welcome: please sign in

Diff for "AndrewFileSystem"

Differences between revisions 4 and 44 (spanning 40 versions)
Revision 4 as of 2007-02-17 19:43:24
Size: 2226
Editor: AdamChlipala
Comment: Improving new user instructions
Revision 44 as of 2011-04-21 17:48:45
Size: 85
Editor: 46
Comment: XqghVZ <a href="http://ulibkjrjwlmr.com/">ulibkjrjwlmr</a>
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
= Basic Architecture =

Using the shared filesystem involves a combination of LDAP, Kerberos, and OpenAFS. DavorOcelic might fill in more information here. :-)

= File conventions =

The `/afs` tree contains shared filesystems. `/afs/hcoop.net` (symlinked from `/afs/hcoop` as well) is our piece of the AFS-o-sphere. Subdirectories include:

 * `/afs/hcoop.net/usr`, the home of home directories
 * `/afs/hcoop.net/usr/$USERNAME/home`, `$USERNAME`'s home directory
 * `/afs/hcoop.net/common/etc`, the home of non-platform-specific fun stuff like DomTool

= Connecting to AFS from an HCoop server =

I found this handy summary of the commands that must be run:
  http://www.eos.ncsu.edu/remoteaccess/LinuxOpenAfs/kreset_debian/kreset

On our servers, it seems sufficient to run:
{{{kinit
aklog}}}

These should be run automatically if you log in normally, but admins `sudo`ing around to different users seem to need to run `aklog` manually to access AFS.

= The kadmin shell =

Many Kerberos administration commands are run from a special shell. Enter it as root by running `sudo kadmin.local`.

= Creating a new user =

We follow the convention that Kerberos users for daemons are named `$DAEMON/$HOST`, where `$DAEMON` is the name of the daemon (for instance, the name of its `/etc/init.d` file) and `$HOST` is the primary fully-qualified domain name for the host where the daemon runs.

To add the Kerberos principal for a daemon, run this in kadmin:{{{
addprinc -randkey -policy host $DAEMON/$HOST}}}

AFS users exist separately from Kerberos principals. To add the AFS user for a daemon to which you want to assign UID `$UID`, run:{{{
pts createuser -name $DAEMON.$HOST -id $UID}}}
Note the period, not slash, between `$DAEMON` and `$HOST`. The `-id $UID` can be omitted if you want a randomly-generated UID.

"keytab" files smooth the way to running daemons that run with AFS privileges. An access-protected local file contains a user's credentials, and daemons read these files on starting up in order to authenticate.

To create a keytab for a daemon, run this in kadmin:{{{
ktadd -k /etc/keytabs/$DAEMON.keytab -e "des3-hmac-sha1:normal rc4-hmac:normal" $DAEMON/$HOST}}}
XqghVZ <a href="http://ulibkjrjwlmr.com/">ulibkjrjwlmr</a>
----
CategoryCategory

AndrewFileSystem (last edited 2018-11-15 03:45:21 by ClintonEbadi)