-<div>
- <ul>
- <li><a href="#UNIX"> UNIX</a><ul>
- <li><a href="#AFS Backend"> AFS Backend</a></li>
- <li><a href="#BackupAFS">BackupAFS</a></li>
- <li><a href="#Balancing"> Balancing</a></li>
- <li><a href="#Frak"> Frak</a></li>
- <li><a href="#FSR"> FSR</a></li>
- <li><a href="#LibNSS-AFS"> LibNSS-AFS</a></li>
- <li><a href="#LSMounts"> LSMounts</a></li>
- <li><a href="#Nagios Monitoring"> Nagios Monitoring</a></li>
- <li><a href="#Mount Points"> Mount Points</a></li>
- <li><a href="#MVTO"> MVTO</a></li>
- <li><a href="#Pam-AFS-Session"> Pam-AFS-Session</a></li>
- <li><a href="#Pam-KRB5"> Pam-KRB5</a></li>
- <li><a href="#Partinfo"> Partinfo</a></li>
- <li><a href="#PHPafsfree">PHPafsfree</a></li>
- <li><a href="#Reporting DB"> Reporting DB</a></li>
- <li><a href="#VolCreate"> VolCreate</a></li>
- <li><a href="#VolNuke"> VolNuke</a></li>
- </ul>
- </li>
- <li><a href="#Linux"> Linux</a><ul>
- <li><a href="#AFS Tokens GUI"> AFS Tokens GUI</a></li>
- <li><a href="#Kvibille Nautilus Plugin"> Kvibille Nautilus Plugin</a></li>
- <li><a href="#Nautilus for RHEL4"> Nautilus for RHEL4</a></li>
- </ul>
- </li>
- <li><a href="#Macintosh"> Macintosh</a><ul>
- <li><a href="#AFS Tokens GUI"> AFS Tokens GUI</a></li>
- <li><a href="#AFS Commander"> AFS Commander</a></li>
- <li><a href="#Contextual Menu Plug-in for Find"> Contextual Menu Plug-in for Finder</a></li>
- </ul>
- </li>
- </ul>
-</div>
-
-# <a name="UNIX"></a> UNIX
-
-## <a name="AFS Backend"></a> AFS Backend
+[[!toc levels=3]]
+
+# UNIX
+
+## AFS Backend
Delegated administration of certain volumes.
Available at <http://www.eyrie.org/~eagle/software/afs-backend/>
-## <a name="BackupAFS"></a> [[BackupAFS]]
+## [[BackupAFS]]
Backup [[OpenAFS]] volumes to a backup server's local disk or attached RAID. Supports full and multi-level incremental dumps, exponential expiry, and configuration via conf files or a web interface.
Available at <http://www.physics.unc.edu/~stephen/BackupAFS/>
-## <a name="Balancing"></a> Balancing
+## Balancing
Balance volumes, usage, and accesses among servers.
Available at <http://www.eyrie.org/~eagle/software/afs-balance/>
-## <a name="Frak"></a> Frak
+## Frak
Show differences between AFS file trees or volumes
Available at <http://www.eyrie.org/~eagle/software/frak/>
-## <a name="FSR"></a> FSR
+## FSR
Recursive wrapper around fs directory commands
Available at: <http://www.eyrie.org/~eagle/software/fsr/>
-## <a name="LibNSS-AFS"></a> [[LibNSS]]-AFS
+## [[LibNSS]]-AFS
Uses the ptdb (ptserver) to resolve username-to-userid and userid-to-username (NSS) queries on platforms that use GNU Libc.
Available at: <http://www.hcoop.net/~megacz/software/libnss-afs.html>
-## <a name="LSMounts"></a> LSMounts
+## LSMounts
Search through a directory for mount points
Available at: <http://www.eyrie.org/~eagle/software/lsmounts/>
-## <a name="Nagios Monitoring"></a> Nagios Monitoring
+## Nagios Monitoring
Nagios-compatible probes to monitor AFS
Available at: <http://www.eyrie.org/~eagle/software/afs-monitor/>
-## <a name="Mount Points"></a> Mount Points
+## Mount Points
Maintain a database of volume mount points
Available at: <http://www.eyrie.org/~eagle/software/afs-mount/>
-## <a name="MVTO"></a> MVTO
+## MVTO
Smart vos move with usage balancing
Available at: <http://www.eyrie.org/~eagle/software/mvto/>
-## <a name="Pam-AFS-Session"></a> Pam-AFS-Session
+## Pam-AFS-Session
AFS PAG and token PAM session module
Available at: <http://www.eyrie.org/~eagle/software/pam-afs-session/>
-## <a name="Pam-KRB5"></a> Pam-KRB5
+## Pam-KRB5
Kerberos v5 PAM module
Available at: <http://www.eyrie.org/~eagle/software/pam-krb5/>
-## <a name="Partinfo"></a> Partinfo
+## Partinfo
Nicely formatted partition usage report
Available at: <http://www.eyrie.org/~eagle/software/partinfo/>
-## <a name="PHPafsfree"></a> PHPafsfree
+## PHPafsfree
A PHP/GD AFS fileserver disk utilization grapher inspired by the original tcl/tk afsfree script.
Available at: <http://www.physics.unc.edu/~stephen/phpafsfree/>
-## <a name="Reporting DB"></a> Reporting DB
+## Reporting DB
Load AFS metadata into a SQL database for reporting
Available at: <http://www.eyrie.org/~eagle/software/afsdb/>
-## <a name="VolCreate"></a> [[VolCreate]]
+## [[VolCreate]]
Smart vos create with automatic volume placement
Available at: <http://www.eyrie.org/~eagle/software/volcreate/>
-## <a name="VolNuke"></a> [[VolNuke]]
+## [[VolNuke]]
Smart vos remove that finds volume location
Available at: <http://www.eyrie.org/~eagle/software/volnuke/>
-# <a name="Linux"></a> Linux
+# Linux
-## <a name="AFS Tokens GUI"></a> AFS Tokens GUI
+## AFS Tokens GUI
Obtain and delete your AFS tokens via Kerberos 5 login. Manage your group membership and owned groups.
Source and binaries available at [https://forge.cornell.edu/sf/frs/do/viewSummary/projects.afs\_tokens/frs](https://forge.cornell.edu/sf/frs/do/viewSummary/projects.afs_tokens/frs)
-## <a name="Kvibille Nautilus Plugin"></a> Kvibille Nautilus Plugin
+## Kvibille Nautilus Plugin
Graphical editor for AFS access control lists (ACL). Works as a Nautilus plugin and as a standalone application.
Main source tree available at <ftp://ftp.nada.kth.se/pub/hacks/kvibille/>
-## <a name="Nautilus for RHEL4"></a> Nautilus for RHEL4
+## Nautilus for RHEL4
The stock Nautilus with RHEL4, like the Mac OS X finder, attempts to "help" you by pre-determining access to AFS files and folders based on the unix permissions. This version has a small hack which will always return access allowed such that the access decision is made by AFS itself.
RPMS available at /afs/cnf.cornell.edu/shares/public/outside\_users/openafs/nautilus
-# <a name="Macintosh"></a> Macintosh
+# Macintosh
-## <a name="AFS Tokens GUI"></a> AFS Tokens GUI
+## AFS Tokens GUI
Obtain and delete your AFS tokens via Kerberos 5 login. Manage your group membership and owned groups.
Source and binaries available at [https://forge.cornell.edu/sf/frs/do/viewSummary/projects.afs\_tokens/frs](https://forge.cornell.edu/sf/frs/do/viewSummary/projects.afs_tokens/frs)
-## <a name="AFS Commander"></a> AFS Commander
+## AFS Commander
Afs Commander is the development version Apple OSX AFS Preference Pane, made for simplify the afs client administration and usability.
Available at [http://www.lnf.infn.it/~bisegni/Main/Afs\_Commander.html](http://www.lnf.infn.it/~bisegni/Main/Afs_Commander.html)
-## <a name="Contextual Menu Plug-in for Find"></a> Contextual Menu Plug-in for Finder
+## Contextual Menu Plug-in for Finder
Provides access list and volume quota information. AFS access control lists can be added, modified, and deleted. Volume information on user quota and disk space usage are available.
Available at [http://www.ncsu.edu/mac/pn/index.php?name=UpDownload&req=viewdownloaddetails&lid=10](http://www.ncsu.edu/mac/pn/index.php?name=UpDownload&req=viewdownloaddetails&lid=10)
--- [[RedFyre]] - 01 Aug 2008
-## <a name="Demand-Attach File-Server (DAFS)"></a> Demand-Attach File-Server (DAFS)
+[[!toc levels=3]]
+
+# Demand-Attach File-Server (DAFS)
+
OpenAFS 1.5 contains Demand-Attach File-Server (DAFS). DAFS is a significant departure from the more _traditional_ AFS file-server and this document details those changes.
-<div>
- <ul>
- <li><a href="#Demand-Attach File-Server (DAFS)"> Demand-Attach File-Server (DAFS)</a></li>
- <li><a href="#Why Demand-Attach File-Server (D"> Why Demand-Attach File-Server (DAFS) ?</a></li>
- <li><a href="#An Overview of Demand-Attach Fil"> An Overview of Demand-Attach File-Server</a></li>
- <li><a href="#The Gory Details of the Demand-A"> The Gory Details of the Demand-Attach File-Server</a><ul>
- <li><a href="#Bos Configuration"> Bos Configuration</a></li>
- <li><a href="#File-server Start-up / Shutdown"> File-server Start-up / Shutdown Sequence</a></li>
- <li><a href="#Volume Finite-State Automata"> Volume Finite-State Automata</a></li>
- <li><a href="#Volume Least Recently Used (VLRU"> Volume Least Recently Used (VLRU) Queues</a></li>
- <li><a href="#Vnode Finite-State Automata"> Vnode Finite-State Automata</a></li>
- <li><a href="#Demand Salvaging"> Demand Salvaging</a></li>
- <li><a href="#File-Server Host / Callback Stat"> File-Server Host / Callback State</a></li>
- </ul>
- </li>
- <li><a href="#File-Server Arguments (relating"> File-Server Arguments (relating to Demand-Attach)</a></li>
- <li><a href="#Tools for Debugging Demand-Attac"> Tools for Debugging Demand-Attach File-Server</a><ul>
- <li><a href="#==fssync-debug=="> fssync-debug</a></li>
- <li><a href="#==salvsync-debug=="> salvsync-debug</a></li>
- <li><a href="#==state_analyzer=="> state_analyzer</a><ul>
- <li><a href="#Header Information"> Header Information</a></li>
- <li><a href="#Host Information"> Host Information</a></li>
- <li><a href="#Callback Information"> Callback Information</a></li>
- </ul>
- </li>
- </ul>
- </li>
- </ul>
-</div>
-
-## <a name="Why Demand-Attach File-Server (D"></a> Why Demand-Attach File-Server (DAFS) ?
+## Why Demand-Attach File-Server (DAFS) ?
On a traditional file-server, volumes are attached at start-up and detached only at shutdown. Any attached volume can be modified and changes are periodically flushed to disk or on shutdown. When a file-server isn't shutdown cleanly, the integrity of every attached volume has to be verified by the salvager, whether the volume had been modified or not. As file-servers grow larger (and the number of volumes increase), the length of time required to salvage and attach volumes increases, e.g. it takes around two hours for a file-server housing 512GB data to salvage and attach volumes !
Large portions of this document were taken / influenced by the presentation entitled [Demand Attach / Fast-Restart Fileserver](http://workshop.openafs.org/afsbpw06/talks/tkeiser-dafs.pdf) given by Tom Keiser at the [AFS and Kerberos Best Practices Workshop](http://workshop.openafs.org/) in [2006](http://workshop.openafs.org/afsbpw06/).
-## <a name="An Overview of Demand-Attach Fil"></a> An Overview of Demand-Attach File-Server
+## An Overview of Demand-Attach File-Server
Demand-attach necessitated a significant re-design of certain aspects of the AFS code, including:
- callbacks are no longer broken on shutdown
- instead, host / callback state is preserved across restarts
-## <a name="The Gory Details of the Demand-A"></a> The Gory Details of the Demand-Attach File-Server
+## The Gory Details of the Demand-Attach File-Server
-### <a name="Bos Configuration"></a> Bos Configuration
+### Bos Configuration
A traditional file-server uses the `bnode` type `fs` and has a definition similar to
bnode fs fs 1
instead of `fs`. For a complete list of configuration options see the
[dafileserver man page](http://docs.openafs.org/Reference/8/dafileserver.html).
-### <a name="File-server Start-up / Shutdown"></a><a name="File-server Start-up / Shutdown "></a> File-server Start-up / Shutdown Sequence
+### <a name="File-server Start-up / Shutdown "></a> File-server Start-up / Shutdown Sequence
The table below compares the start-up sequence for a traditional file-server and a demand-attach file-server.
On a traditional file-server, volumes are off-lined (detached) serially. In demand-attach, as many threads as possible are used to detach volumes, which is possible due to the notion of a volume has an associated state.
-### <a name="Volume Finite-State Automata"></a> Volume Finite-State Automata
+### Volume Finite-State Automata
The volume finite-state automata is available in the source tree under `doc/arch/dafs-fsa.dot`. See [[=fssync-debug=|DemandAttach#fssync_debug]] for information on debugging the volume package.
-<a name="VolumeLeastRecentlyUsed"></a>
-### <a name="Volume Least Recently Used (VLRU"></a> Volume Least Recently Used (VLRU) Queues
+
+### Volume Least Recently Used (VLRU) Queues
The Volume Least Recently Used (VLRU) is a garbage collection facility which automatically off-lines volumes in the background. The purpose of this facility is to pro-actively off-line infrequently used volumes to improve shutdown and salvage times. The process of off-lining a volume from the "attached" state to the "pre-attached" state is called soft detachment.
The state of the various VLRU queues is dumped with the file-server state and at shutdown.
-<a name="VLRUStateTransitions"></a> The VLRU queues new, mid (intermediate) and old are generational queues for active volumes. State transitions are controlled by inactivity timers and are
+ The VLRU queues new, mid (intermediate) and old are generational queues for active volumes. State transitions are controlled by inactivity timers and are
<table border="1" cellpadding="0" cellspacing="0">
<tr>
`vlruthresh` has been optimized for RO file-servers, where volumes are frequently accessed once a day and soft-detaching has little effect (RO volumes are not salvaged; one of the main reasons for soft detaching).
-### <a name="Vnode Finite-State Automata"></a> Vnode Finite-State Automata
+### Vnode Finite-State Automata
The vnode finite-state automata is available in the source tree under `doc/arch/dafs-vnode-fsa.dot`
`/usr/afs/bin/fssync-debug` provides low-level inspection and control of the file-server volume package. **Indiscriminate use of <code>fsync-debug</code>** can lead to extremely bad things occurring. Use with care.
-<a name="SalvageServer"></a>
-### <a name="Demand Salvaging"></a> Demand Salvaging
+
+### Demand Salvaging
Demand salvaging is implemented by the `salvageserver`. The actual code for salvaging a volume remains largely unchanged. However, the method for invoking salvaging with demand-attach has changed:
- `/usr/afs/bin/salvsync-debug` provides low-level inspection and control over the `salvageserver`. **Indiscriminate use of `salvsync-debug` can lead to extremely bad things occurring. Use with care.**
- See [[=salvsync-debug=|DemandAttach#salvsync_debug]] for information on debugging problems with the salvageserver.
-<a name="FSStateDat"></a>
-### <a name="File-Server Host / Callback Stat"></a> File-Server Host / Callback State
+
+### File-Server Host / Callback State
Host / callback information is persistent across restarts with demand-attach. On shutdown, the file-server writes the data to `/usr/afs/local/fsstate.dat`. The contents of this file are read and verified at start-up and hence it is unnecessary to break callbacks on shutdown with demand-attach.
The contents of `fsstate.dat` can be inspected using `/usr/afs/bin/state_analyzer`.
-## <a name="File-Server Arguments (relating"></a><a name="File-Server Arguments (relating "></a> File-Server Arguments (relating to Demand-Attach)
+## <a name="File-Server Arguments (relating "></a> File-Server Arguments (relating to Demand-Attach)
These are available in the man-pages (section 8) for the fileserver; some details are provided here for convenience:
</tr>
<tr>
<td><code>fs-state-verify</code></td>
- <td><none %vbar%="%VBAR%" %vbar^%="%VBAR^%" both="both" restore="restore" save="save"> </none></td>
+ <td> n/a </td>
<td> both </td>
<td> - </td>
<td> Controls the behavior of the state verification mechanism. Before saving or restoring the <code>fileserver</code> state information, the internal host and callback data structures are verified. A value of 'none' turns off all verification. A value of 'save' only performs the verification steps prior to saving state to disk. A value of 'restore' only performs the verification steps after restoring state from disk. A value of 'both' performs all verification steps both prior to saving and after restoring state. </td>
</tr>
</table>
-## <a name="Tools for Debugging Demand-Attac"></a> Tools for Debugging Demand-Attach File-Server
+## Tools for Debugging Demand-Attach File-Server
Several tools aid debugging problems with demand-attach file-servers. They operate at an extremely low-level and hence require a detailed knowledge of the architecture / code.
-### <a name="==fssync-debug=="></a> <code>**fssync-debug**</code>
+### <code>**fssync-debug**</code>
**Indiscriminate use of `fssync-debug` can have extremely dire consequences. Use with care.**
An understanding of the [volume finite-state machine](http://www.dementia.org/twiki//view/dafs-fsa.png) is required before the state of a volume should be manipulated.
-### <a name="==salvsync-debug=="></a> <code>**salvsync-debug**</code>
+### <code>**salvsync-debug**</code>
**Indiscriminate use of `salvsync-debug` can have extremely dire consequences. Use with care**
(where `priority` is a 32-bit integer).
-### <a name="==state_analyzer=="></a> <code>**state\_analyzer**</code>
+### <code>**state\_analyzer**</code>
`state_analyzer` allows the contents of the host / callback state file ( `/usr/afs/local/fsstate.dat`) to be inspected.
-#### <a name="Header Information"></a> Header Information
+#### Header Information
Header information is gleaned through the `hdr` command
}
fs state analyzer>
-#### <a name="Host Information"></a> Host Information
+#### Host Information
Host information can be gleaned through the `h` command, e.g.
}
fs state analyzer: h(1)>
-#### <a name="Callback Information"></a> Callback Information
+#### Callback Information
Callback information is available through the `cb` command, e.g.
+[[!toc levels=3]]
+
At this point you incorporate AFS into the operating system's Pluggable Authentication Module (PAM) scheme. PAM integrates all authentication mechanisms on the machine, including login, to provide the security infrastructure for authenticated access to and from the machine.
Explaining PAM is beyond the scope of this document. It is assumed that you understand the syntax and meanings of settings in the PAM configuration file (for example, how the other entry works, the effect of marking an entry as required, optional, or sufficient, and so on).
If the pam library is owned by the wrong group, it will fail to be called when you login.
-## <a name="Solaris 9"></a> Solaris 9
+## Solaris 9
# chown root:bin pam_afs.krb.so.1
-## <a name="Solaris 8"></a> Solaris 8
+## Solaris 8
# chown root:sys pam_afs.krb.so.1
-# <a name="Edit pam.conf"></a> Edit pam.conf
+# Edit pam.conf
Edit the Authentication management section of the Solaris PAM configuration file, /etc/pam.conf by convention. The entries in this section have the value auth in their second field.
Then create an AFS-related entry for each service, placing it immediately below the standard entry. The following example shows what the Authentication Management section looks like after you have you edited or created entries for the services mentioned previously. Note that the example AFS entries appear on two lines only for legibility.
-## <a name="pam.conf configuration for Solar"></a> pam.conf configuration for Solaris 9
+## pam.conf configuration for Solaris 9
Note: leave the full path to the library intact for afs. This will allow it to work for both 32 bit and 64 bit Solaris.
# telnet auth optional /usr/lib/security/pam_unix.so.1
# telnet auth optional /usr/lib/security/pam_afs.so try_first_pass ignore_root setenv_password_expires
-## <a name="pam.conf configuration for Solar"></a> pam.conf configuration for Solaris 6
+## pam.conf configuration for Solaris 6
login auth optional /usr/lib/security/pam_unix.so.1
login auth optional /usr/lib/security/pam_afs.so \
-<div>
- <ul>
- <li><a href="#Installing the First AFS Machine"> Installing the First AFS Machine</a></li>
- <li><a href="#Overview: Installing Server Func"> Overview: Installing Server Functionality</a></li>
- <li><a href="#Choosing the First AFS Machine"> Choosing the First AFS Machine</a></li>
- <li><a href="#Performing Platform-Specific Pro"> Performing Platform-Specific Procedures</a></li>
- <li><a href="#Getting Started on AIX Systems"> Getting Started on AIX Systems</a><ul>
- <li><a href="#Loading AFS into the AIX Kernel"> Loading AFS into the AIX Kernel</a></li>
- <li><a href="#Replacing the fsck Program Helpe"> Replacing the fsck Program Helper on AIX Systems</a></li>
- <li><a href="#Configuring Server Volumes on AI"> Configuring Server Volumes on AIX Systems</a></li>
- </ul>
- </li>
- <li><a href="#Getting Started on Digital UNIX"> Getting Started on Digital UNIX Systems</a><ul>
- <li><a href="#Loading AFS into the Digital UNI">Loading AFS into the Digital UNIX Kernel</a></li>
- <li><a href="#Replacing the fsck Program on Di"> Replacing the fsck Program on Digital UNIX Systems</a></li>
- <li><a href="#Configuring Server Volumes on Di"> Configuring Server Volumes on Digital UNIX Systems</a></li>
- </ul>
- </li>
- <li><a href="#Getting Started on HP-UX Systems"> Getting Started on HP-UX Systems</a><ul>
- <li><a href="#Building AFS into the HP-UX Kern"> Building AFS into the HP-UX Kernel</a></li>
- <li><a href="#Configuring the AFS-modified fsc"> Configuring the AFS-modified fsck Program on HP-UX Systems</a></li>
- <li><a href="#Configuring Server Volumes on HP"> Configuring Server Volumes on HP-UX Systems</a></li>
- </ul>
- </li>
- <li><a href="#Getting Started on IRIX Systems"> Getting Started on IRIX Systems</a><ul>
- <li><a href="#Loading AFS into the IRIX Kernel"> Loading AFS into the IRIX Kernel</a></li>
- <li><a href="#Configuring Server Volumes on IR"> Configuring Server Volumes on IRIX Systems</a></li>
- </ul>
- </li>
- <li><a href="#Getting Started on Linux Systems"> Getting Started on Linux Systems</a><ul>
- <li><a href="#Loading AFS into the Linux Kerne"> Loading AFS into the Linux Kernel</a></li>
- <li><a href="#Configuring Server Volumes on Li"> Configuring Server Volumes on Linux Systems</a></li>
- </ul>
- </li>
- <li><a href="#Getting Started on Solaris Syste"> Getting Started on Solaris Systems</a><ul>
- <li><a href="#Loading AFS into the Solaris Ker"> Loading AFS into the Solaris Kernel</a></li>
- <li><a href="#Configuring the AFS-modified fsc"> Configuring the AFS-modified fsck Program on Solaris Systems</a></li>
- <li><a href="#Configuring Server Partitions on"> Configuring Server Partitions on Solaris Systems</a></li>
- <li><a href="#Enabling AFS Login on Solaris Sy"> Enabling AFS Login on Solaris Systems</a></li>
- </ul>
- </li>
- <li><a href="#Starting the BOS Server"> Starting the BOS Server</a></li>
- <li><a href="#Defining Cell Name and Membershi"> Defining Cell Name and Membership for Server Processes</a></li>
- <li><a href="#Starting the Database Server Pro"> Starting the Database Server Processes</a></li>
- <li><a href="#Initializing Cell Security"> Initializing Cell Security</a></li>
- <li><a href="#Starting the File Server, Volume"> Starting the File Server, Volume Server, and Salvager</a></li>
- <li><a href="#Starting the Server Portion of t"> Starting the Server Portion of the Update Server</a></li>
- <li><a href="#Starting the Controller for NTPD"> Starting the Controller for NTPD</a></li>
- <li><a href="#Overview: Installing Client Func"> Overview: Installing Client Functionality</a><ul>
- <li><a href="#Copying Client Files to the Loca"> Copying Client Files to the Local Disk</a></li>
- <li><a href="#Defining Cell Membership for Cli"> Defining Cell Membership for Client Processes</a></li>
- <li><a href="#Creating the Client _CellServDB"> Creating the Client CellServDB File</a></li>
- <li><a href="#Configuring the Cache"> Configuring the Cache</a></li>
- <li><a href="#Configuring the Cache Manager"> Configuring the Cache Manager</a></li>
- </ul>
- </li>
- <li><a href="#Overview: Completing the Install"> Overview: Completing the Installation of the First AFS Machine</a><ul>
- <li><a href="#Verifying the AFS Initialization"> Verifying the AFS Initialization Script</a></li>
- <li><a href="#On AIX systems:"> On AIX systems:</a></li>
- <li><a href="#On Digital UNIX systems:"> On Digital UNIX systems:</a></li>
- <li><a href="#On HP-UX systems:"> On HP-UX systems:</a></li>
- <li><a href="#On IRIX systems:"> On IRIX systems:</a></li>
- <li><a href="#On Linux systems:"> On Linux systems:</a></li>
- <li><a href="#On Solaris systems:"> On Solaris systems:</a></li>
- </ul>
- </li>
- <li><a href="#Configuring the Top Levels of th"> Configuring the Top Levels of the AFS Filespace</a></li>
- <li><a href="#Storing AFS Binaries in AFS"> Storing AFS Binaries in AFS</a></li>
- <li><a href="#The AFS distribution includes th"> The AFS distribution includes the following documents:</a></li>
- <li><a href="#Storing System Binaries in AFS"> Storing System Binaries in AFS</a></li>
- <li><a href="#Enabling Access to Foreign Cells"> Enabling Access to Foreign Cells</a></li>
- <li><a href="#Improving Cell Security"> Improving Cell Security</a></li>
- <li><a href="#Controlling root Access"> Controlling root Access</a><ul>
- <li><a href="#Controlling System Administrator"> Controlling System Administrator Access</a></li>
- <li><a href="#Protecting Sensitive AFS Directo"> Protecting Sensitive AFS Directories</a></li>
- </ul>
- </li>
- <li><a href="#Removing Client Functionality"> Removing Client Functionality</a></li>
- </ul>
-</div>
-
-# <a name="Installing the First AFS Machine"></a> Installing the First AFS Machine
+
+[[!toc level=3]]
+
+# Installing the First AFS Machine
This chapter describes how to install the first AFS machine in your cell, configuring it as both a file server machine and a client machine. After completing all procedures in this chapter, you can remove the client functionality if you wish, as described in Removing Client Functionality.
- Configuring your cell's filespace, establishing further security mechanisms, and enabling access to foreign cells (begins in Overview: Completing the Installation of the First AFS Machine)
-# <a name="Overview: Installing Server Func"></a> Overview: Installing Server Functionality
+# Overview: Installing Server Functionality
In the first phase of installing your cell's first AFS machine, you install file server and database server functionality by performing the following procedures:
13. Start the controller process (called runntp) for the Network Time Protocol Daemon, which synchronizes machine clocks
-# <a name="Choosing the First AFS Machine"></a> Choosing the First AFS Machine
+# Choosing the First AFS Machine
The first AFS machine you install must have sufficient disk space to store AFS volumes. To take best advantage of AFS's capabilities, store client-side binaries as well as user files in volumes. When you later install additional file server machines in your cell, you can distribute these volumes among the different machines as you see fit.
# mkdir /cdrom
-# <a name="Performing Platform-Specific Pro"></a> Performing Platform-Specific Procedures
+# Performing Platform-Specific Procedures
Several of the initial procedures for installing a file server machine differ for each system type. For convenience, the following sections group them together for each system type:
- If the machine is to remain an AFS client machine, modify the machine's authentication system so that users obtain an AFS token as they log into the local file system. Using AFS is simpler and more convenient for your users if you make the modifications on all client machines. Otherwise, users must perform a two-step login procedure (login to the local file system and then issue the klog command). For further discussion of AFS authentication, see the chapter in the IBM AFS Administration Guide about cell configuration and administration issues.
-# <a name="Getting Started on AIX Systems"></a> Getting Started on AIX Systems
+# Getting Started on AIX Systems
Begin by running the AFS initialization script to call the AIX kernel extension facility, which dynamically loads AFS modifications into the kernel. Then use the SMIT program to configure partitions for storing AFS volumes, and replace the AIX fsck program helper with a version that correctly handles AFS volumes. If the machine is to remain an AFS client machine, incorporate AFS into the AIX secondary authentication system.
-## <a name="Loading AFS into the AIX Kernel"></a> Loading AFS into the AIX Kernel
+## Loading AFS into the AIX Kernel
[[Loading AFS into the AIX Kernel|LoadingAFSIntoTheAIXKernel]]
-## <a name="Replacing the fsck Program Helpe"></a> Replacing the fsck Program Helper on AIX Systems
+## Replacing the fsck Program Helper on AIX Systems
Never run the standard fsck program on AFS server partitions. It discards AFS volumes.
[[Replacing the fsck Program Helper on AIX Systems|ReplacingTheFsckProgramHelperOnAIXSystems]]
-## <a name="Configuring Server Volumes on AI"></a> Configuring Server Volumes on AIX Systems
+## Configuring Server Volumes on AIX Systems
If this system is going to be used as a file server to share some of its disk space, create a directory called /vicepxx for each AFS server partition you are configuring (there must be at least one). If it is not going to be a file server you can skip this step.
If you plan to retain client functionality on this machine after completing the installation, proceed to [[Enabling AFS Login on AIX Systems|EnablingAFSLoginOnAIXSystems]]. Otherwise, proceed to Starting the BOS Server.
-# <a name="Getting Started on Digital UNIX"></a><a name="Getting Started on Digital UNIX "></a> Getting Started on Digital UNIX Systems
+# <a name="Getting Started on Digital UNIX "></a> Getting Started on Digital UNIX Systems
Begin by either building AFS modifications into a new static kernel or by setting up to dynamically load the AFS kernel module. Then create partitions for storing AFS volumes, and replace the Digital UNIX fsck program with a version that correctly handles AFS volumes. If the machine is to remain an AFS client machine, incorporate AFS into the machine's Security Integration Architecture (SIA) matrix.
-## <a name="Loading AFS into the Digital UNI"></a> Loading AFS into the Digital UNIX Kernel
+## Loading AFS into the Digital UNIX Kernel
[[Building AFS into the Digital UNIX Kernel|BuildingAFSIntoTheDigitalUNIXKernel]]
-## <a name="Replacing the fsck Program on Di"></a> Replacing the fsck Program on Digital UNIX Systems
+## Replacing the fsck Program on Digital UNIX Systems
Never run the standard fsck program on AFS server partitions. It discards AFS volumes.
[[Replacing the fsck Program on Digital UNIX Systems|ReplacingTheFsckProgramOnDigitalUNIXSystems]]
-## <a name="Configuring Server Volumes on Di"></a> Configuring Server Volumes on Digital UNIX Systems
+## Configuring Server Volumes on Digital UNIX Systems
If this system is going to be used as a file server to share some of its disk space, create a directory called /vicepxx for each AFS server partition you are configuring (there must be at least one). If it is not going to be a file server you can skip this step.
If you plan to retain client functionality on this machine after completing the installation, proceed to [[Enabling AFS Login on Digital UNIX Systems|EnablingAFSLoginOnDigitalUNIXSystems]]. Otherwise, proceed to Starting the BOS Server.
-# <a name="Getting Started on HP-UX Systems"></a> Getting Started on HP-UX Systems
+# Getting Started on HP-UX Systems
Begin by building AFS modifications into a new kernel; HP-UX does not support dynamic loading. Then create partitions for storing AFS volumes, and install and configure the AFS-modified fsck program to run on AFS server partitions. If the machine is to remain an AFS client machine, incorporate AFS into the machine's Pluggable Authentication Module (PAM) scheme.
-## <a name="Building AFS into the HP-UX Kern"></a> Building AFS into the HP-UX Kernel
+## Building AFS into the HP-UX Kernel
[[Building AFS into the HP-UX Kernel|BuildingAFSIntoTheHP-UXKernel]]
-## <a name="Configuring the AFS-modified fsc"></a> Configuring the AFS-modified fsck Program on HP-UX Systems
+## Configuring the AFS-modified fsck Program on HP-UX Systems
Never run the standard fsck program on AFS server partitions. It discards AFS volumes.
[[Configuring the AFS-modified fsck Program on HP-UX Systems|ConfiguringTheAFS-modifiedFsckProgramOnHP-UXSystems]]
-## <a name="Configuring Server Volumes on HP"></a> Configuring Server Volumes on HP-UX Systems
+## Configuring Server Volumes on HP-UX Systems
If this system is going to be used as a file server to share some of its disk space, create a directory called /vicepxx for each AFS server partition you are configuring (there must be at least one). If it is not going to be a file server you can skip this step.
If you plan to retain client functionality on this machine after completing the installation, proceed to [[Enabling AFS Login on HP-UX Systems|EnablingAFSLoginOnHP-UXSystems]]. Otherwise, proceed to Starting the BOS Server.
-# <a name="Getting Started on IRIX Systems"></a> Getting Started on IRIX Systems
+# Getting Started on IRIX Systems
Begin by incorporating AFS modifications into the kernel. Either use the ml dynamic loader program, or build a static kernel. Then configure partitions to house AFS volumes. AFS supports use of both EFS and XFS partitions for housing AFS volumes. SGI encourages use of XFS partitions.
You do not need to replace IRIX fsck program, because the version that SGI distributes handles AFS volumes properly.
-## <a name="Loading AFS into the IRIX Kernel"></a> Loading AFS into the IRIX Kernel
+## Loading AFS into the IRIX Kernel
[[Loading AFS into the IRIX Kernel|LoadingAFSIntoTheIRIXKernel]]
Proceed to Configuring Server Partitions on IRIX Systems.
-## <a name="Configuring Server Volumes on IR"></a> Configuring Server Volumes on IRIX Systems
+## Configuring Server Volumes on IRIX Systems
If this system is going to be used as a file server to share some of its disk space, create a directory called /vicepxx for each AFS server partition you are configuring (there must be at least one). If it is not going to be a file server you can skip this step.
If you plan to retain client functionality on this machine after completing the installation, proceed to [[Enabling AFS Login on IRIX Systems|EnablingAFSLoginOnIRIXSystems]]. Otherwise, proceed to Starting the BOS Server.
-# <a name="Getting Started on Linux Systems"></a> Getting Started on Linux Systems
+# Getting Started on Linux Systems
Begin by running the AFS initialization script to call the insmod program, which dynamically loads AFS modifications into the kernel. Then create partitions for storing AFS volumes. You do not need to replace the Linux fsck program. If the machine is to remain an AFS client machine, incorporate AFS into the machine's Pluggable Authentication Module (PAM) scheme.
-## <a name="Loading AFS into the Linux Kerne"></a> Loading AFS into the Linux Kernel
+## Loading AFS into the Linux Kernel
[[Loading AFS into the Linux Kernel|LoadingAFSIntoTheLinuxKernel]]
-## <a name="Configuring Server Volumes on Li"></a> Configuring Server Volumes on Linux Systems
+## Configuring Server Volumes on Linux Systems
If this system is going to be used as a file server to share some of its disk space, create a directory called /vicepxx for each AFS server partition you are configuring (there must be at least one). If it is not going to be a file server you can skip this step.
If you plan to retain client functionality on this machine after completing the installation, proceed to [[Enabling AFS Login on Linux Systems|EnablingAFSLoginOnLinuxSystems]]. Otherwise, proceed to Starting the BOS Server.
-# <a name="Getting Started on Solaris Syste"></a> Getting Started on Solaris Systems
+# Getting Started on Solaris Systems
Begin by running the AFS initialization script to call the modload program distributed by Sun Microsystems, which dynamically loads AFS modifications into the kernel. Then create partitions for storing AFS volumes, and install and configure the AFS-modified fsck program to run on AFS server partitions. If the machine is to remain an AFS client machine, incorporate AFS into the machine's Pluggable Authentication Module (PAM) scheme.
-## <a name="Loading AFS into the Solaris Ker"></a> Loading AFS into the Solaris Kernel
+## Loading AFS into the Solaris Kernel
[[Loading AFS into the Solaris Kernel|LoadingAFSIntoTheSolarisKernel]]
-## <a name="Configuring the AFS-modified fsc"></a> Configuring the AFS-modified fsck Program on Solaris Systems
+## Configuring the AFS-modified fsck Program on Solaris Systems
Never run the standard fsck program on AFS server partitions. It discards AFS volumes.
[[Configuring the AFS-modified fsck Program on Solaris Systems|ConfiguringTheAFS-modifiedFsckProgramOnSolarisSystems]]
-## <a name="Configuring Server Partitions on"></a> Configuring Server Partitions on Solaris Systems
+## Configuring Server Partitions on Solaris Systems
If this system is going to be used as a file server to share some of its disk space, create a directory called /vicepxx for each AFS server partition you are configuring (there must be at least one). If it is not going to be a file server you can skip this step.
If you plan to retain client functionality on this machine after completing the installation, proceed to Enabling AFS Login on Solaris Systems. Otherwise, proceed to Starting the BOS Server.
-## <a name="Enabling AFS Login on Solaris Sy"></a> Enabling AFS Login on Solaris Systems
+## Enabling AFS Login on Solaris Systems
Note: If you plan to remove client functionality from this machine after completing the installation, skip this section and proceed to Starting the BOS Server.
Proceed to Starting the BOS Server (or if referring to these instructions while installing an additional file server machine, return to Starting Server Programs).
-# <a name="Starting the BOS Server"></a> Starting the BOS Server
+# Starting the BOS Server
You are now ready to start the AFS server processes on this machine. Begin by copying the AFS server binaries from the CD-ROM to the conventional local disk location, the /usr/afs/bin directory. The following instructions also create files in other subdirectories of the /usr/afs directory.
# ln -s /usr/afs/etc/CellServDB
-# <a name="Defining Cell Name and Membershi"></a> Defining Cell Name and Membership for Server Processes
+# Defining Cell Name and Membership for Server Processes
Now assign your cell's name. The chapter in the IBM AFS Administration Guide about cell configuration and administration issues discusses the important considerations, explains why changing the name is difficult, and outlines the restrictions on name format. Two of the most important restrictions are that the name cannot include uppercase letters or more than 64 characters.
Cell name is cell_name
Host 1 is machine_name
-# <a name="Starting the Database Server Pro"></a> Starting the Database Server Processes
+# Starting the Database Server Processes
Next use the bos create command to create entries for the four database server processes in the /usr/afs/local/BosConfig file and start them running. The four processes run on database server machines only:
# ./bos create <machine name> vlserver simple /usr/afs/bin/vlserver \
-cell <cell name> -noauth
-# <a name="Initializing Cell Security"></a> Initializing Cell Security
+# Initializing Cell Security
Now initialize the cell's security mechanisms. Begin by creating the following two initial entries in the Authentication Database:
# ./pts createuser -name admin -cell <cell name> [-id <AFS UID>] -noauth
User admin has id AFS UID
-10. Issue the pts adduser command to make the admin user a member of the system:administrators group, and the pts membership command to verify the new membership. Membership in the group enables the admin user to issue privileged pts commands and some privileged fs commands.
+10. Issue the pts adduser command to make the admin user a member of the
+system:administrators group, and the pts membership command to verify the new
+membership. Membership in the group enables the admin user to issue privileged
+pts commands and some privileged fs commands.
- # ./pts adduser admin system:administrators -cell <cell name> -noauth
+ # ./pts adduser admin system:administrators -cell <cell name> -noauth
# ./pts membership admin -cell <cell name> -noauth
Groups admin (id: 1) is a member of:
system:administrators
-11. Issue the bos restart command with the -all flag to restart the database server processes, so that they start using the new server encryption key.
+
+11. Issue the bos restart command with the -all flag to restart the database
+server processes, so that they start using the new server encryption key.
+
# ./bos restart <machine name> -all -cell <cell name> -noauth
-# <a name="Starting the File Server, Volume"></a> Starting the File Server, Volume Server, and Salvager
+
+# Starting the File Server, Volume Server, and Salvager
Start the fs process, which consists of the File Server, Volume Server, and Salvager (fileserver, volserver and salvager processes).
You can ignore error messages indicating that tokens are missing, or that authentication failed.
-# <a name="Starting the Server Portion of t"></a> Starting the Server Portion of the Update Server
+# Starting the Server Portion of the Update Server
Start the server portion of the Update Server (the upserver process), to distribute the contents of directories on this machine to other server machines in the cell. It becomes active when you configure the client portion of the Update Server on additional server machines.
"/usr/afs/bin/upserver -crypt /usr/afs/etc \
-clear /usr/afs/bin" -cell <cell name> -noauth
-# <a name="Starting the Controller for NTPD"></a> Starting the Controller for NTPD
+# Starting the Controller for NTPD
Keeping the clocks on all server and client machines in your cell synchronized is crucial to several functions, and in particular to the correct operation of AFS's distributed database technology, Ubik. The chapter in the IBM AFS Administration Guide about administering server machines explains how time skew can disturb Ubik's performance and cause service outages in your cell.
"/usr/afs/bin/runntp -localclock <host>+" \
-cell <cell name> -noauth
-# <a name="Overview: Installing Client Func"></a> Overview: Installing Client Functionality
+# Overview: Installing Client Functionality
The machine you are installing is now an AFS file server machine, database server machine, system control machine, and binary distribution machine. Now make it a client machine by completing the following tasks:
1. Create the /afs directory and start the Cache Manager
-## <a name="Copying Client Files to the Loca"></a> Copying Client Files to the Local Disk
+## Copying Client Files to the Local Disk
Before installing and configuring the AFS client, copy the necessary files from the AFS CD-ROM to the local /usr/vice/etc directory.
# cp -rp C /usr/vice/etc
-## <a name="Defining Cell Membership for Cli"></a> Defining Cell Membership for Client Processes
+## Defining Cell Membership for Client Processes
Every AFS client machine has a copy of the /usr/vice/etc/ThisCell file on its local disk to define the machine's cell membership for the AFS client programs that run on it. The [[ThisCell]] file you created in the /usr/afs/etc directory (in Defining Cell Name and Membership for Server Processes) is used only by server processes.
# cp /usr/afs/etc/ThisCell ThisCell
-## <a name="Creating the Client _CellServDB"></a><a name="Creating the Client _CellServDB "></a> Creating the Client [[CellServDB]] File
+## <a name="Creating the Client _CellServDB "></a> Creating the Client [[CellServDB]] File
[[Creating the Client CellServDB File|CreatingTheClientCellServDBFile]]
-## <a name="Configuring the Cache"></a> Configuring the Cache
+## Configuring the Cache
[[Configuring the Cache|ConfiguringTheCache]]
-## <a name="Configuring the Cache Manager"></a> Configuring the Cache Manager
+## Configuring the Cache Manager
[[Configuring the Cache Manager|ConfiguringTheCacheManager]]
-# <a name="Overview: Completing the Install"></a> Overview: Completing the Installation of the First AFS Machine
+# Overview: Completing the Installation of the First AFS Machine
The machine is now configured as an AFS file server and client machine. In this final phase of the installation, you initialize the Cache Manager and then create the upper levels of your AFS filespace, among other procedures. The procedures are:
1. Remove client functionality if desired
-## <a name="Verifying the AFS Initialization"></a> Verifying the AFS Initialization Script
+## Verifying the AFS Initialization Script
At this point you run the AFS initialization script to verify that it correctly invokes all of the necessary programs and AFS processes, and that they start correctly. The following are the relevant commands:
1. Issue the appropriate commands to run the AFS initialization script for this system type.
-## <a name="On AIX systems:"></a> On AIX systems:
+## On AIX systems:
[[Initialization Script on AIX|InitializationScriptOnAIX]]
Proceed to Step 4.
-## <a name="On Digital UNIX systems:"></a> On Digital UNIX systems:
+## On Digital UNIX systems:
[[Initialization Script on Digital UNIX|InitializationScriptOnDigitalUNIX]]
Proceed to Step 4.
-## <a name="On HP-UX systems:"></a> On HP-UX systems:
+## On HP-UX systems:
[[Initialization Script on HP-UX|InitializationScriptOnHP-UX]]
Proceed to Step 4.
-## <a name="On IRIX systems:"></a> On IRIX systems:
+## On IRIX systems:
[[Initialization Script on IRIX|InitializationScriptOnIRIX]]
Proceed to Step 4.
-## <a name="On Linux systems:"></a> On Linux systems:
+## On Linux systems:
[[Initialization Script on Linux|InitializationScriptOnLinux]]
Proceed to Step 4.
-## <a name="On Solaris systems:"></a> On Solaris systems:
+## On Solaris systems:
[[Initialization Script on Solaris|InitializationScriptOnSolaris]]
Proceed to Configuring the Top Levels of the AFS Filespace.
-# <a name="Configuring the Top Levels of th"></a> Configuring the Top Levels of the AFS Filespace
+# Configuring the Top Levels of the AFS Filespace
If you have not previously run AFS in your cell, you now configure the top levels of your cell's AFS filespace. If you have run a previous version of AFS, the filespace is already configured. Proceed to Storing AFS Binaries in AFS.
# ./fs examine /afs/cellname
-# <a name="Storing AFS Binaries in AFS"></a> Storing AFS Binaries in AFS
+# Storing AFS Binaries in AFS
In the conventional configuration, you make AFS client binaries and configuration files available in the subdirectories of the /usr/afsws directory on client machines (afsws is an acronym for AFS workstation). You can conserve local disk space by creating /usr/afsws as a link to an AFS volume that houses the AFS client binaries and configuration files for this system type.
Storing AFS Documents in AFS
-# <a name="The AFS distribution includes th"></a> The AFS distribution includes the following documents:
+# The AFS distribution includes the following documents:
- IBM AFS Release Notes
An alternative is to create a link in each user's home directory to the /afs/cellname/afsdoc/format\_name directory.
-# <a name="Storing System Binaries in AFS"></a> Storing System Binaries in AFS
+# Storing System Binaries in AFS
You can also choose to store other system binaries in AFS volumes, such as the standard UNIX programs conventionally located in local disk directories such as /etc, /bin, and /lib. Storing such binaries in an AFS volume not only frees local disk space, but makes it easier to update binaries on all client machines.
sysname.usr.man /afs/cellname/sysname/usr/man
sysname.usr.sys /afs/cellname/sysname/usr/sys
-# <a name="Enabling Access to Foreign Cells"></a> Enabling Access to Foreign Cells
+# Enabling Access to Foreign Cells
In this section you create a mount point in your AFS filespace for the root.cell volume of each foreign cell that you want to enable your users to access. For users working on a client machine to access the cell, there must in addition be an entry for it in the client machine's local /usr/vice/etc/CellServDB file. (The instructions in Creating the Client [[CellServDB]] File suggest that you use the [[CellServDB]].sample file included in the AFS distribution as the basis for your cell's client [[CellServDB]] file. The sample file lists all of the cells that had agreed to participate in the AFS global namespace at the time your AFS CD-ROM was created. As mentioned in that section, the AFS Product Support group also maintains a copy of the file, updating it as necessary.)
# /usr/afs/bin/fs checkvolumes
-1. If this machine is going to remain an AFS client after you complete the installation, verify that the local /usr/vice/etc/CellServDB file includes an entry for each foreign cell.
+If this machine is going to remain an AFS client after you complete the
+installation, verify that the local /usr/vice/etc/CellServDB file includes an
+entry for each foreign cell.
For each cell that does not already have an entry, complete the following instructions:
-1. 1. 1. Create an entry in the [[CellServDB]] file. Be sure to comply with the formatting instructions in Creating the Client [[CellServDB]] File.
+Create an entry in the [[CellServDB]] file. Be sure to comply with the
+formatting instructions in Creating the Client [[CellServDB]] File.
+
+Issue the fs newcell command to add an entry for the cell directly to
+the list that the Cache Manager maintains in kernel memory. Provide each
+database server machine's fully qualified hostname.
+
-1. 1. 1. Issue the fs newcell command to add an entry for the cell directly to the list that the Cache Manager maintains in kernel memory. Provide each database server machine's fully qualified hostname.
+ # /usr/afs/bin/fs newcell <foreign_cell> <dbserver1> [<dbserver2>] [<dbserver3>]
- # /usr/afs/bin/fs newcell <foreign_cell> <dbserver1> \
- [<dbserver2>] [<dbserver3>]
-1. 1. 1. If you plan to maintain a central version of the [[CellServDB]] file (the conventional location is /afs/cellname/common/etc/CellServDB), create it now as a copy of the local /usr/vice/etc/CellServDB file. Verify that it includes an entry for each foreign cell you want your users to be able to access.
+If you plan to maintain a central version of the [[CellServDB]] file
+(the conventional location is /afs/cellname/common/etc/CellServDB), create it
+now as a copy of the local /usr/vice/etc/CellServDB file. Verify that it
+includes an entry for each foreign cell you want your users to be able to
+access.
# mkdir common
# /usr/afs/bin/vos release root.cell
-1. Issue the ls command to verify that the new cell's mount point is visible in your filespace. The output lists the directories at the top level of the new cell's AFS filespace.
+Issue the ls command to verify that the new cell's mount point is visible in your filespace. The output lists the directories at the top level of the new cell's AFS filespace.
# ls /afs/foreign_cell
-1. Please register your cell with the AFS Product Support group at this time. If you do not want to participate in the global AFS namespace, they list your cell in a private [[CellServDB]] file that is not available to other AFS cells.
+Please register your cell with the AFS Product Support group at this time. If you do not want to participate in the global AFS namespace, they list your cell in a private [[CellServDB]] file that is not available to other AFS cells.
-# <a name="Improving Cell Security"></a> Improving Cell Security
+# Improving Cell Security
This section discusses ways to improve the security of AFS data in your cell. Also see the chapter in the IBM AFS Administration Guide about configuration and administration issues.
-# <a name="Controlling root Access"></a> Controlling root Access
+# Controlling root Access
As on any machine, it is important to prevent unauthorized users from logging onto an AFS server or client machine as the local superuser root. Take care to keep the root password secret.
- On server machines, the ability to disable authorization checking, or to install rogue process binaries
-## <a name="Controlling System Administrator"></a> Controlling System Administrator Access
+## Controlling System Administrator Access
Following are suggestions for managing AFS administrative privilege:
- Limit the use by administrators of standard UNIX commands that make connections to remote machines (such as the telnet utility). Many of these programs send passwords across the network without encrypting them.
-## <a name="Protecting Sensitive AFS Directo"></a> Protecting Sensitive AFS Directories
+## Protecting Sensitive AFS Directories
Some subdirectories of the /usr/afs directory contain files crucial to cell security. Unauthorized users must not read or write to these files because of the potential for misuse of the information they contain.
/usr/afs/local drwx???---
/usr/afs/logs drwxr?xr-x
-# <a name="Removing Client Functionality"></a> Removing Client Functionality
+# Removing Client Functionality
Follow the instructions in this section only if you do not wish this machine to remain an AFS client. Removing client functionality means that you cannot use this machine to access AFS files.
-# <a name="Git Plan:"></a> Git Plan:
+[[!toc levels=3]]
+
+# Git Plan:
This is the procedure used to convert the [[OpenAFS]] CVS version control into a git repository. This work was done by Maximilian Cohan and Michael Meffie at the [[OpenAFS]] hackathon 2008 at Google, based off the work already done by Derrick Brashear.
-## <a name="Background"></a> Background
+
+## Background
The [[OpenAFS]] cvs repository poses several unique and interesting challenges in the git conversion. A custom tool called wdelta, combined with a custom set of commit scripts, has been used since the projects inception. The deltas are effectively patch sets made up of rcs revisions. We need to preserve these deltas and all the history associated with the deltas. Unfortuntunately, the not all deltas were created automically. This leads to some issues,
- In the cases where there are revision gaps, there could be conflicts when trying to collapse the changes into a single patch for the file.
- Also in the cases where there are gaps, it is possible that cvs tags could interleave the revisions of a delta, although it is unknown at this time if such a case exists.
-## <a name="Overview of the process"></a> Overview of the process
+## Overview of the process
-## <a name="Where the tools are"></a> Where the tools are
+## Where the tools are
/afs/sinenomine.net/public/openafs/projects/git\_work/
-## <a name="Set up base Repo"></a> Set up base Repo
+## Set up base Repo
-### <a name="Prep:"></a> Prep:
+### Prep:
-### <a name="Process:"></a> Process:
+### Process:
-#### <a name="(commit 1) Start from IBM 1.0 +"></a><a name="(commit 1) Start from IBM 1.0 + "></a> (commit 1) Start from IBM 1.0 + 3.6 docs
+#### (commit 1) Start from IBM 1.0 + 3.6 docs
- (in a tmp directory) cvs -d:pserver:anonymous@cvs.openafs.org:/cvs -z5 export -ropenafs-stable-1\_1\_0 openafs/doc
- Make and change to git\_base directory
- git add .
- git commit -m "Initial IBM source code import\\rDelta initial-20001103" --author="Transarc <afs@transarc.com>"
-#### <a name="(commit 2) Apply license changes"></a> (commit 2) Apply license changes
+#### (commit 2) Apply license changes
- Apply 2.patch
- Cleanup: rm .rej & .orig
- untar 2-postapply.tar
- git commit -m "" --author="Transarc <afs@transarc.com>"
-### <a name="Patch Fixup"></a> Patch Fixup
+### Patch Fixup
- Original codebase had bit errors; tarball used for git base does not have them, remove (most of) these fixes from patchsets
-### <a name="Repo Fixup"></a> Repo Fixup
+### Repo Fixup
- Resolve issues into commit 3
- Part of the doc tree was not in the initial import
- Amend commit 1
- Reapply commit 2
-### <a name="Issues:"></a> Issues:
+### Issues:
license changes won´t apply cleanly as initial was from RCS and CVS munged rev vars on checkout
-## <a name="Automate patch - branches"></a> Automate patch -> branches
+## Automate patch -> branches
-### <a name="Prep:"></a> Prep:
+### Prep:
-### <a name="Process:"></a> Process:
+### Process:
- Clone base repo (git clone git\_base git\_working)
- Starting with 3.patch
- Apply patch (git apply --index)
- Commit (-m ´Apply patch X´)
-### <a name="Issues:"></a> Issues:
+### Issues:
-## <a name="Handle binaries"></a> Handle binaries
+## Handle binaries
-### <a name="Prep:"></a> Prep:
+### Prep:
- Find a list of binaries in cvs, search for '^expand\\w+@b|o@'
-### <a name="Process:"></a> Process:
+### Process:
- Loop:
- For patch X
- For each binary file, CVS check out listed revision over existing file
- Commit (-m ´Adding binaries´)
-## <a name="Merge branches into master branc"></a> Merge branches into master branch
+## Merge branches into master branch
-### <a name="Prep:"></a> Prep:
+### Prep:
- Parse patches to make X.msg & X.author
-### <a name="Process:"></a> Process:
+### Process:
- Loop:
- Merge branch X into master (git merge --squash)
- ! On failure... stop, and allow for reset
- Push master to origin/master
-## <a name="Validate and release"></a> Validate and release
+## Validate and release
- Check that checkout of master matches cvs HEAD
-## <a name="Handle tags"></a> Handle tags
+## Handle tags
- Determine tag->delta relationship
--- Michael Meffie - 28 Oct 2008
+
**This content may be out of date. See details in a [posting to openafs-info mailing list](http://www.mail-archive.com/openafs-info@openafs.org/msg35820.html). Please edit this page and add status details to this paragraph as appropriate.**
A circa-2008 version of this content is available as HTMLHelp from [TommieGannert's site](http://www.e.kth.se/~tommie/openafs/openafs-referenceguide.chm).
-# <a name="Configuration Reference Guide"></a> Configuration Reference Guide
-
-<div>
- <ul>
- <li><a href="#Configuration Reference Guide"> Configuration Reference Guide</a><ul>
- <li><a href="#Introduction"> Introduction</a></li>
- <li><a href="#Credentials Manager"> Credentials Manager</a><ul>
- <li><a href="#Command Line Options"> Command Line Options</a></li>
- <li><a href="#Tokens"> Tokens</a></li>
- <li><a href="#Drive Letters"> Drive Letters</a></li>
- <li><a href="#Advanced"> Advanced</a></li>
- <li><a href="#System Tray"> System Tray</a></li>
- </ul>
- </li>
- <li><a href="#Client Configuration"> Client Configuration</a><ul>
- <li><a href="#General"> General</a></li>
- <li><a href="#Drive Letters"> Drive Letters</a></li>
- <li><a href="#Preferences"> Preferences</a></li>
- <li><a href="#AFS Cells"> AFS Cells</a></li>
- <li><a href="#Advanced"> Advanced</a><ul>
- <li><a href="#Logon Settings"> Logon Settings</a></li>
- <li><a href="#Diagnostic"> Diagnostic</a></li>
- <li><a href="#Global Drives"> Global Drives</a></li>
- <li><a href="#Binding"> Binding</a></li>
- <li><a href="#Miscellaneous"> Miscellaneous</a></li>
- </ul>
- </li>
- </ul>
- </li>
- <li><a href="#Settings Without a User Interfac"> Settings Without a User Interface</a><ul>
- <li><a href="#Netbios Name"> Netbios Name</a></li>
- <li><a href="#Encryption of Network Traffic"> Encryption of Network Traffic</a></li>
- <li><a href="#Freelance Client Support"> Freelance Client Support</a><ul>
- <li><a href="#Freelance Root Setup"> Freelance Root Setup</a></li>
- </ul>
- </li>
- <li><a href="#Hiding Dot-Files"> Hiding Dot-Files</a></li>
- <li><a href="#Hiding the \\AFS\all Share"> Hiding the <tt>\\AFS\all</tt> Share</a></li>
- <li><a href="#Tweaking the SMB Connections"> Tweaking the SMB Connections</a></li>
- <li><a href="#Connection Timeouts"> Connection Timeouts</a></li>
- <li><a href="#Tweaking RPC Traffic"> Tweaking RPC Traffic</a></li>
- <li><a href="#Enabling Debug Trace Events"> Enabling Debug Trace Events</a></li>
- <li><a href="#Restricting the Number of Utiliz"> Restricting the Number of Utilized CPUs</a></li>
- <li><a href="#Moving the _CellServDB File"> Moving the CellServDB File</a></li>
- <li><a href="#Moving the Integrated Logon Supp"> Moving the Integrated Logon Support File</a></li>
- <li><a href="#Allowing More Time For the Servi"> Allowing More Time For the Service To Start</a></li>
- <li><a href="#Running a Logon Script"> Running a Logon Script</a></li>
- <li><a href="#Integrated Logon Usage"> Integrated Logon Usage</a></li>
- <li><a href="#Integrated Logon Silence"> Integrated Logon Silence</a></li>
- <li><a href="#Disable Automatic Use of _Kerber"> Disable Automatic Use of KerberosV</a></li>
- <li><a href="#Changing the Default Authenticat"> Changing the Default Authentication Cell</a></li>
- <li><a href="#Changing the Parameters of AFS C"> Changing the Parameters of AFS Credentials Manager</a></li>
- </ul>
- </li>
- <li><a href="#Per Domain Options"> Per Domain Options</a><ul>
- <li><a href="#Resolution of Domain Specific Va"> Resolution of Domain Specific Values</a></li>
- <li><a href="#Exceptions To the Resolution Rul"> Exceptions To the Resolution Rule</a></li>
- </ul>
- </li>
- <li><a href="#Windows Registry Keys of _OpenAF"> Windows Registry Keys of OpenAFS</a></li>
- </ul>
- </li>
- </ul>
-</div>
-
-## <a name="Introduction"></a> Introduction
+[[!toc levels=3]]
+
+# Configuration Reference Guide
+
+
+## Introduction
Once you have installed [[OpenAFS]] for Windows onto your computer, there are two programs you will be concerned with: the AFS Client (Credentials Manager), and the AFS Client Configuration program. Many of the options in [[OpenAFS]] can be set from both programs. This is a source of confusion, which this guide will try to sort out.
Because this is a reference, the programs will be described in order, screen by screen. At the end, files and Windows Registry keys will be described.
-## <a name="Credentials Manager"></a> Credentials Manager
+## Credentials Manager
This program is located in `C:\Program Files\OpenAFS\Client\Program\afscreds.exe` (default location). It is used for managing end-user tasks. This includes obtaining tickets and setting up per-user drive mappings.
-### <a name="Command Line Options"></a> Command Line Options
+### Command Line Options
If you intend to run `afscreds.exe` from a command line, the following options may be of interest to you. NB: The flags are case-insensitive, and can begin with either **_-_** (� la Unix) or **_/_** (old Windows style).
<dd> Unmap All. Unmaps all per-user drives. </dd>
</dl>
-### <a name="Tokens"></a> Tokens
+### Tokens
<img src="http://www.e.kth.se/~tommie/openafs/screens/afscreds/tokens.png" width="467" height="238" /> The Tokens Tab displays brief information about your AFS tokens. It shows your current cell, and when the tokens expire. It lets you obtain (or renew) tokens (kauth/kinit in Unix) and make it sound an alarm if they will be expiring any time soon. If you have sensitive information in AFS, you can discard (kdestroy) tokens when away.
The Credentials Manager can make use of MIT Kerberos for Windows, if installed. This lets you use [[KerberosV]] tickets directly in the AFS Credentials Manager. Thus, there is no longer a need to have a third party Credentials Manager running. This window also shows what version of [[OpenAFS]] you are currently running.
-### <a name="Drive Letters"></a> Drive Letters
+### Drive Letters
<img src="http://www.e.kth.se/~tommie/openafs/screens/afscreds/drive-letters.png" width="467" height="238" /> A fundamental entity in the Microsoft Windows operating systems is the **_drive_**. A drive is identified by one letter and a colon. Masking a network file system as a drive is called "mapping a drive."
The Description field is not as obvious. It is an **_identifier_** for the mapping, and is called a **_submount_**. It is not a free text description. The same restrictions apply to the description as to any name of a Windows share. See the [[WindowsTroubleshootingGuide]] for more information on submounts.
-### <a name="Advanced"></a> Advanced
+### Advanced
<img src="http://www.e.kth.se/~tommie/openafs/screens/afscreds/advanced.png" width="467" height="238" /> If you are an administrator, you will want to use this tab eventually. You can check the status of the AFS service, start it if needed and configure global parameters. Pressing "Configure AFS Client" brings up the "AFS Client Configuration" program, which is described in a later section.
The "Always show the AFS Client icon in the taskbar" option sets whether the Credentials Manager should be started on each login or not.
-### <a name="System Tray"></a> System Tray
+### System Tray
<img src="http://www.e.kth.se/~tommie/openafs/screens/windows/taskbar.png" width="135" height="26" /> A padlock is the icon for AFS Credentials Manager. It is locked when you have valid tokens, and has a small red cross when you do not.
Clicking it brings the Credentials Manager up. Right-clicking opens a three-item menu. "Remove Icon..." will ask if you want to stop the AFS service or not. The Credentials Manager will then exit.
-## <a name="Client Configuration"></a> Client Configuration
+## Client Configuration
This program is located in `C:\Program Files\OpenAFS\Common\afs_config.exe` (default location). The configuration utility can perform most operations of the Credentials Manager, and more. In fact, the Client Configuration is not able to obtain tokens, but everything else can be updated with it.
When installed, [[OpenAFS]] also installs this program as a Control Panel applet, called "AFS Client Configuration". No matter what you call it, the functionality is the same.
-### <a name="General"></a> General
+### General
<img src="http://www.e.kth.se/~tommie/openafs/screens/afsconfig/general.png" width="356" height="495" /> The General Tab of the AFS Client Configuration provide roughly the same functionality as the Advanced Tab of the Credentials Manager. The Cell Name identifies the default authentication cell. The `root.afs` volume of this cell is used to identify which cells to present at the root. Your default cell must have AFSDB-records in DNS, or/and be listed in [[CellServDB]] (see AFS Cells below). At the bottom, you will find the same Start / Stop Service as in the Credentials Manager.
- **Provide an AFS Light Gateway** gives you access to the [[OpenAFS]] submounts from other computers.
- **Show the AFS Client icon in the taskbar** will start the Credentials Manager if it is not already running.
-### <a name="Drive Letters"></a> Drive Letters
+### Drive Letters
Mapping drives and creating submounts work the same way as for the Credentials Manager. Please refer to the section above.
-### <a name="Preferences"></a> Preferences
+### Preferences
<img src="http://www.e.kth.se/~tommie/openafs/screens/afsconfig/preferences.png" width="356" height="495" /> Since AFS can mirror both files and volume information on several servers, there must be a way to determine which server to contact. In [[OpenAFS]] for Windows, this is specified using the Server Preferences screen. Normally, you will never need to manually change the preferences of the servers. However, if you are doing load balance testing or if you are stress-testing a server, you may want to set preferences here.
You can also import the rankings from a file. The file is a text file with one line per server. Whitespaces separate the server name from the ranking number. Note that the servers are imported to the active list (File Server or Volume Location Server).
-### <a name="AFS Cells"></a> AFS Cells
+### AFS Cells
<img src="http://www.e.kth.se/~tommie/openafs/screens/afsconfig/afscells.png" width="356" height="495" /> Before [[OpenAFS]] was able to handle AFSDB-records in DNS, the [[CellServDB]] file contained the explicit mappings between cells and servers. The AFS Cells Tab shows the cells currently in the [[CellServDB]]. You add a cell and list its associated servers. Most large sites copy the [[CellServDB]] directly from the network, to keep it in sync.
-### <a name="Advanced"></a> Advanced
+### Advanced
<img src="http://www.e.kth.se/~tommie/openafs/screens/afsconfig/advanced.png" width="356" height="495" /> Finally, the Advanced Tab. This is where you configure the heart of [[OpenAFS]] for Windows. Most of these settings already have a best-practice value. Be warned that changing these settings can cause [[OpenAFS]] to be slow, or to stop working at all.
- **Chunk Size** is the smallest transfer unit. The cache works by caching chunks of files, not necessarily entire files. It should be set to a size which is fast to transfer over the network, yet large enough to avoid lots and lots of transfers. The default is 32 kB. It must be an even power of two.
- **Status Cache** describes file meta information caching. 1000 entries is the default.
-#### <a name="Logon Settings"></a> Logon Settings
+#### Logon Settings
Change the behavior of the Integrated Logon feature. The login retry interval sets how long (in seconds) [[OpenAFS]] will try to obtain initial tokens. Fail Logins Silently controls whether you will get a message box telling the reason for the failure.
Setting "Fail Logins Silently" to "No" also affects the function of the retry interval. When the interval has passed, you will be asked whether to start the timer over or not. If you choose to start over, another retry interval will be used to try and obtain the tokens.
-#### <a name="Diagnostic"></a> Diagnostic
+#### Diagnostic
Due to the complexity of [[OpenAFS]], the error and trace logging facilites have evolved into a detailed tracer of execution. The buffer is a ring, and the default size is 5000 kB. You can read this buffer using the `osidebug` program.
"Report Session Startups" will let the AFS service send an event to the Windows Event Log each time a new SMB/CIFS session is started. Default is "No".
-#### <a name="Global Drives"></a> Global Drives
+#### Global Drives
In a highly networked environment, it is not uncommon to read login scripts from the network. This, of course, requires the scripts to be accessible by login time. Since the per-user drive mappings are executed **_after_** the scripts are executed, the global drive mappings can be used. These affect all users, and can only be modified by an Administrator.
-#### <a name="Binding"></a> Binding
+#### Binding
Before [[OpenAFS]] for Windows began to use the [[WindowsLoopBackAdapter]], it used physical network interfaces to bind to. In certain situations, the default choice may be a bad one. For instance, when the network interface connects directly to the Internet, this would be a bad idea. With the Loop Back Adapter, this is no longer an issue.
-#### <a name="Miscellaneous"></a> Miscellaneous
+#### Miscellaneous
<img src="http://www.e.kth.se/~tommie/openafs/screens/afsconfig/adv_misc.png" width="336" height="301" /> These settings are hardly ever changed. They control system specific settings.
- **Mount Directory** is really "Mount Root". It is used when resolving symlinks. Microsoft Windows does not know about symbolic links, so the AFS Client Service must convert them. If a symlink target begins with the **_Mount Directory_** string, it will be transformed into an absolute path of the form `\\AFS\ALL\...`. Default is `/afs`. There is generally no need to modify this value.
- **Root Volume** is the name of the root volume of the default cell. Default is `root.afs`, and is the recommended AFS root volume name.
-## <a name="Settings Without a User Interfac"></a> Settings Without a User Interface
+## Settings Without a User Interface
Currently, some options have not yet been given a proper user interface. These can be changed directly in the Windows Registry using `regedit`.
-### <a name="Netbios Name"></a> Netbios Name
+### Netbios Name
As the AFS service publishes its services as SMB/CIFS shares, there must be a name of this service. The `NetbiosName` (type expanding string) value of `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters` can change this. The default is "AFS". Change this to "%COMPUTERNAME%-AFS" to revert to the old behavior.
-### <a name="Encryption of Network Traffic"></a> Encryption of Network Traffic
+### Encryption of Network Traffic
Historically, AFS did not support encrypted network traffic. This has changed in recent years. The support is off by default in order to be compatible with old servers. You enable and disable encryption through the value `SecurityLevel` (type DWORD) in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters`. Set to 1 to enable and 0 to disable.
-### <a name="Freelance Client Support"></a> Freelance Client Support
+### Freelance Client Support
This option can be set during installation. After installation, a registry entry must be edited. It can be found in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters` and is called `FreelanceClient` (type DWORD). Set it to 1 to enable Freelance Mode. See the [[Troubleshooting Guide|WindowsTroubleshootingGuide#What_is_Freelance_Mode_]] for more information on Freelance Mode. Default is zero (disabled).
-#### <a name="Freelance Root Setup"></a> Freelance Root Setup
+#### Freelance Root Setup
To be able to use Freelance Mode, the AFS Client Service needs to know which cells should be visible. This is equivalent to mounting `root.cell` volumes in `root.afs`. If there are no volumes described when the AFS Client Service first starts, the default cell is inserted into the list (including a forced R/W volume).
will make two volumes available, one normal and one forced R/W.
-### <a name="Hiding Dot-Files"></a> Hiding Dot-Files
+### Hiding Dot-Files
On Unix, a dot-file is a file which begins with the dot character. It is semantically similar to the Hidden attribute used in Windows. This feature is enabled by default and marks all dot-files with the Hidden attribute. The value `HideDotFiles` (type DWORD) in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters` can disable it (by giving it the value 0).
-### <a name="Hiding the \\AFS\all Share"></a> Hiding the `\\AFS\all` Share
+### Hiding the `\\AFS\all` Share
The share `all` is exported by default, and is defined as the root volume of the default cell. If you do not want this share to be defined, you can set `AllSubmount` (type DWORD) to 0, in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters`.
-### <a name="Tweaking the SMB Connections"></a> Tweaking the SMB Connections
+### Tweaking the SMB Connections
Four values in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters` affect the SMB connections:
Note that CSC is something Windows can do with all CIFS shares. The setting is used for responding to Windows requests about the policy. AFS itself has its own caching which is not involved in CSC. Read more in [Windows Clustering](http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/cluad_pr_100.asp).
-### <a name="Connection Timeouts"></a> Connection Timeouts
+### Connection Timeouts
In `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters`, two values control when connections are considered dead.
- `ConnDeadTimeout` (type DWORD) Default is 60 seconds.
- `HardDeadTimeout` (type DWORD) Default is 120 seconds, and it must be at least twice the `ConnDeadTimeout` value.
-### <a name="Tweaking RPC Traffic"></a> Tweaking RPC Traffic
+### Tweaking RPC Traffic
In `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters`, two values control how RX transfers data.
- `RxNoJumbo` (type DWORD) If enabled, does not send or indicate that we are able to send or receive RX jumbograms. Default is 0, which means jumbograms are used.
- `RxMaxMTU` (type DWORD) If set to anything other than -1, uses that value as the maximum MTU supported by the RX interface. In order to enable [[OpenAFS]] to operate across the Cisco IPSec VPN client, this value must be set to 1264 or smaller. Default is -1, the maximum.
-### <a name="Enabling Debug Trace Events"></a> Enabling Debug Trace Events
+### Enabling Debug Trace Events
Normally, the `TraceOption` (type DWORD) in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters` is 0, meaning no traces will be sent to the Application Event Log. Setting it to 1 enables trace output.
-### <a name="Restricting the Number of Utiliz"></a> Restricting the Number of Utilized CPUs
+### Restricting the Number of Utilized CPUs
For most part, the [[OpenAFS]] client can use as many processors as available. However, using multiple processors on a Hyperthreaded Pentium 4 system can cause the [[OpenAFS]] service to crash. If you have such a system, you should set `MaxCPUs` (type DWORD) (in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters`) to 1. The default is undefined, and means all processors may be used.
-### <a name="Moving the _CellServDB File"></a> Moving the [[CellServDB]] File
+### Moving the [[CellServDB]] File
The registry setting `CellServDBDir` (type string) in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider` specifies the base directory of the [[CellServDB]] file. Note that the filename `CellServDB` is appended to this path. The default is `C:\Program Files\OpenAFS\Client`.
-### <a name="Moving the Integrated Logon Supp"></a> Moving the Integrated Logon Support File
+### Moving the Integrated Logon Support File
[[OpenAFS]] installs very few files outside its directory in `Program Files`. The Integrated Logon DLL, `afslogon.dll`, is an exception. It is installed in `%WINDIR%\SYSTEM32` by default.
To change this location you must update the registry value `AuthentProviderPath` (type string) in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider` to point to the new location.
-### <a name="Allowing More Time For the Servi"></a> Allowing More Time For the Service To Start
+### Allowing More Time For the Service To Start
When the AFS Client Service starts, it has to read files, the registry, DNS information, and connect to servers. All of this may take quite some time. On slow computers, the default retry policy can be too short.
In this case, the `LoginRetryInterval` (type DWORD) and `LoginSleepInterval` (type DWORD) values in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider` can be increased. If the [[OpenAFS]] client service has not started yet, the network provider will wait for a maximum of `LoginRetryInterval` seconds while retrying every `LoginSleepInterval` seconds to check if the service is up. This setting is domain-specific; see below.
-### <a name="Running a Logon Script"></a> Running a Logon Script
+### Running a Logon Script
You may set `LogonScript` (type string or expandable string) of `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider` to any runnable script or program. Default is to not run any program. This setting is also domain-specific; see below.
-### <a name="Integrated Logon Usage"></a> Integrated Logon Usage
+### Integrated Logon Usage
Utilization of the Integrated Logon feature can be set on a per-domain basis. The value is called `LogonOptions` (type DWORD) and can be found in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider`. Setting this to "0" disables Integrated Logon, and a "1" enables it. Default is enabled. If you set this to "2", you enable the [[OpenAFS]] High Security mode, and setting it to "3" enables both High Security Mode and Integrated Logon.
High Security mode is a deprecated techinque to let several users logon to the same computer at once. Since [[OpenAFS]] now supports authenticated SMB connections, there is really no need for this mode. If you still want to use this mode, you should disable SMB Authentication. See "Tweaking the SMB Connections" on this matter.
-### <a name="Integrated Logon Silence"></a> Integrated Logon Silence
+### Integrated Logon Silence
In the Client Configuration, you may choose whether the Intergrated Logon should warn when you cannot logon, or if it should not. Since this setting is domain-specific, here is the background. The `FailLoginsSilently` (type DWORD) in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider` can be set to 1 to ignore any failures. Default is to warn (i.e. a value of zero).
-### <a name="Disable Automatic Use of _Kerber"></a> Disable Automatic Use of [[KerberosV]]
+### Disable Automatic Use of [[KerberosV]]
If you have MIT Kerberos for Windows installed, and you do not want to let AFS Credentials Manager use it, you can disable it by setting `EnableKFW` (type DWORD) in `SOFTWARE\OpenAFS\Client`. This can be done in either of `HKEY_LOCAL_MACHINE` or `HKEY_CURRENT_USER`.
-### <a name="Changing the Default Authenticat"></a> Changing the Default Authentication Cell
+### Changing the Default Authentication Cell
In some rare cases, you may want to authenticate to one cell, but keep using another cell as your home. You can do this by entering the authentication cell each time you obtain new tokens. If you intend to do it regularly, you can change it in the registry.
The value `Authentication Cell` (type string) in `HKEY_CURRENT_USER\SOFTWARE\OpenAFS\Client` can be set to another cell name than the default cell.
-### <a name="Changing the Parameters of AFS C"></a> Changing the Parameters of AFS Credentials Manager
+### Changing the Parameters of AFS Credentials Manager
When the AFS Credentials Manager starts, it recreates the Start Menu and Startup shortcuts to enforce the parameters given during installation. These parameters are stored as `AfscredsShortcutParams` in `SOFTWARE\OpenAFS\Client`. It can be set for both `HKEY_LOCAL_MACHINE` and for `HKEY_CURRENT_USER`. Default is `-A -M -N -Q`. See above for an explanation of these parameters.
-## <a name="Per Domain Options"></a> Per Domain Options
+## Per Domain Options
[[OpenAFS]] for Windows is now able to support domain-specific settings. Four of the settings in the previous section can be adjusted on a domain basis:
All values that can be domain-specific are located under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider`. Domains which want to have specific settings can create the subkey <tt>Domain\\_domain_\\</tt> and store the values there. The domain name is the logon domain, as specified in the Windows Login screen. A special domain, called `LOCALHOST`, is a placeholder for the local computer. Any other Active Directory or Kerberos realm should use its realm name for the key.
-### <a name="Resolution of Domain Specific Va"></a> Resolution of Domain Specific Values
+### Resolution of Domain Specific Values
As a consequence of this scheme, there must also be set rules for resolving which value to use. Let us use the following example in the discussion:
Back to our example. Logging in to domain `OPENAFS.ORG` clearly enables the Integrated Logon. Logging on the local computer disables it. Logging in to `MIT.EDU` will also disable Integrated Logon, because the domain key exists, but misses a value. This resolves to using the value of `Domain\LogonOption`. However, logging in to `KTH.SE` would enable Integrated Logon. It is not listed as a domain, and thus the `NetworkProvider\LogonOption` is used. In order to retain backward-compatibility, there are two exceptions to this resolution order.
-### <a name="Exceptions To the Resolution Rul"></a> Exceptions To the Resolution Rule
+### Exceptions To the Resolution Rule
Historically, the 'FailLoginsSilently' value was in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters` key and not in the `NetworkProvider` key. Therefore, for backward compatibility, the value in the `Parameters` key will supercede all instances of this value in other keys. In the absence of this value in the `Parameters` key, normal scope rules apply.
The second exception is for the `LogonScript` value. If a `LogonScript` is not specified in the specific domain key nor in the `Domain` key, the value in the `NetworkProvider` key will only be checked if the effective `LogonOptions` specify a high security integrated login. If a logon script is specified in the specific domain key or the domains key, it will be used regardless of the high security setting. Please be aware of this when setting this value.
-## <a name="Windows Registry Keys of _OpenAF"></a> Windows Registry Keys of [[OpenAFS]]
+## Windows Registry Keys of [[OpenAFS]]
During the preparation of this release of [[OpenAFS]], a lot of changes have been made to the way configuration is stored. The work is still not finished; the list of registry keys currently used can be found [here](http://web.mit.edu/~jaltman/Public/OpenAFS/registry.txt).
-# <a name="End User Quick Start Guide"></a> End User Quick Start Guide
-## <a name="Introduction"></a> Introduction
+[[!toc levels=3]]
+
+# End User Quick Start Guide
+
+## Introduction
This guide is a (hopefully) straightforward manual for setting up [[OpenAFS]] for Windows <del>1.3.70</del> <b>1.7.4</b>. It was written with the not-so-experienced user in mind and is a step-by-step description of a sample configuration. Changing the settings to your specific needs should pose no problems.
<i><b>(The changes for 1.7.4 are incomplete; none of the pictures are up to date. When complete, the markup should be removed --jtb) </b></i>
-### <a name="Before the Installation"></a> Before the Installation
+### Before the Installation
Before we start, let us take a moment and just skim through the installation. For the impatient, this section may not be what you are looking for. This is an introduction to the concepts of AFS'ing in Windows -- "basic" knowledge you should have before attempting to connect to the world.
-#### <a name="System Requirements"></a> System Requirements
+#### System Requirements
First of all, check that your system and network is capable of using [[OpenAFS]] for Windows. You will need <del>Windows 2000 or later. Support for Windows NT and the Windows 9x (including ME) series has been discontinued. If you succeed with the installation, it is sheer luck!</del> <b>Windows XP SP3, Windows Server 2003 SP2, Windows Vista SP1, Windows Server 2008, Windows 7, Windows Server 2008 R2</b>.
To be able to access files, you will need the network up and running. AFS is not very demanding on bandwidth, but realize that every byte of a file is transmitted over the wire (or air) uncompressed. The use of the client cache helps reduce bandwidth requirements.
-#### <a name="Kerberos: An Analogy"></a> Kerberos: An Analogy
+#### Kerberos: An Analogy
AFS uses an access-restriction system called Kerberos, originally developed at MIT. Kerberos is a three-part authenticator. You could say the Kerberos server (a.k.a. KDC, Kerberos Domain Controller) is somewhat like an ID-card archive. When Adam wants to loan a car from Eve, Eve may trust Adam. Adam is trusted to leave the car back as agreed. In this case, Adam needs simply state "I am Adam". Eve lends him the car, and everything is fine.
Both Adam and Eve go about sending in their secret password (known only to the respective person and the computer at ID Authority). They flash their fresh ID cards, and accept each others identity. Instead of the two trusting each other, they only have to trust one common party.
-#### <a name="Kerberos in practice"></a> Kerberos in practice
+#### Kerberos in practice
In AFS, you (the Windows Client, actually) are Adam, and the AFS server is Eve. They both communicate with a KDC.
In order to use [[KerberosV]] (recommended), you will have to use Kerberos for Windows <del>an MIT product</del>. Of course, this requires that you use [[KerberosV]] servers, which still is not always the case. Small sites may still use [[OpenAFS]]'s own Kerberos IV server implementation, called the **_kaserver_** <b>but since this option is no longer supported, this introduction will no longer discuss it</b>.
-### <a name="A Word of Advice"></a> A Word of Advice
+### A Word of Advice
While installing and configuring AFS, you should keep in mind that the authentication part is the part which most often causes problems. This is partly due to the fact that different generations of Kerberos are kept in the software for backward compatiblity. It may also be that some information is not available to the [[OpenAFS]] developers. Please be patient about getting Kerberos to work.
If the AFS servers you are about to connect to are already set up and in use, you may be able to browse public areas without being authenticated. This way, you can check if AFS or Kerberos is causing your headache.
-### <a name="The Software Installation"></a> The Software Installation
+### The Software Installation
Now that you know about the existence and uses of Kerberos, we can continue with the installation. This guide will first discuss the installation screens, then continuing with a simple sample configuration and end with some references. Happy installing!
-## <a name="Step by Step"></a> Step by Step
+## Step by Step
-### <a name="Optionally: Download Kerberos fo"></a> <del>Optionally:</del> Download and Install Kerberos for Windows
+### <del>Optionally:</del> Download and Install Kerberos for Windows
<del>If you know, or believe, that the AFS cell you will be connecting to uses [[KerberosV]], you should download [MIT Kerberos for Windows](http://web.mit.edu/kerberos/www/). The latest release is available on [this page](http://web.mit.edu/kerberos/www/dist/). The download of interest is the **Installer** for Windows.</del>
Note that installing <del>MIT</del> Kerberos for Windows will not prevent you from using the old Kerberos 4 protocol. It will, however, set up your computer for [[KerberosV]] as a first choice.
-### <a name="Install Network Identity Manager (v2)"></a>Download and Install Network Identity Manager (v2)
+### Download and Install Network Identity Manager (v2)
Download and install Network Identity Manager (v2) also from <a href="https://www.secure-endpoints.com/netidmgr/v2/index.html">Secure Endpoints</a>.
The "Typical Install" is all one needs here. <i>(NB: shoudl give picture here></i></b>
-### <a name="Obtaining _OpenAFS for Windows"></a> Obtaining [[OpenAFS]] for Windows
+### Obtaining [[OpenAFS]] for Windows
The main site for [[OpenAFS]] is [openafs.org](http://openafs.org). From here you can download the latest releases of all versions of the [[OpenAFS]] package. On [this page](http://openafs.org/windows.html) you will always find the latest releases.
<b><i>In the remainder of this document we assume you have a 64-bit system.
(Stopped here with 1.7.4 changes.)</i></b>
-### <a name="Start the Installation"></a> Start the Installation
+### Start the Installation
To begin installing, run the file you downloaded. The screens are pretty standard. Let us go through them one by one.
This choice is skipped in the [[NullSoft]] installer.
-#### <a name="Custom Installation"></a> Custom Installation
+#### Custom Installation
<img src="http://www.e.kth.se/~tommie/openafs/screens/install/msi/4 custom.png" width="499" height="385" /> <img src="http://www.e.kth.se/~tommie/openafs/screens/install/nis/2 components.png" width="503" height="386" /> Choosing Custom Installation gives you more control over what is installed onto your computer. This is shown to the right. There are three different icons used when presenting the components: a grey, a white and a red cross. Installation using the Nullsoft Installer is similar, except a standard checkbox list is being used.
This is all it takes for Custom Installation. From now on, the differences between the three installation types are not visible.
-### <a name="Finishing the Installation"></a> Finishing the Installation
+### Finishing the Installation
<img src="http://www.e.kth.se/~tommie/openafs/screens/install/msi/8 ready.png" width="499" height="385" /> <img src="http://www.e.kth.se/~tommie/openafs/screens/install/nis/7 installing.png" width="503" height="386" /> Now that you have setup your [[OpenAFS]] package, [[OpenAFS]] can be copied into the right directories. This will be reasonably fast, so don't go for a coffee yet!
<img src="http://www.e.kth.se/~tommie/openafs/screens/install/msi/11 restart.png" width="366" height="165" /> The last thing you have to do is reboot your computer. Theoretically, you could start [[OpenAFS]] without rebooting. This is not recommended, though. With all of today's anti virus programs and synchronization drivers, you can have that well-deserved coffee break now. Soon, the final adventure will begin.
-## <a name="Configure the Rest"></a> Configure the Rest
+## Configure the Rest
When you logged in, you may have encountered an error message from "AFS Integrated Logon". This is because you enabled Integrated Logon, but did not have the same username and password for both Windows and the AFS servers. In a later section, we will see how we can make [[OpenAFS]] ignore these situations without bothering you about it.
According to the Client Status, the service is started, as it should. If you used the Typical Installation mode, you will now have to change the cell name into something more appropriate. (No one can authenticate to openafs.org, really.) Change it to whatever your network administrator told you. It is usually simply the domain name of the organization.
-### <a name="Silencing the Intergrated Login"></a> Silencing the Intergrated Login
+### Silencing the Intergrated Login
<img src="http://www.e.kth.se/~tommie/openafs/screens/afsconfig/adv_login.png" width="285" height="175" /> Information is good, but not in excess. To remove the message, go to the "Advanced" tab. Click the "Logon..." button, and set "Fail Logins Silently" to "Yes". This is shown to the right.
-### <a name="Check If You Have Kerberos 5"></a> Check If You Have Kerberos 5
+### Check If You Have Kerberos 5
If everything is well, you should now be able to obtain AFS tokens for your default cell. Try this by opening the Credentials Manager from the Start Menu. Depending on your installation settings, you may be presented with a password prompt, an information window, or nothing.
Optional: Kerberos for Windows To be able to use [[KerberosV]] authentication servers, install MIT Kerberos for Windows. A description of how to install this is outside the scope of this guide.
-## <a name="Trying It Out"></a> Trying It Out
+## Trying It Out
Start the Credentials Manager and try to obtain new tokens. This should work. You should be able to browse the lands of **_\\\\AFS\\all_** like you were on a Unix computer. Do you have write permissions in the right directories?
-## <a name="Mapping Network Drives"></a> Mapping Network Drives
+## Mapping Network Drives
Many Windows users are more comfortable using drive letters instead of UNC path notation such as \\\\AFS\\openafs.org\\software\\openafs\\1.5.73\\. Windows permits any UNC path to be mapped to a drive. On Windows 7 this can be done from the Start Menu. Right Click on "Computer" and select "Map Network Drive". Select a drive letter to map, enter the \\\\AFS UNC path to map, and select "Reconnect at logon". To map the AFS root volume, use the UNC path \\\\AFS\\all.
Drive mapping can also be performed using the "NET USE" command line tool.
-## <a name="From here to eternity"></a> From here to eternity
+## From here to eternity
The next time you install [[OpenAFS]] for Windows, you are sufficiently competent to go directly onto the [[WindowsAdministratorsInstallationGuide]]. It is more hard-core, and with less fancy screen shots. The [[WindowsConfigurationReferenceGuide]] contains a complete description of the configuration options of [[OpenAFS]] for Windows.
-# <a name="Troubleshooting Guide for _OpenA"></a> Troubleshooting Guide for [[OpenAFS]] for Windows
-
-<div>
- <ul>
- <li><a href="#Troubleshooting Guide for _OpenA"> Troubleshooting Guide for OpenAFS for Windows</a><ul>
- <li><a href="#Bugs"> Bugs</a><ul>
- <li><a href="#Are my tokens destroyed when I l"> Are my tokens destroyed when I logout?</a></li>
- <li><a href="#How come my non-ASCII filename c"> How come my non-ASCII filename characters are wrong; code page problems?</a></li>
- <li><a href="#Why do my 2 GB+ files break?"> Why do my 2 GB+ files break?</a></li>
- <li><a href="#Why does the Client Service cras"> Why does the Client Service crash when I start my laptop?</a></li>
- <li><a href="#Why does _OpenAFS for Windows cr"> Why does OpenAFS for Windows crash on my Hyperthreaded Pentium 4?</a></li>
- </ul>
- </li>
- <li><a href="#Error Messages"> Error Messages</a><ul>
- <li><a href="#I receive a "Delayed Write failu"> I receive a "Delayed Write failure" error when saving documents from Microsoft Office to AFS volumes. What can I do?</a></li>
- <li><a href="#I receive errors stating that th"> I receive errors stating that the AFS Client Service may not have been started; what should I do?</a></li>
- <li><a href="#When I have obtained tokens usin"> When I have obtained tokens using Kerberos for Windows, I receive errors similar to "Ticket contained unknown key version number". What is wrong?</a></li>
- <li><a href="#Why can't I use _OpenAFS with an"> Why can't I use OpenAFS with an Active Directory KDC?</a></li>
- <li><a href="#Why can't I install _OpenAFS on"> Why can't I install OpenAFS on Windows NT, ME or 9x?</a></li>
- <li><a href="#Why do I receive "AFS is still s"> Why do I receive "AFS is still starting. Retry?" messages when I have turned off "Obtain tokens at logon"?</a></li>
- <li><a href="#What is this _MrxSmb event 3019"> What is this MrxSmb event 3019 that pops up in my System Log?</a></li>
- <li><a href="#Why isn't the AFS Light Gateway"> Why isn't the AFS Light Gateway working anymore?</a></li>
- </ul>
- </li>
- <li><a href="#Features"> Features</a><ul>
- <li><a href="#There is only one cell listed in"> There is only one cell listed in <tt>\\AFS\all</tt> or when browsing <tt>\\AFS</tt>. Where are all my cells?</a><ul>
- <li><a href="#Broken Root Volume"> Broken Root Volume</a></li>
- <li><a href="#Freelance Mode"> Freelance Mode</a></li>
- </ul>
- </li>
- <li><a href="#What happened to the files in th"> What happened to the files in the Windows directory, like <tt>afsdcell.ini</tt>, <tt>afs_freelance.ini</tt> and <tt>afsdsbmt.ini</tt>?</a></li>
- <li><a href="#Why can I not use fs to set the"> Why can I not use <tt>fs</tt> to set the X option anymore?</a></li>
- <li><a href="#Why should I abandon Kerberos 4?"> Why should I abandon Kerberos 4?</a></li>
- <li><a href="#What is the difference between t"> What is the difference between the Nullsoft Installer (.exe) and the Microsoft Installer (.msi)?</a></li>
- </ul>
- </li>
- <li><a href="#Nomenclature"> Nomenclature</a><ul>
- <li><a href="#What is "Freelance Mode"?"> What is "Freelance Mode"?</a></li>
- <li><a href="#What is "High Security Mode"?"> What is "High Security Mode"?</a></li>
- <li><a href="#What is the Microsoft Loop Back"> What is the Microsoft Loop Back Adapter?</a></li>
- <li><a href="#What is a "submount"?"> What is a "submount"?</a></li>
- <li><a href="#What is "Symbol Information"?"> What is "Symbol Information"?</a></li>
- </ul>
- </li>
- </ul>
- </li>
- </ul>
-</div>
-
-## <a name="Bugs"></a> Bugs
-
-### <a name="Are my tokens destroyed when I l"></a> Are my tokens destroyed when I logout?
+
+# Troubleshooting Guide for [[OpenAFS]] for Windows
+
+[[!toc levels=3]]
+
+## Bugs
+
+### Are my tokens destroyed when I logout?
Hard to tell. If your profile is local (not on the network, roaming) there is no need for the tokens, and they are destroyed when you logout.
If, on the other hand, you are using roaming profiles, there is unfortunately no way for the AFS Client Service to know when the profile has been put back into AFS. Thus, the "roaming" could fail if the service tried to forget the tokens. When using roaming profiles, the tokens are not destroyed on logout.
-### <a name="How come my non-ASCII filename c"></a> How come my non-ASCII filename characters are wrong; code page problems?
+### How come my non-ASCII filename characters are wrong; code page problems?
Yes, it is. Currently, the [[OpenAFS]] implementation uses a SMB server with which Windows communicates. This server is not yet able to handle all code pages. So, if you are accessing files from other systems as well, you will experience the old code page mismatch problem.
The CIFS protocol itself has support for Unicode. Hopefully, it will be implemented in [[OpenAFS]] in the future. (from J. Altman)
-### <a name="Why do my 2 GB+ files break?"></a> Why do my 2 GB+ files break?
+### Why do my 2 GB+ files break?
First of all, note that the default cache size is 20 MB, which means a 2 GB file will flush the cache directly. Second, [[OpenAFS]] does not yet support files larger than 2<sup>31</sup> bytes, which is 2 GB.
-### <a name="Why does the Client Service cras"></a> Why does the Client Service crash when I start my laptop?
+### Why does the Client Service crash when I start my laptop?
If the [[OpenAFS]] Client Service cannot connect to your home cell when it starts, it will crash.
To solve this problem, look up Freelance Mode in the [[WindowsConfigurationReferenceGuide]].
-### <a name="Why does _OpenAFS for Windows cr"></a> Why does [[OpenAFS]] for Windows crash on my Hyperthreaded Pentium 4?
+### Why does [[OpenAFS]] for Windows crash on my Hyperthreaded Pentium 4?
This is due to a known bug. Set `MaxCPUs` (type DWORD) (in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters`) to 1. This restricts the [[OpenAFS]] Client Service to use one processor.
-## <a name="Error Messages"></a> Error Messages
+## Error Messages
-### <a name="I receive a "Delayed Write failu"></a> I receive a "Delayed Write failure" error when saving documents from Microsoft Office to AFS volumes. What can I do?
+### I receive a "Delayed Write failure" error when saving documents from Microsoft Office to AFS volumes. What can I do?
Windows has support for a concept known as Overlapped I/O. It is frequently used in Microsoft Office programs. The idea is that the program sends several file read, or write, requests at once and handles them in the order they are completed. This way, writes to different locations do not have to wait for previous writes to complete. It is mostly a performance enhancement.
Unfortunately, [[OpenAFS]] for Windows currently does not handle these overlapping requests very well. You are probably better off saving to local disk and then copying into AFS.
-### <a name="I receive errors stating that th"></a> I receive errors stating that the AFS Client Service may not have been started; what should I do?
+### I receive errors stating that the AFS Client Service may not have been started; what should I do?
First, you should check if the service is running or not. You can do this in Control Panel\\Administration Tools\\Services. If it is not, try to start it. Won't work? File a bugreport!
If all fails, file a bugreport!
-### <a name="When I have obtained tokens usin"></a> When I have obtained tokens using Kerberos for Windows, I receive errors similar to "Ticket contained unknown key version number". What is wrong?
+### When I have obtained tokens using Kerberos for Windows, I receive errors similar to "Ticket contained unknown key version number". What is wrong?
As with most things on the computer, this error message is not entirely correct. It is not neccessarily the version number of the key that is wrong. Two of the most common reasons are
- Wrong cell. You may have obtained tokens for one cell and are now trying to reach another cell. Try doing `afslog` for the new cell if you know you should have access to it.
- Old server. Support for [[KerberosV]] tickets is a relatively new feature of [[OpenAFS]]. You will need an [[OpenAFS]] 1.2.8 or later server to use the feature. Either update the server, or disable [[KerberosV]]. Read about the latter in the [[Configuration Reference Guide|WindowsConfigurationReferenceGuide#Disable_Automatic_Use_of_KerberosV]].
-### <a name="Why can't I use _OpenAFS with an"></a> Why can't I use [[OpenAFS]] with an Active Directory KDC?
+### Why can't I use [[OpenAFS]] with an Active Directory KDC?
You can; however, Microsoft uses Kerberos tickets in a way no one anticipated during protocol design. While remaining syntactically valid, the tickets the AD KDC issues are very large: they can be 10 kB while other KDC implementations usually issue tickets around 500 bytes in size.
You will have to setup you AFS server to support the larger ticket sizes, or update your server.
-### <a name="Why can't I install _OpenAFS on"></a><a name="Why can't I install _OpenAFS on "></a> Why can't I install [[OpenAFS]] on Windows NT, ME or 9x?
+### Why can't I install [[OpenAFS]] on Windows NT, ME or 9x?
As of version 1.3.65, the old Windows branch will no longer be maintained. The interface for the Windows NT series and the Windows 9x series are completely different. Most users now use Windows 2000 or newer. Less has changed between Windows NT 4 and Windows 2000, but the developer community has decided to discontinue support for Windows NT 4 too.
The main reason for this decision is a lack of developers and funding. [[OpenAFS]] for Windows is a free project and requires donations, or developers with time left, to move forward. Old versions of [[OpenAFS]] for Windows 9x and NT 4 are still available.
-### <a name="Why do I receive "AFS is still s"></a> Why do I receive "AFS is still starting. Retry?" messages when I have turned off "Obtain tokens at logon"?
+### Why do I receive "AFS is still starting. Retry?" messages when I have turned off "Obtain tokens at logon"?
The AFS Client Service is trying to start, but is waiting for something. This may be a slow or non-existent DNS server, a faulty AFS server, or simply an unplugged cable. The important thing to know is that AFS does not have enough information to begin normal operation. Check your DNS, AFS servers and [[CellServDB]].
-### <a name="What is this _MrxSmb event 3019"></a><a name="What is this _MrxSmb event 3019 "></a> What is this [[MrxSmb]] event 3019 that pops up in my System Log?
+### What is this [[MrxSmb]] event 3019 that pops up in my System Log?
The [[MrxSmb]] event 3019 is due to the use of the [[WindowsLoopBackAdapter]]. It can be safely ignored. (from [JSI FAQ, 3136](http://www.jsiinc.com/SUBG/TIP3100/rh3136.htm))
-### <a name="Why isn't the AFS Light Gateway"></a><a name="Why isn't the AFS Light Gateway "></a> Why isn't the AFS Light Gateway working anymore?
+### Why isn't the AFS Light Gateway working anymore?
The Light Gateway works by simply publishing what [[OpenAFS]] has already built for internal use. If you install the [[WindowsLoopBackAdapter]], the submounts will only be published on the local computer. Either remove the Loop Back Adapter, or stop using the gateway functionality.
-## <a name="Features"></a> Features
+## Features
-### <a name="There is only one cell listed in"></a> There is only one cell listed in `\\AFS\all` or when browsing `\\AFS`. Where are all my cells?
+### There is only one cell listed in `\\AFS\all` or when browsing `\\AFS`. Where are all my cells?
There are two possible reasons:
-#### <a name="Broken Root Volume"></a> Broken Root Volume
+#### Broken Root Volume
You may have chosen the wrong default cell. Maybe that cell only has one cell mounted at the root.
-#### <a name="Freelance Mode"></a> Freelance Mode
+#### Freelance Mode
Your computer is currently using Freelance Mode. Read about that below.
-### <a name="What happened to the files in th"></a> What happened to the files in the Windows directory, like `afsdcell.ini`, `afs_freelance.ini` and `afsdsbmt.ini`?
+### What happened to the files in the Windows directory, like `afsdcell.ini`, `afs_freelance.ini` and `afsdsbmt.ini`?
They are gone. All INI files but one have been put into the Windows registry. Use the [[WindowsConfigurationReferenceGuide]] and `regedit` to change them.
The only file preserved is the `afsdsbmt.ini`, which is now called `CellServDB` and moved to `C:\Program Files\OpenAFS\Client\` (default location).
-### <a name="Why can I not use fs to set the"></a><a name="Why can I not use fs to set the "></a> Why can I not use `fs` to set the X option anymore?
+### Why can I not use `fs` to set the X option anymore?
Starting with version 1.3.65 several settings now require Administrator privileges to change them.
-### <a name="Why should I abandon Kerberos 4?"></a> Why should I abandon Kerberos 4?
+### Why should I abandon Kerberos 4?
A giant security hole was found in the Kerberos 4 protocol. This led the world to move over to the (already deployed) more secure Kerberos 5 protocol. The problem occurs when using trusted domains.
Recent updates to [[OpenAFS]] include support for Kerberos 5. If your cell still uses **_kaserver_** or a plain Kerberos 4 server, you should update them to use Kerberos 5. The **_kaserver_** can be seen as deprecated. The most common Kerberos 5 servers (KDCs) are [Heimdal](http://www.pdc.kth.se/heimdal/), [MIT Kerberos](http://web.mit.edu/kerberos/www/) and [Microsoft's Active Directory services](http://www.microsoft.com/).
-### <a name="What is the difference between t"></a> What is the difference between the Nullsoft Installer (.exe) and the Microsoft Installer (.msi)?
+### What is the difference between the Nullsoft Installer (.exe) and the Microsoft Installer (.msi)?
[[OpenAFS]] for Windows is distributed in two different packages. The first uses the Nullsoft Install System (NSIS) and is a stand-alone executable file. The second is the Microsoft (Windows) Installer (MSI) package, which relies on the pre-installed Microsoft Installer.
For more information, see the [MSI Deployment Guide](http://www.openafs.org/dl/openafs/1.3.70/winnt/msi-deployment-guide.txt).
-## <a name="Nomenclature"></a> Nomenclature
+## Nomenclature
-### <a name="What is "Freelance Mode"?"></a> What is "Freelance Mode"?
+### What is "Freelance Mode"?
AFS was originally intended to be run on stationary office computers. It required the AFS servers to be reachable at any time. Laptop computers operate differently: users disconnect and connect their computers to different networks several times a day. This led the AFS community to invent "Freelance Mode." Since the user's default cell determines which cells will be visible to the user, a workaround was neccessary when laptops began moving around.
To switch Freelance Mode on and off, please read the [[Configuration Reference|WindowsConfigurationReferenceGuide#Freelance_Client_Support]].
-### <a name="What is "High Security Mode"?"></a> What is "High Security Mode"?
+### What is "High Security Mode"?
It is a deprecated way of achieving a modicum of security. Before the [[OpenAFS]] for Windows client was able to use authenticated SMB connections, you had a potential security risk when more than one user was logging on to the same computer at once.
The High Security Mode created a SMB share with a random name (instead of the default <tt>\\\\machine-AFS</tt>), thus making it harder for anyone else to connect to it. There is no reason to use High Security Mode now that [[OpenAFS]] for Windows supports SMB authentication.
-### <a name="What is the Microsoft Loop Back"></a><a name="What is the Microsoft Loop Back "></a> What is the Microsoft Loop Back Adapter?
+### What is the Microsoft Loop Back Adapter?
See the [[WindowsLoopBackAdapter]] page.
-### <a name="What is a "submount"?"></a> What is a "submount"?
+### What is a "submount"?
A submount is used in [[OpenAFS]] for Windows to map drives. Instead of mapping drives directly to the AFS server, the [[OpenAFS]] Client uses another approach. It uses the CIFS file system as an intermediary. So, the Windows computer really thinks it maps a normal Windows share. These shares are the same thing as a submount. When you want to map a drive, the [[OpenAFS]] service creates a submount, exports it for Windows to see it, and maps the share. The submount "all" is always available and is the root of the AFS file system (`/afs` in Unix). This means you can always access any cell by writing `\\AFS\all\cell\...`.
This is a quick-and-dirty approach, but it has an upside. In Unix, the way to shorten a path is to install a symbolic link. In Windows, this is not possible. Using submounts, however, you can create shortcuts to any AFS path. Say you often use the path `/afs/openafs.org/usr/someone/development/code/openafs/src/WINNT`. Then you could create a submount (say, "openafs-nt") of it, thus reducing the path to `\\AFS\openafs-nt`.
-### <a name="What is "Symbol Information"?"></a> What is "Symbol Information"?
+### What is "Symbol Information"?
When installing [[OpenAFS]], you have the option of installing symbol information. This helps the developers track down crashes. It is only informational, and if you don't intend to send bug reports (you really should), there is no need for this feature.
git://git.openafs.org / openafs-wiki.git / commitdiff