1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
5 >Managing the NFS/AFS Translator</TITLE
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
10 TITLE="AFS Administration Guide"
11 HREF="book1.html"><LINK
13 TITLE="Managing Administrative Privilege"
14 HREF="c32432.html"><LINK
16 TITLE="Using AFS Commands"
17 HREF="a33826.html"></HEAD
28 SUMMARY="Header navigation table"
37 >AFS Administration Guide: Version 3.6</TH
74 >Appendix A. Managing the NFS/AFS Translator</H1
76 >The NFS(R)/AFS(R) Translator enables users working on NFS client machines to access, create and remove files stored in AFS.
77 This chapter assumes familiarity with both NFS and AFS.</P
84 >Summary of Instructions</A
87 >This chapter explains how to perform the following tasks by using the indicated commands:</P
102 >Mount directory on translator machine</TD
114 >Examine value of <SPAN
132 >Enable/disable reexport of AFS, set other parameters</TD
144 >Assign AFS tokens to user on NFS client machine</TD
167 >The NFS/AFS Translator enables users on NFS client machines to access the AFS filespace as if they are working on an AFS
168 client machine, which facilitates collaboration with other AFS users.</P
174 >NFS/AFS translator machine</I
180 >ltranslator machine</I
183 configured as both an AFS client and an NFS server: <UL
186 >Its AFS client functionality enables it to access the AFS filespace. The Cache Manager requests and caches files
187 from AFS file server machines, and can even maintain tokens for NFS users, if you have made the configuration changes that
188 enable NFS users to authenticate with AFS.</P
192 >Its NFS server functionality makes it possible for the translator machine to export the AFS filespace to NFS client
193 machines. When a user on an NFS client machine mounts the translator machine's <SPAN
200 directory (or one of its subdirectories, if that feature is enabled), access to AFS is immediate and transparent. The NFS
201 client machine does not need to run any AFS software.</P
211 >Enabling Unauthenticated or Authenticated AFS Access</A
214 >By configuring the translation environment appropriately, you can provide either unauthenticated or authenticated access
215 to AFS from NFS client machines. The sections of this chapter on configuring translator machines, NFS client machines, and AFS
216 user accounts explain how to configure the translation environment appropriately. <UL
219 >If you configure the environment for unauthenticated access, the AFS File Server considers the NFS users to be the
226 >. They can access only those AFS files and directories for which the
227 access control list (ACL) extends the required permissions to the <SPAN
234 They can issue only those AFS commands that do not require privilege, and then only if their NFS client machine is a
235 system type for which AFS binaries are available and accessible by the <SPAN
242 group. Such users presumably do not have AFS accounts.</P
246 >If you configure the environment for authenticated access, you must create entries in the AFS Authentication and
247 Protection Databases for the NFS users. The authentication procedure they use depends on whether the NFS client machine
248 is a supported system type (one for which AFS binaries are available): <UL
251 >If AFS binaries are available for the NFS client machine, NFS users can issue the <SPAN
257 > command on the NFS client machine. They can access the filespace and issue AFS
258 commands to the same extent as authenticated users working on AFS client machines.</P
262 >If AFS binaries are not available for the NFS client machine, NFS users must establish a connection with the
263 translator machine (using the <SPAN
269 > utility, for example) and then issue the
282 > commands on the translator machine
283 to make its Cache Manager use the tokens correctly while users work on the NFS client. They can access the AFS
284 filespace as authenticated users, but cannot issue AFS commands. For instructions, see <A
285 HREF="a33047.html#HDRWQ612"
286 >Authenticating on Unsupported NFS Client Machines</A
301 >Setting the AFSSERVER and AFSCONF Environment Variables</A
304 >If you wish to enable your NFS users to issue AFS commands, you must define the AFSSERVER and AFSCONF environment
305 variables in their command shell. This section explains the variables' function and outlines the various methods for setting
308 >Issuing AFS commands also requires that the NFS client machine is a supported system type (one for which AFS binaries
309 are available and accessible). Users working on NFS client machines of unsupported system types can access AFS as
310 authenticated users, but they cannot issue AFS commands. It is not necessary to define the AFSSERVER and AFSCONF variables for
311 such users. For instructions on using the <SPAN
317 > command to obtain authenticated access on
318 unsupported system types, see <A
319 HREF="a33047.html#HDRWQ612"
320 >Authenticating on Unsupported NFS Client Machines</A
328 >The AFSSERVER Variable</A
331 >The AFSSERVER variable designates the AFS client machine that performs two functions for NFS clients: <UL
334 >It acts as the NFS client's <SPAN
340 > by executing AFS-specific system calls on its
341 behalf, such as those invoked by the <SPAN
354 commands and by many commands in the AFS suites.</P
358 >Its stores the tokens that NFS users obtain when they authenticate with AFS. This implies that the remote
359 executor machine and the translator machine must be the same if the user needs authenticated access to AFS.</P
364 >The choice of remote executor most directly affects commands that display or change Cache Manager configuration, such
383 > commands. When issued on an NFS client, these commands affect the Cache Manager on the
384 designated remote executor machine. (Note, however, that several such commands require the issuer to be logged into the
385 remote executor's local file system as the local superuser <SPAN
391 >. The ability of NFS client
392 users to log in as <SPAN
398 > is controlled by NFS, not by the NFS/AFS Translator, so setting the
399 remote executor properly does not necessarily enable users on the NFS client to issue such commands.)</P
401 >The choice of remote executor is also relevant for AFS commands that do not concern Cache Manager configuration but
402 rather have the same result on every machine, such as the <SPAN
408 > commands that display or set
409 ACLs and volume quota. These commands take an AFS path as one of their arguments. If the Cache Manager on the remote
410 executor machine mounts the AFS filespace at the <SPAN
416 > directory, as is conventional for AFS
417 clients, then the pathname specified on the NFS client must begin with the string <SPAN
424 the Cache Manager to understand it. This implies that the remote executor must be the NFS client's primary translator
425 machine (the one whose <SPAN
431 > directory is mounted at <SPAN
438 on the NFS client). </P
446 >The AFSCONF Variable</A
449 >The AFSCONF environment variable names the directory that houses the <SPAN
462 > files to use when running AFS commands issued on the NFS client machine. As on
463 an AFS client, these files determine the default cell for command execution.</P
465 >For predictable performance, it is best that the files in the directory named by the AFSCONF variable match those in
472 > directory on the translator machine. If your cell has an AFS directory
473 that serves as the central update source for files in the <SPAN
480 simplest to set the AFSCONF variable to refer to it. In the conventional configuration, this directory is called <SPAN
500 >Setting Values for the Variables</A
503 >To learn the values of the AFSSERVER and AFSCONF variables, AFS command interpreters consult the following three
504 sources in sequence: <OL
508 >The current command shell's environment variable definitions</P
525 issuer's home directory</P
542 client machine's root (<SPAN
548 >) directory. If the client machine is diskless, its root directory can
549 reside on an NFS server machine.</P
554 >(Actually, before consulting these sources, the NFS client looks for the <SPAN
567 > files in its own <SPAN
574 the directory exists, the NFS client does not use the value of the AFSCONF variable. However, the <SPAN
580 > directory usually exists only on AFS clients, not NFS clients.)</P
582 >As previously detailed, correct performance generally requires that the remote executor machine be the NFS client's
583 primary translator machine (the one whose <SPAN
589 > directory is mounted at the <SPAN
595 > directory on the NFS client). The requirement holds for all users accessing AFS from the NFS
596 client, so it is usually simplest to create the <SPAN
602 > file in the NFS client's root
603 directory. The main reason to create the file in a user's home directory or to set the AFSSERVER environment variable in the
604 current command shell is that the user needs to switch to a different translator machine, perhaps because the original one
605 has become inaccessible.</P
607 >Similarly, it generally makes sense to create the <SPAN
613 > file in the NFS client's
614 root directory. Creating it in the user's home directory or setting the AFSCONF environment variable in the current command
615 shell is useful mostly when there is a reason to specify a different set of database server machines for the cell, perhaps
616 in a testing situation.</P
625 >Delayed Writes for Files Saved on NFS Client Machines</A
628 >When an application running on an AFS client machine issues the <SPAN
640 > system call on a file, the Cache Manager by default performs a synchronous write of the data to
641 the File Server. (For further discussion, see <A
642 HREF="c667.html#HDRWQ33"
643 >AFS Implements Save on Close</A
645 HREF="c21473.html#HDRWQ418"
646 >Enabling Asynchronous Writes</A
649 >To avoid degrading performance for the AFS users working on a translator machine, AFS does not perform synchronous
650 writes for applications running on the translator machine's NFS clients. Instead, one of the Cache Manager daemons (the
651 maintenance daemon) checks every 60 seconds for chunks in the cache that contain data saved on NFS clients, and writes their
652 contents to the File Server. This does not guarantee that data saved on NFS clients is written to the File Server within 60
653 seconds, but only that the <SPAN
657 >maintenance daemon</I
659 > checks for and begins the write of data at that
662 >Furthermore, AFS always ignores the <SPAN
668 > system call as issued on an NFS client. The
669 call requires an immediate and possibly time-consuming response from the File Server, which potentially causes delays for
670 other AFS clients of the File Server. NFS version 3 automatically issues the <SPAN
677 call directly after the <SPAN
683 > call, but the Cache Manager ignores it and handles the
684 operation just like a regular <SPAN
692 >The delayed write mechanism means that there is usually a delay between the time when an NFS application issues the
705 > system call on a file and the time when the
706 changes are recorded at the File Server, which is when they become visible to users working on other AFS client machines
707 (either directly or on its NFS clients). The delay is likely to be longer than for files saved by users working directly on an
708 AFS client machine.</P
710 >The exact amount of delay is difficult to predict. The NFS protocol itself allows a standard delay before saved data
711 must be transferred from the NFS client to the NFS server (the translator machine). The modified data remains in the
712 translator machine's AFS client cache until the maintenance daemon's next scheduled check for such data, and it takes
713 additional time to transfer the data to the File Server. The maintenance daemon uses a single thread, so there can be
714 additional delay if it takes more than 60 seconds to write out all of the modified NFS data. That is, if the maintenance
715 daemon is still writing data at the time of the next scheduled check, it cannot notice any additional modified data until the
716 scheduled time after it completes the long write operation.</P
718 >The Cache Manager's response to the <SPAN
724 > system call is the same whether it is issued
725 on an AFS client machine or on an NFS client of a translator machine: it records the modifications in the local AFS client
735 >Configuring NFS/AFS Translator Machines</A
738 >To act as an NFS/AFS translator machine, a machine must configured as follows: <UL
741 >It must be an AFS client. Many system types supported as AFS clients can be translator machines. To learn about
742 possible restrictions in a specific release of AFS, see the <SPAN
746 >IBM AFS Release Notes</I
752 >It must be an NFS server. The appropriate number of NFS server daemons (<SPAN
759 others) depends on the anticipated NFS client load.</P
763 >It must export the local directory on which the AFS filespace is mounted, <SPAN
775 >If users on a translator machine's NFS clients are to issue AFS commands, the translator machine must also meet the
776 requirements discussed in <A
777 HREF="a33047.html#HDRRMTSYS"
778 >Configuring the Translator Machine to Accept AFS Commands</A
786 >Loading NFS and AFS Kernel Extensions</A
789 >The AFS distribution for system types that can act as NFS/AFS Translator machines usually includes two versions of the
790 AFS kernel extensions file, one for machines where the kernel supports NFS server functionality, and one for machines not
791 using NFS (the latter AFS kernel extensions file generally has the string <SPAN
798 A translator machine must use the NFS-enabled version of the AFS extensions file. On some system types, you select the
799 appropriate file by moving it to a certain location, whereas on other system types you set a variable that results in
800 automatic selection of the correct file. See the instructions in the <SPAN
804 >IBM AFS Quick Beginnings</I
807 incorporating AFS into the kernel on each system type.</P
809 >On many system types, NFS is included in the kernel by default, so it is not necessary to load NFS kernel extensions
810 explicitly. On system types where you must load NFS extensions, then in general you must load them before loading the AFS
811 kernel extensions. The <SPAN
815 >IBM AFS Quick Beginnings</I
817 > describes how to incorporate the AFS initialization
818 script into a machine's startup sequence so that it is ordered correctly with respect to the script that handles NFS.</P
820 >In addition, the AFS extensions must be loaded into the kernel before the <SPAN
827 runs. The AFS initialization script included in the AFS distribution correctly orders the loading and <SPAN
841 >Configuring the Translator Machine to Accept AFS Commands</A
844 >For users working on a translator machine's NFS clients to issue AFS commands, the <SPAN
850 > flag must be included on the <SPAN
856 > command which initializes
857 the translator machine's Cache Manager. The flag starts an additional daemon (the <SPAN
864 daemon), which executes AFS-specific system calls on behalf of NFS clients. For a discussion of the implications of NFS users
865 issuing AFS commands, see <A
866 HREF="a33047.html#HDRWQ600"
867 >Setting the AFSSERVER and AFSCONF Environment Variables</A
870 >The instructions in the IBM AFS Quick Beginnings for configuring the Cache Manager explain how to add options such as
884 initialization script. On many system types, it is simplest to list the flag on the line in the script that defines the
885 OPTIONS variable. The <SPAN
889 >remote executor daemon</I
891 > does not consume many resources, so it is simplest to add it
898 > command on every translator machine, even if not all users on the machine's NFS
899 clients issue AFS commands.</P
907 >Controlling Optional Translator Features</A
910 >After an AFS client machine is configured as a translator machine, it by default exports the AFS filespace to NFS
911 clients. You can disable and reenable translator functionality by using the <SPAN
924 > argument. The command's other arguments control other aspects of translator
934 > argument controls whether the second and third (<SPAN
946 >) sets of UNIX mode bits on an AFS file or
947 directory being exported to NFS are set to match the first (<SPAN
954 default, the mode bits are set to match.</P
956 >Unlike AFS, NFS uses all three sets of mode bits when determining whether a user can read or write a file, even
957 one stored in AFS. Some AFS files possibly do not have any <SPAN
969 > mode bits turned on, because AFS uses only the <SPAN
976 in combination with the ACL on the file's directory. If only the <SPAN
983 set, NFS allows only the file's owner of the file to read or write it. Setting the <SPAN
989 > argument to the value <SPAN
995 > enables other users to access
996 the file in the same manner as the owner. Setting the value <SPAN
1002 > preserves the mode bits
1003 set on the file as stored in AFS.</P
1013 > argument controls whether tokens can be assigned to an NFS user
1014 whose local UID on the NFS client machine differs from the local UID associated with the tokens on the translator
1015 machine. By default, this is possible.</P
1017 >If you turn on UID checking by setting the value <SPAN
1023 >, then tokens can be assigned
1024 only to an NFS user whose local UID matches the local UID of the process on the translator machine that is assigning the
1025 tokens. One consequence is that there is no point in including the <SPAN
1038 > command: the only acceptable value is the local UID of the command's issuer, which
1039 is the value used when the <SPAN
1045 > argument is omitted. Requiring matching UIDs in this way
1046 is effective only when users have the same local UID on the translator machine as on NFS client machines. In that case,
1047 it guarantees that users assign their tokens only to their own NFS sessions. For instructions, see <A
1048 HREF="a33047.html#HDRWQ612"
1049 >Authenticating on Unsupported NFS Client Machines</A
1058 >Turning on UID checking also prevents users on supported NFS clients from using the <SPAN
1064 > command to authenticate on the NFS client directly. They must authenticated and use the
1071 > command on the translator machine instead. This is because after the <SPAN
1077 > command interpreter obtains the token on the NFS client, it passes it to the Cache
1078 Manager's remote executor daemon, which makes the system call that stores the token in a credential structure on the
1079 translator machine. The remote executor generally runs as the local superuser <SPAN
1086 so in most cases its local UID (normally zero) does not match the local UID of the user who issued the <SPAN
1092 > command on the NFS client machine.</P
1094 >On the other hand, although using the <SPAN
1100 > command instead of the <SPAN
1106 > command is possibly less convenient for users, it eliminates a security exposure: the
1113 > command interpreter passes the token across the network to the remote executor
1114 daemon in clear text mode.</P
1118 >If you disable UID checking by assigning the value <SPAN
1124 > , the issuer of the
1131 > command can assign tokens to a user who has a different local UID on the NFS
1132 client machine, such as the local superuser <SPAN
1138 >. Indeed, more than one issuer of the
1145 > command can assign tokens to the same user on the NFS client machine. Each time a
1146 different user issues the <SPAN
1152 > command with the same value for the <SPAN
1158 > argument, that user's tokens overwrite the existing ones. This can result in unpredictable
1159 access for the NFS user.</P
1169 > argument controls whether users on the NFS client can mount AFS
1170 directories other than the top-level <SPAN
1176 > directory. By default, the translator does
1177 not permit these submounts.</P
1179 >Submounts can be useful in a couple of circumstances. If, for example, NFS users need to access their own AFS home
1180 directories only, then creating a submount to it eliminates the need for them to know or enter the complete path.
1181 Similarly, you can use a submount to prevent users from accessing parts of the filespace higher in the AFS hierarchy
1182 than the submount.</P
1193 >To configure an NFS/AFS translator machine</A
1196 >The following instructions configure the translator to enable users to issue AFS commands. Omit Step <A
1197 HREF="a33047.html#LIWQ605"
1199 > if you do not want to enable this functionality. <OL
1203 >Become the local superuser <SPAN
1209 > on the machine, if you are not already, by
1217 CLASS="programlisting"
1234 >Configure the NFS/AFS translator machine as an NFS server, if it is not already. Follow the instructions provided
1235 by your NFS supplier. The appropriate number of NFS server daemons (such as <SPAN
1242 depends on the number of potential NFS clients.</P
1246 >Configure the NFS/AFS translator machine as an AFS client, if it is not already. For the most predictable
1247 performance, the translator machine's local copies of the <SPAN
1251 >/usr/vice/etc/CellServDB</B
1258 >/usr/vice/etc/ThisCell</B
1260 > files must be the same as on other client machines in the
1266 NAME="LITRANS-MOUNTFILE"
1268 >Modify the file that controls mounting of directories on the machine by remote
1272 >On systems that use the <SPAN
1278 > file, edit it to enable export of the
1285 > directory to NFS clients. You can list the names of specific NFS client
1286 machines if you want to provide access only to certain users. For a description of the file's format, see the NFS
1287 manual page for <SPAN
1295 >The following example enables any NFS client machine to mount the machine's <SPAN
1316 CLASS="programlisting"
1324 >On system types that use the <SPAN
1330 > command, edit the <SPAN
1336 > file or equivalent to include <SPAN
1343 instructions that enable remote mounts of the <SPAN
1349 > directory. Most distributions
1350 include the binary as <SPAN
1356 >. The following example commands enable
1357 remote mounts of the root ( <SPAN
1370 directories. To verify the correct syntax, consult the manual page for the <SPAN
1378 CLASS="programlisting"
1379 > share -F nfs -o rw -d "root" /
1380 share -F nfs -o rw -d "afs gateway" /afs
1389 >Edit the machine's AFS initialization file to invoke the standard UNIX <SPAN
1396 command after the <SPAN
1402 > program runs. On some system types, the modifications you made
1404 HREF="a33047.html#LITRANS-MOUNTFILE"
1406 > are not enough to enable exporting the AFS filespace via the
1413 > directory, because the resulting configuration changes are made before the
1420 > program runs during machine initialization. Only after the <SPAN
1426 > program runs does the <SPAN
1432 > directory become the mount point
1433 for the entire AFS filespace; before, it is a local directory like any other.</P
1446 > command in the AFS initialization file to
1455 >For system types other than IRIX, the instructions in the <SPAN
1459 >IBM AFS Quick Beginnings</I
1462 configuring the Cache Manager explain how to add the <SPAN
1468 > flag, for example by
1469 adding it to the line in the script that defines the value for the OPTIONS variable.</P
1471 >On IRIX systems, the AFS initialization script automatically adds the <SPAN
1478 flag if you have activated the <SPAN
1484 > configuration variable as instructed in the
1489 >IBM AFS Quick Beginnings</I
1491 > instructions for incorporating AFS extensions into the kernel. If the
1492 variable is not already activated, issue the following command.</P
1494 CLASS="programlisting"
1499 >/etc/chkconfig -f afsxnfs on</B
1512 > Depending on the number of NFS clients you expect this machine to
1513 serve, it can be beneficial to add other arguments to the <SPAN
1519 > command in the machine's
1520 initialization file, such as the <SPAN
1526 > argument to set the number of background
1529 >Administering Client Machines and the Cache Manager</A
1536 > reference page in the <SPAN
1540 >IBM AFS Administration Reference</I
1546 >Reboot the machine. On many system types, the appropriate command is <SPAN
1553 consult your operating system administrator's guide. <PRE
1554 CLASS="programlisting"
1561 > appropriate_options
1574 >To disable or enable Translator functionality, or set optional features</A
1580 >Become the local superuser <SPAN
1586 > on the machine, if you are not already, by issuing
1594 CLASS="programlisting"
1618 CLASS="programlisting"
1623 >fs exportafs nfs</B
1701 CLASS="variablelist"
1713 >Disables translator functionality if the value is <SPAN
1719 > or reenables it if
1726 >. Omit this argument to display the current setting of all
1727 parameters set by this command.</P
1739 >Controls the setting of the second and third (<SPAN
1751 >) sets of UNIX mode bits on AFS files and directories as exported to NFS clients If
1758 >, they are set to match the <SPAN
1765 mode bits. If the value is <SPAN
1771 >, the bits are not changed. If this argument is
1772 omitted, the default value is <SPAN
1790 >Controls whether issuers of the <SPAN
1796 > command can specify a value for its
1803 > argument that does not match their AFS UID: <UL
1806 >If the value is <SPAN
1812 >, the value of the <SPAN
1818 > argument must match the issuer's local UID.</P
1822 >If the value is <SPAN
1828 >, the issuer of the <SPAN
1834 > command can use the <SPAN
1840 > argument to assign
1841 tokens to a user who has a different local UID on the NFS client machine, such as the local superuser
1853 >If this argument is omitted, the default value is <SPAN
1871 >Controls whether the translator services an NFS mount of any directory in the AFS filespace other than the
1878 > directory. If the value is <SPAN
1885 such submounts are allowed. If the value is off, only mounts of the <SPAN
1892 directory are allowed. If this argument is omitted, the default value is <SPAN
1913 >Configuring NFS Client Machines</A
1916 >Any NFS client machine that meets the following requirements can access files in AFS via the NFS/AFS Translator. It does
1917 not need to be configured as an AFS client machine. <UL
1920 >It must NFS-mount a translator machine's <SPAN
1926 > directory on a local directory, which
1927 by convention is also called <SPAN
1933 >. The following instructions explain how to add the
1940 > command to the NFS client machine's <SPAN
1947 file or equivalent.</P
1949 >The directory on which an NFS client mounts the translator's machine's <SPAN
1956 directory can be called something other than <SPAN
1962 >. For instance, to make it easy to
1963 switch to another translator machine if the original one becomes inaccessible, you can mount more than one translator
1970 > directory. Name the mount <SPAN
1977 translator machine that you normally use, and use a different name the mount to each alternate translator machine.</P
1979 >Mounting the AFS filespace on a directory other than <SPAN
1985 > introduces another
1986 requirement, however: when issuing a command that takes an AFS pathname argument, you must specify the full pathname,
1993 >, rather than a relative pathname. Suppose, for example, that a
1994 translator machine's AFS filespace is mounted at <SPAN
2000 > on an NFS client machine and you
2001 issue the following command to display the ACL on the current working directory, which is in AFS:</P
2003 CLASS="programlisting"
2019 > command interpreter on the NFS client must construct a full pathname before
2020 passing the request to the Cache Manager on the translator machine. The AFS filespace is mounted at <SPAN
2026 >, so the full pathname starts with that string. However, the Cache Manager on the translator
2027 cannot find a directory called <SPAN
2033 >, because its mount of the AFS filespace is called
2040 >. The command fails. To prevent the failure, provide the file's complete pathname,
2041 starting with the string <SPAN
2051 >It must run an appropriate number of NFS client <SPAN
2057 > daemons, which improve
2058 performance by handling pre-reading and delayed writing. Most NFS vendors recommend running four such daemons, and most
2059 NFS initialization scripts start them automatically. Consult your NFS documentation.</P
2064 >To enable users to issue AFS commands, the NFS client machine must also be a supported system type (one for which AFS
2065 binaries are available) and able to access the AFS command binaries. The <SPAN
2069 >IBM AFS Release Notes</I
2072 supported system types in each release.</P
2074 >In addition, the AFSSERVER and AFSCONF environment variables must be set appropriately, as discussed in <A
2075 HREF="a33047.html#HDRWQ600"
2076 >Setting the AFSSERVER and AFSCONF Environment Variables</A
2084 >To configure an NFS client machine to access AFS</A
2093 >The following instructions enable NFS users to issue AFS commands. Omit Step <A
2094 HREF="a33047.html#LIWQ608"
2098 HREF="a33047.html#LIWQ609"
2100 > if you do not want to enable this functionality.</P
2107 >Become the local superuser <SPAN
2113 > on the machine, if you are not already, by issuing
2121 CLASS="programlisting"
2138 >Configure the machine as an NFS client machine, if it is not already. Follow the instructions provided by your NFS
2139 vendor. The number of NFS client (<SPAN
2145 >) daemons needs to be appropriate for the expected
2146 load on this machine. The usual recommended number is four.</P
2150 >Create a directory called <SPAN
2156 > on the machine, if one does not already exist, to
2157 act as the mount point for the translator machine's <SPAN
2163 > directory. It is acceptable to
2164 use other names, but doing so introduces the limitation discussed in the introduction to this section. <PRE
2165 CLASS="programlisting"
2181 >Modify the machine's file systems registry file (<SPAN
2188 or equivalent) to include a command that mounts a translator machine's <SPAN
2195 verify the correct syntax of the <SPAN
2201 > command, see the operating system's <SPAN
2207 > manual page. The following example includes options that are appropriate on many system
2209 CLASS="programlisting"
2210 > mount -o hard,intr,timeo=300 translator_machine:/afs /afs
2215 CLASS="variablelist"
2219 CLASS="computeroutput"
2224 >Indicates that the NFS client retries NFS requests until the NFS server (translator machine) responds. When
2225 using the translator, file operations possibly take longer than with NFS alone, because they must also pass
2226 through the AFS Cache Manager. With a soft mount, a delayed response from the translator machine can cause the
2227 request to abort. Many NFS versions use hard mounts by default; if your version does not, it is best to add this
2232 CLASS="computeroutput"
2237 >Enables the user to use a keyboard interrupt signal (such as <<SPAN
2243 >>) to break the mount when the translator machine is inaccessible. Include this
2244 option only if the <SAMP
2245 CLASS="computeroutput"
2247 > option is used, in which case the connection does not
2248 automatically break off when a translator machine goes down.</P
2252 CLASS="computeroutput"
2257 >Sets the maximum time (in tenths of seconds) the translator can take to respond to the NFS client's request
2258 before the client considers the request timed out. With a hard mount, setting this option to a high number like
2259 300 reduces the number of error messages like the following, which are generated when the translator does not
2260 respond immediately. <PRE
2261 CLASS="programlisting"
2262 > NFS server translator is not responding, still trying
2266 >With a soft mount, it reduces the number of actual errors returned on timed-out requests.</P
2271 >translator_machine</VAR
2275 >Specifies the fully-qualified hostname of the translator machine whose <SPAN
2282 directory is to be mounted on the client machine's <SPAN
2300 >To mount the translator machine's <SPAN
2306 > directory onto a directory on the NFS
2307 client other than <SPAN
2313 >, substitute the alternate directory name for the second instance
2315 CLASS="computeroutput"
2338 > If appropriate, create the <SPAN
2344 > file to set the AFSSERVER environment variable for all of the machine's users. For a
2346 HREF="a33047.html#HDRWQ600"
2347 >Setting the AFSSERVER and AFSCONF Environment Variables</A
2349 line in the file, specifying the fully-qualified hostname of the translator machine that is to serve as the remote
2350 executor. To enable users to issue commands that handle tokens, it must be the machine named as translator_machine in Step
2352 HREF="a33047.html#LIWQ607"
2367 > If appropriate, create the <SPAN
2373 > file to set the AFSCONF environment variable for all of the machine's users. For a
2375 HREF="a33047.html#HDRWQ600"
2376 >Setting the AFSSERVER and AFSCONF Environment Variables</A
2378 line in the file, specifying the name of the directory where the <SPAN
2390 > files reside. If you use a central update source for these files (by convention, <SPAN
2402 >), name it here.</P
2413 >Configuring User Accounts</A
2416 >There are no requirements for NFS users to access AFS as unauthenticated users. To take advantage of more AFS
2417 functionality, however, they must meet the indicated requirements. <UL
2420 >To access AFS as authenticated users, they must of course authenticate with AFS, which requires an entry in the
2421 Protection and Authentication Databases.</P
2425 >To create and store files, they need the required ACL permissions. If you are providing a home directory for storage
2426 of personal files, it is conventional to create a dedicated volume and mount it at the user's home directory location in
2427 the AFS filespace.</P
2431 >To issue AFS commands, they must meet several additional requirements: <UL
2434 >They must be working on an NFS client machine of a supported system type and from which the AFS command
2435 binaries are accessible.</P
2439 >Their command shell must define values for the AFSSERVER and AFSCONF environment variables, as described in
2441 HREF="a33047.html#HDRWQ600"
2442 >Setting the AFSSERVER and AFSCONF Environment Variables</A
2443 >. It is often simplest to
2444 define the variables by creating <SPAN
2456 > file in the NFS client machine's root directory, but you can also either set the
2457 variables in each user's shell initialization file (<SPAN
2463 > or equivalent), or
2464 create files called <SPAN
2477 each user's home directory.</P
2481 >They must have an entry in the AFS Protection and Authentication Databases, so that they can authenticate if
2482 the command requires AFS privilege. Other commands instead require assuming the local <SPAN
2488 > identity on the translator machine; for further discussion, see <A
2489 HREF="a33047.html#HDRWQ601"
2490 >The AFSSERVER Variable</A
2495 >Their PATH environment variable must include the pathname to the appropriate AFS binaries. If a user works on
2496 NFS client machines of different system types, include the <SPAN
2503 pathname rather than an actual system type name.</P
2516 >To configure a user account for issuing AFS commands</A
2522 >Create entries for the user in the Protection and Authentication Databases, or create a complete AFS account. See
2523 the instructions for account creation in <A
2525 >Creating and Deleting User Accounts with the uss Command
2529 >Administering User Accounts</A
2537 >Modify the user's PATH environment variable to include the pathname of AFS binaries, such as
2556 >. If the user works on NFS client machines of different system types, considering
2557 replacing the specific sysname value with the <SPAN
2563 > variable. The PATH variable is
2564 commonly defined in a login or shell initialization file (such as the <SPAN
2586 > Set the AFSSERVER and AFSCONF environment variables if appropriate. This
2587 is required if the NFS client machines on which the user works do not have the <SPAN
2599 > files in their root directories, or if
2600 you want user-specific values to override those settings.</P
2602 >Either define the variables in the user's login or shell initialization file, or create the files <SPAN
2614 > files in the user's home directory.</P
2616 >For the AFSSERVER variable, specify the fully-qualified hostname of the translator machine that is to serve as the
2617 remote executor. For the AFSCONF variable, specify the name of the directory where the <SPAN
2629 > files reside. If you use a central update
2630 source for these files (by convention, <SPAN
2642 >), name it here.</P
2646 >If the pathname you defined in Step <A
2647 HREF="a33047.html#LIWQ611"
2649 > includes the <SPAN
2655 > variable, instruct users to check that their system name is defined correctly before they
2656 issue AFS commands. They issue the following command: <PRE
2657 CLASS="programlisting"
2677 >Authenticating on Unsupported NFS Client Machines</A
2686 > command enables users to authenticate with AFS when they are working on NFS
2687 clients of unsupported system types (those for which AFS binaries are not available). This enables such users to access the AFS
2688 file tree to the same extent as any other AFS user. They cannot, however, issue AFS commands, which is possible only on NFS
2689 client machines of supported system types.</P
2691 >To authenticate on an unsupported system type, establish a connection to the translator machine (using a facility such as
2698 >), and issue the <SPAN
2704 > command to obtain tokens for all
2705 the cells you wish to contact during the upcoming NFS session. Then issue the <SPAN
2712 which stores the tokens in a credential structure associated with your NFS session. The Cache Manager uses the tokens when
2713 performing AFS access requests that originate from your NFS session.</P
2715 >More specifically, the credential structure is identified by a process authentication group (PAG) number associated with a
2716 particular local UID on a specific NFS client machine. By default, the NFS UID recorded in the credential structure is the same
2717 as your local UID on the translator machine. You can include the <SPAN
2723 > argument to specify an
2724 alternate NFS UID, unless the translator machine's administrator has used the <SPAN
2737 > argument to enable UID checking. In that case, the value of the <SPAN
2743 > argument must match your local UID on the translator machine (so there is not point to including the
2750 > argument). Enforcing matching UIDs prevents someone else from placing their tokens in your
2751 credential structure, either accidentally or on purpose. However, it means that your cell's administrators must set your local
2752 UID on the NFS client to match your local UID on the translator machine. It also makes it impossible to authenticate by issuing
2759 > command on supported NFS clients, meaning that all NFS users must use the <SPAN
2766 HREF="a33047.html#HDRWQ604"
2767 >Controlling Optional Translator Features</A
2770 >After issuing the <SPAN
2776 > command, you can begin working on the NFS client with
2777 authenticated access to AFS. When you are finished working, it is a good policy to destroy your tokens by issuing the <SPAN
2783 > command on the translator machine again, this time with the <SPAN
2790 flag. This is simpler if you have left the connection to the translator machine open, but you can always establish a new
2791 connection if you closed the original one.</P
2793 >If your NFS client machine is a supported system type and you wish to issue AFS commands on it, include the <SPAN
2799 > argument to the <SPAN
2805 > command. The remote executor daemon on the
2806 translator machine substitutes its value for the <SPAN
2812 > variable in pathnames when executing AFS
2813 commands that you issue on the NFS client machine. If your PATH environment variable uses the <SPAN
2819 > variable in the pathnames for directories that house AFS binaries (as recommended), then setting
2820 this argument enables the remote executor daemon to access the AFS binaries appropriate for your NFS client machine even if its
2821 system type differs from the translator machine's.</P
2823 >If you do not issue the <SPAN
2829 > command (or the <SPAN
2836 command on the NFS client machine itself, if it is a supported system type), then you are not authenticated with AFS. For a
2837 description of unauthenticated access, see <A
2838 HREF="a33047.html#HDRWQ599"
2839 >Enabling Unauthenticated or Authenticated AFS Access</A
2848 >To authenticate using the knfs command</A
2854 >Log on to the relevant translator machine, either on the console or remotely by using a program such as <SPAN
2864 >Obtain tokens for every cell you wish to access while working on the NFS client. AFS-modified login utilities
2865 acquire a token for the translator machine's local cell by default; use <SPAN
2872 obtain tokens for other cells if desired.</P
2882 > command to create a credential structure in the translator machine's
2883 kernel memory for storing the tokens obtained in the previous step. Include the <SPAN
2890 argument to associate the structure with a UID on the NFS client that differs from your local UID on the translator
2891 machine. This is possible unless the translator machine's administrator has enabled UID checking on the translator
2893 HREF="a33047.html#HDRWQ604"
2894 >Controlling Optional Translator Features</A
2895 >. If the NFS client machine is a
2896 supported system type and you wish to issue AFS commands on it, include the <SPAN
2903 argument to specify its system type. <PRE
2904 CLASS="programlisting"
2922 >user ID (decimal)</VAR
2932 >host's '@sys' value</VAR
2938 CLASS="variablelist"
2950 >Specifies the fully-qualified hostname of the NFS client machine on which you are working.</P
2962 >Specifies a local UID number on the NFS client machine with which to associate the tokens, if different from
2963 your local UID on the translator machine. If this argument is omitted, the tokens are associated with an NFS UID
2964 that matches your local UID on the translator machine. In both cases, the NFS client software marks your AFS
2965 access requests with the NFS UID when it forwards them to the Cache Manager on the translator machine.</P
2977 >Specifies the value that the local machine's remote executor daemon substitutes for the <SPAN
2983 > variable in pathnames when executing AFS commands issued on the NFS client machine
2984 (which must be a supported system type).</P
2990 >The following error message indicates that the translator machine's administrator has enabled UID checking and you
2991 have provided a value that differs from your local UID on the translator machine.</P
2993 CLASS="programlisting"
2994 > knfs: Translator in 'passwd sync' mode; remote uid must be the same as local uid
2999 >Close the connection to the translator machine (if desired) and work on the NFS client machine.</P
3009 >To display tokens using the knfs command</A
3015 >Log on to the relevant translator machine, either on the console or remotely by using a program such as <SPAN
3031 > command with the <SPAN
3038 display the tokens associated with either the NFS UID that matches your local UID on the translator machine or the NFS UID
3039 specified by the <SPAN
3046 CLASS="programlisting"
3064 >user ID (decimal)</VAR
3076 CLASS="variablelist"
3088 >Specifies the fully-qualified hostname of the NFS client machine on which you are working.</P
3100 >Specifies the local UID on the NFS client machine for which to display tokens, if different from your local
3101 UID on the translator machine. If this argument is omitted, the tokens are for the NFS UID that matches your local
3102 UID on the translator machine.</P
3114 >Displays the tokens.</P
3122 >Close the connection to the translator machine if desired.</P
3132 >To discard tokens using the knfs command</A
3138 >If you closed your connection to the translator machine after issuing the <SPAN
3145 command, reopen it.</P
3155 > command with the <SPAN
3163 CLASS="programlisting"
3181 >user ID (decimal)</VAR
3193 CLASS="variablelist"
3205 >Specifies the fully-qualified hostname of the NFS client machine you are working on.</P
3217 >Specifies the local UID number on the NFS client machine for which to discard the associated tokens, if
3218 different from your local UID on the translator machine. If this argument is omitted, the tokens associated with
3219 an NFS UID that matches your local UID on the translator machine are discarded.</P
3231 >Discards the tokens.</P
3239 >If desired, close the connection to the translator machine.</P
3250 SUMMARY="Footer navigation table"
3289 >Managing Administrative Privilege</TD
3299 >Using AFS Commands</TD
git://git.openafs.org / openafs.git / blob