User:Tiicoo/AFSKRB/AFSConfig

Now that Kerberos is running, we can start with a basic configuration of OpenAFS.

Connect Kerberos REALM with an AFS cell
First of all we have to find out where the AFS configuration files are located. We can do so by typing

bos setcellname -server torpedo-bay.secure.ilm -name secure.ilm

In case you did not copy the necessary files like    you will get an error message like

root@torpedo-bay:/usr/etc# bos setcellname -server torpedo-bay.secure.ilm -name secure.ilm
bos: can't open cell database (/usr/etc/openafs)

The path in parentheses is the configuration directory bos is looking in.

Hence you have to find the file  in your OpenAFS distribution. Once found, copy it to the location given by the above command, in this case /usr/etc/openafs. The file  lists many public OpenAFS cells and their servers; logically it does not know our servers, so we have to add our server by appending

>secure.ilm        #'secure' cell
192.168.2.10       #torpedo-bay.secure.ilm

to it. Now you have two possibilities for telling the AFS software what your cell name is: either set the environment variable  or, in the configuration directory, run

echo secure.ilm > ThisCell
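The two-line entry above and the ThisCell file, written by a small POSIX shell helper. This is an added example, not code from the page or from OpenAFS: the cell database file is passed as a path argument because the page leaves its name out, and the entry format (a `>cell` line followed by one `address #host` line) is the one shown above. The helper refuses a malformed IPv4 address and refuses to append a cell that is already listed, so running it twice cannot leave duplicate entries.

```shell
#!/bin/sh
# Added example (not from the original page): append a cell entry to the
# cell database file and set ThisCell. The database file path is a parameter
# because the page does not name the file. Entry format as shown on the page:
#   >cellname       #comment
#   ip.ad.dr.ess    #hostname

# Validate a dotted-quad IPv4 address: four octets, each 0..255.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# cell_known DBFILE CELL: exit 0 if a ">CELL" header line already exists.
cell_known() {
    grep -Eq "^>$2([[:space:]]|$)" "$1" 2>/dev/null
}

# add_cell DBFILE CELL IP HOST: append the two-line entry unless the cell
# is already listed. Returns 2 on a bad address, 1 on a duplicate.
add_cell() {
    db=$1 cell=$2 ip=$3 host=$4
    valid_ipv4 "$ip" || { echo "add_cell: bad IPv4 address '$ip'" >&2; return 2; }
    if cell_known "$db" "$cell"; then
        echo "add_cell: cell $cell already listed in $db" >&2
        return 1
    fi
    printf '>%s\t#%s cell\n%s\t#%s\n' "$cell" "$cell" "$ip" "$host" >> "$db"
}

# set_this_cell CONFDIR CELL: write the ThisCell file named on the page.
set_this_cell() {
    printf '%s\n' "$2" > "$1/ThisCell"
}
```

Usage on the page's cell would be `add_cell /usr/etc/openafs/<database file> secure.ilm 192.168.2.10 torpedo-bay.secure.ilm` followed by `set_this_cell /usr/etc/openafs secure.ilm`; the database file name is whatever your distribution ships.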

If you are curious and test the command above again, you will see errors like

bos: a pioctl failed (getting tickets)
bos: running unauthenticated

As we did not tell AFS which tickets to get, we do not receive any, and bos falls back to running unauthenticated. Note: Some AFS packages need a subdirectory  in the configuration directory containing the files   and   again.

We add the AFS service key from the Kerberos keytab to the basic overseer with the following command:

asetkey add 0 /etc/kdc/kdc.keytab.afs afs/secure.ilm

The number 0 is necessary because keys are numbered by key version (kvno). It must be the kvno the KDC holds for afs/secure.ilm; a mismatch means the servers cannot decrypt the tickets clients present. If you already added keys to your AFS database, or the key has been rotated in the KDC, use the current kvno rather than reusing 0. If everything is OK you should see something like

root@torpedo-bay:/usr/src# asetkey list
kvno   0: key is: 20988f61dae6516e
All done.

Note that asetkey list prints the key material itself, so treat this output as a secret and do not paste it into shared logs or documentation.

Create one volume for the salvager and the file server
If you already know how many volumes you are going to need, you can create the directories now. In any case the salvager needs "something to look at". If you have a free partition, or your volume manager can provide some free space, create a file system on that partition and mount it there. If you will have many small or sparse files you can use ReiserFS, or consult common file system comparisons to decide which file system to use.

Start an initial cell structure
Now that basic authentication via Kerberos is configured, we start the basic overseer without authentication because we will ... . Be aware that in this mode bosserver performs no authorization checks and accepts commands from anyone who can reach it, so continuous operation in this mode is not recommended; use it only for this bootstrap and restart the overseer with authentication as soon as the administrator exists.

The basic overseer is started by

bosserver -noauth

We know from the chapter Overview on Kerberos and OpenAFS that AFS consists of many small components that together provide its functionality. For now we will configure the basic overseer and the protection server in order to get basic functionality. First we connect the host  with the cell   via the   command. All possible options are listed here

TODO: expand this table for better reading

One important service is the protection server. It maintains the protection database, i.e. the users and groups of the cell and their IDs. We add it by

bos create torpedo-bay.secure.ilm ptserver simple /usr/libexec/openafs/ptserver -cell secure.ilm -noauth

Of course we have a look at the current status by

root@torpedo-bay:~# bos listhosts -cell secure.ilm -server torpedo-bay.secure.ilm
bos: a pioctl failed (getting tickets)
bos: running unauthenticated
Cell name is secure.ilm
    Host 1 is torpedo-bay.secure.ilm

The volume location server can be added by

root@torpedo-bay:~# bos create torpedo-bay.secure.ilm vlserver simple /usr/libexec/openafs/vlserver -cell secure.ilm -noauth

The next step is adding an administrator to your cell by

pts createuser -name afsadmin -cell secure.ilm -noauth
User afsadmin has id 1

Because the protection server needs to know that this user is privileged, we add it to the administrators group by

pts adduser afsadmin system:administrators -cell secure.ilm -noauth

Be aware that adding the user to the protection server does not make the basic overseer aware of it; the overseer keeps its own list of administrators.

bos adduser torpedo-bay.secure.ilm afsadmin -noauth

changes that. As the protection server and volume location server are already running, we now start the file server, volume server and salvager by

bos create torpedo-bay.secure.ilm fs fs /usr/libexec/openafs/fileserver /usr/libexec/openafs/volserver /usr/libexec/openafs/salvager -cell secure.ilm

We may now shut down and restart the basic overseer, this time with authentication:

bos shutdown torpedo-bay.secure.ilm -noauth
killall bosserver
bosserver

Since the new bosserver runs without -noauth, subsequent bos commands must be authenticated as a user listed with bos adduser.

Initialize the Cache Manager and related daemons
Because the Cache Manager needs disk space for caching file data, we have to find a directory that serves our requirements. Be aware that the cache size may not be above 95% of the disk space of the partition the cache directory is located on. The file  is structured as <AFS mount point>:<cache directory>:<cache size in 1 KiB blocks>, for example

/afs:/var/openafs:5873470

The size of the partition could be  and. Here AFS is mounted on /afs and file data is cached in /var/openafs, with 5873470 KiB (about 5.6 GiB) of disk space. Tokens are not stored in this directory; the Cache Manager keeps them in kernel memory. Because the cache manager depends on the AFS kernel code for its file system and system calls, the kernel module must be loaded before afsd is started.
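A check of the cache configuration file before afsd is started, as an added example that is not part of the page or of OpenAFS. It assumes the three-field layout described above (mount point, cache directory, size in 1 KiB blocks) and enforces the page's 95% rule against the actual partition holding the cache directory, using the POSIX `df -kP` output; the file path is a parameter because the page leaves the file name out.

```shell
#!/bin/sh
# Added example (not from the page): validate a cache configuration file
# before starting afsd. Checks the mountpoint:cachedir:size layout, that both
# paths are absolute, that the cache directory exists, and that the size
# (1 KiB blocks) is at most 95% of the partition holding the cache directory.

# Print the 1 KiB block capacity of the file system holding $1.
partition_kblocks() {
    df -kP "$1" | awk 'NR == 2 { print $2 }'
}

# check_cacheinfo FILE: exit 0 if usable, 1 otherwise (reason on stderr).
check_cacheinfo() {
    file=$1
    line=$(head -n 1 "$file" 2>/dev/null) || { echo "cannot read $file" >&2; return 1; }
    old_ifs=$IFS; IFS=:
    set -- $line
    IFS=$old_ifs
    [ $# -eq 3 ] || { echo "expected mountpoint:cachedir:size, got '$line'" >&2; return 1; }
    mount=$1 cachedir=$2 size=$3
    case $mount in /*) ;; *) echo "mount point '$mount' is not absolute" >&2; return 1 ;; esac
    case $cachedir in /*) ;; *) echo "cache dir '$cachedir' is not absolute" >&2; return 1 ;; esac
    [ -d "$cachedir" ] || { echo "cache dir '$cachedir' does not exist" >&2; return 1; }
    case $size in ''|*[!0-9]*) echo "size '$size' is not a positive integer" >&2; return 1 ;; esac
    [ "$size" -gt 0 ] || { echo "size must be greater than 0" >&2; return 1; }
    total=$(partition_kblocks "$cachedir")
    limit=$((total * 95 / 100))     # the 95% rule quoted on the page
    if [ "$size" -gt "$limit" ]; then
        echo "size $size KiB exceeds 95% of the partition ($limit of $total KiB)" >&2
        return 1
    fi
    echo "ok: $size KiB cache in $cachedir, AFS mounted on $mount"
}
```

Run `check_cacheinfo /usr/etc/openafs/<cache configuration file>` (whatever name your distribution uses) and only start afsd when it reports ok; a cache larger than the partition allows is exactly the misconfiguration the verbose start below is meant to surface.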

Now we can start the cache manager by

afsd -verbose

At the beginning we use the verbose option in order to recognize errors related to a possible misconfiguration. Furthermore you can now watch the logs of the daemons. If you do not know where your daemons log, run

lsof | grep afs

or

lsof | grep bos

You will see the open files on your hard disk and the open sockets; find out which files are being used for logging.