1 <?xml version="1.0" encoding="UTF-8"?>
2 <appendix id="HDRWQ595">
3 <title>Managing the NFS/AFS Translator</title>
6 <primary>NFS/AFS Translator</primary>
10 <primary>translator</primary>
12 <secondary>NFS/AFS</secondary>
15 <para>The NFS(R)/AFS(R) Translator enables users working on NFS client machines to access, create and remove files stored in AFS.
16 This chapter assumes familiarity with both NFS and AFS.</para>
19 <title>Summary of Instructions</title>
21 <para>This chapter explains how to perform the following tasks by using the indicated commands:</para>
23 <informaltable frame="none">
25 <colspec colwidth="70*" />
27 <colspec colwidth="30*" />
31 <entry>Mount directory on translator machine</entry>
33 <entry><emphasis role="bold">mount</emphasis></entry>
37 <entry>Examine value of <emphasis role="bold">@sys</emphasis> variable</entry>
39 <entry><emphasis role="bold">fs sysname</emphasis></entry>
43 <entry>Enable/disable reexport of AFS, set other parameters</entry>
45 <entry><emphasis role="bold">fs exportafs</emphasis></entry>
49 <entry>Assign AFS tokens to user on NFS client machine</entry>
51 <entry><emphasis role="bold">knfs</emphasis></entry>
59 <title>Overview</title>
61 <para>The NFS/AFS Translator enables users on NFS client machines to access the AFS filespace as if they are working on an AFS
62 client machine, which facilitates collaboration with other AFS users.</para>
64 <para>An <emphasis>NFS/AFS translator machine</emphasis> (or simply <emphasis>ltranslator machine</emphasis>) is a machine
65 configured as both an AFS client and an NFS server: <itemizedlist>
67 <para>Its AFS client functionality enables it to access the AFS filespace. The Cache Manager requests and caches files
68 from AFS file server machines, and can even maintain tokens for NFS users, if you have made the configuration changes that
69 enable NFS users to authenticate with AFS.</para>
73 <para>Its NFS server functionality makes it possible for the translator machine to export the AFS filespace to NFS client
74 machines. When a user on an NFS client machine mounts the translator machine's <emphasis role="bold">/afs</emphasis>
75 directory (or one of its subdirectories, if that feature is enabled), access to AFS is immediate and transparent. The NFS
76 client machine does not need to run any AFS software.</para>
78 </itemizedlist></para>
81 <title>Enabling Unauthenticated or Authenticated AFS Access</title>
83 <para>By configuring the translation environment appropriately, you can provide either unauthenticated or authenticated access
84 to AFS from NFS client machines. The sections of this chapter on configuring translator machines, NFS client machines, and AFS
85 user accounts explain how to configure the translation environment appropriately. <itemizedlist>
87 <para>If you configure the environment for unauthenticated access, the AFS File Server considers the NFS users to be the
88 user <emphasis role="bold">anonymous</emphasis>. They can access only those AFS files and directories for which the
89 access control list (ACL) extends the required permissions to the <emphasis role="bold">system:anyuser</emphasis> group.
90 They can issue only those AFS commands that do not require privilege, and then only if their NFS client machine is a
91 system type for which AFS binaries are available and accessible by the <emphasis role="bold">system:anyuser</emphasis>
92 group. Such users presumably do not have AFS accounts.</para>
96 <para>If you configure the environment for authenticated access, you must create entries in the AFS Authentication and
97 Protection Databases for the NFS users. The authentication procedure they use depends on whether the NFS client machine
98 is a supported system type (one for which AFS binaries are available): <itemizedlist>
100 <para>If AFS binaries are available for the NFS client machine, NFS users can issue the <emphasis
101 role="bold">klog</emphasis> command on the NFS client machine. They can access the filespace and issue AFS
102 commands to the same extent as authenticated users working on AFS client machines.</para>
106 <para>If AFS binaries are not available for the NFS client machine, NFS users must establish a connection with the
107 translator machine (using the <emphasis role="bold">telnet</emphasis> utility, for example) and then issue the
108 <emphasis role="bold">klog</emphasis> and <emphasis role="bold">knfs</emphasis> commands on the translator machine
109 to make its Cache Manager use the tokens correctly while users work on the NFS client. They can access the AFS
110 filespace as authenticated users, but cannot issue AFS commands. For instructions, see <link
111 linkend="HDRWQ612">Authenticating on Unsupported NFS Client Machines</link>.</para>
113 </itemizedlist></para>
115 </itemizedlist></para>
118 <sect2 id="HDRWQ600">
119 <title>Setting the AFSSERVER and AFSCONF Environment Variables</title>
121 <para>If you wish to enable your NFS users to issue AFS commands, you must define the AFSSERVER and AFSCONF environment
122 variables in their command shell. This section explains the variables' function and outlines the various methods for setting
125 <para>Issuing AFS commands also requires that the NFS client machine is a supported system type (one for which AFS binaries
126 are available and accessible). Users working on NFS client machines of unsupported system types can access AFS as
127 authenticated users, but they cannot issue AFS commands. It is not necessary to define the AFSSERVER and AFSCONF variables for
128 such users. For instructions on using the <emphasis role="bold">knfs</emphasis> command to obtain authenticated access on
129 unsupported system types, see <link linkend="HDRWQ612">Authenticating on Unsupported NFS Client Machines</link>. <indexterm>
130 <primary>AFSSERVER environment variable (NFS/AFS Translator)</primary>
133 <sect3 id="HDRWQ601">
134 <title>The AFSSERVER Variable</title>
136 <para>The AFSSERVER variable designates the AFS client machine that performs two functions for NFS clients: <itemizedlist>
138 <para>It acts as the NFS client's <emphasis>remote executor</emphasis> by executing AFS-specific system calls on its
139 behalf, such as those invoked by the <emphasis role="bold">klog</emphasis> and <emphasis role="bold">tokens</emphasis>
140 commands and by many commands in the AFS suites.</para>
144 <para>Its stores the tokens that NFS users obtain when they authenticate with AFS. This implies that the remote
145 executor machine and the translator machine must be the same if the user needs authenticated access to AFS.</para>
147 </itemizedlist></para>
149 <para>The choice of remote executor most directly affects commands that display or change Cache Manager configuration, such
150 as the <emphasis role="bold">fs getcacheparms</emphasis>, <emphasis role="bold">fs getcellstatus</emphasis>, and <emphasis
151 role="bold">fs setcell</emphasis> commands. When issued on an NFS client, these commands affect the Cache Manager on the
152 designated remote executor machine. (Note, however, that several such commands require the issuer to be logged into the
153 remote executor's local file system as the local superuser <emphasis role="bold">root</emphasis>. The ability of NFS client
154 users to log in as <emphasis role="bold">root</emphasis> is controlled by NFS, not by the NFS/AFS Translator, so setting the
155 remote executor properly does not necessarily enable users on the NFS client to issue such commands.)</para>
157 <para>The choice of remote executor is also relevant for AFS commands that do not concern Cache Manager configuration but
158 rather have the same result on every machine, such as the <emphasis role="bold">fs</emphasis> commands that display or set
159 ACLs and volume quota. These commands take an AFS path as one of their arguments. If the Cache Manager on the remote
160 executor machine mounts the AFS filespace at the <emphasis role="bold">/afs</emphasis> directory, as is conventional for AFS
161 clients, then the pathname specified on the NFS client must begin with the string <emphasis role="bold">/afs</emphasis> for
162 the Cache Manager to understand it. This implies that the remote executor must be the NFS client's primary translator
163 machine (the one whose <emphasis role="bold">/afs</emphasis> directory is mounted at <emphasis role="bold">/afs</emphasis>
164 on the NFS client). <indexterm>
165 <primary>NFS/AFS Translator</primary>
167 <secondary>AFSCONF environment variable</secondary>
168 </indexterm> <indexterm>
169 <primary>AFSCONF environment variable (NFS/AFS Translator)</primary>
173 <sect3 id="Header_672">
174 <title>The AFSCONF Variable</title>
176 <para>The AFSCONF environment variable names the directory that houses the <emphasis role="bold">ThisCell</emphasis> and
177 <emphasis role="bold">CellServDB</emphasis> files to use when running AFS commands issued on the NFS client machine. As on
178 an AFS client, these files determine the default cell for command execution.</para>
180 <para>For predictable performance, it is best that the files in the directory named by the AFSCONF variable match those in
181 the <emphasis role="bold">/usr/vice/etc</emphasis> directory on the translator machine. If your cell has an AFS directory
182 that serves as the central update source for files in the <emphasis role="bold">/usr/vice/etc</emphasis> directory, it is
183 simplest to set the AFSCONF variable to refer to it. In the conventional configuration, this directory is called <emphasis
184 role="bold">/afs/</emphasis>cellname<emphasis role="bold">/common/etc</emphasis>.</para>
187 <sect3 id="Header_673">
188 <title>Setting Values for the Variables</title>
190 <para>To learn the values of the AFSSERVER and AFSCONF variables, AFS command interpreters consult the following three
191 sources in sequence: <orderedlist>
193 <para>The current command shell's environment variable definitions</para>
197 <para>The <emphasis role="bold">.AFSSERVER</emphasis> or <emphasis role="bold">.AFSCONF</emphasis> file in the
198 issuer's home directory</para>
202 <para>The <emphasis role="bold">/.AFSSERVER</emphasis> or <emphasis role="bold">/.AFSCONF</emphasis> file in the NFS
203 client machine's root (<emphasis>/</emphasis>) directory. If the client machine is diskless, its root directory can
204 reside on an NFS server machine.</para>
206 </orderedlist></para>
208 <para>(Actually, before consulting these sources, the NFS client looks for the <emphasis role="bold">CellServDB</emphasis>
209 and <emphasis role="bold">ThisCell</emphasis> files in its own <emphasis role="bold">/usr/vice/etc</emphasis> directory. If
210 the directory exists, the NFS client does not use the value of the AFSCONF variable. However, the <emphasis
211 role="bold">/usr/vice/etc</emphasis> directory usually exists only on AFS clients, not NFS clients.)</para>
213 <para>As previously detailed, correct performance generally requires that the remote executor machine be the NFS client's
214 primary translator machine (the one whose <emphasis role="bold">/afs</emphasis> directory is mounted at the <emphasis
215 role="bold">/afs</emphasis> directory on the NFS client). The requirement holds for all users accessing AFS from the NFS
216 client, so it is usually simplest to create the <emphasis role="bold">.AFSSERVER</emphasis> file in the NFS client's root
217 directory. The main reason to create the file in a user's home directory or to set the AFSSERVER environment variable in the
218 current command shell is that the user needs to switch to a different translator machine, perhaps because the original one
219 has become inaccessible.</para>
221 <para>Similarly, it generally makes sense to create the <emphasis role="bold">.AFSCONF</emphasis> file in the NFS client's
222 root directory. Creating it in the user's home directory or setting the AFSCONF environment variable in the current command
223 shell is useful mostly when there is a reason to specify a different set of database server machines for the cell, perhaps
224 in a testing situation.</para>
228 <sect2 id="HDRWQ602">
229 <title>Delayed Writes for Files Saved on NFS Client Machines</title>
232 <primary>asynchrony</primary>
234 <secondary>when AFS files saved on NFS clients</secondary>
238 <primary>synchrony</primary>
240 <secondary>when AFS files saved on NFS clients</secondary>
244 <primary>delayed write operations</primary>
246 <secondary>when AFS files saved on NFS clients</secondary>
250 <primary>write</primary>
252 <secondary>operations delayed from NFS clients</secondary>
256 <primary>write</primary>
258 <secondary>system call for files saved on NFS client</secondary>
262 <primary>fsync system call</primary>
264 <secondary>for files saved on NFS client</secondary>
268 <primary>close system call</primary>
270 <secondary>for files saved on NFS client</secondary>
273 <para>When an application running on an AFS client machine issues the <emphasis role="bold">close</emphasis> or <emphasis
274 role="bold">fsync</emphasis> system call on a file, the Cache Manager by default performs a synchronous write of the data to
275 the File Server. (For further discussion, see <link linkend="HDRWQ33">AFS Implements Save on Close</link> and <link
276 linkend="HDRWQ418">Enabling Asynchronous Writes</link>.)</para>
278 <para>To avoid degrading performance for the AFS users working on a translator machine, AFS does not perform synchronous
279 writes for applications running on the translator machine's NFS clients. Instead, one of the Cache Manager daemons (the
280 maintenance daemon) checks every 60 seconds for chunks in the cache that contain data saved on NFS clients, and writes their
281 contents to the File Server. This does not guarantee that data saved on NFS clients is written to the File Server within 60
282 seconds, but only that the <emphasis>maintenance daemon</emphasis> checks for and begins the write of data at that
285 <para>Furthermore, AFS always ignores the <emphasis role="bold">fsync</emphasis> system call as issued on an NFS client. The
286 call requires an immediate and possibly time-consuming response from the File Server, which potentially causes delays for
287 other AFS clients of the File Server. NFS version 3 automatically issues the <emphasis role="bold">fsync</emphasis> system
288 call directly after the <emphasis role="bold">close</emphasis> call, but the Cache Manager ignores it and handles the
289 operation just like a regular <emphasis role="bold">close</emphasis>.</para>
291 <para>The delayed write mechanism means that there is usually a delay between the time when an NFS application issues the
292 <emphasis role="bold">close</emphasis> or <emphasis role="bold">fsync</emphasis> system call on a file and the time when the
293 changes are recorded at the File Server, which is when they become visible to users working on other AFS client machines
294 (either directly or on its NFS clients). The delay is likely to be longer than for files saved by users working directly on an
295 AFS client machine.</para>
297 <para>The exact amount of delay is difficult to predict. The NFS protocol itself allows a standard delay before saved data
298 must be transferred from the NFS client to the NFS server (the translator machine). The modified data remains in the
299 translator machine's AFS client cache until the maintenance daemon's next scheduled check for such data, and it takes
300 additional time to transfer the data to the File Server. The maintenance daemon uses a single thread, so there can be
301 additional delay if it takes more than 60 seconds to write out all of the modified NFS data. That is, if the maintenance
302 daemon is still writing data at the time of the next scheduled check, it cannot notice any additional modified data until the
303 scheduled time after it completes the long write operation.</para>
305 <para>The Cache Manager's response to the <emphasis role="bold">write</emphasis> system call is the same whether it is issued
306 on an AFS client machine or on an NFS client of a translator machine: it records the modifications in the local AFS client
311 <sect1 id="HDRWQ603">
312 <title>Configuring NFS/AFS Translator Machines</title>
314 <para>To act as an NFS/AFS translator machine, a machine must configured as follows: <itemizedlist>
316 <para>It must be an AFS client. Many system types supported as AFS clients can be translator machines. To learn about
317 possible restrictions in a specific release of AFS, see the <emphasis>OpenAFS Release Notes</emphasis>.</para>
321 <para>It must be an NFS server. The appropriate number of NFS server daemons (<emphasis role="bold">nfsd</emphasis> and
322 others) depends on the anticipated NFS client load.</para>
326 <para>It must export the local directory on which the AFS filespace is mounted, <emphasis role="bold">/afs</emphasis> by
329 </itemizedlist></para>
331 <para>If users on a translator machine's NFS clients are to issue AFS commands, the translator machine must also meet the
332 requirements discussed in <link linkend="HDRRMTSYS">Configuring the Translator Machine to Accept AFS Commands</link>.</para>
334 <sect2 id="Header_676">
335 <title>Loading NFS and AFS Kernel Extensions</title>
337 <para>The AFS distribution for system types that can act as NFS/AFS Translator machines usually includes two versions of the
338 AFS kernel extensions file, one for machines where the kernel supports NFS server functionality, and one for machines not
339 using NFS (the latter AFS kernel extensions file generally has the string <emphasis role="bold">nonfs</emphasis> in its name).
340 A translator machine must use the NFS-enabled version of the AFS extensions file. On some system types, you select the
341 appropriate file by moving it to a certain location, whereas on other system types you set a variable that results in
342 automatic selection of the correct file. See the instructions in the <emphasis>OpenAFS Quick Beginnings</emphasis> for
343 incorporating AFS into the kernel on each system type.</para>
345 <para>On many system types, NFS is included in the kernel by default, so it is not necessary to load NFS kernel extensions
346 explicitly. On system types where you must load NFS extensions, then in general you must load them before loading the AFS
347 kernel extensions. The <emphasis>OpenAFS Quick Beginnings</emphasis> describes how to incorporate the AFS initialization
348 script into a machine's startup sequence so that it is ordered correctly with respect to the script that handles NFS.</para>
350 <para>In addition, the AFS extensions must be loaded into the kernel before the <emphasis role="bold">afsd</emphasis> command
351 runs. The AFS initialization script included in the AFS distribution correctly orders the loading and <emphasis
352 role="bold">afsd</emphasis> commands.</para>
355 <sect2 id="HDRRMTSYS">
356 <title>Configuring the Translator Machine to Accept AFS Commands</title>
358 <para>For users working on a translator machine's NFS clients to issue AFS commands, the <emphasis
359 role="bold">-rmtsys</emphasis> flag must be included on the <emphasis role="bold">afsd</emphasis> command which initializes
360 the translator machine's Cache Manager. The flag starts an additional daemon (the <emphasis>remote executor</emphasis>
361 daemon), which executes AFS-specific system calls on behalf of NFS clients. For a discussion of the implications of NFS users
362 issuing AFS commands, see <link linkend="HDRWQ600">Setting the AFSSERVER and AFSCONF Environment Variables</link>.</para>
364 <para>The instructions in the OpenAFS Quick Beginnings for configuring the Cache Manager explain how to add options such as
365 the <emphasis role="bold">-rmtsys</emphasis> flag to the <emphasis role="bold">afsd</emphasis> command in the AFS
366 initialization script. On many system types, it is simplest to list the flag on the line in the script that defines the
367 OPTIONS variable. The <emphasis>remote executor daemon</emphasis> does not consume many resources, so it is simplest to add it
368 to the <emphasis role="bold">afsd</emphasis> command on every translator machine, even if not all users on the machine's NFS
369 clients issue AFS commands.</para>
372 <sect2 id="HDRWQ604">
373 <title>Controlling Optional Translator Features</title>
375 <para>After an AFS client machine is configured as a translator machine, it by default exports the AFS filespace to NFS
376 clients. You can disable and reenable translator functionality by using the <emphasis role="bold">fs exportafs</emphasis>
377 command's <emphasis role="bold">-start</emphasis> argument. The command's other arguments control other aspects of translator
378 behavior. <itemizedlist>
380 <para>The <emphasis role="bold">-convert</emphasis> argument controls whether the second and third (<emphasis
381 role="bold">group</emphasis> and <emphasis role="bold">other</emphasis>) sets of UNIX mode bits on an AFS file or
382 directory being exported to NFS are set to match the first (<emphasis role="bold">owner</emphasis>) mode bits. By
383 default, the mode bits are set to match.</para>
385 <para>Unlike AFS, NFS uses all three sets of mode bits when determining whether a user can read or write a file, even
386 one stored in AFS. Some AFS files possibly do not have any <emphasis role="bold">group</emphasis> and <emphasis
387 role="bold">other</emphasis> mode bits turned on, because AFS uses only the <emphasis role="bold">owner</emphasis> bits
388 in combination with the ACL on the file's directory. If only the <emphasis role="bold">owner</emphasis> mode bits are
389 set, NFS allows only the file's owner of the file to read or write it. Setting the <emphasis
390 role="bold">-convert</emphasis> argument to the value <emphasis role="bold">on</emphasis> enables other users to access
391 the file in the same manner as the owner. Setting the value <emphasis role="bold">off</emphasis> preserves the mode bits
392 set on the file as stored in AFS.</para>
396 <para>The <emphasis role="bold">-uidcheck</emphasis> argument controls whether tokens can be assigned to an NFS user
397 whose local UID on the NFS client machine differs from the local UID associated with the tokens on the translator
398 machine. By default, this is possible.</para>
400 <para>If you turn on UID checking by setting the value <emphasis role="bold">on</emphasis>, then tokens can be assigned
401 only to an NFS user whose local UID matches the local UID of the process on the translator machine that is assigning the
402 tokens. One consequence is that there is no point in including the <emphasis role="bold">-id</emphasis> argument to the
403 <emphasis role="bold">knfs</emphasis> command: the only acceptable value is the local UID of the command's issuer, which
404 is the value used when the <emphasis role="bold">-id</emphasis> argument is omitted. Requiring matching UIDs in this way
405 is effective only when users have the same local UID on the translator machine as on NFS client machines. In that case,
406 it guarantees that users assign their tokens only to their own NFS sessions. For instructions, see <link
407 linkend="HDRWQ612">Authenticating on Unsupported NFS Client Machines</link>.</para>
410 <para>Turning on UID checking also prevents users on supported NFS clients from using the <emphasis
411 role="bold">klog</emphasis> command to authenticate on the NFS client directly. They must authenticated and use the
412 <emphasis role="bold">knfs</emphasis> command on the translator machine instead. This is because after the <emphasis
413 role="bold">klog</emphasis> command interpreter obtains the token on the NFS client, it passes it to the Cache
414 Manager's remote executor daemon, which makes the system call that stores the token in a credential structure on the
415 translator machine. The remote executor generally runs as the local superuser <emphasis role="bold">root</emphasis>,
416 so in most cases its local UID (normally zero) does not match the local UID of the user who issued the <emphasis
417 role="bold">klog</emphasis> command on the NFS client machine.</para>
419 <para>On the other hand, although using the <emphasis role="bold">knfs</emphasis> command instead of the <emphasis
420 role="bold">klog</emphasis> command is possibly less convenient for users, it eliminates a security exposure: the
421 <emphasis role="bold">klog</emphasis> command interpreter passes the token across the network to the remote executor
422 daemon in clear text mode.</para>
425 <para>If you disable UID checking by assigning the value <emphasis role="bold">off</emphasis> , the issuer of the
426 <emphasis role="bold">knfs</emphasis> command can assign tokens to a user who has a different local UID on the NFS
427 client machine, such as the local superuser <emphasis role="bold">root</emphasis>. Indeed, more than one issuer of the
428 <emphasis role="bold">knfs</emphasis> command can assign tokens to the same user on the NFS client machine. Each time a
429 different user issues the <emphasis role="bold">knfs</emphasis> command with the same value for the <emphasis
430 role="bold">-id</emphasis> argument, that user's tokens overwrite the existing ones. This can result in unpredictable
431 access for the NFS user.</para>
435 <para>The <emphasis role="bold">-submounts</emphasis> argument controls whether users on the NFS client can mount AFS
436 directories other than the top-level <emphasis role="bold">/afs</emphasis> directory. By default, the translator does
437 not permit these submounts.</para>
439 <para>Submounts can be useful in a couple of circumstances. If, for example, NFS users need to access their own AFS home
440 directories only, then creating a submount to it eliminates the need for them to know or enter the complete path.
441 Similarly, you can use a submount to prevent users from accessing parts of the filespace higher in the AFS hierarchy
442 than the submount.</para>
444 </itemizedlist></para>
447 <sect2 id="Header_679">
448 <title>To configure an NFS/AFS translator machine</title>
450 <para>The following instructions configure the translator to enable users to issue AFS commands. Omit Step <link
451 linkend="LIWQ605">6</link> if you do not want to enable this functionality. <orderedlist>
453 <para>Become the local superuser <emphasis role="bold">root</emphasis> on the machine, if you are not already, by
454 issuing the <emphasis role="bold">su</emphasis> command. <programlisting>
455 % <emphasis role="bold">su root</emphasis>
456 Password: <<replaceable>root_password</replaceable>>
457 </programlisting></para>
461 <para>Configure the NFS/AFS translator machine as an NFS server, if it is not already. Follow the instructions provided
462 by your NFS supplier. The appropriate number of NFS server daemons (such as <emphasis role="bold">nfsd</emphasis>)
463 depends on the number of potential NFS clients.</para>
467 <para>Configure the NFS/AFS translator machine as an AFS client, if it is not already. For the most predictable
468 performance, the translator machine's local copies of the <emphasis role="bold">/usr/vice/etc/CellServDB</emphasis> and
469 <emphasis role="bold">/usr/vice/etc/ThisCell</emphasis> files must be the same as on other client machines in the
474 <para><anchor id="LITRANS-MOUNTFILE" />Modify the file that controls mounting of directories on the machine by remote
475 NFS clients. <itemizedlist>
477 <primary>etc/exports file</primary>
481 <primary>files</primary>
483 <secondary>exports</secondary>
487 <para>On systems that use the <emphasis role="bold">/etc/exports</emphasis> file, edit it to enable export of the
488 <emphasis role="bold">/afs</emphasis> directory to NFS clients. You can list the names of specific NFS client
489 machines if you want to provide access only to certain users. For a description of the file's format, see the NFS
490 manual page for <emphasis role="bold">exports(5)</emphasis>.</para>
492 <para>The following example enables any NFS client machine to mount the machine's <emphasis
493 role="bold">/afs</emphasis>, <emphasis role="bold">/usr</emphasis>, and <emphasis role="bold">/usr2</emphasis>
503 <primary>share command</primary>
507 <primary>commands</primary>
509 <secondary>share</secondary>
514 <para>On system types that use the <emphasis role="bold">share</emphasis> command, edit the <emphasis
515 role="bold">/etc/dfs/dfstab</emphasis> file or equivalent to include <emphasis role="bold">share</emphasis>
516 instructions that enable remote mounts of the <emphasis role="bold">/afs</emphasis> directory. Most distributions
517 include the binary as <emphasis role="bold">/usr/sbin/share</emphasis>. The following example commands enable
518 remote mounts of the root ( <emphasis role="bold">/</emphasis> ) and <emphasis role="bold">/afs</emphasis>
519 directories. To verify the correct syntax, consult the manual page for the <emphasis role="bold">share</emphasis>
520 command. <programlisting>
521 share -F nfs -o rw -d "root" /
522 share -F nfs -o rw -d "afs gateway" /afs
523 </programlisting></para>
525 </itemizedlist></para>
529 <para>Edit the machine's AFS initialization file to invoke the standard UNIX <emphasis role="bold">exportfs</emphasis>
530 command after the <emphasis role="bold">afsd</emphasis> program runs. On some system types, the modifications you made
531 in Step <link linkend="LITRANS-MOUNTFILE">4</link> are not enough to enable exporting the AFS filespace via the
532 <emphasis role="bold">/afs</emphasis> directory, because the resulting configuration changes are made before the
533 <emphasis role="bold">afsd</emphasis> program runs during machine initialization. Only after the <emphasis
534 role="bold">afsd</emphasis> program runs does the <emphasis role="bold">/afs</emphasis> directory become the mount point
535 for the entire AFS filespace; before, it is a local directory like any other.</para>
539 <para><anchor id="LIWQ605" />Modify the <emphasis role="bold">afsd</emphasis> command in the AFS initialization file to
540 include the <emphasis role="bold">-rmtsys</emphasis> flag.</para>
542 <para>For system types other than IRIX, the instructions in the <emphasis>OpenAFS Quick Beginnings</emphasis> for
543 configuring the Cache Manager explain how to add the <emphasis role="bold">-rmtsys</emphasis> flag, for example by
544 adding it to the line in the script that defines the value for the OPTIONS variable.</para>
546 <para>On IRIX systems, the AFS initialization script automatically adds the <emphasis role="bold">-rmtsys</emphasis>
547 flag if you have activated the <emphasis role="bold">afsxnfs</emphasis> configuration variable as instructed in the
548 <emphasis>OpenAFS Quick Beginnings</emphasis> instructions for incorporating AFS extensions into the kernel. If the
549 variable is not already activated, issue the following command.</para>
552 # <emphasis role="bold">/etc/chkconfig -f afsxnfs on</emphasis>
557 <para><emphasis role="bold">(Optional)</emphasis> Depending on the number of NFS clients you expect this machine to
558 serve, it can be beneficial to add other arguments to the <emphasis role="bold">afsd</emphasis> command in the machine's
559 initialization file, such as the <emphasis role="bold">-daemons</emphasis> argument to set the number of background
560 daemons. See <link linkend="HDRWQ387">Administering Client Machines and the Cache Manager</link> and the <emphasis
561 role="bold">afsd</emphasis> reference page in the <emphasis>OpenAFS Administration Reference</emphasis>.</para>
565 <para>Reboot the machine. On many system types, the appropriate command is <emphasis role="bold">shutdown</emphasis>;
566 consult your operating system administrator's guide. <programlisting>
567 # <emphasis role="bold">shutdown</emphasis> appropriate_options
568 </programlisting></para>
570 </orderedlist></para>
573 <primary>fs commands</primary>
575 <secondary>exportafs</secondary>
579 <primary>commands</primary>
581 <secondary>fs exportafs</secondary>
585 <sect2 id="Header_680">
586 <title>To disable or enable Translator functionality, or set optional features</title>
590 <para>Become the local superuser <emphasis role="bold">root</emphasis> on the machine, if you are not already, by issuing
591 the <emphasis role="bold">su</emphasis> command. <programlisting>
592 % <emphasis role="bold">su root</emphasis>
593 Password: <<replaceable>root_password</replaceable>>
594 </programlisting></para>
598 <para>Issue the <emphasis role="bold">fs exportafs</emphasis> command. <programlisting>
599 # <emphasis role="bold">fs exportafs nfs</emphasis> [<emphasis role="bold">-start</emphasis> {<emphasis role="bold">on</emphasis> | <emphasis
600 role="bold">off</emphasis>}} ] [<emphasis role="bold">-convert</emphasis> {<emphasis role="bold">on</emphasis> | <emphasis
601 role="bold">off</emphasis>}]
602 [<emphasis role="bold">-uidcheck</emphasis> {<emphasis role="bold">on</emphasis> | <emphasis role="bold">off</emphasis>}] [<emphasis
603 role="bold">-submounts</emphasis> {<emphasis role="bold">on</emphasis> | <emphasis role="bold">off</emphasis>}]
604 </programlisting> <variablelist>
606 <term><emphasis role="bold">-start</emphasis></term>
609 <para>Disables translator functionality if the value is <emphasis role="bold">off</emphasis> or reenables it if
610 the value is <emphasis role="bold">on</emphasis>. Omit this argument to display the current setting of all
611 parameters set by this command.</para>
616 <term><emphasis role="bold">-convert</emphasis></term>
619 <para>Controls the setting of the second and third (<emphasis role="bold">group</emphasis> and <emphasis
620 role="bold">other</emphasis>) sets of UNIX mode bits on AFS files and directories as exported to NFS clients If
621 the value is <emphasis role="bold">on</emphasis>, they are set to match the <emphasis role="bold">owner</emphasis>
622 mode bits. If the value is <emphasis role="bold">off</emphasis>, the bits are not changed. If this argument is
623 omitted, the default value is <emphasis role="bold">on</emphasis>.</para>
628 <term><emphasis role="bold">-uidcheck</emphasis></term>
631 <para>Controls whether issuers of the <emphasis role="bold">knfs</emphasis> command can specify a value for its
632 <emphasis role="bold">-id</emphasis> argument that does not match their AFS UID: <itemizedlist>
634 <para>If the value is <emphasis role="bold">on</emphasis>, the value of the <emphasis
635 role="bold">-id</emphasis> argument must match the issuer's local UID.</para>
639 <para>If the value is <emphasis role="bold">off</emphasis>, the issuer of the <emphasis
640 role="bold">knfs</emphasis> command can use the <emphasis role="bold">-id</emphasis> argument to assign
641 tokens to a user who has a different local UID on the NFS client machine, such as the local superuser
642 <emphasis role="bold">root</emphasis>.</para>
644 </itemizedlist></para>
646 <para>If this argument is omitted, the default value is <emphasis role="bold">off</emphasis>.</para>
651 <term><emphasis role="bold">-submounts</emphasis></term>
654 <para>Controls whether the translator services an NFS mount of any directory in the AFS filespace other than the
655 top-level <emphasis role="bold">/afs</emphasis> directory. If the value is <emphasis role="bold">on</emphasis>,
656 such submounts are allowed. If the value is off, only mounts of the <emphasis role="bold">/afs</emphasis>
657 directory are allowed. If this argument is omitted, the default value is <emphasis
658 role="bold">off</emphasis>.</para>
661 </variablelist></para>
667 <sect1 id="HDRWQ606">
668 <title>Configuring NFS Client Machines</title>
670 <para>Any NFS client machine that meets the following requirements can access files in AFS via the NFS/AFS Translator. It does
671 not need to be configured as an AFS client machine. <itemizedlist>
673 <para>It must NFS-mount a translator machine's <emphasis role="bold">/afs</emphasis> directory on a local directory, which
674 by convention is also called <emphasis role="bold">/afs</emphasis>. The following instructions explain how to add the
675 <emphasis role="bold">mount</emphasis> command to the NFS client machine's <emphasis role="bold">/etc/fstab</emphasis>
676 file or equivalent.</para>
678 <para>The directory on which an NFS client mounts the translator's machine's <emphasis role="bold">/afs</emphasis>
679 directory can be called something other than <emphasis role="bold">/afs</emphasis>. For instance, to make it easy to
680 switch to another translator machine if the original one becomes inaccessible, you can mount more than one translator
681 machine's <emphasis role="bold">/afs</emphasis> directory. Name the mount <emphasis role="bold">/afs</emphasis> for the
682 translator machine that you normally use, and use a different name the mount to each alternate translator machine.</para>
684 <para>Mounting the AFS filespace on a directory other than <emphasis role="bold">/afs</emphasis> introduces another
685 requirement, however: when issuing a command that takes an AFS pathname argument, you must specify the full pathname,
686 starting with <emphasis role="bold">/afs</emphasis>, rather than a relative pathname. Suppose, for example, that a
687 translator machine's AFS filespace is mounted at <emphasis role="bold">/afs2</emphasis> on an NFS client machine and you
688 issue the following command to display the ACL on the current working directory, which is in AFS:</para>
691 % <emphasis role="bold">fs listacl .</emphasis>
694 <para>The <emphasis role="bold">fs</emphasis> command interpreter on the NFS client must construct a full pathname before
695 passing the request to the Cache Manager on the translator machine. The AFS filespace is mounted at <emphasis
696 role="bold">/afs2</emphasis>, so the full pathname starts with that string. However, the Cache Manager on the translator
697 cannot find a directory called <emphasis role="bold">/afs2</emphasis>, because its mount of the AFS filespace is called
698 <emphasis role="bold">/afs</emphasis>. The command fails. To prevent the failure, provide the file's complete pathname,
699 starting with the string <emphasis role="bold">/afs</emphasis>.</para>
703 <para>It must run an appropriate number of NFS client <emphasis role="bold">biod</emphasis> daemons, which improve
704 performance by handling pre-reading and delayed writing. Most NFS vendors recommend running four such daemons, and most
705 NFS initialization scripts start them automatically. Consult your NFS documentation.</para>
707 </itemizedlist></para>
709 <para>To enable users to issue AFS commands, the NFS client machine must also be a supported system type (one for which AFS
710 binaries are available) and able to access the AFS command binaries. The <emphasis>OpenAFS Release Notes</emphasis> list the
711 supported system types in each release.</para>
713 <para>In addition, the AFSSERVER and AFSCONF environment variables must be set appropriately, as discussed in <link
714 linkend="HDRWQ600">Setting the AFSSERVER and AFSCONF Environment Variables</link>.</para>
716 <sect2 id="Header_682">
717 <title>To configure an NFS client machine to access AFS</title>
720 <para>The following instructions enable NFS users to issue AFS commands. Omit Step <link linkend="LIWQ608">5</link> and Step
721 <link linkend="LIWQ609">6</link> if you do not want to enable this functionality.</para>
726 <para>Become the local superuser <emphasis role="bold">root</emphasis> on the machine, if you are not already, by issuing
727 the <emphasis role="bold">su</emphasis> command. <programlisting>
728 % <emphasis role="bold">su root</emphasis>
729 Password: <<replaceable>root_password</replaceable>>
730 </programlisting></para>
734 <para>Configure the machine as an NFS client machine, if it is not already. Follow the instructions provided by your NFS
735 vendor. The number of NFS client (<emphasis role="bold">biod</emphasis>) daemons needs to be appropriate for the expected
736 load on this machine. The usual recommended number is four.</para>
740 <para>Create a directory called <emphasis role="bold">/afs</emphasis> on the machine, if one does not already exist, to
741 act as the mount point for the translator machine's <emphasis role="bold">/afs</emphasis> directory. It is acceptable to
742 use other names, but doing so introduces the limitation discussed in the introduction to this section. <programlisting>
743 # <emphasis role="bold">mkdir /afs</emphasis>
744 </programlisting> <indexterm>
745 <primary>commands</primary>
747 <secondary>mount</secondary>
748 </indexterm> <indexterm>
749 <primary>mount command</primary>
754 <para><anchor id="LIWQ607" />Modify the machine's file systems registry file (<emphasis role="bold">/etc/fstab</emphasis>
755 or equivalent) to include a command that mounts a translator machine's <emphasis role="bold">/afs</emphasis> directory. To
756 verify the correct syntax of the <emphasis role="bold">mount</emphasis> command, see the operating system's <emphasis
757 role="bold">mount(5)</emphasis> manual page. The following example includes options that are appropriate on many system
758 types. <programlisting>
759 mount -o hard,intr,timeo=300 translator_machine:/afs /afs
760 </programlisting></para>
762 <para>where <variablelist>
764 <term><computeroutput>hard</computeroutput></term>
767 <para>Indicates that the NFS client retries NFS requests until the NFS server (translator machine) responds. When
768 using the translator, file operations possibly take longer than with NFS alone, because they must also pass
769 through the AFS Cache Manager. With a soft mount, a delayed response from the translator machine can cause the
770 request to abort. Many NFS versions use hard mounts by default; if your version does not, it is best to add this
776 <term><computeroutput>intr</computeroutput></term>
779 <para>Enables the user to use a keyboard interrupt signal (such as <<emphasis
780 role="bold">Ctrl-c</emphasis>>) to break the mount when the translator machine is inaccessible. Include this
781 option only if the <computeroutput>hard</computeroutput> option is used, in which case the connection does not
782 automatically break off when a translator machine goes down.</para>
787 <term><computeroutput>timeo</computeroutput></term>
790 <para>Sets the maximum time (in tenths of seconds) the translator can take to respond to the NFS client's request
791 before the client considers the request timed out. With a hard mount, setting this option to a high number like
792 300 reduces the number of error messages like the following, which are generated when the translator does not
793 respond immediately. <programlisting>
794 NFS server translator is not responding, still trying
795 </programlisting></para>
797 <para>With a soft mount, it reduces the number of actual errors returned on timed-out requests.</para>
802 <term><replaceable>translator_machine</replaceable></term>
805 <para>Specifies the fully-qualified hostname of the translator machine whose <emphasis role="bold">/afs</emphasis>
806 directory is to be mounted on the client machine's <emphasis role="bold">/afs</emphasis> directory.</para>
809 </variablelist></para>
812 <para>To mount the translator machine's <emphasis role="bold">/afs</emphasis> directory onto a directory on the NFS
813 client other than <emphasis role="bold">/afs</emphasis>, substitute the alternate directory name for the second instance
814 of <computeroutput>/afs</computeroutput> in the <emphasis role="bold">mount</emphasis> command.</para>
819 <para><anchor id="LIWQ608" /><emphasis role="bold">(Optional)</emphasis> If appropriate, create the <emphasis
820 role="bold">/.AFSSERVER</emphasis> file to set the AFSSERVER environment variable for all of the machine's users. For a
821 discussion, see <link linkend="HDRWQ600">Setting the AFSSERVER and AFSCONF Environment Variables</link>. Place a single
822 line in the file, specifying the fully-qualified hostname of the translator machine that is to serve as the remote
823 executor. To enable users to issue commands that handle tokens, it must be the machine named as translator_machine in Step
824 <link linkend="LIWQ607">4</link>.</para>
828 <para><anchor id="LIWQ609" /><emphasis role="bold">(Optional)</emphasis> If appropriate, create the <emphasis
829 role="bold">/.AFSCONF</emphasis> file to set the AFSCONF environment variable for all of the machine's users. For a
830 discussion, see <link linkend="HDRWQ600">Setting the AFSSERVER and AFSCONF Environment Variables</link>. Place a single
831 line in the file, specifying the name of the directory where the <emphasis role="bold">CellServDB</emphasis> and <emphasis
832 role="bold">ThisCell</emphasis> files reside. If you use a central update source for these files (by convention, <emphasis
833 role="bold">/afs/</emphasis>cellname<emphasis role="bold">/common/etc</emphasis>), name it here.</para>
839 <sect1 id="HDRWQ610">
840 <title>Configuring User Accounts</title>
842 <para>There are no requirements for NFS users to access AFS as unauthenticated users. To take advantage of more AFS
843 functionality, however, they must meet the indicated requirements. <itemizedlist>
845 <para>To access AFS as authenticated users, they must of course authenticate with AFS, which requires an entry in the
846 Protection and Authentication Databases.</para>
850 <para>To create and store files, they need the required ACL permissions. If you are providing a home directory for storage
851 of personal files, it is conventional to create a dedicated volume and mount it at the user's home directory location in
852 the AFS filespace.</para>
856 <para>To issue AFS commands, they must meet several additional requirements: <itemizedlist>
858 <para>They must be working on an NFS client machine of a supported system type and from which the AFS command
859 binaries are accessible.</para>
863 <para>Their command shell must define values for the AFSSERVER and AFSCONF environment variables, as described in
864 <link linkend="HDRWQ600">Setting the AFSSERVER and AFSCONF Environment Variables</link>. It is often simplest to
865 define the variables by creating <emphasis role="bold">/.AFSSERVER</emphasis> and <emphasis
866 role="bold">/.AFSCONF</emphasis> file in the NFS client machine's root directory, but you can also either set the
867 variables in each user's shell initialization file (<emphasis role="bold">.cshrc</emphasis> or equivalent), or
868 create files called <emphasis role="bold">.AFSSERVER</emphasis> and <emphasis role="bold">.AFSCONF</emphasis> in
869 each user's home directory.</para>
873 <para>They must have an entry in the AFS Protection and Authentication Databases, so that they can authenticate if
874 the command requires AFS privilege. Other commands instead require assuming the local <emphasis
875 role="bold">root</emphasis> identity on the translator machine; for further discussion, see <link
876 linkend="HDRWQ601">The AFSSERVER Variable</link>.</para>
880 <para>Their PATH environment variable must include the pathname to the appropriate AFS binaries. If a user works on
881 NFS client machines of different system types, include the <emphasis role="bold">@sys</emphasis> variable in the
882 pathname rather than an actual system type name.</para>
884 </itemizedlist></para>
886 </itemizedlist></para>
888 <sect2 id="Header_684">
889 <title>To configure a user account for issuing AFS commands</title>
893 <para>Create entries for the user in the Protection and Authentication Databases, or create a complete AFS account. See
894 the instructions for account creation in <link linkend="HDRWQ449">Creating and Deleting User Accounts with the uss Command
895 Suite</link> or <link linkend="HDRWQ491">Administering User Accounts</link>.</para>
899 <para><anchor id="LIWQ611" />Modify the user's PATH environment variable to include the pathname of AFS binaries, such as
900 <emphasis role="bold">/afs/</emphasis>cellname<emphasis role="bold">/</emphasis>sysname<emphasis
901 role="bold">/usr/afsws/bin</emphasis>. If the user works on NFS client machines of different system types, considering
902 replacing the specific sysname value with the <emphasis role="bold">@sys</emphasis> variable. The PATH variable is
903 commonly defined in a login or shell initialization file (such as the <emphasis role="bold">.login</emphasis> or <emphasis
904 role="bold">.cshrc</emphasis> file).</para>
908 <para><emphasis role="bold">(Optional)</emphasis> Set the AFSSERVER and AFSCONF environment variables if appropriate. This
909 is required if the NFS client machines on which the user works do not have the <emphasis
910 role="bold">/.AFSSERVER</emphasis> and <emphasis role="bold">/.AFSCONF</emphasis> files in their root directories, or if
911 you want user-specific values to override those settings.</para>
913 <para>Either define the variables in the user's login or shell initialization file, or create the files <emphasis
914 role="bold">.AFSSERVER</emphasis> and <emphasis role="bold">.AFSCONF</emphasis> files in the user's home directory.</para>
916 <para>For the AFSSERVER variable, specify the fully-qualified hostname of the translator machine that is to serve as the
917 remote executor. For the AFSCONF variable, specify the name of the directory where the <emphasis
918 role="bold">CellServDB</emphasis> and <emphasis role="bold">ThisCell</emphasis> files reside. If you use a central update
919 source for these files (by convention, <emphasis role="bold">/afs/</emphasis>cellname<emphasis
920 role="bold">/common/etc</emphasis>), name it here.</para>
924 <para>If the pathname you defined in Step <link linkend="LIWQ611">2</link> includes the <emphasis
925 role="bold">@sys</emphasis> variable, instruct users to check that their system name is defined correctly before they
926 issue AFS commands. They issue the following command: <programlisting>
927 % <emphasis role="bold">fs sysname</emphasis>
928 </programlisting></para>
934 <sect1 id="HDRWQ612">
935 <title>Authenticating on Unsupported NFS Client Machines</title>
937 <para>The <emphasis role="bold">knfs</emphasis> command enables users to authenticate with AFS when they are working on NFS
938 clients of unsupported system types (those for which AFS binaries are not available). This enables such users to access the AFS
939 file tree to the same extent as any other AFS user. They cannot, however, issue AFS commands, which is possible only on NFS
940 client machines of supported system types.</para>
942 <para>To authenticate on an unsupported system type, establish a connection to the translator machine (using a facility such as
943 <emphasis role="bold">telnet</emphasis>), and issue the <emphasis role="bold">klog</emphasis> command to obtain tokens for all
944 the cells you wish to contact during the upcoming NFS session. Then issue the <emphasis role="bold">knfs</emphasis> command,
945 which stores the tokens in a credential structure associated with your NFS session. The Cache Manager uses the tokens when
946 performing AFS access requests that originate from your NFS session.</para>
948 <para>More specifically, the credential structure is identified by a process authentication group (PAG) number associated with a
949 particular local UID on a specific NFS client machine. By default, the NFS UID recorded in the credential structure is the same
950 as your local UID on the translator machine. You can include the <emphasis role="bold">-id</emphasis> argument to specify an
951 alternate NFS UID, unless the translator machine's administrator has used the <emphasis role="bold">fs exportafs</emphasis>
952 command's <emphasis role="bold">-uidcheck</emphasis> argument to enable UID checking. In that case, the value of the <emphasis
953 role="bold">-id</emphasis> argument must match your local UID on the translator machine (so there is not point to including the
954 <emphasis role="bold">-id</emphasis> argument). Enforcing matching UIDs prevents someone else from placing their tokens in your
955 credential structure, either accidentally or on purpose. However, it means that your cell's administrators must set your local
956 UID on the NFS client to match your local UID on the translator machine. It also makes it impossible to authenticate by issuing
957 the <emphasis role="bold">klog</emphasis> command on supported NFS clients, meaning that all NFS users must use the <emphasis
958 role="bold">knfs</emphasis> command. See <link linkend="HDRWQ604">Controlling Optional Translator Features</link>.</para>
960 <para>After issuing the <emphasis role="bold">knfs</emphasis> command, you can begin working on the NFS client with
961 authenticated access to AFS. When you are finished working, it is a good policy to destroy your tokens by issuing the <emphasis
962 role="bold">knfs</emphasis> command on the translator machine again, this time with the <emphasis role="bold">-unlog</emphasis>
963 flag. This is simpler if you have left the connection to the translator machine open, but you can always establish a new
964 connection if you closed the original one.</para>
966 <para>If your NFS client machine is a supported system type and you wish to issue AFS commands on it, include the <emphasis
967 role="bold">-sysname</emphasis> argument to the <emphasis role="bold">knfs</emphasis> command. The remote executor daemon on the
968 translator machine substitutes its value for the <emphasis role="bold">@sys</emphasis> variable in pathnames when executing AFS
969 commands that you issue on the NFS client machine. If your PATH environment variable uses the <emphasis
970 role="bold">@sys</emphasis> variable in the pathnames for directories that house AFS binaries (as recommended), then setting
971 this argument enables the remote executor daemon to access the AFS binaries appropriate for your NFS client machine even if its
972 system type differs from the translator machine's.</para>
974 <para>If you do not issue the <emphasis role="bold">knfs</emphasis> command (or the <emphasis role="bold">klog</emphasis>
975 command on the NFS client machine itself, if it is a supported system type), then you are not authenticated with AFS. For a
976 description of unauthenticated access, see <link linkend="HDRWQ599">Enabling Unauthenticated or Authenticated AFS Access</link>.
978 <primary>knfs command</primary>
979 </indexterm> <indexterm>
980 <primary>commands</primary>
982 <secondary>knfs</secondary>
985 <sect2 id="Header_686">
986 <title>To authenticate using the knfs command</title>
990 <para>Log on to the relevant translator machine, either on the console or remotely by using a program such as <emphasis
991 role="bold">telnet</emphasis>.</para>
995 <para>Obtain tokens for every cell you wish to access while working on the NFS client. AFS-modified login utilities
996 acquire a token for the translator machine's local cell by default; use <emphasis role="bold">klog</emphasis> command to
997 obtain tokens for other cells if desired.</para>
1001 <para>Issue the <emphasis role="bold">knfs</emphasis> command to create a credential structure in the translator machine's
1002 kernel memory for storing the tokens obtained in the previous step. Include the <emphasis role="bold">-id</emphasis>
1003 argument to associate the structure with a UID on the NFS client that differs from your local UID on the translator
1004 machine. This is possible unless the translator machine's administrator has enabled UID checking on the translator
1005 machine; see <link linkend="HDRWQ604">Controlling Optional Translator Features</link>. If the NFS client machine is a
1006 supported system type and you wish to issue AFS commands on it, include the <emphasis role="bold">-sysname</emphasis>
1007 argument to specify its system type. <programlisting>
1008 % <emphasis role="bold">knfs -host</emphasis> <<replaceable>host name</replaceable>> [<emphasis role="bold">-id</emphasis> <<replaceable>user ID (decimal)</replaceable>>] \
1009 [<emphasis role="bold">-sysname</emphasis> <<replaceable>host's '@sys' value</replaceable>>]
1010 </programlisting></para>
1012 <para>where <variablelist>
1014 <term><emphasis role="bold">-host</emphasis></term>
1017 <para>Specifies the fully-qualified hostname of the NFS client machine on which you are working.</para>
1022 <term><emphasis role="bold">-id</emphasis></term>
1025 <para>Specifies a local UID number on the NFS client machine with which to associate the tokens, if different from
1026 your local UID on the translator machine. If this argument is omitted, the tokens are associated with an NFS UID
1027 that matches your local UID on the translator machine. In both cases, the NFS client software marks your AFS
1028 access requests with the NFS UID when it forwards them to the Cache Manager on the translator machine.</para>
1033 <term><emphasis role="bold">-sysname</emphasis></term>
1036 <para>Specifies the value that the local machine's remote executor daemon substitutes for the <emphasis
1037 role="bold">@sys</emphasis> variable in pathnames when executing AFS commands issued on the NFS client machine
1038 (which must be a supported system type).</para>
1041 </variablelist></para>
1043 <para>The following error message indicates that the translator machine's administrator has enabled UID checking and you
1044 have provided a value that differs from your local UID on the translator machine.</para>
1047 knfs: Translator in 'passwd sync' mode; remote uid must be the same as local uid
1052 <para>Close the connection to the translator machine (if desired) and work on the NFS client machine.</para>
1057 <primary>tokens</primary>
1059 <secondary>displaying with knfs command</secondary>
1063 <sect2 id="Header_687">
1064 <title>To display tokens using the knfs command</title>
1068 <para>Log on to the relevant translator machine, either on the console or remotely by using a program such as <emphasis
1069 role="bold">telnet</emphasis>.</para>
1073 <para>Issue the <emphasis role="bold">knfs</emphasis> command with the <emphasis role="bold">-tokens</emphasis> flag to
1074 display the tokens associated with either the NFS UID that matches your local UID on the translator machine or the NFS UID
1075 specified by the <emphasis role="bold">-id</emphasis> argument. <programlisting>
1076 % <emphasis role="bold">knfs -host</emphasis> <<replaceable>host name</replaceable>> [<emphasis role="bold">-id</emphasis> <<replaceable>user ID (decimal)</replaceable>>] <emphasis
1077 role="bold">-tokens</emphasis>
1078 </programlisting></para>
1080 <para>where <variablelist>
1082 <term><emphasis role="bold">-host</emphasis></term>
1085 <para>Specifies the fully-qualified hostname of the NFS client machine on which you are working.</para>
1090 <term><emphasis role="bold">-id</emphasis></term>
1093 <para>Specifies the local UID on the NFS client machine for which to display tokens, if different from your local
1094 UID on the translator machine. If this argument is omitted, the tokens are for the NFS UID that matches your local
1095 UID on the translator machine.</para>
1100 <term><emphasis role="bold">-tokens</emphasis></term>
1103 <para>Displays the tokens.</para>
1106 </variablelist></para>
1110 <para>Close the connection to the translator machine if desired.</para>
1115 <primary>tokens</primary>
1117 <secondary>discarding with knfs command</secondary>
1121 <sect2 id="Header_688">
1122 <title>To discard tokens using the knfs command</title>
1126 <para>If you closed your connection to the translator machine after issuing the <emphasis role="bold">knfs</emphasis>
1127 command, reopen it.</para>
1131 <para>Issue the <emphasis role="bold">knfs</emphasis> command with the <emphasis role="bold">-unlog</emphasis> flag.
1133 % <emphasis role="bold">knfs -host</emphasis> <<replaceable>host name</replaceable>> [<emphasis role="bold">-id</emphasis> <<replaceable>user ID (decimal)</replaceable>>] <emphasis
1134 role="bold">-unlog</emphasis>
1135 </programlisting></para>
1137 <para>where <variablelist>
1139 <term><emphasis role="bold">-host</emphasis></term>
1142 <para>Specifies the fully-qualified hostname of the NFS client machine you are working on.</para>
1147 <term><emphasis role="bold">-id</emphasis></term>
1150 <para>Specifies the local UID number on the NFS client machine for which to discard the associated tokens, if
1151 different from your local UID on the translator machine. If this argument is omitted, the tokens associated with
1152 an NFS UID that matches your local UID on the translator machine are discarded.</para>
1157 <term><emphasis role="bold">-unlog</emphasis></term>
1160 <para>Discards the tokens.</para>
1163 </variablelist></para>
1167 <para>If desired, close the connection to the translator machine.</para>
git://git.openafs.org / openafs.git / blob