EDV:OpenAFS/Install hp ux110: Difference between revisions

From KIP Wiki
Latest revision as of 12:41, 19 April 2007

Getting Started on HP-UX Systems

In this section you build AFS into the HP-UX kernel. Then you incorporate AFS modifications into the machine's Pluggable Authentication Module (PAM) system, if you wish to enable AFS login.

Building AFS into the HP-UX Kernel

On HP-UX systems, you must build AFS modifications into a new static kernel; HP-UX does not support dynamic loading. If the machine's hardware and software configuration exactly matches another HP-UX machine on which AFS is already built into the kernel, you can choose to copy the kernel from that machine to this one. In general, however, it is better to build AFS modifications into the kernel on each machine according to the following instructions.

1. Save copies of the existing kernel-related files in a safe location (the commands copy rather than move, so the running kernel stays in place):

cp /stand/vmunix /stand/vmunix.noafs
cp /stand/system /stand/system.noafs

2. Mount the AFS CD-ROM for HP-UX on the local /cdrom directory. For instructions on mounting CD-ROMs (either locally or remotely via NFS), see your HP-UX documentation. Then change directory as indicated.

cd /cdrom/hp_ux110/root.client

3. Copy the AFS initialization file to the local directory for initialization files (by convention, /sbin/init.d on HP-UX machines). Note the removal of the .rc extension as you copy the file.

cp usr/vice/etc/dkload/afs.rc  /sbin/init.d/afs
chmod 755 /sbin/init.d/afs

4. Copy the file afs.driver to the local /usr/conf/master.d directory, changing its name to afs as you do.

cp  usr/vice/etc/afs.driver  /usr/conf/master.d/afs

5. Copy the AFS kernel module to the local /usr/conf/lib directory. The .nonfs archives are the builds without the NFS/AFS translator; which one you need depends on whether the kernel is 32- or 64-bit.

If the kernel is 32-bit:

cp bin/libafs.nonfs.a /usr/conf/lib/libafs.a

and if it is 64-bit:

cp bin/libafs64.nonfs.a /usr/conf/lib/libafs.a

You can find out whether the running kernel is 32- or 64-bit with getconf:

# getconf KERNEL_BITS
32

6. Incorporate the AFS driver into the kernel, either using the SAM program or a series of individual commands.

  • To use the SAM program:
    1. Invoke the SAM program, specifying the hostname of the local machine as local_hostname. The SAM graphical user interface pops up.
      sam
      or
      sam -display local_hostname:0
    2. Choose the Kernel Configuration icon, then the Drivers icon. From the list of drivers, select afs.
    3. Open the pull-down Actions menu and choose the Add Driver to Kernel option.
    4. Open the Actions menu again and choose the Create a New Kernel option.
    5. Confirm your choices by choosing Yes and OK when prompted by subsequent pop-up windows. The SAM program builds the kernel and reboots the system.
    6. Log in again as the superuser root.
      login: root
      Password: root_password
  • To use individual commands:
    1. Edit the file /stand/system, adding an entry for afs to the Subsystems section.
    2. Change to the /stand/build directory and issue the mk_kernel command to build the kernel.
      cd /stand/build
      mk_kernel
    3. Move the new kernel to the standard location (/stand/vmunix), reboot the machine to start using it, and log in again as the superuser root.
      mv /stand/build/vmunix_test /stand/vmunix
      cd /
      shutdown -r now
      login: root
      Password: root_password
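The kernel-build preparation above is easy to get wrong on a second attempt: re-running step 1 would overwrite the pristine backup with an already AFS-enabled kernel, copying the wrong libafs archive wastes a kernel build, and editing /stand/system twice leaves a duplicate afs entry. The shell helpers below are an added example (not code from the page or from OpenAFS) that make those three steps safe to repeat. They take paths as arguments, so nothing under /stand or /usr/conf is modified unless you pass those paths in; the assumption that the subsystem section header contains the word "Subsystems" (HP-UX 11 files begin with "* Drivers and Subsystems") is marked in the code and should be verified on your own machine.

```shell
#!/bin/sh
# Added example (not from the page or from OpenAFS): helpers for steps 1, 5
# and 6 above. Paths are parameters, so nothing under /stand or /usr/conf is
# modified unless you call the functions with those paths.

# Step 1: keep the pre-AFS kernel files. Copy only if the backup does not
# exist yet, so re-running the procedure after a failed build never replaces
# the pristine backup with an already AFS-enabled kernel or system file.
backup_once() {
    src=$1; dst=$2
    if [ -e "$dst" ]; then
        echo "backup_once: $dst already exists, not overwriting it" >&2
        return 0
    fi
    cp -p "$src" "$dst"
}

# Step 5: choose the libafs archive from the value of 'getconf KERNEL_BITS'.
# Refuse anything but 32 or 64 rather than guessing.
select_libafs() {
    case "$1" in
        32) echo "libafs.nonfs.a" ;;
        64) echo "libafs64.nonfs.a" ;;
        *)  echo "select_libafs: unexpected KERNEL_BITS value '$1'" >&2; return 1 ;;
    esac
}

# Step 6 (command variant): add an "afs" line to the subsystems section of a
# /stand/system-style file. Idempotent: an existing "afs" entry is left alone,
# so running it twice cannot produce a duplicate subsystem line.
# Assumption: the section header line contains the word "Subsystems" (HP-UX 11
# files begin with "* Drivers and Subsystems"); verify that on your system.
add_afs_subsystem() {
    sysfile=$1
    if grep -q '^afs[[:space:]]*$' "$sysfile"; then
        return 0
    fi
    awk '{ print } /Subsystems/ && !added { print "afs"; added = 1 }' "$sysfile" > "$sysfile.tmp" \
        && mv "$sysfile.tmp" "$sysfile"
}

# Number of "afs" subsystem lines in a system file (1 is right; 0 or 2+ is not).
count_afs_entries() {
    grep -c '^afs[[:space:]]*$' "$1" || true
}

# Demo on a constructed sample file in a temporary directory, not on /stand.
demo=$(mktemp -d)
printf '%s\n' '* Drivers and Subsystems' 'sba' 'lba' 'c720' \
              '* Kernel Device info' 'dump lvol' > "$demo/system"
backup_once "$demo/system" "$demo/system.noafs"
add_afs_subsystem "$demo/system"
add_afs_subsystem "$demo/system"        # second run is a no-op
echo "afs entries after two runs: $(count_afs_entries "$demo/system")"
echo "archive for a 64-bit kernel: $(select_libafs 64)"
rm -rf "$demo"
```

On the real machine the calls would be backup_once /stand/vmunix /stand/vmunix.noafs, backup_once /stand/system /stand/system.noafs, cp bin/$(select_libafs "$(getconf KERNEL_BITS)") /usr/conf/lib/libafs.a and add_afs_subsystem /stand/system, followed by the mk_kernel step exactly as shown above.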

Installing and configuring the client software

Creating the AFS directories

mkdir /usr/vice
mkdir /usr/vice/etc

Copying the essential binaries

Copy the files:

cd /afsinst/root.client/usr/vice/etc/
cp -p * /usr/vice/etc
cp -rp C /usr/vice/etc

Do not keep a second copy of the init script; link it instead:

ln -s /sbin/init.d/afs /usr/vice/etc/afs.rc

Configuration

Create ThisCell:

echo "kip.uni-heidelberg.de" >/usr/vice/etc/ThisCell

Create CellServDB (or fetch it from another server/client):

echo ">kip.uni-heidelberg.de  # Kirchhoff-Institut fuer Physik
129.206.176.40          # ldap.kip.uni-heidelberg.de
129.206.176.149         # ldap2.kip.uni-heidelberg.de
>urz.uni-heidelberg.de  # Universitaet Heidelberg
129.206.119.10          #afsdb.urz.uni-heidelberg.de
129.206.119.16          #afsdb1.urz.uni-heidelberg.de
129.206.119.17          #afsdb2.urz.uni-heidelberg.de
" >/usr/vice/etc/CellServDB
CellServDB and ThisCell are also available in AFS under /afs/kip/common/etc.

Configuring the cache

Create the cache and AFS directories:

mkdir /usr/vice/cache
mkdir /afs

Create the cache entry (size in kilobytes):

echo "/afs:/usr/vice/cache:300000" > /usr/vice/etc/cacheinfo

If necessary, check the afsd options in the init script installed above (/sbin/init.d/afs), in particular '-stat 2500 -daemons 4 -volume 100' ...

The cache MUST be on an HFS volume; VxFS is not supported.
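A client whose ThisCell is not declared in CellServDB, or whose CellServDB has a cell with no server lines or a server line without the #hostname part, starts afsd but never reaches its database servers, and the symptom is only a hanging ls -l /afs later. The shell helpers below are an added example (not code from the page or from OpenAFS) that check the three files just written for exactly those mistakes. Paths are arguments, so nothing under /usr/vice/etc is read unless you pass it in; the demo at the end runs on constructed copies of this page's files in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the page or from OpenAFS): consistency checks for
# ThisCell, CellServDB and cacheinfo. Paths are arguments, so nothing under
# /usr/vice/etc is touched unless you pass those paths in.

# CellServDB: each cell starts with ">cellname", followed by one or more
# server lines of the form "IP  #hostname". The "#hostname" part of a server
# line is not a comment (the client uses it), so its absence is an error.
cellservdb_check() {
    awk '
        function close_cell() {
            if (cell != "" && servers == 0) { print "cell " cell " has no servers"; bad = 1 }
        }
        BEGIN { bad = 0; cell = ""; servers = 0 }
        /^[[:space:]]*$/ { next }
        /^>/ { close_cell(); cell = substr($1, 2); servers = 0; next }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            if (cell == "")                              { print "server before any cell: " $0; bad = 1 }
            else if ($0 !~ /#[[:space:]]*[^[:space:]#]/) { print "server without #hostname: " $0; bad = 1 }
            else                                         servers++
            next
        }
        { print "malformed line: " $0; bad = 1 }
        END { close_cell(); exit bad }
    ' "$1"
}

# ThisCell must name a cell that CellServDB declares, or the client cannot
# locate its own database servers.
thiscell_check() {
    cell=$(head -n 1 "$1")
    awk -v c="$cell" '/^>/ && substr($1, 2) == c { found = 1 } END { exit !found }' "$2"
}

# cacheinfo is a single line: mountpoint:cachedir:size-in-kilobytes
cacheinfo_check() {
    awk -F: 'NR == 1 && NF == 3 && $1 ~ /^\// && $2 ~ /^\// && $3 ~ /^[0-9]+$/ { ok = 1 }
             END { exit !ok }' "$1"
}

# Demo on constructed copies of the files from this page, in a temp directory.
d=$(mktemp -d)
echo "kip.uni-heidelberg.de" > "$d/ThisCell"
cat > "$d/CellServDB" <<'EOF'
>kip.uni-heidelberg.de  # Kirchhoff-Institut fuer Physik
129.206.176.40          # ldap.kip.uni-heidelberg.de
129.206.176.149         # ldap2.kip.uni-heidelberg.de
>urz.uni-heidelberg.de  # Universitaet Heidelberg
129.206.119.10          #afsdb.urz.uni-heidelberg.de
EOF
echo "/afs:/usr/vice/cache:300000" > "$d/cacheinfo"
if cellservdb_check "$d/CellServDB" && thiscell_check "$d/ThisCell" "$d/CellServDB" \
   && cacheinfo_check "$d/cacheinfo"; then
    echo "client configuration is consistent"
fi
rm -rf "$d"
```

The HFS requirement is not something a script can see from cacheinfo alone; on HP-UX, fstyp on the logical volume that holds /usr/vice/cache (for example fstyp /dev/vg00/lvol8, where the lvol name is only an illustration) reports hfs or vxfs, and that is the check to run before the first afsd start.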

Starting AFS

It is best to reboot once more at this point (the HP-UX shutdown command takes its grace period in seconds; the -i6 -g0 form is Solaris syntax and does not work here):

cd /
shutdown -r -y 0

Then start the AFS client:

/sbin/init.d/afs start

AFS should now work:

ls -l /afs

To start AFS automatically at boot:

cd /sbin/init.d
ln -s ../init.d/afs /sbin/rc3.d/S990afs
ln -s ../init.d/afs /sbin/rc0.d/K660afs

Linking the AFS client binaries

Once AFS is running, the binaries from there can be used as well:

ln -s /afs/kip.uni-heidelberg.de/@sys/usr/afsws /usr/afsws

Since every program in that directory will then be executed from AFS by every user on the machine, check the ACL on it (fs listacl /afs/kip.uni-heidelberg.de/@sys/usr/afsws) and make sure only administrators hold write rights there.

Now add it to the PATH variable in /etc/profile.local. The membership test below uses a case pattern because HP-UX's /usr/bin/sh does not understand the ${var/pattern/} substitution of bash and ksh93:

...
  # ---------------------------------------
  #PATH="/opt/csw/bin:$PATH"
  XPATH=:$PATH:
  
  for dir in \
    $HOME/bin  \
    /bin \
    /usr/bin \
    /usr/ucb \
+   /usr/afsws/bin \
    /usr/openwin/bin \
    /usr/dt/bin \
    /usr/local/bin \

...
    ; do
    # append $dir only if it is not already in PATH and actually exists
    case "$XPATH" in
      *":$dir:"*) ;;                               # already included
      *)          [ -d "$dir" ] && PATH=$PATH:$dir ;;
    esac
  done
...

Creating the link to the home directories

Because LDAP does not store the full path but /afsuser/userX as the home directory, this link has to be created:

ln -s /afs/kip.uni-heidelberg.de/user /afsuser


Enabling AFS Login on HP-UX Systems

At this point you incorporate AFS into the operating system's Pluggable Authentication Module (PAM) scheme. PAM integrates all authentication mechanisms on the machine, including login, to provide the security infrastructure for authenticated access to and from the machine.

Explaining PAM is beyond the scope of this document. It is assumed that you understand the syntax and meanings of settings in the PAM configuration file (for example, how the other entry works, the effect of marking an entry as required, optional, or sufficient, and so on).

The following instructions explain how to alter the entries in the PAM configuration file for each service for which you wish to use AFS authentication. Other configurations may also work, but the instructions specify the recommended and tested configuration. Note: The instructions specify that you mark each entry as optional. However, marking some modules as optional can mean that they grant access to the corresponding service even when the user does not meet all of the module's requirements. In some operating system revisions, for example, if you mark as optional the module that controls login via a dial-up connection, it allows users to log in without providing a password. See the IBM AFS Release Notes for a discussion of any limitations that apply to this operating system.

Also, with some operating system versions you must install patches for PAM to interact correctly with certain authentication programs. For details, see the IBM AFS Release Notes.

The recommended AFS-related entries in the PAM configuration file make use of one or more of the following three attributes.

try_first_pass

  • This is a standard PAM attribute that can be included on entries after the first one for a service; it directs the module to use the password that was provided to the first module. For the AFS module, it means that AFS authentication succeeds if the password provided to the module listed first is the user's correct AFS password. For further discussion of this attribute and its alternatives, see the operating system's PAM documentation.

ignore_root

  • This attribute, specific to the AFS PAM module, directs it to ignore not only the local superuser root, but also any user with UID 0 (zero).

setenv_password_expires

  • This attribute, specific to the AFS PAM module, sets the environment variable PASSWORD_EXPIRES to the expiration date of the user's AFS password, which is recorded in the Authentication Database.

Perform the following steps to enable AFS login.

1. Mount the AFS CD-ROM for HP-UX on the /cdrom directory, if it is not already. Then change directory as indicated.

        # cd /usr/lib/security

2. Copy the AFS authentication library file to the /usr/lib/security directory. Then create a symbolic link to it whose name does not mention the version. Omitting the version eliminates the need to edit the PAM configuration file if you later update the library file.

If you use the AFS Authentication Server (kaserver process) in the cell (note that kaserver is a Kerberos 4 derivative that OpenAFS has deprecated in favour of a Kerberos 5 KDC, so prefer the Kerberos variant below for new installations):

        # cp /cdrom/hp_ux110/lib/pam_afs.so.1  .
        # ln -s  pam_afs.so.1  pam_afs.so

If you use a Kerberos implementation of AFS authentication:

        # cp /cdrom/hp_ux110/lib/pam_afs.krb.so.1   .
        # ln -s pam_afs.krb.so.1 pam_afs.so

3. Edit the Authentication management section of the HP-UX PAM configuration file, /etc/pam.conf by convention. The entries in this section have the value auth in their second field.

First edit the standard entries, which refer to the HP-UX PAM module (usually, the file /usr/lib/security/libpam_unix.1) in their fourth field. For each service for which you want to use AFS authentication, edit the third field of its entry to read optional. The pam.conf file in the HP-UX distribution usually includes standard entries for the login and ftp services, for instance.

If there are services for which you want to use AFS authentication, but for which the pam.conf file does not already include a standard entry, you must create that entry and place the value optional in its third field. For instance, the HP-UX pam.conf file does not usually include standard entries for the remsh or telnet services.

Then create an AFS-related entry for each service, placing it immediately below the standard entry. The following example shows what the Authentication Management section looks like after you have edited or created entries for the services mentioned previously. Note that the example AFS entries appear on two lines only for legibility.


        login   auth  optional  /usr/lib/security/libpam_unix.1
        login   auth  optional  /usr/lib/security/pam_afs.so      \
              try_first_pass  ignore_root  setenv_password_expires
        ftp     auth  optional  /usr/lib/security/libpam_unix.1
        ftp     auth  optional  /usr/lib/security/pam_afs.so      \
              try_first_pass  ignore_root
        remsh   auth  optional  /usr/lib/security/libpam_unix.1
        remsh   auth  optional  /usr/lib/security/pam_afs.so      \
              try_first_pass  ignore_root
        telnet  auth  optional  /usr/lib/security/libpam_unix.1
        telnet  auth  optional  /usr/lib/security/pam_afs.so      \
              try_first_pass  ignore_root  setenv_password_expires

4. If you use the Common Desktop Environment (CDE) on the machine and want users to obtain an AFS token as they log in, also add or edit the following four entries in the Authentication management section. Note that the AFS-related entries appear on two lines here only for legibility.


        dtlogin   auth  optional  /usr/lib/security/libpam_unix.1
        dtlogin   auth  optional  /usr/lib/security/pam_afs.so     \
              try_first_pass  ignore_root
        dtaction  auth  optional  /usr/lib/security/libpam_unix.1
        dtaction  auth  optional  /usr/lib/security/pam_afs.so     \
              try_first_pass  ignore_root
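The note at the top of this section is the security-relevant point of the whole PAM procedure: after steps 3 and 4 every listed service has an auth stack made only of optional entries, so no single module can by itself deny access, and the release notes have to be consulted per service. The shell helpers below are an added example (not code from the page or from OpenAFS) that read a pam.conf, join the backslash-continued lines shown above, and list every service whose auth stack is entirely optional, plus every pam_afs auth entry that lacks try_first_pass (without it the AFS module does not reuse the password the first module collected and prompts on its own). The demo runs on a constructed fragment, not on your live /etc/pam.conf.

```shell
#!/bin/sh
# Added example (not from the page or from OpenAFS): audit helpers for the
# "auth" section of an HP-UX style pam.conf. The file path is an argument.

# List services whose auth stack contains only "optional" entries, i.e. where
# no required/requisite/sufficient module exists that could deny access alone.
pam_all_optional_services() {
    awk '
        # Join backslash-continued lines into one logical entry first.
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, " "); buf = buf $0; next }
        {
            $0 = buf $0; buf = ""
            if ($0 ~ /^[[:space:]]*#/ || NF < 4) next   # comment, blank or junk
            if ($2 != "auth") next                      # only the auth stack
            total[$1]++
            if ($3 != "optional") strong[$1]++          # required/requisite/sufficient
        }
        END { for (svc in total) if (!(svc in strong)) print svc }
    ' "$1" | sort
}

# List services whose pam_afs auth entry is missing try_first_pass.
pam_afs_without_try_first_pass() {
    awk '
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, " "); buf = buf $0; next }
        {
            $0 = buf $0; buf = ""
            if ($0 ~ /^[[:space:]]*#/ || NF < 4) next
            if ($2 == "auth" && $4 ~ /pam_afs/ && $0 !~ /try_first_pass/) print $1
        }
    ' "$1" | sort
}

# Demo on a constructed pam.conf fragment (not your live /etc/pam.conf):
# login is all-optional as recommended above, ftp keeps libpam_unix required,
# and telnet's AFS entry forgot try_first_pass.
d=$(mktemp -d)
cat > "$d/pam.conf" <<'EOF'
# Authentication management
login   auth  optional  /usr/lib/security/libpam_unix.1
login   auth  optional  /usr/lib/security/pam_afs.so      \
              try_first_pass  ignore_root  setenv_password_expires
ftp     auth  required  /usr/lib/security/libpam_unix.1
ftp     auth  optional  /usr/lib/security/pam_afs.so  try_first_pass  ignore_root
telnet  auth  optional  /usr/lib/security/libpam_unix.1
telnet  auth  optional  /usr/lib/security/pam_afs.so  ignore_root
EOF
echo "services whose auth stack is entirely optional:"
pam_all_optional_services "$d/pam.conf"
echo "pam_afs entries lacking try_first_pass:"
pam_afs_without_try_first_pass "$d/pam.conf"
rm -rf "$d"
```

Run pam_all_optional_services /etc/pam.conf after editing; with the configuration shown above it prints login, ftp, remsh, telnet, dtlogin and dtaction, which is the list of services to check against the release-notes caveat before the machine goes into production.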