cache, but you may want to tune it further. There are also other
options configured in that file you may want to consider.
- The AFS client cache must be on an ext2 or ext3 partition. Other file
- systems often do not support the semantics required by the AFS kernel
- module and will cause afsd to abort (to avoid kernel panics). In
- particular, XFS, ReiserFS, and tmpfs will NOT work. If you are using
- one of those file systems and don't have a spare partition for a
- separate file system for the cache, you need to use the -memcache option
- to afsd (although this is not always stable) or create a large file with
- dd, create an ext2 file system in it with mkfs, and then mount it with
- mount -o loop for use as a cache partition.
-
FAM does not work correctly with AFS except for directories that are
world-readable since it does not run in the user's security context and
therefore doesn't have the user's AFS tokens. If you are using FAM,
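Review bot: The removed paragraph that begins "The AFS client cache must be on an ext2 or ext3 partition" is dropped with nothing in its place, so the README no longer tells an administrator which file systems are safe for the cache or that afsd aborts on an unsupported one. If the restriction has been lifted, say so in one sentence here. If it has only been relaxed, keep the list of file systems that still fail, along with the -memcache and loopback-file workarounds.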
Build Options
+ The OpenAFS file server has been built with --enable-demand-attach-fs,
+ which enables a new method of handling volume attachment. Volumes will
+ be attached only when needed, and the file server will persist state to
+ disk when shutting down for faster restarts. This file server mode is
+ experimental and should not yet be used for production data. Please
+ report any bugs you encounter.
+
The OpenAFS servers have been built with --enable-supergroups, which
permits nesting of PTS groups. Be aware that the PT database created by
these packages is not compatible with servers not built with
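Review bot: The added --enable-demand-attach-fs paragraph says the mode "should not yet be used for production data" but does not say whether the packaged file server runs in this mode by default or how to run the traditional one instead. Because the new mode persists state to disk at shutdown, add a sentence telling administrators what selects each mode, so that a production cell does not end up on the experimental path just by upgrading the package.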
you need the openafs-dbserver package to interoperate with ptservers
that aren't built with this option, don't use this capability.
- bosserver is built with --enable-bos-new-config. If
- /etc/openafs/BosConfig.new exists when bosserver starts, it will be
- renamed to /etc/openafs/BosConfig before the configuration file is
- read. This allows queuing of changes to the configuration that will
- take effect at the next restart.
+ The OpenAFS client and kernel module have been built with
+ --enable-disconnected, which enables experimental support for
+ disconnected operations. This support is still experimental and known
+ to have problems, but should not interfere with normal use of AFS. If
+ you want to experiment with it, see fs help discon.
Changes Relative to Stock OpenAFS
To distinguish between an SMP and a non-SMP kernel module package, use
--append_to_version; see README.modules for more information.
- The OpenAFS servers have been patched to support listing up to four
- realms in /etc/openafs/server/krb.conf. Any realms listed in that file
- (all on one line, space-separated) will be treated as local for
- authorization decisions (in other words, the relam will be stripped off
- and the unqualified principal name checked against AFS ACLs, UserList,
- PTS groups, and so forth). The default OpenAFS server only supports
- listing one realm in this file.
-
The AFS up utility is installed as afs-up, since the standard name is
rather generic.
kaserver is not included. New AFS cells should use Kerberos v5 rather
than the old K4-based kaserver KDC.
- The OpenAFS PAM modules have been built with pthreads rather than the
- standard LWP AFS libraries for compatibility with a threaded sshd.
-
Debugging and Bug Reporting
The current OpenAFS installation process installs fileserver and
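Review bot: The removal of the krb.conf paragraph (up to four realms in /etc/openafs/server/krb.conf treated as local) changes authorization behaviour without any replacement text. A site that lists several realms there cannot tell from the README whether the extra realms are still honoured, and the removed text itself says the default OpenAFS server supports only one. State what now happens to a multi-realm krb.conf, since principals from a realm that stops being local would no longer match AFS ACLs, UserList or PTS groups under their unqualified names. The same applies to the removed bos-new-config paragraph: say whether a queued /etc/openafs/BosConfig.new is still picked up at the next restart. In the added --enable-disconnected text, "experimental" appears in two consecutive sentences; one is enough.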
information automatically.
Eventually the openafs-dbg package will contain debugging information
- for all OpenAFS binaries. This is pending upstream changes to the stock
- OpenAFS installation rules.
+ for all OpenAFS binaries.
When reporting a bug in the OpenAFS client, please include your exact
kernel version and architecture (reportbug will do this for you). Also,
Any new OpenAFS cell is strongly encouraged to use Kerberos v5 for
authentication. If you want PAM to automatically obtain AFS credentials
and you are using Kerberos v5, you will want to install the libpam-krb5
- and libpam-openafs-session packages and then put something like the
+ and libpam-afs-session packages and then put something like the
following in /etc/pam.d/common-auth:
auth [success=ok default=1] pam_krb5.so ignore_root
- auth [default=done] pam_openafs_session.so
+ auth [default=done] pam_afs_session.so
auth required pam_unix.so nullok_secure try_first_pass
and something like the following in /etc/pam.d/common-session:
session optional pam_krb5.so ignore_root
- session optional pam_openafs_session.so
+ session optional pam_afs_session.so
session required pam_unix.so
You'll probably also want the following in /etc/pam.d/common-account:
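Review bot: The rename from pam_openafs_session.so to pam_afs_session.so in the common-auth and common-session examples is not called out for sites that followed the old text. Add a sentence saying that existing files under /etc/pam.d that name pam_openafs_session.so must be edited to the new module name when moving to libpam-afs-session. The session line is marked "optional", so a stale module name there can go unnoticed while users log in without AFS credentials.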
the openafs-kpasswd package to get the administrative utilities for
managing those Kerberos accounts.
- -- Russ Allbery <rra@debian.org>, Mon, 17 Dec 2007 18:29:42 -0800
+ -- Russ Allbery <rra@debian.org>, Tue, 6 Apr 2010 15:04:42 -0700