EDV:OpenAFS/Install sun4x 510
Installation des OpenAFS-Clients auf Solaris 10
Dieses Beispiel bezieht sich auf:
#hostname fackel
#uname -a SunOS fackel 5.10 Generic_118833-17 sun4u sparc SUNW,Sun-Blade-100
Installationsdateien holen
Um dann den üblichen Weg über janus zu gehen müssen die Binaries dort hinterlegt werden:
mkdir /janus/misc/afs cd /janus/misc/afs wget http://openafs.org/dl/openafs/1.4.4/sun4x_510/sun4x_510.tar.gz gtar -xvzf sun4x_510.tar.gz
Ansonsten sind die Binaries schon im AFS und von jeden schon installierten Client aus abrufbar (z.B. kip1,kipfire):
/afs/kip/openafs/1.4.4/sun4x_510/sun4x_510.tar.gz
bzw. entpackt auch unter:
/afs/kip/sun4x_510
Erzeugen der AFS Verzeichnisse
mkdir /usr/vice mkdir /usr/vice/etc
AFS in den Solaris Kernel laden
Zu den Binaries gehen:
cd /janus/misc/afs/afs-1.4.4/sun4x_510/dest/root.client/usr/vice/etc/
Init-skript installieren:
cp -p modload/afs.rc /etc/init.d/afs chown root:sys /etc/init.d/afs chmod 755 /etc/init.d/afs
Kernel Modul kopieren (hier 64bit kein NFS-export):
cp -p modload/libafs64.nonfs.o /kernel/fs/sparcv9/afs chown root:sys /kernel/fs/sparcv9/afs chmod 755 /kernel/fs/sparcv9/afs
AFS Starten: 
Dies erzeugt automatisch beim 1. Mal einen reboot!
/etc/init.d/afs start
Nach dem Neustart nochmal AFS starten (Warnungen über 'afsd' erstmal ignorieren):
/etc/init.d/afs start
Wichtigsten Binaries kopieren
Dateien kopieren:
cd /janus/misc/afs/afs-1.4.4/sun4x_510/dest/root.client/usr/vice/etc/ cp -p * /usr/vice/etc cp -rp C /usr/vice/etc
Das init-skript nicht doppelt:
rm /usr/vice/etc/afs.rc ln -s /etc/init.d/afs /usr/vice/etc/afs.rc
ThisCell erzeugen:
echo "kip.uni-heidelberg.de" >/usr/vice/etc/ThisCell
CellServDB erzeugen (oder von einem anderen Server/Client holen):
echo ">kip.uni-heidelberg.de # Kichhoff-Institut für Physik 129.206.176.40 # ldap.kip.uni-heidelberg.de 129.206.176.149 # ldap2.kip.uni-heidelberg.de >urz.uni-heidelberg.de # Universitaet Heidelberg 129.206.119.10 #afsdb.urz.uni-heidelberg.de 129.206.119.16 #afsdb1.urz.uni-heidelberg.de 129.206.119.17 #afsdb2.urz.uni-heidelberg.de " >/usr/vice/etc/CellServDB
| Die CellServDB und die ThisCell ist auch im AFS unter /afs/kip/common/etc. |
Cache konfigurieren
Cache- und AFS-Verzeichnis erzeugen:
mkdir /usr/vice/cache mkdir /afs
Cache Eintrag erzeugen (in Kilobyte):
echo "/afs:/usr/vice/cache:300000" > /usr/vice/etc/cacheinfo
Evtl. die Einstellungen in der /etc/init.d/afs überprüfen, bzgl. '-stat 2500 -daemons 4 -volume 100' ...
AFS Starten
Dann den AFS-Client starten:
/etc/init.d/afs start
Nun sollte auch AFS gehen:
ls -l /afs
AFS automatisch beim booten starten:
cd /etc/init.d ln -s ../init.d/afs /etc/rc3.d/S99afs ln -s ../init.d/afs /etc/rc0.d/K66afs
AFS Client Binaries verlinken
Sobald AFS läuft können wir auch die Binaries von dort verwenden:
ln -s /afs/kip.uni-heidelberg.de/@sys/usr/afsws /usr/afsws
Uns jetzt noch in der PATH-Variable hinzufügen in der /etc/profile.local:
... # --------------------------------------- #PATH="/opt/csw/bin:$PATH" XPATH=:$PATH: for dir in \ $HOME/bin \ /bin \ /usr/bin \ /usr/ucb \ + /usr/afsws/bin \ /usr/openwin/bin \ /usr/dt/bin \ /usr/local/bin \ ... ; do if [ "${XPATH/:$dir:/}" = "$XPATH" ] ; then [ -d $dir ] && PATH=$PATH:$dir # else # echo "$dir already included" fi done ...
Link zu Homeverzeichnissen anlegen
Da im LDAP dann nicht der komplette Pfad steht, sondern /afsuser/userX muss dieser Link angelegt werden:
ln -s /afs/kip.uni-heidelberg.de/user /afsuser
Enable AFS login
Perform the following steps to enable AFS login.
1. Mount the AFS CD-ROM for Solaris on the /cdrom directory, if it is not already. Then change directory as indicated.
cd /usr/lib/security
2. Copy the AFS authentication library file to the /usr/lib/security directory. Then create a symbolic link to it whose name does not mention the version. Omitting the version eliminates the need to edit the PAM configuration file if you later update the library file.
If you use the AFS Authentication Server (kaserver process):
cp /janus/misc/afs/afs-1.4.4/sun4x_510/dest/lib/pam_afs.so.1 . cp /janus/misc/afs/afs-1.4.4/sun4x_510/dest/lib/pam_afs.krb.so.1 . ln -s pam_afs.so.1 pam_afs.so
If you use a Kerberos implementation of AFS authentication:
cp /cdrom/sun4x_56/lib/pam_afs.krb.so.1 . cp /janus/misc/afs/afs-1.4.4/sun4x_510/dest/lib/pam_afs.krb.so.1 . ln -s pam_afs.krb.so.1 pam_afs.so
3. Edit the Authentication management section of the Solaris PAM configuration file, /etc/pam.conf by convention. The entries in this section have the value auth in their second field.
First edit the standard entries, which refer to the Solaris PAM module (usually, the file /usr/lib/security/pam_unix.so.1) in their fourth field. For each service for which you want to use AFS authentication, edit the third field of its entry to read optional. The pam.conf file in the Solaris distribution usually includes standard entries for the login, rlogin, and rsh services, for instance.
If there are services for which you want to use AFS authentication, but for which the pam.conf file does not already include a standard entry, you must create that entry and place the value optional in its third field. For instance, the Solaris pam.conf file does not usually include standard entries for the ftp or telnet services.
Then create an AFS-related entry for each service, placing it immediately below the standard entry. The following example shows what the Authentication Management section looks like after you have you edited or created entries for the services mentioned previously. Note that the example AFS entries appear on two lines only for legibility.
login auth optional /usr/lib/security/pam_unix.so.1
login auth optional /usr/lib/security/pam_afs.so try_first_pass ignore_root setenv_password_expires
rlogin auth optional /usr/lib/security/pam_unix.so.1
rlogin auth optional /usr/lib/security/pam_afs.so try_first_pass ignore_root setenv_password_expires
rsh auth optional /usr/lib/security/pam_unix.so.1
rsh auth optional /usr/lib/security/pam_afs.so try_first_pass ignore_root
ftp auth optional /usr/lib/security/pam_unix.so.1
ftp auth optional /usr/lib/security/pam_afs.so try_first_pass ignore_root
telnet auth optional /usr/lib/security/pam_unix.so.1
telnet auth optional /usr/lib/security/pam_afs.so try_first_pass ignore_root setenv_password_expires
4. If you use the Common Desktop Environment (CDE) on the machine and want users to obtain an AFS token as they log in, also add or edit the following four entries in the Authentication management section. Note that the AFS-related entries appear on two lines here only for legibility.
dtlogin auth optional /usr/lib/security/pam_unix.so.1
dtlogin auth optional /usr/lib/security/pam_afs.so try_first_pass ignore_root
dtsession auth optional /usr/lib/security/pam_unix.so.1
dtsession auth optional /usr/lib/security/pam_afs.so try_first_pass ignore_root
.. login auth sufficient pam_unix_auth.so.1 login auth sufficient pam_afs.so debug try_first_pass set_token setenv_password_expires ignore_uid 999 login auth required pam_ldap.so.1 debug try_first_pass .. rlogin auth sufficient pam_unix_auth.so.1 rlogin auth sufficient pam_afs.so debug try_first_pass set_token setenv_password_expires ignore_uid 999 rlogin auth required pam_ldap.so.1 debug try_first_pass .. sshd auth sufficient pam_unix.so.1 sshd auth sufficient pam_afs.so debug try_first_pass set_token setenv_password_expires ignore_uid 999 sshd auth required pam_ldap.so.1 debug try_first_pass .. other auth sufficient pam_unix_auth.so.1 other auth sufficient pam_afs.krb.so.1 debug try_first_pass set_token setenv_password_expires ignore_uid 999 other auth required pam_ldap.so.1 debug try_first_pass .. dtlogin auth sufficient pam_unix_auth.so.1 dtlogin auth sufficient pam_afs.so debug try_first_pass set_token setenv_password_expires ignore_uid 999 dtlogin auth required pam_ldap.so.1 debug try_first_pass .. xscreensaver auth sufficient pam_unix_auth.so.1 xscreensaver auth sufficient pam_afs.so debug try_first_pass refresh_token setenv_password_expires ignore_uid 999 xscreensaver auth required pam_ldap.so.1 debug try_first_pass ..
.. und falls auch die SunRayServerSoftware installiert ist, die betreffenden auth-Zeilen:
