[openafs.git] / src / packaging / Debian / configuration-transcript.txt

[This transcript includes creation of a loopback mount on /vicepa
using file full of zeros.  This is useful to know how to do because it
allows you to test an AFS server without repartitioning.  However, for
production cells, you should repartition and create a /vicepa
partition.]

snorklewacker:/# apt-get -q install openafs-dbserver openafs-krb5 krb5-admin-server
Reading Package Lists...
Building Dependency Tree...
The following extra packages will be installed:
  krb5-kdc krb5-user libkrb53 openafs-client openafs-fileserver openafs-ptutil 
The following NEW packages will be installed:
  krb5-admin-server krb5-kdc krb5-user libkrb53 openafs-client openafs-dbserver
  openafs-fileserver openafs-krb5 openafs-ptutil 
0 packages upgraded, 9 newly installed, 0 to remove and 22 not upgraded.
Need to get 2264kB of archives. After unpacking 5939kB will be used.
Do you want to continue? [Y/n] y
Get:1 http://www.mit.edu packages/ krb5-admin-server 1.2.1-5 [174kB]
Get:2 http://www.mit.edu packages/ krb5-kdc 1.2.1-5 [173kB]
Get:3 http://www.mit.edu packages/ krb5-user 1.2.1-5 [154kB]
Get:4 http://www.mit.edu packages/ libkrb53 1.2.1-5 [337kB]
Get:5 http://www.mit.edu packages/ openafs-client 1.0.snap20001106-6 [662kB]
Get:6 http://www.mit.edu packages/ openafs-dbserver 1.0.snap20001106-6 [211kB]
Get:7 http://www.mit.edu packages/ openafs-fileserver 1.0.snap20001106-6 [427kB]
Get:8 http://www.mit.edu packages/ openafs-krb5 1.3-3 [96.5kB]
Get:9 http://www.mit.edu packages/ openafs-ptutil 0.0.snap20001123-1 [30.3kB]
Fetched 2264kB in 8s (253kB/s)
Preconfiguring packages ..
Configuring Libkrb53
--------------------


  When users attempt to use Kerberos and specify a principal or user
  name without specifying what administrative Kerberos realm that
  principal belongs to, the system appends the default realm.
  Normally default realm is the upper case version of the local DNS
  domain.

What is the default Kerberos realm? [ATHENA.MIT.EDU] SNORKLEWACKER.MIT.EDU

Configuring Krb5-kdc
--------------------

By default, Kerberos4 requests are allowed from principals that do not require
preauthentication.  This allows Kerberos4 services to exist while requiring
most users to use Kerberos5 clients to get their initial tickets.  These
tickets can then be converted to Kerberos4 tickets.  Alternatively, the mode
can be set to full, allowing Kerberos4 to get initial tickets even when
preauthentication would normally be required, or to disable, which will
disable all Kerberos4 support. 

  d. disable  f. full  n. nopreauth

What Kerberos4 compatibility mode should be used? [n] 

Configuring Krb5-admin-server
-----------------------------

Setting up a Kerberos Realm

 This package contains the administrative tools necessary to run on
 the Kerberos master server.  However, installing this package does
 not automatically set up a Kerberos realm.  Doing so requires
 entering passwords and as such is not well-suited for package
 installation.  To create the realm, run the krb5_newrealm command.
 You may also wish to read /usr/share/doc/krb5-kdc/README.KDC and the
 administration guide found in the krb5-doc package.
 .
 Don't forget to set up DNS information so your clients can find your
 KDC and admin servers.  Doing so is documented in the administration
 guide.

Configuring Openafs-client
--------------------------


  AFS filespace is organized into cells or administrative domains.
[More] 
  Each workstation belongs to one cell.  Usually the cell is the DNS
  domain name of the workstation.

What AFS cell does this workstation belong to? snorklewacker.mit.edu


  AFS uses a  area of the disk to cache remote files for faster
  access.  This cache will be mounted on /var/cache/openafs.  It is
  important that the cache not overfill the partition it is located
  on.  Often, people find it useful to dedicate a partition to their
  AFS cache.

How large is your AFS cache (kb)? [50000] 95000

Configuring Openafs-fileserver
------------------------------

Selecting previously deselected package libkrb53.
(Reading database ... 28342 files and directories currently installed.)
Unpacking libkrb53 (from .../libkrb53_1.2.1-5_i386.deb) ...
Selecting previously deselected package krb5-user.
Unpacking krb5-user (from .../krb5-user_1.2.1-5_i386.deb) ...
Selecting previously deselected package krb5-kdc.
Unpacking krb5-kdc (from .../krb5-kdc_1.2.1-5_i386.deb) ...
Selecting previously deselected package krb5-admin-server.
Unpacking krb5-admin-server (from .../krb5-admin-server_1.2.1-5_i386.deb) ...
Selecting previously deselected package openafs-client.
Unpacking openafs-client (from .../openafs-client_1.0.snap20001106-6_i386.deb) ...
Selecting previously deselected package openafs-fileserver.
Unpacking openafs-fileserver (from .../openafs-fileserver_1.0.snap20001106-6_i386.deb) ...
Selecting previously deselected package openafs-ptutil.
Unpacking openafs-ptutil (from .../openafs-ptutil_0.0.snap20001123-1_i386.deb) ...
Selecting previously deselected package openafs-dbserver.
Unpacking openafs-dbserver (from .../openafs-dbserver_1.0.snap20001106-6_i386.deb) ...
Selecting previously deselected package openafs-krb5.
Unpacking openafs-krb5 (from .../openafs-krb5_1.3-3_i386.deb) ...
Setting up openafs-client (1.0.snap20001106-6) ...
Configuring Openafs-client
--------------------------

AFS uses the file /etc/openafs/CellServDB to hold the list of servers that
should be contacted to find parts of a cell.  The cell you claim this
workstation belongs to is not in that file.  Enter the host names of the
database servers separated by spaces. IMPORTANT: If you are creating a new
cell and this machine is to be a database server in that cell, only enter this
machine's name; add the other servers later after they are functioning. Also,
do not enable the AFS client to start at boot on this server until the cell is
configured.  When you are ready you can edit /etc/openafs/afs.conf.client to
enable the client. 

What hosts are DB servers for your home cell?snorklewacker.mit.edu

Should the Openafs filesystem be started and mounted at boot? Normally, most
users who install the openafs-client package expect to run it at boot. 
However, if you are planning on setting up a new cell or are on a laptop, you
may not want it started at boot time. If you answer no to this question, run
/etc/init.d/openafs-client force-start to run. 

Run Openafs client at boot? [yes] n

Starting AFS services: 
Setting up openafs-fileserver (1.0.snap20001106-6) ...
Starting AFS Server: ===================== U.S. Government Restricted Rights ======================
If you are licensing the Software on behalf of the U.S. Government
("Government"), the following provisions apply to you.  If the Software is
supplied to the Department of Defense ("DoD"), it is classified as "Commercial
Computer Software" under paragraph 252.227-7014 of the DoD Supplement to the
Federal Acquisition Regulations ("DFARS") (or any successor regulations)
and the Government is acquiring only the license rights granted herein (the
license rights customarily provided to non-Government users).  If the Software
is supplied to any unit or agency of the Government other than DoD, it is
classified as "Restricted Computer Software" and the Government's rights in
the Software are defined in paragraph 52.227-19 of the Federal Acquisition
Regulations ("FAR") (or any successor regulations) or, in the case of NASA,
in paragraph 18.52.227-86 of the NASA Supplement in the FAR (or any successor
regulations).
bosserver.

Setting up openafs-ptutil (0.0.snap20001123-1) ...

Setting up openafs-dbserver (1.0.snap20001106-6) ...

Setting up libkrb53 (1.2.1-5) ...

Setting up krb5-user (1.2.1-5) ...

Setting up krb5-kdc (1.2.1-5) ...

Setting up krb5-admin-server (1.2.1-5) ...

Setting up openafs-krb5 (1.3-3) ...

snorklewacker:/# krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Initializing database '/var/lib/krb5kdc/principal' for realm 'SNORKLEWACKER.MIT.EDU',
master key name 'K/M@SNORKLEWACKER.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:foo

Re-enter KDC database master key to verify:foo

Authenticating as principal hartmans/admin@ATHENA.MIT.EDU with password.
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Authenticating as principal hartmans/admin@ATHENA.MIT.EDU with password.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Starting Kerberos KDC: krb5kdc krb524d.
Starting Kerberos Administration Servers: kadmind.


Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers.  Kerberos admin
principals usually belong to a single user and end in /admin.  For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers.  Doing so is documented in the administration
guide.
snorklewacker:/# kadmin.local -e des-cbc-crc:v4
Authenticating as principal hartmans/admin@ATHENA.MIT.EDU with password.
kadmin.local:  addprinc -randkey afs
addprinc -randkey afs
WARNING: no policy specified for afs@SNORKLEWACKER.MIT.EDU; defaulting to no policy
Principal "afs@SNORKLEWACKER.MIT.EDU" created.
kadmin.local:  ktadd -k /tmp/snork.keytab afs
ktadd -k /tmp/snork.keytab afs
Entry for principal afs with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/snork.keytab.
kadmin.local:  quit
quit
snorklewacker:/# kadmin.local
kadmin.local
Authenticating as principal hartmans/admin@ATHENA.MIT.EDU with password.
kadmin.local:  addprinc hartmans
addprinc hartmans
WARNING: no policy specified for hartmans@SNORKLEWACKER.MIT.EDU; defaulting to no policy
Enter password for principal "hartmans@SNORKLEWACKER.MIT.EDU": foo

Re-enter password for principal "hartmans@SNORKLEWACKER.MIT.EDU": foo

Principal "hartmans@SNORKLEWACKER.MIT.EDU" created.
kadmin.local:  quit
quit
snorklewacker:/# asetkey add 3 /tmp/snork.keytab afs
asetkey add 3 /tmp/snork.keytab afs
snorklewacker:/# snorklewacker:/# dd if=/dev/zero of=/var/lib/openafs/vicepa bs=1024k count=32
32+0 records in
32+0 records out
snorklewacker:/# mke2fs /var/lib/openafs/vicepa
mke2fs 1.19, 13-Jul-2000 for EXT2 FS 0.5b, 95/08/09
/var/lib/openafs/vicepa is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
8192 inodes, 32768 blocks
1638 blocks (5.00%) reserved for the super user
First data block=1
4 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks: 
        8193, 24577

Writing inode tables: 0/4\b\b\b1/4\b\b\b2/4\b\b\b3/4\b\b\bdone                            
Writing superblocks and filesystem accounting information: done
snorklewacker:/# mount -oloop /var/lib/openafs/vicepa /vicepa

snorklewacker:/# afs-newcell
                            Prerequisites

In order to set up a new AFS cell, you must meet the following:

1) You need a working Kerberos realm with Kerberos4 support.  You
   should install Heimdal with Kth-kerberos compatibility or MIT
   Kerberos5.

2) You need to create the AFS key and load it into
   /etc/openafs/server/KeyFile.  If your cell's name is the same as
   your Kerberos realm then create a principal called afs.  Otherwise,
   create a principal called afs/cellname in your realm.  The cell
   name should be all lower case, unlike Kerberos realms which are all
   upper case.  You can use asetkey from the openafs-krb5 package, or
   if you used AFS3 salt to create the key, the bos addkey command.

3) This machine should have a filesystem mounted on /vicepa.  If you
   do not have a free partition, then create a large file by using dd
   to extract bytes from /dev/zero.  Create a filesystem on this file
   and mount it using -oloop.  

4) You will need an administrative principal created in a Kerberos
realm.  This principal will be added to susers and
system:administrators and thus will be able to run administrative
commands.  Generally the user is a root instance of some administravie
user.  For example if jruser is an administrator then it would be
reasonable to create jruser/root and specify jruser/root as the user
to be added in this script.

5) The AFS client must not be running on this workstation.  It will be
at the end of this script.

Do you meet these requirements? [y/n] y
If the fileserver is not running, this may hang for 30 seconds.
/etc/init.d/openafs-fileserver stop
Stopping AFS Server: bosserver.
What administrative principal should be used?hartmans
echo \>snorklewacker.mit.edu >/etc/openafs/server/CellServDB
/etc/init.d/openafs-fileserver start
Starting AFS Server: ===================== U.S. Government Restricted Rights ======================
If you are licensing the Software on behalf of the U.S. Government
("Government"), the following provisions apply to you.  If the Software is
supplied to the Department of Defense ("DoD"), it is classified as "Commercial
Computer Software" under paragraph 252.227-7014 of the DoD Supplement to the
Federal Acquisition Regulations ("DFARS") (or any successor regulations)
and the Government is acquiring only the license rights granted herein (the
license rights customarily provided to non-Government users).  If the Software
is supplied to any unit or agency of the Government other than DoD, it is
classified as "Restricted Computer Software" and the Government's rights in
the Software are defined in paragraph 52.227-19 of the Federal Acquisition
Regulations ("FAR") (or any successor regulations) or, in the case of NASA,
in paragraph 18.52.227-86 of the NASA Supplement in the FAR (or any successor
regulations).
bosserver.
bos addhost snorklewacker snorklewacker -localauth ||true
bos adduser snorklewacker hartmans -localauth
pt_util: /var/lib/openafs/db/prdb.DB0: Bad UBIK_MAGIC. Is 0 should be 354545
Ubik Version is: 2.0
Error while creating system:administrators: Entry for id already exists
pt_util: Ubik Version number changed during execution.
Old Version = 2.0, new version = 33554432.0
bos create snorklewacker ptserver simple /usr/lib/openafs/ptserver -localauth
bos create snorklewacker vlserver simple /usr/lib/openafs/vlserver -localauth
bos create snorklewacker fs fs -cmd /usr/lib/openafs/fileserver -cmd /usr/lib/openafs/volserver -cmd /usr/lib/openafs/salvager -localauth
Waiting for database elections: done.
vos create snorklewacker a root.afs -localauth
Volume 536870924 created on partition /vicepa of snorklewacker
echo snorklewacker.mit.edu >/etc/openafs/ThisCell
/etc/init.d/openafs-client force-start
Starting AFS services: ===================== U.S. Government Restricted Rights ======================
If you are licensing the Software on behalf of the U.S. Government
("Government"), the following provisions apply to you.  If the Software is
supplied to the Department of Defense ("DoD"), it is classified as "Commercial
Computer Software" under paragraph 252.227-7014 of the DoD Supplement to the
Federal Acquisition Regulations ("DFARS") (or any successor regulations)
and the Government is acquiring only the license rights granted herein (the
license rights customarily provided to non-Government users).  If the Software
is supplied to any unit or agency of the Government other than DoD, it is
classified as "Restricted Computer Software" and the Government's rights in
the Software are defined in paragraph 52.227-19 of the Federal Acquisition
Regulations ("FAR") (or any successor regulations) or, in the case of NASA,
in paragraph 18.52.227-86 of the NASA Supplement in the FAR (or any successor
regulations).
afsd: All AFS daemons started.
 afsd.
Now, get tokens as hartmans in the snorklewacker.mit.edu cell.  Then, run
afs-rootvol.
snorklewacker:/# 
snorklewacker:/# kinit hartmans
Password for hartmans@SNORKLEWACKER.MIT.EDU: foo

snorklewacker:/# aklog snorklewacker.mit.edu -k SNORKLEWACKER.MIT.EDU
snorklewacker:/# afs-rootvol
                            Prerequisites

In order to set up the root.afs volume, you must meet the following pre-conditions:

1) The cell must be configured, running a database server with a
   volume location and protection server.

2)  You must be logged into the cell with  tokens in
    system:administrators and with a principal that is in the susers
    file of the servers in the cell.

3) You need a fileserver in the cell with partitions mounted and a root.afs volume created.
   Presumably, it has no volumes on it, although the script will work
   so long as nothing besides root.afs exists.

4) The AFS client must be running pointed at the new cell.
Do you meet these conditions? (Y/n) y
You will need to select a server (hostname) and AFS
partition on which to create the root volumes.
What AFS Server should volumes be placed on? snorklewacker
What partition? [a] 
fs sa /afs system:anyuser rl
vos create snorklewacker a root.cell -localauth
Volume 536870927 created on partition /vicepa of snorklewacker
fs mkm /afs/snorklewacker.mit.edu root.cell -cell snorklewacker.mit.edu 
fs mkm /afs/andrew.cmu.edu root.cell -cell andrew.cmu.edu 
fs mkm /afs/cs.cmu.edu root.cell -cell cs.cmu.edu 
fs mkm /afs/ece.cmu.edu root.cell -cell ece.cmu.edu 
fs mkm /afs/athena.mit.edu root.cell -cell athena.mit.edu 
fs mkm /afs/dev.mit.edu root.cell -cell dev.mit.edu 
fs mkm /afs/net.mit.edu root.cell -cell net.mit.edu 
fs mkm /afs/sipb.mit.edu root.cell -cell sipb.mit.edu 
fs mkm /afs/ir.stanford.edu root.cell -cell ir.stanford.edu 
fs mkm /afs/umr.edu root.cell -cell umr.edu 
fs mkm /afs/dementia.org root.cell -cell dementia.org 
fs sa /afs/snorklewacker.mit.edu system:anyuser rl
fs mkm /afs/.snorklewacker.mit.edu root.cell -cell snorklewacker.mit.edu -rw
fs mkm /afs/.root.afs root.afs -rw
vos create snorklewacker a user -localauth
Volume 536870930 created on partition /vicepa of snorklewacker
fs mkm /afs/snorklewacker.mit.edu/user user 
fs sa /afs/snorklewacker.mit.edu/user system:anyuser rl
vos create snorklewacker a service -localauth
Volume 536870933 created on partition /vicepa of snorklewacker
fs mkm /afs/snorklewacker.mit.edu/service service 
fs sa /afs/snorklewacker.mit.edu/service system:anyuser rl
ln -s /afs/snorklewacker.mit.edu /afs/snorklewacker
ln -s /afs/.snorklewacker.mit.edu /afs/.snorklewacker
vos addsite snorklewacker a root.afs -localauth
Added replication site snorklewacker /vicepa for volume root.afs
vos addsite snorklewacker a root.cell -localauth
Added replication site snorklewacker /vicepa for volume root.cell
vos release root.afs -localauth
Released volume root.afs successfully
vos release root.cell -localauth
Released volume root.cell successfully
snorklewacker:/# ls /afs
andrew.cmu.edu  dementia.org  ir.stanford.edu  snorklewacker
athena.mit.edu  dev.mit.edu   net.mit.edu      snorklewacker.mit.edu
cs.cmu.edu      ece.cmu.edu   sipb.mit.edu     umr.edu
snorklewacker:/# ls /afs/athena.mit.edu
activity  contrib  dept  project    service   system
astaff    course   org   reference  software  user
snorklewacker:/# ls /afs/snorklewacker
service  user
snorklewacker:/#