"Ketika Allah memberimu, Dia mmperlihatkan kepadamu belas kasih-Nya. Ketika Dia menolak memberimu, maka Dia memperlihatkan kepadamu kekuasaan-Nya. Dan dalam semua itu, Dia memperkenalkan diri kepadamu dan menghadapmu dengan kelembutan-Nya."

Implementing AFS

by danang.wijanarko@gmail.com

 

I'm using Kerberos integration, so you had better read about Kerberos too. Here are my links: Kerberos and Central auth

→ What to know first

Filespace

It is the gateway to AFS. By convention it is named /afs, and it functions as the root of the AFS filespace.

Cell and Site

A cell is a single administrative domain of multiple AFS servers (which we are going to build). A site is a grouping of one or more related cells.

By convention the cell's filespace is named like this:

/afs/its.ac.id		: its.ac.id is the cell

Volumes and Mount Point

AFS divides a partition into volumes; each volume houses a subtree of related files and directories. A volume can be moved from one file server to another transparently to users. The volume is actually what an AFS file server shares.

Accessing AFS is simply done by accessing the mount point. For example, the user volume of dd in cell its.ac.id would be named user.dd and mounted at a directory like this:

/afs/its.ac.id/usr/dd

This volume is stored on a different machine, so when that machine is down only this volume becomes inaccessible.

Note.

However, if a volume's mount point resides in a volume on an inaccessible machine, the former volume is also inaccessible.

AFS uses partitions that house AFS volumes on a file server machine, and each must be mounted at a directory of this form:

/vicepindex

Where index is one or two lowercase letters. By convention, the first AFS partition created is mounted at /vicepa, the second at /vicepb and so on through /vicepz, continuing with /vicepaa through /vicepzz.

Each /vicep* directory must be an entire partition or logical volume, and must be a subdirectory of the root directory ( / ). Also, do not store non-AFS files on AFS server partitions. The File Server and Volume Server expect to have available all of the space on the partition. Sharing space also creates competition between AFS and the local UNIX file system for access to the partition, particularly if the UNIX files are frequently used.
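As an added example (not from the original page or the OpenAFS project), here is a small POSIX sh script that encodes the /vicep naming convention described above and checks that each /vicep directory on the host is a dedicated mount point directly under /. The function names are my own; the mount test relies on the POSIX output of df -P.

```shell
#!/bin/sh
# Added example, not part of the original page: helpers for the /vicep<index>
# convention and a check that a /vicep directory really is its own mount point.

LETTERS=abcdefghijklmnopqrstuvwxyz

# vicep_name N: print the conventional mount point for the N-th AFS partition
# (1 -> /vicepa ... 26 -> /vicepz, 27 -> /vicepaa ... 702 -> /vicepzz).
vicep_name() {
    n=$1
    if [ "$n" -lt 1 ] || [ "$n" -gt 702 ]; then
        echo "vicep_name: index $n out of range 1..702" >&2
        return 1
    fi
    if [ "$n" -le 26 ]; then
        printf '/vicep%s\n' "$(printf '%s' "$LETTERS" | cut -c "$n")"
    else
        m=$((n - 27))                       # 0-based position within aa..zz
        first=$((m / 26 + 1))
        second=$((m % 26 + 1))
        printf '/vicep%s%s\n' \
            "$(printf '%s' "$LETTERS" | cut -c "$first")" \
            "$(printf '%s' "$LETTERS" | cut -c "$second")"
    fi
}

# is_valid_vicep PATH: 0 if PATH is /vicep followed by one or two lowercase
# letters and sits directly under the root directory, else 1.
is_valid_vicep() {
    case $1 in
        /vicep[a-z]|/vicep[a-z][a-z]) return 0 ;;
        *) return 1 ;;
    esac
}

# is_mountpoint DIR: 0 if DIR is the mount point of its own file system.
# With df -P the last column of the second output line is the mount point.
is_mountpoint() {
    [ -d "$1" ] || return 1
    mp=$(df -P "$1" | awk 'NR == 2 { print $NF }')
    [ "$mp" = "$1" ]
}

# check_vicep DIR: combine both checks; prints a verdict and returns 0/1.
check_vicep() {
    if ! is_valid_vicep "$1"; then
        echo "$1: not a valid name (must be /vicep[a-z] or /vicep[a-z][a-z] under /)"
        return 1
    fi
    if ! is_mountpoint "$1"; then
        echo "$1: exists but is not a dedicated partition or logical volume"
        return 1
    fi
    echo "$1: ok"
}

# Example run: report on every /vicep* directory present on this host.
for d in /vicep*; do
    [ -d "$d" ] && check_vicep "$d"
done
```

Running it on a file server before starting the fs instance catches the two mistakes the text warns about: a /vicep directory that is just a directory on the root file system, and a name outside the a..zz range.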

Volume's Quota

A volume has a quota, that is, a maximum number of bytes that it may consume on disk.

AFS server processes

The File Server (/usr/lib/openafs/fileserver)

The most fundamental of the servers, delivers data files from the file server machine to local workstations as requested, and stores the files again when the user saves any changes to the files.

The Basic OverSeer Server (BOS Server) (/usr/sbin/bosserver)

Ensures that the other AFS server processes on this server machine are running correctly as much of the time as possible, since a server is useful only if it is available. The BOS Server relieves system administrators of much of the responsibility for overseeing system operations.

The Authentication Server

Helps ensure that communications on the network are secure. It verifies user identities at login and provides the facilities through which participants in transactions prove their identities to one another (mutually authenticate). It maintains the Authentication Database.

The Protection Server (/usr/lib/openafs/ptserver)

Helps users control who has access to their files and directories. Users can grant access to several other users at once by putting them all in a group entry in the Protection Database maintained by the Protection Server.

The Volume Server (/usr/lib/openafs/volserver)

Performs all types of volume manipulation. It helps the administrator move volumes from one server machine to another to balance the workload among the various machines.

The Volume Location Server (VL Server) (/usr/lib/openafs/vlserver)

Maintains the Volume Location Database (VLDB), in which it records the location of volumes as they move from file server machine to file server machine. This service is the key to transparent file access for users.

The Update Server

Distributes new versions of AFS server process software and configuration information to all file server machines. It is crucial to stable system performance that all server machines run the same software.

The Backup Server (/usr/lib/openafs/buserver)

Maintains the Backup Database, in which it stores information related to the Backup System. It enables the administrator to back up data from volumes to tape. The data can then be restored from tape in the event that it is lost from the file system.

The Salvager (/usr/lib/openafs/salvager)

Is not a server in the sense that others are. It runs only after the File Server or Volume Server fails; it repairs any inconsistencies caused by the failure. The system administrator can invoke it directly if necessary.

Cache Manager

It resides on the client machine. When we need to access a file in the AFS filespace, it copies the file into the local cache for fast access. Synchronizing changes back to the file server is done by AFS.

AFS server machine

In cells that have more than one server machine, not all server machines have to perform exactly the same functions. There are several possible roles a machine can assume, determined by which server processes it is running. A machine can assume more than one role by running all of the relevant processes.

1. Database server machine
   Runs the specific processes that maintain the AFS replicated administrative databases:
   - ptserver (mandatory) : maintains the Protection Database
   - vlserver (mandatory) : maintains the Volume Location Database
   - buserver : maintains the Backup Database
2. Simple file server machine
   Runs only the fs server processes that store and deliver AFS files to client machines, monitor process status, and pick up configuration files from the cell's system control machine:
   - fs instance
   - upclient process
3. Single system control machine
   Stores and distributes the system configuration files shared by all of the server machines in the cell:
   - upserver process
   The files distributed are /etc/openafs/server/*

We also need to know these instance names.

buserver : The Backup Server process

fs : The process that combines the File Server, Volume Server, and Salvager processes (fileserver, volserver, and salvager)

kaserver : The Authentication Server process

ptserver : The Protection Server process

runntp : The controller process for the Network Time Protocol Daemon

upclientbin : The client portion of the Update Server process that retrieves binary files from the /usr/lib/openafs directory of the binary distribution machine for this machine's CPU/operating system type. (The name of the binary is upclient, but the bin suffix distinguishes this process from upclientetc.)

upclientetc : The client portion of the Update Server process that retrieves configuration files from the /etc/openafs/server directory of the system control machine. Do not run this process in cells that use the international edition of AFS. (The name of the binary is upclient, but the etc suffix distinguishes this process from upclientbin.)

upserver : The server portion of the Update Server process

vlserver : The Volume Location (VL) Server process

Changes by multiple users

As in a conventional UNIX file system, the last change saved is the current version of the file. Beyond that, AFS has these additional plus points:

1. Password and mutual authentication.
   Ensures that only authenticated users access the AFS filespace.
2. Access control lists (ACLs).
   Enable users to restrict or permit access to their own directories.

Differences between AFS and UNIX

File sharing

It is clear that:

- UNIX : Reaching a remote file system is done by logging in to the remote machine first, or by creating a local mount point where the remote file system is mounted
- AFS : Simply by accessing the AFS filespace

Login and Authentication

A user needs to give a password first to become an authenticated AFS user. There are two ways this can look:

1. Using an AFS-modified login utility, logging in is a one-step process:
   the initial login to the local machine automatically authenticates you to AFS.
2. Using a non-AFS-modified login utility, logging in is a two-step process:
   - log in to the local machine
   - use the klog command with -setpag to authenticate with AFS and get a token

File protection

AFS does not rely on the conventional UNIX mode-bit protection; instead it uses ACLs.

1. UNIX has r, w, and x protection.
   AFS has r(ead), l(ookup), i(nsert), d(elete), w(rite), (loc)k, and a(dminister).
2. UNIX uses a three-party model: USER, GROUP, and OTHER.
   AFS allows up to 20 entries per ACL, and it is up to you which users and groups they name.
3. UNIX mode bits apply to an individual file or directory.
   AFS ACL protection is set on a directory and applies to all of the files in it.
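As an added example that is not part of the original page, the following POSIX sh script parses the output of fs listacl (the layout OpenAFS prints; the sample listing below is constructed) and flags any system:anyuser or system:authuser entry carrying rights beyond r and l, which is the only pattern this page later uses when it opens /afs to everyone. Function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an `fs listacl` listing
# for over-broad rights granted to system:anyuser / system:authuser.

# Constructed sample in the layout `fs listacl <dir>` prints (OpenAFS format);
# the system:anyuser entry is deliberately too generous.
SAMPLE_ACL='Access list for /afs/its.ac.id/home/b/bejo is
Normal rights:
  system:administrators rlidwka
  bejo.user rlidwka
  system:anyuser rlidwk
  system:backup rl
Negative rights:
  system:anyuser w'

# parse_acl: stdin = listacl text; stdout = "<normal|negative> <name> <rights>"
parse_acl() {
    awk '
        /^Access list for/  { next }
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        NF == 2             { print section, $1, $2 }
    '
}

# audit_acl: stdin = listacl text.  Prints each positive entry for
# system:anyuser or system:authuser whose rights go beyond r and l
# (i, d, w, k or a).  Returns 0 when clean, 1 when something was flagged.
audit_acl() {
    parse_acl | awk '
        $1 == "normal" && ($2 == "system:anyuser" || $2 == "system:authuser") {
            extra = $3
            gsub(/[rl]/, "", extra)          # r and l are the expected bits
            if (extra != "") { print $2 " has extra rights: " extra; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Demo on the constructed sample.
if printf '%s\n' "$SAMPLE_ACL" | audit_acl; then
    echo "ACL check passed"
else
    echo "ACL check FAILED; tighten with: fs setacl -dir <dir> -acl system:anyuser rl"
fi
```

To audit a live tree, pipe `fs listacl /afs/its.ac.id/some/dir` into audit_acl; because an AFS ACL covers every file in the directory, one over-broad entry exposes the whole directory, not a single file.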

AFS System Group In ptserver

Maybe we have a little confusion about users. They are in the ptserver database, and some of them are also in /etc/openafs/server/UserList; what does that mean? The ptserver deals only with its specific service function (protection). /etc/openafs/server/UserList, on the other hand, lists the users who are GRANTED TO ADMINISTER ALL SERVERS.

In addition to the groups that users and administrators can create, AFS defines the following three system groups. The Protection Server creates them automatically when it builds the first version of a cell's Protection Database, and always assigns them the same AFS GIDs.

1. system:anyuser
   Represents all users able to access the cell's filespace from the local and foreign cells, authenticated or not. Its AFS GID is -101. The group has no stable membership listed in the Protection Database. Accordingly, the pts examine command displays 0 in its membership field, and the pts membership command does not list any members for it.

   Placing this group on an ACL is a convenient way to extend access to all users. The File Server automatically places this group on the CPS of any user who requests access to data stored on a file server machine. (Every unauthenticated user is assigned the identity anonymous, and this group is the only entry on the CPS for anonymous.)
2. system:authuser
   Represents all users who are able to access the cell's filespace from the local and foreign cells and who have successfully obtained an AFS token in the local cell (are authenticated). Its AFS GID is -102. Like the system:anyuser group, it has no stable membership listed in the Protection Database. Accordingly, the pts examine command displays 0 in its membership field, and the pts membership command does not list any members for it.

   Placing this group on an ACL is therefore a convenient way to extend access to all authenticated users. The File Server automatically places this group on the CPS of any authenticated user who requests access to data stored on a file server machine.
3. system:administrators
   Represents the small number of cell administrators authorized to issue privileged pts commands and the fs commands that set quota. The ACL on the root directory of every newly created volume grants all permissions to the group. Even if you remove that entry, the group implicitly retains the a (administer), and by default also the l (lookup), permission on every ACL. Its AFS GID is -204.

Assigning Volume Names

You can name your volumes anything you choose, subject to a few restrictions.

* Read/write volume names can be up to 22 characters in length. The maximum length for volume names is 31 characters, and there must be room to add the .readonly extension on read-only volumes.

* Do not add the .readonly and .backup extensions to volume names yourself, even if they are appropriate. The Volume Server adds them automatically as it creates a read-only or backup version of a volume.

* There must be volumes named root.afs and root.cell, mounted respectively at the top (/afs) level in the filespace and just below that level, at the cell's name (for example, at /afs/abc.com in the ABC Corporation cell).

Deviating from these names only creates confusion and extra work. Changing the name of the root.afs volume, for instance, means that you must use the -rootvol argument to the afsd program on every client machine, to name the alternate volume.

Similarly, changing the root.cell volume name prevents users in foreign cells from accessing your filespace, if the mount point for your cell in their filespace refers to the conventional root.cell name. Of course, this is one way to make your cell invisible to other cells.
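An added example, not from the page or the OpenAFS project: a POSIX sh validator for the naming rules just listed, meant to be run on a name before handing it to vos create. Function names are my own; the 22 and 31 character limits are the ones stated above.

```shell
#!/bin/sh
# Added example (not from the original page): validate AFS volume names
# against the rules above before running `vos create`.

MAX_RW_NAME=22        # longest read-write name that still leaves room for .readonly
MAX_VOLUME_NAME=31    # absolute limit on any volume name (22 + 9 for ".readonly")

# validate_volume_name NAME: print a reason and return 1 if NAME breaks a rule.
validate_volume_name() {
    name=$1
    case $name in
        "")          echo "empty volume name"; return 1 ;;
        *.readonly)  echo "$name: do not add .readonly yourself"; return 1 ;;
        *.backup)    echo "$name: do not add .backup yourself"; return 1 ;;
    esac
    len=${#name}
    if [ "$len" -gt "$MAX_RW_NAME" ]; then
        echo "$name: $len chars, read-write names are limited to $MAX_RW_NAME"
        return 1
    fi
    echo "$name: ok"
}

# derived_names NAME: print the names the Volume Server will create for the
# read-only and backup versions, each checked against the 31-character limit.
derived_names() {
    for suffix in .readonly .backup; do
        full="$1$suffix"
        if [ "${#full}" -gt "$MAX_VOLUME_NAME" ]; then
            echo "$full: exceeds $MAX_VOLUME_NAME chars" >&2
            return 1
        fi
        echo "$full"
    done
}

# Demo on the names this page uses.
for v in root.afs root.cell home H.bejo; do
    validate_volume_name "$v" && derived_names "$v"
done
```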

→ Doing installation

First, I assume you've set up your Kerberos server properly. :=)

AFS is a client/server system; its kernel modules must be built first.

Modules  : openafs-modules-source
Server   : openafs-dbserver, openafs-fileserver
Client   : openafs-client
Optional : openafs-krb5

Common to client and server

Get your feet wet with the modules.

# apt-get install openafs-modules-source module-assistant
# module-assistant prepare openafs-modules
apt-get install kernel-headers-2.6.8-2-686-smp

Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
kernel-headers-2.6.8-2 kernel-kbuild-2.6-3
The following NEW packages will be installed:
kernel-headers-2.6.8-2 kernel-headers-2.6.8-2-686-smp kernel-kbuild-2.6-3
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 3392kB of archives.
After unpacking 42.3MB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://debian.its.ac.id sarge/main kernel-kbuild-2.6-3 2.6.8-2 [363kB]
Get:2 http://debian.its.ac.id sarge/main kernel-headers-2.6.8-2 2.6.8-16 [2777kB]
Get:3 http://debian.its.ac.id sarge/main kernel-headers-2.6.8-2-686-smp 2.6.8-16 [252kB]
Fetched 3392kB in 3s (1076kB/s)
Selecting previously deselected package kernel-kbuild-2.6-3.
(Reading database ... 24962 files and directories currently installed.)
Unpacking kernel-kbuild-2.6-3 (from .../kernel-kbuild-2.6-3_2.6.8-2_i386.deb) ...
Selecting previously deselected package kernel-headers-2.6.8-2.
Unpacking kernel-headers-2.6.8-2 (from .../kernel-headers-2.6.8-2_2.6.8-16_i386.deb) ...
Selecting previously deselected package kernel-headers-2.6.8-2-686-smp.
Unpacking kernel-headers-2.6.8-2-686-smp (from .../kernel-headers-2.6.8-2-686-smp_2.6.8-16_i386.deb) ...
Setting up kernel-kbuild-2.6-3 (2.6.8-2) ...
Setting up kernel-headers-2.6.8-2 (2.6.8-16) ...

Setting up kernel-headers-2.6.8-2-686-smp (2.6.8-16) ...
apt-get install build-essential
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
build-essential
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/6520B of archives.
After unpacking 49.2kB of additional disk space will be used.
Selecting previously deselected package build-essential.
(Reading database ... 33833 files and directories currently installed.)
Unpacking build-essential (from .../build-essential_10.1_i386.deb) ...
Setting up build-essential (10.1) ...

Done!

# module-assistant auto-build openafs-modules
Reading Package Lists... Done
Building Dependency Tree... Done
openafs-modules-source is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Updated infos about 1 packages
Extracting the package tarball, /usr/src/openafs.tar.gz
Done with /usr/src/openafs-modules-2.6.8-2-686-smp_1.3.81-3sarge1+2.6.8-16_i386.deb .

# cd /usr/src; dpkg -i openafs-modules-2.6.8-2-686-smp_1.3.81-3sarge1+2.6.8-16_i386.deb
Selecting previously deselected package openafs-modules-2.6.8-2-686-smp.
(Reading database ... 33842 files and directories currently installed.)
Unpacking openafs-modules-2.6.8-2-686-smp (from openafs-modules-2.6.8-2-686-smp_1.3.81-3sarge1+2.6.8-16_i386.deb) ...
Setting up openafs-modules-2.6.8-2-686-smp (1.3.81-3sarge1+2.6.8-16) ...

After this you will have /lib/modules/2.6.8-2-686-smp/fs/openafs.ko. Then load that module:

# modprobe openafs

Add the module at /etc/modules.

...
openafs
...

Set up the server:

# apt-get install openafs-dbserver openafs-fileserver openafs-client openafs-krb5

AFS cell : its.ac.id
AFS cache(kb) : 50000
Dynamically generate the contents of /afs : No
What hosts are DB servers for your home cell? : noir.its.ac.id
Run Openafs client now and at boot? : No

Next prepare the volumes. I have partitioned my disk with 2 additional partitions, /dev/sdb1 and /dev/sdb2 (these are the partitions that I'm going to use for my volumes). Remember that /vicepa and /vicepb are the mount points of whole partitions dedicated solely to AFS.

# mount /dev/sdb1 /vicepa
# mount /dev/sdb2 /vicepb

AFS uses a area of the disk to cache remote files for faster access. This cache will be mounted on /var/cache/openafs. It is important that the cache not overfill the partition it is located on. Often, people find it useful to dedicate a partition to their AFS cache.

The AFS client cache must be on an ext2 or ext3 partition. Other file systems often do not support the semantics required by the AFS kernel module and will cause kernel faults. In particular, XFS and ReiserFS will NOT work.

# dd if=/dev/zero of=/var/cache/afs_cache_block_virt bs=1024k count=100
# mkfs.ext3 /var/cache/afs_cache_block_virt
mke2fs 1.37 (21-Mar-2005)
afs_cache_block_virt is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
25688 inodes, 102400 blocks
5120 blocks (5.00%) reserved for the super user
First data block=1
13 block groups
8192 blocks per group, 8192 fragments per group
1976 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729

Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 28 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

Then edit /etc/fstab and add this:

...
/var/cache/afs_cache_block_virt /var/cache/openafs ext3 rw,loop=/dev/loop0 0 2
...

Then set up the initial database server for the AFS cell. And UHH!!! Debian has some errors in the script there; according to what I've found via Google, they are still doing some fixing on this script. I just did a little hack there, customising things to match the environment.

# apt-get install afs-hack

Make sure /etc/openafs/CellServDB contains the cell and the server that we are now setting up:

>its.ac.id
202.154.63.27 # noir.its.ac.id

Then let's start (remember I don't explain Kerberos here; you have to read about it as I said previously). Now we need to create some principals:

# kadmin -p krb5-admin/admin
Authenticating as principal krb5-admin/admin with password.
Password for krb5-admin/admin@ITS.AC.ID:
kadmin: addprinc -randkey afs/its.ac.id
WARNING: no policy specified for afs/its.ac.id@ITS.AC.ID; defaulting to no policy
Principal "afs/its.ac.id@ITS.AC.ID" created.
kadmin: addprinc afs-admin/admin
WARNING: no policy specified for afs-admin/admin@ITS.AC.ID; defaulting to no policy
Enter password for principal "afs-admin/admin@ITS.AC.ID":
Re-enter password for principal "afs-admin/admin@ITS.AC.ID":
Principal "afs-admin/admin@ITS.AC.ID" created.
kadmin: quit

Now extract the keytab to be used by asetkey. BIG FAT NOTE: USE kadmin.local!!! because we want the -e des-cbc-crc:v4 option of kadmin.local to force the AFS key to be DES.

# ssh nermus.its.ac.id
Password:

nermus.its.ac.id:~# kadmin.local -e des-cbc-crc:v4
Authenticating as principal root/admin@ITS.AC.ID with password.
kadmin.local: ktadd -k ./KeyFile afs/its.ac.id
Entry for principal afs/its.ac.id with kvno 9, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:./KeyFile.
kadmin.local: quit

nermus.its.ac.id:~# scp ./KeyFile root@noir.its.ac.id:
Password:
KeyFile 100% 56 0.1KB/s 00:00

nermus.its.ac.id:~# rm KeyFile
nermus.its.ac.id:~# logout
Connection to nermus.its.ac.id closed.

So we have created the afs/its.ac.id@ITS.AC.ID service principal and the afs-admin/admin@ITS.AC.ID AFS administrator principal needed by the afs-newcell script in the Kerberos database, and also generated the keytab ./KeyFile from the afs/its.ac.id@ITS.AC.ID principal.

Next, convert the Kerberos keytab ./KeyFile to /etc/openafs/server/KeyFile so that AFS can use it.

# klist -k ./KeyFile		← to find the kvno; here we see that afs/its.ac.id@ITS.AC.ID's kvno in keytab ./KeyFile is 9
Keytab name: FILE:KeyFile
KVNO Principal
---- --------------------------------------------------------------------------
9 afs/its.ac.id@ITS.AC.ID

# asetkey add 9 ./KeyFile afs/its.ac.id ← this will produce /etc/openafs/server/KeyFile

# afs-newcell
...
---snip---
Do you meet these requirements? [y/n] y
What administrative principal should be used? afs-admin/admin
Trying to stop and start to produce clean slate, if the fileserver is not running, this may hang for 30 seconds.
/etc/init.d/openafs-fileserver stop
Stopping AFS Server: bosserver.
/etc/init.d/openafs-fileserver start
Starting AFS Server: bosserver.
bos addhost noir.its.ac.id noir.its.ac.id -localauth
bos adduser noir.its.ac.id afs-admin.admin -localauth
pt_util: /var/lib/openafs/db/prdb.DB0: Bad UBIK_MAGIC. Is 0 should be 354545
Ubik Version is: 2.0
Error while creating system:administrators: Entry for id already exists
pt_util: Ubik Version number changed during execution.
Old Version = 2.0, new version = 33554432.0
bos create noir.its.ac.id ptserver simple /usr/lib/openafs/ptserver -localauth
bos create noir.its.ac.id vlserver simple /usr/lib/openafs/vlserver -localauth
bos create noir.its.ac.id fs fs -cmd /usr/lib/openafs/fileserver -cmd /usr/lib/openafs/volserver -cmd /usr/lib/openafs/salvager -localauth
Waiting for database elections: done.
vos create noir.its.ac.id a root.afs -localauth
Volume 536870912 created on partition /vicepa of noir.its.ac.id
/etc/init.d/openafs-client force-start
Starting AFS services: afsd: All AFS daemons started.
afsd.
Now, get tokens (using Kerberos kinit) as afs-admin.admin in the this cell.
Then, run
afs-rootvol.

OK, now get a ticket for the AFS admin (principal afs-admin/admin@ITS.AC.ID):

# kinit -p afs-admin/admin
Password for afs-admin/admin@ITS.AC.ID:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: afs-admin/admin@ITS.AC.ID

Valid starting Expires Service principal
10/12/05 01:32:01 10/12/05 11:32:00 krbtgt/ITS.AC.ID@ITS.AC.ID

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Then use the ticket to obtain tokens for authenticating to AFS, using the aklog program. After that, run afs-rootvol.

# aklog its.ac.id -k ITS.AC.ID
# afs-rootvol
---snip---
...(very long, according to /etc/openafs/CellServDB)
---snip---

# ls /afs/
--snip--
...(also depend to /etc/openafs/CellServDB)
--snip--

→ Doing administration

There are many related tools; this is only a brief overview.

Administrative program

pts and pt-util

They are used to manipulate the AFS Protection Database, as the administrative interface to the Protection Server.

pt_util : Utility to load/dump the AFS Protection Database directly (explicitly).
pts : Legacy administrative interface to the Protection Server, which manages the AFS Protection Database implicitly.

bos

The administrative interface to the Basic OverSeer (BOS) Server on currently running machine.

Some common jobs:

- start and stop AFS server processes : bos create, bos restart
- set and verify AFS server process and server machine status : bos setrestart, bos status
- restore file system consistency : bos salvage
- administer server process binary files : bos install, bos uninstall

fs

The main administrative interface to the Cache Manager on an AFS client machine, which is responsible for fetching AFS data from file server machines on behalf of applications running on the client machine.

Some common jobs:

- set and report how the Cache Manager interacts with server machines : fs checkservers, fs getcellstatus, fs getserverprefs, fs listcells, fs newcell, fs setcell
- administer access control lists (ACLs) : fs cleanacl, fs copyacl, fs listacl, and fs setacl
- administer server machines, volumes or partitions that house a given file or directory : fs diskfree, fs examine, fs listquota, fs quota, fs setquota, fs setvol
- administer the local client cache and related information : fs checkvolumes, fs flush, fs flushvolume, fs getcacheparms, fs setcachesize
- administer volume mount points : fs lsmount, fs mkmount, fs rmmount
- control monitoring and tracing : fs debug, fs messages
- administer the Cache Manager's interaction with other file systems : fs exportafs

vos

The administrative interface to the Volume Server and Volume Location (VL) Server. System administrators use vos commands to create, move, delete, replicate, back up and examine volumes, among other operations. The VL Server automatically records in the Volume Location Database (VLDB) changes in volume status and location that result from vos commands.

Some common jobs:

- create, move, and rename volumes : vos create, vos move, and vos rename
- remove VLDB volume records or volumes or both : vos delentry, vos remove, vos zap
- edit or display VLDB server entries : vos changeaddr, vos listaddrs
- create and restore dump files : vos dump, vos restore
- administer replicated volumes : vos addsite, vos release, vos remsite
- display VLDB records, volume headers, or both : vos examine, vos listvldb, vos listvol
- display information about partitions that house volumes : vos listpart, vos partinfo
- restore consistency between the VLDB and volume headers : vos syncserv, vos syncvldb
- lock and unlock VLDB entries : vos lock, vos unlock, vos unlockvldb
- report Volume Server status : vos status

Common manual configuration steps (when not using afs-newcell and afs-rootvol)

Cell and hostname

Edit /etc/openafs/server/CellServDB to include only this (when installing the first AFS server):

>its.ac.id

And also /etc/openafs/server/ThisCell

its.ac.id

BIG FAT NOTE

Directory /etc/openafs/ is intended for the AFS client
Directory /etc/openafs/server/ is intended for AFS server

Then get the keytab of the service principal afs/its.ac.id. See the previous chapter about how to do this using kadmin.local.

After we have the Kerberos service principal afs/its.ac.id (in ./KeytabFile, for example), give it to AFS by invoking this command:

# klist -k ./KeytabFile
Keytab name: FILE:KeyFile
KVNO Principal
---- --------------------------------------------------------------------------
9 afs/its.ac.id@ITS.AC.ID

# asetkey add 9 ./KeyFile afs/its.ac.id ← this will produce /etc/openafs/server/KeyFile
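An added example (mine, not the page's or the OpenAFS project's): the kvno in the keytab must match the kvno the KDC holds for afs/its.ac.id, otherwise file servers cannot decrypt the service tickets clients present. The POSIX sh script below extracts the kvno from klist -k output, compares it with what the MIT kvno utility reports, and builds the asetkey add command shown above. Both sample outputs are constructed copies of this page's transcripts; function names are my own. The check itself is independent of the key type, so it applies equally to the DES KeyFile used on this page.

```shell
#!/bin/sh
# Added example (not from the original page): make sure the kvno we hand to
# asetkey is the one the KDC actually uses for the AFS service principal.

# Constructed copy of the `klist -k ./KeyFile` output shown on this page.
KLIST_K_OUTPUT='Keytab name: FILE:KeyFile
KVNO Principal
---- --------------------------------------------------------------------------
   9 afs/its.ac.id@ITS.AC.ID'

# Constructed line in the shape `kvno afs/its.ac.id` (MIT Kerberos) prints.
KVNO_OUTPUT='afs/its.ac.id@ITS.AC.ID: kvno = 9'

# keytab_kvno PRINCIPAL: stdin = klist -k text; prints the kvno for PRINCIPAL
# (highest one if the keytab holds several entries); returns 1 if absent.
keytab_kvno() {
    awk -v p="$1" '
        $2 == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > best) best = $1 + 0; found = 1 }
        END { if (!found) exit 1; print best }
    '
}

# kdc_kvno: stdin = `kvno` output; prints the number; returns 1 if unparsable.
kdc_kvno() {
    awk -F'kvno = ' 'NF == 2 { print $2 + 0; ok = 1 } END { exit (ok ? 0 : 1) }'
}

# asetkey_cmd KVNO KEYTAB PRINCIPAL: the command that installs the key into
# /etc/openafs/server/KeyFile (realm stripped, as in the transcript above).
asetkey_cmd() {
    printf 'asetkey add %s %s %s\n' "$1" "$2" "${3%%@*}"
}

# check_kvno_match KEYTAB_TEXT KDC_TEXT PRINCIPAL: 0 if both sides agree.
# A mismatch means the KDC issues tickets under a key the file servers lack,
# which shows up as every aklog/token failing after a ktadd.
check_kvno_match() {
    kt=$(printf '%s\n' "$1" | keytab_kvno "$3") || { echo "no entry for $3 in keytab"; return 1; }
    kdc=$(printf '%s\n' "$2" | kdc_kvno) || { echo "could not parse kvno output"; return 1; }
    if [ "$kt" != "$kdc" ]; then
        echo "kvno mismatch: keytab has $kt, KDC has $kdc; re-run ktadd and asetkey"
        return 1
    fi
    echo "kvno $kt matches; next: $(asetkey_cmd "$kt" ./KeyFile "$3")"
}

# Demo on the constructed samples.
check_kvno_match "$KLIST_K_OUTPUT" "$KVNO_OUTPUT" afs/its.ac.id@ITS.AC.ID
```

On a live system, feed it `klist -k ./KeyFile` and `kvno afs/its.ac.id` output instead of the constants; every ktadd bumps the kvno, so the check is worth repeating after each key rollover.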

OK, now stop and start /etc/init.d/openafs-fileserver:

# /etc/init.d/openafs-fileserver stop
Stopping AFS Server: bosserver.

# /etc/init.d/openafs-fileserver start
Starting AFS Server: bosserver.

Now add to /etc/openafs/server/CellServDB the host we intend to use (for this first time we only add one server, don't we?):

# bos addhost -server noir.its.ac.id -host noir.its.ac.id -localauth

This adds noir.its.ac.id's IP address to /etc/openafs/server/CellServDB.

First administrator

Now add an administrator:

# bos adduser -server noir.its.ac.id -user afs-admin.admin

Please note that we wrote "afs-admin.admin" and not "afs-admin/admin", as AFS is still based on Kerberos 4, which used a dot as the instance separator instead of the Kerberos 5 slash. This adds the user to /etc/openafs/server/UserList.

Then directly manipulate the AFS Protection Database to add the user afs-admin/admin:

# pt_util -p /var/lib/openafs/db/prdb.DB0 -w
> afs-admin.admin 128/20 1 -204 -204\n
> system:administrators 130/20 -204 -204 -204\n
> afs-admin.admin 1

The 1 is a user ID, substitute if necessary.

It is supposed to complain about the system:administrators line, it is just there to make the last line work. The last line MUST begin with a space.
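As an added example, not part of the original page: a POSIX sh helper that performs the Kerberos 5 to AFS (Kerberos 4 style) name mapping explained above and emits the three pt_util -w input lines in the layout shown, including the leading space on the last line. Function names are mine; the 128/20, 130/20 and -204 values are the ones from the page (-204 being the GID of system:administrators).

```shell
#!/bin/sh
# Added example (not part of the original page): map Kerberos 5 principals to
# the Kerberos-4-style names AFS uses, and generate the pt_util input for a
# first administrator in the layout shown above.

# k5_to_afs_name PRINCIPAL: strip the realm and turn '/' into '.'
#   afs-admin/admin@ITS.AC.ID -> afs-admin.admin
#   bejo@ITS.AC.ID            -> bejo
k5_to_afs_name() {
    printf '%s\n' "${1%%@*}" | tr '/' '.'
}

# realm_of PRINCIPAL: the part after '@' (empty if none), e.g. for `aklog -k`.
realm_of() {
    case $1 in
        *@*) printf '%s\n' "${1##*@}" ;;
        *)   printf '\n' ;;
    esac
}

# pt_util_admin_input PRINCIPAL AFS_UID: emit the three lines fed to
# `pt_util -p /var/lib/openafs/db/prdb.DB0 -w`.  Field layout as on the page:
# name flags/quota id owner creator; -204 is system:administrators.
# The final membership line must start with a space.
pt_util_admin_input() {
    afsname=$(k5_to_afs_name "$1")
    uid=$2
    printf '%s 128/20 %s -204 -204\n' "$afsname" "$uid"
    printf 'system:administrators 130/20 -204 -204 -204\n'
    printf ' %s %s\n' "$afsname" "$uid"
}

# Demo: what would be piped into pt_util for afs-admin/admin with AFS id 1.
pt_util_admin_input 'afs-admin/admin@ITS.AC.ID' 1
```

Because the same mapping is what bos adduser and pts createuser expect, keeping it in one function avoids the slash/dot mix-ups that otherwise silently create a different AFS identity from the Kerberos one.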

AFS service server instance

Start the AFS server instances:

  • Protection server (ptserver)
      # bos create -server noir.its.ac.id -instance ptserver -type simple -cmd /usr/lib/openafs/ptserver -localauth
  • Volume location server (vlserver)
      # bos create -server noir.its.ac.id -instance vlserver -type simple -cmd /usr/lib/openafs/vlserver -localauth
  • File server (fileserver, volserver, salvager)
      # bos create -server noir.its.ac.id -instance fs -type fs \
      > -cmd /usr/lib/openafs/fileserver \
      > -cmd /usr/lib/openafs/volserver \
      > -cmd /usr/lib/openafs/salvager \
      > -localauth

After this, just wait about 1 minute for the AFS database election to complete.

Checking and troubleshooting

Check time

# bos status -server noir.its.ac.id -localauth -long
Instance ptserver, (type is simple) currently running normally.
Process last started at Wed Oct 12 03:21:21 2005 (1 proc starts)
Command 1 is '/usr/lib/openafs/ptserver'

Instance vlserver, (type is simple) currently running normally.
Process last started at Wed Oct 12 03:21:21 2005 (1 proc starts)
Command 1 is '/usr/lib/openafs/vlserver'

Instance fs, (type is fs) currently running normally.
Auxiliary status is: file server running.
Process last started at Wed Oct 12 03:21:21 2005 (2 proc starts)
Command 1 is '/usr/lib/openafs/fileserver'
Command 2 is '/usr/lib/openafs/volserver'
Command 3 is '/usr/lib/openafs/salvager'

# pt_util -u
Ubik Version is: 33554432.0
afs-admin.admin 128/20 1 -204 -204
anonymous 128/20 32766 -204 -204

# pt_util -m
Ubik Version is: 33554432.0
system:backup 2/0 -205 -204 -204
system:administrators 130/20 -204 -204 -204
afs-admin.admin 1
system:ptsviewers 2/0 -203 -204 -204
system:authuser 2/0 -102 -204 -204
system:anyuser 2/0 -101 -204 -204

There, just be creative as an administrator :-). Check the logs in /var/log/openafs. Make sure there is only one entry per IP in CellServDB.
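An added example (not from the page): two checks an administrator can run after the steps above, written in POSIX sh. The first parses bos status -long (a constructed copy of the listing above) and reports any expected instance that is missing or not "currently running normally"; the second scans a CellServDB (constructed, with a deliberate duplicate) for an IP listed twice within one cell. Function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original page: post-install checks over
# constructed copies of `bos status -long` output and a CellServDB.

# Constructed copy of the healthy listing shown above.
BOS_STATUS=$(cat <<'EOF'
Instance ptserver, (type is simple) currently running normally.
Process last started at Wed Oct 12 03:21:21 2005 (1 proc starts)
Command 1 is '/usr/lib/openafs/ptserver'

Instance vlserver, (type is simple) currently running normally.
Process last started at Wed Oct 12 03:21:21 2005 (1 proc starts)
Command 1 is '/usr/lib/openafs/vlserver'

Instance fs, (type is fs) currently running normally.
Auxiliary status is: file server running.
Process last started at Wed Oct 12 03:21:21 2005 (2 proc starts)
Command 1 is '/usr/lib/openafs/fileserver'
Command 2 is '/usr/lib/openafs/volserver'
Command 3 is '/usr/lib/openafs/salvager'
EOF
)

# Constructed CellServDB with the noir entry accidentally listed twice.
CELLSERVDB=$(cat <<'EOF'
>its.ac.id
202.154.63.27 # noir.its.ac.id
202.154.63.27 # noir.its.ac.id
>example.org          #Example cell (constructed)
10.0.0.1 # db1.example.org
EOF
)

# check_bos_status INSTANCE...: stdin = bos status text.  Prints one verdict
# per expected instance; returns 1 if any is missing or not running normally.
check_bos_status() {
    status=$(cat)
    rc=0
    for inst in "$@"; do
        line=$(printf '%s\n' "$status" | grep "^Instance $inst," || true)
        case $line in
            "")                               echo "$inst: MISSING (no such instance)"; rc=1 ;;
            *"currently running normally."*)  echo "$inst: ok" ;;
            *)                                echo "$inst: PROBLEM: $line"; rc=1 ;;
        esac
    done
    return $rc
}

# cellservdb_duplicate_ips: stdin = CellServDB; prints "<cell> <ip>" for every
# IPv4 address that appears more than once under the same ">cell" header.
cellservdb_duplicate_ips() {
    awk '
        /^>/ { cell = substr($1, 2); next }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            key = cell SUBSEP $1
            if (++seen[key] == 2) print cell, $1
        }'
}

# Demo on the constructed inputs.
printf '%s\n' "$BOS_STATUS" | check_bos_status ptserver vlserver fs
printf '%s\n' "$CELLSERVDB" | cellservdb_duplicate_ips | sed 's/^/duplicate in CellServDB: /'
```

On a real server replace the two constants with `bos status -server noir.its.ac.id -localauth -long` and `cat /etc/openafs/server/CellServDB`; a database server listed twice is exactly the kind of entry that confuses Ubik elections.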

Creating first volumes

We will create root.afs (/afs) and root.cell (/afs/its.ac.id) on our /vicepa so that it can easily be replicated on other machines later on.

# vos create -server noir.its.ac.id -partition a -name root.afs -localauth -verbose
# vos create -server noir.its.ac.id -partition a -name root.cell -localauth -verbose

If you get the error message "no quorum elected", it means that you should wait, as the servers are still trying to figure out who is the master server.

If "vos create" hangs, the vlserver may be having issues. Do a "killall -TSTP vlserver" a couple of times to increase the logging output to VLLog.

Next set the ACLs; we have to be an authenticated user to do this, so get a token:

# kinit -p afs-admin/admin
Password for afs-admin/admin@ITS.AC.ID:

# aklog its.ac.id -k ITS.AC.ID

The /afs directory is currently empty. We'll fix that by adding our own cell (and perhaps a few others, because anything you find in /etc/openafs/CellServDB can be added in this fashion).

# fs mkmount -dir /afs/its.ac.id -vol root.cell -cell its.ac.id -fast

Now make sure that anyone is able to access /afs and /afs/its.ac.id:

# fs setacl -dir /afs -acl system:anyuser rl
# fs setacl -dir /afs/its.ac.id -acl system:anyuser rl

The root.afs and root.cell volumes will and should be replicated, meaning that they will mainly be read-only. To access the read-write copy of the volumes, we create the following mount points.

# fs mkmount -dir /afs/.its.ac.id -vol root.cell -cell its.ac.id -rw
# fs mkmount -dir /afs/.root.afs -vol root.afs -rw

Now that we are sure we have access to the read-write copies, we can create the read-only ones.

vos addsite -server noir.its.ac.id -partition a -id root.afs -localauth
vos addsite -server noir.its.ac.id -partition a -id root.cell -localauth
vos release -id root.afs -localauth
vos release -id root.cell -localauth

Creating more volumes (home volume).

# kinit -p afs-admin/admin
Password for afs-admin/admin@ITS.AC.ID:

# aklog its.ac.id -k ITS.AC.ID

# vos create -server noir.its.ac.id -partition a -name home -localauth
# fs mkmount -dir /afs/its.ac.id/home -vol home
# fs setacl -dir /afs/its.ac.id/home -acl system:anyuser rl
# vos addsite -server noir.its.ac.id -partition a -id home
# vos release -id home

Now /afs/its.ac.id/home is a replicated read-only directory which can be accessed for writing as /afs/.its.ac.id/home.

We want to create a home for bejo, who has the principal bejo/user@ITS.AC.ID. Note that the mkdir and the mkmount go through the read-write path /afs/.its.ac.id, because the read-only copy of home cannot be modified; the new mount point only appears under /afs/its.ac.id after the release.

	  # mkdir /afs/.its.ac.id/home/b
	  # vos create -server noir.its.ac.id -partition a -name H.bejo
	  # fs mkmount -dir /afs/.its.ac.id/home/b/bejo -vol H.bejo -rw
	  # fs setacl -dir /afs/.its.ac.id/home/b -acl system:anyuser rl
	  # vos release home

Home directories should never be read-only, or things would simply stop working. The "H" in "H.bejo" is just a convenient way of shortening "home.bejo"; not an official standard, but a good one.

	  # fs sa /afs/its.ac.id/home/b/bejo -acl bejo.user rlidwka
	  # fs sa /afs/its.ac.id/home/b/bejo -acl system:anyuser l
	  # fs sa /afs/its.ac.id/home/b/bejo -acl system:backup read
	  # chown bejo.user /afs/its.ac.id/home/b/bejo

Creating more users (home volumes)

Every user created here MUST also be added to the Kerberos database.

Ex1: User bejo/user@ITS.AC.ID.

	  # kinit -p afs-admin/admin
	  # aklog its.ac.id -k ITS.AC.ID
	  # pts createuser -name bejo.user -id 1003
	  # pts adduser -user bejo.user -group system:anyuser

Ex2: Admin dd/admin@ITS.AC.ID.

	  # kinit -p afs-admin/admin
	  # aklog its.ac.id -k ITS.AC.ID
	  # pts createuser -name dd.admin -id 1000
	  # pts adduser -user dd.admin -group system:administrators

Note:

	   Everything will look much better if AFS UID and UNIX UID match for users.
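The home-volume steps and the pts steps above are one procedure per user, so here they are as a single script. This is an added example, not part of the original page: it follows the page's H.<user> and home/<first letter>/<user> convention, does every modification through the read-write path /afs/.its.ac.id and releases home only at the end. It assumes you already hold an admin token (kinit/aklog as shown above) and that the Kerberos principal exists; the server, partition and cell defaults are the page's, but are overridable. AFS_DRY_RUN=1 prints the commands instead of running them, which is also how it can be checked without an AFS cell.

```shell
#!/bin/sh
# Added example (not the page's own code): create an AFS user, home volume,
# mount point and ACLs following the page's H.<user> convention.
# Assumes an admin token is already held. Set AFS_DRY_RUN=1 to print the
# commands instead of executing them.

AFS_SERVER="${AFS_SERVER:-noir.its.ac.id}"   # file server (page value)
AFS_PART="${AFS_PART:-a}"                    # /vicepa          (page value)
AFS_CELL="${AFS_CELL:-its.ac.id}"            # cell             (page value)
HOME_RW="/afs/.${AFS_CELL}/home"             # read-write path: the only one we may modify

# run CMD...: execute, or just print when AFS_DRY_RUN=1
run() {
    if [ "${AFS_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# create_home PRINCIPAL AFSID
#   PRINCIPAL : Kerberos principal without realm, e.g. bejo/user
#   AFSID     : numeric AFS ID; make it equal to the UNIX uid (see the note above)
create_home() {
    user="$1"; afsid="$2"
    case "$user" in
        */*) ;;
        *) echo "usage: create_home user/instance afsid" >&2; return 2 ;;
    esac
    ptsname=$(printf '%s' "$user" | tr '/' '.')   # bejo/user -> bejo.user (pts name)
    short=${user%%/*}                              # bejo
    letter=$(printf '%s' "$short" | cut -c1)       # b  (hashing directory)
    vol="H.$short"                                 # H.bejo
    dir="$HOME_RW/$letter/$short"

    # 1) protection database entry (the Kerberos principal must already exist)
    run pts createuser -name "$ptsname" -id "$afsid"
    # 2) hashing directory in the read-write copy of the home volume
    run mkdir -p "$HOME_RW/$letter"
    run fs setacl -dir "$HOME_RW/$letter" -acl system:anyuser rl
    # 3) the home volume and its read-write mount point
    run vos create -server "$AFS_SERVER" -partition "$AFS_PART" -name "$vol"
    run fs mkmount -dir "$dir" -vol "$vol" -rw
    # 4) ACLs on the home directory: owner everything, others lookup only,
    #    backup group read; set through the RW path so no release is needed yet
    run fs setacl -dir "$dir" -acl "$ptsname" rlidwka
    run fs setacl -dir "$dir" -acl system:anyuser l
    run fs setacl -dir "$dir" -acl system:backup read
    run chown "$ptsname" "$dir"
    # 5) publish the new mount point to the read-only copy of home
    run vos release -id home
}

# Usage: afs-newhome.sh bejo/user 1003
if [ $# -ge 2 ]; then
    create_home "$1" "$2"
fi
```

The pts entry is created before any ACL mentions it, because fs setacl rejects a user the protection database does not know; the release comes last so the read-only tree never shows a half-built home.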

→ Adding an additional server

If you decide one server is not enough, here is roughly what needs to happen:

      1) Copy securely (using scp, encrypted Kerberized rcp or some other
         secure method) /etc/openafs/server to the new server.
      2) Start a bosserver.
      3) If the machine is to be a file server, create an fs instance using
         bos create. For file servers this is all you need to do.
      4) For database servers, you also need to do a bos addhost on all
         servers (including the new server) to add the new server to
         /etc/openafs/server/CellServDB. Then create ptserver and vlserver
         instances.

→ Activating upserver and upclient

Start the server portion, the upserver process, to distribute the contents of directories on this machine to other server machines in the cell. It becomes active when you configure the client portion, the upclient process, on the additional server machines. Distributing the contents of its server configuration directory (/usr/afs/etc in the upstream layout, /etc/openafs/server here) makes this machine the cell's system control machine.

Server

        # bos create -server noir.its.ac.id -instance upserver -type simple -cmd "/usr/sbin/upserver -crypt /etc/openafs/server" -localauth

Client to update every 300 seconds

        # bos create -server ares.its.ac.id -instance upclientetc -type simple -cmd "/usr/sbin/upclient noir.its.ac.id -t 300 /etc/openafs/server" -localauth

→ Ticket (and token) expiration

Verifying that you have expired tokens is easy. AFS supplies the tokens command, which is similar to the klist command for Kerberos, but it deals only with AFS tokens (which are stored in the kernel of the machine you are using).

        # tokens
Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@its.ac.id [Expires Oct 13 18:57]
--End of list--

...is the normal output of the tokens command. When you have expired tokens, the output will be similar to this.

        # tokens
Tokens held by the Cache Manager:

--End of list--

Getting new tokens is as easy as typing kinit, which will retrieve you new Kerberos credentials, and as a side effect, also retrieve, or update, your AFS tokens.

        # kinit
Password for afs-admin/admin@ITS.AC.ID:

...and you can continue working.

We can automate the kinit by using a keytab; of course you must create the keytab first for the specific user.
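A small script that does what this section describes: read the tokens output, decide whether a usable token for the cell is present, and if not renew it from a keytab (kinit -k -t) followed by aklog. This is an added example, not code from the page; the keytab path is a hypothetical placeholder and the two tokens listings are the page's own output embedded as constructed samples (the third, "expired" sample shows the marker tokens prints for a token that has run out).

```shell
#!/bin/sh
# Added example (not the page's own code): detect a missing or expired AFS
# token for the cell and renew it from a keytab without a password prompt.
# KEYTAB is a hypothetical path; adjust it to where your keytab lives.

AFS_CELL="${AFS_CELL:-its.ac.id}"
AFS_REALM="${AFS_REALM:-ITS.AC.ID}"
PRINC="${PRINC:-afs-admin/admin@ITS.AC.ID}"
KEYTAB="${KEYTAB:-/etc/openafs/afs-admin.keytab}"   # hypothetical placeholder

# token_status CELL: reads `tokens` output on stdin and prints one word:
#   valid   - a token for afs@CELL with an "Expires" time is listed
#   expired - the entry is there but marked ">> Expired <<"
#   none    - the cache manager holds no token for this cell
token_status() {
    awk -v cell="$1" '
        index($0, "tokens for afs@" cell) {
            if ($0 ~ /\[Expires /) { print "valid";   found = 1; exit }
            if ($0 ~ /Expired/)    { print "expired"; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# ensure_token: renew the Kerberos ticket from the keytab and convert it to
# an AFS token with aklog, but only when the current token is not usable.
ensure_token() {
    status=$(tokens | token_status "$AFS_CELL")
    if [ "$status" = valid ]; then
        return 0
    fi
    echo "AFS token for $AFS_CELL is $status, renewing from keytab" >&2
    kinit -k -t "$KEYTAB" "$PRINC" && aklog "$AFS_CELL" -k "$AFS_REALM"
}

# Constructed samples: the page's two tokens listings plus an expired one.
sample_valid() {
cat <<'EOF'
Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@its.ac.id [Expires Oct 13 18:57]
--End of list--
EOF
}
sample_empty() {
cat <<'EOF'
Tokens held by the Cache Manager:

--End of list--
EOF
}
sample_expired() {
cat <<'EOF'
Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@its.ac.id [>> Expired <<]
--End of list--
EOF
}

# Usage: afs-token.sh ensure   (e.g. from cron, before a batch job)
case "${1:-}" in
    ensure) ensure_token ;;
esac
```

Because the status is derived from the live tokens output rather than from klist, the script also catches the case where the Kerberos ticket is fine but the AFS token was never obtained (kinit without aklog), which is the situation the second listing above shows.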

→ Seems doable, but not tested yet!!

If you wanted to support V4 and AFS salted keys, you might have something like this in the [realms] section:

        [realms]
        ITS.AC.ID = {
            supported_keytypes = des:normal des-cbc-crc:v4 des-cbc-crc:afs3
        }

- d
