EDV:OpenAFS/Install sun4x 59: Difference between revisions

From KIP Wiki
Revision as of 08:32, 22 March 2007

Installing the OpenAFS client on Solaris 9

This example refers to the following machine:

#hostname
kipfire
#uname -a
SunOS kipfire 5.9 Generic_118558-28 sun4u sparc SUNW,Sun-Fire-V440

Fetching the installation files

To follow the usual route via janus, the binaries first have to be placed there:

mkdir /janus/misc/afs
cd /janus/misc/afs
wget http://openafs.org/dl/openafs/1.4.2/solaris-9/sun4x_59.tar.gz 
gtar -xvzf sun4x_59.tar.gz

Otherwise the binaries are already in AFS and can be fetched from any client that is already installed (e.g. kip1, kipfire):

/afs/kip/openafs/1.4.2/solaris-9/sun4x_59.tar.gz

or, already unpacked, under:

/afs/kip/sun4x_59

Creating the AFS directories

mkdir /usr/vice
mkdir /usr/vice/etc

Loading AFS into the Solaris kernel

Change to the binaries:

cd /janus/misc/afs/sun4x_59/dest/root.client/usr/vice/etc/

Install the init script:

cp -p modload/afs.rc /etc/init.d/afs
chown root:sys /etc/init.d/afs
chmod 755 /etc/init.d/afs

Copy the kernel module (here: the 64-bit build without NFS export):

cp -p modload/libafs64.nonfs.o /kernel/fs/sparcv9/afs
chown root:sys /kernel/fs/sparcv9/afs
chmod 755 /kernel/fs/sparcv9/afs

Start AFS. Warning: the first start automatically triggers a reboot!

/etc/init.d/afs start

After the reboot, start AFS again (ignore the warnings for now):

/etc/init.d/afs start

Copying the most important binaries

Copy the files:

cd /janus/misc/afs/sun4x_59/dest/root.client/usr/vice/etc/
cp -p * /usr/vice/etc
cp -rp C /usr/vice/etc

Don't keep two copies of the init script:

rm /usr/vice/etc/afs.rc
ln -s /etc/init.d/afs /usr/vice/etc/afs.rc

Create ThisCell:

echo "kip.uni-heidelberg.de" >/usr/vice/etc/ThisCell

Create CellServDB (or fetch it from another server/client):

echo ">kip.uni-heidelberg.de  # Kirchhoff-Institut für Physik
129.206.176.40          # ldap.kip.uni-heidelberg.de
129.206.176.149         # ldap2.kip.uni-heidelberg.de
>urz.uni-heidelberg.de  # Universitaet Heidelberg
129.206.119.10          #afsdb.urz.uni-heidelberg.de
129.206.119.16          #afsdb1.urz.uni-heidelberg.de
129.206.119.17          #afsdb2.urz.uni-heidelberg.de
" >/usr/vice/etc/CellServDB
CellServDB and ThisCell are also available in AFS under /afs/kip/common/etc.

Configuring the cache

Create the cache and AFS directories:

mkdir /usr/vice/cache
mkdir /afs

Create the cache entry (size in kilobytes):

echo "/afs:/usr/vice/cache:300000" > /usr/vice/etc/cacheinfo

Possibly check the afsd settings in /etc/init.d/afs as well, regarding '-stat 2500 -daemons 4 -volume 100' ...
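Before afsd is started for real it is worth checking that the three files just written agree with each other: the client cannot locate the database servers of a cell that CellServDB does not list, and a cache directory placed inside the AFS mount point is unusable until afsd is already up. The script below is an added example, not part of the wiki page or of OpenAFS; it assumes the standard OpenAFS file names, takes the directory as a parameter so it can also be run against a staging copy, and its function names are my own.

```sh
#!/bin/sh
# check_afs_client_conf.sh -- added example, not from the wiki page or OpenAFS.
# Sanity-checks ThisCell, CellServDB and cacheinfo before afsd is started.
# Assumes the OpenAFS file names; the directory is a parameter so the check
# can run against a staging copy as well as against /usr/vice/etc.

# Print the cell named in ThisCell (first non-comment, single-word line).
afs_this_cell() {   # $1 = directory holding the files
    awk 'NF == 1 && $1 !~ /^#/ { print $1; exit }' "$1/ThisCell" 2>/dev/null || true
}

# Check CellServDB syntax: every non-blank line must be ">cell  # comment" or
# "a.b.c.d  # hostname", and a server line must follow a cell line.
# Prints the line numbers of bad lines; returns 0 when the file is clean.
afs_cellservdb_lint() {   # $1 = directory
    awk '
        NF == 0 { next }
        /^>[A-Za-z0-9.-]+([[:blank:]]+#.*)?$/ { cells++; next }
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+([[:blank:]]+#.*)?$/ {
            split($1, o, ".")
            ok = 1
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
            if (ok && cells > 0) next
        }
        { print NR; bad++ }
        END { exit (bad > 0) }' "$1/CellServDB"
}

# Return 0 if CellServDB lists at least one server for the cell in ThisCell.
# Without this the client cannot find the database servers of its own cell.
afs_cell_has_servers() {   # $1 = directory
    cell=$(afs_this_cell "$1")
    [ -n "$cell" ] || return 1
    awk -v c="$cell" '
        /^>/ { in_cell = (substr($1, 2) == c); next }
        in_cell && /^[0-9]/ { n++ }
        END { exit (n > 0 ? 0 : 1) }' "$1/CellServDB"
}

# Parse cacheinfo ("mount:cachedir:sizeKB").  Returns 0 and prints the three
# fields if the size is a positive integer and the cache directory is not
# inside the AFS mount point (it must be usable before afsd is running).
afs_cacheinfo_check() {   # $1 = directory
    IFS=: read -r mnt dir kb < "$1/cacheinfo" || [ -n "$kb" ] || return 1
    case "$kb" in
        ''|*[!0-9]*|0) echo "cacheinfo: bad cache size '$kb'"; return 1 ;;
    esac
    case "$dir" in
        "$mnt"|"$mnt"/*) echo "cacheinfo: cache dir $dir lies under the AFS mount $mnt"; return 1 ;;
    esac
    echo "$mnt $dir $kb"
}

# Run every check; return 0 only if all of them pass.
afs_client_conf_check() {   # $1 = directory
    rc=0
    cell=$(afs_this_cell "$1")
    [ -n "$cell" ] || { echo "ThisCell: missing or empty"; rc=1; }
    afs_cellservdb_lint "$1" || { echo "CellServDB: malformed lines listed above"; rc=1; }
    afs_cell_has_servers "$1" || { echo "CellServDB: no servers for cell '$cell'"; rc=1; }
    afs_cacheinfo_check "$1" >/dev/null || rc=1
    return $rc
}

# Stand-alone use: sh check_afs_client_conf.sh [/usr/vice/etc]
if [ "${0##*/}" = "check_afs_client_conf.sh" ]; then
    afs_client_conf_check "${1:-/usr/vice/etc}" && echo "OK: cell $(afs_this_cell "${1:-/usr/vice/etc}")"
fi
```

Run it as sh check_afs_client_conf.sh /usr/vice/etc right after the echo commands above; a non-zero exit means one of the three files needs fixing before /etc/init.d/afs start.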

Starting AFS

Best to reboot once more first:

cd /
shutdown -i6 -g0 -y

Then start the AFS client:

/etc/init.d/afs start

Now AFS should work:

ls -l /afs

Start AFS automatically at boot:

cd /etc/init.d
ln -s ../init.d/afs /etc/rc3.d/S99afs
ln -s ../init.d/afs /etc/rc0.d/K66afs

Linking the AFS client binaries

Once AFS is running we can use the binaries from there as well:

ln -s /afs/kip.uni-heidelberg.de/@sys/usr/afsws /usr/afsws

Now also add it to the PATH variable in /etc/profile.local (the line marked + is the addition; note that the ${XPATH/:$dir:/} substitution is a bash feature, so this only works where /etc/profile.local is read by bash):

...
  # ---------------------------------------
  #PATH="/opt/csw/bin:$PATH"
  XPATH=:$PATH:
  
  for dir in \
    $HOME/bin  \
    /bin \
    /usr/bin \
    /usr/ucb \
+   /usr/afsws/bin \
    /usr/openwin/bin \
    /usr/dt/bin \
    /usr/local/bin \ 

...
    ; do

    if [ ${XPATH/:$dir:/} = $XPATH ] ; then
       [ -d $dir ] && PATH=$PATH:$dir
  #  else
  #     echo "$dir already included"
    fi
  done
...

Creating the link to the home directories

Since LDAP does not store the full path but /afsuser/userX, this link has to be created:

ln -s /afs/kip.uni-heidelberg.de/user /afsuser

Enable AFS login

Perform the following steps to enable AFS login.

1. Change to the directory that holds the Solaris PAM modules:

 cd /usr/lib/security

2. Copy the AFS authentication library file to the /usr/lib/security directory. Then create a symbolic link to it whose name does not mention the version. Omitting the version eliminates the need to edit the PAM configuration file if you later update the library file.

If you use the AFS Authentication Server (kaserver process), copy both libraries (the other entry further below names pam_afs.krb.so.1 directly) and point the unversioned link at pam_afs.so.1:

 cp /janus/misc/afs/sun4x_59/dest/lib/pam_afs.so.1 .
 cp /janus/misc/afs/sun4x_59/dest/lib/pam_afs.krb.so.1 .
 ln -s pam_afs.so.1 pam_afs.so

If you use a Kerberos implementation of AFS authentication, point the link at the Kerberos variant instead:

 cp /janus/misc/afs/sun4x_59/dest/lib/pam_afs.krb.so.1 .
 ln -s pam_afs.krb.so.1 pam_afs.so

3. Edit the Authentication management section of the Solaris PAM configuration file, /etc/pam.conf by convention. The entries in this section have the value auth in their second field.

First edit the standard entries, which refer to the Solaris PAM module (usually, the file /usr/lib/security/pam_unix.so.1) in their fourth field. For each service for which you want to use AFS authentication, edit the third field of its entry to read optional. The pam.conf file in the Solaris distribution usually includes standard entries for the login, rlogin, and rsh services, for instance.

If there are services for which you want to use AFS authentication, but for which the pam.conf file does not already include a standard entry, you must create that entry and place the value optional in its third field. For instance, the Solaris pam.conf file does not usually include standard entries for the ftp or telnet services.

Then create an AFS-related entry for each service, placing it immediately below the standard entry. The following example shows what the Authentication Management section looks like after you have edited or created entries for the services mentioned previously.


     login   auth  optional  /usr/lib/security/pam_unix.so.1
     login   auth  optional  /usr/lib/security/pam_afs.so      try_first_pass  ignore_root  setenv_password_expires
     rlogin  auth  optional  /usr/lib/security/pam_unix.so.1
     rlogin  auth  optional  /usr/lib/security/pam_afs.so	try_first_pass  ignore_root  setenv_password_expires
     rsh     auth  optional  /usr/lib/security/pam_unix.so.1
     rsh     auth  optional  /usr/lib/security/pam_afs.so	try_first_pass  ignore_root 	     
     ftp     auth  optional  /usr/lib/security/pam_unix.so.1
     ftp     auth  optional  /usr/lib/security/pam_afs.so	try_first_pass  ignore_root
     telnet  auth  optional  /usr/lib/security/pam_unix.so.1
     telnet  auth  optional  /usr/lib/security/pam_afs.so	try_first_pass  ignore_root  setenv_password_expires
     

4. If you use the Common Desktop Environment (CDE) on the machine and want users to obtain an AFS token as they log in, also add or edit the following four entries in the Authentication management section.


     dtlogin	auth  optional  /usr/lib/security/pam_unix.so.1
     dtlogin	auth  optional  /usr/lib/security/pam_afs.so	try_first_pass  ignore_root
     dtsession  auth  optional /usr/lib/security/pam_unix.so.1
     dtsession  auth  optional /usr/lib/security/pam_afs.so	try_first_pass  ignore_root




The auth entries as actually used on this machine differ from the example above: pam_unix_auth runs first and pam_afs second, both as sufficient, with pam_ldap as the required fallback; ignore_uid 999 keeps pam_afs away from low-numbered system accounts (999 is the cutoff used here), and xscreensaver uses refresh_token instead of set_token because it re-authenticates an existing session rather than starting a new one:

..
login        auth sufficient  pam_unix_auth.so.1
login        auth sufficient  pam_afs.so debug try_first_pass set_token setenv_password_expires ignore_uid 999
login        auth required    pam_ldap.so.1 debug try_first_pass
..
rlogin       auth sufficient  pam_unix_auth.so.1
rlogin       auth sufficient  pam_afs.so debug try_first_pass set_token setenv_password_expires ignore_uid 999
rlogin       auth required    pam_ldap.so.1 debug try_first_pass
..
sshd         auth sufficient  pam_unix.so.1
sshd         auth sufficient  pam_afs.so debug try_first_pass set_token setenv_password_expires ignore_uid 999
sshd         auth required    pam_ldap.so.1 debug try_first_pass
..
other        auth sufficient  pam_unix_auth.so.1
other        auth sufficient  pam_afs.krb.so.1 debug try_first_pass set_token setenv_password_expires ignore_uid 999
other        auth required    pam_ldap.so.1 debug try_first_pass
..
dtlogin      auth sufficient  pam_unix_auth.so.1
dtlogin      auth sufficient  pam_afs.so debug try_first_pass set_token setenv_password_expires ignore_uid 999
dtlogin      auth required    pam_ldap.so.1 debug try_first_pass
..
xscreensaver auth sufficient  pam_unix_auth.so.1
xscreensaver auth sufficient  pam_afs.so debug try_first_pass refresh_token setenv_password_expires ignore_uid 999
xscreensaver auth required    pam_ldap.so.1 debug try_first_pass
..
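Three properties of this stack are worth knowing before copying it. First, Solaris PAM returns success as soon as a sufficient module succeeds, so pam_afs only runs for a user whose password pam_unix_auth rejects: anyone with a password that pam_unix_auth can verify logs in without an AFS token, and pam_ldap is consulted only when both sufficient modules have failed. Second, with sshd only password or keyboard-interactive logins hand pam_afs a password; public-key logins never do, so those users get no token and have to run klog/aklog themselves. Third, debug makes pam_afs log every authentication attempt verbosely to syslog and should be dropped once the setup works. The script below is an added example, not part of the wiki page or of OpenAFS: it reads a pam.conf in the Solaris service/type/control/module layout, treats any module whose file name contains pam_afs as the AFS module (both pam_afs.so and pam_afs.krb.so.1 appear above), checks the points just listed, and also checks that screen-unlock services use refresh_token rather than set_token, since set_token creates a new PAG and the fresh tokens would not land in the locked session. Its function names are my own.

```sh
#!/bin/sh
# check_pam_afs.sh -- added example, not part of the wiki page or of OpenAFS.
# Lints the "auth" stack of a Solaris pam.conf for the pam_afs entries shown
# above.  Assumes the Solaris layout  service type control module [options]
# and that the AFS module's file name contains "pam_afs".

# Print the auth stack of one service in file order, one entry per line:
#   control module [options...]
pam_auth_stack() {   # $1 = pam.conf  $2 = service
    awk -v svc="$2" '
        /^[[:blank:]]*#/ || NF < 4 { next }
        $1 == svc && $2 == "auth" {
            line = $3
            for (i = 4; i <= NF; i++) line = line " " $i
            print line
        }' "$1"
}

# Print the modules that precede the AFS entry with control "sufficient".
# Solaris PAM returns success as soon as a sufficient module succeeds (with no
# earlier required failure), so a user whose password one of these modules
# accepts never reaches pam_afs and logs in without a token.
pam_afs_shortcircuits() {   # $1 = pam.conf  $2 = service
    pam_auth_stack "$1" "$2" | awk '
        $2 ~ /pam_afs/     { exit }
        $1 == "sufficient" { print $2 }'
}

# Print the services whose pam_afs entry still carries "debug".
pam_afs_debug_services() {   # $1 = pam.conf
    awk '
        /^[[:blank:]]*#/ || NF < 5 { next }
        $2 == "auth" && $4 ~ /pam_afs/ {
            for (i = 5; i <= NF; i++) if ($i == "debug") { print $1; break }
        }' "$1"
}

# Return 0 if the service's auth stack is set up as the page describes,
# 1 otherwise; one line per failed check (and per note) on stdout.
check_pam_afs() {   # $1 = pam.conf  $2 = service
    rc=0
    afs=$(pam_auth_stack "$1" "$2" | awk '$2 ~ /pam_afs/ { print; exit }')
    if [ -z "$afs" ]; then
        echo "$2: no pam_afs entry in the auth stack"
        return 1
    fi
    case " $afs " in
        *" try_first_pass "*|*" use_first_pass "*) ;;
        *) echo "$2: pam_afs lacks try_first_pass (user is prompted twice)"; rc=1 ;;
    esac
    # set_token creates a new PAG and is right for a fresh login; a screen
    # unlock must refresh the tokens of the existing PAG instead.
    case "$2" in
        xscreensaver|dtsession)
            case " $afs " in
                *" set_token "*) echo "$2: set_token would create a new PAG; use refresh_token"; rc=1 ;;
            esac ;;
        *)
            case " $afs " in
                *" refresh_token "*) echo "$2: refresh_token on a login service; use set_token"; rc=1 ;;
            esac ;;
    esac
    for m in $(pam_afs_shortcircuits "$1" "$2"); do
        echo "$2: note: $m is sufficient and runs first; users it accepts get no AFS token"
    done
    return $rc
}

# Stand-alone use: sh check_pam_afs.sh [/etc/pam.conf]
if [ "${0##*/}" = "check_pam_afs.sh" ]; then
    conf=${1:-/etc/pam.conf}
    for s in $(awk '!/^[[:blank:]]*#/ && $2 == "auth" { print $1 }' "$conf" | sort -u); do
        check_pam_afs "$conf" "$s"
    done
    for s in $(pam_afs_debug_services "$conf"); do
        echo "$s: pam_afs still has debug; remove it in production"
    done
fi
```

Run it against the live file with sh check_pam_afs.sh /etc/pam.conf; every service that only has the standard pam_unix entry (ftp, telnet and so on) is reported, which is exactly the list you still have to decide about.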

.. and, if the Sun Ray Server Software is installed as well, the corresponding auth lines: