
Diff for "AndrewFileSystem"

Differences between revisions 3 and 24 (spanning 21 versions)
Revision 3 as of 2007-02-17 19:32:42
Size: 2050
Editor: AdamChlipala
Comment: Creating a new user
Revision 24 as of 2008-12-13 02:58:33
Size: 291
Editor: 213
Comment:
= Basic Architecture =

Using the shared filesystem involves a combination of LDAP, Kerberos, and OpenAFS. DavorOcelic might fill in more information here. :-)

= File conventions =

The `/afs` tree contains shared filesystems. `/afs/hcoop.net` (symlinked from `/afs/hcoop` as well) is our piece of the AFS-o-sphere. Subdirectories include:

 * `/afs/hcoop.net/usr`, the home of home directories
 * `/afs/hcoop.net/usr/$USERNAME/home`, `$USERNAME`'s home directory
 * `/afs/hcoop.net/common/etc`, the home of non-platform-specific fun stuff like DomTool

= Connecting to AFS from an HCoop server =

I found this handy summary of the commands that must be run:
  http://www.eos.ncsu.edu/remoteaccess/LinuxOpenAfs/kreset_debian/kreset

On our servers, it seems sufficient to run:
{{{
kinit
aklog
}}}

These should be run automatically if you log in normally, but admins `sudo`ing around to different users seem to need to run `aklog` manually to access AFS.

= Creating a new user =

We follow the convention that Kerberos users for daemons are named `$DAEMON/$HOST`, where `$DAEMON` is the name of the daemon (for instance, the name of its `/etc/init.d` file) and `$HOST` is the primary fully-qualified domain name for the host where the daemon runs.

To add the Kerberos principal for a daemon, run:
{{{
addprinc -randkey -policy host $DAEMON/$HOST
}}}

AFS users exist separately from Kerberos principals. To add the AFS user for a daemon to which you want to assign UID `$UID`, run:
{{{
pts createuser -name $DAEMON.$HOST -id $UID
}}}
Note the period, not slash, between `$DAEMON` and `$HOST`. The `-id $UID` can be omitted if you want a randomly-generated UID.

"keytab" files make it straightforward to run daemons with AFS privileges: an access-protected local file holds a principal's credentials, and the daemon reads that file when it starts up in order to authenticate.

To create a keytab for a daemon, run:
{{{
ktadd -k /etc/keytab/$DAEMON.keytab -e "des3-hmac-sha1:normal rc4-hmac:normal" $DAEMON/$HOST
}}}
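As an added example (not from the HCoop wiki), the startup side of the convention above: a daemon named `$DAEMON/$HOST` derives its AFS `pts` name, refuses a keytab that is readable by group or other, and only then turns the keytab into a TGT and an AFS token. It assumes MIT Kerberos `kinit` and OpenAFS `aklog` on `PATH` and keytabs under `/etc/keytab` as in the page; the two check functions need neither tool, and `exim`/`host1.hcoop.net` in the usage comment are constructed names.

```shell
#!/bin/sh
# Added example for the HCoop daemon-principal convention; not the wiki's own code.

# Kerberos principal "$DAEMON/$HOST" -> AFS pts user "$DAEMON.$HOST"
# (the wiki's note: period, not slash, in the pts name).
# Fails unless there is exactly one slash with non-empty parts on each side.
afs_user_for_principal() {
    case "$1" in
        ""|/*|*/|*/*/*) return 1 ;;
    esac
    case "$1" in
        */*) printf '%s\n' "$1" | tr '/' '.' ;;
        *)   return 1 ;;
    esac
}

# 0 if the keytab is a regular file whose group and other permission bits are
# all clear (e.g. 0600 or 0400), i.e. only its owner can read the credentials.
keytab_is_protected() {
    kt="$1"
    [ -f "$kt" ] || return 1
    # GNU stat first, BSD stat as a fallback; both print the octal mode.
    mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt" 2>/dev/null) || return 1
    # leading 0 makes the arithmetic treat the mode as octal; 077 masks group+other
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# What a daemon's init script would call instead of an interactive kinit/aklog:
# obtain a TGT from the keytab, then exchange it for an AFS token.
daemon_afs_login() {
    daemon="$1"; host="$2"
    kt="/etc/keytab/$daemon.keytab"
    keytab_is_protected "$kt" || {
        echo "refusing to use $kt: missing or readable by group/other" >&2
        return 1
    }
    kinit -k -t "$kt" "$daemon/$host" && aklog
}

# usage (constructed names): daemon_afs_login exim host1.hcoop.net
```

Because `kinit -k` reads the keytab, the permission check is the cheap guard that keeps a world-readable keytab from silently becoming a working AFS identity for every local user.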
----
CategoryTemplate

AndrewFileSystem (last edited 2018-11-15 03:45:21 by ClintonEbadi)