From 27b66f24aad04d1e74a7aa43d6ebcca0b98af18f Mon Sep 17 00:00:00 2001 From: Benjamin Kaduk Date: Thu, 30 Oct 2014 19:38:50 -0400 Subject: [PATCH] Attempt to make the server install bits current Avoid using -noauth, and mention both the rxkad.keytab (1.6) and the KeyFileExt (as 1.8, though it's only master at present). To support these, move forward the use of kadmin to extract the afs/cell principal's keytab. Move the buserver's creation to the end of the list and mark it as optional (many sites do not run the AFS backup suite). Deindent some programlisting blocks so they don't flow off the page as much in the PDF version. Drop vos syncserv and vos syncvldb from the tasks for setting up a new server; they should not be needed, as the new db server should pick up the existing database when it joins the quorum. General edits for clarity, whitespace and such. Change-Id: I951ec3ee237e4c83a17c82802328f0a454b61097 Reviewed-on: http://gerrit.openafs.org/11581 Tested-by: BuildBot Reviewed-by: D Brashear --- doc/xml/QuickStartUnix/auqbg003.xml | 9 +- doc/xml/QuickStartUnix/auqbg004.xml | 79 +++-- doc/xml/QuickStartUnix/auqbg005.xml | 472 ++++++++++++++-------------- 3 files changed, 289 insertions(+), 271 deletions(-) diff --git a/doc/xml/QuickStartUnix/auqbg003.xml b/doc/xml/QuickStartUnix/auqbg003.xml index 4c360414c..ec7a1ba69 100644 --- a/doc/xml/QuickStartUnix/auqbg003.xml +++ b/doc/xml/QuickStartUnix/auqbg003.xml @@ -40,7 +40,14 @@ Related Documents The OpenAFS documentation set also includes the following - documents. + documents. Large portions of them are as released to the community + by IBM, and are not directly applicable to current releases of + OpenAFS. This document uses the legacy "Transarc" paths + (/usr/afs, + /usr/vice, etc.), which do not + correspond to the normal file system hierarchy on many modern + machines; the paths may need to be substituted according to + the local software installation. OpenAFS Administration Guide 
diff --git a/doc/xml/QuickStartUnix/auqbg004.xml b/doc/xml/QuickStartUnix/auqbg004.xml index c21124510..54e9332cb 100644 --- a/doc/xml/QuickStartUnix/auqbg004.xml +++ b/doc/xml/QuickStartUnix/auqbg004.xml @@ -10,8 +10,9 @@ read this chapter and the material from the OpenAFS Administration Guide listed in Recommended Reading List. It is also best to - read through Installing the First AFS - Machine before beginning the installation, so that you understand + read the entirety of certain sections of this document, in particular + Installing the First AFS + Machine, before beginning the installation, so that you understand the overall scope of the installation procedure. Similarly, before installing additional server or client machines it is best to read through Installing Additional Server @@ -27,7 +28,9 @@ authentication, please see the notes in kaserver and legacy Kerberos 5 authentication and the rest of Appendix B for how the installation - steps will differ from those described in the rest of this guide. + steps will differ from those described in the rest of this guide. + Do not use the kaserver for new + deployments of AFS; it uses extremely insecure cryptography. The Procedures Described in this Guide @@ -47,8 +50,7 @@ Incorporating AFS Into the Kernel You must incorporate AFS modifications into the kernel of - every client machine. On some operating systems you must also - incorporate these modifications into the kernels of server machines. + every client machine. Depending on the operating system, you either use a program for dynamic kernel loading, build a new static kernel, or can choose between the @@ -76,6 +78,12 @@ The first server machine in a cell performs several functions: + + It acts as the first database server + machine, running the server processes that + maintain the AFS administrative databases + + It may act as the system control machine, distributing certain 
@@ -88,15 +96,13 @@ machine for its system type, distributing AFS binaries to other server machines of its system type - - - It acts as the first database server - machine, running the server processes that - maintain the AFS administrative databases - + The latter two functions are performed by the Update Server, + which is considered to be deprecated and may be removed in a + future release. + After you install server and client functionality, you complete other procedures specific to the first machine, including setting up the top levels of your cell's AFS filespace. @@ -272,7 +278,8 @@ Login Identity Log into the machine you are installing as the local superuser root. When instructed, - also authenticate with AFS as the administrative user admin. + also authenticate to AFS using Kerberos as the administrative + user admin. overview general installation requirements @@ -290,7 +297,8 @@ You must have a Kerberos 5 realm running for your site, and the ability to create new principals within that realm. If you are - working with an existing cell using kaserver + working with an existing cell using the deprecated + kaserver or Kerberos v4 authentication, please see kaserver and legacy Kerberos 4 authentication for modifications to the following instructions. 
@@ -361,12 +369,10 @@ - The partition mounted on the /usr directory must have at least 18 MB of disk space - - available for storing the AFS server binaries (stored by convention in the /usr/afs/bin - directory). If the machine is also a client, there must be additional local disk space available, as specified in Client Machine Requirements. The complete set of AFS binaries requires yet more space, but they - are normally stored in an AFS volume rather than on a machine's local disk. + The partition mounted on the + /usr directory must have + a sufficient amount of space to hold the AFS binaries that will + be used; a few hundred MB should be more than sufficient. More significant amounts of space on the partition are required by the administrative databases stored in the /usr/afs/db directory and the server process log files stored in the - There must be at least one partition (or logical volume, if the operating system and AFS support them) dedicated - exclusively to storing AFS volumes. The total number and size of server partitions on all file server machines in the cell + There should be at least one partition (or logical + volume, if the operating system and AFS support them) dedicated + exclusively to storing AFS volumes. Special configuration is + required to use non-dedicated partitions as the backing store + for AFS file data. The total number and size of server + partitions on all file server machines in the cell determines how much space is available for AFS files. 
@@ -399,22 +409,24 @@ - The partition mounted on the /usr directory must have at least 4 MB of disk space - available for storing the AFS client binaries and kernel library files (stored by convention in the /usr/vice/etc directory). The complete set of AFS binaries requires more space, but they are - normally stored in an AFS volume rather than on a machine's local disk. For most system types, the instructions have you - copy only the one kernel library file appropriate for the machine you are installing. If you choose to store all of the - library files on the local disk, the space requirement can be significantly greater. + The partition mounted on the + /usr directory must have + a sufficient amount of disk space to store the AFS binaries that + will be used; a few hundred MB should be more than sufficient. On a client machine that uses a disk cache, there must be enough free space on the cache partition (by convention, mounted on the /usr/vice/cache directory) to accommodate the cache. The minimum - recommended cache size is 10 MB, but larger caches generally perform better. + recommended cache size is 50 MB, but larger caches generally + perform better. It is recommended to have a dedicated partition + for this cache, as the client does not degrade gracefully when + the partition containing the cache is filled by other + processes. - On a client machine that uses a memory cache, there must be at least 5 MB of machine memory to devote to caching, + On a client machine that uses a memory cache, there must be at least 50 MB of machine memory to devote to caching, but again more memory generally leads to better performance. For further discussion, see the sections in Installing Additional Client Machines about configuring the cache. 
@@ -462,8 +474,13 @@ About Upgrading the Operating System - Whenever you upgrade an AFS machine to a different operating system, you must take several actions to maintain proper AFS - functionality. These actions include, but are not necessarily limited to, the following. + On most modern systems, using Kerberos 5 for authentication and + the namei fileserver backend, no particular precautions need to be + taken across operating system upgrades. Legacy confiruations + involving kaserver authentication or inode fileserver backends + will need to undertake the following precautions. + + These actions include, but are not necessarily limited to, the following. On platforms running the inode fileserver, unmount the AFS server partitions (mounted at /vicepxx directories) on all file server machines, to prevent the vendor-supplied fsck program diff --git a/doc/xml/QuickStartUnix/auqbg005.xml b/doc/xml/QuickStartUnix/auqbg005.xml index fcf6e256a..434af648b 100644 --- a/doc/xml/QuickStartUnix/auqbg005.xml +++ b/doc/xml/QuickStartUnix/auqbg005.xml @@ -59,7 +59,7 @@ You have a Kerberos v5 realm running for your site. If you are - working with an existing cell which uses + working with an existing cell which uses legacy kaserver or Kerberos v4 for authentication, please see kaserver and Legacy Kerberos v4 Authentication @@ -172,7 +172,8 @@ - On some system types, install and configure an AFS-modified version of the fsck + On some system types (very rare), install and configure + an AFS-modified version of the fsck program 
@@ -212,12 +213,12 @@ Choosing the First AFS Machine - The first AFS machine you install must have sufficient disk space to store AFS volumes. To take best advantage of AFS's - capabilities, store client-side binaries as well as user files in volumes. When you later install additional file server + The first AFS machine you install must have sufficient disk space to store AFS volumes. + When you later install additional file server machines in your cell, you can distribute these volumes among the different machines as you see fit. - These instructions configure the first AFS machine as a database server machine, the binary - distribution machine for its system type, and the cell's system control machine. For a + These instructions configure the first AFS machine as a database server machine, and optionally as the binary + distribution machine for its system type and the cell's system control machine. For a description of these roles, see the OpenAFS Administration Guide. Installation of additional machines is simplest if the first machine has the lowest IP address of any database server @@ -281,7 +282,10 @@ packages for client and server functionality, and a seperate package containing a suitable kernel module for your running kernel. Consult the package lists on the OpenAFS website to determine the packages - appropriate for your system. + appropriate for your system. The preparer of such packages may + have included some helper scripts to partially automate the + creation of a new cell; such scripts can supersede much of the + procedures described in the rest of this document. If you are installing from a tarfile, or from a locally compiled source tree you should create the /usr/afs 
@@ -327,7 +331,10 @@ the AFS fileservers, must incorporate AFS extensions. On machines that use a dynamic kernel module loader, it is conventional to alter the machine's initialization script to load the AFS extensions - at each reboot. + at each reboot. The preparer of OS-format binary packages + may have included an init script which automates the loading + of the needed kernel module, eliminating a need to manually + configure this step. AFS server partition mounted on /vicep directory @@ -361,7 +368,7 @@ Configure server partitions or logical volumes to house AFS volumes. - Every AFS file server machine must have at least one partition or logical volume dedicated to storing AFS volumes + Every AFS file server machine should have at least one partition or logical volume dedicated to storing AFS volumes (for convenience, the documentation hereafter refers to partitions only). Each server partition is mounted at a directory named /vicepxx, where xx is one or two lowercase letters. By convention, the first 26 partitions are mounted on the directories called fileserver will refuse to mount any /vicepxx - folders that are not separate partitions. + folders that are not separate partitions without additional + configuration. The separate partition requirement may be overridden by @@ -406,7 +414,7 @@ - On system types using the inode storage format, install and configure a modified fsck program which + On (rare) system types using the inode storage format, install and configure a modified fsck program which recognizes the structures that the File Server uses to organize volume data on AFS server partitions. The fsck program provided with the operating system does not understand the AFS data structures, and so removes them to the lost+found directory. 
@@ -522,13 +530,15 @@ The procedure for starting up OpenAFS depends upon your distribution Fedora and RedHat Enterprise Linux - OpenAFS provides RPMS for all current Fedora and RedHat Enterprise Linux (RHEL) releases on the OpenAFS web site and the OpenAFS yum repository. + OpenAFS provides RPMS for all current Fedora and + RedHat Enterprise Linux (RHEL) releases prior to EL7 on the + OpenAFS web site and the OpenAFS yum repository. Browse to http://dl.openafs.org/dl/openafs/VERSION, where VERSION is the latest stable release of - OpenAFS. Download the + OpenAFS for Unix. Download the openafs-repository-VERSION.noarch.rpm file for Fedora systems or the openafs-repository-rhel-VERSION.noarch.rpm @@ -538,14 +548,14 @@ Install the downloaded RPM file using the following command: - # rpm -U openafs-repository*.rpm +# rpm -U openafs-repository*.rpm Install the RPM set for your operating system using the yum command as follows: - # yum -y install openafs-client openafs-server openafs-krb5 kmod-openafs +# yum -y install openafs-client openafs-server openafs-krb5 kmod-openafs @@ -557,7 +567,7 @@ To use dynamically-compiled kernel modules instead of statically compiled modules, use the following command instead of the kmod-openafs as shown above: - # yum install openafs-client openafs-server openafs-krb5 dkms-openafs +# yum install openafs-client openafs-server openafs-krb5 dkms-openafs @@ -847,7 +857,8 @@ auth required pam_unix.so try_first_pass details on the available options for the PAM configuration, see the Linux PAM documentation. - Sites which still require kaserver or + Sites which still require the deprecated + kaserver or external Kerberos v4 authentication should consult Enabling kaserver based AFS Login on Linux Systems for details of how to enable AFS login on Linux. 
@@ -1752,22 +1763,26 @@ auth required pam_unix.so try_first_pass Starting the BOS Server You are now ready to start the AFS server processes on this machine. - If you are not working from a packaged distribution, begin by copying the - AFS server binaries from the distribution to the conventional local disk + If you are not working from a packaged distribution, begin by installing the + AFS server binaries to the conventional local disk location, the /usr/afs/bin directory. The following instructions also create files in other subdirectories of the /usr/afs directory. - Then issue the bosserver command to initialize the Basic OverSeer (BOS) Server, which - monitors and controls other AFS server processes on its server machine. Include the -noauth - flag to disable authorization checking. Because you have not yet configured your cell's AFS authentication and authorization - mechanisms, the BOS Server cannot perform authorization checking as it does during normal operation. In no-authorization mode, - it does not verify the identity or privilege of the issuer of a bos command, and so performs - any operation for anyone. - - Disabling authorization checking gravely compromises cell security. You must complete all subsequent steps in one - uninterrupted pass and must not leave the machine unattended until you restart the BOS Server with authorization checking - enabled, in Verifying the AFS Initialization Script. + Then obtain a krb5 keytab for use by the servers in the cell. + Once the keytab is in place, issue the + bosserver command to initialize + the Basic OverSeer (BOS) Server, which + monitors and controls other AFS server processes on its server machine. + Because you have not yet configured your cell's AFS authentication and authorization + mechanisms, you must always use the + -localauth flag to commands, to use a + printed token that does not correspond to a normal krb5 identity. 
+ Older versions of these instructions used the + -noauth flag, which completely disables + all authentication and authorization checking, allowing anyone at all + to control the system. Do not use this flag! It is highly insecure, + and is no longer needed. As it initializes for the first time, the BOS Server creates the following directories and files, setting the owner to the local superuser root and the mode bits to limit the ability to write (and in some cases, read) 
@@ -1849,13 +1864,153 @@ auth required pam_unix.so try_first_pass role="bold">ThisCell files in the /usr/vice/etc directory because they generally run on client machines. On machines that are AFS servers only (as this machine currently is), the files reside only in the /usr/afs/etc directory; the links enable the command interpreters to retrieve the information they need. - Later instructions for installing the client functionality replace the links with actual files. + Later instructions for installing the client functionality replace the links with actual files. + + Generating the Cell's Kerberos V5 Keys + + This guide uses krb5 for authentication; do not use the + legacy kaserver for new + installations. + This section creates only the cell-wide shared secret key; + administrative users will be created later in the procedure. + This cell-wide key has the principal name + afs/cell. + No user logs in under this identity, but it is used to encrypt the + server tickets that the KDC grants to AFS clients for presentation + to server processes during mutual authentication. (The + chapter in the OpenAFS Administration Guide + about cell configuration and administration describes the + role of server encryption keys in mutual authentication.) + The OpenAFS 1.8.x series stores the cell-wide shared keys in + the file /usr/afs/etc/KeyFileExt, + whereas the 1.6.x series uses a krb5 keytab format file in + /usr/afs/etc/rxkad.keytab. + These instructions create both files, but populating the + KeyFileExt file will only succeed + using the version of asetkey + from OpenAFS 1.8.x. + The examples below assume you are using MIT Kerberos. Please refer + to the documentation for your KDC's administrative interface if you are + using a different vendor + + + + Enter kadmin interactive mode. 
+ + # kadmin + Authenticating as principal you/admin@YOUR REALM with password + Password for you/admin@REALM: your_password + + server encryption key + + in Kerberos Database + + creating + + server encryption key + + Kerberos Database + + + + + Issue the + add_principal command to create + a Kerberos Database entry for + afs/<cell name>. + + Note that when creating the + afs/<cell name> + entry, the encryption type list does not include any single-DES + encryption types. If such encryption types are included, + additional asetkey commands + will be needed to place those keys in the legacy + KeyFile and ensure proper + operation of the cell. + For more details regarding encryption types, see the documentation + for your Kerberos installation. + + + kadmin: add_principal -randkey -e aes256-cts-hmac-sha1-96:normal,aes128-cts-hmac-sha1-96:normal afs/<cell name> + Principal "afs/cell name@REALM" created. + + + + + + Extract the newly created key for + afs/cell + to a keytab on the local machine. + + The keytab contains the key material that ensures the security of your AFS cell. You should ensure that it is kept in a secure location at all times. + + + kadmin: ktadd -k /usr/afs/etc/rxkad.keytab -e aes256-cts-hmac-sha1-96:normal,aes128-cts-hmac-sha1-96:normal afs/<cell name> + Entry for principal afs/<cell name> with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/usr/afs/etc/rxkad.keytab + Entry for principal afs/<cell name> with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/usr/afs/etc/rxkad.keytab + + Make a note of the key version number (kvno) given in the + response, as you will need it to load the key into + the KeyFileExt in a later + step + + Note that each time you run + ktadd a new key is generated + for the item being extracted. This means that you cannot run ktadd + multiple times and end up with the same key material each time. + + + + + Issue the quit command to leave kadmin + interactive mode. 
+ kadmin: quit + + + + + Issue the + asetkey command to set the AFS + server encryption key in the + /usr/afs/etc/KeyFileExt file. + This key + is created from the rxkad.keytab + file created earlier. + + asetkey requires the key version number (or kvno) of the + afs/cell + key, as well as the encryption type number of the key. + You should have made note of the kvno when creating the key + earlier. The key version number can also be found by running the + kvno command + + # kvno -kt /usr/afs/etc/rxkad.keytab + + The encryption type numbers can be found in the local krb5 + headers or the IANA registry. The most common numbers are + 18 for aes256-cts-hmac-sha1-96 and + 17 for aes128-cts-hmac-sha1-96. + + + Once the kvno and enctypes are known, the keys + can then be extracted using asetkey + + # asetkey add rxkad_krb5 <kvno> 18 /usr/afs/etc/rxkad.keytab afs/<cell name> + # asetkey add rxkad_krb5 <kvno> 17 /usr/afs/etc/rxkad.keytab afs/<cell name> + + + + + + Starting the Server Processes + + Now that the keys are in place, proceed to start the server + processes: + - If you are not working from a packaged distribution, you may need to copy files from the distribution media to the local /usr/afs directory. - - # cd /tmp/afsdist/sysname/root.server/usr/afs - # cp -rp * /usr/afs - + If you are building from source, you need to install the + compiled files to the local + /usr/afs directory. commands bosserver @@ -1865,9 +2020,9 @@ auth required pam_unix.so try_first_pass - Issue the bosserver command. Include the -noauth - flag to disable authorization checking. - # /usr/afs/bin/bosserver -noauth & + Issue the bosserver command. + + # /usr/afs/bin/bosserver @@ -2004,6 +2159,7 @@ auth required pam_unix.so try_first_pass first AFS machine as database server + 
@@ -2055,12 +2211,8 @@ auth required pam_unix.so try_first_pass Issue the bos setcellname command to set the cell name. # bos setcellname <machine name> <cell name> -noauth - - - Because you are not authenticated and authorization checking is disabled, the bos - command interpreter possibly produces error messages about being unable to obtain tickets and running unauthenticated. You - can safely ignore the messages. + role="bold">-localauth + commands bos listhosts @@ -2076,13 +2228,13 @@ auth required pam_unix.so try_first_pass displaying CellServDB file (server) entries - + Issue the bos listhosts command to verify that the machine you are installing is now registered as the cell's first database server machine. - # bos listhosts <machine name> -noauth + # bos listhosts <machine name> -localauth Cell name is cell_name Host 1 is machine_name @@ -2245,10 +2397,6 @@ auth required pam_unix.so try_first_pass in the /usr/afs/local/BosConfig file and start them running. The three processes run on database server machines only: - - The Backup Server (the buserver process) maintains the Backup Database - - The Protection Server (the ptserver process) maintains the Protection Database @@ -2258,6 +2406,10 @@ auth required pam_unix.so try_first_pass The Volume Location (VL) Server (the vlserver process) maintains the Volume Location Database (VLDB) + + + The optional Backup Server (the buserver process) maintains the Backup Database + 
@@ -2289,20 +2441,20 @@ auth required pam_unix.so try_first_pass create - Issue the bos create command to start the Backup Server. - # ./bos create <machine name> buserver simple /usr/afs/bin/buserver -noauth + Issue the bos create command to start the Protection Server. + # ./bos create <machine name> ptserver simple /usr/afs/bin/ptserver -localauth - Issue the bos create command to start the Protection Server. - # ./bos create <machine name> ptserver simple /usr/afs/bin/ptserver -noauth + Issue the bos create command to start the VL Server. + # ./bos create <machine name> vlserver simple /usr/afs/bin/vlserver -localauth - Issue the bos create command to start the VL Server. - # ./bos create <machine name> vlserver simple /usr/afs/bin/vlserver -noauth + Optionally, issue the bos create command to start the Backup Server. + # ./bos create <machine name> buserver simple /usr/afs/bin/buserver -localauth @@ -2391,7 +2543,7 @@ auth required pam_unix.so try_first_pass Initializing Cell Security with kaserver for installation instructions which replace this section. - Now initialize the cell's security mechanisms. Begin by creating the following two entires in your site's Kerberos database: + Now finish initializing the cell's security mechanisms. Begin by creating the following entry in your site's Kerberos database: A generic administrative account, called admin by convention. If you choose to assign a different name, substitute it throughout the remainder of this document. 
@@ -2401,24 +2553,6 @@ auth required pam_unix.so try_first_pass latter scheme implies somewhat more overhead, but provides a more informative audit trail for administrative operations. - - - The entry for AFS server processes, called either - afs or - afs/cell. - The latter form is preferred since it works regardless of whether - your cell name matches your Kerberos realm name and allows multiple - AFS cells to be served from a single Kerberos realm. - No user logs in under this identity, but it is used to encrypt the - server tickets that granted to AFS clients for presentation to - server processes during mutual authentication. (The - chapter in the OpenAFS Administration Guide about cell configuration and administration describes the - role of server encryption keys in mutual authentication.) - - In Step 7, you also place the initial AFS server encryption key into the /usr/afs/etc/KeyFile file. The AFS server processes refer to this file to learn the server - encryption key when they need to decrypt server tickets. - You also issue several commands that enable the new admin user to issue privileged 
@@ -2438,56 +2572,25 @@ auth required pam_unix.so try_first_pass # kadmin Authenticating as principal you/admin@YOUR REALM with password Password for you/admin@REALM: your_password - - server encryption key - - in Kerberos Database - - creating - - server encryption key - - Kerberos Database - + Issue the add_principal command to create - Kerberos Database entries called - admin and - afs/<cell name>. + the Kerberos Database entry for + admin. You should make the admin_passwd as long and complex as possible, but keep in mind that administrators - need to enter it often. It must be at least six characters long. - Note that when creating the - afs/<cell name> - entry, the encryption types should be restricted to des-cbc-crc:v4. - For more details regarding encryption types, see the documentation - for your Kerberos installation. - + need to enter it often. It must be at least six characters long. - kadmin: add_principal -randkey -e des-cbc-crc:v4 afs/<cell name> - Principal "afs/cell name@REALM" created. kadmin: add_principal admin Enter password for principal "admin@REALM": admin_password Principal "admin@REALM" created. - - commands - - kas examine - - - - kas commands - - examine - - displaying 
@@ -2497,39 +2600,6 @@ Password for you/admin@REALM: your_passw - - Issue the kadmin - get_principal command to display the afs/<cell name> entry. - - kadmin: get_principal afs/<cell name> - Principal: afs/cell - [ ... ] - Key: vno 2, DES cbc mode with CRC-32, no salt - [ ... ] - - - - - Extract the newly created key for afs/cell to a keytab on the local machine. We will use /etc/afs.keytab as the location for this keytab. - - The keytab contains the key material that ensures the security of your AFS cell. You should ensure that it is kept in a secure location at all times. - - - kadmin: ktadd -k /etc/afs.keytab -e des-cbc-crc:v4 afs/<cell name> -Entry for principal afs/<cell name> with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/afs.keytab - - Make a note of the key version number (kvno) given in the - response, as you will need it to load the key into bos in a later - step - - Note that each time you run - ktadd a new key is generated - for the item being extracted. This means that you cannot run ktadd - multiple times and end up with the same key material each time. - - - Issue the quit command to leave kadmin interactive mode. @@ -2572,7 +2642,7 @@ Entry for principal afs/<cell name> with kvno 3 role="bold">admin user to the /usr/afs/etc/UserList file. This enables the admin user to issue privileged bos and vos commands. - # ./bos adduser <machine name> admin -noauth + # ./bos adduser <machine name> admin -localauth commands 
@@ -2588,63 +2658,6 @@ Entry for principal afs/<cell name> with kvno 3 in KeyFile file - - - Issue the - asetkey command to set the AFS - server encryption key in the - /usr/afs/etc/KeyFile file. This key - is created from the /etc/afs.keytab - file created earlier. - - asetkey requires the key version number (or kvno) of the - afs/cell - key. You should have made note of the kvno when creating the key - earlier. The key version number can also be found by running the - kvno command - - # kvno -k /etc/afs.keytab afs/<cell name> - - - Once the kvno is known, the key can then be extracted using - asetkey - - # asetkey add <kvno> /etc/afs.keytab afs/<cell name> - - - - commands - bos listkeys - - - - bos commands - listkeys - - - - displaying - server encryption key - KeyFile file - - - - - Issue the - bos listkeys command to verify that - the key version number for the new key in the - KeyFile file is the same as the key - version number in the Authentication Database's - afs/cell name - entry, which you displayed in Step 3. - - # ./bos listkeys <machine name> -noauth - key 0 has cksum checksum - - - You can safely ignore any error messages indicating that bos failed to get tickets - or that authentication failed. - @@ -2653,10 +2666,16 @@ Entry for principal afs/<cell name> with kvno 3 Now continue to configure your cell's security systems by populating the Protection Database with the newly created admin user, and permitting it - to issue priviledged commands on the AFS filesystem. + to issue priviledged commands on the AFS filesystem. + There is nothing special about the name "admin"; it is just a + convenient name for these instructions. An other name could + be used throughout this document, or multiple privileged + accounts created. + Issue the pts createuser command to create a Protection Database entry for the + admin user. commands pts createuser 
@@ -2669,9 +2688,7 @@ Entry for principal afs/<cell name> with kvno 3 Protection Database - - Issue the pts createuser command to create a Protection Database entry for the - admin user. + By default, the Protection Server assigns AFS UID 1 (one) to the admin user, because it is the first user entry you are creating. If the local password file (cell name> with kvno 3 # pts createuser -name admin [-id <AFS UID>] -noauth + role="bold">-id <AFS UID>] -localauth User admin has id AFS UID @@ -2713,8 +2730,8 @@ Entry for principal afs/<cell name> with kvno 3 membership command to verify the new membership. Membership in the group enables the admin user to issue privileged pts commands and some privileged fs commands. - # ./pts adduser admin system:administrators -noauth - # ./pts membership admin -noauth + # ./pts adduser admin system:administrators -localauth + # ./pts membership admin -localauth Groups admin (id: 1) is a member of: system:administrators @@ -2734,14 +2751,6 @@ Entry for principal afs/<cell name> with kvno 3 on first AFS machine - - - Issue the bos restart command with the -all flag - to restart the database server processes, so that they start using the new server encryption key. - # ./bos restart <machine name> -all - -noauth - - @@ -2847,7 +2856,7 @@ Entry for principal afs/<cell name> with kvno 3 # ./bos create <machine name> dafs dafs /usr/afs/bin/dafileserver \ /usr/afs/bin/davolserver /usr/afs/bin/salvageserver \ - /usr/afs/bin/dasalvager -noauth + /usr/afs/bin/dasalvager -localauth @@ -2876,9 +2885,9 @@ Entry for principal afs/<cell name> with kvno 3 successfully by issuing the bos status command. Its output mentions two proc starts. - If you are running the Demand-Attach File Server: + - # ./bos status <machine name> dafs -long -noauth + # ./bos status <machine name> dafs -long -localauth 
@@ -2930,11 +2939,10 @@ Entry for principal afs/<cell name> with kvno 3 # ./vos create <machine name> <partition name> root.afs \ - -noauth + -localauth - The Volume Server produces a message confirming that it created the volume on the specified partition. You can - ignore error messages indicating that tokens are missing, or that authentication failed. + The Volume Server produces a message confirming that it created the volume on the specified partition. commands vos syncvldb @@ -2952,20 +2960,6 @@ Entry for principal afs/<cell name> with kvno 3 syncserv - - - If there are existing AFS file server machines and volumes in the cell, issue the vos - syncvldb and vos syncserv commands to synchronize the VLDB with the - actual state of volumes on the local machine. To follow the progress of the synchronization operation, which can - take several minutes, use the -verbose flag. - # ./vos syncvldb <machine name> -verbose -noauth - # ./vos syncserv <machine name> -verbose -noauth - - - You can ignore error messages indicating that tokens are missing, or that authentication failed. - @@ -3061,9 +3055,9 @@ Entry for principal afs/<cell name> with kvno 3 Overview: Installing Client Functionality - The machine you are installing is now an AFS file server machine, - database server machine, system control machine, and binary distribution - machine. Now make it a client machine by completing the following tasks: + The machine you are installing is now an AFS file server machine + and database server machine. + Now make it a client machine by completing the following tasks: Define the machine's cell membership for client processes -- 2.39.5
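Review bot: typo and a duplicated lead-in in the auqbg004.xml hunk at @@ -462,8 +474,13 (About Upgrading the Operating System). "Legacy confiruations" should be "Legacy configurations", and the new paragraph ends with "will need to undertake the following precautions." while the retained next sentence still says "These actions include, but are not necessarily limited to, the following.", so the list is now introduced twice. Fold the two into one sentence, for example "Legacy configurations involving kaserver authentication or inode fileserver backends need the following precautions, which include, but are not necessarily limited to:".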
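Review bot: the auqbg005.xml hunk at @@ -522,13 +530,15 contradicts itself: "RPMS for all current Fedora and RedHat Enterprise Linux (RHEL) releases prior to EL7" says both "all current" and "prior to EL7". Say which set is actually supported, e.g. "for current Fedora releases and for RHEL releases up to EL6", or drop "prior to EL7" if the point is only that the EL7 packages are not yet published.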
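Review bot: the -localauth explanation in the auqbg005.xml hunk at @@ -1752,22 +1763,26 (Starting the BOS Server) does not say what the flag actually does or why it is safe, and "printed token" is unexplained jargon. Suggest replacing "you must always use the -localauth flag to commands, to use a printed token that does not correspond to a normal krb5 identity" with something like "you must give the -localauth flag to every bos, pts and vos command in this chapter; it builds a token from the server key in /usr/afs/etc, so it only works on the server machine itself and only for a user who can read that key (root)". That also explains why the keytab must be in place before bosserver is started, which this hunk now requires.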
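Review bot: the kvno command in the auqbg005.xml hunk at @@ -1849,13 +1864,153 (Generating the Cell's Kerberos V5 Keys) is broken: "# kvno -kt /usr/afs/etc/rxkad.keytab" has no principal argument and MIT kvno has no -t option (the line this replaces was "kvno -k /etc/afs.keytab afs/<cell name>"). Either restore the principal, "kvno -k /usr/afs/etc/rxkad.keytab afs/<cell name>", and note that kvno fetches a service ticket from the KDC so it needs a ticket cache, or, since the reader only needs the kvno and enctype already stored in the keytab, use "klist -ke /usr/afs/etc/rxkad.keytab", which reads the keytab directly and shows both. Three smaller points in the same hunk: (1) kadmin's ktadd creates the keytab with the caller's umask, so given the "kept in a secure location" warning add a check after the ktadd step that /usr/afs/etc/rxkad.keytab is owned by root and mode 0600; (2) the text says the asetkey step "will only succeed" with 1.8's asetkey, so tell 1.6 readers to skip it rather than let them hit an error, and say whether 1.6's -localauth works with rxkad.keytab alone, since the remark that single-DES keys would need asetkey into the legacy KeyFile suggests a KeyFile may still be required on 1.6; (3) missing full stops after "using a different vendor" and "in a later step".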
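Review bot: the auqbg005.xml hunk at @@ -1865,9 +2020,9 drops the trailing "&" from "# /usr/afs/bin/bosserver", which is correct only because bosserver forks into the background by default; a half sentence saying so ("bosserver detaches from the terminal on its own; use -nofork if you want it to stay in the foreground") would stop readers from thinking the shell has hung or re-adding the "&".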
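Review bot: the retained sentence "It must be at least six characters long." in the auqbg005.xml hunk at @@ -2438,56 +2572,25 (creating the admin principal) is a kaserver-era constraint; with a krb5 KDC the minimum length comes from the KDC's password policy, not from AFS. Drop it or change it to "subject to your KDC's password policy", since the rest of this hunk now assumes an MIT kadmin.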
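Review bot: the auqbg005.xml hunk at @@ -2588,63 +2658,6 removes the bos listkeys verification step without adding an equivalent for the new key files, so the reader has no check that the asetkey/ktadd steps took effect before the servers are started. Suggest adding "asetkey list" for 1.8 (shows the KeyFileExt entries with their kvno and enctype) and "klist -ke /usr/afs/etc/rxkad.keytab" for 1.6, with a sentence to compare the kvno shown against the one reported by ktadd.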
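Review bot: two spelling errors in the added lines of the auqbg005.xml hunk at @@ -2653,10 +2666,16: "to issue priviledged commands" should be "privileged", and "An other name could be used" should be "Another name could be used".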