet timeserver for Network Time Protocol [35] [36]:
+Assuming you have already taken care of nameserving, you may wish to use an Internet timeserver for Network Time Protocol [[[NTP|Main/FurtherReading#NTP]]] and question [[3.22|Main/WebHome#NTP]]:
-ntp 123/tcp
+ntp 123/udp
A list of NTP servers is available via anonymous FTP from:
For a "minimal" AFS service which does not allow inbound or outbound klog:
+ cachemanager 4711/udp (only if you use the arla-client instead of OpenAFS)
fileserver 7000/udp
cachemanager 7001/udp
ptserver 7002/udp
No.
-The AFS Cache Manager makes use of NTP [35] [36] to synchronise time with your cell's NTP servers.
+<a name="NTP"></a> The AFS Servers make use of NTP [[[NTP|Main/FurtherReading#NTP]]] to synchronise time each other and typically with one or more external NTP servers. By default, clients synchronize their time with one of the servers in the local cell. Thus all the machines participating in the AFS cell have an accurate view of the time.
+
+For further details on NTP see: <http://www.eecis.udel.edu/~ntp/>. The latest version is 4.1, dated August 2001, which is **much** more recent that the version packaged with Transarc AFS.
+
+A list of NTP servers is available via anonymous FTP from:
+
+- <http://www.eecis.udel.edu/~mills/ntp/servers.html>
-Typically, one of your AFS cell's servers synchronises with an external NTP server and provides accurate time to your cell.
+The default time setting behavior of the AFS client can be disabled by specifying the `-nosettime` argument to [afsd](http://www.transarc.ibm.com/Library/documentation/afs/3.5/unix/cmd/cmd53.htm). This is recommended for AFS servers which are also configured as clients (because servers normally run NTP daemons) and for clients that run NTP.
### <a name="3.23 Why should I keep /usr/vic"></a> 3.23 Why should I keep /usr/vice/etc/CellServDB current?
Do a daily copy from a master source and update the AFS kernel sitelist.
+One good master source is the grand.central.org [[CellServDB]], available from <http://grand.central.org/dl/cellservdb/CellServDB> or <file:/afs/openafs.org/service/CellServDB> (N.B. update to /afs/grand.central.org path when available). You can send updates for this to <cellservdb@central.org>.
+
The client [[CellServDB]] file must not reside under /afs and is best located in local filespace.
Simply updating a client [[CellServDB]] file is not enough. You also need to update the AFS kernel sitelist by either: 1 rebooting the client or 1 running "fs newcell $cell\_name $server\_list" for each site in the [[CellServDB]] file.
<file:///afs/transarc.com/public/afs-contrib/doc/faq/ab.tar.Z> [156k] <ftp://ftp.transarc.com/pub/afs-contrib/doc/faq/ab.tar.Z> [156k]
This is a tar archive of <file:///afs/cs.cmu.edu/user/satya/ftp/ab/>
+
+### <a name="3.28 Is the data sent over the n"></a> 3.28 Is the data sent over the network encrypted in AFS ?
+
+There is still no easy way to do this in Transarc AFS, but [[OpenAFS]] now has a "fs" subcommand to turn on encryption of regular file data sent and received by a client. This is a per client setting that persist until reboot. No server actions are needed to support this change. The syntax is:
+
+- `fs setcrypt on`
+- `fs setcrypt off`
+- `fs getcrypt`
+
+Note that this only encrypts network traffic between the client and server. The data on the server's disk is not encrypted nor is the data in the client's disk cache. The encryption algorithm used is [fcrypt](http://tedanderson.home.mindspring.com/fcrypt-paper.txt), which is a DES variant.
+
+Getting encryption enabled by default:
+
+- [[RedHat]] Linux: ([src](https://lists.openafs.org/pipermail/openafs-info/2002-July/005085.html)) change the last line of /etc/sysconfig/afs to `AFS_POST_INIT="/usr/bin/fs setcrypt on"`
+- Windows ([src](https://lists.openafs.org/pipermail/openafs-info/2003-June/009416.html)) set the following registry value named `SecurityLevel` under `HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters` to 2.
+
+I have not tested either of these procedures. -- [[TedAnderson]] - 05 Jun 2003
+
+### <a name="3.29 What underlying filesystems"></a> 3.29 What underlying filesystems can I use for AFS ?
+
+See also [[SupportedConfigurations]].
+
+You need to distinguish between the filesystem used by the file server to store the actual AFS data (by convention in /vicep?) and the filesystem used by the client cache manager to cache files.
+
+With the new namei file server you can basically use any filesystem you want. Tne namei file server does not do any fancy stuff behind the scenes but only accesses normal files (their names are a bit strange though).
+
+It is a different story with the old inode based server. It directly operates on the inodes of the underlying file system which therefore has to fully support the inode abstraction scheme. The the Administrators Guide for more details (they differ from system to system).
+
+On the client side, you always have to use a file system supporting the inode abstraction for the cache (usually /usr/vice/cache) since the cache manager references files by their inode. Fortunately, it does not do such tricky stuff as the inode based server. The following file systems have been reported _not_ to work:
+
+- reiserfs
+- vxfs (HP-UX)
+- advfs (Tru64), it works but gives cachecurruption
+
+- Patch committed to cvs around 6/2003 will now enforce this in some cases and generate a warning to the user if the filesystem type is wrong.
+
+The following file systems have been reported to work for the AFS client cache:
+
+- ext2
+- ext3
+- hfs (HP-UX)
+- xfs (at least on IRIX 6.5)
git://git.openafs.org / openafs-wiki.git / blobdiff