+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 4//EN">
-<HTML><HEAD>
-<TITLE>Quick Beginnings</TITLE>
-<!-- Begin Header Records ========================================== -->
-<!-- /tmp/idwt3574/auqbg000.scr converted by idb2h R4.2 (359) ID -->
-<!-- Workbench Version (AIX) on 2 Oct 2000 at 12:25:35 -->
-<META HTTP-EQUIV="updated" CONTENT="Mon, 02 Oct 2000 12:25:35">
-<META HTTP-EQUIV="review" CONTENT="Tue, 02 Oct 2001 12:25:35">
-<META HTTP-EQUIV="expires" CONTENT="Wed, 02 Oct 2002 12:25:35">
-</HEAD><BODY>
-<!-- (C) IBM Corporation 2000. All Rights Reserved -->
-<BODY bgcolor="ffffff">
-<!-- End Header Records ============================================ -->
-<A NAME="Top_Of_Page"></A>
-<H1>Quick Beginnings</H1>
-<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auqbg002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auqbg006.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Bot_Of_Page"><IMG SRC="../bot.gif" BORDER="0" ALT="[Bottom of Topic]"></A> <A HREF="auqbg008.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auqbg009.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
-<P>
-<A NAME="IDX2926"></A>
-<A NAME="IDX2927"></A>
-<HR><H1><A NAME="HDRWQ133" HREF="auqbg002.htm#ToC_115">Installing Additional Client Machines</A></H1>
-<P>This chapter describes how to install AFS client machines
-after you have installed the first AFS machine. Some parts of the
-installation differ depending on whether or not the new client is of the same
-AFS system type (uses the same AFS binaries) as a previously installed client
-machine.
-<A NAME="IDX2928"></A>
-<HR><H2><A NAME="Header_116" HREF="auqbg002.htm#ToC_116">Summary of Procedures</A></H2>
-<OL TYPE=1>
-<P><LI>Incorporate AFS into the machine's kernel
-<P><LI>Define the machine's cell membership
-<P><LI>Define cache location and size
-<P><LI>Create the <B>/usr/vice/etc/CellServDB</B> file, which determines
-which foreign cells the client can access in addition to the local cell
-<P><LI>Create the <B>/afs</B> directory and start the Cache Manager
-<P><LI>Create and mount volumes for housing AFS client binaries (necessary only
-for clients of a new system type)
-<P><LI>Create a link from the local <B>/usr/afsws</B> directory to the AFS
-directory housing the AFS client binaries
-<P><LI>Modify the machine's authentication system to enable AFS users to
-obtain tokens at login
-</OL>
-<A NAME="IDX2929"></A>
-<A NAME="IDX2930"></A>
-<A NAME="IDX2931"></A>
-<A NAME="IDX2932"></A>
-<A NAME="IDX2933"></A>
-<A NAME="IDX2934"></A>
-<A NAME="IDX2935"></A>
-<HR><H2><A NAME="HDRWQ134" HREF="auqbg002.htm#ToC_117">Creating AFS Directories on the Local Disk</A></H2>
-<P>Create the <B>/usr/vice/etc</B> directory on the local
-disk, to house client binaries and configuration files. Subsequent
-instructions copy files from the AFS CD-ROM into them. Create the
-<B>/cdrom</B> directory as a mount point for the CD-ROM, if it does not
-already exist.
-<PRE>
- # <B>mkdir /usr/vice</B>
-
- # <B>mkdir /usr/vice/etc</B>
-
- # <B>mkdir /cdrom</B>
-
-</PRE>
-<HR><H2><A NAME="HDRWQ135" HREF="auqbg002.htm#ToC_118">Performing Platform-Specific Procedures</A></H2>
-<P>Every AFS client machine's kernel must incorporate AFS
-modifications. Some system types use a dynamic kernel loader program,
-whereas on other system types you build AFS modifications into a static
-kernel. Some system types support both methods.
-<P>Also modify the machine's authentication system so that users obtain
-an AFS token as they log into the local file system. Using AFS is
-simpler and more convenient for your users if you make the modifications on
-all client machines. Otherwise, users must perform a two-step login
-procedure (login to the local file system and then issue the <B>klog</B>
-command). For further discussion of AFS authentication, see the chapter
-in the <I>IBM AFS Administration Guide</I> about cell configuration and
-administration issues.
-<P>For convenience, the following sections group the two procedures by system
-type. Proceed to the appropriate section.
-<UL>
-<P><LI><A HREF="#HDRWQ136">Getting Started on AIX Systems</A>
-<P><LI><A HREF="#HDRWQ137">Getting Started on Digital UNIX Systems</A>
-<P><LI><A HREF="#HDRWQ138">Getting Started on HP-UX Systems</A>
-<P><LI><A HREF="#HDRWQ139">Getting Started on IRIX Systems</A>
-<P><LI><A HREF="#HDRWQ143">Getting Started on Linux Systems</A>
-<P><LI><A HREF="#HDRWQ144">Getting Started on Solaris Systems</A>
-</UL>
-<A NAME="IDX2936"></A>
-<A NAME="IDX2937"></A>
-<A NAME="IDX2938"></A>
-<A NAME="IDX2939"></A>
-<A NAME="IDX2940"></A>
-<A NAME="IDX2941"></A>
-<A NAME="IDX2942"></A>
-<A NAME="IDX2943"></A>
-<A NAME="IDX2944"></A>
-<HR><H2><A NAME="HDRWQ136" HREF="auqbg002.htm#ToC_119">Getting Started on AIX Systems</A></H2>
-<P>In this section you load AFS into the AIX kernel.
-Then incorporate AFS modifications into the machine's secondary
-authentication system, if you wish to enable AFS login.
-<P><H3><A NAME="Header_120" HREF="auqbg002.htm#ToC_120">Loading AFS into the AIX Kernel</A></H3>
-<P>The AIX kernel extension facility is the dynamic kernel loader provided
-by IBM Corporation. AIX does not support incorporation of AFS
-modifications during a kernel build.
-<P>For AFS to function correctly, the kernel extension facility must run each
-time the machine reboots, so the AFS initialization script (included in the
-AFS distribution) invokes it automatically. In this section you copy
-the script to the conventional location and edit it to select the appropriate
-options depending on whether NFS is also to run.
-<P>After editing the script, you run it to incorporate AFS into the
-kernel. In a later section you verify that the script correctly
-initializes the Cache Manager, then configure the AIX <B>inittab</B> file
-so that the script runs automatically at reboot.
-<OL TYPE=1>
-<P><LI>Mount the AFS CD-ROM for AIX on the local <B>/cdrom</B>
-directory. For instructions on mounting CD-ROMs (either locally or
-remotely via NFS), see your AIX documentation. Then change directory as
-indicated.
-<PRE>
- # <B>cd /cdrom/rs_aix42/root.client/usr/vice/etc</B>
-
-</PRE>
-<P><LI>Copy the AFS kernel library files to the local
-<B>/usr/vice/etc/dkload</B> directory, and the AFS initialization script
-to the <B>/etc</B> directory.
-<PRE>
- # <B>cp -rp dkload /usr/vice/etc</B>
-
- # <B>cp -p rc.afs /etc/rc.afs</B>
-
-</PRE>
-<P><LI>Edit the <B>/etc/rc.afs</B> script, setting the <TT>NFS</TT>
-variable as indicated.
-<P>If the machine is not to function as an NFS/AFS Translator, set the
-<TT>NFS</TT> variable as follows.
-<PRE>
- NFS=$NFS_NONE
-</PRE>
-<P>If the machine is to function as an NFS/AFS Translator and is running AIX
-4.2.1 or higher, set the <TT>NFS</TT> variable as
-follows. Note that NFS must already be loaded into the kernel, which
-happens automatically on systems running AIX 4.1.1 and later, as
-long as the file <B>/etc/exports</B> exists.
-<PRE>
- NFS=$NFS_IAUTH
-
-</PRE>
-<P><LI>Invoke the <B>/etc/rc.afs</B> script to load AFS modifications
-into the kernel. You can ignore any error messages about the inability
-to start the BOS Server or the Cache Manager or AFS client.
-<PRE>
- # <B>/etc/rc.afs</B>
-
-</PRE>
-</OL>
-<P><H3><A NAME="Header_121" HREF="auqbg002.htm#ToC_121">Enabling AFS Login on AIX Systems</A></H3>
-<P>Now incorporate AFS into the AIX secondary authentication
-system.
-<OL TYPE=1>
-<P><LI>Issue the <B>ls</B> command to verify that the
-<B>afs_dynamic_auth</B> and <B>afs_dynamic_kerbauth</B> programs are
-installed in the local <B>/usr/vice/etc</B> directory.
-<PRE>
- # <B>ls /usr/vice/etc</B>
-</PRE>
-<P>If the files do not exist, mount the AFS CD-ROM for AIX (if it is not
-already), change directory as indicated, and copy them.
-<PRE>
- # <B>cd /cdrom/rs_aix42/root.client/usr/vice/etc</B>
-
- # <B>cp -p afs_dynamic* /usr/vice/etc</B>
-
-</PRE>
-<P><LI>Edit the local <B> /etc/security/user</B> file, making changes to the
-indicated stanzas:
-<UL>
-<P><LI>In the default stanza, set the <TT>registry</TT> attribute to
-<B>DCE</B> (not to <B>AFS</B>), as follows:
-<PRE>
- registry = DCE
-
-</PRE>
-<P><LI>In the default stanza, set the <TT>SYSTEM</TT> attribute as
-indicated.
-<P>If the machine is an AFS client only, set the following value:
-<PRE>
- SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"
-</PRE>
-<P>If the machine is both an AFS and a DCE client, set the following value (it
-must appear on a single line in the file):
-<PRE>
- SYSTEM = "DCE OR DCE[UNAVAIL] OR AFS OR (AFS[UNAVAIL] \
- AND compat[SUCCESS])"
-
-</PRE>
-<P><LI>In the <TT>root</TT> stanza, set the <TT>registry</TT> attribute as
-follows. It enables the local superuser <B>root</B> to log into the
-local file system only, based on the password listed in the local password
-file.
-<PRE>
- root:
- registry = files
-
-</PRE>
-</UL>
-<P><LI>Edit the local <B>/etc/security/login.cfg</B> file, creating or
-editing the indicated stanzas:
-<UL>
-<P><LI>In the <TT>DCE</TT> stanza, set the <TT>program</TT> attribute as
-follows.
-<P>If you use the AFS Authentication Server (<B>kaserver</B>
-process):
-<PRE>
- DCE:
- program = /usr/vice/etc/afs_dynamic_auth
-</PRE>
-<P>If you use a Kerberos implementation of AFS authentication:
-<PRE>
- DCE:
- program = /usr/vice/etc/afs_dynamic_kerbauth
-
-</PRE>
-<P><LI>In the <TT>AFS</TT> stanza, set the <TT>program</TT> attribute as
-follows.
-<P>If you use the AFS Authentication Server (<B>kaserver</B>
-process):
-<PRE>
- AFS:
- program = /usr/vice/etc/afs_dynamic_auth
-</PRE>
-<P>If you use a Kerberos implementation of AFS authentication:
-<PRE>
- AFS:
- program = /usr/vice/etc/afs_dynamic_kerbauth
-
-</PRE>
-</UL>
-<P><LI>Proceed to <A HREF="#HDRWQ145">Loading and Creating Client Files</A>.
-</OL>
-<A NAME="IDX2945"></A>
-<A NAME="IDX2946"></A>
-<A NAME="IDX2947"></A>
-<A NAME="IDX2948"></A>
-<A NAME="IDX2949"></A>
-<A NAME="IDX2950"></A>
-<A NAME="IDX2951"></A>
-<A NAME="IDX2952"></A>
-<A NAME="IDX2953"></A>
-<HR><H2><A NAME="HDRWQ137" HREF="auqbg002.htm#ToC_122">Getting Started on Digital UNIX Systems</A></H2>
-<P>In this section you build AFS into the Digital UNIX
-kernel. Then incorporate AFS modifications into the machine's
-Security Integration Architecture (SIA) matrix, if you wish to enable AFS
-login.
-<P><H3><A NAME="Header_123" HREF="auqbg002.htm#ToC_123">Building AFS into the Digital UNIX Kernel</A></H3>
-<P>On Digital UNIX systems, you must build AFS modifications into a new
-static kernel; Digital UNIX does not support dynamic loading. If
-the machine's hardware and software configuration exactly matches another
-Digital UNIX machine on which AFS is already built into the kernel, you can
-choose to copy the kernel from that machine to this one. In general,
-however, it is better to build AFS modifications into the kernel on each
-machine according to the following instructions.
-<OL TYPE=1>
-<P><LI>Create a copy called <B>AFS</B> of the basic kernel configuration file
-included in the Digital UNIX distribution as
-<B>/usr/sys/conf/</B><VAR>machine_name</VAR>, where <VAR>machine_name</VAR> is
-the machine's hostname in all uppercase letters.
-<PRE>
- # <B>cd /usr/sys/conf</B>
-
- # <B>cp</B> <VAR>machine_name</VAR> <B>AFS</B>
-
-</PRE>
-<P><LI>Add AFS to the list of options in the configuration file you created in
-the previous step, so that the result looks like the following:
-<PRE> . .
- . .
- options UFS
- options NFS
- options AFS
- . .
- . .
-
-</PRE>
-<P><LI>Add an entry for AFS to two places in the file
-<B>/usr/sys/conf/files</B>.
-<UL>
-<P><LI>Add a line for AFS to the list of <TT>OPTIONS</TT>, so that the result
-looks like the following:
-<PRE> . . .
- . . .
- OPTIONS/nfs optional nfs
- OPTIONS/afs optional afs
- OPTIONS/nfs_server optional nfs_server
- . . .
- . . .
-
-</PRE>
-<P><LI>Add an entry for AFS to the list of <TT>MODULES</TT>, so that the result
-looks like the following:
-<PRE> . . . .
- . . . .
- #
- MODULE/nfs_server optional nfs_server Binary
- nfs/nfs_server.c module nfs_server optimize -g3
- nfs/nfs3_server.c module nfs_server optimize -g3
- #
- MODULE/afs optional afs Binary
- afs/libafs.c module afs
- #
-
-</PRE>
-</UL>
-<P><LI>Add an entry for AFS to two places in the file
-<B>/usr/sys/vfs/vfs_conf.c</B>.
-<UL>
-<P><LI>Add AFS to the list of defined file systems, so that the result looks like
-the following:
-<PRE> . .
- . .
- #include <afs.h>
- #if defined(AFS) && AFS
- extern struct vfsops afs_vfsops;
- #endif
- . .
- . .
-
-</PRE>
-<P><LI>Put a declaration for AFS in the <B>vfssw[]</B> table's
-MOUNT_ADDON slot, so that the result looks like the following:
-<PRE> . . .
- . . .
- &fdfs_vfsops, "fdfs", /* 12 = MOUNT_FDFS */
- #if defined(AFS)
- &afs_vfsops, "afs",
- #else
- (struct vfsops *)0, "", /* 13 = MOUNT_ADDON */
- #endif
- #if NFS && INFS_DYNAMIC
- &nfs3_vfsops, "nfsv3", /* 14 = MOUNT_NFS3 */
-
-</PRE>
-</UL>
-<P><LI>Mount the AFS CD-ROM for Digital UNIX on the local <B>/cdrom</B>
-directory. For instructions on mounting CD-ROMs (either locally or
-remotely via NFS), see your Digital UNIX documentation. Then change
-directory as indicated.
-<PRE>
- # <B>cd /cdrom/alpha_dux40/root.client</B>
-
-</PRE>
-<P><LI>Copy the AFS initialization script to the local directory for
-initialization files (by convention, <B>/sbin/init.d</B> on Digital
-UNIX machines). Note the removal of the <B>.rc</B> extension
-as you copy the script.
-<PRE>
- # <B>cp usr/vice/etc/afs.rc /sbin/init.d/afs</B>
-
-</PRE>
-<P><LI>Copy the AFS kernel module to the local <B>/usr/sys/BINARY</B>
-directory.
-<P>If the machine's kernel supports NFS server functionality:
-<PRE>
- # <B>cp bin/libafs.o /usr/sys/BINARY/afs.mod</B>
-</PRE>
-<P>If the machine's kernel does not support NFS server
-functionality:
-<PRE>
- # <B>cp bin/libafs.nonfs.o /usr/sys/BINARY/afs.mod</B>
-
-</PRE>
-<P><LI>Configure and build the kernel. Respond to any prompts by pressing
-<<B>Return</B>>. The resulting kernel resides in the file
-<B>/sys/AFS/vmunix</B>.
-<PRE>
- # <B>doconfig -c AFS</B>
-
-</PRE>
-<P><LI>Rename the existing kernel file and copy the new, AFS-modified file to the
-standard location.
-<PRE>
- # <B>mv /vmunix /vmunix_noafs</B>
-
- # <B>cp /sys/AFS/vmunix /vmunix</B>
-
-</PRE>
-<P><LI>Reboot the machine to start using the new kernel, and login again as the
-superuser <B>root</B>.
-<PRE>
- # <B>cd /</B>
-
- # <B>shutdown -r now</B>
-
- login: <B>root</B>
- Password: <VAR>root_password</VAR>
-
-</PRE>
-</OL>
-<P><H3><A NAME="Header_124" HREF="auqbg002.htm#ToC_124">Enabling AFS Login on Digital UNIX Systems</A></H3>
-<P>On Digital UNIX systems, the AFS initialization script automatically
-incorporates the AFS authentication library file into the Security Integration
-Architecture (SIA) matrix on the machine, so that users with AFS accounts
-obtain a token at login. In this section you copy the library file to
-the appropriate location.
-<P>For more information on SIA, see the Digital UNIX reference page for
-<B>matrix.conf</B>, or consult the section on security in your
-Digital UNIX documentation.
-<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If the machine runs both the DCE and AFS client software, AFS must start
-after DCE. Consult the AFS initialization script for suggested symbolic
-links to create for correct ordering. Also, the system startup script
-order must initialize SIA before any long-running process that uses
-authentication.
-</TD></TR></TABLE>
-<P>Perform the following steps to enable AFS login.
-<OL TYPE=1>
-<P><LI>Mount the AFS CD-ROM for Digital UNIX on the local <B>/cdrom</B>
-directory, if it is not already. Change directory as indicated.
-<PRE>
- # <B>cd /cdrom/alpha_dux40/lib/afs</B>
-
-</PRE>
-<P><LI>Copy the appropriate AFS authentication library file to the local
-<B>/usr/shlib</B> directory.
-<P>If you use the AFS Authentication Server (<B>kaserver</B> process) in
-the cell:
-<PRE>
- # <B>cp libafssiad.so /usr/shlib</B>
-</PRE>
-<P>If you use a Kerberos implementation of AFS authentication, rename the
-library file as you copy it:
-<PRE>
- # <B>cp libafssiad.krb.so /usr/shlib/libafssiad.so</B>
-
-</PRE>
-<P><LI>Proceed to <A HREF="#HDRWQ145">Loading and Creating Client Files</A>.
-</OL>
-<A NAME="IDX2954"></A>
-<A NAME="IDX2955"></A>
-<A NAME="IDX2956"></A>
-<A NAME="IDX2957"></A>
-<A NAME="IDX2958"></A>
-<A NAME="IDX2959"></A>
-<A NAME="IDX2960"></A>
-<A NAME="IDX2961"></A>
-<A NAME="IDX2962"></A>
-<HR><H2><A NAME="HDRWQ138" HREF="auqbg002.htm#ToC_125">Getting Started on HP-UX Systems</A></H2>
-<P>In this section you build AFS into the HP-UX kernel.
-Then incorporate AFS modifications into the machine's Pluggable
-Authentication Module (PAM) system, if you wish to enable AFS login.
-<P><H3><A NAME="Header_126" HREF="auqbg002.htm#ToC_126">Building AFS into the HP-UX Kernel</A></H3>
-<P>On HP-UX systems, you must build AFS modifications into a new static
-kernel; HP-UX does not support dynamic loading. If the
-machine's hardware and software configuration exactly matches another
-HP-UX machine on which AFS is already built into the kernel, you can choose to
-copy the kernel from that machine to this one. In general, however, it
-is better to build AFS modifications into the kernel on each machine according
-to the following instructions.
-<OL TYPE=1>
-<P><LI>Move the existing kernel-related files to a safe location.
-<PRE>
- # <B>cp /stand/vmunix /stand/vmunix.noafs</B>
-
- # <B>cp /stand/system /stand/system.noafs</B>
-
-</PRE>
-<P><LI>Mount the AFS CD-ROM for HP-UX on the local <B>/cdrom</B>
-directory. For instructions on mounting CD-ROMs (either locally or
-remotely via NFS), see your HP-UX documentation. Then change directory
-as indicated.
-<PRE>
- # <B>cd /cdrom/hp_ux110/root.client</B>
-
-</PRE>
-<P><LI>Copy the AFS initialization file to the local directory for initialization
-files (by convention, <B>/sbin/init.d</B> on HP-UX
-machines). Note the removal of the <B>.rc</B> extension as
-you copy the file.
-<PRE>
- # <B>cp usr/vice/etc/afs.rc /sbin/init.d/afs</B>
-
-</PRE>
-<P><LI>Copy the file <B>afs.driver</B> to the local
-<B>/usr/conf/master.d</B> directory, changing its name to
-<B>afs</B> as you do.
-<PRE>
- # <B>cp usr/vice/etc/afs.driver /usr/conf/master.d/afs</B>
-
-</PRE>
-<P><LI>Copy the AFS kernel module to the local <B>/usr/conf/lib</B>
-directory.
-<P>If the machine's kernel supports NFS server functionality:
-<PRE>
- # <B>cp bin/libafs.a /usr/conf/lib</B>
-</PRE>
-<P>If the machine's kernel does not support NFS server functionality,
-change the file's name as you copy it:
-<PRE>
- # <B>cp bin/libafs.nonfs.a /usr/conf/lib/libafs.a</B>
-
-</PRE>
-<P><LI>Incorporate the AFS driver into the kernel, either using the
-<B>SAM</B> program or a series of individual commands.
-<UL>
-<P><LI>To use the <B>SAM</B> program:
-<OL TYPE=a>
-<P><LI>Invoke the <B>SAM</B> program, specifying the hostname of the local
-machine as <VAR>local_hostname</VAR>. The <B>SAM</B> graphical user
-interface pops up.
-<PRE>
- # <B>sam -display</B> <VAR>local_hostname</VAR><B>:0</B>
-
-</PRE>
-<P><LI>Choose the <B>Kernel Configuration</B> icon, then the
-<B>Drivers</B> icon. From the list of drivers, select
-<B>afs</B>.
-<P><LI>Open the pull-down <B>Actions</B> menu and choose the <B>Add Driver
-to Kernel</B> option.
-<P><LI>Open the <B>Actions</B> menu again and choose the <B>Create a New
-Kernel</B> option.
-<P><LI>Confirm your choices by choosing <B>Yes</B> and <B>OK</B> when
-prompted by subsequent pop-up windows. The <B>SAM</B> program
-builds the kernel and reboots the system.
-<P><LI>Login again as the superuser <B>root</B>.
-<PRE>
- login: <B>root</B>
- Password: <VAR>root_password</VAR>
-
-</PRE>
-</OL>
-<P><LI>To use individual commands:
-<OL TYPE=a>
-<P><LI>Edit the file <B>/stand/system</B>, adding an entry for <B>afs</B>
-to the <TT>Subsystems</TT> section.
-<P><LI>Change to the <B>/stand/build</B> directory and issue the
-<B>mk_kernel</B> command to build the kernel.
-<PRE>
- # <B>cd /stand/build</B>
-
- # <B>mk_kernel</B>
-
-</PRE>
-<P><LI>Move the new kernel to the standard location (<B>/stand/vmunix</B>),
-reboot the machine to start using it, and login again as the superuser
-<B>root</B>.
-<PRE>
- # <B>mv /stand/build/vmunix_test /stand/vmunix</B>
-
- # <B>cd /</B>
-
- # <B>shutdown -r now</B>
-
- login: <B>root</B>
- Password: <VAR>root_password</VAR>
-
-</PRE>
-</OL>
-</UL>
-</OL>
-<P><H3><A NAME="Header_127" HREF="auqbg002.htm#ToC_127">Enabling AFS Login on HP-UX Systems</A></H3>
-<P>At this point you incorporate AFS into the operating system's
-Pluggable Authentication Module (PAM) scheme. PAM integrates all
-authentication mechanisms on the machine, including login, to provide the
-security infrastructure for authenticated access to and from the
-machine.
-<P>Explaining PAM is beyond the scope of this document. It is assumed
-that you understand the syntax and meanings of settings in the PAM
-configuration file (for example, how the <TT>other</TT> entry works, the
-effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
-<TT>sufficient</TT>, and so on).
-<P>The following instructions explain how to alter the entries in the PAM
-configuration file for each service for which you wish to use AFS
-authentication. Other configurations possibly also work, but the
-instructions specify the recommended and tested configuration.
-<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">The instructions specify that you mark each entry as
-<TT>optional</TT>. However, marking some modules as optional can mean
-that they grant access to the corresponding service even when the user does
-not meet all of the module's requirements. In some operating
-system revisions, for example, if you mark as optional the module that
-controls login via a dial-up connection, it allows users to login without
-providing a password. See the <I>IBM AFS Release Notes</I> for a
-discussion of any limitations that apply to this operating system.
-<P>Also, with some operating system versions you must install patches for PAM
-to interact correctly with certain authentication programs. For
-details, see the <I>IBM AFS Release Notes</I>.
-</TD></TR></TABLE>
-<P>The recommended AFS-related entries in the PAM configuration file make use
-of one or more of the following three attributes.
-<DL>
-<P><DT><B><TT>try_first_pass</TT>
-</B><DD>This is a standard PAM attribute that can be included on entries after the
-first one for a service; it directs the module to use the password that
-was provided to the first module. For the AFS module, it means that AFS
-authentication succeeds if the password provided to the module listed first is
-the user's correct AFS password. For further discussion of this
-attribute and its alternatives, see the operating system's PAM
-documentation.
-<P><DT><B><TT>ignore_root</TT>
-</B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
-only the local superuser <B> root</B>, but also any user with UID 0
-(zero).
-<P><DT><B><TT>setenv_password_expires</TT>
-</B><DD>This attribute, specific to the AFS PAM module, sets the environment
-variable PASSWORD_EXPIRES to the expiration date of the user's AFS
-password, which is recorded in the Authentication Database.
-</DL>
-<P>Perform the following steps to enable AFS login.
-<OL TYPE=1>
-<P><LI>Mount the AFS CD-ROM for HP-UX on the <B>/cdrom</B> directory, if it
-is not already. Then change directory as indicated.
-<PRE>
- # <B>cd /usr/lib/security</B>
-
-</PRE>
-<P><LI>Copy the AFS authentication library file to the
-<B>/usr/lib/security</B> directory. Then create a symbolic link to
-it whose name does not mention the version. Omitting the version
-eliminates the need to edit the PAM configuration file if you later update the
-library file.
-<P>If you use the AFS Authentication Server (<B>kaserver</B> process) in
-the cell:
-<PRE>
- # <B>cp /cdrom/hp_ux110/lib/pam_afs.so.1 .</B>
-
- # <B>ln -s pam_afs.so.1 pam_afs.so</B>
-</PRE>
-<P>If you use a Kerberos implementation of AFS authentication:
-<PRE>
- #<B> cp /cdrom/hp_ux110/lib/pam_afs.krb.so.1 .</B>
-
- # <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>
-
-</PRE>
-<P><LI>Edit the <TT>Authentication management</TT> section of the HP-UX PAM
-configuration file, <B>/etc/pam.conf</B> by convention. The
-entries in this section have the value <TT>auth</TT> in their second
-field.
-<P>First edit the standard entries, which refer to the HP-UX PAM module
-(usually, the file <B>/usr/lib/security/libpam_unix.1</B>) in their
-fourth field. For each service for which you want to use AFS
-authentication, edit the third field of its entry to read
-<TT>optional</TT>. The <B>pam.conf</B> file in the HP-UX
-distribution usually includes standard entries for the <B>login</B> and
-<B>ftp</B> services, for instance.
-<P>If there are services for which you want to use AFS authentication, but for
-which the <B>pam.conf</B> file does not already include a standard
-entry, you must create that entry and place the value <TT>optional</TT> in
-its third field. For instance, the HP-UX <B>pam.conf</B>
-file does not usually include standard entries for the <B>remsh</B> or
-<B>telnet</B> services.
-<P>Then create an AFS-related entry for each service, placing it immediately
-below the standard entry. The following example shows what the
-<TT>Authentication Management</TT> section looks like after you have you
-edited or created entries for the services mentioned previously. Note
-that the example AFS entries appear on two lines only for legibility.
-<PRE>
- login auth optional /usr/lib/security/libpam_unix.1
- login auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root setenv_password_expires
- ftp auth optional /usr/lib/security/libpam_unix.1
- ftp auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
- remsh auth optional /usr/lib/security/libpam_unix.1
- remsh auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
- telnet auth optional /usr/lib/security/libpam_unix.1
- telnet auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root setenv_password_expires
-
-</PRE>
-<P><LI>If you use the Common Desktop Environment (CDE) on the machine and want
-users to obtain an AFS token as they log in, also add or edit the following
-four entries in the <TT>Authentication management</TT> section. Note
-that the AFS-related entries appear on two lines here only for
-legibility.
-<PRE>
- dtlogin auth optional /usr/lib/security/libpam_unix.1
- dtlogin auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
- dtaction auth optional /usr/lib/security/libpam_unix.1
- dtaction auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
-
-</PRE>
-<P><LI>Proceed to <A HREF="#HDRWQ145">Loading and Creating Client Files</A>.
-</OL>
-<A NAME="IDX2963"></A>
-<A NAME="IDX2964"></A>
-<A NAME="IDX2965"></A>
-<HR><H2><A NAME="HDRWQ139" HREF="auqbg002.htm#ToC_128">Getting Started on IRIX Systems</A></H2>
-<P>In this section you incorporate AFS into the IRIX kernel,
-choosing one of two methods:
-<UL>
-<P><LI>Dynamic loading using the <B>ml</B> program distributed by Silicon
-Graphics, Incorporated (SGI).
-<P><LI>Building a new static kernel.
-</UL>
-<P>Then see <A HREF="#HDRWQ142">Enabling AFS Login on IRIX Systems</A> to read about integrated AFS login on IRIX systems.
-<P>In preparation for either dynamic loading or kernel building, perform the
-following procedures:
-<OL TYPE=1>
-<P><LI>Mount the AFS CD-ROM for IRIX on the <B>/cdrom</B> directory.
-For instructions on mounting CD-ROMs (either locally or remotely via NFS), see
-your IRIX documentation. Then change directory as indicated.
-<PRE>
- # <B>cd /cdrom/sgi_65/root.client</B>
-
-</PRE>
-<P><LI>Copy the AFS initialization script to the local directory for
-initialization files (by convention, <B>/etc/init.d</B> on IRIX
-machines). Note the removal of the <B>.rc</B> extension as
-you copy the script.
-<PRE>
- # <B>cp -p usr/vice/etc/afs.rc /etc/init.d/afs</B>
-
-</PRE>
-<P><LI>Issue the <B>uname -m</B> command to determine the machine's CPU
-board type. The <B>IP</B><VAR>xx</VAR> value in the output must match
-one of the supported CPU board types listed in the <I>IBM AFS Release
-Notes</I> for the current version of AFS.
-<PRE>
- # <B>uname -m</B>
-
-</PRE>
-<P><LI>Proceed to either <A HREF="#HDRWQ140">Loading AFS into the IRIX Kernel</A> or <A HREF="#HDRWQ141">Building AFS into the IRIX Kernel</A>.
-</OL>
-<A NAME="IDX2966"></A>
-<A NAME="IDX2967"></A>
-<A NAME="IDX2968"></A>
-<A NAME="IDX2969"></A>
-<A NAME="IDX2970"></A>
-<A NAME="IDX2971"></A>
-<A NAME="IDX2972"></A>
-<P><H3><A NAME="HDRWQ140" HREF="auqbg002.htm#ToC_129">Loading AFS into the IRIX Kernel</A></H3>
-<P>The <B>ml</B> program is the dynamic kernel loader
-provided by SGI for IRIX systems. If you use it rather than building
-AFS modifications into a static kernel, then for AFS to function correctly the
-<B>ml</B> program must run each time the machine reboots.
-Therefore, the AFS initialization script (included on the AFS CD-ROM) invokes
-it automatically when the <B>afsml</B> configuration variable is
-activated. In this section you activate the variable and run the
-script.
-<P>In a later section you verify that the script correctly initializes the
-Cache Manager, then create the links that incorporate AFS into the IRIX
-startup and shutdown sequence.
-<OL TYPE=1>
-<P><LI>Create the local <B>/usr/vice/etc/sgiload</B> directory to house the
-AFS kernel library file.
-<PRE>
- # <B>mkdir /usr/vice/etc/sgiload</B>
-
-</PRE>
-<P><LI>Copy the appropriate AFS kernel library file to the
-<B>/usr/vice/etc/sgiload</B> directory. The
-<B>IP</B><VAR>xx</VAR> portion of the library file name must match the value
-previously returned by the <B>uname -m</B> command. Also choose the
-file appropriate to whether the machine's kernel supports NFS server
-functionality (NFS must be supported for the machine to act as an NFS/AFS
-Translator). Single- and multiprocessor machines use the same library
-file.
-<P>(You can choose to copy all of the kernel library files into the <B>
-/usr/vice/etc/sgiload</B> directory, but they require a significant amount
-of space.)
-<P>If the machine's kernel supports NFS server functionality:
-<PRE>
- # <B>cp -p usr/vice/etc/sgiload/libafs.IP</B><VAR>xx</VAR><B>.o /usr/vice/etc/sgiload</B>
-</PRE>
-<P>If the machine's kernel does not support NFS server
-functionality:
-<PRE>
- # <B>cp -p usr/vice/etc/sgiload/libafs.IP</B><VAR>xx</VAR><B>.nonfs.o</B> \
- <B>/usr/vice/etc/sgiload</B>
-
-</PRE>
-<P><LI>Issue the <B>chkconfig</B> command to activate the <B>afsml</B>
-configuration variable.
-<PRE>
- # <B>/etc/chkconfig -f afsml on</B>
-</PRE>
-<P>If the machine is to function as an NFS/AFS Translator and the kernel
-supports NFS server functionality, activate the <B>afsxnfs</B>
-variable.
-<PRE>
- # <B>/etc/chkconfig -f afsxnfs on</B>
-
-</PRE>
-<P><LI>Run the <B>/etc/init.d/afs</B> script to load AFS extensions
-into the kernel. The script invokes the <B>ml</B> command,
-automatically determining which kernel library file to use based on this
-machine's CPU type and the activation state of the <B>afsxnfs</B>
-variable.
-<P>You can ignore any error messages about the inability to start the BOS
-Server or the Cache Manager or AFS client.
-<PRE>
- # <B>/etc/init.d/afs start</B>
-
-</PRE>
-<P><LI>Proceed to <A HREF="#HDRWQ142">Enabling AFS Login on IRIX Systems</A>.
-</OL>
-<A NAME="IDX2973"></A>
-<P><H3><A NAME="HDRWQ141" HREF="auqbg002.htm#ToC_130">Building AFS into the IRIX Kernel</A></H3>
-<P>If you prefer to build a kernel, and the machine's
-hardware and software configuration exactly matches another IRIX machine on
-which AFS is already built into the kernel, you can choose to copy the kernel
-from that machine to this one. In general, however, it is better to
-build AFS modifications into the kernel on each machine according to the
-following instructions.
-<OL TYPE=1>
-<P><LI>Copy the kernel initialization file <B>afs.sm</B> to the local
-<B>/var/sysgen/system</B> directory, and the kernel master file
-<B>afs</B> to the local <B>/var/sysgen/master.d</B>
-directory.
-<PRE>
- # <B>cp -p bin/afs.sm /var/sysgen/system</B>
-
- # <B>cp -p bin/afs /var/sysgen/master.d</B>
-
-</PRE>
-<P><LI>Copy the appropriate AFS kernel library file to the local file
-<B>/var/sysgen/boot/afs.a</B>; the <B>IP</B><VAR>xx</VAR>
-portion of the library file name must match the value previously returned by
-the <B>uname -m</B> command. Also choose the file appropriate to
-whether the machine's kernel supports NFS server functionality (NFS must
-be supported for the machine to act as an NFS/AFS Translator). Single-
-and multiprocessor machines use the same library file.
-<P>If the machine's kernel supports NFS server functionality:
-<PRE>
- # <B>cp -p bin/libafs.IP</B><VAR>xx</VAR><B>.a /var/sysgen/boot/afs.a</B>
-</PRE>
-<P>If the machine's kernel does not support NFS server
-functionality:
-<PRE>
- # <B>cp -p bin/libafs.IP</B><VAR>xx</VAR><B>.nonfs.a /var/sysgen/boot/afs.a</B>
-
-</PRE>
-<P><LI>Issue the <B>chkconfig</B> command to deactivate the <B>afsml</B>
-configuration variable.
-<PRE>
- # <B>/etc/chkconfig -f afsml off</B>
-</PRE>
-<P>If the machine is to function as an NFS/AFS Translator and the kernel
-supports NFS server functionality, activate the <B>afsxnfs</B>
-variable.
-<PRE>
- # <B>/etc/chkconfig -f afsxnfs on</B>
-
-</PRE>
-<P><LI>Copy the existing kernel file, <B>/unix</B>, to a safe
-location. Compile the new kernel, which is created in the file
-<B>/unix.install</B>. It overwrites the existing
-<B>/unix</B> file when the machine reboots in the next step.
-<PRE>
- # <B>cp /unix /unix_noafs</B>
-
- # <B>autoconfig</B>
-
-</PRE>
-<P><LI>Reboot the machine to start using the new kernel, and login again as the
-superuser <B>root</B>.
-<PRE>
- # <B>cd /</B>
-
- # <B>shutdown -i6 -g0 -y</B>
-
- login: <B>root</B>
- Password: <VAR>root_password</VAR>
-
-</PRE>
-<P><LI>Proceed to <A HREF="#HDRWQ142">Enabling AFS Login on IRIX Systems</A>.
-</OL>
-<A NAME="IDX2974"></A>
-<A NAME="IDX2975"></A>
-<A NAME="IDX2976"></A>
-<P><H3><A NAME="HDRWQ142" HREF="auqbg002.htm#ToC_131">Enabling AFS Login on IRIX Systems</A></H3>
-<P>The standard IRIX command-line <B>login</B> program and
-the graphical <B>xdm</B> login program both automatically grant an AFS
-token when AFS is incorporated into the machine's kernel. However,
-some IRIX distributions use another login utility by default, and it does not
-necessarily incorporate the required AFS modifications. If that is the
-case, you must disable the default utility if you want AFS users to obtain AFS
-tokens at login. For further discussion, see the <I>IBM AFS Release
-Notes</I>.
-<P>If you configure the machine to use an AFS-modified login utility, then the
-<B>afsauthlib.so</B> and <B>afskauthlib.so</B> files
-(included in the AFS distribution) must reside in the <B>/usr/vice/etc</B>
-directory. Issue the <B>ls</B> command to verify.
-<PRE>
- # <B>ls /usr/vice/etc</B>
-</PRE>
-<P>If the files do not exist, mount the AFS CD-ROM for IRIX (if it is not
-already), change directory as indicated, and copy them.
-<PRE>
- # <B>cd /cdrom/sgi_65/root.client/usr/vice/etc</B>
-
- # <B>cp -p *authlib* /usr/vice/etc</B>
-</PRE>
-<P>After taking any necessary action, proceed to <A HREF="#HDRWQ145">Loading and Creating Client Files</A>.
-<A NAME="IDX2977"></A>
-<A NAME="IDX2978"></A>
-<A NAME="IDX2979"></A>
-<A NAME="IDX2980"></A>
-<A NAME="IDX2981"></A>
-<A NAME="IDX2982"></A>
-<A NAME="IDX2983"></A>
-<A NAME="IDX2984"></A>
-<A NAME="IDX2985"></A>
-<HR><H2><A NAME="HDRWQ143" HREF="auqbg002.htm#ToC_132">Getting Started on Linux Systems</A></H2>
-<P>In this section you load AFS into the Linux kernel.
-Then incorporate AFS modifications into the machine's Pluggable
-Authentication Module (PAM) system, if you wish to enable AFS login.
-<P><H3><A NAME="Header_133" HREF="auqbg002.htm#ToC_133">Loading AFS into the Linux Kernel</A></H3>
-<P>The <B>insmod</B> program is the dynamic kernel loader for
-Linux. Linux does not support incorporation of AFS modifications during
-a kernel build.
-<P>For AFS to function correctly, the <B>insmod</B> program must run each
-time the machine reboots, so the AFS initialization script (included on the
-AFS CD-ROM) invokes it automatically. The script also includes commands
-that select the appropriate AFS library file automatically. In this
-section you run the script.
-<P>In a later section you also verify that the script correctly initializes
-the Cache Manager, then activate a configuration variable, which results in
-the script being incorporated into the Linux startup and shutdown
-sequence.
-<OL TYPE=1>
-<P><LI>Mount the AFS CD-ROM for Linux on the local <B>/cdrom</B>
-directory. For instructions on mounting CD-ROMs (either locally or
-remotely via NFS), see your Linux documentation. Then change directory
-as indicated.
-<PRE>
- # <B>cd /cdrom/i386_linux22/root.client/usr/vice/etc</B>
-
-</PRE>
-<P><LI>Copy the AFS kernel library files to the local
-<B>/usr/vice/etc/modload</B> directory. The filenames for the
-libraries have the format
-<B>libafs-</B><VAR>version</VAR><B>.o</B>, where <VAR>version</VAR>
-indicates the kernel build level. The string <B>.mp</B> in
-the <VAR>version</VAR> indicates that the file is appropriate for machines
-running a multiprocessor kernel.
-<PRE>
- # <B>cp -rp modload /usr/vice/etc</B>
-
-</PRE>
-<P><LI>Copy the AFS initialization script to the local directory for
-initialization files (by convention, <B>/etc/rc.d/init.d</B>
-on Linux machines). Note the removal of the <B>.rc</B>
-extension as you copy the script.
-<PRE>
- # <B>cp -p afs.rc /etc/rc.d/init.d/afs</B>
-
-</PRE>
-<P><LI>Run the AFS initialization script to load AFS extensions into the
-kernel. You can ignore any error messages about the inability to start
-the BOS Server or the Cache Manager or AFS client.
-<PRE>
- # <B>/etc/rc.d/init.d/afs start</B>
-
-</PRE>
-</OL>
-<P><H3><A NAME="Header_134" HREF="auqbg002.htm#ToC_134">Enabling AFS Login on Linux Systems</A></H3>
-<P>At this point you incorporate AFS into the operating system's
-Pluggable Authentication Module (PAM) scheme. PAM integrates all
-authentication mechanisms on the machine, including login, to provide the
-security infrastructure for authenticated access to and from the
-machine.
-<P>Explaining PAM is beyond the scope of this document. It is assumed
-that you understand the syntax and meanings of settings in the PAM
-configuration file (for example, how the <TT>other</TT> entry works, the
-effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
-<TT>sufficient</TT>, and so on).
-<P>The following instructions explain how to alter the entries in the PAM
-configuration file for each service for which you wish to use AFS
-authentication. Other configurations possibly also work, but the
-instructions specify the recommended and tested configuration.
-<P>The recommended AFS-related entries in the PAM configuration file make use
-of one or more of the following three attributes.
-<DL>
-<h4><br>Authentication Management</h4>
-<P><DT><B><TT>try_first_pass</TT>
-</B><DD>This is a standard PAM attribute that can be included on entries after the
-first one for a service; it directs the module to use the password that
-was provided to the first module. For the AFS module, it means that AFS
-authentication succeeds if the password provided to the module listed first is
-the user's correct AFS password. For further discussion of this
-attribute and its alternatives, see the operating system's PAM
-documentation.
-<P>
-<P><DT><B><TT>ignore_root</TT>
-</B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
-only the local superuser <B> root</B>, but also any user with UID 0
-(zero).
-<P><DT><B><TT>ignore_uid <i>uid</i></TT>
-</B><DD>This option is an extension of the "ignore_root" switch. The additional
-parameter is a limit. Users with a uid up to the given parameter are ignored
-by <i>pam_afs.so</i>. Thus, a system administrator still has the opportunity to
-add local user accounts to his system by choosing between "low" and
-"high" user ids.<br>
-An example /etc/passwd file for "ignore_uid 100" may have entries like these:
-<PRE>
- .
- .
-afsuserone:x:99:100::/afs/afscell/u/afsuserone:/bin/bash
-afsusertwo:x:100:100::/afs/afscell/u/afsusertwo:/bin/bash
-localuserone:x:101:100::/home/localuserone:/bin/bash
-localusertwo:x:102:100::/home/localusertwo:/bin/bash
- .
- .
-</PRE><br>
-AFS accounts should be locked in the file /etc/shadow like this:
-<PRE>
- .
- .
-afsuserone:!!:11500:0:99999:7:::
-afsusertwo:!!:11500:0:99999:7:::
-localuserone:<thelocaluserone'skey>:11500:0:99999:7:::
-localusertwo:<thelocalusertwo'skey>:11500:0:99999:7:::
- .
- .
-</PRE><br>
-There is no need to store a local key in this file since the AFS
-password is sent and verfied at the AFS cell server!
-
-<P><DT><B><TT>setenv_password_expires</TT>
-</B><DD>This attribute, specific to the AFS PAM module, sets the environment
-variable PASSWORD_EXPIRES to the expiration date of the user's AFS
-password, which is recorded in the Authentication Database.
-<P><DT><B><TT>set_token</TT>
-</B><DD>Some applications don't call <i>pam_setcred()</i> in order to retrieve the appropriate
-credentials (here the AFS token) for their session. This switch sets the credentials
-already in <i>pam_sm_authenticate()</i> obsoleting a call to <i>pam_setcred()</i>.<br>
-<b>Caution: Don't use this switch for applications which do call <i>pam_setcred()</i>!</b>
-One example for an application not calling <i>pam_setcred()</i> are older versions of
-the samba server.<br>
-Nevertheless, using applications with working pam session management is recommended as this
-setup conforms better with the PAM definitions.
-<P><DT><B><TT>refresh_token</TT>
-</B><DD>This options is identical to "set_token" except that no new PAG is generated.
-This is necessary to handle processes like xlock or xscreensaver. It is not enough to give
-the screen and the keyboard free for the user who reactivated his screen typing in the
-correct AFS password, but one may also need fresh tokens with full
-livetime in order to work on, and the new token must be refreshed in the already existing PAG
-for the processes that have been started. This is achieved using this option.
-<P><DT><B><TT>use_klog</TT>
-</B><DD>Activating this switch the authentication is done by calling the external program "klog".
-One program requiring this is for example <i>kdm</i> of KDE 2.x.<br></DD>
-<P><DT><B><TT>dont_fork</TT>
-</B><DD>Usually, the password verification and the establishment of the token is performed
-in a sub process. Using this option pam_afs does not fork and performs all actions in a single
-process. <b>Only use this options in case you notice serious problems caused by the sub process.</b>
-This option has been developed in respect to the "mod_auth_pam"-project (see also
-<A HREF="http://pam.sourceforge.net/mod_auth_pam/">mod_auth_pam</A>). The mod_auth_pam
-module enables PAM authentication for the apache http server package.
-
-<h4><br>Session Management</h4>
-
-<P><DT><B><TT>no_unlog</TT>
-</B><DD>Normally the tokens are deleted (in memory) after the session ends. Using this options the tokens are left
-untouched. <b>This behaviour has been the default in pam_afs until openafs-1.1.1!</b>
-<P><DT><B><TT>remainlifetime <i>sec</i></TT>
-</B><DD>The tokens are kept active for <i>sec</i> seconds before they are deleted. X display managers
-i.e. are used to inform the applications started in the X session before the logout and then
-end themselves. If the token was deleted immediately the applications would have no chance to
-write back their settings to i.e. the user's AFS home space. This option may help to avoid the
-problem.<br>
-
-</DL>
-<P>Perform the following steps to enable AFS login.
-<OL TYPE=1>
-<P><LI>Mount the AFS CD-ROM for Linux on the <B>/cdrom</B> directory, if it
-is not already. Then change to the directory for PAM modules, which
-depends on which Linux distribution you are using.
-<P>If you are using a Linux distribution from Red Hat Software:
-<PRE>
- # <B>cd /lib/security</B>
-</PRE>
-<P>If you are using another Linux distribution:
-<PRE>
- # <B>cd /usr/lib/security</B>
-
-</PRE>
-<P><LI>Copy the appropriate AFS authentication library file to the directory to
-which you changed in the previous step. Create a symbolic link whose
-name does not mention the version. Omitting the version eliminates the
-need to edit the PAM configuration file if you later update the library
-file.
-<P>If you use the AFS Authentication Server (<B>kaserver</B>
-process):
-<PRE>
- # <B>cp /cdrom/i386_linux22/lib/pam_afs.so.1 .</B>
-
- # <B>ln -s pam_afs.so.1 pam_afs.so</B>
-</PRE>
-<P>If you use a Kerberos implementation of AFS authentication:
-<PRE>
- # <B>cp /cdrom/i386_linux22/lib/pam_afs.krb.so.1 .</B>
-
- # <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>
-
-</PRE>
-<P><LI>For each service with which you want to use AFS authentication, insert an
-entry for the AFS PAM module into the <TT>auth</TT> section of the
-service's PAM configuration file. (Linux uses a separate
-configuration file for each service, unlike some other operating systems which
-list all services in a single file.) Mark the entry as
-<TT>sufficient</TT> in the second field.
-<P>Place the AFS entry below any entries that impose conditions under which
-you want the service to fail for a user who does not meet the entry's
-requirements. Mark these entries <TT>required</TT>. Place the
-AFS entry above any entries that need to execute only if AFS authentication
-fails.
-<P>Insert the following AFS entry if using the Red Hat distribution:
-<PRE>
- auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
-</PRE>
-<P>Insert the following AFS entry if using another distribution:
-<PRE>
- auth sufficient /usr/lib/security/pam_afs.so try_first_pass ignore_root
-</PRE>
-<P>Check the PAM config files also for "session" entries. If there are
-lines beginning with "session" then please insert this line too:
-<PRE>
- session optional /lib/security/pam_afs.so
-</PRE>
-<P>or
-<PRE>
- session optional /usr/lib/security/pam_afs.so
-</PRE>
-<P>This guaranties that the user's tokens are deleted from memory after his
-session ends so that no other user coincidently gets those tokens without authorization!
-The following examples illustrate the recommended configuration of the
-configuration file for several services:<br>
-
-<h4><br>Authentication Management</h4>
-
-(<B>/etc/pam.d/login</B>)
-<PRE>
- #%PAM-1.0
- auth required /lib/security/pam_securetty.so
- auth required /lib/security/pam_nologin.so
- auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
- # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- #This enables AFS authentication for every user but root
- auth required /lib/security/pam_pwdb.so shadow nullok
- account required /lib/security/pam_pwdb.so
- password required /lib/security/pam_cracklib.so
- password required /lib/security/pam_pwdb.so shadow nullok use_authtok
- session optional /lib/security/pam_afs.so
- #Make sure tokens are deleted after the user logs out
- session required /lib/security/pam_pwdb.so
-
-</PRE><br>
-(<b>/etc/pam.d/samba</b>)
-<PRE>
- auth required /lib/security/pam_afs.so ignore_uid 100 set_token
- # ^^^^^^^^^^^^^^^^^^^^^^^^
- #Here, users with uid>100 are considered to belong to the AFS and users
- #with uid<=100 are ignored by pam_afs. The token is retrieved already in
- #pam_sm_authenticate() (this is an example pam config for a samba version
- #that does not call pam_setcred(), it also does no sense to include session
- #entries here since they would be ignored by this version of samba ).
- account required /lib/security/pam_pwdb.so
-</PRE>
-(<b>/etc/pam.d/xscreensaver</b>)
-<PRE>
- auth sufficient /lib/security/pam_afs.so ignore_uid 100 refresh_token
- # ^^^^^^^^^^^^^
- #Avoid generating a new PAG for the new tokens, use the already existing PAG and
- #establish a fresh token in it.
- auth required /lib/security/pam_pwdb.so try_first_pass
-</PRE>
-(<b>/etc/pam.d/httpd</b>)
-<PRE>
- auth required /lib/security/pam_afs.so ignore_uid 100 dont_fork
- # ^^^^^^^^^
- #Don't fork for the verification of the password.
-</PRE>
-
-<h4><br>Session Management</h4>
-
-(<b>/etc/pam.d/su</b>)
-<PRE>
- auth sufficient /lib/security/pam_afs.so ignore_uid 100
- auth required /lib/security/pam_pwdb.so try_first_pass
- account required /lib/security/pam_pwdb.so
- password required /lib/security/pam_cracklib.so
- password required /lib/security/pam_pwdb.so use_authtok
- session required /lib/security/pam_pwdb.so
- session optional /lib/security/pam_afs.so no_unlog
- # ^^^^^^^^
- #Don't delete the token in this case, since the user may still
- #need it (for example if somebody logs in and changes to root
- #afterwards he may still want to access his home space in AFS).
- session required /lib/security/pam_login_access.so
- session optional /lib/security/pam_xauth.so
-</PRE>
-(<b>/etc/pam.d/xdm</b>)
-<PRE>
- auth required /lib/security/pam_nologin.so
- auth required /lib/security/pam_login_access.so
- auth sufficient /lib/security/pam_afs.so ignore_uid 100 use_klog
- auth required /lib/security/pam_pwdb.so try_first_pass
- account required /lib/security/pam_pwdb.so
- password required /lib/security/pam_cracklib.so
- password required /lib/security/pam_pwdb.so shadow nullok use_authtok
- session optional /lib/security/pam_afs.so remainlifetime 10
- # ^^^^^^^^^^^^^^^^^
- #Wait 10 seconds before deleting the AFS tokens in order to give
- #the programs of the X session some time to save their settings
- #to AFS.
- session required /lib/security/pam_pwdb.so
-</PRE>
-
-<P><LI>Proceed to <A HREF="#HDRWQ145">Loading and Creating Client Files</A>.
-</OL>
-<A NAME="IDX2986"></A>
-<A NAME="IDX2987"></A>
-<A NAME="IDX2988"></A>
-<A NAME="IDX2989"></A>
-<A NAME="IDX2990"></A>
-<A NAME="IDX2991"></A>
-<A NAME="IDX2992"></A>
-<A NAME="IDX2993"></A>
-<A NAME="IDX2994"></A>
-<A NAME="IDX2995"></A>
-<A NAME="IDX2996"></A>
-<A NAME="IDX2997"></A>
-<HR><H2><A NAME="HDRWQ144" HREF="auqbg002.htm#ToC_135">Getting Started on Solaris Systems</A></H2>
-<P>In this section you load AFS into the Solaris kernel.
-Then incorporate AFS modifications into the machine's Pluggable
-Authentication Module (PAM) system, if you wish to enable AFS login.
-<P><H3><A NAME="Header_136" HREF="auqbg002.htm#ToC_136">Loading AFS into the Solaris Kernel</A></H3>
-<P>The <B>modload</B> program is the dynamic kernel loader provided by
-Sun Microsystems for Solaris systems. Solaris does not support
-incorporation of AFS modifications during a kernel build.
-<P>For AFS to function correctly, the <B>modload</B> program must run each
-time the machine reboots, so the AFS initialization script (included on the
-AFS CD-ROM) invokes it automatically. In this section you copy the
-appropriate AFS library file to the location where the <B>modload</B>
-program accesses it and then run the script.
-<P>In a later section you verify that the script correctly initializes the
-Cache Manager, then create the links that incorporate AFS into the Solaris
-startup and shutdown sequence.
-<OL TYPE=1>
-<P><LI>Mount the AFS CD-ROM for Solaris on the <B>/cdrom</B>
-directory. For instructions on mounting CD-ROMs (either locally or
-remotely via NFS), see your Solaris documentation. Then change
-directory as indicated.
-<PRE>
- # <B>cd /cdrom/sun4x_56/root.client/usr/vice/etc</B>
-
-</PRE>
-<P><LI>Copy the AFS initialization script to the local directory for
-initialization files (by convention, <B>/etc/init.d</B> on Solaris
-machines). Note the removal of the <B>.rc</B> extension as
-you copy the script.
-<PRE>
- # <B>cp -p afs.rc /etc/init.d/afs</B>
-
-</PRE>
-<P><LI>Copy the appropriate AFS kernel library file to the local file
-<B>/kernel/fs/afs</B>.
-<P>If the machine is running Solaris 2.6 or the 32-bit version of
-Solaris 7, its kernel supports NFS server functionality, and the
-<B>nfsd</B> process is running:
-<PRE>
- # <B>cp -p modload/libafs.o /kernel/fs/afs</B>
-</PRE>
-<P>If the machine is running Solaris 2.6 or the 32-bit version of
-Solaris 7, and its kernel does not support NFS server functionality or the
-<B>nfsd</B> process is not running:
-<PRE>
- # <B>cp -p modload/libafs.nonfs.o /kernel/fs/afs</B>
-</PRE>
-<P>If the machine is running the 64-bit version of Solaris 7, its kernel
-supports NFS server functionality, and the <B>nfsd</B> process is
-running:
-<PRE>
- # <B>cp -p modload/libafs64.o /kernel/fs/sparcv9/afs</B>
-</PRE>
-<P>If the machine is running the 64-bit version of Solaris 7, and its
-kernel does not support NFS server functionality or the <B>nfsd</B>
-process is not running:
-<PRE>
- # <B>cp -p modload/libafs64.nonfs.o /kernel/fs/sparcv9/afs</B>
-
-</PRE>
-<P><LI>Run the AFS initialization script to load AFS modifications into the
-kernel. You can ignore any error messages about the inability to start
-the BOS Server or the Cache Manager or AFS client.
-<PRE>
- # <B>/etc/init.d/afs start</B>
-</PRE>
-<P>When an entry called <TT>afs</TT> does not already exist in the local
-<B>/etc/name_to_sysnum</B> file, the script automatically creates it and
-reboots the machine to start using the new version of the file. If this
-happens, log in again as the superuser <B>root</B> after the reboot and
-run the initialization script again. This time the required entry
-exists in the <B>/etc/name_to_sysnum</B> file, and the <B>modload</B>
-program runs.
-<PRE>
- login: <B>root</B>
- Password: <VAR>root_password</VAR>
-
- # <B>/etc/init.d/afs start</B>
-
-</PRE>
-</OL>
-<P><H3><A NAME="Header_137" HREF="auqbg002.htm#ToC_137">Enabling AFS Login on Solaris Systems</A></H3>
-<P>At this point you incorporate AFS into the operating system's
-Pluggable Authentication Module (PAM) scheme. PAM integrates all
-authentication mechanisms on the machine, including login, to provide the
-security infrastructure for authenticated access to and from the
-machine.
-<P>Explaining PAM is beyond the scope of this document. It is assumed
-that you understand the syntax and meanings of settings in the PAM
-configuration file (for example, how the <TT>other</TT> entry works, the
-effect of marking an entry as <TT>required</TT>, <TT>optional</TT>, or
-<TT>sufficient</TT>, and so on).
-<P>The following instructions explain how to alter the entries in the PAM
-configuration file for each service for which you wish to use AFS
-authentication. Other configurations possibly also work, but the
-instructions specify the recommended and tested configuration.
-<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">The instructions specify that you mark each entry as
-<TT>optional</TT>. However, marking some modules as optional can mean
-that they grant access to the corresponding service even when the user does
-not meet all of the module's requirements. In some operating
-system revisions, for example, if you mark as optional the module that
-controls login via a dial-up connection, it allows users to login without
-providing a password. See the <I>IBM AFS Release Notes</I> for a
-discussion of any limitations that apply to this operating system.
-<P>Also, with some operating system versions you must install patches for PAM
-to interact correctly with certain authentication programs. For
-details, see the <I>IBM AFS Release Notes</I>.
-</TD></TR></TABLE>
-<P>The recommended AFS-related entries in the PAM configuration file make use
-of one or more of the following three attributes.
-<DL>
-<h4><br>Authentication Management</h4>
-<P><DT><B><TT>try_first_pass</TT>
-</B><DD>This is a standard PAM attribute that can be included on entries after the
-first one for a service; it directs the module to use the password that
-was provided to the first module. For the AFS module, it means that AFS
-authentication succeeds if the password provided to the module listed first is
-the user's correct AFS password. For further discussion of this
-attribute and its alternatives, see the operating system's PAM
-documentation.
-<P><DT><B><TT>ignore_root</TT>
-</B><DD>This attribute, specific to the AFS PAM module, directs it to ignore not
-only the local superuser <B> root</B>, but also any user with UID 0
-(zero).
-<P><DT><B><TT>setenv_password_expires</TT>
-</B><DD>This attribute, specific to the AFS PAM module, sets the environment
-variable PASSWORD_EXPIRES to the expiration date of the user's AFS
-password, which is recorded in the Authentication Database.
-</DL>
-<P>Perform the following steps to enable AFS login.
-<OL TYPE=1>
-<P><LI>Mount the AFS CD-ROM for Solaris on the <B>/cdrom</B> directory, if it
-is not already. Then change directory as indicated.
-<PRE>
- # <B>cd /usr/lib/security</B>
-
-</PRE>
-<P><LI>Copy the AFS authentication library file to the
-<B>/usr/lib/security</B> directory. Then create a symbolic link to
-it whose name does not mention the version. Omitting the version
-eliminates the need to edit the PAM configuration file if you later update the
-library file.
-<P>If you use the AFS Authentication Server (<B>kaserver</B>
-process):
-<PRE>
- #<B> cp /cdrom/sun4x_56/lib/pam_afs.so.1 .</B>
-
- # <B>ln -s pam_afs.so.1 pam_afs.so</B>
-</PRE>
-<P>If you use a Kerberos implementation of AFS authentication:
-<PRE>
- # <B>cp /cdrom/sun4x_56/lib/pam_afs.krb.so.1 .</B>
-
- # <B>ln -s pam_afs.krb.so.1 pam_afs.so</B>
-
-</PRE>
-<P><LI>Edit the <TT>Authentication management</TT> section of the Solaris PAM
-configuration file, <B>/etc/pam.conf</B> by convention. The
-entries in this section have the value <TT>auth</TT> in their second
-field.
-<P>First edit the standard entries, which refer to the Solaris PAM module
-(usually, the file <B>/usr/lib/security/pam_unix.so.1</B>)
-in their fourth field. For each service for which you want to use AFS
-authentication, edit the third field of its entry to read
-<TT>optional</TT>. The <B>pam.conf</B> file in the Solaris
-distribution usually includes standard entries for the <B>login</B>,
-<B>rlogin</B>, and <B>rsh</B> services, for instance.
-<P>If there are services for which you want to use AFS authentication, but for
-which the <B>pam.conf</B> file does not already include a standard
-entry, you must create that entry and place the value <TT>optional</TT> in
-its third field. For instance, the Solaris <B>pam.conf</B>
-file does not usually include standard entries for the <B>ftp</B> or
-<B>telnet</B> services.
-<P>Then create an AFS-related entry for each service, placing it immediately
-below the standard entry. The following example shows what the
-<TT>Authentication Management</TT> section looks like after you have you
-edited or created entries for the services mentioned previously. Note
-that the example AFS entries appear on two lines only for legibility.
-<PRE>
- login auth optional /usr/lib/security/pam_unix.so.1
- login auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root setenv_password_expires
- rlogin auth optional /usr/lib/security/pam_unix.so.1
- rlogin auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root setenv_password_expires
- rsh auth optional /usr/lib/security/pam_unix.so.1
- rsh auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
- ftp auth optional /usr/lib/security/pam_unix.so.1
- ftp auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
- telnet auth optional /usr/lib/security/pam_unix.so.1
- telnet auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root setenv_password_expires
-
-</PRE>
-<P><LI>If you use the Common Desktop Environment (CDE) on the machine and want
-users to obtain an AFS token as they log in, also add or edit the following
-four entries in the <TT>Authentication management</TT> section. Note
-that the AFS-related entries appear on two lines here only for
-legibility.
-<PRE>
- dtlogin auth optional /usr/lib/security/pam_unix.so.1
- dtlogin auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
- dtsession auth optional /usr/lib/security/pam_unix.so.1
- dtsession auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
-
-</PRE>
-<P><LI>Some Solaris distributions include a script that locates and removes
-unneeded files from various file systems. Its conventional location is
-<B>/usr/lib/fs/nfs/nfsfind</B>. The script generally uses an
-argument to the <B>find</B> command to define which file systems to
-search. In this step you modify the command to exclude the
-<B>/afs</B> directory. Otherwise, the command traverses the AFS
-filespace of every cell that is accessible from the machine, which can take
-many hours. The following alterations are possibilities, but you must
-verify that they are appropriate for your cell.
-<P>The first possible alteration is to add the <B>-local</B> flag to the
-existing command, so that it looks like the following:
-<PRE>
- find $dir -local -name .nfs\* -mtime +7 -mount -exec rm -f {} \;
-</PRE>
-<P>Another alternative is to exclude any directories whose names begin with
-the lowercase letter <B>a</B> or a non-alphabetic character.
-<PRE>
- find /[A-Zb-z]* <VAR>remainder of existing command</VAR>
-</PRE>
-<P>Do not use the following command, which still searches under the
-<B>/afs</B> directory, looking for a subdirectory of type
-<B>4.2</B>.
-<PRE>
- find / -fstype 4.2 /* <VAR>do not use</VAR> */
-
-</PRE>
-<P><LI>Proceed to <A HREF="#HDRWQ145">Loading and Creating Client Files</A>.
-</OL>
-<A NAME="IDX2998"></A>
-<A NAME="IDX2999"></A>
-<A NAME="IDX3000"></A>
-<A NAME="IDX3001"></A>
-<A NAME="IDX3002"></A>
-<A NAME="IDX3003"></A>
-<A NAME="IDX3004"></A>
-<A NAME="IDX3005"></A>
-<A NAME="IDX3006"></A>
-<A NAME="IDX3007"></A>
-<A NAME="IDX3008"></A>
-<A NAME="IDX3009"></A>
-<HR><H2><A NAME="HDRWQ145" HREF="auqbg002.htm#ToC_138">Loading and Creating Client Files</A></H2>
-<P>Now copy files from the AFS CD-ROM to the
-<B>/usr/vice/etc</B> directory. On some platforms that use a
-dynamic loader program to incorporate AFS modifications into the kernel, you
-have already copied over some the files. Copying them again does no
-harm.
-<P>Every AFS client machine has a copy of the
-<B>/usr/vice/etc/ThisCell</B> file on its local disk to define the
-machine's cell membership for the AFS client programs that run on
-it. Among other functions, this file determines the following:
-<UL>
-<P><LI>The cell in which users authenticate when they log onto the machine,
-assuming it is using an AFS-modified login utility
-<P><LI>The cell in which users authenticate by default when they issue the
-<B>klog</B> command
-<P><LI>The cell membership of the AFS server processes that the AFS command
-interpreters on this machine contact by default
-</UL>
-<P>Similarly, the <B>/usr/vice/etc/CellServDB</B> file on a client
-machine's local disk lists the database server machines in each cell that
-the local Cache Manager can contact. If there is no entry in the file
-for a cell, or the list of database server machines is wrong, then users
-working on this machine cannot access the cell. The chapter in the
-<I>IBM AFS Administration Guide</I> about administering client machines
-explains how to maintain the file after creating it. A version of the
-client <B>CellServDB</B> file was created during the installation of your
-cell's first machine (in <A HREF="auqbg005.htm#HDRWQ66">Creating the Client CellServDB File</A>). It is probably also appropriate for use on this
-machine.
-<P>Remember that the Cache Manager consults the
-<B>/usr/vice/etc/CellServDB</B> file only at reboot, when it copies the
-information into the kernel. For the Cache Manager to perform properly,
-the <B>CellServDB</B> file must be accurate at all times. Refer to
-the chapter in the <I>IBM AFS Administration Guide</I> about administering
-client machines for instructions on updating this file, with or without
-rebooting.
-<OL TYPE=1>
-<P><LI>On the local <B>/cdrom</B> directory, mount the AFS CD-ROM for this
-machine's system type, if it is not already. For instructions on
-mounting CD-ROMs (either locally or remotely via NFS), consult the operating
-system documentation.
-<P><LI>Copy files to the local <B>/usr/vice/etc</B> directory.
-<P>This step places a copy of the AFS initialization script (and related
-files, if applicable) into the <B>/usr/vice/etc</B> directory. In
-the preceding instructions for incorporating AFS into the kernel, you copied
-the script directly to the operating system's conventional location for
-initialization files. When you incorporate AFS into the machine's
-startup sequence in a later step, you can choose to link the two files.
-<P>On some system types that use a dynamic kernel loader program, you
-previously copied AFS library files into a subdirectory of the
-<B>/usr/vice/etc</B> directory. On other system types, you copied
-the appropriate AFS library file directly to the directory where the operating
-system accesses it. The following commands do not copy or recopy the
-AFS library files into the <B>/usr/vice/etc</B> directory, because on some
-system types the library files consume a large amount of space. If you
-want to copy them, add the <B>-r</B> flag to the first <B>cp</B>
-command and skip the second <B>cp</B> command.
-<PRE>
- # <B>cd /cdrom/</B><VAR>sysname</VAR><B>/root.client/usr/vice/etc</B>
-
- # <B>cp -p * /usr/vice/etc</B>
-
- # <B>cp -rp C /usr/vice/etc</B>
-
-</PRE>
-<P><LI>Create the <B>/usr/vice/etc/ThisCell</B> file.
-<PRE>
- # <B>echo "</B><VAR>cellname</VAR><B>" > /usr/vice/etc/ThisCell</B>
-
-</PRE>
-<P><LI>Create the <B>/usr/vice/etc/CellServDB</B> file. Use a network
-file transfer program such as <B>ftp</B> or NFS to copy it from one of the
-following sources, which are listed in decreasing order of preference:
-<UL>
-<P><LI>Your cell's central <B>CellServDB</B> source file (the
-conventional location is
-<B>/afs/</B><VAR>cellname</VAR><B>/common/etc/CellServDB</B>)
-<P><LI>The global <B>CellServDB</B> file maintained by the AFS Product
-Support group
-<P><LI>An existing client machine in your cell
-<P><LI>The <B>CellServDB.sample</B> file included in the
-<VAR>sysname</VAR><B>/root.client/usr/vice/etc</B> directory of each
-AFS CD-ROM; add an entry for the local cell by following the instructions
-in <A HREF="auqbg005.htm#HDRWQ66">Creating the Client CellServDB File</A>
-</UL>
-</OL>
-<A NAME="IDX3010"></A>
-<A NAME="IDX3011"></A>
-<A NAME="IDX3012"></A>
-<A NAME="IDX3013"></A>
-<A NAME="IDX3014"></A>
-<A NAME="IDX3015"></A>
-<A NAME="IDX3016"></A>
-<A NAME="IDX3017"></A>
-<A NAME="IDX3018"></A>
-<A NAME="IDX3019"></A>
-<A NAME="IDX3020"></A>
-<A NAME="IDX3021"></A>
-<A NAME="IDX3022"></A>
-<A NAME="IDX3023"></A>
-<A NAME="IDX3024"></A>
-<A NAME="IDX3025"></A>
-<HR><H2><A NAME="HDRWQ146" HREF="auqbg002.htm#ToC_139">Configuring the Cache</A></H2>
-<P>The Cache Manager uses a cache on the local disk or in
-machine memory to store local copies of files fetched from file server
-machines. As the <B>afsd</B> program initializes the Cache Manager,
-it sets basic cache configuration parameters according to definitions in the
-local <B>/usr/vice/etc/cacheinfo</B> file. The file has three
-fields:
-<OL TYPE=1>
-<P><LI>The first field names the local directory on which to mount the AFS
-filespace. The conventional location is the <B>/afs</B>
-directory.
-<P><LI>The second field defines the local disk directory to use for the disk
-cache. The conventional location is the <B>/usr/vice/cache</B>
-directory, but you can specify an alternate directory if another partition has
-more space available. There must always be a value in this field, but
-the Cache Manager ignores it if the machine uses a memory cache.
-<P><LI>The third field specifies the number of kilobyte (1024 byte) blocks to
-allocate for the cache.
-</OL>
-<P>The values you define must meet the following requirements.
-<UL>
-<P><LI>On a machine using a disk cache, the Cache Manager expects always to be
-able to use the amount of space specified in the third field. Failure
-to meet this requirement can cause serious problems, some of which can be
-repaired only by rebooting. You must prevent non-AFS processes from
-filling up the cache partition. The simplest way is to devote a
-partition to the cache exclusively.
-<P><LI>The amount of space available in memory or on the partition housing the
-disk cache directory imposes an absolute limit on cache size.
-<P><LI>The maximum supported cache size can vary in each AFS release; see
-the <I>IBM AFS Release Notes</I> for the current version.
-<P><LI>For a disk cache, you cannot specify a value in the third field that
-exceeds 95% of the space available on the partition mounted at the directory
-named in the second field. If you violate this restriction, the
-<B>afsd</B> program exits without starting the Cache Manager and prints an
-appropriate message on the standard output stream. A value of 90% is
-more appropriate on most machines. Some operating systems (such as AIX)
-do not automatically reserve some space to prevent the partition from filling
-completely; for them, a smaller value (say, 80% to 85% of the space
-available) is more appropriate.
-<P><LI>For a memory cache, you must leave enough memory for other processes and
-applications to run. If you try to allocate more memory than is
-actually available, the <B>afsd</B> program exits without initializing the
-Cache Manager and produces the following message on the standard output
-stream.
-<PRE>
- afsd: memCache allocation failure at <VAR>number</VAR> KB
-</PRE>
-<P>The <VAR>number</VAR> value is how many kilobytes were allocated just before
-the failure, and so indicates the approximate amount of memory
-available.
-</UL>
-<P>Within these hard limits, the factors that determine appropriate cache size
-include the number of users working on the machine, the size of the files with
-which they work, and (for a memory cache) the number of processes that run on
-the machine. The higher the demand from these factors, the larger the
-cache needs to be to maintain good performance.
-<P>Disk caches smaller than 10 MB do not generally perform well.
-Machines serving multiple users usually perform better with a cache of at
-least 60 to 70 MB. The point at which enlarging the cache further does
-not really improve performance depends on the factors mentioned previously and
-is difficult to predict.
-<P>Memory caches smaller than 1 MB are nonfunctional, and the performance of
-caches smaller than 5 MB is usually unsatisfactory. Suitable upper
-limits are similar to those for disk caches but are probably determined more
-by the demands on memory from other sources on the machine (number of users
-and processes). Machines running only a few processes possibly can use
-a smaller memory cache.
-<P><H3><A NAME="HDRWQ147" HREF="auqbg002.htm#ToC_140">Configuring a Disk Cache</A></H3>
-<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Not all file system types that an operating system supports
-are necessarily supported for use as the cache partition. For possible
-restrictions, see the <I>IBM AFS Release Notes</I>.
-</TD></TR></TABLE>
-<P>To configure the disk cache, perform the following procedures:
-<OL TYPE=1>
-<P><LI>Create the local directory to use for caching. The following
-instruction shows the conventional location,
-<B>/usr/vice/cache</B>. If you are devoting a partition exclusively
-to caching, as recommended, you must also configure it, make a file system on
-it, and mount it at the directory created in this step.
-<PRE>
- # <B>mkdir /usr/vice/cache</B>
-
-</PRE>
-<P><LI>Create the <B>cacheinfo</B> file to define the configuration
-parameters discussed previously. The following instruction shows the
-standard mount location, <B>/afs</B>, and the standard cache location,
-<B>/usr/vice/cache</B>.
-<PRE>
- # <B>echo "/afs:/usr/vice/cache:</B><VAR>#blocks</VAR><B>" > /usr/vice/etc/cacheinfo</B>
-</PRE>
-<P>The following example defines the disk cache size as 50,000 KB:
-<PRE>
- # <B>echo "/afs:/usr/vice/cache:50000" > /usr/vice/etc/cacheinfo</B>
-</PRE>
-</OL>
-<P><H3><A NAME="HDRWQ148" HREF="auqbg002.htm#ToC_141">Configuring a Memory Cache</A></H3>
-<P>To configure a memory cache, create the <B>cacheinfo</B>
-file to define the configuration parameters discussed previously. The
-following instruction shows the standard mount location, <B>/afs</B>, and
-the standard cache location, <B>/usr/vice/cache</B> (though the exact
-value of the latter is irrelevant for a memory cache).
-<PRE>
- # <B>echo "/afs:/usr/vice/cache:</B><VAR>#blocks</VAR><B>" > /usr/vice/etc/cacheinfo</B>
-</PRE>
-<P>The following example allocates 25,000 KB of memory for the cache.
-<PRE>
- # <B>echo "/afs:/usr/vice/cache:25000" > /usr/vice/etc/cacheinfo</B>
-</PRE>
-<A NAME="IDX3026"></A>
-<A NAME="IDX3027"></A>
-<A NAME="IDX3028"></A>
-<A NAME="IDX3029"></A>
-<A NAME="IDX3030"></A>
-<A NAME="IDX3031"></A>
-<A NAME="IDX3032"></A>
-<A NAME="IDX3033"></A>
-<A NAME="IDX3034"></A>
-<A NAME="IDX3035"></A>
-<A NAME="IDX3036"></A>
-<A NAME="IDX3037"></A>
-<A NAME="IDX3038"></A>
-<A NAME="IDX3039"></A>
-<A NAME="IDX3040"></A>
-<A NAME="IDX3041"></A>
-<A NAME="IDX3042"></A>
-<A NAME="IDX3043"></A>
-<A NAME="IDX3044"></A>
-<A NAME="IDX3045"></A>
-<A NAME="IDX3046"></A>
-<A NAME="IDX3047"></A>
-<A NAME="IDX3048"></A>
-<A NAME="IDX3049"></A>
-<A NAME="IDX3050"></A>
-<A NAME="IDX3051"></A>
-<A NAME="IDX3052"></A>
-<A NAME="IDX3053"></A>
-<HR><H2><A NAME="HDRWQ149" HREF="auqbg002.htm#ToC_142">Configuring the Cache Manager</A></H2>
-<P>By convention, the Cache Manager mounts the AFS filespace on
-the local <B>/afs</B> directory. In this section you create that
-directory.
-<P>The <B>afsd</B> program sets several cache configuration parameters as
-it initializes the Cache Manager, and starts daemons that improve
-performance. You can use the <B>afsd</B> command's arguments
-to override the parameters' default values and to change the number of
-some of the daemons. Depending on the machine's cache size, its
-amount of RAM, and how many people work on it, you can sometimes improve Cache
-Manager performance by overriding the default values. For a discussion
-of all of the <B>afsd</B> command's arguments, see its reference page
-in the <I>IBM AFS Administration Reference</I>.
-<P>The <B>afsd</B> command line in the AFS initialization script on each
-system type includes an <TT>OPTIONS</TT> variable. You can use it to
-set nondefault values for the command's arguments, in one of the
-following ways:
-<UL>
-<P><LI>You can create an <B>afsd</B> <I>options file</I> that sets values
-for arguments to the <B>afsd</B> command. If the file exists, its
-contents are automatically substituted for the <TT>OPTIONS</TT> variable in
-the AFS initialization script. The AFS distribution for some system
-types includes an options file; on other system types, you must create
-it.
-<P>You use two variables in the AFS initialization script to specify the path
-to the options file: <TT>CONFIG</TT> and <TT>AFSDOPT</TT>. On
-system types that define a conventional directory for configuration files, the
-<TT>CONFIG</TT> variable indicates it by default; otherwise, the
-variable indicates an appropriate location.
-<P>List the desired <B>afsd</B> options on a single line in the options
-file, separating each option with one or more spaces. The following
-example sets the <B>-stat</B> argument to 2500, the <B>-daemons</B>
-argument to 4, and the <B>-volumes</B> argument to 100.
-<PRE>
- -stat 2500 -daemons 4 -volumes 100
-
-</PRE>
-<P><LI>On a machine that uses a disk cache, you can set the <TT>OPTIONS</TT>
-variable in the AFS initialization script to one of <TT>$SMALL</TT>,
-<TT>$MEDIUM</TT>, or <TT>$LARGE</TT>. The AFS initialization script
-uses one of these settings if the <B>afsd</B> options file named by the
-<TT>AFSDOPT</TT> variable does not exist. In the script as
-distributed, the <TT>OPTIONS</TT> variable is set to the value
-<TT>$MEDIUM</TT>.
-<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">Do not set the <TT>OPTIONS</TT> variable to <TT>$SMALL</TT>,
-<TT>$MEDIUM</TT>, or <TT>$LARGE</TT> on a machine that uses a memory
-cache. The arguments it sets are appropriate only on a machine that
-uses a disk cache.
-</TD></TR></TABLE>
-<P>The script (or on some system types the <B>afsd</B> options file named
-by the <TT>AFSDOPT</TT> variable) defines a value for each of
-<TT>SMALL</TT>, <TT>MEDIUM</TT>, and <TT>LARGE</TT> that sets
-<B>afsd</B> command arguments appropriately for client machines of
-different sizes:
-<UL>
-<P><LI><TT>SMALL</TT> is suitable for a small machine that serves one or two
-users and has approximately 8 MB of RAM and a 20-MB cache
-<P><LI><TT>MEDIUM</TT> is suitable for a medium-sized machine that serves two
-to six users and has 16 MB of RAM and a 40-MB cache
-<P><LI><TT>LARGE</TT> is suitable for a large machine that serves five to ten
-users and has 32 MB of RAM and a 100-MB cache
-</UL>
-<P><LI>You can choose not to create an <B>afsd</B> options file and to set
-the <TT>OPTIONS</TT> variable in the initialization script to a null value
-rather than to the default <TT>$MEDIUM</TT> value. You can then
-either set arguments directly on the <B>afsd</B> command line in the
-script, or set no arguments (and so accept default values for all Cache
-Manager parameters).
-</UL>
-<OL TYPE=1>
-<P><LI>Create the local directory on which to mount the AFS filespace, by
-convention <B>/afs</B>. If the directory already exists, verify
-that it is empty.
-<PRE>
- # <B>mkdir /afs</B>
-
-</PRE>
-<P><LI>On AIX systems, add the following line to the <B>/etc/vfs</B>
-file. It enables AIX to unmount AFS correctly during shutdown.
-<PRE>
- afs 4 none none
-
-</PRE>
-<P><LI>On Linux systems, copy the <B>afsd</B> options file from the
-<B>/usr/vice/etc</B> directory to the <B>/etc/sysconfig</B> directory,
-removing the <B>.conf</B> extension as you do so.
-<PRE>
- # <B>cp /usr/vice/etc/afs.conf /etc/sysconfig/afs</B>
-
-</PRE>
-<P><LI>Edit the machine's AFS initialization script or <B>afsd</B>
-options file to set appropriate values for <B>afsd</B> command
-parameters. The appropriate file for each system type is as
-follows:
-<UL>
-<P><LI>On AIX systems, <B>/etc/rc.afs</B>
-<P><LI>On Digital UNIX systems, <B>/sbin/init.d/afs</B>
-<P><LI>On HP-UX systems, <B>/sbin/init.d/afs</B>
-<P><LI>On IRIX systems, <B>/etc/init.d/afs</B>
-<P><LI>On Linux systems, <B>/etc/sysconfig/afs</B> (the <B>afsd</B>
-options file)
-<P><LI>On Solaris systems, <B>/etc/init.d/afs</B>
-</UL>
-<P>Use one of the methods described in the introduction to this section to add
-the following flags to the <B>afsd</B> command line. Also set any
-performance-related arguments you wish.
-<UL>
-<P><LI>Add the <B>-memcache</B> flag if the machine is to use a memory
-cache.
-<P><LI>Add the <B>-verbose</B> flag to display a trace of the Cache
-Manager's initialization on the standard output stream.
-</UL>
-</OL>
-<A NAME="IDX3054"></A>
-<A NAME="IDX3055"></A>
-<A NAME="IDX3056"></A>
-<A NAME="IDX3057"></A>
-<A NAME="IDX3058"></A>
-<HR><H2><A NAME="HDRWQ150" HREF="auqbg002.htm#ToC_143">Starting the Cache Manager and Installing the AFS Initialization Script</A></H2>
-<P>In this section you run the AFS initialization script to
-start the Cache Manager. If the script works correctly, perform the
-steps that incorporate it into the machine's startup and shutdown
-sequence. If there are problems during the initialization, attempt to
-resolve them. The AFS Product Support group can provide assistance if
-necessary.
-<P>On machines that use a disk cache, it can take a while for the
-<B>afsd</B> program to run the first time on a machine, because it must
-create all of the <B>V</B><VAR>n</VAR> files in the cache directory.
-Subsequent Cache Manager initializations do not take nearly as long, because
-the <B>V</B><VAR>n</VAR> files already exist.
-<P>On system types that use a dynamic loader program, you must reboot the
-machine before running the initialization script, so that it can freshly load
-AFS modifications into the kernel.
-<P>Proceed to the instructions for your system type:
-<UL>
-<P><LI><A HREF="#HDRWQ151">Running the Script on AIX Systems</A>
-<P><LI><A HREF="#HDRWQ152">Running the Script on Digital UNIX Systems</A>
-<P><LI><A HREF="#HDRWQ153">Running the Script on HP-UX Systems</A>
-<P><LI><A HREF="#HDRWQ154">Running the Script on IRIX Systems</A>
-<P><LI><A HREF="#HDRWQ155">Running the Script on Linux Systems</A>
-<P><LI><A HREF="#HDRWQ156">Running the Script on Solaris Systems</A>
-</UL>
-<A NAME="IDX3059"></A>
-<A NAME="IDX3060"></A>
-<A NAME="IDX3061"></A>
-<A NAME="IDX3062"></A>
-<P><H3><A NAME="HDRWQ151" HREF="auqbg002.htm#ToC_144">Running the Script on AIX Systems</A></H3>
-<OL TYPE=1>
-<P><LI>Reboot the machine and log in again as the local superuser
-<B>root</B>.
-<PRE>
- # <B>cd /</B>
-
- # <B>shutdown -r now</B>
-
- login: <B>root</B>
- Password: <VAR>root_password</VAR>
-
-</PRE>
-<P><LI>Run the AFS initialization script.
-<PRE>
- # <B>/etc/rc.afs</B>
-
-</PRE>
-<P><LI>Edit the AIX initialization file, <B>/etc/inittab</B>, adding the
-following line to invoke the AFS initialization script. Place it just
-after the line that starts NFS daemons.
-<PRE>
- rcafs:2:wait:/etc/rc.afs > /dev/console 2>&1 # Start AFS services
-
-</PRE>
-<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
-in both the <B>/usr/vice/etc</B> and <B>/etc</B> directories.
-If you want to avoid potential confusion by guaranteeing that they are always
-the same, create a link between them. You can always retrieve the
-original script from the AFS CD-ROM if necessary.
-<PRE>
- # <B>cd /usr/vice/etc</B>
-
- # <B>rm rc.afs</B>
-
- # <B>ln -s /etc/rc.afs</B>
-
-</PRE>
-<P><LI>If a volume for housing AFS binaries for this machine's system type
-does not already exist, proceed to <A HREF="#HDRWQ157">Setting Up Volumes and Loading Binaries into AFS</A>. Otherwise, the installation is complete.
-</OL>
-<A NAME="IDX3063"></A>
-<A NAME="IDX3064"></A>
-<A NAME="IDX3065"></A>
-<A NAME="IDX3066"></A>
-<P><H3><A NAME="HDRWQ152" HREF="auqbg002.htm#ToC_145">Running the Script on Digital UNIX Systems</A></H3>
-<OL TYPE=1>
-<P><LI>Run the AFS initialization script.
-<PRE>
- # <B>/sbin/init.d/afs start</B>
-
-</PRE>
-<P><LI>Change to the <B>/sbin/init.d</B> directory and issue the
-<B>ln -s</B> command to create symbolic links that incorporate the AFS
-initialization script into the Digital UNIX startup and shutdown
-sequence.
-<PRE>
- # <B>cd /sbin/init.d</B>
-
- # <B>ln -s ../init.d/afs /sbin/rc3.d/S67afs</B>
-
- # <B>ln -s ../init.d/afs /sbin/rc0.d/K66afs</B>
-
-</PRE>
-<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
-in both the <B>/usr/vice/etc</B> and <B>/sbin/init.d</B>
-directories. If you want to avoid potential confusion by guaranteeing
-that they are always the same, create a link between them. You can
-always retrieve the original script from the AFS CD-ROM if necessary.
-<PRE>
- # <B>cd /usr/vice/etc</B>
-
- # <B>rm afs.rc</B>
-
- # <B>ln -s /sbin/init.d/afs afs.rc</B>
-
-</PRE>
-<P><LI>If a volume for housing AFS binaries for this machine's system type
-does not already exist, proceed to <A HREF="#HDRWQ157">Setting Up Volumes and Loading Binaries into AFS</A>. Otherwise, the installation is complete.
-</OL>
-<A NAME="IDX3067"></A>
-<A NAME="IDX3068"></A>
-<A NAME="IDX3069"></A>
-<P><H3><A NAME="HDRWQ153" HREF="auqbg002.htm#ToC_146">Running the Script on HP-UX Systems</A></H3>
-<OL TYPE=1>
-<P><LI>Run the AFS initialization script.
-<PRE>
- # <B>/sbin/init.d/afs start</B>
-
-</PRE>
-<P><LI>Change to the <B>/sbin/init.d</B> directory and issue the
-<B>ln -s</B> command to create symbolic links that incorporate the AFS
-initialization script into the HP-UX startup and shutdown sequence.
-<PRE>
- # <B>cd /sbin/init.d</B>
-
- # <B>ln -s ../init.d/afs /sbin/rc2.d/S460afs</B>
-
- # <B>ln -s ../init.d/afs /sbin/rc2.d/K800afs</B>
-
-</PRE>
-<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
-in both the <B>/usr/vice/etc</B> and <B>/sbin/init.d</B>
-directories. If you want to avoid potential confusion by guaranteeing
-that they are always the same, create a link between them. You can
-always retrieve the original script from the AFS CD-ROM if necessary.
-<PRE>
- # <B>cd /usr/vice/etc</B>
-
- # <B>rm afs.rc</B>
-
- # <B>ln -s /sbin/init.d/afs afs.rc</B>
-
-</PRE>
-<P><LI>If a volume for housing AFS binaries for this machine's system type
-does not already exist, proceed to <A HREF="#HDRWQ157">Setting Up Volumes and Loading Binaries into AFS</A>. Otherwise, the installation is complete.
-</OL>
-<A NAME="IDX3070"></A>
-<A NAME="IDX3071"></A>
-<A NAME="IDX3072"></A>
-<A NAME="IDX3073"></A>
-<A NAME="IDX3074"></A>
-<A NAME="IDX3075"></A>
-<A NAME="IDX3076"></A>
-<P><H3><A NAME="HDRWQ154" HREF="auqbg002.htm#ToC_147">Running the Script on IRIX Systems</A></H3>
-<OL TYPE=1>
-<P><LI>If you have configured the machine to use the <B>ml</B> dynamic loader
-program, reboot the machine and log in again as the local superuser
-<B>root</B>.
-<PRE>
- # <B>cd /</B>
-
- # <B>shutdown -i6 -g0 -y</B>
-
- login: <B>root</B>
- Password: <VAR>root_password</VAR>
-
-</PRE>
-<P><LI>Issue the <B>chkconfig</B> command to activate the
-<B>afsclient</B> configuration variable.
-<PRE>
- # <B>/etc/chkconfig -f afsclient on</B>
-
-</PRE>
-<P><LI>Run the AFS initialization script.
-<PRE>
- # <B>/etc/init.d/afs start</B>
-
-</PRE>
-<P><LI>Change to the <B>/etc/init.d</B> directory and issue the
-<B>ln -s</B> command to create symbolic links that incorporate the AFS
-initialization script into the IRIX startup and shutdown sequence.
-<PRE>
- # <B>cd /etc/init.d</B>
-
- # <B>ln -s ../init.d/afs /etc/rc2.d/S35afs</B>
-
- # <B>ln -s ../init.d/afs /etc/rc0.d/K35afs</B>
-
-</PRE>
-<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
-in both the <B>/usr/vice/etc</B> and <B>/etc/init.d</B>
-directories. If you want to avoid potential confusion by guaranteeing
-that they are always the same, create a link between them. You can
-always retrieve the original script from the AFS CD-ROM if necessary.
-<PRE>
- # <B>cd /usr/vice/etc</B>
-
- # <B>rm afs.rc</B>
-
- # <B>ln -s /etc/init.d/afs afs.rc</B>
-
-</PRE>
-<P><LI>If a volume for housing AFS binaries for this machine's system type
-does not already exist, proceed to <A HREF="#HDRWQ157">Setting Up Volumes and Loading Binaries into AFS</A>. Otherwise, the installation is complete.
-</OL>
-<A NAME="IDX3077"></A>
-<A NAME="IDX3078"></A>
-<A NAME="IDX3079"></A>
-<A NAME="IDX3080"></A>
-<P><H3><A NAME="HDRWQ155" HREF="auqbg002.htm#ToC_148">Running the Script on Linux Systems</A></H3>
-<OL TYPE=1>
-<P><LI>Reboot the machine and log in again as the local superuser
-<B>root</B>.
-<PRE>
- # <B>cd /</B>
-
- # <B>shutdown -r now</B>
-
- login: <B>root</B>
- Password: <VAR>root_password</VAR>
-
-</PRE>
-<P><LI>Run the AFS initialization script.
-<PRE>
- # <B>/etc/rc.d/init.d/afs start</B>
-
-</PRE>
-<P><LI>Issue the <B>chkconfig</B> command to activate the <B>afs</B>
-configuration variable. Based on the instruction in the AFS
-initialization file that begins with the string <TT>#chkconfig</TT>, the
-command automatically creates the symbolic links that incorporate the script
-into the Linux startup and shutdown sequence.
-<PRE>
- # <B>/sbin/chkconfig --add afs</B>
-
-</PRE>
-<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
-in both the <B>/usr/vice/etc</B> and
-<B>/etc/rc.d/init.d</B> directories, and copies of the
-<B>afsd</B> options file in both the <B>/usr/vice/etc</B> and
-<B>/etc/sysconfig</B> directories. If you want to avoid potential
-confusion by guaranteeing that the two copies of each file are always the
-same, create a link between them. You can always retrieve the original
-script or options file from the AFS CD-ROM if necessary.
-<PRE>
- # <B>cd /usr/vice/etc</B>
-
- # <B>rm afs.rc afs.conf</B>
-
- # <B>ln -s /etc/rc.d/init.d/afs afs.rc</B>
-
- # <B>ln -s /etc/sysconfig/afs afs.conf</B>
-
-</PRE>
-<P><LI>If a volume for housing AFS binaries for this machine's system type
-does not already exist, proceed to <A HREF="#HDRWQ157">Setting Up Volumes and Loading Binaries into AFS</A>. Otherwise, the installation is complete.
-</OL>
-<A NAME="IDX3081"></A>
-<A NAME="IDX3082"></A>
-<A NAME="IDX3083"></A>
-<P><H3><A NAME="HDRWQ156" HREF="auqbg002.htm#ToC_149">Running the Script on Solaris Systems</A></H3>
-<OL TYPE=1>
-<P><LI>Reboot the machine and log in again as the local superuser
-<B>root</B>.
-<PRE>
- # <B>cd /</B>
-
- # <B>shutdown -i6 -g0 -y</B>
-
- login: <B>root</B>
- Password: <VAR>root_password</VAR>
-
-</PRE>
-<P><LI>Run the AFS initialization script.
-<PRE>
- # <B>/etc/init.d/afs start</B>
-
-</PRE>
-<P><LI>Change to the <B>/etc/init.d</B> directory and issue the
-<B>ln -s</B> command to create symbolic links that incorporate the AFS
-initialization script into the Solaris startup and shutdown sequence.
-<PRE>
- # <B>cd /etc/init.d</B>
-
- # <B>ln -s ../init.d/afs /etc/rc3.d/S99afs</B>
-
- # <B>ln -s ../init.d/afs /etc/rc0.d/K66afs</B>
-
-</PRE>
-<P><LI><B>(Optional)</B> There are now copies of the AFS initialization file
-in both the <B>/usr/vice/etc</B> and <B>/etc/init.d</B>
-directories. If you want to avoid potential confusion by guaranteeing
-that they are always the same, create a link between them. You can
-always retrieve the original script from the AFS CD-ROM if necessary.
-<PRE>
- # <B>cd /usr/vice/etc</B>
-
- # <B>rm afs.rc</B>
-
- # <B>ln -s /etc/init.d/afs afs.rc</B>
-
-</PRE>
-<P><LI>If a volume for housing AFS binaries for this machine's system type
-does not already exist, proceed to <A HREF="#HDRWQ157">Setting Up Volumes and Loading Binaries into AFS</A>. Otherwise, the installation is complete.
-</OL>
-<A NAME="IDX3084"></A>
-<A NAME="IDX3085"></A>
-<A NAME="IDX3086"></A>
-<A NAME="IDX3087"></A>
-<A NAME="IDX3088"></A>
-<A NAME="IDX3089"></A>
-<HR><H2><A NAME="HDRWQ157" HREF="auqbg002.htm#ToC_150">Setting Up Volumes and Loading Binaries into AFS</A></H2>
-<P>In this section, you link <B>/usr/afsws</B> on the local
-disk to the directory in AFS that houses AFS binaries for this system
-type. The conventional name for the AFS directory is
-<B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>.
-<P>If this machine is an existing system type, the AFS directory presumably
-already exists. You can simply create a link from the local
-<B>/usr/afsws</B> directory to it. Follow the instructions in <A HREF="#HDRWQ158">Linking /usr/afsws on an Existing System Type</A>.
-<P>If this machine is a new system type (there are no AFS machines of this
-type in your cell), you must first create and mount volumes to store its AFS
-binaries, and then create the link from <B>/usr/afsws</B> to the new
-directory. See <A HREF="#HDRWQ159">Creating Binary Volumes for a New System Type</A>.
-<P>You can also store UNIX system binaries (the files normally stored in local
-disk directories such as <B>/bin</B>, <B>/etc</B>, and
-<B>/lib</B>) in volumes mounted under
-<B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR>. See <A HREF="auqbg005.htm#HDRWQ88">Storing System Binaries in AFS</A> .
-<P><H3><A NAME="HDRWQ158" HREF="auqbg002.htm#ToC_151">Linking /usr/afsws on an Existing System Type</A></H3>
-<P>If this client machine is an existing system type, there is
-already a volume mounted in the AFS filespace that houses AFS client binaries
-for it.
-<OL TYPE=1>
-<P><LI>Create <B>/usr/afsws</B> on the local disk as a symbolic link to the
-directory <B>/afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws</B>.
-You can specify the actual system name instead of <B>@sys</B> if you wish,
-but the advantage of using <B>@sys</B> is that it remains valid if you
-upgrade this machine to a different system type.
-<PRE>
- # <B>ln -s /afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws /usr/afsws</B>
-
-</PRE>
-<P><LI><B>(Optional)</B> If you believe it is helpful to your users to access
-the AFS documents in a certain format via a local disk directory, create
-<B>/usr/afsdoc</B> on the local disk as a symbolic link to the
-documentation directory in AFS
-(<B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>).
-<P>
-<PRE>
- # <B>ln -s /afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR> <B>/usr/afsdoc</B>
-</PRE>
-<P>An alternative is to create a link in each user's home directory to
-the <B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>
-directory.
-</OL>
-<P><H3><A NAME="HDRWQ159" HREF="auqbg002.htm#ToC_152">Creating Binary Volumes for a New System Type</A></H3>
-<P>If this client machine is a new system type, you must create
-and mount volumes for its binaries before you can link the local
-<B>/usr/afsws</B> directory to an AFS directory.
-<P>To create and mount the volumes, you use the <B>klog</B> command to
-authenticate as an administrator and then issue commands from the
-<B>vos</B> and <B>fs</B> command suites. However, the command
-binaries are not yet available on this machine (by convention, they are
-accessible via the <B>/usr/afsws</B> link that you are about to
-create). You have two choices:
-<UL>
-<P><LI>Perform all steps except the last one (Step <A HREF="#LIWQ162">10</A>) on an existing AFS machine. On a file server
-machine, the <B>klog</B>, <B>fs</B> and <B>vos</B> binaries reside
-in the <B>/usr/afs/bin</B> directory. On client machines, the
-<B>klog</B> and <B>fs</B> binaries reside in the
-<B>/usr/afsws/bin</B> directory and the <B>vos</B> binary in the
-<B>/usr/afsws/etc</B> directory. Depending on how your PATH
-environment variable is set, you possibly need to precede the command names
-with a pathname.
-<P>If you work on another AFS machine, be sure to substitute the new system
-type name for the <VAR>sysname</VAR> argument in the following commands, not the
-system type of the machine on which you are issuing the commands.
-<P><LI>Copy the necessary command binaries to a temporary location on the local
-disk, which enables you to perform the steps on the local machine. The
-following procedure installs them in the <B>/tmp</B> directory and removes
-them at the end. Depending on how your PATH environment variable is
-set, you possibly need to precede the command names with a pathname.
-</UL>
-<P>Perform the following steps to create a volume for housing AFS
-binaries.
-<OL TYPE=1>
-<P><LI>Working either on the local machine or another AFS machine, mount the AFS
-CD-ROM for the new system type on the <B>/cdrom</B> directory, if it is
-not already. For instructions on mounting CD-ROMs (either locally or
-remotely via NFS), consult the operating system documentation.
-<P><LI>If working on the local machine, copy the necessary binaries to a
-temporary location on the local disk. Substitute a different directory
-name for <B>/tmp</B> if you wish.
-<PRE>
- # <B>cd /cdrom/</B><VAR>new_sysname</VAR><B>/root.server/usr/afs/bin</B>
-
- # <B>cp -p klog /tmp</B>
-
- # <B>cp -p fs /tmp</B>
-
- # <B>cp -p vos /tmp</B>
-
-</PRE>
-<P><LI>Authenticate as the user <B>admin</B>.
-<PRE>
- # <B>klog admin</B>
- Password: <VAR>admin_password</VAR>
-
-</PRE>
-<P><LI><A NAME="LIWQ160"></A>Issue the <B>vos create</B> command to create volumes for
-storing the AFS client binaries for this system type. The following
-example instruction creates volumes called <VAR>sysname</VAR>,
-<VAR>sysname</VAR>.<B>usr</B>, and
-<VAR>sysname</VAR>.<B>usr.afsws</B>. Refer to the
-<I>IBM AFS Release Notes</I> to learn the proper value of <VAR>sysname</VAR>
-for this system type.
-<PRE>
- # <B>vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <VAR>sysname</VAR>
-
- # <B>vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <VAR>sysname</VAR><B>.usr</B>
-
- # <B>vos create</B> <<VAR>machine name</VAR>> <<VAR>partition name</VAR>> <VAR>sysname</VAR><B>.usr.afsws</B>
-
-</PRE>
-<P><LI>Issue the <B>fs mkmount</B> command to mount the newly created
-volumes. Because the <B>root.cell</B> volume is replicated,
-you must precede the <I>cellname</I> part of the pathname with a period to
-specify the read/write mount point, as shown. Then issue the <B>vos
-release</B> command to release a new replica of the
-<B>root.cell</B> volume, and the <B>fs checkvolumes</B> command
-to force the local Cache Manager to access them.
-<PRE>
- # <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR> <B>-vol</B> <VAR>sysname</VAR>
-
- # <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr</B> <B>-vol</B> <VAR>sysname</VAR><B>.usr</B>
-
- # <B>fs mkmount -dir /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B> <B>-vol</B> <VAR>sysname</VAR><B>.usr.afsws</B>
-
- # <B>vos release root.cell</B>
-
- # <B>fs checkvolumes</B>
-
-</PRE>
-<P><LI>Issue the <B>fs setacl</B> command to grant the <B>l</B>
-(<B>lookup</B>) and <B>r</B> (<B>read</B>) permissions to the
-<B>system:anyuser</B> group on each new directory's ACL.
-<PRE>
- # <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR>
-
- # <B>fs setacl -dir . usr usr/afsws -acl system:anyuser rl</B>
-
-</PRE>
-<P><LI>Issue the <B>fs setquota</B> command to set an unlimited quota on the
-volume mounted at the
-<B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
-directory. This enables you to copy all of the appropriate files from
-the CD-ROM into the volume without exceeding the volume's quota.
-<P>If you wish, you can set the volume's quota to a finite value after
-you complete the copying operation. At that point, use the <B>vos
-examine</B> command to determine how much space the volume is
-occupying. Then issue the <B>fs setquota</B> command to set a quota
-that is slightly larger.
-<PRE>
- # <B>fs setquota /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws 0</B>
-
-</PRE>
-<P><LI><A NAME="LIWQ161"></A>Copy the contents of the indicated directories from the CD-ROM
-into the
-<B>/afs/</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
-directory.
-<PRE>
- # <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
-
- # <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/bin .</B>
-
- # <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/etc .</B>
-
- # <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/include .</B>
-
- # <B>cp -rp /cdrom/</B><VAR>sysname</VAR><B>/lib .</B>
-
-</PRE>
-<P><LI>Issue the <B>fs setacl</B> command to set the ACL on each directory
-appropriately. To comply with the terms of your AFS License agreement,
-you must prevent unauthorized users from accessing AFS software. To
-enable access for locally authenticated users only, set the ACL on the
-<B>etc</B>, <B>include</B>, and <B>lib</B> subdirectories to grant
-the <B>l</B> and <B>r</B> permissions to the
-<B>system:authuser</B> group rather than the
-<B>system:anyuser</B> group. The
-<B>system:anyuser</B> group must retain the <B>l</B> and
-<B>r</B> permissions on the <B>bin</B> subdirectory to enable
-unauthenticated users to access the <B>klog</B> binary. To ensure
-that unauthorized users are not accessing AFS software, check periodically
-that the ACLs on these directories are set properly.
-<PRE>
- # <B>cd /afs/.</B><VAR>cellname</VAR><B>/</B><VAR>sysname</VAR><B>/usr/afsws</B>
-
- # <B>fs setacl -dir etc include lib -acl system:authuser rl</B> \
- <B>system:anyuser none</B>
-
-</PRE>
-<P><LI><A NAME="LIWQ162"></A>Perform this step on the new client machine even if you have
-performed the previous steps on another machine. Create
-<B>/usr/afsws</B> on the local disk as a symbolic link to the directory
-<B>/afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws</B>. You can
-specify the actual system name instead of <B>@sys</B> if you wish, but the
-advantage of using <B>@sys</B> is that it remains valid if you upgrade
-this machine to a different system type.
-<PRE>
- # <B>ln -s /afs/</B><VAR>cellname</VAR><B>/@sys/usr/afsws /usr/afsws</B>
-
-</PRE>
-<P><LI><B>(Optional)</B> To enable users to issue commands from the AFS
-suites (such as <B>fs</B>) without having to specify a pathname to their
-binaries, include the <B>/usr/afsws/bin</B> and <B>/usr/afsws/etc</B>
-directories in the PATH environment variable you define in each user's
-shell initialization file (such as <B>.cshrc</B>).
-<P><LI><B>(Optional)</B> If you believe it is helpful to your users to access
-the AFS documents in a certain format via a local disk directory, create
-<B>/usr/afsdoc</B> on the local disk as a symbolic link to the
-documentation directory in AFS
-(<B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>).
-<P>
-<PRE>
- # <B>ln -s /afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR> <B>/usr/afsdoc</B>
-</PRE>
-<P>An alternative is to create a link in each user's home directory to
-the <B>/afs/</B><VAR>cellname</VAR><B>/afsdoc/</B><VAR>format_name</VAR>
-directory.
-<P><LI><B>(Optional)</B> If working on the local machine, remove the AFS
-binaries from the temporary location. They are now accessible in the
-<B>/usr/afsws</B> directory.
-<PRE>
- # <B>cd /tmp</B>
-
- # <B>rm klog fs vos</B>
-
-</PRE>
-</OL>
-<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auqbg002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auqbg006.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Top_Of_Page"><IMG SRC="../top.gif" BORDER="0" ALT="[Top of Topic]"></A> <A HREF="auqbg008.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auqbg009.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
-<!-- Begin Footer Records ========================================== -->
-<P><HR><B>
-<br>© <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A> All Rights Reserved
-</B>
-<!-- End Footer Records ============================================ -->
-<A NAME="Bot_Of_Page"></A>
-</BODY></HTML>
git://git.openafs.org / openafs.git / blobdiff