From 18a59167044738b41753ad4f93847b0d4054bd57 Mon Sep 17 00:00:00 2001 From: Adam Megacz Date: Fri, 30 Mar 2007 18:13:54 +0000 Subject: [PATCH] none --- AFSLore/CreatingANewCell.mdwn | 11 +++++++++++ AFSLore/UsageFAQ.mdwn | 25 ++++++++++++++++++++++++- AFSLore/WebHome.mdwn | 1 + 3 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 AFSLore/CreatingANewCell.mdwn diff --git a/AFSLore/CreatingANewCell.mdwn b/AFSLore/CreatingANewCell.mdwn new file mode 100644 index 0000000..73dc297 --- /dev/null +++ b/AFSLore/CreatingANewCell.mdwn 
@@ -0,0 +1,11 @@ +# Creating a new AFS cell + +These are some links (and commentary) to various documents that exist online that describe creating a new AFS cell. The most common problem with a lot of existing documentation is that it has you install the kaserver, which is highly deprecated. Any new cell installation really should install a conventional kerberos server (MIT, Heimdal and the Windows Active Directory server all have been used as kerberos servers for various AFS cells). + +- The [[OpenAFS]] [Quick Start Guide for Unix](http://www.openafs.org/pages/doc/QuickStartUnix/auqbg000.htm) --- derived from the Transarc 3.6 AFS document. Shows it's age in a lot of places, and takes you through using kaserver, which is highly deprecated. Still has useful information in it, however. +- The Gentoo [OpenAFS Guide](http://www.gentoo.org/doc/en/openafs.xml) From the Gentoo Linux distribution. Again, takes you through using kaserver, which is highly deprecated. +- [[http://kula.public.iastate.edu/talks/afs-bpw-2005/|Main/UsingNetBSDToProvideAFSAndKerberosServices]] Talk from the 2005 AFS & Kerb Workshop, describing how to use [[NetBSD]] to provide AFS and Kerberos services. Some steps are [[NetBSD]] specific, but there are key bits of info in there on using a Heimdal KDC as your kerberos server. +- [[http://kula.public.iastate.edu/talks/afs-bpw-2006/|Main/UsingOSXToProvideAFSAndKerberosServices]] Talk from the 2006 AFS & Kerb Workshop, describing how to use OS X to provide AFS and Kerberos services. Some steps are OS X specific, but there are key bits of info in there on using an MIT KDC as your kerberos server. +- [[http://www.pmw.org/afsbpw06/talks/shadow-AD.pdf|Main/UtilizingActiveDirectoryAsTheAFSKDC]] (pdf) Talk from the 2006 AFS & Kerb Workshop, describing how to use Active Directory as your kerberos server for an AFS cell. + +-- [[ThomasKula]] - 30 Mar 2007 diff --git a/AFSLore/UsageFAQ.mdwn b/AFSLore/UsageFAQ.mdwn index 8b81c37..3a4c22c 100644 
--- a/AFSLore/UsageFAQ.mdwn +++ b/AFSLore/UsageFAQ.mdwn @@ -28,6 +28,7 @@ The Usage Section of the [[AFSFrequentlyAskedQuestions]].
  • 2.18 Can I klog as two users on a machine in the same cell?
  • 2.19 What are the ~/.__afsXXXX files?
  • 2.20 How do you set up IP-based ACLs?
  • +
  • 2.21 What meaning do the UNIX owner, group, and mode bits have in AFS?
  • @@ -58,7 +59,7 @@ AFS provides access control lists to give more precise control to users wishing **File permissions:** [ User ] -Unix mode bits for group and other are ignored. The mode bits for the file owner don't work the way they used to. +Unix mode bits for group and other are ignored. The mode bits for the file owner don't work the way they used to. See also question 2.21. Users should protect their AFS files with (directory) ACLs only. Just use mode bits to make a file executable. 
@@ -460,3 +461,25 @@ Newer versions of AFS rename such files to .\_\_afsXXXX, thus making sure that t ### 2.20 How do you set up IP-based ACLs? See [[IPAccessControl]]. + +### 2.21 What meaning do the UNIX owner, group, and mode bits have in AFS? + +In order to appear more like a local filesystem, AFS will faithfully store the numeric UID (owner), GID (group), and permission bits (read, write, and execute for user, group, and other), as well as the setuid, setgid, and sticky bits. For the most part, these values are simply recorded and reported back when requested. However, in some instances the fileserver and/or cache manager will make access control decisions based in part on these values. + +The following is believed to be a complete list of those circumstances. + +- fileserver + - the fileserver will not allow a file to be read unless the u+r (user read) bit is set + - the fileserver will not allow a file to be written to unless the u+w (user write) bit is set + - if the user's numeric pts identity is equal to the numeric UNIX owner of the root directory of a volume, then the fileserver will act as if that user had implicit "a" rights on every directory in the volume. + - the fileserver will only allow the mode bits on a file (ugo+rwx) to be changed if the user has write (w) and lookup (l) rights on the directory containing the file. + - the fileserver will only allow the mode bits on a directory to be changed if the user has delete (d) insert (i) and lookup (l) rights on the directory. + - only members of system:administrators can change the user or group of a file. + +- client (cache manager) + - if enabled for a cell, the setuid and setgid bits will be treated according to their usual UNIX semantics + - the client will refuse to execute a file unless the u+rx (user read and execute) bits are set + +In particular, the sticky bit, group of a file, g+rwx, and o+rwx bits are completely ignored by all AFS components. 
Additionally, the u+rwx bits are ignored on directories. + +Newly created files and directories are given a UNIX user numerically equal to the pts identity of the user who created the file or directory. Initial mode bits are assigned based on the creating user's umask. diff --git a/AFSLore/WebHome.mdwn b/AFSLore/WebHome.mdwn index f2da352..fb1dbf7 100644 --- a/AFSLore/WebHome.mdwn +++ b/AFSLore/WebHome.mdwn @@ -2,6 +2,7 @@ Welcome to the home of **%WIKITOOLNAME%.%WEB%**. This is a web-based collaborati - What is AFS? - [[GettingStarted]] +- [[CreatingANewCell]] - [[AFSFrequentlyAskedQuestions]] - [[WhereToGetHelp]] - AFS3 [[ProtocolInfo]] -- 1.9.4
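Review bot: the new CreatingANewCell.mdwn mixes two link syntaxes: the first two entries use markdown `[text](url)`, while the three workshop-talk entries use `[[http://...|Main/UsingNetBSDToProvideAFSAndKerberosServices]]`, which leaves a TWiki page path as the visible link text instead of a title. Convert those to the same `[Talk title](url)` form as the rest of the list. Two wording fixes in the same hunk: "Shows it's age" should be "Shows its age", and the Gentoo entry needs punctuation after "[OpenAFS Guide](http://www.gentoo.org/doc/en/openafs.xml)" before "From the Gentoo Linux distribution".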
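Review bot: the @@ -28,6 +28,7 @@ hunk in UsageFAQ.mdwn adds an empty line (the bare "+") between the 2.20 and 2.21 entries of the question index. A blank line between list items changes how the list renders in markdown and makes 2.21 look like a separate list; drop the blank line so 2.21 follows 2.20 directly, as the other entries do.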
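Review bot: in the @@ -460,3 +461,25 @@ hunk the rule "if the user's numeric pts identity is equal to the numeric UNIX owner of the root directory of a volume, then the fileserver will act as if that user had implicit "a" rights on every directory in the volume" is the one access-control consequence a reader needs to notice, and it is buried mid-list. Together with the last paragraph (new files and directories get a UNIX owner equal to the creator's pts id) and the rule that only system:administrators can change the owner, it means the owner of a volume's root directory retains administer rights over the whole volume regardless of the directory ACLs; call that out in its own sentence so that administrators know to check the root-directory owner when auditing a volume. Two smaller points in the same hunk: the u+r and u+w fileserver checks should say they apply in addition to, not instead of, the directory ACL (otherwise the bullet reads as if u+r alone grants read), and "delete (d) insert (i) and lookup (l)" needs commas. Since the hunk states the list is only "believed to be a complete list", note which OpenAFS version it was checked against.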
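Review bot: the @@ -58,7 +59,7 @@ hunk adds "See also question 2.21." as plain text, while the surrounding page links to other questions with wiki links; make it a link to the 2.21 heading added further down in the same file so the cross-reference stays clickable.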