This chapter describes how to install AFS client machines after you have installed the first AFS machine. Some parts of the installation differ depending on whether or not the new client is of the same AFS system type (uses the same AFS binaries) as a previously installed client machine.
Create the /usr/vice/etc directory on the local disk, to house client binaries and configuration files. Subsequent instructions copy files from the AFS CD-ROM into them. Create the /cdrom directory as a mount point for the CD-ROM, if it does not already exist.
      
   # mkdir /usr/vice
      
   # mkdir /usr/vice/etc
   
   # mkdir /cdrom
   
Every AFS client machine's kernel must incorporate AFS modifications. Some system types use a dynamic kernel loader program, whereas on other system types you build AFS modifications into a static kernel. Some system types support both methods.
Also modify the machine's authentication system so that users obtain an AFS token as they log into the local file system. Using AFS is simpler and more convenient for your users if you make the modifications on all client machines. Otherwise, users must perform a two-step login procedure (login to the local file system and then issue the klog command). For further discussion of AFS authentication, see the chapter in the IBM AFS Administration Guide about cell configuration and administration issues.
For convenience, the following sections group the two procedures by system type. Proceed to the appropriate section.
In this section you load AFS into the AIX kernel. Then incorporate AFS modifications into the machine's secondary authentication system, if you wish to enable AFS login.
The AIX kernel extension facility is the dynamic kernel loader provided by IBM Corporation. AIX does not support incorporation of AFS modifications during a kernel build.
For AFS to function correctly, the kernel extension facility must run each time the machine reboots, so the AFS initialization script (included in the AFS distribution) invokes it automatically. In this section you copy the script to the conventional location and edit it to select the appropriate options depending on whether NFS is also to run.
After editing the script, you run it to incorporate AFS into the kernel. In a later section you verify that the script correctly initializes the Cache Manager, then configure the AIX inittab file so that the script runs automatically at reboot.
# cd /cdrom/rs_aix42/root.client/usr/vice/etc
   
   # cp -rp  dkload  /usr/vice/etc
   
   # cp -p  rc.afs  /etc/rc.afs
    
If the machine is not to function as an NFS/AFS Translator, set the NFS variable as follows.
NFS=$NFS_NONE
If the machine is to function as an NFS/AFS Translator and is running AIX 4.2.1 or higher, set the NFS variable as follows. Note that NFS must already be loaded into the kernel, which happens automatically on systems running AIX 4.1.1 and later, as long as the file /etc/exports exists.
NFS=$NFS_IAUTH
# /etc/rc.afs
Now incorporate AFS into the AIX secondary authentication system.
# ls /usr/vice/etc
If the files do not exist, mount the AFS CD-ROM for AIX (if it is not already), change directory as indicated, and copy them.
# cd /cdrom/rs_aix42/root.client/usr/vice/etc # cp -p afs_dynamic* /usr/vice/etc
registry = DCE
If the machine is an AFS client only, set the following value:
SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"
If the machine is both an AFS and a DCE client, set the following value (it must appear on a single line in the file):
   
   SYSTEM = "DCE OR DCE[UNAVAIL] OR AFS OR (AFS[UNAVAIL]  \
       AND compat[SUCCESS])"
   
   
   root:
         registry = files
   
If you use the AFS Authentication Server (kaserver process):
   
   DCE:
        program = /usr/vice/etc/afs_dynamic_auth   
 
If you use a Kerberos implementation of AFS authentication:
   
   DCE:
        program = /usr/vice/etc/afs_dynamic_kerbauth
   
If you use the AFS Authentication Server (kaserver process):
   
   AFS:
        program = /usr/vice/etc/afs_dynamic_auth   
 
If you use a Kerberos implementation of AFS authentication:
   
   AFS:
        program = /usr/vice/etc/afs_dynamic_kerbauth
   
In this section you build AFS into the Digital UNIX kernel. Then incorporate AFS modifications into the machine's Security Integration Architecture (SIA) matrix, if you wish to enable AFS login.
On Digital UNIX systems, you must build AFS modifications into a new static kernel; Digital UNIX does not support dynamic loading. If the machine's hardware and software configuration exactly matches another Digital UNIX machine on which AFS is already built into the kernel, you can choose to copy the kernel from that machine to this one. In general, however, it is better to build AFS modifications into the kernel on each machine according to the following instructions.
# cd /usr/sys/conf # cp machine_name AFS
          .                   .
          .                   .
       options               UFS
       options               NFS
       options               AFS
          .                   .
          .                   .
   
             .                .      .
             .                .      .
      OPTIONS/nfs          optional nfs 
      OPTIONS/afs          optional afs 
      OPTIONS/nfs_server   optional nfs_server
             .                .      .
             .                .      .
   
             .                  .        .          .
             .                  .        .          .
      #
      MODULE/nfs_server	    optional nfs_server Binary
      nfs/nfs_server.c      module nfs_server optimize -g3
      nfs/nfs3_server.c	    module nfs_server optimize -g3
      #
      MODULE/afs            optional afs Binary
      afs/libafs.c          module afs
      #
   
        .       .              
        .       .              
     #include <afs.h>
     #if defined(AFS) && AFS
            extern struct vfsops afs_vfsops;
     #endif  
        .       .              
        .       .              
   
        .                          .              .
        .                          .              .
      &fdfs_vfsops,         "fdfs",   /* 12 = MOUNT_FDFS */
   #if	defined(AFS)
      &afs_vfsops,          "afs",
   #else
      (struct vfsops *)0,   "",       /* 13 = MOUNT_ADDON */
   #endif
   #if NFS && INFS_DYNAMIC   
       &nfs3_vfsops,        "nfsv3",  /* 14 = MOUNT_NFS3 */		
   
# cd /cdrom/alpha_dux40/root.client
# cp usr/vice/etc/afs.rc /sbin/init.d/afs
If the machine's kernel supports NFS server functionality:
# cp bin/libafs.o /usr/sys/BINARY/afs.mod
If the machine's kernel does not support NFS server functionality:
# cp bin/libafs.nonfs.o /usr/sys/BINARY/afs.mod
# doconfig -c AFS
# mv /vmunix /vmunix_noafs # cp /sys/AFS/vmunix /vmunix
# cd / # shutdown -r now login: root Password: root_password
On Digital UNIX systems, the AFS initialization script automatically incorporates the AFS authentication library file into the Security Integration Architecture (SIA) matrix on the machine, so that users with AFS accounts obtain a token at login. In this section you copy the library file to the appropriate location.
For more information on SIA, see the Digital UNIX reference page for matrix.conf, or consult the section on security in your Digital UNIX documentation.
| Note: | If the machine runs both the DCE and AFS client software, AFS must start after DCE. Consult the AFS initialization script for suggested symbolic links to create for correct ordering. Also, the system startup script order must initialize SIA before any long-running process that uses authentication. | 
Perform the following steps to enable AFS login.
# cd /cdrom/alpha_dux40/lib/afs
If you use the AFS Authentication Server (kaserver process) in the cell:
# cp libafssiad.so /usr/shlib
If you use a Kerberos implementation of AFS authentication, rename the library file as you copy it:
# cp libafssiad.krb.so /usr/shlib/libafssiad.so
In this section you build AFS into the HP-UX kernel. Then incorporate AFS modifications into the machine's Pluggable Authentication Module (PAM) system, if you wish to enable AFS login.
On HP-UX systems, you must build AFS modifications into a new static kernel; HP-UX does not support dynamic loading. If the machine's hardware and software configuration exactly matches another HP-UX machine on which AFS is already built into the kernel, you can choose to copy the kernel from that machine to this one. In general, however, it is better to build AFS modifications into the kernel on each machine according to the following instructions.
# cp /stand/vmunix /stand/vmunix.noafs # cp /stand/system /stand/system.noafs
# cd /cdrom/hp_ux110/root.client
# cp usr/vice/etc/afs.rc /sbin/init.d/afs
# cp usr/vice/etc/afs.driver /usr/conf/master.d/afs
If the machine's kernel supports NFS server functionality:
# cp bin/libafs.a /usr/conf/lib
If the machine's kernel does not support NFS server functionality, change the file's name as you copy it:
# cp bin/libafs.nonfs.a /usr/conf/lib/libafs.a
# sam -display local_hostname:0
login: root Password: root_password
   
   # cd /stand/build
      
   # mk_kernel
   
   
   # mv /stand/build/vmunix_test /stand/vmunix
      
   # cd /
      
   # shutdown -r now		
   
   login: root
   Password: root_password
   
At this point you incorporate AFS into the operating system's Pluggable Authentication Module (PAM) scheme. PAM integrates all authentication mechanisms on the machine, including login, to provide the security infrastructure for authenticated access to and from the machine.
Explaining PAM is beyond the scope of this document. It is assumed that you understand the syntax and meanings of settings in the PAM configuration file (for example, how the other entry works, the effect of marking an entry as required, optional, or sufficient, and so on).
The following instructions explain how to alter the entries in the PAM configuration file for each service for which you wish to use AFS authentication. Other configurations possibly also work, but the instructions specify the recommended and tested configuration.
| Note: | The instructions specify that you mark each entry as
optional. However, marking some modules as optional can mean
that they grant access to the corresponding service even when the user does
not meet all of the module's requirements. In some operating
system revisions, for example, if you mark as optional the module that
controls login via a dial-up connection, it allows users to login without
providing a password. See the IBM AFS Release Notes for a
discussion of any limitations that apply to this operating system. Also, with some operating system versions you must install patches for PAM to interact correctly with certain authentication programs. For details, see the IBM AFS Release Notes. | 
The recommended AFS-related entries in the PAM configuration file make use of one or more of the following three attributes.
Perform the following steps to enable AFS login.
# cd /usr/lib/security
If you use the AFS Authentication Server (kaserver process) in the cell:
# cp /cdrom/hp_ux110/lib/pam_afs.so.1 . # ln -s pam_afs.so.1 pam_afs.so
If you use a Kerberos implementation of AFS authentication:
# cp /cdrom/hp_ux110/lib/pam_afs.krb.so.1 . # ln -s pam_afs.krb.so.1 pam_afs.so
First edit the standard entries, which refer to the HP-UX PAM module (usually, the file /usr/lib/security/libpam_unix.1) in their fourth field. For each service for which you want to use AFS authentication, edit the third field of its entry to read optional. The pam.conf file in the HP-UX distribution usually includes standard entries for the login and ftp services, for instance.
If there are services for which you want to use AFS authentication, but for which the pam.conf file does not already include a standard entry, you must create that entry and place the value optional in its third field. For instance, the HP-UX pam.conf file does not usually include standard entries for the remsh or telnet services.
Then create an AFS-related entry for each service, placing it immediately below the standard entry. The following example shows what the Authentication Management section looks like after you have you edited or created entries for the services mentioned previously. Note that the example AFS entries appear on two lines only for legibility.
   
   login   auth  optional  /usr/lib/security/libpam_unix.1
   login   auth  optional  /usr/lib/security/pam_afs.so      \
         try_first_pass  ignore_root  setenv_password_expires
   ftp     auth  optional  /usr/lib/security/libpam_unix.1
   ftp     auth  optional  /usr/lib/security/pam_afs.so      \
         try_first_pass  ignore_root
   remsh   auth  optional  /usr/lib/security/libpam_unix.1
   remsh   auth  optional  /usr/lib/security/pam_afs.so      \
         try_first_pass  ignore_root		
   telnet  auth  optional  /usr/lib/security/libpam_unix.1
   telnet  auth  optional  /usr/lib/security/pam_afs.so      \
         try_first_pass  ignore_root  setenv_password_expires
   
  
   dtlogin   auth  optional  /usr/lib/security/libpam_unix.1
   dtlogin   auth  optional  /usr/lib/security/pam_afs.so     \
         try_first_pass  ignore_root
   dtaction  auth  optional  /usr/lib/security/libpam_unix.1
   dtaction  auth  optional  /usr/lib/security/pam_afs.so     \
         try_first_pass  ignore_root
   
In this section you incorporate AFS into the IRIX kernel, choosing one of two methods:
Then see Enabling AFS Login on IRIX Systems to read about integrated AFS login on IRIX systems.
In preparation for either dynamic loading or kernel building, perform the following procedures:
# cd /cdrom/sgi_65/root.client
# cp -p usr/vice/etc/afs.rc /etc/init.d/afs
   
   # uname -m
    
The ml program is the dynamic kernel loader provided by SGI for IRIX systems. If you use it rather than building AFS modifications into a static kernel, then for AFS to function correctly the ml program must run each time the machine reboots. Therefore, the AFS initialization script (included on the AFS CD-ROM) invokes it automatically when the afsml configuration variable is activated. In this section you activate the variable and run the script.
In a later section you verify that the script correctly initializes the Cache Manager, then create the links that incorporate AFS into the IRIX startup and shutdown sequence.
# mkdir /usr/vice/etc/sgiload
(You can choose to copy all of the kernel library files into the /usr/vice/etc/sgiload directory, but they require a significant amount of space.)
If the machine's kernel supports NFS server functionality:
# cp -p usr/vice/etc/sgiload/libafs.IPxx.o /usr/vice/etc/sgiload
If the machine's kernel does not support NFS server functionality:
   
   # cp -p  usr/vice/etc/sgiload/libafs.IPxx.nonfs.o   \
                   /usr/vice/etc/sgiload
   
# /etc/chkconfig -f afsml on
If the machine is to function as an NFS/AFS Translator and the kernel supports NFS server functionality, activate the afsxnfs variable.
# /etc/chkconfig -f afsxnfs on
You can ignore any error messages about the inability to start the BOS Server or the Cache Manager or AFS client.
# /etc/init.d/afs start
If you prefer to build a kernel, and the machine's hardware and software configuration exactly matches another IRIX machine on which AFS is already built into the kernel, you can choose to copy the kernel from that machine to this one. In general, however, it is better to build AFS modifications into the kernel on each machine according to the following instructions.
# cp -p bin/afs.sm /var/sysgen/system # cp -p bin/afs /var/sysgen/master.d
If the machine's kernel supports NFS server functionality:
# cp -p bin/libafs.IPxx.a /var/sysgen/boot/afs.a
If the machine's kernel does not support NFS server functionality:
# cp -p bin/libafs.IPxx.nonfs.a /var/sysgen/boot/afs.a
# /etc/chkconfig -f afsml off
If the machine is to function as an NFS/AFS Translator and the kernel supports NFS server functionality, activate the afsxnfs variable.
# /etc/chkconfig -f afsxnfs on
# cp /unix /unix_noafs # autoconfig
   
   # cd /
         
   # shutdown -i6 -g0 -y
   
   login: root
   Password: root_password
   
The standard IRIX command-line login program and the graphical xdm login program both automatically grant an AFS token when AFS is incorporated into the machine's kernel. However, some IRIX distributions use another login utility by default, and it does not necessarily incorporate the required AFS modifications. If that is the case, you must disable the default utility if you want AFS users to obtain AFS tokens at login. For further discussion, see the IBM AFS Release Notes.
If you configure the machine to use an AFS-modified login utility, then the afsauthlib.so and afskauthlib.so files (included in the AFS distribution) must reside in the /usr/vice/etc directory. Issue the ls command to verify.
# ls /usr/vice/etc
If the files do not exist, mount the AFS CD-ROM for IRIX (if it is not already), change directory as indicated, and copy them.
# cd /cdrom/sgi_65/root.client/usr/vice/etc # cp -p *authlib* /usr/vice/etc
After taking any necessary action, proceed to Loading and Creating Client Files.
In this section you load AFS into the Linux kernel. Then incorporate AFS modifications into the machine's Pluggable Authentication Module (PAM) system, if you wish to enable AFS login.
The insmod program is the dynamic kernel loader for Linux. Linux does not support incorporation of AFS modifications during a kernel build.
For AFS to function correctly, the insmod program must run each time the machine reboots, so the AFS initialization script (included on the AFS CD-ROM) invokes it automatically. The script also includes commands that select the appropriate AFS library file automatically. In this section you run the script.
In a later section you also verify that the script correctly initializes the Cache Manager, then activate a configuration variable, which results in the script being incorporated into the Linux startup and shutdown sequence.
# cd /cdrom/i386_linux22/root.client/usr/vice/etc
# cp -rp modload /usr/vice/etc
   
   # cp -p   afs.rc  /etc/rc.d/init.d/afs 
    
# /etc/rc.d/init.d/afs start
At this point you incorporate AFS into the operating system's Pluggable Authentication Module (PAM) scheme. PAM integrates all authentication mechanisms on the machine, including login, to provide the security infrastructure for authenticated access to and from the machine.
Explaining PAM is beyond the scope of this document. It is assumed that you understand the syntax and meanings of settings in the PAM configuration file (for example, how the other entry works, the effect of marking an entry as required, optional, or sufficient, and so on).
The following instructions explain how to alter the entries in the PAM configuration file for each service for which you wish to use AFS authentication. Other configurations possibly also work, but the instructions specify the recommended and tested configuration.
The recommended AFS-related entries in the PAM configuration file make use of one or more of the following three attributes.
        .
        .
afsuserone:x:99:100::/afs/afscell/u/afsuserone:/bin/bash
afsusertwo:x:100:100::/afs/afscell/u/afsusertwo:/bin/bash
localuserone:x:101:100::/home/localuserone:/bin/bash
localusertwo:x:102:100::/home/localusertwo:/bin/bash
        .
        .
        .
        .
afsuserone:!!:11500:0:99999:7:::
afsusertwo:!!:11500:0:99999:7:::
localuserone:<thelocaluserone'skey>:11500:0:99999:7:::
localusertwo:<thelocalusertwo'skey>:11500:0:99999:7:::
        .
        .
Perform the following steps to enable AFS login.
If you are using a Linux distribution from Red Hat Software:
# cd /lib/security
If you are using another Linux distribution:
# cd /usr/lib/security
If you use the AFS Authentication Server (kaserver process):
# cp /cdrom/i386_linux22/lib/pam_afs.so.1 . # ln -s pam_afs.so.1 pam_afs.so
If you use a Kerberos implementation of AFS authentication:
# cp /cdrom/i386_linux22/lib/pam_afs.krb.so.1 . # ln -s pam_afs.krb.so.1 pam_afs.so
Place the AFS entry below any entries that impose conditions under which you want the service to fail for a user who does not meet the entry's requirements. Mark these entries required. Place the AFS entry above any entries that need to execute only if AFS authentication fails.
Insert the following AFS entry if using the Red Hat distribution:
auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
Insert the following AFS entry if using another distribution:
auth sufficient /usr/lib/security/pam_afs.so try_first_pass ignore_root
Check the PAM config files also for "session" entries. If there are lines beginning with "session" then please insert this line too:
session optional /lib/security/pam_afs.so
or
session optional /usr/lib/security/pam_afs.so
This guaranties that the user's tokens are deleted from memory after his
session ends so that no other user coincidently gets those tokens without authorization!
The following examples illustrate the recommended configuration of the
configuration file for several services:
#%PAM-1.0 auth required /lib/security/pam_securetty.so auth required /lib/security/pam_nologin.so auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ #This enables AFS authentication for every user but root auth required /lib/security/pam_pwdb.so shadow nullok account required /lib/security/pam_pwdb.so password required /lib/security/pam_cracklib.so password required /lib/security/pam_pwdb.so shadow nullok use_authtok session optional /lib/security/pam_afs.so #Make sure tokens are deleted after the user logs out session required /lib/security/pam_pwdb.so
auth required /lib/security/pam_afs.so ignore_uid 100 set_token # ^^^^^^^^^^^^^^^^^^^^^^^^ #Here, users with uid>100 are considered to belong to the AFS and users #with uid<=100 are ignored by pam_afs. The token is retrieved already in #pam_sm_authenticate() (this is an example pam config for a samba version #that does not call pam_setcred(), it also does no sense to include session #entries here since they would be ignored by this version of samba ). account required /lib/security/pam_pwdb.so(/etc/pam.d/xscreensaver)
auth sufficient /lib/security/pam_afs.so ignore_uid 100 refresh_token # ^^^^^^^^^^^^^ #Avoid generating a new PAG for the new tokens, use the already existing PAG and #establish a fresh token in it. auth required /lib/security/pam_pwdb.so try_first_pass(/etc/pam.d/httpd)
auth required /lib/security/pam_afs.so ignore_uid 100 dont_fork # ^^^^^^^^^ #Don't fork for the verification of the password.
auth sufficient /lib/security/pam_afs.so ignore_uid 100 auth required /lib/security/pam_pwdb.so try_first_pass account required /lib/security/pam_pwdb.so password required /lib/security/pam_cracklib.so password required /lib/security/pam_pwdb.so use_authtok session required /lib/security/pam_pwdb.so session optional /lib/security/pam_afs.so no_unlog # ^^^^^^^^ #Don't delete the token in this case, since the user may still #need it (for example if somebody logs in and changes to root #afterwards he may still want to access his home space in AFS). session required /lib/security/pam_login_access.so session optional /lib/security/pam_xauth.so(/etc/pam.d/xdm)
auth required /lib/security/pam_nologin.so auth required /lib/security/pam_login_access.so auth sufficient /lib/security/pam_afs.so ignore_uid 100 use_klog auth required /lib/security/pam_pwdb.so try_first_pass account required /lib/security/pam_pwdb.so password required /lib/security/pam_cracklib.so password required /lib/security/pam_pwdb.so shadow nullok use_authtok session optional /lib/security/pam_afs.so remainlifetime 10 # ^^^^^^^^^^^^^^^^^ #Wait 10 seconds before deleting the AFS tokens in order to give #the programs of the X session some time to save their settings #to AFS. session required /lib/security/pam_pwdb.so
In this section you load AFS into the Solaris kernel. Then incorporate AFS modifications into the machine's Pluggable Authentication Module (PAM) system, if you wish to enable AFS login.
The modload program is the dynamic kernel loader provided by Sun Microsystems for Solaris systems. Solaris does not support incorporation of AFS modifications during a kernel build.
For AFS to function correctly, the modload program must run each time the machine reboots, so the AFS initialization script (included on the AFS CD-ROM) invokes it automatically. In this section you copy the appropriate AFS library file to the location where the modload program accesses it and then run the script.
In a later section you verify that the script correctly initializes the Cache Manager, then create the links that incorporate AFS into the Solaris startup and shutdown sequence.
# cd /cdrom/sun4x_56/root.client/usr/vice/etc
# cp -p afs.rc /etc/init.d/afs
If the machine is running Solaris 2.6 or the 32-bit version of Solaris 7, its kernel supports NFS server functionality, and the nfsd process is running:
# cp -p modload/libafs.o /kernel/fs/afs
If the machine is running Solaris 2.6 or the 32-bit version of Solaris 7, and its kernel does not support NFS server functionality or the nfsd process is not running:
# cp -p modload/libafs.nonfs.o /kernel/fs/afs
If the machine is running the 64-bit version of Solaris 7, its kernel supports NFS server functionality, and the nfsd process is running:
# cp -p modload/libafs64.o /kernel/fs/sparcv9/afs
If the machine is running the 64-bit version of Solaris 7, and its kernel does not support NFS server functionality or the nfsd process is not running:
# cp -p modload/libafs64.nonfs.o /kernel/fs/sparcv9/afs
# /etc/init.d/afs start
When an entry called afs does not already exist in the local /etc/name_to_sysnum file, the script automatically creates it and reboots the machine to start using the new version of the file. If this happens, log in again as the superuser root after the reboot and run the initialization script again. This time the required entry exists in the /etc/name_to_sysnum file, and the modload program runs.
login: root Password: root_password # /etc/init.d/afs start
At this point you incorporate AFS into the operating system's Pluggable Authentication Module (PAM) scheme. PAM integrates all authentication mechanisms on the machine, including login, to provide the security infrastructure for authenticated access to and from the machine.
Explaining PAM is beyond the scope of this document. It is assumed that you understand the syntax and meanings of settings in the PAM configuration file (for example, how the other entry works, the effect of marking an entry as required, optional, or sufficient, and so on).
The following instructions explain how to alter the entries in the PAM configuration file for each service for which you wish to use AFS authentication. Other configurations possibly also work, but the instructions specify the recommended and tested configuration.
| Note: | The instructions specify that you mark each entry as
optional. However, marking some modules as optional can mean
that they grant access to the corresponding service even when the user does
not meet all of the module's requirements. In some operating
system revisions, for example, if you mark as optional the module that
controls login via a dial-up connection, it allows users to login without
providing a password. See the IBM AFS Release Notes for a
discussion of any limitations that apply to this operating system. Also, with some operating system versions you must install patches for PAM to interact correctly with certain authentication programs. For details, see the IBM AFS Release Notes. | 
The recommended AFS-related entries in the PAM configuration file make use of one or more of the following three attributes.
Perform the following steps to enable AFS login.
# cd /usr/lib/security
If you use the AFS Authentication Server (kaserver process):
# cp /cdrom/sun4x_56/lib/pam_afs.so.1 . # ln -s pam_afs.so.1 pam_afs.so
If you use a Kerberos implementation of AFS authentication:
# cp /cdrom/sun4x_56/lib/pam_afs.krb.so.1 . # ln -s pam_afs.krb.so.1 pam_afs.so
First edit the standard entries, which refer to the Solaris PAM module (usually, the file /usr/lib/security/pam_unix.so.1) in their fourth field. For each service for which you want to use AFS authentication, edit the third field of its entry to read optional. The pam.conf file in the Solaris distribution usually includes standard entries for the login, rlogin, and rsh services, for instance.
If there are services for which you want to use AFS authentication, but for which the pam.conf file does not already include a standard entry, you must create that entry and place the value optional in its third field. For instance, the Solaris pam.conf file does not usually include standard entries for the ftp or telnet services.
Then create an AFS-related entry for each service, placing it immediately below the standard entry. The following example shows what the Authentication Management section looks like after you have you edited or created entries for the services mentioned previously. Note that the example AFS entries appear on two lines only for legibility.
  
   login   auth  optional  /usr/lib/security/pam_unix.so.1
   login   auth  optional  /usr/lib/security/pam_afs.so       \
         try_first_pass  ignore_root  setenv_password_expires
   rlogin  auth  optional  /usr/lib/security/pam_unix.so.1
   rlogin  auth  optional  /usr/lib/security/pam_afs.so       \
         try_first_pass  ignore_root  setenv_password_expires
   rsh     auth  optional  /usr/lib/security/pam_unix.so.1
   rsh     auth  optional  /usr/lib/security/pam_afs.so       \
         try_first_pass  ignore_root		
   ftp     auth  optional  /usr/lib/security/pam_unix.so.1
   ftp     auth  optional  /usr/lib/security/pam_afs.so       \
         try_first_pass  ignore_root
   telnet  auth  optional  /usr/lib/security/pam_unix.so.1
   telnet  auth  optional  /usr/lib/security/pam_afs.so       \
         try_first_pass  ignore_root  setenv_password_expires
   
   
   dtlogin   auth  optional  /usr/lib/security/pam_unix.so.1
   dtlogin   auth  optional  /usr/lib/security/pam_afs.so     \
         try_first_pass  ignore_root
   dtsession  auth  optional /usr/lib/security/pam_unix.so.1
   dtsession  auth  optional /usr/lib/security/pam_afs.so     \
         try_first_pass  ignore_root
   
The first possible alteration is to add the -local flag to the existing command, so that it looks like the following:
  
   find $dir -local -name .nfs\* -mtime +7 -mount -exec rm -f {} \;   
 
Another alternative is to exclude any directories whose names begin with the lowercase letter a or a non-alphabetic character.
find /[A-Zb-z]* remainder of existing command
Do not use the following command, which still searches under the /afs directory, looking for a subdirectory of type 4.2.
find / -fstype 4.2 /* do not use */
Now copy files from the AFS CD-ROM to the /usr/vice/etc directory. On some platforms that use a dynamic loader program to incorporate AFS modifications into the kernel, you have already copied over some the files. Copying them again does no harm.
Every AFS client machine has a copy of the /usr/vice/etc/ThisCell file on its local disk to define the machine's cell membership for the AFS client programs that run on it. Among other functions, this file determines the following:
Similarly, the /usr/vice/etc/CellServDB file on a client machine's local disk lists the database server machines in each cell that the local Cache Manager can contact. If there is no entry in the file for a cell, or the list of database server machines is wrong, then users working on this machine cannot access the cell. The chapter in the IBM AFS Administration Guide about administering client machines explains how to maintain the file after creating it. A version of the client CellServDB file was created during the installation of your cell's first machine (in Creating the Client CellServDB File). It is probably also appropriate for use on this machine.
Remember that the Cache Manager consults the /usr/vice/etc/CellServDB file only at reboot, when it copies the information into the kernel. For the Cache Manager to perform properly, the CellServDB file must be accurate at all times. Refer to the chapter in the IBM AFS Administration Guide about administering client machines for instructions on updating this file, with or without rebooting.
This step places a copy of the AFS initialization script (and related files, if applicable) into the /usr/vice/etc directory. In the preceding instructions for incorporating AFS into the kernel, you copied the script directly to the operating system's conventional location for initialization files. When you incorporate AFS into the machine's startup sequence in a later step, you can choose to link the two files.
On some system types that use a dynamic kernel loader program, you previously copied AFS library files into a subdirectory of the /usr/vice/etc directory. On other system types, you copied the appropriate AFS library file directly to the directory where the operating system accesses it. The following commands do not copy or recopy the AFS library files into the /usr/vice/etc directory, because on some system types the library files consume a large amount of space. If you want to copy them, add the -r flag to the first cp command and skip the second cp command.
# cd /cdrom/sysname/root.client/usr/vice/etc # cp -p * /usr/vice/etc # cp -rp C /usr/vice/etc
   
   # echo "cellname" > /usr/vice/etc/ThisCell
    
The Cache Manager uses a cache on the local disk or in machine memory to store local copies of files fetched from file server machines. As the afsd program initializes the Cache Manager, it sets basic cache configuration parameters according to definitions in the local /usr/vice/etc/cacheinfo file. The file has three fields:
The values you define must meet the following requirements.
afsd: memCache allocation failure at number KB
The number value is how many kilobytes were allocated just before the failure, and so indicates the approximate amount of memory available.
Within these hard limits, the factors that determine appropriate cache size include the number of users working on the machine, the size of the files with which they work, and (for a memory cache) the number of processes that run on the machine. The higher the demand from these factors, the larger the cache needs to be to maintain good performance.
Disk caches smaller than 10 MB do not generally perform well. Machines serving multiple users usually perform better with a cache of at least 60 to 70 MB. The point at which enlarging the cache further does not really improve performance depends on the factors mentioned previously and is difficult to predict.
Memory caches smaller than 1 MB are nonfunctional, and the performance of caches smaller than 5 MB is usually unsatisfactory. Suitable upper limits are similar to those for disk caches but are probably determined more by the demands on memory from other sources on the machine (number of users and processes). Machines running only a few processes possibly can use a smaller memory cache.
| Note: | Not all file system types that an operating system supports are necessarily supported for use as the cache partition. For possible restrictions, see the IBM AFS Release Notes. | 
To configure the disk cache, perform the following procedures:
# mkdir /usr/vice/cache
# echo "/afs:/usr/vice/cache:#blocks" > /usr/vice/etc/cacheinfo
The following example defines the disk cache size as 50,000 KB:
# echo "/afs:/usr/vice/cache:50000" > /usr/vice/etc/cacheinfo
To configure a memory cache, create the cacheinfo file to define the configuration parameters discussed previously. The following instruction shows the standard mount location, /afs, and the standard cache location, /usr/vice/cache (though the exact value of the latter is irrelevant for a memory cache).
# echo "/afs:/usr/vice/cache:#blocks" > /usr/vice/etc/cacheinfo
The following example allocates 25,000 KB of memory for the cache.
# echo "/afs:/usr/vice/cache:25000" > /usr/vice/etc/cacheinfo
By convention, the Cache Manager mounts the AFS filespace on the local /afs directory. In this section you create that directory.
The afsd program sets several cache configuration parameters as it initializes the Cache Manager, and starts daemons that improve performance. You can use the afsd command's arguments to override the parameters' default values and to change the number of some of the daemons. Depending on the machine's cache size, its amount of RAM, and how many people work on it, you can sometimes improve Cache Manager performance by overriding the default values. For a discussion of all of the afsd command's arguments, see its reference page in the IBM AFS Administration Reference.
The afsd command line in the AFS initialization script on each system type includes an OPTIONS variable. You can use it to set nondefault values for the command's arguments, in one of the following ways:
You use two variables in the AFS initialization script to specify the path to the options file: CONFIG and AFSDOPT. On system types that define a conventional directory for configuration files, the CONFIG variable indicates it by default; otherwise, the variable indicates an appropriate location.
List the desired afsd options on a single line in the options file, separating each option with one or more spaces. The following example sets the -stat argument to 2500, the -daemons argument to 4, and the -volumes argument to 100.
-stat 2500 -daemons 4 -volumes 100
| Note: | Do not set the OPTIONS variable to $SMALL, $MEDIUM, or $LARGE on a machine that uses a memory cache. The arguments it sets are appropriate only on a machine that uses a disk cache. | 
The script (or on some system types the afsd options file named by the AFSDOPT variable) defines a value for each of SMALL, MEDIUM, and LARGE that sets afsd command arguments appropriately for client machines of different sizes:
# mkdir /afs
afs 4 none none
# cp /usr/vice/etc/afs.conf /etc/sysconfig/afs
Use one of the methods described in the introduction to this section to add the following flags to the afsd command line. Also set any performance-related arguments you wish.
In this section you run the AFS initialization script to start the Cache Manager. If the script works correctly, perform the steps that incorporate it into the machine's startup and shutdown sequence. If there are problems during the initialization, attempt to resolve them. The AFS Product Support group can provide assistance if necessary.
On machines that use a disk cache, it can take a while for the afsd program to run the first time on a machine, because it must create all of the Vn files in the cache directory. Subsequent Cache Manager initializations do not take nearly as long, because the Vn files already exist.
On system types that use a dynamic loader program, you must reboot the machine before running the initialization script, so that it can freshly load AFS modifications into the kernel.
Proceed to the instructions for your system type:
# cd / # shutdown -r now login: root Password: root_password
# /etc/rc.afs
rcafs:2:wait:/etc/rc.afs > /dev/console 2>&1 # Start AFS services
# cd /usr/vice/etc # rm rc.afs # ln -s /etc/rc.afs
# /sbin/init.d/afs start
# cd /sbin/init.d # ln -s ../init.d/afs /sbin/rc3.d/S67afs # ln -s ../init.d/afs /sbin/rc0.d/K66afs
# cd /usr/vice/etc # rm afs.rc # ln -s /sbin/init.d/afs afs.rc
# /sbin/init.d/afs start
# cd /sbin/init.d # ln -s ../init.d/afs /sbin/rc2.d/S460afs # ln -s ../init.d/afs /sbin/rc2.d/K800afs
# cd /usr/vice/etc # rm afs.rc # ln -s /sbin/init.d/afs afs.rc
   
   # cd /
         
   # shutdown -i6 -g0 -y
   
   login: root
   Password: root_password
   
# /etc/chkconfig -f afsclient on
# /etc/init.d/afs start
# cd /etc/init.d # ln -s ../init.d/afs /etc/rc2.d/S35afs # ln -s ../init.d/afs /etc/rc0.d/K35afs
# cd /usr/vice/etc # rm afs.rc # ln -s /etc/init.d/afs afs.rc
  
   # cd /
         
   # shutdown -r now
   
   login: root
   Password: root_password
   
# /etc/rc.d/init.d/afs start
# /sbin/chkconfig --add afs
   
   # cd /usr/vice/etc
   
   # rm afs.rc afs.conf
    
   # ln -s  /etc/rc.d/init.d/afs  afs.rc
   
   # ln -s  /etc/sysconfig/afs  afs.conf
   
   
   # cd /
      
   # shutdown -i6 -g0 -y
   
   login: root
   Password: root_password
   
# /etc/init.d/afs start
# cd /etc/init.d # ln -s ../init.d/afs /etc/rc3.d/S99afs # ln -s ../init.d/afs /etc/rc0.d/K66afs
# cd /usr/vice/etc # rm afs.rc # ln -s /etc/init.d/afs afs.rc
In this section, you link /usr/afsws on the local disk to the directory in AFS that houses AFS binaries for this system type. The conventional name for the AFS directory is /afs/cellname/sysname/usr/afsws.
If this machine is an existing system type, the AFS directory presumably already exists. You can simply create a link from the local /usr/afsws directory to it. Follow the instructions in Linking /usr/afsws on an Existing System Type.
If this machine is a new system type (there are no AFS machines of this type in your cell), you must first create and mount volumes to store its AFS binaries, and then create the link from /usr/afsws to the new directory. See Creating Binary Volumes for a New System Type.
You can also store UNIX system binaries (the files normally stored in local disk directories such as /bin, /etc, and /lib) in volumes mounted under /afs/cellname/sysname. See Storing System Binaries in AFS .
If this client machine is an existing system type, there is already a volume mounted in the AFS filespace that houses AFS client binaries for it.
# ln -s /afs/cellname/@sys/usr/afsws /usr/afsws
# ln -s /afs/cellname/afsdoc/format_name /usr/afsdoc
An alternative is to create a link in each user's home directory to the /afs/cellname/afsdoc/format_name directory.
If this client machine is a new system type, you must create and mount volumes for its binaries before you can link the local /usr/afsws directory to an AFS directory.
To create and mount the volumes, you use the klog command to authenticate as an administrator and then issue commands from the vos and fs command suites. However, the command binaries are not yet available on this machine (by convention, they are accessible via the /usr/afsws link that you are about to create). You have two choices:
If you work on another AFS machine, be sure to substitute the new system type name for the sysname argument in the following commands, not the system type of the machine on which you are issuing the commands.
Perform the following steps to create a volume for housing AFS binaries.
   
   # cd  /cdrom/new_sysname/root.server/usr/afs/bin
   
   # cp -p  klog  /tmp
 
   # cp -p  fs  /tmp
 
   # cp -p  vos  /tmp
     
   
   # klog admin
   Password: admin_password
    
    
   # vos create <machine name> <partition name> sysname
     
   # vos create <machine name> <partition name> sysname.usr
     
   # vos create <machine name> <partition name> sysname.usr.afsws
    
# fs mkmount -dir /afs/.cellname/sysname -vol sysname # fs mkmount -dir /afs/.cellname/sysname/usr -vol sysname.usr # fs mkmount -dir /afs/.cellname/sysname/usr/afsws -vol sysname.usr.afsws # vos release root.cell # fs checkvolumes
# cd /afs/.cellname/sysname # fs setacl -dir . usr usr/afsws -acl system:anyuser rl
If you wish, you can set the volume's quota to a finite value after you complete the copying operation. At that point, use the vos examine command to determine how much space the volume is occupying. Then issue the fs setquota command to set a quota that is slightly larger.
# fs setquota /afs/.cellname/sysname/usr/afsws 0
# cd /afs/.cellname/sysname/usr/afsws # cp -rp /cdrom/sysname/bin . # cp -rp /cdrom/sysname/etc . # cp -rp /cdrom/sysname/include . # cp -rp /cdrom/sysname/lib .
     
   # cd /afs/.cellname/sysname/usr/afsws
   
   # fs setacl  -dir etc include lib  -acl  system:authuser rl  \
              system:anyuser none
   
# ln -s /afs/cellname/@sys/usr/afsws /usr/afsws
# ln -s /afs/cellname/afsdoc/format_name /usr/afsdoc
An alternative is to create a link in each user's home directory to the /afs/cellname/afsdoc/format_name directory.
   
   # cd  /tmp
   
   # rm  klog  fs  vos