[This transcript includes creation of a loopback mount on /vicepa
using a file full of zeros. This is useful to know how to do because it
allows you to test an AFS server without repartitioning. However, for
production cells, you should repartition and create a /vicepa

snorklewacker:/# apt-get -q install openafs-dbserver openafs-krb5 krb5-admin-server
Reading Package Lists...
Building Dependency Tree...
The following extra packages will be installed:
  krb5-kdc krb5-user libkrb53 openafs-client openafs-fileserver openafs-ptutil
The following NEW packages will be installed:
  krb5-admin-server krb5-kdc krb5-user libkrb53 openafs-client openafs-dbserver
  openafs-fileserver openafs-krb5 openafs-ptutil
0 packages upgraded, 9 newly installed, 0 to remove and 22 not upgraded.
Need to get 2264kB of archives. After unpacking 5939kB will be used.
Do you want to continue? [Y/n] y
Get:1 http://www.mit.edu packages/ krb5-admin-server 1.2.1-5 [174kB]
Get:2 http://www.mit.edu packages/ krb5-kdc 1.2.1-5 [173kB]
Get:3 http://www.mit.edu packages/ krb5-user 1.2.1-5 [154kB]
Get:4 http://www.mit.edu packages/ libkrb53 1.2.1-5 [337kB]
Get:5 http://www.mit.edu packages/ openafs-client 1.0.snap20001106-6 [662kB]
Get:6 http://www.mit.edu packages/ openafs-dbserver 1.0.snap20001106-6 [211kB]
Get:7 http://www.mit.edu packages/ openafs-fileserver 1.0.snap20001106-6 [427kB]
Get:8 http://www.mit.edu packages/ openafs-krb5 1.3-3 [96.5kB]
Get:9 http://www.mit.edu packages/ openafs-ptutil 0.0.snap20001123-1 [30.3kB]
Fetched 2264kB in 8s (253kB/s)
Preconfiguring packages ..

When users attempt to use Kerberos and specify a principal or user
name without specifying what administrative Kerberos realm that
principal belongs to, the system appends the default realm.
Normally the default realm is the upper case version of the local DNS

What is the default Kerberos realm? [ATHENA.MIT.EDU] SNORKLEWACKER.MIT.EDU

By default, Kerberos4 requests are allowed from principals that do not require
preauthentication. This allows Kerberos4 services to exist while requiring
most users to use Kerberos5 clients to get their initial tickets. These
tickets can then be converted to Kerberos4 tickets. Alternatively, the mode
can be set to full, allowing Kerberos4 to get initial tickets even when
preauthentication would normally be required, or to disable, which will
disable all Kerberos4 support.

  d. disable  f. full  n. nopreauth

What Kerberos4 compatibility mode should be used? [n]

Configuring Krb5-admin-server
-----------------------------

Setting up a Kerberos Realm

This package contains the administrative tools necessary to run on
the Kerberos master server. However, installing this package does
not automatically set up a Kerberos realm. Doing so requires
entering passwords and as such is not well-suited for package
installation. To create the realm, run the krb5_newrealm command.
You may also wish to read /usr/share/doc/krb5-kdc/README.KDC and the
administration guide found in the krb5-doc package.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers. Doing so is documented in the administration

Configuring Openafs-client
--------------------------

AFS filespace is organized into cells or administrative domains.
Each workstation belongs to one cell. Usually the cell is the DNS
domain name of the workstation.

What AFS cell does this workstation belong to? snorklewacker.mit.edu

AFS uses an area of the disk to cache remote files for faster
access. This cache will be mounted on /var/cache/openafs. It is
important that the cache not overfill the partition it is located
on. Often, people find it useful to dedicate a partition to their

How large is your AFS cache (kb)? [50000] 95000

Configuring Openafs-fileserver
------------------------------

Selecting previously deselected package libkrb53.
(Reading database ... 28342 files and directories currently installed.)
Unpacking libkrb53 (from .../libkrb53_1.2.1-5_i386.deb) ...
Selecting previously deselected package krb5-user.
Unpacking krb5-user (from .../krb5-user_1.2.1-5_i386.deb) ...
Selecting previously deselected package krb5-kdc.
Unpacking krb5-kdc (from .../krb5-kdc_1.2.1-5_i386.deb) ...
Selecting previously deselected package krb5-admin-server.
Unpacking krb5-admin-server (from .../krb5-admin-server_1.2.1-5_i386.deb) ...
Selecting previously deselected package openafs-client.
Unpacking openafs-client (from .../openafs-client_1.0.snap20001106-6_i386.deb) ...
Selecting previously deselected package openafs-fileserver.
Unpacking openafs-fileserver (from .../openafs-fileserver_1.0.snap20001106-6_i386.deb) ...
Selecting previously deselected package openafs-ptutil.
Unpacking openafs-ptutil (from .../openafs-ptutil_0.0.snap20001123-1_i386.deb) ...
Selecting previously deselected package openafs-dbserver.
Unpacking openafs-dbserver (from .../openafs-dbserver_1.0.snap20001106-6_i386.deb) ...
Selecting previously deselected package openafs-krb5.
Unpacking openafs-krb5 (from .../openafs-krb5_1.3-3_i386.deb) ...
Setting up openafs-client (1.0.snap20001106-6) ...
Configuring Openafs-client
--------------------------

AFS uses the file /etc/openafs/CellServDB to hold the list of servers that
should be contacted to find parts of a cell. The cell you claim this
workstation belongs to is not in that file. Enter the host names of the
database servers separated by spaces. IMPORTANT: If you are creating a new
cell and this machine is to be a database server in that cell, only enter this
machine's name; add the other servers later after they are functioning. Also,
do not enable the AFS client to start at boot on this server until the cell is
configured. When you are ready you can edit /etc/openafs/afs.conf.client to

What hosts are DB servers for your home cell? snorklewacker.mit.edu

Should the Openafs filesystem be started and mounted at boot? Normally, most
users who install the openafs-client package expect to run it at boot.
However, if you are planning on setting up a new cell or are on a laptop, you
may not want it started at boot time. If you answer no to this question, run
/etc/init.d/openafs-client force-start to run.

Run Openafs client at boot? [yes] n

Starting AFS services:
Setting up openafs-fileserver (1.0.snap20001106-6) ...
Starting AFS Server: ===================== U.S. Government Restricted Rights ======================
If you are licensing the Software on behalf of the U.S. Government
("Government"), the following provisions apply to you. If the Software is
supplied to the Department of Defense ("DoD"), it is classified as "Commercial
Computer Software" under paragraph 252.227-7014 of the DoD Supplement to the
Federal Acquisition Regulations ("DFARS") (or any successor regulations)
and the Government is acquiring only the license rights granted herein (the
license rights customarily provided to non-Government users). If the Software
is supplied to any unit or agency of the Government other than DoD, it is
classified as "Restricted Computer Software" and the Government's rights in
the Software are defined in paragraph 52.227-19 of the Federal Acquisition
Regulations ("FAR") (or any successor regulations) or, in the case of NASA,
in paragraph 18.52.227-86 of the NASA Supplement in the FAR (or any successor

Setting up openafs-ptutil (0.0.snap20001123-1) ...

Setting up openafs-dbserver (1.0.snap20001106-6) ...

Setting up libkrb53 (1.2.1-5) ...

Setting up krb5-user (1.2.1-5) ...

Setting up krb5-kdc (1.2.1-5) ...

Setting up krb5-admin-server (1.2.1-5) ...

Setting up openafs-krb5 (1.3-3) ...

snorklewacker:/# krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Initializing database '/var/lib/krb5kdc/principal' for realm 'SNORKLEWACKER.MIT.EDU',
master key name 'K/M@SNORKLEWACKER.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: foo

Re-enter KDC database master key to verify: foo

Authenticating as principal hartmans/admin@ATHENA.MIT.EDU with password.
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Authenticating as principal hartmans/admin@ATHENA.MIT.EDU with password.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Starting Kerberos KDC: krb5kdc krb524d.
Starting Kerberos Administration Servers: kadmind.

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers. Kerberos admin
principals usually belong to a single user and end in /admin. For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be

Don't forget to set up DNS information so your clients can find your
KDC and admin servers. Doing so is documented in the administration

snorklewacker:/# kadmin.local -e des-cbc-crc:v4
Authenticating as principal hartmans/admin@ATHENA.MIT.EDU with password.
kadmin.local: addprinc -randkey afs
addprinc -randkey afs
WARNING: no policy specified for afs@SNORKLEWACKER.MIT.EDU; defaulting to no policy
Principal "afs@SNORKLEWACKER.MIT.EDU" created.
kadmin.local: ktadd -k /tmp/snork.keytab afs
ktadd -k /tmp/snork.keytab afs
Entry for principal afs with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/snork.keytab.

snorklewacker:/# kadmin.local

Authenticating as principal hartmans/admin@ATHENA.MIT.EDU with password.
kadmin.local: addprinc hartmans

WARNING: no policy specified for hartmans@SNORKLEWACKER.MIT.EDU; defaulting to no policy
Enter password for principal "hartmans@SNORKLEWACKER.MIT.EDU": foo

Re-enter password for principal "hartmans@SNORKLEWACKER.MIT.EDU": foo

Principal "hartmans@SNORKLEWACKER.MIT.EDU" created.

snorklewacker:/# asetkey add 3 /tmp/snork.keytab afs
asetkey add 3 /tmp/snork.keytab afs
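[Added example, not part of the original transcript: a POSIX shell helper for the key-loading step just shown. The kvno given to asetkey must be the kvno of the keytab entry that ktadd wrote (3 here), and a classic rxkad KeyFile can only hold a single-DES key, which is why kadmin.local was started with -e des-cbc-crc:v4. The helper reads the ktadd output, derives the matching asetkey command, and refuses if the keytab holds a Triple DES entry or two different kvnos instead of letting a wrong key be loaded. It also applies the naming rule afs-newcell prints in its prerequisites: the principal is "afs" when the cell name is the Kerberos realm (ignoring case) and "afs/cellname" otherwise. The sample ktadd lines are constructed from this transcript, and the afs_* function names are this example's own. Single DES has long been deprecated in Kerberos; the constraint here is specific to the rxkad KeyFile, and newer OpenAFS releases (1.6.5 and later) can hold stronger keys in KeyFileExt via rxkad-k5.]

```shell
#!/bin/sh
# Added example, not from the original transcript: derive the
# "asetkey add <kvno> <keytab> <principal>" command from what
# "kadmin.local ktadd" printed, refusing when the keytab is not
# usable for a classic rxkad KeyFile. Function names are this
# example's own.

# afs_service_principal CELL REALM
# The rule afs-newcell prints: "afs" if the cell name is the realm
# (cells are lower case, realms upper case, so compare ignoring case),
# otherwise "afs/<cell>".
afs_service_principal() {
    cell=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$cell" = "$realm" ]; then
        echo afs
    else
        echo "afs/$cell"
    fi
}

# afs_asetkey_cmd KTADD_OUTPUT PRINCIPAL
# Prints the asetkey command and exits 0, or exits 1 with the reason
# on stderr: no entry for the principal, entries with differing kvnos
# (asetkey takes exactly one), or an enctype other than single DES
# with CRC-32, the only key a rxkad KeyFile holds and the reason
# kadmin.local was run with -e des-cbc-crc:v4 above.
afs_asetkey_cmd() {
    printf '%s\n' "$1" | awk -v princ="$2" '
        index($0, "Entry for principal " princ " with kvno ") == 1 {
            n++
            kv = $7; sub(/,$/, "", kv); kvnos[kv] = 1
            s = index($0, "encryption type ") + length("encryption type ")
            e = index($0, " added to keytab")
            enc = substr($0, s, e - s)
            if (enc != "DES cbc mode with CRC-32") bad = enc
            kt = $NF; sub(/^WRFILE:/, "", kt); sub(/\.$/, "", kt)
        }
        END {
            if (n == 0) { print "no keytab entry for " princ | "cat 1>&2"; exit 1 }
            if (bad != "") { print "KeyFile cannot hold enctype: " bad | "cat 1>&2"; exit 1 }
            c = 0; for (k in kvnos) { c++; kvno = k }
            if (c != 1) { print c " different kvnos for " princ | "cat 1>&2"; exit 1 }
            print "asetkey add " kvno " " kt " " princ
        }'
}

# Samples constructed from the transcript: the ktadd line above, and
# the kind of output ktadd gives when kadmin.local is started without
# -e des-cbc-crc:v4 (a Triple DES entry alongside the DES one, as the
# kadm5.keytab entries earlier in the transcript show).
KTADD_OK='Entry for principal afs with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/snork.keytab.'
KTADD_MIXED='Entry for principal afs with kvno 4, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/tmp/snork.keytab.
Entry for principal afs with kvno 4, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/snork.keytab.'

PRINC=$(afs_service_principal snorklewacker.mit.edu SNORKLEWACKER.MIT.EDU)
afs_asetkey_cmd "$KTADD_OK" "$PRINC"        # -> asetkey add 3 /tmp/snork.keytab afs
afs_asetkey_cmd "$KTADD_MIXED" "$PRINC" || echo "not loading key (exit $?)"
```

[On a real server, feed it the live ktadd output and run what it prints, e.g. afs_asetkey_cmd "$(kadmin.local -e des-cbc-crc:v4 -q 'ktadd -k /tmp/snork.keytab afs' 2>&1)" afs. The keytab in /tmp holds the cell's long-term key; remove it once asetkey has loaded it.]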
snorklewacker:/# dd if=/dev/zero of=/var/lib/openafs/vicepa bs=1024k count=32

snorklewacker:/# mke2fs /var/lib/openafs/vicepa
mke2fs 1.19, 13-Jul-2000 for EXT2 FS 0.5b, 95/08/09
/var/lib/openafs/vicepa is not a block special device.
Proceed anyway? (y,n) y

Block size=1024 (log=0)
Fragment size=1024 (log=0)
8192 inodes, 32768 blocks
1638 blocks (5.00%) reserved for the super user

8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks:

Writing inode tables: done
Writing superblocks and filesystem accounting information: done
snorklewacker:/# mount -oloop /var/lib/openafs/vicepa /vicepa
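[Added example, not part of the original transcript: a check to run before afs-newcell that /vicepa is really a separately mounted, writable filesystem and not just a directory on the root filesystem, and that reports when it is loop-backed, which the note at the top of this transcript reserves for testing. The mount table is passed in as text so the check can be exercised on a constructed sample; on a real server pass "$(cat /proc/mounts)". The sample mount table, the hypothetical read-only /vicepb in it, and the vicep_* function names are this example's own.]

```shell
#!/bin/sh
# Added example, not from the original transcript: verify that a
# /vicepX partition is a separately mounted, writable filesystem
# before running afs-newcell, and say when it is loop-backed (the
# test-only setup this transcript uses). Function names are this
# example's own.

# Constructed /proc/mounts sample: the loopback /vicepa from the
# transcript plus a hypothetical read-only /vicepb.
MOUNTS_SAMPLE='/dev/hda1 / ext2 rw 0 0
proc /proc proc rw 0 0
/dev/loop0 /vicepa ext2 rw 0 0
/dev/hda5 /vicepb ext2 ro 0 0'

# vicep_status MOUNTS_TEXT MOUNTPOINT
# Prints "<loop|block> <device> <rw|ro>"; prints "unmounted" and exits 1
# if nothing is mounted there. The last matching entry wins, which is the
# mount currently visible at that path.
vicep_status() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp { dev = $1; opts = $4 }
        END {
            if (dev == "") { print "unmounted"; exit 1 }
            mode = "rw"
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") mode = "ro"
            kind = (dev ~ /^\/dev\/loop/) ? "loop" : "block"
            print kind, dev, mode
        }'
}

# vicep_ready MOUNTS_TEXT MOUNTPOINT
# Exit 0 if the fileserver can use the partition; diagnostics on stderr.
vicep_ready() {
    mp=$2
    st=$(vicep_status "$1" "$mp") || {
        echo "$mp: not a mounted filesystem; afs-newcell requires one there" >&2
        return 1
    }
    set -- $st    # kind device mode
    if [ "$3" = ro ]; then
        echo "$mp: $2 is mounted read-only; the fileserver needs write access" >&2
        return 1
    fi
    if [ "$1" = loop ]; then
        echo "$mp: loop-backed by $2; fine for testing, not for a production cell" >&2
    fi
    return 0
}

vicep_ready "$MOUNTS_SAMPLE" /vicepa && echo "/vicepa ok"
```

[A loop-backed /vicepa is still a file on the root filesystem: its size is fixed by the dd count and it is lost if /var/lib/openafs is cleaned up, which is the other reason the note at the top says production cells should use a real partition.]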

snorklewacker:/# afs-newcell

In order to set up a new AFS cell, you must meet the following:

1) You need a working Kerberos realm with Kerberos4 support. You
   should install Heimdal with Kth-kerberos compatibility or MIT

2) You need to create the AFS key and load it into
   /etc/openafs/server/KeyFile. If your cell's name is the same as
   your Kerberos realm then create a principal called afs. Otherwise,
   create a principal called afs/cellname in your realm. The cell
   name should be all lower case, unlike Kerberos realms which are all
   upper case. You can use asetkey from the openafs-krb5 package, or
   if you used AFS3 salt to create the key, the bos addkey command.

3) This machine should have a filesystem mounted on /vicepa. If you
   do not have a free partition, then create a large file by using dd
   to extract bytes from /dev/zero. Create a filesystem on this file
   and mount it using -oloop.

4) You will need an administrative principal created in a Kerberos
   realm. This principal will be added to susers and
   system:administrators and thus will be able to run administrative
   commands. Generally the user is a root instance of some administrative
   user. For example if jruser is an administrator then it would be
   reasonable to create jruser/root and specify jruser/root as the user
   to be added in this script.

5) The AFS client must not be running on this workstation. It will be
   at the end of this script.

Do you meet these requirements? [y/n] y
If the fileserver is not running, this may hang for 30 seconds.
/etc/init.d/openafs-fileserver stop
Stopping AFS Server: bosserver.
What administrative principal should be used? hartmans
echo \>snorklewacker.mit.edu >/etc/openafs/server/CellServDB
/etc/init.d/openafs-fileserver start
Starting AFS Server: [U.S. Government Restricted Rights notice, as above]

bos addhost snorklewacker snorklewacker -localauth ||true
bos adduser snorklewacker hartmans -localauth
pt_util: /var/lib/openafs/db/prdb.DB0: Bad UBIK_MAGIC. Is 0 should be 354545

Error while creating system:administrators: Entry for id already exists
pt_util: Ubik Version number changed during execution.
Old Version = 2.0, new version = 33554432.0
bos create snorklewacker ptserver simple /usr/lib/openafs/ptserver -localauth
bos create snorklewacker vlserver simple /usr/lib/openafs/vlserver -localauth
bos create snorklewacker fs fs -cmd /usr/lib/openafs/fileserver -cmd /usr/lib/openafs/volserver -cmd /usr/lib/openafs/salvager -localauth
Waiting for database elections: done.
vos create snorklewacker a root.afs -localauth
Volume 536870924 created on partition /vicepa of snorklewacker
echo snorklewacker.mit.edu >/etc/openafs/ThisCell
/etc/init.d/openafs-client force-start
Starting AFS services: [U.S. Government Restricted Rights notice, as above]

afsd: All AFS daemons started.

Now, get tokens as hartmans in the snorklewacker.mit.edu cell. Then, run

snorklewacker:/# kinit hartmans
Password for hartmans@SNORKLEWACKER.MIT.EDU: foo

snorklewacker:/# aklog snorklewacker.mit.edu -k SNORKLEWACKER.MIT.EDU
snorklewacker:/# afs-rootvol

In order to set up the root.afs volume, you must meet the following pre-conditions:

1) The cell must be configured, running a database server with a
   volume location and protection server.

2) You must be logged into the cell with tokens in
   system:administrators and with a principal that is in the susers
   file of the servers in the cell.

3) You need a fileserver in the cell with partitions mounted and a root.afs volume created.
   Presumably, it has no volumes on it, although the script will work
   so long as nothing besides root.afs exists.

4) The AFS client must be running pointed at the new cell.
Do you meet these conditions? (Y/n) y
You will need to select a server (hostname) and AFS
partition on which to create the root volumes.
What AFS Server should volumes be placed on? snorklewacker

fs sa /afs system:anyuser rl
vos create snorklewacker a root.cell -localauth
Volume 536870927 created on partition /vicepa of snorklewacker
fs mkm /afs/snorklewacker.mit.edu root.cell -cell snorklewacker.mit.edu
fs mkm /afs/andrew.cmu.edu root.cell -cell andrew.cmu.edu
fs mkm /afs/cs.cmu.edu root.cell -cell cs.cmu.edu
fs mkm /afs/ece.cmu.edu root.cell -cell ece.cmu.edu
fs mkm /afs/athena.mit.edu root.cell -cell athena.mit.edu
fs mkm /afs/dev.mit.edu root.cell -cell dev.mit.edu
fs mkm /afs/net.mit.edu root.cell -cell net.mit.edu
fs mkm /afs/sipb.mit.edu root.cell -cell sipb.mit.edu
fs mkm /afs/ir.stanford.edu root.cell -cell ir.stanford.edu
fs mkm /afs/umr.edu root.cell -cell umr.edu
fs mkm /afs/dementia.org root.cell -cell dementia.org
fs sa /afs/snorklewacker.mit.edu system:anyuser rl
fs mkm /afs/.snorklewacker.mit.edu root.cell -cell snorklewacker.mit.edu -rw
fs mkm /afs/.root.afs root.afs -rw
vos create snorklewacker a user -localauth
Volume 536870930 created on partition /vicepa of snorklewacker
fs mkm /afs/snorklewacker.mit.edu/user user
fs sa /afs/snorklewacker.mit.edu/user system:anyuser rl
vos create snorklewacker a service -localauth
Volume 536870933 created on partition /vicepa of snorklewacker
fs mkm /afs/snorklewacker.mit.edu/service service
fs sa /afs/snorklewacker.mit.edu/service system:anyuser rl
ln -s /afs/snorklewacker.mit.edu /afs/snorklewacker
ln -s /afs/.snorklewacker.mit.edu /afs/.snorklewacker
vos addsite snorklewacker a root.afs -localauth
Added replication site snorklewacker /vicepa for volume root.afs
vos addsite snorklewacker a root.cell -localauth
Added replication site snorklewacker /vicepa for volume root.cell
vos release root.afs -localauth
Released volume root.afs successfully
vos release root.cell -localauth
Released volume root.cell successfully
snorklewacker:/# ls /afs
andrew.cmu.edu  dementia.org  ir.stanford.edu  snorklewacker
athena.mit.edu  dev.mit.edu   net.mit.edu      snorklewacker.mit.edu
cs.cmu.edu      ece.cmu.edu   sipb.mit.edu     umr.edu
snorklewacker:/# ls /afs/athena.mit.edu
activity  contrib  dept  project    service   system
astaff    course   org   reference  software  user
snorklewacker:/# ls /afs/snorklewacker