2226
Comment: Improving new user instructions
= Basic Architecture =

Using the shared filesystem involves a combination of LDAP, Kerberos, and OpenAFS. DavorOcelic might fill in more information here. :-)

= File conventions =

The `/afs` tree contains shared filesystems. `/afs/hcoop.net` (symlinked from `/afs/hcoop` as well) is our piece of the AFS-o-sphere. Subdirectories include:

 * `/afs/hcoop.net/usr`, the home of home directories
 * `/afs/hcoop.net/usr/$USERNAME/home`, `$USERNAME`'s home directory
 * `/afs/hcoop.net/common/etc`, the home of non-platform-specific fun stuff like DomTool

= Connecting to AFS from an HCoop server =

I found this handy summary of the commands that must be run: http://www.eos.ncsu.edu/remoteaccess/LinuxOpenAfs/kreset_debian/kreset

On our servers, it seems sufficient to run:
{{{
kinit
aklog
}}}
These should be run automatically if you log in normally, but admins `sudo`ing around to different users seem to need to run `aklog` manually to access AFS.

= The kadmin shell =

Many Kerberos administration commands are run from a special shell. Enter it as root by running `sudo kadmin.local`.

= Creating a new user =

We follow the convention that Kerberos users for daemons are named `$DAEMON/$HOST`, where `$DAEMON` is the name of the daemon (for instance, the name of its `/etc/init.d` file) and `$HOST` is the primary fully-qualified domain name for the host where the daemon runs. To add the Kerberos principal for a daemon, run this in kadmin:
{{{
addprinc -randkey -policy host $DAEMON/$HOST
}}}

AFS users exist separately from Kerberos principals. To add the AFS user for a daemon to which you want to assign UID `$UID`, run:
{{{
pts createuser -name $DAEMON.$HOST -id $UID
}}}
Note the period, not slash, between `$DAEMON` and `$HOST`. The `-id $UID` can be omitted if you want a randomly-generated UID.

"keytab" files smooth the way to running daemons that run with AFS privileges. An access-protected local file contains a user's credentials, and daemons read these files on starting up in order to authenticate. To create a keytab for a daemon, run this in kadmin:
{{{
ktadd -k /etc/keytabs/$DAEMON.keytab -e "des3-hmac-sha1:normal rc4-hmac:normal" $DAEMON/$HOST
}}}
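The three steps above (Kerberos principal, AFS user, keytab) are easy to get subtly wrong: the slash-versus-period naming, a host name that is not fully qualified, or a keytab left world-readable. The following script is an added example, not part of the HCoop wiki, that encodes the page's naming convention, validates the names, prints the exact `kadmin`/`pts` commands as a dry-run plan, and checks that a keytab file is owner-readable only. The daemon name `exim`, host `host1.example.org` and UID `5000` are constructed sample values; `/etc/keytabs` and the enctype list come from the page.

```shell
#!/bin/sh
# Added example (not HCoop's own tooling): dry-run planner and checks for
# provisioning a daemon principal, AFS user and keytab per the page's convention.

KEYTAB_DIR="${KEYTAB_DIR:-/etc/keytabs}"                  # path used on the page
KEYTAB_ENCTYPES='des3-hmac-sha1:normal rc4-hmac:normal'   # enctype list from the page

# check_daemon_host DAEMON HOST -> 0 only if both names fit the convention:
# DAEMON looks like an /etc/init.d name (no slash, no period), HOST is an FQDN.
check_daemon_host() {
  daemon=$1; host=$2
  case $daemon in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
  case $host in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
  case $host in *.*) ;; *) return 1 ;; esac   # must be fully qualified (contain a dot)
  return 0
}

# Kerberos principal name: $DAEMON/$HOST (slash)
krb_principal() { printf '%s/%s\n' "$1" "$2"; }

# AFS user name: $DAEMON.$HOST (period, not slash)
afs_user() { printf '%s.%s\n' "$1" "$2"; }

# plan_daemon DAEMON HOST [UID] -> prints the commands to run; executes nothing.
plan_daemon() {
  daemon=$1; host=$2; uid=$3
  check_daemon_host "$daemon" "$host" || { echo "bad names: '$daemon' '$host'" >&2; return 1; }
  princ=$(krb_principal "$daemon" "$host")
  user=$(afs_user "$daemon" "$host")
  idarg=
  [ -n "$uid" ] && idarg=" -id $uid"   # omit -id for a randomly generated UID
  printf '# in the kadmin shell (sudo kadmin.local):\n'
  printf 'addprinc -randkey -policy host %s\n' "$princ"
  printf '# at a root shell (note the period in the AFS user name):\n'
  printf 'pts createuser -name %s%s\n' "$user" "$idarg"
  printf '# back in kadmin; the keytab holds credentials, keep it access-protected:\n'
  printf 'ktadd -k %s/%s.keytab -e "%s" %s\n' "$KEYTAB_DIR" "$daemon" "$KEYTAB_ENCTYPES" "$princ"
}

# keytab_protected FILE -> 0 only if FILE is a regular file with mode 0600.
# A keytab is a long-lived credential; anything wider than owner-only is a finding.
keytab_protected() {
  [ -f "$1" ] || return 1
  mode=$(ls -ld "$1" | cut -c1-10)
  [ "$mode" = "-rw-------" ]
}

# Example run with constructed names (prints the plan only):
plan_daemon exim host1.example.org 5000
```

Run it as-is to see the plan, then paste the `addprinc`/`ktadd` lines into `sudo kadmin.local` and the `pts` line into a root shell. After `ktadd`, `keytab_protected /etc/keytabs/exim.keytab` is a quick post-check that the file did not end up group- or world-readable.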
----
CategoryCategory