</listitem>
<listitem>
- <para>You have a Kerberos v5 realm running for your site</para>
+ <para>You have a Kerberos v5 realm running for your site. If you are
+ working with an existing cell which uses
+ <emphasis role="bold">kaserver</emphasis> or Kerberos v4 for
+ authentication, please see
+ <link linkend="KAS001">kaserver and Legacy Kerberos v4 Authentication</link>
+ for the modifications required to this installation procedure.</para>
</listitem>
<listitem>
<para>You have a NTP, or similar, time service deployed to ensure
- rough clock syncronistation between your clients and servers.</para>
+ rough clock syncronistation between your clients and servers. If you
+ wish to use AFS's built in timeservice (which is deprecated) please
+ see Appendix B for the necessary modifications to this installation
+ procedure.</para>
</listitem>
</itemizedlist></para>
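Review bot: the re-wrapped line "rough clock syncronistation between your clients and servers" in the NTP list item carries the spelling error over from the removed line; since the line is being rewritten anyway, change it to "synchronisation", and hyphenate "built in timeservice" as "built-in time service". The reference to "Appendix B" is plain text while the kaserver reference in the previous item uses a linkend (KAS001); consider linking Appendix B the same way so the cross-reference is checked when the document is validated.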
<listitem>
<para>If the machine is to remain an AFS client machine, modify the machine's authentication system so that users obtain
an AFS token as they log into the local file system. Using AFS is simpler and more convenient for your users if you make
- the modifications on all client machines. Otherwise, users must perform a two-step login procedure (login to the local
- file system and then issue the <emphasis role="bold">aklog</emphasis> command). For further discussion of AFS
+ the modifications on all client machines. Otherwise, users must perform a two or three step login procedure (login to the local
+ system, then obtain Kerberos credentials, and then issue the <emphasis role="bold">aklog</emphasis> command). For further discussion of AFS
authentication, see the chapter in the <emphasis>OpenAFS Administration Guide</emphasis> about cell configuration and
administration issues.</para>
</listitem>
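Review bot: "two or three step login procedure" should be hyphenated as "two- or three-step login procedure". The reworded parenthesis (local login, then Kerberos credentials, then aklog) otherwise matches the Kerberos v5 flow described in the rest of the patch.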
automatically obtain AFS tokens at login. Following login, users can
obtain tokens by running the <emphasis role="bold">aklog</emphasis>
command</para>
+
+ <para>Sites which still require <emphasis role="bold">kaserver</emphasis>
+ or external Kerberos v4 authentication should consult
+ <link linkend="KAS012">Enabling kaserver based AFS login on AIX systems</link>
+ for details of how to enable AIX login.</para>
-<!--
- Follow the instructions in this section to incorporate AFS modifications into the AIX secondary authentication system.
- <orderedlist>
- <listitem>
- <para>Issue the <emphasis role="bold">ls</emphasis> command to verify that the <emphasis
- role="bold">afs_dynamic_auth</emphasis> and <emphasis role="bold">afs_dynamic_kerbauth</emphasis> programs are installed
- in the local <emphasis role="bold">/usr/vice/etc</emphasis> directory. <programlisting>
- # <emphasis role="bold">ls /usr/vice/etc</emphasis>
-</programlisting></para>
-
- <para>If the files do not exist, change directory as indicated and
- copy them.</para>
-
- <programlisting>
- # <emphasis role="bold">cd /tmp/afsdist/rs_aix42/root.client/usr/vice/etc</emphasis>
- # <emphasis role="bold">cp -p afs_dynamic* /usr/vice/etc</emphasis>
-</programlisting>
- </listitem>
-
- <listitem>
- <para>Edit the local <emphasis role="bold">/etc/security/user</emphasis> file, making changes to the indicated stanzas:
- <itemizedlist>
- <listitem>
- <para>In the default stanza, set the <computeroutput>registry</computeroutput> attribute to <emphasis
- role="bold">DCE</emphasis> (not to <emphasis role="bold">AFS</emphasis>), as follows: <programlisting>
- registry = DCE
-</programlisting></para>
- </listitem>
-
- <listitem>
- <para>In the default stanza, set the <computeroutput>SYSTEM</computeroutput> attribute as indicated.</para>
-
- <para>If the machine is an AFS client only, set the following value:</para>
-
- <programlisting>
- SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"
-</programlisting>
-
- <para>If the machine is both an AFS and a DCE client, set the following value (it must appear on a single line in
- the file):</para>
-
- <programlisting>
- SYSTEM = "DCE OR DCE[UNAVAIL] OR AFS OR (AFS[UNAVAIL] \
- AND compat[SUCCESS])"
-</programlisting>
- </listitem>
-
- <listitem>
- <para>In the <computeroutput>root</computeroutput> stanza, set the <computeroutput>registry</computeroutput>
- attribute as follows. It enables the local superuser <emphasis role="bold">root</emphasis> to log into the local
- file system only, based on the password listed in the local password file. <programlisting>
- root:
- registry = files
-</programlisting></para>
- </listitem>
- </itemizedlist></para>
- </listitem>
-
- <listitem>
- <para>Edit the local <emphasis role="bold">/etc/security/login.cfg</emphasis> file, creating or editing the indicated
- stanzas: <itemizedlist>
- <listitem>
- <para>In the <computeroutput>DCE</computeroutput> stanza, set the <computeroutput>program</computeroutput>
- attribute as follows.</para>
-
- <programlisting>
- DCE:
- program = /usr/vice/etc/afs_dynamic_kerbauth
-</programlisting>
- </listitem>
-
- <listitem>
- <para>In the <computeroutput>AFS</computeroutput> stanza, set the <computeroutput>program</computeroutput>
- attribute as follows.</para>
-
- <programlisting>
- AFS:
- program = /usr/vice/etc/afs_dynamic_kerbauth
-</programlisting>
- </listitem>
- </itemizedlist></para>
- </listitem>
-
- <listitem>
- <para>Proceed to <link linkend="HDRWQ50">Starting the BOS Server</link> (or if referring to these instructions while
- installing an additional file server machine, return to <link linkend="HDRWQ108">Starting Server
- Programs</link>).</para>
- </listitem>
- </orderedlist>
- -->
+ <para>Proceed to <link linkend="HDRWQ50">Starting the BOS Server</link>
+ (or if referring to these instructions while installing an additional
+ file server machine, return to <link linkend="HDRWQ108">Starting Server
+ Programs</link>).</para>
</sect2>
</sect1>
<sect1 id="HDRWQ31">
<title>Getting Started on HP-UX Systems</title>
- <para>Begin by building AFS modifications into a new kernel; HP-UX does not support dynamic loading. Then create partitions for
- storing AFS volumes, and install and configure the AFS-modified <emphasis role="bold">fsck</emphasis> program to run on AFS
- server partitions. If the machine is to remain an AFS client machine, incorporate AFS into the machine's Pluggable
- Authentication Module (PAM) scheme. <indexterm>
+ <para>Begin by building AFS modifications into a new kernel; HP-UX
+ does not support dynamic loading. Then create partitions for storing
+ AFS volumes, and install and configure the AFS-modified <emphasis
+ role="bold">fsck</emphasis> program to run on AFS server
+ partitions. If the machine is to remain an AFS client machine,
+ incorporate AFS into the machine's Pluggable Authentication Module
+ (PAM) scheme. <indexterm>
<primary>incorporating AFS kernel extensions</primary>
<secondary>first AFS machine</secondary>
<note><para>If you plan to remove client functionality from this machine after completing the installation, skip this section and proceed to <link linkend="HDRWQ50">Starting the BOS Server</link>.</para></note>
- <para>At this point you incorporate AFS into the operating system's Pluggable Authentication Module (PAM) scheme. PAM
- integrates all authentication mechanisms on the machine, including login, to provide the security infrastructure for
- authenticated access to and from the machine.</para>
-
- <para>Explaining PAM is beyond the scope of this document. It is assumed that you understand the syntax and meanings of
- settings in the PAM configuration file (for example, how the <computeroutput>other</computeroutput> entry works, the effect of
- marking an entry as <computeroutput>required</computeroutput>, <computeroutput>optional</computeroutput>, or
- <computeroutput>sufficient</computeroutput>, and so on).</para>
+ <para>At this point you incorporate AFS into the operating system's
+ Pluggable Authentication Module (PAM) scheme. PAM integrates all
+ authentication mechanisms on the machine, including login, to
+ provide the security infrastructure for authenticated access to and
+ from the machine.</para>
<para>In modern AFS installations, you should be using Kerberos v5
- for user login, and obtaining AFS tokens subsequent to this authentication
- step. OpenAFS does not currently distribute a PAM module allowing AFS
- tokens to be automatically gained at login. Whilst there are a number of
- third party modules providing this functionality, it is not know if these
- have been tested with HP/UX.</para>
+ for user login, and obtaining AFS tokens subsequent to this
+ authentication step. OpenAFS does not currently distribute a PAM
+ module allowing AFS tokens to be automatically gained at
+ login. Whilst there are a number of third party modules providing
+ this functionality, it is not know if these have been tested with
+ HP/UX.</para>
- <para>Following login, users can
- obtain tokens by running the <emphasis role="bold">aklog</emphasis>
- command</para>
-
-<!--
- <note>
- <para>The instructions specify that you mark each entry as <computeroutput>optional</computeroutput>. However, marking some
- modules as optional can mean that they grant access to the corresponding service even when the user does not meet all of the
- module's requirements. In some operating system revisions, for example, if you mark as optional the module that controls
- login via a dial-up connection, it allows users to login without providing a password. See the <emphasis>OpenAFS Release
- Notes</emphasis> for a discussion of any limitations that apply to this operating system.</para>
- </note>
-
- <para>Also, with some operating system versions you must install patches for PAM to interact correctly with certain
- authentication programs. For details, see the <emphasis>OpenAFS Release Notes</emphasis>.</para>
-
- <para>The recommended AFS-related entries in the PAM configuration file make use of one or more of the following three
- attributes. <variablelist>
- <varlistentry>
- <term><emphasis role="bold"><computeroutput>try_first_pass</computeroutput></emphasis></term>
-
- <listitem>
- <para>This is a standard PAM attribute that can be included on entries after the first one for a service; it directs
- the module to use the password that was provided to the first module. For the AFS module, it means that AFS
- authentication succeeds if the password provided to the module listed first is the user's correct AFS password. For
- further discussion of this attribute and its alternatives, see the operating system's PAM documentation.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><emphasis role="bold"><computeroutput>ignore_root</computeroutput></emphasis></term>
-
- <listitem>
- <para>This attribute, specific to the AFS PAM module, directs it to ignore not only the local superuser <emphasis
- role="bold">root</emphasis>, but also any user with UID 0 (zero).</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><emphasis role="bold"><computeroutput>setenv_password_expires</computeroutput></emphasis></term>
-
- <listitem>
- <para>This attribute, specific to the AFS PAM module, sets the environment variable PASSWORD_EXPIRES to the expiration
- date of the user's AFS password, which is recorded in the Authentication Database.</para>
- </listitem>
- </varlistentry>
- </variablelist></para>
-
- <para>Perform the following steps to enable AFS login. <orderedlist>
- <listitem>
- <para>Change directory as indicated. <programlisting>
- # <emphasis role="bold">cd /usr/lib/security</emphasis>
-</programlisting></para>
- </listitem>
-
- <listitem>
- <para>Copy the AFS authentication library file to the <emphasis role="bold">/usr/lib/security</emphasis> directory. Then
- create a symbolic link to it whose name does not mention the version. Omitting the version eliminates the need to edit
- the PAM configuration file if you later update the library file.</para>
-
- <para>If you use the AFS Authentication Server (<emphasis role="bold">kaserver</emphasis> process) in the cell:</para>
-
- <programlisting>
- # <emphasis role="bold">cp /cdrom/hp_ux110/lib/pam_afs.so.1 .</emphasis>
- # <emphasis role="bold">ln -s pam_afs.so.1 pam_afs.so</emphasis>
-</programlisting>
-
- <para>If you use a Kerberos implementation of AFS authentication:</para>
-
- <programlisting>
- # <emphasis role="bold">cp /cdrom/hp_ux110/lib/pam_afs.krb.so.1 .</emphasis>
- # <emphasis role="bold">ln -s pam_afs.krb.so.1 pam_afs.so</emphasis>
-</programlisting>
- </listitem>
-
- <listitem>
- <para>Edit the <computeroutput>Authentication management</computeroutput> section of the HP-UX PAM configuration file,
- <emphasis role="bold">/etc/pam.conf</emphasis> by convention. The entries in this section have the value
- <computeroutput>auth</computeroutput> in their second field.</para>
-
- <para>First edit the standard entries, which refer to the HP-UX PAM module (usually, the file <emphasis
- role="bold">/usr/lib/security/libpam_unix.1</emphasis>) in their fourth field. For each service for which you want to
- use AFS authentication, edit the third field of its entry to read <computeroutput>optional</computeroutput>. The
- <emphasis role="bold">pam.conf</emphasis> file in the HP-UX distribution usually includes standard entries for the
- <emphasis role="bold">login</emphasis> and <emphasis role="bold">ftp</emphasis> services, for instance.</para>
-
- <para>If there are services for which you want to use AFS authentication, but for which the <emphasis
- role="bold">pam.conf</emphasis> file does not already include a standard entry, you must create that entry and place the
- value <computeroutput>optional</computeroutput> in its third field. For instance, the HP-UX <emphasis
- role="bold">pam.conf</emphasis> file does not usually include standard entries for the <emphasis
- role="bold">remsh</emphasis> or <emphasis role="bold">telnet</emphasis> services.</para>
-
- <para>Then create an AFS-related entry for each service, placing it immediately below the standard entry. The following
- example shows what the <computeroutput>Authentication Management</computeroutput> section looks like after you have you
- edited or created entries for the services mentioned previously. Note that the example AFS entries appear on two lines
- only for legibility.</para>
-
- <programlisting>
- login auth optional /usr/lib/security/libpam_unix.1
- login auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root setenv_password_expires
- ftp auth optional /usr/lib/security/libpam_unix.1
- ftp auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
- remsh auth optional /usr/lib/security/libpam_unix.1
- remsh auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
- telnet auth optional /usr/lib/security/libpam_unix.1
- telnet auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root setenv_password_expires
-</programlisting>
- </listitem>
-
- <listitem>
- <para>If you use the Common Desktop Environment (CDE) on the machine and want users to obtain an AFS token as they log
- in, also add or edit the following four entries in the <computeroutput>Authentication management</computeroutput>
- section. Note that the AFS-related entries appear on two lines here only for legibility. <programlisting>
- dtlogin auth optional /usr/lib/security/libpam_unix.1
- dtlogin auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
- dtaction auth optional /usr/lib/security/libpam_unix.1
- dtaction auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
-</programlisting></para>
- </listitem>
--->
- <para>Proceed to <link linkend="HDRWQ50">Starting the BOS Server</link> (or if referring to these instructions while
- installing an additional file server machine, return to <link linkend="HDRWQ108">Starting Server
- Programs</link>).</para>
-
+ <para>Following login, users can obtain tokens by running the
+ <emphasis role="bold">aklog</emphasis> command</para>
+
+ <para>Sites which still require <emphasis
+ role="bold">kaserver</emphasis> or external Kerberos v4
+ authentication should consult <link linkend="KAS013">Enabling
+ kaserver based AFS login on HP-UX systems</link> for details of how
+ to enable HP-UX login.</para>
+
+ <para>Proceed to <link linkend="HDRWQ50">Starting the BOS
+ Server</link> (or if referring to these instructions while
+ installing an additional file server machine, return to <link
+ linkend="HDRWQ108">Starting Server Programs</link>).</para>
</sect2>
</sect1>
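Review bot: the re-wrapped HP-UX paragraph still reads "it is not know if these have been tested with HP/UX"; fix to "not known" and use "HP-UX" to match the sect1 title, and add the missing full stop after "aklog</emphasis> command" in the new "Following login" paragraph (the AIX context paragraph above has the same missing full stop). The KAS012 and KAS013 link texts read "kaserver based AFS login on ... systems" while the IRIX, Linux and Solaris links elsewhere in this patch read "kaserver based AFS Login on ... Systems"; make the capitalisation consistent with the target section titles, hyphenate "kaserver-based", and confirm that every KAS0xx linkend introduced here is actually defined in the appendix, since an undefined linkend is reported as an unresolved cross-reference when the DocBook source is validated.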
<emphasis role="bold">login</emphasis> program and the
graphical <emphasis role="bold">xdm</emphasis> login program both have
the ability to grant AFS tokens, this ability relies upon the deprecated
- kaserver authentication system. As this system is not recommended for
- new installations, this is not documented here.</para>
+ kaserver authentication system.</para>
<para>Users who have been successfully authenticated via Kerberos 5
authentication may obtain AFS tokens following login by running the
<emphasis role="bold">aklog</emphasis> command.</para>
-
-<!--
- <para>The standard IRIX command-line <emphasis role="bold">login</emphasis> program and the graphical <emphasis
- role="bold">xdm</emphasis> login program both automatically grant an AFS token when AFS is incorporated into the machine's
- kernel. However, some IRIX distributions use another login utility by default, and it does not necessarily incorporate the
- required AFS modifications. If that is the case, you must disable the default utility if you want AFS users to obtain AFS
- tokens at login. For further discussion, see the <emphasis>OpenAFS Release Notes</emphasis>.</para>
-
- <para>If you configure the machine to use an AFS-modified login utility, then the <emphasis
- role="bold">afsauthlib.so</emphasis> and <emphasis role="bold">afskauthlib.so</emphasis> files (included in the AFS
- distribution) must reside in the <emphasis role="bold">/usr/vice/etc</emphasis> directory. Issue the <emphasis
- role="bold">ls</emphasis> command to verify.</para>
-
- <programlisting>
- # <emphasis role="bold">ls /usr/vice/etc</emphasis>
-</programlisting>
- <para>If the files do not exist, change directory as indicated, and copy
- them.</para>
+ <para>Sites which still require <emphasis role="bold">kaserver</emphasis>
+ or external Kerberos v4 authentication should consult
+ <link linkend="KAS014">Enabling kaserver based AFS Login on IRIX Systems</link>
+ for details of how to enable IRIX login.</para>
- <programlisting>
- # <emphasis role="bold">cd /tmp/afsdist/sgi_65/root.client/usr/vice/etc</emphasis>
- # <emphasis role="bold">cp -p *authlib* /usr/vice/etc</emphasis>
-</programlisting>
--->
- <para>After taking any necessary action, proceed to <link linkend="HDRWQ50">Starting the BOS Server</link>.</para>
+ <para>After taking any necessary action, proceed to
+ <link linkend="HDRWQ50">Starting the BOS Server</link>.</para>
</sect2>
</sect1>
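Review bot: with the trailing clause removed, the surviving sentence reads "both have the ability to grant AFS tokens, this ability relies upon the deprecated kaserver authentication system.", which is a comma splice; suggest "..., but this ability relies upon the deprecated kaserver authentication system." The KAS014 link text capitalises "Login" and "Systems" where the AIX and HP-UX links in this patch use lower case; use one form that matches the appendix titles.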
RedHat Enterprise Linux packages distributed by OpenAFS. Additional
instructions are provided for those building from source.</para>
- <para>Begin by running the AFS client startup scripts, which call the <emphasis role="bold">modprobe</emphasis> program, which
- dynamically loads AFS modifications into the kernel. Then create partitions for storing AFS volumes. You do not need to replace
- the Linux <emphasis role="bold">fsck</emphasis> program. If the machine is to remain an AFS client machine, incorporate AFS into
- the machine's Pluggable Authentication Module (PAM) scheme. <indexterm>
+ <para>Begin by running the AFS client startup scripts, which call the
+ <emphasis role="bold">modprobe</emphasis> program, which dynamically
+ loads AFS modifications into the kernel. Then create partitions for
+ storing AFS volumes. You do not need to replace the Linux <emphasis
+ role="bold">fsck</emphasis> program. If the machine is to remain an
+ AFS client machine, incorporate AFS into the machine's Pluggable
+ Authentication Module (PAM) scheme. <indexterm>
<primary>incorporating AFS kernel extensions</primary>
<secondary>first AFS machine</secondary>
<title>Enabling AFS Login on Linux Systems</title>
<note>
- <para>If you plan to remove client functionality from this machine after completing the installation, skip this section and
- proceed to <link linkend="HDRWQ50">Starting the BOS Server</link>.</para>
+ <para>If you plan to remove client functionality from this machine
+ after completing the installation, skip this section and proceed
+ to <link linkend="HDRWQ50">Starting the BOS Server</link>.</para>
</note>
- <para>At this point you incorporate AFS into the operating system's Pluggable Authentication Module (PAM) scheme. PAM
- integrates all authentication mechanisms on the machine, including login, to provide the security infrastructure for
- authenticated access to and from the machine.</para>
-
- <para>Explaining PAM is beyond the scope of this document. It is assumed that you understand the syntax and meanings of
- settings in the PAM configuration file (for example, how the <computeroutput>other</computeroutput> entry works, the effect of
- marking an entry as <computeroutput>required</computeroutput>, <computeroutput>optional</computeroutput>, or
- <computeroutput>sufficient</computeroutput>, and so on).</para>
-
- <para>At this time, we recommend that new sites requiring AFS credentials
- to be gained as part of PAM authentication use Russ Alberry's
- pam_afs_session, rather than utilising the bundled pam_afs2 module.
- A typical PAM stack should authenticate the user using an external
- Kerberos V service, and then use the AFS PAM module to obtain AFS
- credentials in the <computeroutput>session</computeroutput> section</para>
-
- <orderedlist>
- <listitem>
- <para>Proceed to <link linkend="HDRWQ50">Starting the BOS Server</link> (or if referring to these instructions while
- installing an additional file server machine, return to <link linkend="HDRWQ108">Starting Server
- Programs</link>).</para>
- </listitem>
- </orderedlist>
+ <para>At this point you incorporate AFS into the operating system's
+ Pluggable Authentication Module (PAM) scheme. PAM integrates all
+ authentication mechanisms on the machine, including login, to provide
+ the security infrastructure for authenticated access to and from the
+ machine.</para>
+
+ <para>You should first configure your system to obtain Kerberos v5
+ tickets as part of the authentication process, and then run an AFS PAM
+ module to obtain tokens from those tickets after authentication. Many
+ Linux distributions come with a Kerberos v5 PAM module (usually called
+ pam-krb5 or pam_krb5), or you can download and install <ulink
+ url="http://www.eyrie.org/~eagle/software/pam-krb5">Russ Allbery's
+ Kerberos v5 PAM module</ulink>, which is tested regularly with AFS.
+ See the instructions of whatever PAM module you use for how to
+ configure it.</para>
+
+ <para>Some Kerberos v5 PAM modules do come with native AFS support
+ (usually requiring the Heimdal Kerberos implementation rather than the
+ MIT Kerberos implementation). If you are using one of those PAM
+ modules, you can configure it to obtain AFS tokens. It's more common,
+ however, to separate the AFS token acquisition into a separate PAM
+ module.</para>
+
+ <para>The recommended AFS PAM module is <ulink
+ url="http://www.eyrie.org/~eagle/software/pam-afs-session/">Russ
+ Allbery's pam-afs-session module</ulink>. It should work with any of
+ the Kerberos v5 PAM modules. To add it to the PAM configuration, you
+ often only need to add configuration to the session group:</para>
+
+ <example>
+ <title>Linux PAM session example</title>
+ <literallayout>session required pam_afs_session.so</literallayout>
+ </example>
+
+ <para>If you also want to obtain AFS tokens for <command>scp</command>
+ and similar commands that don't open a session, you will also need to
+ add the AFS PAM module to the auth group so that the PAM
+ <function>setcred</function> call will obtain tokens. The
+ <literal>pam_afs_session</literal> module will always return success
+ for authentication so that it can be added to the auth group only for
+ <function>setcred</function>, so make sure that it's not marked as
+ <literal>sufficient</literal>.</para>
+
+ <example>
+ <title>Linux PAM auth example</title>
+<literallayout>auth [success=ok default=1] pam_krb5.so
+auth [default=done] pam_afs_session.so
+auth required pam_unix.so try_first_pass</literallayout>
+ </example>
+
+ <para>This example will work if you want to try Kerberos v5 first and
+ then fall back to regular Unix authentication.
+ <literal>success=ok</literal> for the Kerberos PAM module followed by
+ <literal>default=done</literal> for the AFS PAM module will cause a
+ successful Kerberos login to run the AFS PAM module and then skip the
+ Unix authentication module. <literal>default=1</literal> on the
+ Kerberos PAM module causes failure of that module to skip the next
+ module (the AFS PAM module) and fall back to the Unix module. If you
+ want to try Unix authentication first and rearrange the order, be sure
+ to use <literal>default=die</literal> instead.</para>
+
+ <para>The PAM configuration is stored in different places in different
+ Linux distributions. On Red Hat, look in
+ <filename>/etc/pam.d/system-auth</filename>. On Debian and
+ derivatives, look in <filename>/etc/pam.d/common-session</filename>
+ and <filename>/etc/pam.d/common-auth</filename>.</para>
+
+ <para>For additional configuration examples and the configuration
+ options of the AFS PAM module, see its documentation. For more
+ details on the available options for the PAM configuration, see the
+ Linux PAM documentation.</para>
+
+ <para>Sites which still require <command>kaserver</command> or
+ external Kerberos v4 authentication should consult <link
+ linkend="KAS015">Enabling kaserver based AFS Login on Linux
+ Systems</link> for details of how to enable AFS login on Linux.</para>
+
+ <para>Proceed to <link linkend="HDRWQ50">Starting the BOS
+ Server</link> (or if referring to these instructions while installing
+ an additional file server machine, return to <link
+ linkend="HDRWQ108">Starting Server Programs</link>).</para>
</sect2>
</sect1>
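Review bot: the auth-group example "auth [default=done] pam_afs_session.so" is only safe because the Kerberos entry above it uses "success=ok default=1", so the AFS module is reached only after a successful Kerberos authentication; the sentence stating that pam_afs_session always returns success for authentication and must never be marked "sufficient" is the security-relevant point of this section and deserves a note element, which is the convention the surrounding document uses, rather than a mid-paragraph mention. Two consistency points: this hunk drops the "Explaining PAM is beyond the scope of this document" paragraph while the Solaris rewrite in the same patch keeps it, and it introduces command, literal, filename and function markup where the rest of the document and the AIX, HP-UX and Solaris sections use emphasis role="bold" and computeroutput (compare "<command>kaserver</command>" here with "<emphasis role="bold">kaserver</emphasis>" in the Solaris section); pick one convention for the patch.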
proceed to <link linkend="HDRWQ50">Starting the BOS Server</link>.</para>
</listitem>
</orderedlist></para>
+ </sect2>
+ <sect2 id="HDRWQ49">
+ <title>Enabling AFS Login on Solaris Systems</title>
<indexterm>
<primary>enabling AFS login</primary>
<tertiary>file server machine</tertiary>
</indexterm>
+ <note>
+ <para>If you plan to remove client functionality from this machine after completing the installation, skip this section and
+ proceed to <link linkend="HDRWQ50">Starting the BOS Server</link>.</para>
+ </note>
+
+ <para>At this point you incorporate AFS into the operating system's
+ Pluggable Authentication Module (PAM) scheme. PAM integrates all
+ authentication mechanisms on the machine, including login, to provide
+ the security infrastructure for authenticated access to and from the
+ machine.</para>
+
+ <para>Explaining PAM is beyond the scope of this document. It is
+ assumed that you understand the syntax and meanings of settings in the
+ PAM configuration file (for example, how the
+ <computeroutput>other</computeroutput> entry works, the effect of
+ marking an entry as <computeroutput>required</computeroutput>,
+ <computeroutput>optional</computeroutput>, or
+ <computeroutput>sufficient</computeroutput>, and so on).</para>
+
+ <para>You should first configure your system to obtain Kerberos v5
+ tickets as part of the authentication process, and then run an AFS PAM
+ module to obtain tokens from those tickets after authentication.
+ Current versions of Solaris come with a Kerberos v5 PAM module that
+ will work, or you can download and install <ulink
+ url="http://www.eyrie.org/~eagle/software/pam-krb5">Russ Allbery's
+ Kerberos v5 PAM module</ulink>, which is tested regularly with AFS.
+ See the instructions of whatever PAM module you use for how to
+ configure it.</para>
+
+ <para>Some Kerberos v5 PAM modules do come with native AFS support
+ (usually requiring the Heimdal Kerberos implementation rather than the
+ MIT Kerberos implementation). If you are using one of those PAM
+ modules, you can configure it to obtain AFS tokens. It's more common,
+ however, to separate the AFS token acquisition into a separate PAM
+ module.</para>
+
+ <para>The recommended AFS PAM module is <ulink
+ url="http://www.eyrie.org/~eagle/software/pam-afs-session/">Russ
+ Allbery's pam-afs-session module</ulink>. It should work with any of
+ the Kerberos v5 PAM modules. To add it to the PAM configuration, you
+ often only need to add configuration to the session group in
+ <filename>pam.conf</filename>:</para>
+
+ <example>
+ <title>Solaris PAM session example</title>
+ <literallayout>login session required pam_afs_session.so</literallayout>
+ </example>
+
+ <para>This example enables PAM authentication only for console login.
+ You may want to add a similar line for the ssh service and for any
+ other login service that you use, including possibly the
+ <literal>other</literal> service (which serves as a catch-all). You
+ may also want to add options to the AFS PAM session module
+ (particularly <literal>retain_after_close</literal>, which is
+ necessary for some versions of Solaris.</para>
+
+ <para>For additional configuration examples and the configuration
+ options of the AFS PAM module, see its documentation. For more
+ details on the available options for the PAM configuration, see the
+ <filename>pam.conf</filename> manual page.</para>
+
+ <para>Sites which still require <emphasis
+ role="bold">kaserver</emphasis> or external Kerberos v4 authentication
+ should consult <link linkend="KAS016">Enabling kaserver based AFS
+ Login on Solaris Systems"</link> for details of how to enable AFS
+ login on Solaris.</para>
+
+ <para>Proceed to <link linkend="HDRWQ49a">Editing the File Systems
+ Clean-up Script on Solaris Systems</link></para>
+ </sect2>
+ <sect2 id="HDRWQ49a">
+ <title>Editing the File Systems Clean-up Script on Solaris Systems</title>
<indexterm>
<primary>Solaris</primary>
<tertiary>file server machine</tertiary>
</indexterm>
- </sect2>
-
- <sect2 id="HDRWQ49">
- <title>Enabling AFS Login and Editing the File Systems Clean-up Script on Solaris Systems</title>
-
- <note>
- <para>If you plan to remove client functionality from this machine after completing the installation, skip this section and
- proceed to <link linkend="HDRWQ50">Starting the BOS Server</link>.</para>
- </note>
-
- <para>At this point you incorporate AFS into the operating system's Pluggable Authentication Module (PAM) scheme. PAM
- integrates all authentication mechanisms on the machine, including login, to provide the security infrastructure for
- authenticated access to and from the machine.</para>
- <para>Explaining PAM is beyond the scope of this document. It is assumed that you understand the syntax and meanings of
- settings in the PAM configuration file (for example, how the <computeroutput>other</computeroutput> entry works, the effect of
- marking an entry as <computeroutput>required</computeroutput>, <computeroutput>optional</computeroutput>, or
- <computeroutput>sufficient</computeroutput>, and so on).</para>
-
- <para>In modern AFS installations, you should be using Kerberos v5
- for user login, and obtaining AFS tokens subsequent to this authentication
- step. OpenAFS does not currently distribute a PAM module allowing AFS
- tokens to be automatically gained at login. Whilst there are a number of
- third party modules providing this functionality, it is not know if these
- have been tested with HP/UX.</para>
- <para>Following login, users can
- obtain tokens by running the <emphasis role="bold">aklog</emphasis>
- command</para>
-
-<!--
- <para>The following instructions explain how to alter the entries in the PAM configuration file for each service for which you
- wish to use AFS authentication. Other configurations possibly also work, but the instructions specify the recommended and
- tested configuration.</para>
-
- <note>
- <para>The instructions specify that you mark each entry as <computeroutput>optional</computeroutput>. However, marking some
- modules as optional can mean that they grant access to the corresponding service even when the user does not meet all of the
- module's requirements. In some operating system revisions, for example, if you mark as optional the module that controls
- login via a dial-up connection, it allows users to login without providing a password. See the <emphasis>OpenAFS Release
- Notes</emphasis> for a discussion of any limitations that apply to this operating system.</para>
-
- <para>Also, with some operating system versions you must install patches for PAM to interact correctly with certain
- authentication programs. For details, see the <emphasis>OpenAFS Release Notes</emphasis>.</para>
- </note>
-
- <para>The recommended AFS-related entries in the PAM configuration file make use of one or more of the following three
- attributes. <variablelist>
- <varlistentry>
- <term><emphasis role="bold"><computeroutput>try_first_pass</computeroutput></emphasis></term>
-
- <listitem>
- <para>This is a standard PAM attribute that can be included on entries after the first one for a service; it directs
- the module to use the password that was provided to the first module. For the AFS module, it means that AFS
- authentication succeeds if the password provided to the module listed first is the user's correct AFS password. For
- further discussion of this attribute and its alternatives, see the operating system's PAM documentation.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><emphasis role="bold"><computeroutput>ignore_root</computeroutput></emphasis></term>
-
- <listitem>
- <para>This attribute, specific to the AFS PAM module, directs it to ignore not only the local superuser <emphasis
- role="bold">root</emphasis>, but also any user with UID 0 (zero).</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><emphasis role="bold"><computeroutput>setenv_password_expires</computeroutput></emphasis></term>
-
- <listitem>
- <para>This attribute, specific to the AFS PAM module, sets the environment variable PASSWORD_EXPIRES to the expiration
- date of the user's AFS password, which is recorded in the Authentication Database.</para>
- </listitem>
- </varlistentry>
- </variablelist></para>
-
- <para>Perform the following steps to enable AFS login. <orderedlist>
- <listitem>
- <para>Mount the AFS CD-ROM for Solaris on the <emphasis role="bold">/cdrom</emphasis> directory, if it is not already.
- Then change directory as indicated. <programlisting>
- # <emphasis role="bold">cd /usr/lib/security</emphasis>
-</programlisting></para>
- </listitem>
-
- <listitem>
- <para>Copy the AFS authentication library file to the <emphasis role="bold">/usr/lib/security</emphasis> directory. Then
- create a symbolic link to it whose name does not mention the version. Omitting the version eliminates the need to edit
- the PAM configuration file if you later update the library file.</para>
-
- <para>If you use the AFS Authentication Server (<emphasis role="bold">kaserver</emphasis> process):</para>
-
- <programlisting>
- # <emphasis role="bold">cp /cdrom/sun4x_56/lib/pam_afs.so.1 .</emphasis>
- # <emphasis role="bold">ln -s pam_afs.so.1 pam_afs.so</emphasis>
-</programlisting>
-
- <para>If you use a Kerberos implementation of AFS authentication:</para>
-
- <programlisting>
- # <emphasis role="bold">cp /cdrom/sun4x_56/lib/pam_afs.krb.so.1 .</emphasis>
- # <emphasis role="bold">ln -s pam_afs.krb.so.1 pam_afs.so</emphasis>
-</programlisting>
- </listitem>
-
- <listitem>
- <para>Edit the <computeroutput>Authentication management</computeroutput> section of the Solaris PAM configuration file,
- <emphasis role="bold">/etc/pam.conf</emphasis> by convention. The entries in this section have the value
- <computeroutput>auth</computeroutput> in their second field.</para>
-
- <para>First edit the standard entries, which refer to the Solaris PAM module (usually, the file <emphasis
- role="bold">/usr/lib/security/pam_unix.so.1</emphasis>) in their fourth field. For each service for which you want to
- use AFS authentication, edit the third field of its entry to read <computeroutput>optional</computeroutput>. The
- <emphasis role="bold">pam.conf</emphasis> file in the Solaris distribution usually includes standard entries for the
- <emphasis role="bold">login</emphasis>, <emphasis role="bold">rlogin</emphasis>, and <emphasis
- role="bold">rsh</emphasis> services, for instance.</para>
-
- <para>If there are services for which you want to use AFS authentication, but for which the <emphasis
- role="bold">pam.conf</emphasis> file does not already include a standard entry, you must create that entry and place the
- value <computeroutput>optional</computeroutput> in its third field. For instance, the Solaris <emphasis
- role="bold">pam.conf</emphasis> file does not usually include standard entries for the <emphasis
- role="bold">ftp</emphasis> or <emphasis role="bold">telnet</emphasis> services.</para>
-
- <para>Then create an AFS-related entry for each service, placing it immediately below the standard entry. The following
- example shows what the <computeroutput>Authentication Management</computeroutput> section looks like after you have you
- edited or created entries for the services mentioned previously. Note that the example AFS entries appear on two lines
- only for legibility.</para>
-
- <programlisting>
- login auth optional /usr/lib/security/pam_unix.so.1
- login auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root setenv_password_expires
- rlogin auth optional /usr/lib/security/pam_unix.so.1
- rlogin auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root setenv_password_expires
- rsh auth optional /usr/lib/security/pam_unix.so.1
- rsh auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
- ftp auth optional /usr/lib/security/pam_unix.so.1
- ftp auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
- telnet auth optional /usr/lib/security/pam_unix.so.1
- telnet auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root setenv_password_expires
-</programlisting>
- </listitem>
-
- <listitem>
- <para>If you use the Common Desktop Environment (CDE) on the machine and want users to obtain an AFS token as they log
- in, also add or edit the following four entries in the <computeroutput>Authentication management</computeroutput>
- section. Note that the AFS-related entries appear on two lines here only for legibility. <programlisting>
- dtlogin auth optional /usr/lib/security/pam_unix.so.1
- dtlogin auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
- dtsession auth optional /usr/lib/security/pam_unix.so.1
- dtsession auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
-</programlisting></para>
- </listitem>
--->
<orderedlist>
<listitem>
<para>Some Solaris distributions include a script that locates and removes unneeded files from various file systems. Its
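Review bot: dropping `<sect2 id="HDRWQ49">` removes an anchor that other chapters or the kaserver appendix may still reference with `linkend="HDRWQ49"`; grep for that id before merging, or the DocBook build will fail validation. Removing the PAM guidance itself is the right call: the old block marked pam_unix `optional` for login, rlogin and rsh, its own note admitted this "allows users to login without providing a password" on some revisions, and the whole thing was already commented out, so nothing live is lost. One thing to check after the merge: the retained clean-up script step now sits under the preceding sect2 without the old note telling readers who plan to remove client functionality to skip ahead, so confirm that step is meant to apply to server-only machines too.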
them. For a description of the contents and function of these directories and files, see the chapter in the <emphasis>OpenAFS
Administration Guide</emphasis> about administering server machines. For further discussion of the mode bit settings, see <link
linkend="HDRWQ96">Protecting Sensitive AFS Directories</link>. <indexterm>
- <primary>CD-ROM</primary>
+ <primary>Binary Distribution</primary>
<secondary>copying server files from</secondary>
kaserver was based on <emphasis>Kerberos v4</emphasis>, as such, it is
not recommended for new cells. This guide assumes you have already
configured a Kerberos v5 realm for your site, and details the procedures
- required to use AFS with this realm.</para>
+ required to use AFS with this realm. If you do wish to use
+ <emphasis role="bold">kaserver</emphasis>, please see the modifications
+ to these instructions detailed in
+ <link linkend="KAS006">Starting the kaserver Database Server Process</link>
+ </para>
</note>
<para>The remaining instructions in this chapter include the <emphasis role="bold">-cell</emphasis> argument on all applicable
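Review bot: the new cross-reference `<link linkend="KAS006">Starting the kaserver Database Server Process</link>` needs that id to exist in the kaserver appendix; the other links added in this change use KAS001 and KAS003, so check the numbering is consistent across the appendix. Minor: the added sentence ends with the link followed by a bare `</para>` on its own line, so there is no full stop after the link text.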
</sect1>
<sect1 id="HDRWQ53">
- <title>Initializing Cell Security</title>
+ <title>Initializing Cell Security </title>
+ <para>If you are working with an existing cell which uses
+ <emphasis role="bold">kaserver</emphasis> or Kerberos v4 for authentication,
+ please see
+ <link linkend="HDRWQ53">Initializing Cell Security with kaserver</link>
+ for installation instructions which replace this section.</para>
+
<para>Now initialize the cell's security mechanisms. Begin by creating the following two entires in your site's Kerberos database: <itemizedlist>
<listitem>
<para>A generic administrative account, called <emphasis role="bold">admin</emphasis> by convention. If you choose to
<para>The following instructions do not configure all of the security mechanisms related to the AFS Backup System. See the
chapter in the <emphasis>OpenAFS Administration Guide</emphasis> about configuring the Backup System.</para>
- <para>The examples below assume you are using MIT Kerberos. Please refer to the documentation for your KDC's administrative interface if you are using a different vendor</para>
+ <para>The examples below assume you are using MIT Kerberos. Please refer
+ to the documentation for your KDC's administrative interface if you are
+ using a different vendor</para>
-<orderedlist>
+ <orderedlist>
<listitem>
<para>Enter <emphasis role="bold">kadmin</emphasis> interactive mode.
<programlisting>
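Review bot: the new kaserver paragraph links to `linkend="HDRWQ53"`, which is this very section's id (`<sect1 id="HDRWQ53">`), so "Initializing Cell Security with kaserver" will resolve to itself instead of the kaserver appendix; it should point at the appendix's own id, as the KAS001/KAS003/KAS006 links elsewhere in this change do. Two smaller points: the retitled `<title>Initializing Cell Security </title>` carries a trailing space that will show up in generated tables of contents, and the reflowed MIT Kerberos paragraph still ends without a full stop after "a different vendor".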
<para>Once the kvno is known, the key can then be extracted using
asetkey</para>
<programlisting>
- # <emphasis role="bold">asetkey</emphasis> <<replaceable>kvno</replaceable>> <emphasis role="bold">/etc/afs.keytab afs/</emphasis><<replaceable>cell name</replaceable>>
+ # <emphasis role="bold">asetkey add</emphasis> <<replaceable>kvno</replaceable>> <emphasis role="bold">/etc/afs.keytab afs/</emphasis><<replaceable>cell name</replaceable>>
</programlisting>
<indexterm>
<primary>commands</primary>
-
<secondary>bos listkeys</secondary>
</indexterm>
<indexterm>
<primary>bos commands</primary>
-
<secondary>listkeys</secondary>
</indexterm>
<indexterm>
<primary>displaying</primary>
-
<secondary>server encryption key</secondary>
-
<tertiary>KeyFile file</tertiary>
</indexterm>
</listitem>
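Review bot: changing `asetkey` to `asetkey add` is the right fix, since the bare form is missing the subcommand. The step would be stronger with one more sentence saying that the kvno passed here must match the version of the afs/<cell name> key actually stored in /etc/afs.keytab, because a mismatch leaves the servers holding a key the KDC is not issuing tickets for. Also, the `bos listkeys` index entries are kept while only blank lines are removed around them; confirm the `bos listkeys` verification step itself still appears in the text, otherwise those indexterms are orphaned.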
<para>You can safely ignore any error messages indicating that <emphasis role="bold">bos</emphasis> failed to get tickets
or that authentication failed.</para>
-
-<!--
- <para>If the keys are different, issue the following commands, making sure that the <replaceable>afs_passwd</replaceable>
- string is the same in each case. The <replaceable>checksum</replaceable> strings reported by the <emphasis role="bold">kas
- examine</emphasis> and <emphasis role="bold">bos listkeys</emphasis> commands must match; if they do not, repeat these
- instructions until they do, using the <emphasis role="bold">-kvno</emphasis> argument to increment the key version number
- each time.</para>
-
- <programlisting>
- # <emphasis role="bold">./kas -cell</emphasis> <<replaceable>cell name</replaceable>> <emphasis role="bold">-noauth</emphasis>
- ka> <emphasis role="bold">setpassword afs -kvno 1</emphasis>
- new_password: <replaceable>afs_passwd</replaceable>
- Verifying, please re-enter initial_password: <replaceable>afs_passwd</replaceable>
- ka> <emphasis role="bold">examine afs</emphasis>
- User data for afs
- key (1) cksum is <replaceable>checksum</replaceable> . . .
- ka> <emphasis role="bold">quit</emphasis>
- # <emphasis role="bold">./bos addkey</emphasis> <<replaceable>machine name</replaceable>> <emphasis role="bold">-kvno 1 -cell</emphasis> <<replaceable>cell name</replaceable>> <emphasis
- role="bold">-noauth</emphasis>
- Input key: <replaceable>afs_passwd</replaceable>
- Retype input key: <replaceable>afs_passwd</replaceable>
- # <emphasis role="bold">./bos listkeys</emphasis> <<replaceable>machine name</replaceable>> <emphasis role="bold">-cell</emphasis> <<replaceable>cell name</replaceable>> <emphasis
- role="bold">-noauth</emphasis>
- key 1 has cksum <replaceable>checksum</replaceable>
-</programlisting>
--->
+ </listitem>
+ </orderedlist>
+ </sect1>
+ <sect1 id="HDRWQ53a">
+ <title>Initializing the Protection Database</title>
+
+ <para>Now continue to configure your cell's security systems by
+ populating the Protection Database with the newly created
+ <emphasis role="bold">admin</emphasis> user, and permitting it
+ to issue priviledged commands on the AFS filesystem.</para>
+
+ <orderedlist>
+ <listitem>
<indexterm>
<primary>commands</primary>
-
<secondary>pts createuser</secondary>
</indexterm>
<indexterm>
<primary>pts commands</primary>
-
<secondary>createuser</secondary>
</indexterm>
<indexterm>
<primary>Protection Database</primary>
</indexterm>
- </listitem>
-
- <listitem>
<para>Issue the <emphasis role="bold">pts createuser</emphasis> command to create a Protection Database entry for the
<emphasis role="bold">admin</emphasis> user.</para>
<indexterm>
<primary>commands</primary>
-
<secondary>pts adduser</secondary>
</indexterm>
<indexterm>
<primary>pts commands</primary>
-
<secondary>adduser</secondary>
</indexterm>
<indexterm>
<primary>admin account</primary>
-
<secondary>adding</secondary>
-
<tertiary>to system:administrators group</tertiary>
</indexterm>
</listitem>
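Review bot: "priviledged" in the new introductory paragraph ("permitting it to issue priviledged commands") should be "privileged". The restructuring is otherwise sound: closing the orderedlist and sect1 where the commented-out kas block used to be, opening `<sect1 id="HDRWQ53a">`, and removing the `</listitem>`/`<listitem>` pair so the pts createuser index terms land in the same list item as the command they index leaves the list balanced (one `<listitem>` opened after the new `<orderedlist>`, one `</listitem>` after the pts adduser index terms).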
system:administrators
</programlisting> <indexterm>
<primary>commands</primary>
-
<secondary>bos restart</secondary>
-
<tertiary>on first AFS machine</tertiary>
</indexterm> <indexterm>
<primary>bos commands</primary>
-
<secondary>restart</secondary>
-
<tertiary>on first AFS machine</tertiary>
</indexterm> <indexterm>
<primary>restarting server process</primary>
-
<secondary>on first AFS machine</secondary>
</indexterm> <indexterm>
<primary>server process</primary>
-
<secondary>restarting</secondary>
-
<tertiary>on first AFS machine</tertiary>
</indexterm></para>
</listitem>
</sect1>
<sect1 id="HDRWQ60">
- <title>Starting the File Server, Volume Server, and Salvager</title>
-
- <para>Start the <emphasis role="bold">fs</emphasis> process, which consists of the File Server, Volume Server, and Salvager
- (<emphasis role="bold">fileserver</emphasis>, <emphasis role="bold">volserver</emphasis> and <emphasis
- role="bold">salvager</emphasis> processes). <orderedlist>
+ <title>Starting the File Server processes</title>
+
+ <para>Start either the <emphasis role="bold">fs</emphasis> process or, if you want to run the Demand-Attach File Server, the
+ <emphasis role="bold">dafs</emphasis> process. The <emphasis role="bold">fs</emphasis> process consists of the File Server,
+ Volume Server, and Salvager (<emphasis role="bold">fileserver</emphasis>, <emphasis role="bold">volserver</emphasis> and
+ <emphasis role="bold">salvager</emphasis> processes). The <emphasis role="bold">dafs</emphasis> process consists of the
+ Demand-Attach File Server, Volume Server, Salvage Server, and Salvager (<emphasis role="bold">dafileserver</emphasis>,
+ <emphasis role="bold"> davolserver</emphasis>, <emphasis role="bold">salvageserver</emphasis>, and <emphasis
+ role="bold">dasalvager</emphasis> processes). For information about the Demand-Attach File Server and to see whether or not
+ you should run it, see <link linkend="DAFS">Appendix C, The Demand-Attach File Server</link>.
+ <orderedlist>
<listitem>
<para>Issue the <emphasis role="bold">bos create</emphasis> command to start the <emphasis role="bold">fs</emphasis>
- process. The command appears here on multiple lines only for legibility. <programlisting>
+ process or the <emphasis role="bold">dafs</emphasis> process. The commands appear here on multiple lines only for legibility.
+
+ <itemizedlist>
+ <listitem>
+ <para>If you are not planning on running the Demand-Attach File Server, create the <emphasis role="bold">fs</emphasis>
+ process:
+ <programlisting>
# <emphasis role="bold">./bos create</emphasis> <<replaceable>machine name</replaceable>> <emphasis role="bold">fs fs /usr/afs/bin/fileserver</emphasis> \
<emphasis role="bold">/usr/afs/bin/volserver /usr/afs/bin/salvager</emphasis> \
<emphasis role="bold">-cell</emphasis> <<replaceable>cell name</replaceable>> <emphasis role="bold">-noauth</emphasis>
</programlisting></para>
+ </listitem>
+ <listitem>
+ <para>If you are planning on running the Demand-Attach File Server, create the <emphasis
+ role="bold">dafs</emphasis> process:
+ <programlisting>
+ # <emphasis role="bold">./bos create</emphasis> <<replaceable>machine name</replaceable>> <emphasis role="bold">fs fs /usr/afs/bin/dafileserver</emphasis> \
+ <emphasis role="bold">/usr/afs/bin/davolserver /usr/afs/bin/salvageserver</emphasis> \
+ <emphasis role="bold">/usr/afs/bin/salvager -cell</emphasis> <<replaceable>cell name</replaceable>> <emphasis role="bold">-noauth</emphasis>
+</programlisting></para>
+ </listitem>
+ </itemizedlist>
+ </para>
<para>Sometimes a message about Volume Location Database (VLDB) initialization appears, along with one or more instances
of an error message similar to the following:</para>
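Review bot: the dafs `bos create` command is inconsistent with both the prose and the later status check. It reads `./bos create <machine name> fs fs /usr/afs/bin/dafileserver ...`, i.e. it still names and types the process `fs`, while the verification step below queries `dafs -long`; it should presumably be `dafs dafs`, matching the name the `bos status` step uses. It also passes `/usr/afs/bin/salvager` as the last binary although the paragraph says the dafs process consists of dafileserver, davolserver, salvageserver and `dasalvager`; one of the two needs correcting. Minor: `<emphasis role="bold"> davolserver</emphasis>` has a leading space inside the emphasis, which renders as a gap in the bold text.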
<secondary>status</secondary>
</indexterm></para>
- <para>You can verify that the <emphasis role="bold">fs</emphasis> process has started successfully by issuing the
- <emphasis role="bold">bos status</emphasis> command. Its output mentions two <computeroutput>proc
+ <para>You can verify that the <emphasis role="bold">fs</emphasis> or <emphasis role="bold">dafs</emphasis> process has started
+ successfully by issuing the <emphasis role="bold">bos status</emphasis> command. Its output mentions two <computeroutput>proc
starts</computeroutput>.</para>
+ <itemizedlist>
+ <listitem>
+ <para>If you are not running the Demand-Attach File Server:
+
<programlisting>
# <emphasis role="bold">./bos status</emphasis> <<replaceable>machine name</replaceable>> <emphasis role="bold">fs -long -noauth</emphasis>
-</programlisting>
+</programlisting></para></listitem>
+
+ <listitem>
+ <para>If you are running the Demand-Attach File Server:
+ <programlisting>
+ # <emphasis role="bold">./bos status</emphasis> <<replaceable>machine name</replaceable>> <emphasis role="bold">dafs -long -noauth</emphasis>
+</programlisting></para></listitem>
+ </itemizedlist>
+
</listitem>
<listitem>
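Review bot: style only: the first status item collapses `</programlisting></para></listitem>` onto one line and leaves an extra blank line inside its `<para>`, while the second item spreads the same tags over separate lines; pick one layout for both so the source stays readable.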
<emphasis role="bold">fs newcell</emphasis> command to update the list in kernel memory directly; see the chapter in the
<emphasis>OpenAFS Administration Guide</emphasis> about administering client machines.</para>
- <para>The AFS distribution includes the file <emphasis role="bold">CellServDB.dist</emphasis>. It includes an entry for all AFS cells that agreed to share
- their database server machine information at the time the distribution was
- created. A copy of this file is maintained at grand.central.org, from where
- updates may also be obtained.</para>
+ <para>The AFS distribution includes the file
+ <emphasis role="bold">CellServDB.dist</emphasis>. It includes an entry for
+ all AFS cells that agreed to share their database server machine
+ information at the time the distribution was
+ created. The definitive copy of this file is maintained at
+ grand.central.org, and updates may be obtained from
+ /afs/grand.central.org/service/CellServDB or
+ <ulink url="http://grand.central.org/dl/cellservdb/CellServDB">
+ http://grand.central.org/dl/cellservdb/CellServDB</ulink></para>
<para>The <emphasis role="bold">CellServDB.dist</emphasis> file can be a
good basis for the client <emphasis role="bold">CellServDB</emphasis> file,
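Review bot: the pointer to the definitive CellServDB copy is useful, but `<ulink url="http://grand.central.org/dl/cellservdb/CellServDB">` is a plain-HTTP download of the file that tells a client which hosts to trust as each cell's database servers; the paragraph should advise checking the fetched copy against the /afs/grand.central.org/service/CellServDB path it also names, or another trusted source, before installing it rather than installing whatever arrived over the wire. Also the sentence ends at `</ulink>` with no full stop.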
<note>
<para>If you are running on a Fedora or RHEL based system, the
- openafs-client initilization script behaves differently from that
+ openafs-client initialization script behaves differently from that
described above. It sources /etc/sysconfig/openafs, in which the
AFSD_ARGS variable may be set to contain any, or all, of the afsd options
detailed. Note that this script does not support setting an OPTIONS
a synthetic root (as discussed in <link linkend="HDRWQ91">Enabling Access
to Foreign Cells</link>). As some distributions ship with this enabled, it
may be necessary to remove any occurences of the
- <emhpasis role="bold">-dynroot</emphasis> and
+ <emphasis role="bold">-dynroot</emphasis> and
<emphasis role="bold">-afsdb</emphasis> options from both the AFS
initialisation script and options file. If this functionality is
required it may be renabled as detailed in
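Review bot: the `<emhpasis>`/`</emphasis>` mismatch fix is correct and was a well-formedness error. While here, the surrounding sentences still have "occurences" (should be "occurrences") and "renabled" (should be "re-enabled"), and this paragraph says "initialisation script" while the fix just above standardizes on "initialization"; worth settling in the same change.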
</programlisting></para>
</listitem>
</orderedlist></para>
-
- <indexterm>
- <primary>commands</primary>
-
- <secondary>klog</secondary>
- </indexterm>
-
- <indexterm>
- <primary>klog command</primary>
- </indexterm>
</listitem>
<listitem>
role="bold">V</emphasis><replaceable>n</replaceable> files in the cache directory. Subsequent Cache Manager
initializations do not take nearly as long, because the <emphasis role="bold">V</emphasis><replaceable>n</replaceable>
files already exist.</para>
+ </listitem>
+ <listitem>
+
+ <indexterm>
+ <primary>commands</primary>
+ <secondary>aklog</secondary>
+ </indexterm>
+ <indexterm>
+ <primary>aklog command</primary>
+ </indexterm>
+
+ <para>If you are working with an existing cell which uses
+ <emphasis role="bold">kaserver</emphasis> for authentication,
+ please recall the note in
+ <link linkend="KAS003">Using this Appendix</link> detailing the
+ substitution of <emphasis role="bold">kinit</emphasis> and
+ <emphasis role="bold">aklog</emphasis> with
+ <emphasis role="bold">klog</emphasis>.</para>
+
<para>As a basic test of correct AFS functioning, issue the
<emphasis role="bold">kinit</emphasis> and
<emphasis role="bold">aklog</emphasis> commands to authenticate
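Review bot: the new kaserver paragraph says "please recall the note in Using this Appendix", but this text sits in the main chapter, not in the appendix, so "this Appendix" is a dangling reference for the reader; say "the kaserver appendix" and confirm `linkend="KAS003"` is the id of that section. The indexterm for `aklog` that replaces the removed `klog` entries is consistent with the kinit/aklog flow used in the rest of this change.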
role="bold">system:administrators</emphasis> group. It is a default entry that AFS places on every new volume's root
directory.</para>
+ <para>The top-level AFS directory, typically /afs, is a special case:
+ when the client is configured to run in dynroot mode (e.g.
+ <emphasis role="bold">afsd -dynroot</emphasis>, attempts to set
+ the ACL on this directory will return <emphasis role="bold">
+ Connection timed out</emphasis>. This is because the dynamically-
+ generated root directory is not a part of the global AFS space,
+ and cannot have an access control list set on it.</para>
+
<programlisting>
# <emphasis role="bold">/usr/afs/bin/fs setacl /afs system:anyuser rl</emphasis>
</programlisting>
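Review bot: the new dynroot paragraph has an unclosed parenthesis: "(e.g. <emphasis role="bold">afsd -dynroot</emphasis>, attempts to set" never closes the "(", and the error text is marked up as `<emphasis role="bold">` followed by a line break and indentation before "Connection timed out", which puts whitespace inside the bold run; put the message on one line. "dynamically-" / "generated" is also hyphenated across a source line break. The explanation itself is right and worth keeping: with `-dynroot` the `fs setacl /afs system:anyuser rl` example immediately below cannot succeed, so the text should say which directory the reader should run setacl on in that mode instead of leaving them with a failing command.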
addition to this enables DNS lookups for any cells that are not found in
the client's CellServDB file. Both of these options are added to the AFS
initialisation script, or options file, as detailed in
- <link linked="HDRWQ70">Configuring the Cache Manager</link>.
+ <link linkend="HDRWQ70">Configuring the Cache Manager</link>.</para>
</sect2>
<sect2>
- <title>Adding foreign cells to a conventional root volume</root>
+ <title>Adding foreign cells to a conventional root volume</title>
<para>In this section you create a mount point in your AFS filespace for the <emphasis role="bold">root.cell</emphasis> volume
of each foreign cell that you want to enable your users to access. For users working on a client machine to access the cell,
# <emphasis role="bold">ls /afs/</emphasis><replaceable>foreign_cell</replaceable>
</programlisting></para>
</listitem>
-
- <!-- XXX - Add stuff about registering your cell with
- grand.central.org, and about configuring your DNS -->
<listitem>
<para>If you wish to participate in the global AFS namespace, and only
intend running one database server, please
register your cell with grand.central.org at this time.
To do so, email the <emphasis role="bold">CellServDB</emphasis> fragment
- describing your cell to <!-- XXX - where does this get sent -->. If you intend
- on deploying multiple database servers, please wait until you have installed
- all of them before registering your cell.</para>
+ describing your cell, together with a contact name and email address
+ for any queries, to cellservdb@grand.central.org. If you intend
+ on deploying multiple database servers, please wait until you have
+ installed all of them before registering your cell.</para>
</listitem>
<listitem>
<para>If you wish to allow your cell to be located through DNS lookups,
at this time you should also add the necessary configuration to your
- DNS. <!-- XXX - detail what this is -->
+ DNS.</para>
+
+ <para>AFS database servers may be located by creating AFSDB records
+ in the DNS for the domain name corresponding to the name of your cell.
+ It's outside the scope of this guide to give an indepth description of
+ managing, or configuring, your site's DNS. You should consult the
+ documentation for your DNS server for further details on AFSDB
+ records.</para>
</listitem>
</orderedlist></para>
+ </sect2>
+ </sect1>
+
+ <sect1 id="HDRWQ93">
+ <title>Improving Cell Security</title>
<indexterm>
<primary>cell</primary>
<secondary>controlling access by root superuser</secondary>
</indexterm>
- </sect1>
-
- <sect1 id="HDRWQ93">
- <title>Improving Cell Security</title>
<para>This section discusses ways to improve the security of AFS data
in your cell. Also see the chapter in the <emphasis>OpenAFS
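Review bot: the new AFSDB paragraph should carry a trust caveat: AFSDB records, and the `-afsdb` client option referenced earlier in this chapter, let a client learn a cell's database servers from an unauthenticated DNS answer, so a site relying on them should consider DNSSEC or keep its own cells pinned in CellServDB; one sentence to that effect would fit after "You should consult the documentation for your DNS server". Smaller points: "indepth" should be "in-depth", and "If you intend on deploying" should be "intend to deploy". Moving `</sect2></sect1>` up so that `<sect1 id="HDRWQ93">` opens before the "controlling access by root superuser" index entry is correct, since that indexterm previously sat in the tail of the foreign-cells section rather than in the section it indexes.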
<para>Following are suggestions for managing AFS administrative privilege: <itemizedlist>
<listitem>
- <para>Create an administrative account for each administrator named something like
- <replaceable>username</replaceable><emphasis role="bold">.admin</emphasis>. Administrators authenticate under these
- identities only when performing administrative tasks, and destroy the administrative tokens immediately after finishing
- the task (either by issuing the <emphasis role="bold">unlog</emphasis> command, or the <emphasis
- role="bold">aklog</emphasis> command to adopt their regular identity).</para>
+ <para>Create an administrative account for each administrator named
+ something like
+ <replaceable>username</replaceable><emphasis role="bold">.admin</emphasis>.
+ Administrators authenticate under these identities only when
+ performing administrative tasks, and destroy the administrative
+ tokens immediately after finishing the task (either by issuing the
+ <emphasis role="bold">unlog</emphasis> command, or the
+ <emphasis role="bold">kinit</emphasis> and
+ <emphasis role="bold">aklog</emphasis> commands to adopt their
+ regular identity).</para>
</listitem>
<listitem>
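Review bot: the reflow correctly adds `kinit` alongside `aklog` for re-adopting the regular identity, but "destroy the administrative tokens immediately ... by issuing the unlog command" is now incomplete for a Kerberos v5 cell: `unlog` discards only the AFS token, while the Kerberos credentials obtained with `kinit` for the username.admin principal stay in the credential cache; the advice should also mention `kdestroy` (or re-running `kinit` as the regular principal, which the new text already covers) so the administrative Kerberos credentials are not left behind.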