Linux System Administration |
Home | Tech | Linux | Links | Consulting |
|
Kerberos-OpenAFS master
This page describes how to set up a host that is an MIT Kerberos V master server, as well as an OpenAFS database and file server that is the first of a new AFS cell, which is created in the process. In this example, OpenAFS is installed on a host running Debian 5.0 (lenny). If followed properly, this step-by-step process should produce a new cell with an initial AFS database and file server. Before this process of installing OpenAFS can begin, it will first be necessary to install Debian lenny on a new host called kas1.example.com. The new host must have one extra free disk partition (/dev/hdb1 will be used here) and also a DNS server must be available on the network with a zone file to which forward and reverse mappings can be added for this host, as well as an alias for it called kas.example.com. After the initial installation of the operating system, make sure these packages are installed on the system as well: ~# apt-get install ssh ntp ntpdate xinetd nmap Afterwards, edit /etc/ntp.conf so that the machine synchronizes to a common NTP server (preferably a local one) and edit /etc/default/ntpdate to use the same host also. Now the installation process for the OpenAFS server can begin: 1. Kerberos server install On the new host, kas1.example.com, start by installing these two packages: ~# apt-get install krb5-{admin-server,user} A total of five packages are installed as a result, including three dependencies: krb5-admin-server 1.6.dfsg.4~beta1-5lenny1 MIT Kerberos master server (kadmind) krb5-config 1.22 Configuration files for Kerberos Version V krb5-kdc 1.6.dfsg.4~beta1-5lenny1 MIT Kerberos key server (KDC) krb5-user 1.6.dfsg.4~beta1-5lenny1 Basic programs to authenticate using MIT Kerberos libkadm55 1.6.dfsg.4~beta1-5lenny1 MIT Kerberos administration runtime libraries During package installation, the default realm is automatically set to EXAMPLE.COM. A few questions are asked regarding the krb5-admin-server package that should be answered as follows: Kerberos servers for your realm: kas1.example.com Administrative server for your Kerberos realm: kas.example.com Following this automated configuration sequence for the package, two problems appear. First, a comment is displayed to inform xinetd users that manual conversion to xinetd format is necessary for a hashed-out kpropd entry that has been added to /etc/inetd.conf. This is for the Kerberos V database propagation daemon, which in this case is necessary to support KDC slave servers. Running at least one slave is recommended for the sake of redundancy, so fix it now by creating a file called /etc/xinetd.d/krb_prop with the following contents: service krb_prop { disable = no socket_type = stream protocol = tcp user = root wait = no server = /usr/sbin/kpropd } After saving this file, restart xinetd: ~# /etc/init.d/xinetd restart It should be said that, although it is not required to run kpropd on the master KDC (only on slaves), it is nice to have this service available in case it becomes necessary to change its role. The second problem is that kadmind, the administration daemon, failed to start. This is because the realm, EXAMPLE.COM, or rather the database file for it (/var/lib/krb5kdc/principal), has not yet been created. 2. Realm creation To create the new realm, use the krb5_newrealm command. Be careful, because it should be used only once. ~# krb5_newrealm This script should be run on the master KDC/admin server to initialize a Kerberos realm. It will ask you to type in a master key password. This password will be used to generate a key that is stored in /etc/krb5kdc/stash. You should try to remember this password, but it is much more important that it be a strong password than that it be remembered. However, if you lose the password and /etc/krb5kdc/stash, you cannot decrypt your Kerberos database. Loading random data Initializing database '/var/lib/krb5kdc/principal' for realm 'EXAMPLE.COM', master key name 'K/M@EXAMPLE.COM' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: ammodytes Re-enter KDC database master key to verify: ammodytes Now that your realm is set up you may wish to create an administrative principal using the addprinc subcommand of the kadmin.local program. Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that you can use the kadmin program on other computers. Kerberos admin principals usually belong to a single user and end in /admin. For example, if jruser is a Kerberos administrator, then in addition to the normal jruser principal, a jruser/admin principal should be created. Don't forget to set up DNS information so your clients can find your KDC and admin servers. Doing so is documented in the administration guide. ~# _ This can sometimes take a while, but eventually the only request that is made is for a password: ammodytes was used here. The KDC database master key is a very important password, so do not forget it! 3. Admin authorization Edit /etc/krb5kdc/kadm5.acl and enable/add the following two lines: */admin * admin * This is to allow certain principals, admin and names ending in /admin, to perform any operation. 4. Realm config file Edit the Kerberos realm configuration file, /etc/krb5.conf. This file is initially created by the Debian installer and contains information about the realms of a number of famous institutions, but none of that is necessary in this case. Instead, replace its contents with this: [libdefaults] default_realm = EXAMPLE.COM forwardable = true proxiable = true [realms] EXAMPLE.COM = { kdc = kas1.example.com admin_server = kas.example.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM [logging] kdc = FILE:/var/log/krb5/kdc.log admin_server = FILE:/var/log/krb5/kadmin.log default = FILE:/var/log/krb5/kadmin.log This file is divided into a number of sections. The first, [libdefaults], contains default values used by the Kerberos V library. It has many possible settings, but the only ones used here are default_realm, which is used by the client, and forwardable and proxiable, which apply to initial tickets. The [realms] section contains subsections that start with the name of a Kerberos realm. In turn, each subsection contains information specific to that realm, such as (possibly multiple) kdc and (a single) admin_server entries to locate important hosts. The [domain_realm] section is for mapping DNS domain names to Kerberos realms. It may seem unnecessary in cases such as this when they are the same (DNS entries are not case sensitive), but of course this is not always so. Each tag is written in lower case and can be a hostname or a domain name, the latter being prefixed with a dot. If no mappings apply, the realm is obtained by converting the domain portion of a hostname to upper case. The last section, [logging], is optional, but recommended. It determines how a particular host should perform its logging. The settings used here specify that Kerberos log output from the KDC server should be sent to one log file and output from the administrative server to another. A default log file has also been defined, but in practice it may never be used, so in this case its output is also sent to the log file for the administrative server. After /etc/krb5.conf has been saved, create the Kerberos log directory: ~# mkdir /var/log/krb5 To prevent the log files from growing too large, create a pair of logrotate configuration files. First, edit /etc/logrotate.d/krb5-kdc and give it the following contents: /var/log/krb5/kdc.log { daily missingok rotate 7 compress delaycompress notifempty postrotate /etc/init.d/krb5-kdc restart > /dev/null endscript } Then edit /etc/logrotate.d/krb5-kadmin and give it this slightly different configuration: /var/log/krb5/kadmin.log { daily missingok rotate 7 compress delaycompress notifempty postrotate /etc/init.d/krb5-admin-server restart > /dev/null endscript } 5. Ticket lifetime Start up the administrative interface for the Kerberos database and use it to allow more flexible lifetime and renewal time frames for the ticket granting ticket (TGT) service. The commands and their responses should look like this: ~# kadmin.local Authenticating as principal root/admin@EXAMPLE.COM with password. kadmin.local: modprinc -maxlife "1 day" -maxrenewlife "90 day" \ krbtgt/EXAMPLE.COM@EXAMPLE.COM Principal "krbtgt/EXAMPLE.COM@EXAMPLE.COM" modified. kadmin.local: q ~# _ The values entered above are instead of 10 hours and 1 day respectively, which are the default values. However, every organization should use values that best suit their own security needs. As for kadmin.local, this is a fail-safe version of the kadmin tool that can only be used on the KDC as root and requires no password to modify the database directly. The kadmin tool, on the other hand, can be used from anywhere on the network. Now edit /etc/krb5kdc/kdc.conf and modify these two lines to reflect the changes made above: max_life = 1d 0h 0m 0s max_renewable_life = 90d 0h 0m 0s 6. Server restart Restart the Kerberos admin and KDC servers: ~# /etc/init.d/krb5-admin-server restart ; /etc/init.d/krb5-kdc restart Restarting these servers is only necessary after any associated configuration files have been changed. 7. Admin principal Start up kadmin.local once more to create the admin principal: ~# kadmin.local Authenticating as principal root/admin@EXAMPLE.COM with password. kadmin.local: addprinc admin WARNING: no policy specified for admin@EXAMPLE.COM; defaulting to no policy Enter password for principal "admin@EXAMPLE.COM": xanthina Re-enter password for principal "admin@EXAMPLE.COM": xanthina Principal "admin@EXAMPLE.COM" created. kadmin.local: q ~# _ To be sure, the password given here is xanthina. 8. Host princ & keytab Use kadmin to create a host principal and a keytab file for the new master KDC by issuing the following commands: ~# kadmin -p admin Authenticating as principal admin with password. Password for admin@EXAMPLE.COM: xanthina kadmin: addprinc -randkey host/kas1.example.com WARNING: no policy specified for host/kas1.example.com@EXAMPLE.COM; defaulting to no policy Principal "host/kas1.example.com@EXAMPLE.COM" created. kadmin: ktadd host/kas1.example.com Entry for principal host/kas1.example.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/kas1.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/kas1.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/kas1.example.com with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab. kadmin: q ~# _ If a line exists in /etc/hosts that maps a loopback address to the FQDN, which in this case is kas1.example.com, it can prevent kadmin from starting up. If this line exists, remove it. The -randkey switch is used because a machine cannot enter a password. By default, Kerberos saves its keys in /etc/krb5.keytab. To list the keys in this file, use the klist -ke command. Such keytab files should be created for and saved on all of the various client machines that are part of a Kerberos realm. 9. Kinit test Using some standard tools, there are a number of ways to test that the new KDC is working. Start by requesting a valid ticket for the new principal, admin: ~# kinit admin Password for admin@EXAMPLE.COM: xanthina ~# _ Once given the right password (xanthina), a list of the tickets obtained can be viewed: ~# klist -5 Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin@EXAMPLE.COM Valid starting Expires Service principal 11/04/09 00:43:20 11/05/09 00:43:20 krbtgt/EXAMPLE.COM@EXAMPLE.COM ~# _ 10. Debconf reconfig From this point on, a more detailed level of questioning will be required from debconf. To achieve this, run the following command: ~# dpkg-reconfigure debconf Answer the questions as follows: Interface to use: Dialog Ignore questions with a priority less than: low 11. AFS kernel module The objective here is to build and install the OpenAFS kernel module from source. Start by installing the module assistant: ~# apt-get install module-assistant This gets installed: module-assistant 0.11.3 tool to make module package creation easier Then use it to download the source code for the AFS kernel module, compile and install it: ~# m-a prepare openafs ; m-a a-i openafs As a result, 49 new packages will be installed in four stages, the last of which involves the compilation and installation of the AFS kernel module: binutils 2.18.1~cvs20080103-7 The GNU assembler, linker and binary utilities bison 1:2.3.dfsg-5 A parser generator that is compatible with YACC build-essential 11.4 Informational list of build-essential packages bzip2 1.0.5-1 high-quality block-sorting file compressor - utilit cpp 4:4.3.2-2 The GNU C preprocessor (cpp) cpp-4.1 4.1.2-25 The GNU C preprocessor cpp-4.3 4.3.2-1.1 The GNU C preprocessor debhelper 7.0.15 helper programs for debian/rules dpkg-dev 1.14.28 Debian package development tools flex 2.5.35-6 A fast lexical analyzer generator. g++ 4:4.3.2-2 The GNU C++ compiler g++-4.3 4.3.2-1.1 The GNU C++ compiler gcc 4:4.3.2-2 The GNU C compiler gcc-4.1 4.1.2-25 The GNU C compiler gcc-4.1-base 4.1.2-25 The GNU Compiler Collection (base package) gcc-4.3 4.3.2-1.1 The GNU C compiler gettext 0.17-4 GNU Internationalization utilities html2text 1.3.2a-5 advanced HTML to text converter intltool-debian 0.35.0+20060710.1 Help i18n of RFC822 compliant config files libc6-dev 2.7-18lenny2 GNU C Library: Development Libraries and Header Fil libcompress-raw-zlib-perl 2.012-1lenny1 low-level interface to zlib compression library libcompress-zlib-perl 2.012-1 Perl module for creation and manipulation of gzip f libdigest-hmac-perl 1.01-7 create standard message integrity checks libdigest-sha1-perl 2.11-2+b1 NIST SHA-1 message digest algorithm libfile-remove-perl 1.42-1 remove files and directories, accepts wildcards libgmp3c2 2:4.2.2+dfsg-3 Multiprecision arithmetic library libgomp1 4.3.2-1.1 GCC OpenMP (GOMP) support library libio-compress-base-perl 2.012-1 Base Class for IO::Compress modules libio-compress-zlib-perl 2.012-1 Perl interface to zlib libio-stringy-perl 2.110-4 Perl modules for IO from scalars and arrays libmail-box-perl 2.082-2 Manage a message-folder libmail-sendmail-perl 0.79-5 Send email from a perl script libmailtools-perl 2.03-1 Manipulate email in perl programs libmime-types-perl 1.24-1 Perl extension for determining MIME types and Trans libmpfr1ldbl 2.3.1.dfsg.1-2 multiple precision floating-point computation libobject-realize-later-perl 0.18-1 Delayed creation of objects libstdc++6-4.3-dev 4.3.2-1.1 The GNU Standard C++ Library v3 (development files) libsys-hostname-long-perl 1.4-2 Figure out the long (fully-qualified) hostname libtimedate-perl 1.1600-9 Time and date functions for Perl liburi-perl 1.35.dfsg.1-1 Manipulates and accesses URI strings libuser-identity-perl 0.92-2 manages different identities/roles used by a physic linux-headers-2.6.26-2-686 2.6.26-21lenny3 Header files for Linux 2.6.26-2-686 linux-headers-2.6.26-2-common 2.6.26-21lenny3 Common header files for Linux 2.6.26-2 linux-kbuild-2.6.26 2.6.26-3 Kbuild infrastructure for Linux 2.6.26 linux-libc-dev 2.6.26-21lenny3 Linux support headers for userspace development make 3.81-5 The GNU version of the "make" utility. openafs-modules-2.6.26-2-686 1.4.7.dfsg1-6+lenny2+2.6.26-21lenny3 AFS distributed filesystem kernel module openafs-modules-source 1.4.7.dfsg1-6+lenny2 AFS distributed filesystem kernel module source po-debconf 1.0.15 manage translated Debconf templates files with gett After it has been built and installed, test the OpenAFS kernel module by loading it: ~# modprobe openafs Here it what it looks like when the module has been loaded: ~# lsmod |grep afs openafs 473948 0 ~# 12. OpenAFS client install Install the OpenAFS client. Now install these two packages: ~# apt-get install openafs-{client,krb5} Only these two packages are installed as a result: openafs-client 1.4.7.dfsg1-6+lenny2 AFS distributed filesystem client support openafs-krb5 1.4.7.dfsg1-6+lenny2 AFS distributed filesystem Kerberos 5 integration Following the installation process, debconf will ask a few questions regarding the openafs-client package. Answer them as follows: AFS cell this workstation belongs to: example.com Size of AFS cache in kB: 50000 Run Openafs client now and at boot? No Look up AFS cells in DNS? Yes Encrypt authenticated traffic with AFS fileserver? No Dynamically generate the contents of /afs? Yes Use fakestat to avoid hangs when listing /afs? Yes DB server host names for your home cell: kas1 Regarding the AFS cache, the default size is about 50 MB and is located in the /var/cache/openafs/ directory. Often, the cache is increased to around 512 MB, but usually less than 1 GB; larger cache sizes may lengthen the startup time, as all files within the cache must be prechecked with the servers. It is vital that OpenAFS is never in danger of running out of cache space, since it is not designed to handle such situations gracefully. A requirement is also that an ext2 or ext3 file system is used for the cache directory; a file containing such a file system, or a dedicated partition can be used for this purpose, but its even possible to use a memory-based cache, which offers signifigant performance benefits. 13. OpenAFS server install To install the OpenAFS server, start by installing these two packages: ~# apt-get install openafs-{fileserver,dbserver} These are also the only two packages that are installed as a result: openafs-dbserver 1.4.7.dfsg1-6+lenny2 AFS distributed filesystem database server openafs-fileserver 1.4.7.dfsg1-6+lenny2 AFS distributed filesystem file server One question must be answered for the openafs-fileserver package: Cell this server serves files for: example.com 14. AFS princ & keytab Use kadmin.local to create a Kerberos principal for the AFS service and a matching keytab file by issuing a few commands: ~# kadmin -p admin Authenticating as principal admin with password. Password for admin@EXAMPLE.COM: xanthina kadmin: addprinc -randkey -e des-cbc-crc:normal afs/example.com WARNING: no policy specified for afs/example.com@EXAMPLE.COM; defaulting to no policy Principal "afs/example.com@EXAMPLE.COM" created. kadmin: ktadd -k /tmp/afs.keytab -e des-cbc-crc:normal afs/example.com Entry for principal afs/example.com with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/afs.keytab. kadmin: q ~# _ This principal is not host-specific, since it is meant to be used not only by this AFS server, but also by any other AFS servers that may eventually be added to this cell. The key created above is a single-DES key, which is relatively weak compared to what is offered by newer versions of Kerberos, but improvements are coming: newer version of OpenAFS already include AES encryption, although this has not yet made it into the standard releases. In the mean time, these weak cryptographic keys are accepted because the version of Kerberos V used here, 1.6, includes an apparently undocumented [libdefaults] setting in /etc/krb5.conf − allow_weak_crypto − that by default is set to "true." However, as of version 1.8 its default has been changed to "false." So, if Debian's next stable release does include Kerberos V 1.8, but not the new cryptographic improvements for OpenAFS, then allow_weak_crypto = true will have to be added to /etc/krb5.conf. After the key has been created, it must be loaded into the AFS key file: ~# asetkey add 3 /tmp/afs.keytab afs/example.com ~# _ The number 3 reflects the key version number, which must match KVNO number reported after the ktadd command during the previous kadmin session. To verify that the new key has been loaded and that there is only one Kerberos key in the AFS keyfile, run the following command: ~# bos listkeys kas1 -localauth key 3 has cksum 336878116 Keys last changed on Mon Feb 22 00:52:07 2010. All done. ~# _ The results are approximately what should be expected. 15. AFS partition OpenAFS is usually set up to work with dedicated partitions of which each server can maintain up to 256. These partitions are associated with mount points just below the root that follow a particular naming convention, /vicepXX/, where XX can be any letter, or two-letter combination. In this exercise, a separate partition, /dev/hdb1, will be formatted with the ext3 file system and mounted at /vicepa/. Actually, in cases where a separate partition is not available, it is also possible for OpenAFS to simply use a /vicepXX/ directory in the root partition. This is because OpenAFS does not require any particular low-level format for its partitions. AFS partitions can therefore be explored with ordinary UNIX tools, although the data stored therein is structured in a way that is only meaningful to OpenAFS. Assuming a partition has already been created on the disk, format it with: ~# mkfs.ext3 /dev/hdb1 mke2fs 1.41.3 (12-Oct-2008) Filesystem label= OS type: Linux Block size=4096 (log=2) Fragment size=4096 (log=2) 262144 inodes, 1048564 blocks 52428 blocks (5.00%) reserved for the super user First data block=0 Maximum filesystem blocks=1073741824 32 block groups 32768 blocks per group, 32768 fragments per group 8192 inodes per group Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736 Writing inode tables: done Creating journal (16384 blocks): done Writing superblocks and filesystem accounting information: done This filesystem will be automatically checked every 26 mounts or 180 days, whichever comes first. Use tune2fs -c or -i to override. ~# _ Then edit /etc/fstab and add this line to the end of the file: /dev/hdb1 /vicepa ext3 defaults 0 0 Now create the mount point and mount the new partition: ~# mkdir /vicepa ; mount /vicepa/ ~# _ 16. Cell creation With OpenAFS, information regarding file locations, server systems and namespace management is centrally controlled and stored in custom-built internal databases that are replicated to reduce the risk of server failure. Should such a failure occur, the clients can automatically fail-over to the next available database server. Together, these database and file servers and their clients are referred to as an AFS cell. Run the script that will create a new cell: ~# afs-newcell Prerequisites In order to set up a new AFS cell, you must meet the following: 1) You need a working Kerberos realm with Kerberos4 support. You should install Heimdal with KTH Kerberos compatibility or MIT Kerberos 5. 2) You need to create the single-DES AFS key and load it into /etc/openafs/server/KeyFile. If your cell's name is the same as your Kerberos realm then create a principal called afs. Otherwise, create a principal called afs/cellname in your realm. The cell name should be all lower case, unlike Kerberos realms which are all upper case. You can use asetkey from the openafs-krb5 package, or if you used AFS3 salt to create the key, the bos addkey command. 3) This machine should have a filesystem mounted on /vicepa. If you do not have a free partition, then create a large file by using dd to extract bytes from /dev/zero. Create a filesystem on this file and mount it using -oloop. 4) You will need an administrative principal created in a Kerberos realm. This principal will be added to susers and system:administrators and thus will be able to run administrative commands. Generally the user is a root or admin instance of some administrative user. For example if jruser is an administrator then it would be reasonable to create jruser/admin (or jruser/root) and specify that as the user to be added in this script. 5) The AFS client must not be running on this workstation. It will be at the end of this script. Do you meet these requirements? [y/n] y If the fileserver is not running, this may hang for 30 seconds. /etc/init.d/openafs-fileserver stop What administrative principal should be used? admin /etc/openafs/server/CellServDB already exists, renaming to .old /etc/init.d/openafs-fileserver start bos adduser kas1.example.com admin -localauth Creating initial protection database. This will print some errors about an id already existing and a bad ubik magic. These errors can be safely ignored. pt_util: /var/lib/openafs/db/prdb.DB0: Bad UBIK_MAGIC. Is 0 should be 354545 Ubik Version is: 2.0 Error while creating system:administrators: Entry for id already exists bos create kas1.example.com ptserver simple /usr/lib/openafs/ptserver -localauth bos create kas1.example.com vlserver simple /usr/lib/openafs/vlserver -localauth bos create kas1.example.com fs fs -cmd '/usr/lib/openafs/fileserver -p 23 -busyat 600 -rxpck 400 -s 1200 -l 1200 -cb 65535 -b 240 -vc 1200' -cmd /usr/lib/openafs/volserver -cmd /usr/lib/openafs/salvager -localauth bos setrestart kas1.example.com -time never -general -localauth Waiting for database elections: done. vos create kas1.example.com a root.afs -localauth Volume 536870912 created on partition /vicepa of kas1.example.com /etc/init.d/openafs-client force-start Starting AFS services: openafs afsd. afsd: All AFS daemons started. Now, get tokens as admin in the example.com cell. Then, run afs-rootvol. ~# _ 17. AFS tokens Obtain AFS tokens as the admin user, as advised near the end of the afs-newcell session: ~# kinit admin Password for admin@EXAMPLE.COM: xanthina ~# aklog ~# klist -5f Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin@EXAMPLE.COM Valid starting Expires Service principal 02/22/10 02:13:59 02/23/10 02:13:59 krbtgt/EXAMPLE.COM@EXAMPLE.COM Flags: FPIA 02/22/10 02:14:22 02/23/10 02:13:59 afs/example.com@EXAMPLE.COM Flags: FPAT ~# tokens Tokens held by the Cache Manager: User's (AFS ID 1) tokens for afs@example.com [Expires Feb 23 02:13] --End of list-- ~# _ 18. Root volume creation OpenAFS stores files in structures called volumes and the first volume of an AFS cell is always called root.afs. Create it now with this command: ~# afs-rootvol Prerequisites In order to set up the root.afs volume, you must meet the following pre-conditions: 1) The cell must be configured, running a database server with a volume location and protection server. The afs-newcell script will set up these services. 2) You must be logged into the cell with tokens in for a user in system:administrators and with a principal that is in the UserList file of the servers in the cell. 3) You need a fileserver in the cell with partitions mounted and a root.afs volume created. Presumably, it has no volumes on it, although the script will work so long as nothing besides root.afs exists. The afs-newcell script will set up the file server. 4) The AFS client must be running pointed at the new cell. Do you meet these conditions? (y/n) y You will need to select a server (hostname) and AFS partition on which to create the root volumes. What AFS Server should volumes be placed on? kas1 What partition? [a] a vos create kas1 a root.cell -localauth Volume 536870915 created on partition /vicepa of kas1 fs mkm /afs/example.com/.root.afs root.afs -rw fs sa /afs/example.com/.root.afs system:anyuser rl fs mkm /afs/example.com/.root.afs/example.com root.cell -cell example.com -fast || true fs mkm /afs/example.com/.root.afs/grand.central.org root.cell -cell grand.central.org -fast || true fs mkm /afs/example.com/.root.afs/wu-wien.ac.at root.cell -cell wu-wien.ac.at -fast || true fs mkm /afs/example.com/.root.afs/hephy.at root.cell -cell hephy.at -fast || true fs mkm /afs/example.com/.root.afs/cgv.tugraz.at root.cell -cell cgv.tugraz.at -fast || true fs mkm /afs/example.com/.root.afs/itp.tugraz.at root.cell -cell itp.tugraz.at -fast || true fs mkm /afs/example.com/.root.afs/sums.math.mcgill.ca root.cell -cell sums.math.mcgill.ca -fast || true fs mkm /afs/example.com/.root.afs/cern.ch root.cell -cell cern.ch -fast || true fs mkm /afs/example.com/.root.afs/ams.cern.ch root.cell -cell ams.cern.ch -fast || true fs mkm /afs/example.com/.root.afs/epfl.ch root.cell -cell epfl.ch -fast || true fs mkm /afs/example.com/.root.afs/ethz.ch root.cell -cell ethz.ch -fast || true fs mkm /afs/example.com/.root.afs/psi.ch root.cell -cell psi.ch -fast || true fs mkm /afs/example.com/.root.afs/extundo.com root.cell -cell extundo.com -fast || true fs mkm /afs/example.com/.root.afs/membrain.com root.cell -cell membrain.com -fast || true fs mkm /afs/example.com/.root.afs/setfilepointer.com root.cell -cell setfilepointer.com -fast || true fs mkm /afs/example.com/.root.afs/sodre.cx root.cell -cell sodre.cx -fast || true fs mkm /afs/example.com/.root.afs/ruk.cuni.cz root.cell -cell ruk.cuni.cz -fast || true fs mkm /afs/example.com/.root.afs/desy.de root.cell -cell desy.de -fast || true fs mkm /afs/example.com/.root.afs/gppc.de root.cell -cell gppc.de -fast || true fs mkm /afs/example.com/.root.afs/cms.hu-berlin.de root.cell -cell cms.hu-berlin.de -fast || true fs mkm /afs/example.com/.root.afs/ifh.de root.cell -cell ifh.de -fast || true fs mkm /afs/example.com/.root.afs/lrz-muenchen.de root.cell -cell lrz-muenchen.de -fast || true fs mkm /afs/example.com/.root.afs/ipp-garching.mpg.de root.cell -cell ipp-garching.mpg.de -fast || true fs mkm /afs/example.com/.root.afs/mpe.mpg.de root.cell -cell mpe.mpg.de -fast || true fs mkm /afs/example.com/.root.afs/i1.informatik.rwth-aachen.de root.cell -cell i1.informatik.rwth-aachen.de -fast || true fs mkm /afs/example.com/.root.afs/combi.tfh-wildau.de root.cell -cell combi.tfh-wildau.de -fast || true fs mkm /afs/example.com/.root.afs/tu-bs.de root.cell -cell tu-bs.de -fast || true fs mkm /afs/example.com/.root.afs/tu-chemnitz.de root.cell -cell tu-chemnitz.de -fast || true fs mkm /afs/example.com/.root.afs/e18.ph.tum.de root.cell -cell e18.ph.tum.de -fast || true fs mkm /afs/example.com/.root.afs/uni-bonn.de root.cell -cell uni-bonn.de -fast || true fs mkm /afs/example.com/.root.afs/atlass01.physik.uni-bonn.de root.cell -cell atlass01.physik.uni-bonn.de -fast || true fs mkm /afs/example.com/.root.afs/uni-freiburg.de root.cell -cell uni-freiburg.de -fast || true fs mkm /afs/example.com/.root.afs/physik.uni-freiburg.de root.cell -cell physik.uni-freiburg.de -fast || true fs mkm /afs/example.com/.root.afs/urz.uni-heidelberg.de root.cell -cell urz.uni-heidelberg.de -fast || true fs mkm /afs/example.com/.root.afs/uni-hohenheim.de root.cell -cell uni-hohenheim.de -fast || true fs mkm /afs/example.com/.root.afs/rz.uni-jena.de root.cell -cell rz.uni-jena.de -fast || true fs mkm /afs/example.com/.root.afs/impetus.uni-koeln.de root.cell -cell impetus.uni-koeln.de -fast || true fs mkm /afs/example.com/.root.afs/meteo.uni-koeln.de root.cell -cell meteo.uni-koeln.de -fast || true fs mkm /afs/example.com/.root.afs/rrz.uni-koeln.de root.cell -cell rrz.uni-koeln.de -fast || true fs mkm /afs/example.com/.root.afs/physik.uni-mainz.de root.cell -cell physik.uni-mainz.de -fast || true fs mkm /afs/example.com/.root.afs/uni-mannheim.de root.cell -cell uni-mannheim.de -fast || true fs mkm /afs/example.com/.root.afs/uni-paderborn.de root.cell -cell uni-paderborn.de -fast || true fs mkm /afs/example.com/.root.afs/physik.uni-wuppertal.de root.cell -cell physik.uni-wuppertal.de -fast || true fs mkm /afs/example.com/.root.afs/s-et.aau.dk root.cell -cell s-et.aau.dk -fast || true fs mkm /afs/example.com/.root.afs/ies.auc.dk root.cell -cell ies.auc.dk -fast || true fs mkm /afs/example.com/.root.afs/asu.edu root.cell -cell asu.edu -fast || true fs mkm /afs/example.com/.root.afs/eecs.berkeley.edu root.cell -cell eecs.berkeley.edu -fast || true fs mkm /afs/example.com/.root.afs/hep.caltech.edu root.cell -cell hep.caltech.edu -fast || true fs mkm /afs/example.com/.root.afs/ugcs.caltech.edu root.cell -cell ugcs.caltech.edu -fast || true fs mkm /afs/example.com/.root.afs/clarkson.edu root.cell -cell clarkson.edu -fast || true fs mkm /afs/example.com/.root.afs/andrew.cmu.edu root.cell -cell andrew.cmu.edu -fast || true fs mkm /afs/example.com/.root.afs/club.cc.cmu.edu root.cell -cell club.cc.cmu.edu -fast || true fs mkm /afs/example.com/.root.afs/chem.cmu.edu root.cell -cell chem.cmu.edu -fast || true fs mkm /afs/example.com/.root.afs/cs.cmu.edu root.cell -cell cs.cmu.edu -fast || true fs mkm /afs/example.com/.root.afs/ece.cmu.edu root.cell -cell ece.cmu.edu -fast || true fs mkm /afs/example.com/.root.afs/scotch.ece.cmu.edu root.cell -cell scotch.ece.cmu.edu -fast || true fs mkm /afs/example.com/.root.afs/qatar.cmu.edu root.cell -cell qatar.cmu.edu -fast || true fs mkm /afs/example.com/.root.afs/sbp.ri.cmu.edu root.cell -cell sbp.ri.cmu.edu -fast || true fs mkm /afs/example.com/.root.afs/cnf.cornell.edu root.cell -cell cnf.cornell.edu -fast || true fs mkm /afs/example.com/.root.afs/msc.cornell.edu root.cell -cell msc.cornell.edu -fast || true fs mkm /afs/example.com/.root.afs/dbic.dartmouth.edu root.cell -cell dbic.dartmouth.edu -fast || true fs mkm /afs/example.com/.root.afs/northstar.dartmouth.edu root.cell -cell northstar.dartmouth.edu -fast || true fs mkm /afs/example.com/.root.afs/cs.hm.edu root.cell -cell cs.hm.edu -fast || true fs mkm /afs/example.com/.root.afs/eecs.harvard.edu root.cell -cell eecs.harvard.edu -fast || true fs mkm /afs/example.com/.root.afs/iastate.edu root.cell -cell iastate.edu -fast || true fs mkm /afs/example.com/.root.afs/athena.mit.edu root.cell -cell athena.mit.edu -fast || true fs mkm /afs/example.com/.root.afs/dev.mit.edu root.cell -cell dev.mit.edu -fast || true fs mkm /afs/example.com/.root.afs/net.mit.edu root.cell -cell net.mit.edu -fast || true fs mkm /afs/example.com/.root.afs/sipb.mit.edu root.cell -cell sipb.mit.edu -fast || true fs mkm /afs/example.com/.root.afs/soap.mit.edu root.cell -cell soap.mit.edu -fast || true fs mkm /afs/example.com/.root.afs/msu.edu root.cell -cell msu.edu -fast || true fs mkm /afs/example.com/.root.afs/nd.edu root.cell -cell nd.edu -fast || true fs mkm /afs/example.com/.root.afs/crc.nd.edu root.cell -cell crc.nd.edu -fast || true fs mkm /afs/example.com/.root.afs/pitt.edu root.cell -cell pitt.edu -fast || true fs mkm /afs/example.com/.root.afs/cs.pitt.edu root.cell -cell cs.pitt.edu -fast || true fs mkm /afs/example.com/.root.afs/psc.edu root.cell -cell psc.edu -fast || true fs mkm /afs/example.com/.root.afs/scoobydoo.psc.edu root.cell -cell scoobydoo.psc.edu -fast || true fs mkm /afs/example.com/.root.afs/cede.psu.edu root.cell -cell cede.psu.edu -fast || true fs mkm /afs/example.com/.root.afs/rose-hulman.edu root.cell -cell rose-hulman.edu -fast || true fs mkm /afs/example.com/.root.afs/cs.rose-hulman.edu root.cell -cell cs.rose-hulman.edu -fast || true fs mkm /afs/example.com/.root.afs/rpi.edu root.cell -cell rpi.edu -fast || true fs mkm /afs/example.com/.root.afs/hep.sc.edu root.cell -cell hep.sc.edu -fast || true fs mkm /afs/example.com/.root.afs/cs.stanford.edu root.cell -cell cs.stanford.edu -fast || true fs mkm /afs/example.com/.root.afs/ir.stanford.edu root.cell -cell ir.stanford.edu -fast || true fs mkm /afs/example.com/.root.afs/slac.stanford.edu root.cell -cell slac.stanford.edu -fast || true fs mkm /afs/example.com/.root.afs/ucdavis.edu root.cell -cell ucdavis.edu -fast || true fs mkm /afs/example.com/.root.afs/home.ucdavis.edu root.cell -cell home.ucdavis.edu -fast || true fs mkm /afs/example.com/.root.afs/physics.ucsb.edu root.cell -cell physics.ucsb.edu -fast || true fs mkm /afs/example.com/.root.afs/cats.ucsc.edu root.cell -cell cats.ucsc.edu -fast || true fs mkm /afs/example.com/.root.afs/acm.uiuc.edu root.cell -cell acm.uiuc.edu -fast || true fs mkm /afs/example.com/.root.afs/illigal.uiuc.edu root.cell -cell illigal.uiuc.edu -fast || true fs mkm /afs/example.com/.root.afs/ncsa.uiuc.edu root.cell -cell ncsa.uiuc.edu -fast || true fs mkm /afs/example.com/.root.afs/umbc.edu root.cell -cell umbc.edu -fast || true fs mkm /afs/example.com/.root.afs/glue.umd.edu root.cell -cell glue.umd.edu -fast || true fs mkm /afs/example.com/.root.afs/wam.umd.edu root.cell -cell wam.umd.edu -fast || true fs mkm /afs/example.com/.root.afs/umich.edu root.cell -cell umich.edu -fast || true fs mkm /afs/example.com/.root.afs/atlas.umich.edu root.cell -cell atlas.umich.edu -fast || true fs mkm /afs/example.com/.root.afs/citi.umich.edu root.cell -cell citi.umich.edu -fast || true fs mkm /afs/example.com/.root.afs/lsa.umich.edu root.cell -cell lsa.umich.edu -fast || true fs mkm /afs/example.com/.root.afs/sph.umich.edu root.cell -cell sph.umich.edu -fast || true fs mkm /afs/example.com/.root.afs/isis.unc.edu root.cell -cell isis.unc.edu -fast || true fs mkm /afs/example.com/.root.afs/physics.unc.edu root.cell -cell physics.unc.edu -fast || true fs mkm /afs/example.com/.root.afs/uncc.edu root.cell -cell uncc.edu -fast || true fs mkm /afs/example.com/.root.afs/eng.utah.edu root.cell -cell eng.utah.edu -fast || true fs mkm /afs/example.com/.root.afs/cs.uwm.edu root.cell -cell cs.uwm.edu -fast || true fs mkm /afs/example.com/.root.afs/cs.wisc.edu root.cell -cell cs.wisc.edu -fast || true fs mkm /afs/example.com/.root.afs/engr.wisc.edu root.cell -cell engr.wisc.edu -fast || true fs mkm /afs/example.com/.root.afs/hep.wisc.edu root.cell -cell hep.wisc.edu -fast || true fs mkm /afs/example.com/.root.afs/physics.wisc.edu root.cell -cell physics.wisc.edu -fast || true fs mkm /afs/example.com/.root.afs/ciemat.es root.cell -cell ciemat.es -fast || true fs mkm /afs/example.com/.root.afs/ifca.unican.es root.cell -cell ifca.unican.es -fast || true fs mkm /afs/example.com/.root.afs/ific.uv.es root.cell -cell ific.uv.es -fast || true fs mkm /afs/example.com/.root.afs/biocenter.helsinki.fi root.cell -cell biocenter.helsinki.fi -fast || true fs mkm /afs/example.com/.root.afs/dapnia.saclay.cea.fr root.cell -cell dapnia.saclay.cea.fr -fast || true fs mkm /afs/example.com/.root.afs/grif.fr root.cell -cell grif.fr -fast || true fs mkm /afs/example.com/.root.afs/in2p3.fr root.cell -cell in2p3.fr -fast || true fs mkm /afs/example.com/.root.afs/mcc.ac.gb root.cell -cell mcc.ac.gb -fast || true fs mkm /afs/example.com/.root.afs/anl.gov root.cell -cell anl.gov -fast || true fs mkm /afs/example.com/.root.afs/rhic.bnl.gov root.cell -cell rhic.bnl.gov -fast || true fs mkm /afs/example.com/.root.afs/usatlas.bnl.gov root.cell -cell usatlas.bnl.gov -fast || true fs mkm /afs/example.com/.root.afs/fnal.gov root.cell -cell fnal.gov -fast || true fs mkm /afs/example.com/.root.afs/ic-afs.arc.nasa.gov root.cell -cell ic-afs.arc.nasa.gov -fast || true fs mkm /afs/example.com/.root.afs/jpl.nasa.gov root.cell -cell jpl.nasa.gov -fast || true fs mkm /afs/example.com/.root.afs/nersc.gov root.cell -cell nersc.gov -fast || true fs mkm /afs/example.com/.root.afs/bme.hu root.cell -cell bme.hu -fast || true fs mkm /afs/example.com/.root.afs/kfki.hu root.cell -cell kfki.hu -fast || true fs mkm /afs/example.com/.root.afs/caspur.it root.cell -cell caspur.it -fast || true fs mkm /afs/example.com/.root.afs/enea.it root.cell -cell enea.it -fast || true fs mkm /afs/example.com/.root.afs/fusione.it root.cell -cell fusione.it -fast || true fs mkm /afs/example.com/.root.afs/icemb.it root.cell -cell icemb.it -fast || true fs mkm /afs/example.com/.root.afs/infn.it root.cell -cell infn.it -fast || true fs mkm /afs/example.com/.root.afs/ba.infn.it root.cell -cell ba.infn.it -fast || true fs mkm /afs/example.com/.root.afs/kloe.infn.it root.cell -cell kloe.infn.it -fast || true fs mkm /afs/example.com/.root.afs/le.infn.it root.cell -cell le.infn.it -fast || true fs mkm /afs/example.com/.root.afs/lnf.infn.it root.cell -cell lnf.infn.it -fast || true fs mkm /afs/example.com/.root.afs/lngs.infn.it root.cell -cell lngs.infn.it -fast || true fs mkm /afs/example.com/.root.afs/pi.infn.it root.cell -cell pi.infn.it -fast || true fs mkm /afs/example.com/.root.afs/psm.it root.cell -cell psm.it -fast || true fs mkm /afs/example.com/.root.afs/tgrid.it root.cell -cell tgrid.it -fast || true fs mkm /afs/example.com/.root.afs/ictp.trieste.it root.cell -cell ictp.trieste.it -fast || true fs mkm /afs/example.com/.root.afs/math.unifi.it root.cell -cell math.unifi.it -fast || true fs mkm /afs/example.com/.root.afs/ing.uniroma1.it root.cell -cell ing.uniroma1.it -fast || true fs mkm /afs/example.com/.root.afs/dia.uniroma3.it root.cell -cell dia.uniroma3.it -fast || true fs mkm /afs/example.com/.root.afs/vn.uniroma3.it root.cell -cell vn.uniroma3.it -fast || true fs mkm /afs/example.com/.root.afs/italia root.cell -cell italia -fast || true fs mkm /afs/example.com/.root.afs/cmf.nrl.navy.mil root.cell -cell cmf.nrl.navy.mil -fast || true fs mkm /afs/example.com/.root.afs/lcp.nrl.navy.mil root.cell -cell lcp.nrl.navy.mil -fast || true fs mkm /afs/example.com/.root.afs/es.net root.cell -cell es.net -fast || true fs mkm /afs/example.com/.root.afs/laroia.net root.cell -cell laroia.net -fast || true fs mkm /afs/example.com/.root.afs/sinenomine.net root.cell -cell sinenomine.net -fast || true fs mkm /afs/example.com/.root.afs/slackers.net root.cell -cell slackers.net -fast || true fs mkm /afs/example.com/.root.afs/tproa.net root.cell -cell tproa.net -fast || true fs mkm /afs/example.com/.root.afs/interdose.net root.cell -cell interdose.net -fast || true fs mkm /afs/example.com/.root.afs/nikhef.nl root.cell -cell nikhef.nl -fast || true fs mkm /afs/example.com/.root.afs/1ts.org root.cell -cell 1ts.org -fast || true fs mkm /afs/example.com/.root.afs/acm-csuf.org root.cell -cell acm-csuf.org -fast || true fs mkm /afs/example.com/.root.afs/bazquux.org root.cell -cell bazquux.org -fast || true fs mkm /afs/example.com/.root.afs/coed.org root.cell -cell coed.org -fast || true fs mkm /afs/example.com/.root.afs/dementia.org root.cell -cell dementia.org -fast || true fs mkm /afs/example.com/.root.afs/dsrw.org root.cell -cell dsrw.org -fast || true fs mkm /afs/example.com/.root.afs/hackish.org root.cell -cell hackish.org -fast || true fs mkm /afs/example.com/.root.afs/idahofuturetruck.org root.cell -cell idahofuturetruck.org -fast || true fs mkm /afs/example.com/.root.afs/mrph.org root.cell -cell mrph.org -fast || true fs mkm /afs/example.com/.root.afs/nimlabs.org root.cell -cell nimlabs.org -fast || true fs mkm /afs/example.com/.root.afs/nomh.org root.cell -cell nomh.org -fast || true fs mkm /afs/example.com/.root.afs/oc7.org root.cell -cell oc7.org -fast || true fs mkm /afs/example.com/.root.afs/riscpkg.org root.cell -cell riscpkg.org -fast || true fs mkm /afs/example.com/.root.afs/kth.se root.cell -cell kth.se -fast || true fs mkm /afs/example.com/.root.afs/hallf.kth.se root.cell -cell hallf.kth.se -fast || true fs mkm /afs/example.com/.root.afs/isk.kth.se root.cell -cell isk.kth.se -fast || true fs mkm /afs/example.com/.root.afs/it.kth.se root.cell -cell it.kth.se -fast || true fs mkm /afs/example.com/.root.afs/md.kth.se root.cell -cell md.kth.se -fast || true fs mkm /afs/example.com/.root.afs/mech.kth.se root.cell -cell mech.kth.se -fast || true fs mkm /afs/example.com/.root.afs/nada.kth.se root.cell -cell nada.kth.se -fast || true fs mkm /afs/example.com/.root.afs/pdc.kth.se root.cell -cell pdc.kth.se -fast || true fs mkm /afs/example.com/.root.afs/stacken.kth.se root.cell -cell stacken.kth.se -fast || true fs mkm /afs/example.com/.root.afs/syd.kth.se root.cell -cell syd.kth.se -fast || true fs mkm /afs/example.com/.root.afs/physto.se root.cell -cell physto.se -fast || true fs mkm /afs/example.com/.root.afs/sanchin.se root.cell -cell sanchin.se -fast || true fs mkm /afs/example.com/.root.afs/su.se root.cell -cell su.se -fast || true fs mkm /afs/example.com/.root.afs/f9.ijs.si root.cell -cell f9.ijs.si -fast || true fs mkm /afs/example.com/.root.afs/p-ng.si root.cell -cell p-ng.si -fast || true fs mkm /afs/example.com/.root.afs/hep-ex.physics.metu.edu.tr root.cell -cell hep-ex.physics.metu.edu.tr -fast || true fs mkm /afs/example.com/.root.afs/phy.bris.ac.uk root.cell -cell phy.bris.ac.uk -fast || true fs mkm /afs/example.com/.root.afs/inf.ed.ac.uk root.cell -cell inf.ed.ac.uk -fast || true fs mkm /afs/example.com/.root.afs/ic.ac.uk root.cell -cell ic.ac.uk -fast || true fs mkm /afs/example.com/.root.afs/hep.man.ac.uk root.cell -cell hep.man.ac.uk -fast || true fs mkm /afs/example.com/.root.afs/rl.ac.uk root.cell -cell rl.ac.uk -fast || true fs sa /afs/example.com system:anyuser rl fs mkm /afs/example.com/.root.afs/.example.com root.cell -cell example.com -rw fs mkm /afs/example.com/.root.afs/.root.afs root.afs -rw vos create kas1 a user -localauth Volume 536870918 created on partition /vicepa of kas1 fs mkm /afs/example.com/user user fs sa /afs/example.com/user system:anyuser rl vos create kas1 a service -localauth Volume 536870921 created on partition /vicepa of kas1 fs mkm /afs/example.com/service service fs sa /afs/example.com/service system:anyuser rl ln -s example.com /afs/example.com/.root.afs/example ln -s .example.com /afs/example.com/.root.afs/.example fs rmm /afs/example.com/.root.afs vos addsite kas1 a root.afs -localauth Added replication site kas1 /vicepa for volume root.afs vos addsite kas1 a root.cell -localauth Added replication site kas1 /vicepa for volume root.cell vos release root.afs -localauth Released volume root.afs successfully vos release root.cell -localauth Released volume root.cell successfully ~# _ The answer given to the question "What partition?" − a − is the only one possible, because it relates to the previously configured AFS partition, /vicepa/. 19. AFS client & test Now that the OpenAFS server is up and running, enable the OpenAFS client. It was installed much earlier, but configured not to start up automatically. Change that by editing /etc/openafs/afs.conf.client and changing the following line: AFS_CLIENT=true Now restart the client: ~# /etc/init.d/openafs-client restart Stopping AFS services: afsd openafs. Starting AFS services: openafs afsd. afsd: All AFS daemons started. ~# _ After the AFS client has been started, check out the contents of the new AFS volume in the /afs/ directory: ~# ls /afs | head 1ts.org/ acm-csuf.org/ acm.uiuc.edu/ ams.cern.ch/ andrew.cmu.edu/ anl.gov/ asu.edu/ athena.mit.edu/ atlass01.physik.uni-bonn.de/ atlas.umich.edu/ ~# ls /afs | wc -l 188 ~# _ Besides those for the local cell, /afs/example.com and /afs/.example.com, the afs-rootvol script is also responsible for creating all of the other directories (AFS mount points) in the /afs/ directory, but these can easily be created or removed. As opposed to the other 186 directories, those for the local cell are not visible globally; for that, a request would have to be submitted to have them included in the global CellServDB file. However, the fact that its existence has not been published officially does not necessarily mean that it is inaccessible from the Internet, so local security is still important. 20. New account & test To add a new user account to this system, the account must be added to both Kerberos and OpenAFS. In this exercise, the new account will be ccolumbus and the password NewWorld. Start by creating the Kerberos account: ~# kadmin -p admin Authenticating as principal admin with password. Password for admin@EXAMPLE.COM: xanthina kadmin: addprinc ccolumbus WARNING: no policy specified for ccolumbus@EXAMPLE.COM; defaulting to no policy Enter password for principal "ccolumbus@EXAMPLE.COM": NewWorld Re-enter password for principal "ccolumbus@EXAMPLE.COM": NewWorld Principal "ccolumbus@EXAMPLE.COM" created. kadmin: q ~# _ Before the AFS account can be created, obtain a Kerberos ticket for the admin account, as well as the matching AFS token for it: ~# kinit admin ; aklog Password for admin@EXAMPLE.COM: xanthina root@kas1:~# klist -5 Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin@EXAMPLE.COM Valid starting Expires Service principal 02/26/10 16:44:47 02/27/10 16:44:43 krbtgt/EXAMPLE.COM@EXAMPLE.COM 02/26/10 16:44:47 02/27/10 16:44:43 afs/example.com@EXAMPLE.COM ~# _ Use the following command to create the new AFS account: ~# pts createuser -name ccolumbus -id 20001 User ccolumbus has id 20001 ~# _ Now that the account for user ccolumbus exists in both Kerberos and OpenAFS, a corresponding AFS data volume must also be created for it that will be mounted in the location of the user's home directory in AFS: ~# vos create -server kas1 -partition /vicepa \ -name user.ccolumbus -maxquota 100000 Volume 536870927 created on partition /vicepa of kas1 ~# _ NB: Since the maximum space quota for the user is given in kilobytes, this will create a read/write volume of a mere 100 MB for the user. Should it later become necessary to increase the space quota for this volume, that can easily be done with the fs setquota command. The following command will display information about the new volume: ~# vos examine -id user.ccolumbus user.ccolumbus 536870927 RW 2 K On-line kas1.example.com /vicepa RWrite 536870927 ROnly 0 Backup 0 MaxQuota 100000 K Creation Fri Feb 26 17:24:33 2010 Copy Fri Feb 26 17:24:33 2010 Backup Never Last Update Never RWrite: 536870927 number of sites -> 1 server kas1.example.com partition /vicepa RW Site ~# _ Once a volume has been created for an account, it should be mounted in a proper location: in this case /afs/example.com/user/c/cc/ccolumbus/. Instead of using a more shallow directory structure, such as e.g. /afs/example.com/user/ccolumbus/, those that use the two extra sublevels follow an AFS convention that allows many libnss-afs and third-party management scripts to be used without modification. Create the necessary two-sublevel directory structure to accomodate the new user volume: ~# mkdir -p /afs/example.com/user/c/cc ~# _ Now create the mount point for the new user volume: ~# fs mkmount -dir /afs/example.com/user/c/cc/ccolumbus \ -vol user.ccolumbus -rw ~# _ If a mistake is made, the mount point can be removed again with the fs rmmount command. This command can be used to view information about a (possible) AFS mount point: ~# fs lsmount -dir /afs/example.com/user/c/cc '/afs/example.com/user/c/cc' is not a mount point. ~# fs lsmount -dir /afs/example.com/user/c/cc/ccolumbus '/afs/example.com/user/c/cc/ccolumbus' is a mount point for volume '%user.ccolumbus' ~# _ Once this information is known, the vos examine command can be used to display information about the volume in question as shown above. Or, a related command can be used: ~# fs examine -p /afs/example.com/user/c/cc/ccolumbus File /afs/example.com/user/c/cc/ccolumbus (536870927.1.1) contained in volume 536870927 Volume status for vid = 536870927 named user.ccolumbus Current disk quota is 100000 Current blocks used are 2 The partition has 3843644 blocks available out of 3918688 ~# _ Finally, there is the issue of permissions. By default, the new account does not have any rights in the volume that was just created for it: ~# fs listacl -path /afs/example.com/user/c/cc/ccolumbus Access list for /afs/example.com/user/c/cc/ccolumbus is Normal rights: system:administrators rlidwka ~# _ Grant the new account all rights to its namesake volume with this command: ~# fs setacl -dir /afs/example.com/user/c/cc/ccolumbus -acl ccolumbus all ~# _ Now verify that the new account has the appropriate access: ~# fs listacl -path /afs/example.com/user/c/cc/ccolumbus Access list for /afs/example.com/user/c/cc/ccolumbus is Normal rights: system:administrators rlidwka ccolumbus rlidwka ~# _ To test that the new account works, first logout of AFS and Kerberos and login as the new user: ~# unlog ; kdestroy ~# kinit ccolumbus ; aklog Password for ccolumbus@EXAMPLE.COM: NewWorld ~# _ Now, as ccolumbus, make an attempt to write information to the account's new home directory: ~# date > /afs/example.com/user/c/cc/ccolumbus/date.txt ~# cat /afs/example.com/user/c/cc/ccolumbus/date.txt Fri Feb 26 22:54:08 CET 2010 ~# That was a success! 21. See also 22. Further reading
23. Sources
Last modified: 2017-08-02, 17:50
©2003-2020 RJ Systems. Permission is granted to copy, distribute and/or modify the content of this page under the terms of the OpenContent License, version 1.0. |