UNC OpenAFS Client Installation Guide for AIX Systems

Prerequisites

The following filesets are required:

1. krb5.client.rte

2. krb5.toolkit.adt

Both filesets can be installed from the Expansion Pack CD.

Loading AFS client binaries onto the local disk

From the anonymous FTP server ftp.unc.edu, download the file pub/openafs/current/rs_aixXX.client.tar to the local machine (XX is the version number of the OS, e.g. rs_aix53, rs_aix61). Once the tar file is on the local machine, move it to the root directory and untar it:

# mv <full path of tar file> /
# cd /
# tar -xvf rs_aixXX.client.tar

Setting up AFS disk cache

Every AFS client must have a cache in which to store local copies of files brought over from AFS file server machines. The Cache Manager can cache either on disk or in machine memory. For both types of caching, afsd consults the /usr/vice/etc/cacheinfo file as it initializes the Cache Manager and cache, to learn the defaults for cache size and where to mount AFS locally.

The /usr/vice/etc/cacheinfo file has three fields:

1. The first field specifies where to mount AFS on the local disk. The standard choice is /afs.

2. The second field defines the local disk directory to be used for caching. The standard choice is /usr/vice/cache.

3. The third field specifies the number of kilobyte (1024 byte) blocks to allocate for the cache. A good size is around 100 MB, but do not make the cache larger than 85% of the space available on the partition housing the cache, because AIX does not automatically reserve space to prevent the partition from filling completely.

The following example creates a 125 megabyte JFS filesystem to house a 100 MB disk cache:

1. Invoke "smitty jfs".

2. Select "Add a Journaled File System" and press Enter.

3. Select "Add a Standard Journaled File System" and press Enter.

4. Select "rootvg" and press Enter.

5. Fill in the following fields with the following information:

SIZE of file system : 262144

MOUNT POINT : /usr/vice/cache

Mount AUTOMATICALLY at system restart? : yes

Leave the other fields alone. Press Enter after all of the above fields have been filled in.

6. Exit smitty.

7. mount /usr/vice/cache
8. echo "/afs:/usr/vice/cache:100000" > /usr/vice/etc/cacheinfo     
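
The three-field format and the 85% ceiling described above can be checked before afsd is started. The function below is an added example, not part of the original guide; check_cacheinfo is a hypothetical name, and the partition size is passed in as an argument (in KB, as reported for the cache filesystem) so the check can be run anywhere. It assumes the smitty SIZE value is in 512-byte blocks.

```shell
#!/bin/sh
# Added example: validate a cacheinfo entry against the 85% sizing rule.
# Usage: check_cacheinfo "<cacheinfo line>" <partition size in KB>
# Prints a one-line verdict and returns 0 (ok) or 1 (problem).
check_cacheinfo() {
    line=$1
    part_kb=$2

    # Exactly three colon-separated fields: mount point, cache dir, blocks.
    nfields=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
    if [ "$nfields" -ne 3 ]; then
        echo "BAD: expected 3 fields, found $nfields"
        return 1
    fi

    mount_pt=$(printf '%s\n' "$line" | cut -d: -f1)
    cache_dir=$(printf '%s\n' "$line" | cut -d: -f2)
    blocks=$(printf '%s\n' "$line" | cut -d: -f3)

    # Both paths must be absolute; the size must consist of digits only.
    case $mount_pt in /*) ;; *) echo "BAD: mount point not absolute"; return 1 ;; esac
    case $cache_dir in /*) ;; *) echo "BAD: cache directory not absolute"; return 1 ;; esac
    case $blocks in ''|*[!0-9]*) echo "BAD: cache size not numeric"; return 1 ;; esac

    # 85% ceiling, integer arithmetic (rounds down).
    limit=$(( part_kb * 85 / 100 ))
    if [ "$blocks" -gt "$limit" ]; then
        echo "BAD: cache $blocks KB exceeds 85% limit of $limit KB"
        return 1
    fi
    echo "OK: cache $blocks KB within 85% limit of $limit KB"
    return 0
}

# The guide's values: SIZE 262144 in 512-byte blocks is 131072 KB.
check_cacheinfo "/afs:/usr/vice/cache:100000" $(( 262144 / 2 ))
# A constructed oversize entry for the same partition.
check_cacheinfo "/afs:/usr/vice/cache:125000" $(( 262144 / 2 )) || true
```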

Starting the Cache Manager

1. Create the local directory on which to mount the AFS filespace, by convention /afs.

# mkdir /afs

2. Copy over the rc.afs file.

# cp /usr/vice/etc/dkload/rc.afs /etc/rc.afs

3. Edit the AFS initialization script /etc/rc.afs to set the OPTIONS variable to one of $SMALL, $MEDIUM, $LARGE, or $HUGE.

SMALL is suitable for a small machine that serves one or two users and has approximately 1 GB of RAM and an 80 MB cache.

MEDIUM is suitable for a medium-sized machine that serves two to six users and has 2 GB of RAM and a 200 MB cache.

LARGE is suitable for a large machine that serves five to ten users and has 4 GB of RAM and a 400 MB cache.

HUGE is suitable for a huge machine that serves more than ten users and has > 4 GB of RAM and a > 400 MB cache.

4. Set permissions on the rc.afs file.

# chmod 755 /etc/rc.afs

5. Edit the AIX initialization file, /etc/inittab, adding the following line to invoke the AFS initialization script. Place it just after the line that starts "NFS daemons".

rcafs:2:wait:/etc/rc.afs > /dev/console 2>&1 # Start AFS services

6. Add the following line to the /etc/vfs file. It enables AIX to unmount AFS correctly during shutdown.

afs     4       none    none

7. Make links from your local space to AFS space to gain easier access to AFS binaries.

ln -s /afs/isis/@sys/usr/afsws /usr/afsws

8. To enable users to issue commands from the AFS suites (such as fs) without having to specify a pathname to their binaries, include the /usr/afsws/bin and /usr/afsws/etc directories in the PATH environment variable in the /etc/environment file, or in the PATH environment variable you define in each user's shell initialization file (such as .cshrc, .kshrc).

9. To start up the Cache Manager, run the AFS initialization script /etc/rc.afs. It can take a while for the afsd program to run the first time on a machine, because it must create all of the Vn files in the cache directory. Subsequent Cache Manager initializations do not take nearly as long, because the Vn files already exist.

AFS & Kerberos integrated login for AIX

Edit the local /etc/security/user file, making changes to the indicated stanzas:

1. In the default stanza, set the registry attribute and the SYSTEM attribute as follows.

    registry = KRB5files
    SYSTEM = "KRB5files[SUCCESS] AND K5AFS"

2. In the root stanza, set the registry attribute and the SYSTEM attribute as follows.

    registry = files
    SYSTEM = "compat"

This enables the local superuser root to log into the local file system only, based on the local password file.

Add the following stanzas to the /usr/lib/security/methods.cfg file:

    KRB5:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly,tgt_verify=no
    KRB5files:
        options = db=BUILTIN,auth=KRB5
    K5AFS:
        program = /usr/vice/etc/aklog_dynamic_auth
        options = authonly
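
The /etc/security/user and methods.cfg stanzas above can be audited together after editing. The script below is an added example, not part of the original guide: it confirms that root stays on local files, that each method named in the default SYSTEM rule has a stanza, and flags tgt_verify=no for review. The function names stanza_attr, audit_login and make_samples are hypothetical, and the sample files are constructed copies of the guide's stanzas written to a temporary directory.

```shell
# stanza_attr FILE STANZA ATTR: print ATTR's value from an AIX stanza file.
stanza_attr() {
    awk -v want="$2" -v attr="$3" '
        /^[ \t]*\*/ { next }                 # "*" begins a comment line
        /^[^ \t].*:[ \t]*$/ {                # stanza header such as "root:"
            name = $0; sub(/:[ \t]*$/, "", name); hit = (name == want); next
        }
        hit && (eq = index($0, "=")) {       # split on the first "=" only
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/^"|"$/, "", val)
            if (key == attr) { print val; exit }
        }' "$1"
}
# audit_login USERFILE METHODSFILE: findings on stdout, status 1 on any FAIL.
audit_login() {
    rc=0
    # root must authenticate from local files only, as the guide intends.
    if [ "$(stanza_attr "$1" root registry)" = files ] &&
       [ "$(stanza_attr "$1" root SYSTEM)" = compat ]; then
        echo "PASS root: local files only"
    else
        echo "FAIL root: not pinned to registry=files, SYSTEM=compat"; rc=1
    fi
    # Each method in the default SYSTEM rule needs a stanza in the methods file.
    for m in KRB5files K5AFS; do
        case $(stanza_attr "$1" default SYSTEM) in
            *"$m"*) ;;
            *) echo "FAIL default: SYSTEM does not reference $m"; rc=1; continue ;;
        esac
        if [ -n "$(stanza_attr "$2" "$m" options)" ]; then
            echo "PASS $m: stanza found in methods file"
        else
            echo "FAIL $m: referenced but no stanza found"; rc=1
        fi
    done
    # tgt_verify=no switches off TGT verification in the KRB5 module.
    case $(stanza_attr "$2" KRB5 options) in
        *tgt_verify=no*) echo "WARN KRB5: tgt_verify=no, TGT is not verified" ;;
    esac
    return $rc
}
# Constructed sample files that mirror the guide's stanzas.
make_samples() {
    printf 'default:\n\tregistry = KRB5files\n\tSYSTEM = "KRB5files[SUCCESS] AND K5AFS"\nroot:\n\tregistry = files\n\tSYSTEM = "compat"\n' > "$1/user"
    printf 'KRB5:\n\toptions = authonly,tgt_verify=no\nKRB5files:\n\toptions = db=BUILTIN,auth=KRB5\nK5AFS:\n\toptions = authonly\n' > "$1/methods.cfg"
}
d=$(mktemp -d) && make_samples "$d" && audit_login "$d/user" "$d/methods.cfg"; rm -rf "$d"
```

On a live system, pass /etc/security/user and /usr/lib/security/methods.cfg as the two arguments.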
                

Create the /etc/krb5.conf file

1. Copy /afs/isis/pkg/heimdal/etc/krb5.conf to /etc/krb5

2. ln -s /etc/krb5/krb5.conf /etc/krb5.conf

Other Configurations

To make a service authenticate Onyens, follow the OpenSSH Installation Instructions to install the ITS-supported version of OpenSSH.

Now that an OpenAFS client has been installed, Onyens can be added to the system. A mechanism called prop pulls information about selected Onyens from a central database and makes entries in the system files. It needs to be configured and run to add Onyens to the system.

Some users have their default shell running from AFS package space. To let these users log in, the /etc/security/login.cfg file needs to be updated. Add the following lines to the shells stanza:

    # /afs/isis/pkg/tcsh/bin/tcsh
    # /afs/isis/pkg/bash/bin/bash

OpenAFS Client Install Verification

Once the other configurations have been completed, try to log in from another machine. Check that you can access AFS space and that you have been given your correct AFS tokens.

To check whether you have tokens, use the /usr/afsws/bin/tokens command:

    Tokens held by the Cache Manager:

    User's (AFS ID 62083) tokens for afs@isis.unc.edu [Expires Aug  3 09:05]
    User hpham's tokens for krbtgt.ISIS.UNC.EDU@isis.unc.edu [Expires Aug  3 09:18]
       --End of list--

University of North Carolina - Chapel Hill