Differences

This shows you the differences between two versions of the page.

--- user:jbrant:csit1320:afs_install [2010/05/14 09:57] – jbrant
+++ user:jbrant:csit1320:afs_install [2010/05/15 17:55] (current) – jbrant
@@ Line 1: / Line 1: @@
+====== The first thing we need to do is create a virtual disk: ======
+**dd if=/dev/zero of=/xen/domains/vm14/vicepa.disk count=900 bs=1M**
+**mkfs -t ext3 vicepa.disk**
+**vi /xen/conf/vm14.cfg**
+add the highlighted line below \\
+# \\
+root        = '/dev/xvda2 ro' \\
+disk        = [
+                'file:/xen/domains/vm14/swap.img,xvda1,w',
+                'file:/xen/domains/vm14/disk.img,xvda2,w',
+                'file:/xen/domains/vm14/vicepa.disk,xvda3,w',
+              ]
+after saving the file then do a shutdown of vm14 and bring it back up.(a reboot will not work
+Next we need to logon to vm14 and mount the disk: \\
+**mount -o loop -t ext3 /dev/xvda3 /vicepa** \\
+next do a df -k to verify that the disk is mounted. \\
+**df -k**
+<code>
+Filesystem           1K-blocks      Used Available Use% Mounted on
+/dev/xvda2             2064208    685996   1273356  36% /
+tmpfs                    65632         0     65632   0% /lib/init/rw
+udev                     10240       476      9764   5% /dev
+tmpfs                    65632         4     65628   1% /dev/shm
+/dev/xvda3              907096     17560    843456   3% /vicepa
+</code>
+====== Now we are ready to start the afs install ======
+To get it going we will us the  module-assistant method.:
+**apt-get install module-assistant** \\
+**m-a prepare openafs** \\
+**m-a a-i openafs**
+After the kernel module is installed, we can proceed with installing the OpenAFS client: \\
+This will be run on vm14, vm15, and vm16
+ **apt-get install openafs-{client,krb5}**
+AFS cell this workstation belongs to: student.lab
+# (Your domain name in lowercase, matching the Kerberos realm in uppercase)
+Size of AFS cache in kB? **50000**
+Run Openafs client now and at boot? **No**
+Look up AFS cells in DNS? **Yes**
+Encrypt authenticated traffic with AFS fileserver? **No**
+Dynamically generate the contents of /afs? **Yes**
+Use fakestat to avoid hangs when listing /afs? **Yes**
+DB server host names for your home cell: **afs1**
+now on vm14 we will install the server software.
+** apt-get install openafs-{fileserver,dbserver}**
+Cell this server serves files for: **student.lab**
+====== Now for the configuration part of the work: ======
+Next to configure the server.
+ **kadmin.local**
+Authenticating as principal root/admin@student.lab with password.
+kadmin.local:  **addprinc -policy service -randkey -e des-cbc-crc:normal afs/student.lab** \\
+Principal "afs@student.lab" created.
+kadmin.local: ** ktadd -k /tmp/afs.keytab -e des-cbc-crc:normal afs/student.lab**
+Entry for principal afs with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/afs.keytab.
+kadmin.local:  **quit**
+Once the key's been created and exported to file /tmp/afs.keytab as shown, we need to load it into the AFS KeyFile. Note that the number "2" in the following command is the key version number, which has to match KVNO reported in the 'ktadd' step above.
+ **asetkey add 2 /tmp/afs.keytab afs/student.lab**
+To verify the key has been loaded and that there is only one key in the AFS KeyFile, run bos listkeys:
+ **bos listkeys afs1 -localauth**
+You should get something like this:
+key 2 has cksum 2035850286
+Keys last changed on Tue Jun 24 14:04:02 2008.
+edit the  /etc/krb5.conf  section "[libdefaults]", and explicitly set "allow_weak_crypto = true".
+Restart krb5-kdc with  **invoke-rc.d krb5-kdc restart**
+After restarting kerbros we need to create the afs cell.
+====== Next we will create the AFS cell: ======
+ **afs-newcell**
+Do you meet these requirements? [y/n]** y**
+What administrative principal should be used? **root/admin**
+This will creating initial protection database.  Some errors  will be generated
+about an id already existing and a bad ubik magic. We can ignore them.
+The next thing to do is to setup our first partition
+first we need to get an admin token.
+**kinit root/admin**
+Password for root/admin@student.lab: //PASSWORD//
+**aklog**
+We need to  verify that you hold the Kerberos ticket and AFS token:
+**klist -5f** \\
+You will get some thing like this:
+Ticket cache: FILE:/tmp/krb5cc_1116
+Default principal: root/admin@student.lab
+Valid starting     Expires            Service principal
+/09/10 17:18:18  02/10/10 03:18:18  krbtgt/student.lab@STUDENT.LAB
+renew until 02/10/10 17:18:16, Flags: FPRIA
+/09/10 17:18:18  02/10/10 03:18:18  afs/student.lab@STUDENT.LAB
+renew until 02/10/10 17:18:16, Flags: FPRAT
+tokens
+Tokens held by the Cache Manager:
+apri
+User's (AFS ID 1) tokens for afs@student.lab [Expires Apr 15 03:18]
+   --End of list--
+   -
+Now, with a successful kinit and aklog in place, we can run afs-rootvol:
+**afs-rootvol**
+	 The AFS client must be running and pointed at the new cell.
+Do you meet these conditions? (y/n)** y**
+What AFS Server should volumes be placed on? **afs1**
+What partition? [a]** a**
+====== We now have an afs cell there is still some configuration left to do ======
+lets enable the client in /etc/openafs/afs.conf.client we need to  edit the line AFS_CLIENT=false and make it  **AFS_CLIENT=true**:
+ **perl -pi -e's/AFS_CLIENT=false/AFS_CLIENT=true/' /etc/openafs/afs.conf.client**
+ **invoke-rc.d openafs-client restart**
+next to check the mount point of our afs cell.
+**fs lsm /afs/student.lab**
+'/afs/student.lab' is a mount point for volume '#student.lab:root.cell'
+Let's check the  volume stats
+**fs lv /afs/student.lab**
+File /afs/student.lab (536870919.1.1) contained in volume 536870919
+Volume status for vid = 536870919 named root.cell.readonly
+Current disk quota is 5000
+Current blocks used are 4
+The partition has 843456 blocks available out of 907096
+now to test that we can read and write to the afs cell.
+**cd /afs/student.lab**
+**ls -al**
+total 14
+drwxrwxrwx 2 root root 2048 2008-06-25 02:05 .
+drwxrwxrwx 2 root root 8192 2008-06-25 02:05 ..
+drwxrwxrwx 2 root root 2048 2008-06-25 02:05 service
+drwxrwxrwx 2 root root 2048 2008-06-25 02:05 user
+**echo TEST > testfile**
+-bash: testfile: Read-only file system
+**cd /afs/.student.lab**
+**echo TEST > testfile**
+-bash: testfile: Permission denied
+inorder to write we will need to get a token.
+**cd /afs/.student.lab**
+**
+fs la .**
+Access list for . is
+Normal rights:
+  system:administrators rlidwka
+  system:anyuser rl
+**kinit root/admin; aklog**
+Password for root/admin@student.lab: //PASSWORD//
+**echo TEST > testfile**
+**cat testfile**
+TEST
+**rm testfile**
+====== Adding new users to AFS ======
+In order to add new user to AFS you will need to first set them up in Kerberos and then in afs.\\
+Once we have the user setup in Kerberos now we can add them to AFS. \\
+**pts createuser mirko 20000**
+User mirko has id 20000
+next we need to create the home volume for user.
+**vos create afs1 a user.mirko 20000**
+Volume 536997357 created on partition /vicepa of afs1
+**vos examine user.mirko**
+user.mirko                        536997357 RW          2 K  On-line
+    afs1.student.lab /vicepa
+    RWrite  536997357 ROnly          0 Backup          0
+    MaxQuota     20000 K
+    Creation    Mon Apr 19 18:30:24 2010
+    Copy        Sun Apr 19 18:30:45 2010
+    Backup      Never
+    Last Update Never
+    RWrite: 536997357
+    number of sites -> 1
+       server afs1.student.lab partition /vicepa RW Site
+======  We will now mount the volume ======
+**cd /afs/student.lab/user**
+**
+mkdir -p m/mi**
+**
+fs mkm m/mi/mirko user.mirko -rw**
+next to view volume and directory information:
+**fs lsm m/mi/mirko**
+'m/mi/mirko' is a mount point for volume '#user.mirko'
+**fs lv m/mi/mirko**
+File m/mi/mirko (536997357.1.1) contained in volume 536997357
+Volume status for vid = 536997357 named user.mirko
+Current disk quota is 20000
+Current blocks used are 2
+The partition has 843456 blocks available out of 907096
+now  lets view the permissions on the volume:
+**fs la m/mi/mirko**
+Access list for m/mi/mirko is
+Normal rights:
+  system:administrators rlidwka
+**fs sa  m/mi/mirko mirko all**
+**fs la  m/mi/mirko**
+Access list for m/mi/mirko is
+Normal rights:
+  system:administrators rlidwka
+  mirko rlidwka
+Next we are going to switch user to mirko and make sure we still have access to the home directory:
+**unlog; kdestroy**
+**kinit mirko; aklog**
+Password for mirko@student.lab: //PASSWORD//
+**cd /afs/student.lab/user/m/mi/mirko**
+**echo IT WORKS > test**
+**cat test**
+now to check the volume data size quota and increase it from the default 5 MB to 100 MB:
+**cd /afs/.student.lab**
+**fs lq**
+Volume Name                   Quota      Used %Used   Partition
+root.cell                      5000        28    1%         38%
+**fs sq . 100000**
+**fs lq**
+Volume Name                   Quota      Used %Used   Partition
+root.cell.readonly           100000        28    1%         38%
+====== Updating Ldap ======
+Now we need to let ldap know where the new home directory for mirko is located.
+We first need to create a  ldif file we will put it in tmp.
+**vi /tmp/homechange.ldif**
+**dn: uid=mirko,ou=people,dc=student,dc=lab**
+**changetype: modify**
+**replace: homeDirectory**
+**homeDirectory: /afs/student.lab/user/m/mi/mirko**
+**:wq!**
+Once the file has been create then we need to apply it to the ldap database.
+**ldapmodify -c -x -D cn=admin,dc=spinlock,dc=hr -W -f /tmp/homechange.ldif**
+let verify that the change took:
+**getent passwd mirko**
+mirko:x:20000:65534:mirko:/afs/hcoop.net/user/m/mi/mirko:/bin/bash
+====== The final step is to make the need pam configuration files changes ======
+These will need to be done on the server and all client systems.
+apt-get install libpam-afs-session
+To limit the chance of get locked out of the system will doing the PAM configurations. It is best to have another root terminal open and that you make a backup of all of the /etc/pam.d/common* files. To do this, preform  the following in that root terminal you started, make sure to leave the terminal open:
+**cd /etc**
+**cp -a pam.d pam.d,orig**
+Note:If after you finish these step and you can not login then the above will allow you to be able to  revert back to a functioning state by using the open root terminal and executing:
+**cp -a pam.d,orig/* pam.d/**
+Once you have edited the PAM files shown below it is best to restart the services. This isn't necessary, but it do ensures that the services will read the new PAM configuration.
+ **
+vi /etc/pam.d/common-auth**
+auth    sufficient        pam_unix.so nullok_secure
+auth    sufficient        pam_krb5.so use_first_pass
+**auth    optional          pam_afs_session.so program=/usr/bin/aklog**
+auth    required          pam_deny.so
+vi /etc/pam.d/common-session
+session required pam_limits.so
+session optional pam_krb5.so
+session optional pam_unix.so
+**session optional pam_afs_session.so program=/usr/bin/aklog**
+At this point you can scp these two file to the afs clients, vm15 and vm16 or you could log on to each and make the need pam changes I would go with the SCP as it removes the chance of a typo.
+At this point you now have a working afs file system.
+====== Reference: ======
+http://techpubs.spinlocksolutions.com/dklar/afs.html

Lab46 Wiki

User Tools

Site Tools

Differences

Page Tools