UNC AFS Client Installation Guide for Solaris Systems
Loading Client Files onto the Local Disk
From the ftp.unc.edu anonymous FTP server, download the file pub/openafs/openafs-x.x.x/sun4x_XX.client.tar to the local machine (where XX is the OS version number, e.g. sun4x_59 or sun4x_510). Once you have the tar file on the local machine, move it to the root directory and untar it.
# mv <full path of tar file> /
# cd /
# tar -xvf sun4x_XX.client.tar
Incorporating AFS Modifications into the Kernel
1. Verify that the modload binary is available on the local disk and that the /usr/vice/etc/modload directory on the local disk contains libafs.nonfs.o and libafs64.nonfs.o .
2. Create the /kernel/fs/afs file as a link to the 32-bit version of the kernel extensions, libafs.nonfs.o .
# ln -s /usr/vice/etc/modload/libafs.nonfs.o /kernel/fs/afs
3. Create the /kernel/fs/sparcv9/afs file as a link to the 64-bit version of the kernel extensions, libafs64.nonfs.o .
# ln -s /usr/vice/etc/modload/libafs64.nonfs.o /kernel/fs/sparcv9/afs
4. Create an entry for AFS in the /etc/name_to_sysnum file to allow the kernel to make AFS system calls.
In the file /etc/name_to_sysnum , create an "afs" entry in slot 65 (the slot just before the "tasksys" entry). When the addition has been made, the file should look like this:
rexit 1
...
...
...
ulimit 63
afs 65
tasksys 70
5. Reboot the machine.
# /usr/sbin/shutdown -i6
6. Copy the initialization script in /usr/vice/etc/modload/afs.rc to the /etc/init.d directory, make sure that it is executable, and link it to the two locations where Solaris expects to find it.
# cd /etc/init.d
# cp -p /usr/vice/etc/modload/afs.rc afs
# chmod 555 afs
# ln -s ../init.d/afs /etc/rc3.d/S14afs
# ln -s ../init.d/afs /etc/rc2.d/K66afs
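The kernel steps above are easy to get subtly wrong (a link pointing at the wrong module, a duplicate or misplaced name_to_sysnum entry), and the mistake only shows up after the reboot. The following script is an added example, not part of the UNC guide: it re-checks steps 1 to 4 before you reboot, and it inserts the "afs 65" entry only when slot 65 is free. The ROOT variable is an assumption of this example (empty on a live system) so the checks can be run against a staging tree.

```shell
#!/bin/sh
# Added example (not from the UNC guide): pre-reboot checks for the AFS
# kernel-extension steps. ROOT (assumed; default empty = live system)
# prefixes every path so the functions can be exercised on a scratch tree.
ROOT="${ROOT:-}"

# afs_links_ok: both /kernel/fs links exist and point at the expected
# nonfs modules under /usr/vice/etc/modload. Returns 0 when correct.
afs_links_ok() {
    for pair in \
        "$ROOT/kernel/fs/afs=$ROOT/usr/vice/etc/modload/libafs.nonfs.o" \
        "$ROOT/kernel/fs/sparcv9/afs=$ROOT/usr/vice/etc/modload/libafs64.nonfs.o"
    do
        link="${pair%%=*}"
        target="${pair#*=}"
        [ -f "$target" ] || { echo "missing module: $target" >&2; return 1; }
        [ -L "$link" ] || { echo "missing link: $link" >&2; return 1; }
        # readlink is not on older Solaris; `ls -l` prints "link -> target".
        actual=$(ls -l "$link" | sed 's/.* -> //')
        [ "$actual" = "$target" ] ||
            { echo "$link -> $actual (expected $target)" >&2; return 1; }
    done
    return 0
}

# sysnum_ok: name_to_sysnum has an "afs" entry in slot 65 and nothing else
# claims slot 65. Returns 0 when correct.
sysnum_ok() {
    f="$ROOT/etc/name_to_sysnum"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    afs_slots=$(awk '$1 == "afs" { print $2 }' "$f")
    [ "$afs_slots" = "65" ] ||
        { echo "afs entry is '$afs_slots', expected exactly one entry: 65" >&2; return 1; }
    other=$(awk '$2 == 65 && $1 != "afs" { print $1 }' "$f")
    [ -z "$other" ] || { echo "slot 65 also used by: $other" >&2; return 1; }
    return 0
}

# add_afs_sysnum: insert "afs 65" just before the tasksys line, as the guide
# describes. Does nothing if an afs entry already exists; refuses to run if
# slot 65 is taken or the tasksys anchor line is missing.
add_afs_sysnum() {
    f="$ROOT/etc/name_to_sysnum"
    awk '$1 == "afs" { found=1 } END { exit !found }' "$f" && return 0
    if awk '$2 == 65 { found=1 } END { exit !found }' "$f"; then
        echo "slot 65 already in use in $f; not modifying it" >&2; return 1
    fi
    awk '$1 == "tasksys" { found=1 } END { exit !found }' "$f" ||
        { echo "no tasksys line in $f; add the afs entry by hand" >&2; return 1; }
    awk '$1 == "tasksys" { print "afs\t\t\t65" } { print }' "$f" > "$f.new" &&
        mv "$f.new" "$f"
}

# Typical use on the client, before `shutdown -i6`:
#   afs_links_ok && add_afs_sysnum && sysnum_ok && echo "ready to reboot"
```

Run it as root on the client after step 3; if any function prints a complaint, fix that step before rebooting rather than discovering a missing AFS system call entry afterwards.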
Setting Up the Cache
Every AFS client must have a cache in which to store local copies of files brought over from file server machines. The Cache Manager can cache either on disk or in machine memory.
For both types of caching, afsd consults the /usr/vice/etc/cacheinfo file as it initializes the Cache Manager and the cache. It does this to learn the defaults for cache size and where to mount AFS locally.
The file has three fields:
1. The first field specifies where to mount AFS on the local disk. The standard choice is /afs .
2. The second field defines the local disk directory to be used for caching in the case of disk cache. The standard choice is /usr/vice/cache . It is highly recommended that this cache directory actually be a mount point for a separate partition.
3. The third field defines the cache size as a number of one-kilobyte (1024-byte) blocks. A good size is around 100 MB, but do not make the cache larger than 90% of the space available on the partition housing the cache.
Setting up a disk cache
Pick an unused partition and place a UFS filesystem on it. If you are creating a new partition, a good size for it is about 128 MB. Then alter the /etc/vfstab file so that this partition is mounted as /usr/vice/cache when the system comes back up. Make the mount point and mount the partition. Finally, update the cacheinfo file.
Create the partition:
# newfs /dev/rdsk/<partition>
Add a line to your /etc/vfstab file (this is file content, not a command, so it has no leading # ), such as:
/dev/dsk/<partition> /dev/rdsk/<partition> /usr/vice/cache ufs 2 yes -
Make the mount point at /usr/vice/cache and mount the partition:
# mkdir /usr/vice/cache
# mount /usr/vice/cache
Update the cacheinfo file:
# echo "/afs:/usr/vice/cache:<#blocks>" > /usr/vice/etc/cacheinfo
For example, to devote 100000 one-kilobyte blocks (100 MB) to the cache directory on this machine, type
# echo "/afs:/usr/vice/cache:100000" > /usr/vice/etc/cacheinfo
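A cacheinfo line that is malformed or that asks for more than the 90% ceiling above is a common cause of afsd refusing to start or of a cache partition filling up. The following is an added example, not part of the UNC guide, that validates a cacheinfo file against the three-field format and the 90% rule. The partition size is passed in explicitly (an assumption of this example) so the check can be run anywhere; on the client you would take it from `df -k /usr/vice/cache`.

```shell
#!/bin/sh
# Added example (not from the UNC guide): validate a cacheinfo file.
# Rules checked (all from the guide's description of the file):
#   - exactly three colon-separated fields: mountpoint:cachedir:blocks
#   - mount point and cache directory are absolute paths
#   - blocks is a number of 1 KB blocks no larger than 90% of the partition

# cacheinfo_check FILE AVAIL_KB
#   FILE      path to a cacheinfo file (normally /usr/vice/etc/cacheinfo)
#   AVAIL_KB  size of the cache partition in kilobytes, supplied by the caller
# On success prints "mountpoint cachedir blocks"; otherwise prints the reason
# on stderr and returns 1.
cacheinfo_check() {
    file="$1"; avail_kb="$2"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    case "$avail_kb" in
        ''|*[!0-9]*) echo "partition size must be a number of KB: '$avail_kb'" >&2; return 1;;
    esac
    line=$(head -1 "$file")
    nfields=$(echo "$line" | awk -F: '{ print NF }')
    [ "$nfields" -eq 3 ] || { echo "expected 3 fields, got $nfields: $line" >&2; return 1; }
    mnt=$(echo "$line" | cut -d: -f1)
    dir=$(echo "$line" | cut -d: -f2)
    blocks=$(echo "$line" | cut -d: -f3)
    case "$mnt" in /*) ;; *) echo "mount point not absolute: '$mnt'" >&2; return 1;; esac
    case "$dir" in /*) ;; *) echo "cache directory not absolute: '$dir'" >&2; return 1;; esac
    case "$blocks" in ''|*[!0-9]*) echo "cache size not a number: '$blocks'" >&2; return 1;; esac
    # 90% ceiling in integer arithmetic; expr is available on old Bourne sh too.
    limit=$(cache_limit_kb "$avail_kb")
    [ "$blocks" -le "$limit" ] || {
        echo "cache size ${blocks} KB exceeds 90% of the partition (${limit} KB of ${avail_kb} KB)" >&2
        return 1
    }
    echo "$mnt $dir $blocks"
}

# cache_limit_kb AVAIL_KB: the largest cache size (in KB) the 90% rule allows.
cache_limit_kb() {
    expr "$1" \* 9 / 10
}

# On the client itself (the df field index is for Solaris/GNU `df -k`):
#   cacheinfo_check /usr/vice/etc/cacheinfo \
#       "$(df -k /usr/vice/cache | awk 'NR == 2 { print $2 }')"
```

The guide's own numbers pass: 100000 blocks on a 128 MB (131072 KB) partition is under the 117964 KB ceiling, while the same cacheinfo on a 100 MB partition is rejected because 100000 exceeds 90% of 102400.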
Creating /afs and Starting the Cache Manager
Create the mount point for AFS.
# mkdir /afs
# chmod 777 /afs
Start the Cache Manager; the easiest way of doing this is to use the initialization scripts.
# cd /etc/init.d
# ./afs start
Create a local link to AFS binaries
Make a link from your local space to AFS space to gain easier access to binaries.
# ln -s /afs/isis.unc.edu/@sys/usr/afsws /usr/afsws
Setting Up PAM
Copy the Kerberos version of the AFS authentication library file into the /usr/lib/security directory. The standard installed location of the AFS library file is /usr/afsws/lib .
# cp -p /usr/afsws/lib/pam_krb5afs.so.1 /usr/lib/security
Make sure this file is owned by root, its group is sys, and its permissions are set to 644. If they are not, issue the following two commands:
# chown root:sys /usr/lib/security/pam_krb5afs.so.1
# chmod 644 /usr/lib/security/pam_krb5afs.so.1
Then add the following to the corresponding PAM configuration (/etc/pam.conf) file.
For Solaris 10 (the sshd lines are required; the others matter if you log in at a Solaris 10 console):
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
#
# SSH Authentication management
#
sshd auth optional pam_unix_cred.so.1
sshd auth optional pam_krb5afs.so.1 krb4_convert try_first_pass ignore_root no_warn
sshd auth optional pam_unix_auth.so.1
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth optional pam_unix_cred.so.1
login auth optional pam_krb5afs.so.1 krb4_convert use_first_pass ignore_root no_warn
login auth optional pam_unix_auth.so.1
#
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
# rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# dtlogin service
#
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth optional pam_unix_cred.so.1
dtlogin auth sufficient pam_krb5afs.so.1 krb4_convert use_first_pass ignore_root no_warn
dtlogin auth optional pam_unix_auth.so.1
#
# dtsession service
#
dtsession auth requisite pam_authtok_get.so.1
dtsession auth required pam_dhkeys.so.1
dtsession auth optional pam_unix_cred.so.1
dtsession auth optional pam_krb5afs.so.1 krb4_convert use_first_pass ignore_root no_warn
dtsession auth optional pam_unix_auth.so.1
#
# xscreensaver service
#
xscreensaver auth requisite pam_authtok_get.so.1
xscreensaver auth required pam_dhkeys.so.1
xscreensaver auth optional pam_krb5afs.so.1 use_first_pass ignore_root no_warn
xscreensaver auth optional pam_unix_auth.so.1
#
# xlock service
#
xlock auth requisite pam_authtok_get.so.1
xlock auth required pam_dhkeys.so.1
xlock auth optional pam_krb5afs.so.1 use_first_pass ignore_root no_warn
xlock auth optional pam_unix_auth.so.1
#
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth optional pam_krb5afs.so.1 use_first_pass ignore_root no_warn
other auth optional pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
For Solaris 9:
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
sshd auth optional pam_unix_auth.so.1
sshd auth optional pam_krb5afs.so debug=false try_first_pass krb4_convert=true
#
# ftp
#
ftp auth optional pam_unix.so.1 debug
ftp auth optional pam_afs.so.1 debug
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
su auth requisite pam_authtok_get.so.1
su auth sufficient pam_unix_auth.so.1
su auth required pam_krb5afs.so debug=false try_first_pass=true krb4_convert=true
# rlogin service (explicit because of pam_rhost_auth)
#
#rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
#rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#cron account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass
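Before logging out of the session you used to edit pam.conf, it is worth confirming mechanically that the module file has the ownership and mode required above and that every line you pasted is well formed and names a module that actually exists, since a bad line can lock every service out. The script below is an added example, not part of the UNC guide or of Solaris; the module directory argument (MODDIR, normally /usr/lib/security) and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the UNC guide): sanity checks for the PAM setup.

# pam_module_fields FILE: prints "MODE OWNER GROUP" as shown by `ls -l`.
pam_module_fields() {
    ls -l "$1" | awk '{ print $1, $3, $4 }'
}

# pam_module_ok MODE OWNER GROUP: true when they are 644, root and sys,
# as the guide requires. A trailing "+" or "." after the mode (ACL marker
# on Solaris, SELinux label on Linux) is tolerated.
pam_module_ok() {
    case "$1" in -rw-r--r--|-rw-r--r--[+.]) ;; *) return 1;; esac
    [ "$2" = "root" ] && [ "$3" = "sys" ]
}

# pamconf_check FILE MODDIR: report every non-comment line that is not
# "service type control module [options]", has an unknown type or control
# flag, or names a module not present in MODDIR (relative module names are
# resolved there, as the comment at the top of pam.conf states).
# Returns the number of problems found (0 = clean).
pamconf_check() {
    awk -v moddir="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF < 4 { printf "line %d: too few fields: %s\n", NR, $0; bad++; next }
        $2 !~ /^(auth|account|session|password)$/ {
            printf "line %d: unknown module type %s\n", NR, $2; bad++ }
        $3 !~ /^(required|requisite|sufficient|optional|binding|include)$/ {
            printf "line %d: unknown control flag %s\n", NR, $3; bad++ }
        {
            path = ($4 ~ /^\//) ? $4 : moddir "/" $4
            if (system("test -f " path) != 0) {
                printf "line %d: module not found: %s\n", NR, path; bad++ }
        }
        END { exit bad }
    ' "$1"
}

# pamconf_krb5afs_services FILE: the services whose auth stack calls
# pam_krb5afs, one line, sorted, so you can compare against what you intended.
pamconf_krb5afs_services() {
    awk '!/^[ \t]*#/ && $2 == "auth" && $4 ~ /pam_krb5afs/ { print $1 }' "$1" |
        sort -u | tr '\n' ' ' | sed 's/ $//'
}

# On the client, as root, with the editing session still open:
#   set -- $(pam_module_fields /usr/lib/security/pam_krb5afs.so.1)
#   pam_module_ok "$@" || echo "fix ownership/mode of pam_krb5afs.so.1"
#   pamconf_check /etc/pam.conf /usr/lib/security || echo "fix pam.conf first"
#   echo "krb5afs used by: $(pamconf_krb5afs_services /etc/pam.conf)"
```

A non-zero result from pamconf_check does not mean PAM itself would reject the file, only that a line does not match the documented layout; treat each reported line as something to read again before you close your root shell.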
Some Isis users have their default shell running from AFS space. In order to let these users log in, the /etc/shells file needs to be updated. Add the following lines to this file (file content, not commands, so no leading # ):
/afs/isis/pkg/tcsh/bin/tcsh
/afs/isis/pkg/bash/bin/bash
Now try to log in through the different services, making sure that you still have an open session that can edit pam.conf. Check that you can see AFS space and that you have been given your correct AFS tokens.
To check whether you have tokens through telnet, use the tokens command:
# /usr/afsws/bin/tokens
Tokens held by the Cache Manager:
User's (AFS ID 9798) tokens for afs@isis.unc.edu [Expires Oct 29 11:33]
User godehn's tokens for krbtgt.ISIS.UNC.EDU@isis.unc.edu [Expires Oct 29 11:33]
--End of list--
If your list is empty, you don't have your tokens and something is wrong.
To check whether you have tokens through FTP, log in and make sure you can access a directory that is protected, for example ~/private.
If you have any problems, make sure that the permissions on files you have created are as specified in this document and that you are using the correct version of pam.conf.