<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 4//EN">
<HTML><HEAD>
<TITLE>Administration Guide</TITLE>
<!-- Begin Header Records  ========================================== -->
<!-- /tmp/idwt3570/auagd000.scr converted by idb2h R4.2 (359) ID      -->
<!-- Workbench Version (AIX) on 2 Oct 2000 at 11:42:14                -->
<META HTTP-EQUIV="updated" CONTENT="Mon, 02 Oct 2000 11:42:13">
<META HTTP-EQUIV="review" CONTENT="Tue, 02 Oct 2001 11:42:13">
<META HTTP-EQUIV="expires" CONTENT="Wed, 02 Oct 2002 11:42:13">
</HEAD><BODY>
<!-- (C) IBM Corporation 2000. All Rights Reserved    --> 
<BODY bgcolor="ffffff"> 
<!-- End Header Records  ============================================ -->
<A NAME="Top_Of_Page"></A>
<H1>Administration Guide</H1>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auagd002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auagd006.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Bot_Of_Page"><IMG SRC="../bot.gif" BORDER="0" ALT="[Bottom of Topic]"></A> <A HREF="auagd008.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auagd026.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P> 
<HR><H1><A NAME="HDRWQ29" HREF="auagd002.htm#ToC_33">Issues in Cell Configuration and Administration</A></H1>
<P>This chapter discusses many of the issues to consider when
configuring and administering a cell, and directs you to detailed related
information available elsewhere in this guide. It is assumed you are
already familiar with the material in <A HREF="auagd006.htm#HDRWQ5">An Overview of AFS Administration</A>.
<P>It is best to read this chapter before installing your cell's first
file server machine or performing any other administrative task.
<A NAME="IDX5609"></A>
<A NAME="IDX5610"></A>
<A NAME="IDX5611"></A>
<HR><H2><A NAME="HDRWQ30" HREF="auagd002.htm#ToC_34">Differences between AFS and UNIX: A Summary</A></H2>
<P>AFS behaves like a standard UNIX file system in most
respects, while also making file sharing easy within and between cells.
This section describes some differences between AFS and the UNIX file system,
referring you to more detailed information as appropriate.
<A NAME="IDX5612"></A>
<P><H3><A NAME="Header_35" HREF="auagd002.htm#ToC_35">Differences in File and Directory Protection</A></H3>
<P>AFS augments the standard UNIX file protection mechanism in two
ways: it associates an <I>access control list</I> (<I>ACL</I>)
with each directory, and it enables users to define a large number of their
own groups, which can be placed on ACLs.
<P>AFS uses ACLs to protect files and directories, rather than relying
exclusively on the mode bits. This has several implications, which are
discussed further in the indicated sections:
<UL>
<P><LI>AFS ACLs use seven access permissions rather than the three UNIX mode
bits. See <A HREF="auagd020.htm#HDRWQ567">The AFS ACL Permissions</A>.
<P><LI>For directories, AFS ignores the UNIX mode bits. For files, AFS
uses only the first set of mode bits (the <B>owner</B> bits) , and their
meaning interacts with permissions on the directory's ACL. See <A HREF="auagd020.htm#HDRWQ580">How AFS Interprets the UNIX Mode Bits</A>.
<P><LI>A directory's ACL protects all of the files in a directory in the
same manner. To apply a more restrictive set of AFS permissions to
certain file, place it in directory with a different ACL.
<P><LI>Moving a file to a different directory changes its protection. See <A HREF="auagd020.htm#HDRWQ566">Differences Between UFS and AFS Data Protection</A>.
<P><LI>An ACL can include about 20 entries granting different combinations of
permissions to different users or groups, rather than only the three UNIX
entities represented by the three sets of mode bits. See <A HREF="auagd020.htm#HDRWQ566">Differences Between UFS and AFS Data Protection</A>.
<P><LI>You can designate an AFS file as write-only as in the UNIX file system, by
setting only the <B>w</B> (<B>write</B>) mode bit. You cannot
designate an AFS directory as write-only, because AFS ignores the mode bits on
a directory. See <A HREF="auagd020.htm#HDRWQ580">How AFS Interprets the UNIX Mode Bits</A>.
</UL>
<P>AFS enables users to define the groups of other users. Placing these
groups on ACLs extends the same permissions to a number of exactly specified
users at the same time, which is much more convenient than placing the
individuals on the ACLs directly. See <A HREF="auagd019.htm#HDRWQ531">Administering the Protection Database</A>.
<P>There are also system-defined groups, <B>system:anyuser</B> and
<B>system:authuser</B>, whose presence on an ACL extends access to a
wide range of users at once. See <A HREF="auagd019.htm#HDRWQ535">The System Groups</A> and <A HREF="auagd020.htm#HDRWQ571">Using Groups on ACLs</A>.
<A NAME="IDX5613"></A>
<A NAME="IDX5614"></A>
<P><H3><A NAME="HDRWQ31" HREF="auagd002.htm#ToC_36">Differences in Authentication</A></H3>
<P>Just as the AFS filespace is distinct from each
machine's local file system, AFS authentication is separate from local
login. This has two practical implications, which are discussed further
in <A HREF="#HDRWQ65">Using an AFS-modified login Utility</A>.
<UL>
<P><LI>To access AFS files, users must both log into the local machine's
UNIX file system and authenticate with the AFS authentication service.
(Logging into the local UNIX file system is necessary because the AFS
filespace is accessed through the Cache Manager, which resides in the local
machine's kernel.)
<P>AFS provides a modified login utility for each system type that
accomplishes both local login and AFS authentication in one step, based on a
single password. If you choose not to use the AFS-modified login
utility, your users must login and authenticate in separate steps, as detailed
in the <I>IBM AFS User Guide</I>.
<P><LI>Passwords are stored in two separate places: the Authentication
Database for AFS and each machine's local password file
(<B>/etc/passwd</B> or equivalent) for the UNIX file system. A
user's passwords in the two places can differ if desired, though the
resulting behavior depends on whether and how the cell is using an
AFS-modified login utility.
</UL>
<P><H3><A NAME="Header_37" HREF="auagd002.htm#ToC_37">Differences in the Semantics of Standard UNIX Commands</A></H3>
<P>This section summarizes how AFS modifies the functionality of some UNIX
commands.
<DL>
<A NAME="IDX5615"></A>
<A NAME="IDX5616"></A>
<A NAME="IDX5617"></A>
<P><DT><B>The chmod command
</B><DD>Only members of the <B>system:administrators</B> group can use
this command to turn on the setuid, setgid or sticky mode bits on AFS
files. For more information, see <A HREF="auagd015.htm#HDRWQ409">Determining if a Client Can Run Setuid Programs</A>.
<A NAME="IDX5618"></A>
<A NAME="IDX5619"></A>
<P><DT><B>The chown command
</B><DD>Only members of the <B>system:administrators</B> group can issue
this command on AFS files.
<A NAME="IDX5620"></A>
<A NAME="IDX5621"></A>
<P><DT><B>The chgrp command
</B><DD>Only members of the <B>system:administrators</B> can issue this
command on AFS files and directories.
<A NAME="IDX5622"></A>
<A NAME="IDX5623"></A>
<P><DT><B>The ftpd daemon
</B><DD>The AFS-modified version of this daemon attempts to authenticate remote
issuers of the <B>ftp</B> command with the local AFS authentication
service. See <A HREF="#HDRWQ78">Using UNIX Remote Services in the AFS Environment</A>.
<A NAME="IDX5624"></A>
<A NAME="IDX5625"></A>
<P><DT><B>The groups command
</B><DD>If the user's AFS tokens are associated with a process authentication
group (PAG), the output of this command sometimes includes two large
numbers. To learn about PAGs, see <A HREF="#HDRWQ64">Identifying AFS Tokens by PAG</A>.
<A NAME="IDX5626"></A>
<A NAME="IDX5627"></A>
<P><DT><B>The inetd daemon
</B><DD>The AFS-modified version of this daemon authenticates remote issuers of
the AFS-modified <B>rcp</B> and <B>rsh</B> commands with the local AFS
authentication service. See <A HREF="#HDRWQ78">Using UNIX Remote Services in the AFS Environment</A>.
<P><DT><B>The login utility
</B><DD>AFS-modified login utilities both log the issuer into the local file
system and authenticate the user with the AFS authentication service.
See <A HREF="#HDRWQ65">Using an AFS-modified login Utility</A>.
<A NAME="IDX5628"></A>
<A NAME="IDX5629"></A>
<P><DT><B>The ln command
</B><DD>This command cannot create hard links between files in different AFS
directories. See <A HREF="#HDRWQ32">Creating Hard Links</A>.
<A NAME="IDX5630"></A>
<A NAME="IDX5631"></A>
<P><DT><B>The rcp command
</B><DD>The AFS-modified version of this command enables the issuer to access
files on the remote machine as an authenticated AFS user. See <A HREF="#HDRWQ78">Using UNIX Remote Services in the AFS Environment</A>.
<A NAME="IDX5632"></A>
<A NAME="IDX5633"></A>
<P><DT><B>The rlogind daemon
</B><DD>The AFS-modified version of this daemon authenticates remote issuers of
the <B>rlogin</B> command with the local AFS authentication
service. See <A HREF="#HDRWQ78">Using UNIX Remote Services in the AFS Environment</A>.
<P>The AFS distribution for some system types possibly does not include a
modified <B>rlogind</B> program. See the <I>IBM AFS Release
Notes</I>.
<A NAME="IDX5634"></A>
<A NAME="IDX5635"></A>
<P><DT><B>The remsh or rsh command
</B><DD>The AFS-modified version of this command enables the issuer to execute
commands on the remote machine as an authenticated AFS user. See <A HREF="#HDRWQ78">Using UNIX Remote Services in the AFS Environment</A>.
</DL>
<A NAME="IDX5636"></A>
<A NAME="IDX5637"></A>
<A NAME="IDX5638"></A>
<A NAME="IDX5639"></A>
<A NAME="IDX5640"></A>
<A NAME="IDX5641"></A>
<P><H3><A NAME="Header_38" HREF="auagd002.htm#ToC_38">The AFS version of the fsck Command</A></H3>
<P>Never run the standard UNIX <B>fsck</B> command on an AFS file
server machine. It does not understand how the File Server organizes
volume data on disk, and so moves all AFS data into the <B>lost+found</B>
directory on the partition.
<P>Instead, use the version of the <B>fsck</B> program that is included in
the AFS distribution. The <I>IBM AFS Quick Beginnings</I> explains
how to replace the vendor-supplied <B>fsck</B> program with the AFS
version as you install each server machine.
<P>The AFS version functions like the standard <B>fsck</B> program on data
stored on both UFS and AFS partitions. The appearance of a banner like
the following as the <B>fsck</B> program initializes confirms that you are
running the correct one:
<PRE>   --- AFS (R) <VAR>version</VAR> fsck---
</PRE>
<P>where <VAR>version</VAR> is the AFS version. For correct results, it
must match the AFS version of the server binaries in use on the
machine.
<P>If you ever accidentally run the standard version of the program, contact
AFS Product Support immediately. It is sometimes possible to recover
volume data from the <B>lost+found</B> directory.
<A NAME="IDX5642"></A>
<A NAME="IDX5643"></A>
<P><H3><A NAME="HDRWQ32" HREF="auagd002.htm#ToC_39">Creating Hard Links</A></H3>
<P>AFS does not allow hard links (created with the UNIX
<B>ln</B> command) between files that reside in different directories,
because in that case it is unclear which of the directory's ACLs to
associate with the link.
<P>AFS also does not allow hard links to directories, in order to keep the
file system organized as a tree.
<P>It is possible to create symbolic links (with the UNIX <B>ln -s</B>
command) between elements in two different AFS directories, or even between an
element in AFS and one in a machine's local UNIX file system. Do
not create a symbolic link to a file whose name begins with either a number
sign (<B>#</B>) or a percent sign (<B>%</B>), however. The
Cache Manager interprets such links as a mount point to a regular or
read/write volume, respectively.
<A NAME="IDX5644"></A>
<A NAME="IDX5645"></A>
<A NAME="IDX5646"></A>
<P><H3><A NAME="HDRWQ33" HREF="auagd002.htm#ToC_40">AFS Implements Save on Close</A></H3>
<P>When an application issues the UNIX <B>close</B> system
call on a file, the Cache Manager performs a synchronous write of the data to
the File Server that maintains the central copy of the file. It does
not return control to the application until the File Server has acknowledged
receipt of the data. For the <B>fsync</B> system call, control does
not return to the application until the File Server indicates that it has
written the data to non-volatile storage on the file server machine.
<P>When an application issues the UNIX <B>write</B> system call, the Cache
Manager writes modifications to the local AFS client cache only. If the
local machine crashes or an application program exits without issuing the
<B>close</B> system call, it is possible that the modifications are not
recorded in the central copy of the file maintained by the File Server.
The Cache Manager does sometimes write this type of modified data from the
cache to the File Server without receiving the <B>close</B> or
<B>fsync</B> system call, for example if it needs to free cache chunks for
new data. However, it is not generally possible to predict when the
Cache Manager transfers modified data to the File Server in this way.
<P>The implication is that if an application's <B>Save</B> option
invokes the <B>write</B> system call rather than <B>close</B> or
<B>fsync</B>, the changes are not necessarily stored permanently on the
File Server machine. Most application programs issue the
<B>close</B> system call for save operations, as well as when they finish
handling a file and when they exit.
<P><H3><A NAME="Header_41" HREF="auagd002.htm#ToC_41">Setuid Programs</A></H3>
<A NAME="IDX5647"></A>
<P>Set the UNIX setuid bit only for the local superuser <B>root</B>;
this does not present an automatic security risk: the local superuser
has no special privilege in AFS, but only in the local machine's UNIX
file system and kernel.
<P>Any file can be marked with the setuid bit, but only members of the
<B>system:administrators</B> group can issue the <B>chown</B>
system call or the <B>/etc/chown</B> command.
<P>The <B>fs setcell</B> command determines whether setuid programs that
originate in a foreign cell can run on a given client machine. See <A HREF="auagd015.htm#HDRWQ409">Determining if a Client Can Run Setuid Programs</A>.
<A NAME="IDX5648"></A>
<A NAME="IDX5649"></A>
<A NAME="IDX5650"></A>
<A NAME="IDX5651"></A>
<HR><H2><A NAME="HDRWQ34" HREF="auagd002.htm#ToC_42">Choosing a Cell Name</A></H2>
<P>This section explains how to choose a cell name and explains
why choosing an appropriate cell name is important.
<P>Your cell name must distinguish your cell from all others in the AFS global
namespace. By conventions, the cell name is the second element in any
AFS pathname; therefore, a unique cell name guarantees that every AFS
pathname uniquely identifies a file, even if cells use the same directory
names at lower levels in their local AFS filespace. For example, both
the ABC Corporation cell and the State University cell can have a home
directory for the user <B>pat</B>, because the pathnames are
distinct: <B>/afs/abc.com/usr/pat</B> and
<B>/afs/stateu.edu/usr/pat</B>.
<P>By convention, cell names follow the ARPA Internet Domain System
conventions for site names. If you are already an Internet site, then
it is simplest to choose your Internet domain name as the cellname.
<P>If you are not an Internet site, it is best to choose a unique
Internet-style name, particularly if you plan to connect to the Internet in
the future. AFS Product Support is available for help in selecting an
appropriate name. There are a few constraints on AFS cell names:
<UL>
<P><LI>It can contain as many as 64 characters, but shorter names are better
because the cell name frequently is part of machine and file names. If
your cell name is long, you can reduce pathname length by creating a symbolic
link to the complete cell name, at the second level in your file tree.
See <A HREF="#HDRWQ42">The Second (Cellname) Level</A>.
<P><LI>To guarantee it is suitable for different operating system types, the cell
name can contain only lowercase characters, numbers, underscores, dashes, and
periods. Do not include command shell metacharacters.
<P><LI>It can include any number of fields, which are conventionally separated by
periods (see the examples below).
<P><LI>It must end in a suffix that indicates the type of institution it is, or
the country in which it is situated. The following are some of the
standard suffixes:
<DL>
<P><DT><B>.com
</B><DD>For businesses and other commercial organizations. Example:
<B>abc.com</B> for the ABC Corporation cell.
<P><DT><B>.edu
</B><DD>For educational institutions such as universities. Example:
<B>stateu.edu</B> for the State University cell.
<P><DT><B>.gov
</B><DD>For United States government institutions.
<P><DT><B>.mil
</B><DD>For United States military installations.
</DL>
</UL>
<P>Other suffixes are available if none of these are appropriate. 
<A NAME="IDX5652"></A>
<A NAME="IDX5653"></A>
You can learn about suffixes by calling the Defense Data Network [Internet]
Network Information Center in the United States at (800) 235-3155. The
NIC can also provide you with the forms necessary for registering your cell
name as an Internet domain name. Registering your name prevents another
Internet site from adopting the name later.
<A NAME="IDX5654"></A>
<A NAME="IDX5655"></A>
<A NAME="IDX5656"></A>
<A NAME="IDX5657"></A>
<P><H3><A NAME="Header_43" HREF="auagd002.htm#ToC_43">How to Set the Cell Name</A></H3>
<P>The cell name is recorded in two files on the local disk of each file
server and client machine. Among other functions, these files define
the machine's cell membership and so affect how programs and processes
run on the machine; see <A HREF="#HDRWQ35">Why Choosing the Appropriate Cell Name is Important</A>. The procedure for setting the cell name is different
for the two types of machines.
<P>For file server machines, the two files that record the cell name are the
<B>/usr/afs/etc/ThisCell</B> and <B>/usr/afs/etc/CellServDB</B>
files. As described more explicitly in the <I>IBM AFS Quick
Beginnings</I>, you set the cell name in both by issuing the <B>bos
setcellname</B> command on the first file server machine you install in your
cell. It is not usually necessary to issue the command again. If
you run the United States edition of AFS and use the Update Server, it
distributes its copy of the <B>ThisCell</B> and <B>CellServDB</B>
files to additional server machines that you install. If you use the
international edition of AFS, the <I>IBM AFS Quick Beginnings</I> explains
how to copy the files manually.
<P>For client machines, the two files that record the cell name are the
<B>/usr/vice/etc/ThisCell</B> and <B>/usr/vice/etc/CellServDB</B>
files. You create these files on a per-client basis, either with a text
editor or by copying them onto the machine from a central source in
AFS. See <A HREF="auagd015.htm#HDRWQ406">Maintaining Knowledge of Database Server Machines</A> for details.
<P>Change the cell name in these files only when you want to transfer the
machine to a different cell (it can only belong to one cell at a time).
If the machine is a file server, follow the complete set of instructions in
the <I>IBM AFS Quick Beginnings</I> for configuring a new cell. If
the machine is a client, all you need to do is change the files appropriately
and reboot the machine. The next section explains further the negative
consequences of changing the name of an existing cell.
<P>To set the default cell name used by most AFS commands without changing the
local <B>/usr/vice/etc/ThisCell</B> file, set the AFSCELL environment
variable in the command shell. It is worth setting this variable if you
need to complete significant administrative work in a foreign cell.
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">The <B>fs checkservers</B> and <B>fs mkmount</B> commands do not use
the AFSCELL variable. The <B>fs checkservers</B> command always
defaults to the cell named in the <B>ThisCell</B> file, unless the
<B>-cell</B> argument is used. The <B>fs mkmount</B> command
defaults to the cell in which the parent directory of the new mount point
resides.
</TD></TR></TABLE>
<A NAME="IDX5658"></A>
<P><H3><A NAME="HDRWQ35" HREF="auagd002.htm#ToC_44">Why Choosing the Appropriate Cell Name is Important</A></H3>
<P>Take care to select a cell name that is suitable for
long-term use. Changing a cell name later is complicated. An
appropriate cell name is important because it is the second element in the
pathname of all files in a cell's file tree. Because each cell
name is unique, its presence in an AFS pathname makes the pathname unique in
the AFS global namespace, even if multiple cells use similar filespace
organization at lower levels. For instance, it means that every cell
can have a home directory called <B>/afs/<VAR>cellname</VAR>/usr/pat</B>
without causing a conflict. The presence of the cell name in pathnames
also means that users in every cell use the same pathname to access a file,
whether the file resides in their local cell or in a foreign cell.
<P>Another reason to choose the correct cell name early in the process of
installing your cell is that the cell membership defined in each
machine's <B>ThisCell</B> file affects the performance of many
programs and processes running on the machine. For instance, AFS
commands (<B>fs</B>, <B>kas</B>, <B>pts</B> and <B>vos</B>
commands) by default execute in the cell of the machine on which they are
issued. The command interpreters check the <B>ThisCell</B> file on
the local disk and then contact the database server machines listed in the
<B>CellServDB</B> file for the indicated cell (the <B>bos</B> commands
work differently because the issuer always has to name of the machine on which
to run the command).
<P>The <B>ThisCell</B> file also determines the cell for which a user
receives an AFS token when he or she logs in to a machine. The cell
name also plays a role in security. As it converts a user password into
an encryption key for storage in the Authentication Database, the
Authentication Server combines the password with the cell name found in the
<B>ThisCell</B> file. AFS-modified login utilities use the same
algorithm to convert the user's password into an encryption key before
contacting the Authentication Server to obtain a token for the user.
(For a description of how AFS's security system uses encryption keys, see
<A HREF="#HDRWQ75">A More Detailed Look at Mutual Authentication</A>.)
<P>This method of converting passwords into encryption keys means that the
same password results in different keys in different cells. Even if a
user uses the same password in multiple cells, obtaining a user's token
from one cell does not enable unauthorized access to the user's account
in another cell.
<P>If you change the cell name, you must change the <B>ThisCell</B> and
<B>CellServDB</B> files on every server and client machine. Failure
to change them all can prevent login, because the encryption keys produced by
the login utility do not match the keys stored in the Authentication
Database. In addition, many commands from the AFS suites do not work as
expected.
<A NAME="IDX5659"></A>
<A NAME="IDX5660"></A>
<A NAME="IDX5661"></A>
<HR><H2><A NAME="HDRWQ36" HREF="auagd002.htm#ToC_45">Participating in the AFS Global Namespace</A></H2>
<P>Participating in the AFS global namespace makes your
cell's local file tree visible to AFS users in foreign cells and makes
other cells' file trees visible to your local users. It makes file
sharing across cells just as easy as sharing within a cell. This
section outlines the procedures necessary for participating in the global
namespace.
<UL>
<P><LI>Participation in the global namespace is not mandatory. Some cells
use AFS primarily to facilitate file sharing within the cell, and are not
interested in providing their users with access to foreign cells.
<P><LI>Making your file tree visible does not mean making it vulnerable.
You control how foreign users access your cell using the same protection
mechanisms that control local users' access. See <A HREF="#HDRWQ40">Granting and Denying Foreign Users Access to Your Cell</A>.
<P><LI>The two aspects of participation are independent. A cell can make
its file tree visible without allowing its users to see foreign cells'
file trees, or can enable its users to see other file trees without
advertising its own.
<P><LI>You make your cell visible to others by advertising your database server
machines. See <A HREF="#HDRWQ38">Making Your Cell Visible to Others</A>.
<P><LI>You control access to foreign cells on a per-client machine basis.
In other words, it is possible to make a foreign cell accessible from one
client machine in your cell but not another. See <A HREF="#HDRWQ39">Making Other Cells Visible in Your Cell</A>.
</UL>
<A NAME="IDX5662"></A>
<A NAME="IDX5663"></A>
<A NAME="IDX5664"></A>
<A NAME="IDX5665"></A>
<A NAME="IDX5666"></A>
<A NAME="IDX5667"></A>
<P><H3><A NAME="HDRWQ37" HREF="auagd002.htm#ToC_46">What the Global Namespace Looks Like</A></H3>
<P>The AFS global namespace appears the same to all AFS cells
that participate in it, because they all agree to follow a small set of
conventions in constructing pathnames.
<P>The first convention is that all AFS pathnames begin with the string
<B>/afs</B> to indicate that they belong to the AFS global
namespace.
<P>The second convention is that the cell name is the second element in an AFS
pathname; it indicates where the file resides (that is, the cell in which
a file server machine houses the file). As noted, the presence of a
cell name in pathnames makes the global namespace possible, because it
guarantees that all AFS pathnames are unique even if cells use the same
directory names at lower levels in their AFS filespace.
<P>What appears at the third and lower levels in an AFS pathname depends on
how a cell has chosen to arrange its filespace. There are some
suggested conventional directories at the third level; see <A HREF="#HDRWQ43">The Third Level</A>.
<A NAME="IDX5668"></A>
<A NAME="IDX5669"></A>
<A NAME="IDX5670"></A>
<P><H3><A NAME="HDRWQ38" HREF="auagd002.htm#ToC_47">Making Your Cell Visible to Others</A></H3>
<P>You make your cell visible to others by advertising your cell
name and database server machines. Just like client machines in the
local cell, the Cache Manager on machines in foreign cells use the information
to reach your cell's Volume Location (VL) Servers when they need volume
and file location information. Similarly, client-side authentication
programs running in foreign cells use the information to contact your
cell's authentication service.
<P>There are two places you can make this information available:
<UL>
<A NAME="IDX5671"></A>
<A NAME="IDX5672"></A>
<P><LI>In the global <B>CellServDB</B> file maintained by the AFS Product
Support group. This file lists the name and database server machines of
every cell that has agreed to make this information available to other
cells. 
<P>To add or change your cell's listing in this file, have the official
support contact at your site call or write to AFS Product Support.
Changes to the file are frequent enough that AFS Product Support does not
announce each one. It is a good policy to check the file for changes on
a regular schedule.
<A NAME="IDX5673"></A>
<A NAME="IDX5674"></A>
<P><LI>A file called <B>CellServDB.local</B> in the
<B>/afs/</B><VAR>cellname</VAR><B>/service/etc</B> directory of your
cell's filespace. List only your cell's database server
machines.
</UL>
<P>Update the files whenever you change the identity of your cell's
database server machines. Also update the copies of the
<B>CellServDB</B> files on all of your server machines (in the
<B>/usr/afs/etc</B> directory) and client machines (in the
<B>/usr/vice/etc</B> directory). For instructions, see <A HREF="auagd008.htm#HDRWQ118">Maintaining the Server CellServDB File</A> and <A HREF="auagd015.htm#HDRWQ406">Maintaining Knowledge of Database Server Machines</A>.
<P>Once you have advertised your database server machines, it can be difficult
to make your cell invisible again. You can remove the
<B>CellServDB.local</B> file and ask AFS Product Support to remove
your entry from the global <B>CellServDB</B> file, but other cells
probably have an entry for your cell in their local <B>CellServDB</B>
files already. To make those entries invalid, you must change the names
or IP addresses of your database server machines.
<P>Your cell does not have to be invisible to be inaccessible, however.
To make your cell completely inaccessible to foreign users, remove the
<B>system:anyuser</B> group from all ACLs at the top three levels of
your filespace; see <A HREF="#HDRWQ40">Granting and Denying Foreign Users Access to Your Cell</A>.
<A NAME="IDX5675"></A>
<A NAME="IDX5676"></A>
<A NAME="IDX5677"></A>
<A NAME="IDX5678"></A>
<P><H3><A NAME="HDRWQ39" HREF="auagd002.htm#ToC_48">Making Other Cells Visible in Your Cell</A></H3>
<P>To make a foreign cell's filespace visible on a client
machine in your cell, perform the following three steps:
<OL TYPE=1>
<P><LI>Mount the cell's <B>root.cell</B> volume at the second
level in your cell's filespace just below the <B>/afs</B>
directory. Use the <B>fs mkmount</B> command with the
<B>-cell</B> argument as instructed in <A HREF="auagd010.htm#HDRWQ213">To create a cellular mount point</A>.
<P><LI>Mount AFS at the <B>/afs</B> directory on the client machine.
The <B>afsd</B> program, which initializes the Cache Manager, performs the
mount automatically at the directory named in the first field of the local
<B>/usr/vice/etc/cacheinfo</B> file or by the command's
<B>-mountdir</B> argument. Mounting AFS at an alternate location
makes it impossible to reach the filespace of any cell that mounts its
<B>root.afs</B> and <B>root.cell</B> volumes at the
conventional locations. See <A HREF="auagd015.htm#HDRWQ395">Displaying and Setting the Cache Size and Location</A>.
<P><LI>Create an entry for the cell in the list of database server machines which
the Cache Manager maintains in kernel memory. 
<P>The <B>/usr/vice/etc/CellServDB</B> file on every client machine's
local disk lists the database server machines for the local and foreign
cells. The <B>afsd</B> program reads the contents of the
<B>CellServDB</B> file into kernel memory as it initializes the Cache
Manager. You can also use the <B>fs newcell</B> command to add or
alter entries in kernel memory directly between reboots of the machine.
See <A HREF="auagd015.htm#HDRWQ406">Maintaining Knowledge of Database Server Machines</A>.
</OL>
<P>Note that making a foreign cell visible to client machines does not
guarantee that your users can access its filespace. The ACLs in the
foreign cell must also grant them the necessary permissions.
<A NAME="IDX5679"></A>
<A NAME="IDX5680"></A>
<P><H3><A NAME="HDRWQ40" HREF="auagd002.htm#ToC_49">Granting and Denying Foreign Users Access to Your Cell</A></H3>
<P>Making your cell visible in the AFS global namespace does not
take away your control over the way in which users from foreign cells access
your file tree.
<P>By default, foreign users access your cell as the user
<B>anonymous</B>, which means they have only the permissions granted to
the <B>system:anyuser</B> group on each directory's ACL.
Normally these permissions are limited to the <B>l</B> (<B>lookup</B>)
and <B>r</B> (<B>read</B>) permissions.
<P>There are two ways to grant wider access to foreign users:
<UL>
<P><LI>Grant additional permissions to the <B>system:anyuser</B> group
on certain ACLs. Keep in mind, however, that all users can then access
that directory in the indicated way (not just specific foreign users you have
in mind).
<P><LI>Create a local authentication account for specific foreign users, by
creating entries in the Protection and Authentication Databases and local
password file. It is not possible to place foreign usernames on ACLs,
nor to authenticate in a foreign cell without having an account in it.
</UL>
<A NAME="IDX5681"></A>
<A NAME="IDX5682"></A>
<A NAME="IDX5683"></A>
<HR><H2><A NAME="HDRWQ41" HREF="auagd002.htm#ToC_50">Configuring Your AFS Filespace</A></H2>
<P>This section summarizes the issues to consider when
configuring your AFS filespace. For a discussion of creating volumes
that correspond most efficiently to the filespace's directory structure,
see <A HREF="#HDRWQ44">Creating Volumes to Simplify Administration</A>.
<P><B>Note for Windows users:</B> Windows uses a backslash
(&nbsp;<B>\</B>&nbsp;) rather than a forward slash
(&nbsp;<B>/</B>&nbsp;) to separate the elements in a
pathname. The hierarchical organization of the filespace is however the
same as on a UNIX machine.
<P>AFS pathnames must follow a few conventions so the AFS global namespace
looks the same from any AFS client machine. There are corresponding
conventions to follow in building your file tree, not just because pathnames
reflect the structure of a file tree, but also because the AFS Cache Manager
expects a certain configuration.
<A NAME="IDX5684"></A>
<A NAME="IDX5685"></A>
<P><H3><A NAME="Header_51" HREF="auagd002.htm#ToC_51">The Top /afs Level</A></H3>
<P>The first convention is that the top level in your file tree be called
the <B>/afs</B> directory. If you name it something else, then you
must use the <B>-mountdir</B> argument with the <B>afsd</B> program to
get Cache Managers to mount AFS properly. You cannot participate in the
AFS global namespace in that case.
<A NAME="IDX5686"></A>
<A NAME="IDX5687"></A>
<A NAME="IDX5688"></A>
<P><H3><A NAME="HDRWQ42" HREF="auagd002.htm#ToC_52">The Second (Cellname) Level</A></H3>
<P>The second convention is that just below the <B>/afs</B>
directory you place directories corresponding to each cell whose file tree is
visible and accessible from the local cell. Minimally, there must be a
directory for the local cell. Each such directory is a mount point to
the indicated cell's <B>root.cell</B> volume. For
example, in the ABC Corporation cell, <B>/afs/abc.com</B> is a
mount point for the cell's own <B>root.cell</B> volume and
<B>stateu.edu</B> is a mount point for the State University
cell's <B>root.cell</B> volume. The <B>fs
lsmount</B> command displays the mount points.
<PRE>   % <B>fs lsmount /afs/abc.com</B> 
   '/afs/abc.com' is a mount point for volume '#root.cell'
   % <B>fs lsmount /afs/stateu.edu</B>
   '/afs/stateu.edu' is a mount point for volume '#stateu.edu:root.cell'
</PRE>
<P>To reduce the amount of typing necessary in pathnames, you can create a
symbolic link with an abbreviated name to the mount point of each cell your
users frequently access (particularly the home cell). In the ABC
Corporation cell, for instance, <B>/afs/abc</B> is a symbolic link to the
<B>/afs/abc.com</B> mount point, as the <B>fs lsmount</B>
command reveals.
<PRE>   % <B>fs lsmount /afs/abc</B>
   '/afs/abc' is a symbolic link, leading to a mount point for volume '#root.cell'
</PRE>
<A NAME="IDX5689"></A>
<A NAME="IDX5690"></A>
<P><H3><A NAME="HDRWQ43" HREF="auagd002.htm#ToC_53">The Third Level</A></H3>
<P>You can organize the third level of your cell's file
tree any way you wish. The following list describes directories that
appear at this level in the conventional configuration:
<DL>
<P><DT><B>common
</B><DD>This directory contains programs and files needed by users working on
machines of all system types, such as text editors, online documentation
files, and so on. Its <B>/etc</B> subdirectory is a logical place
to keep the central update sources for files used on all of your cell's
client machines, such as the <B>ThisCell</B> and <B>CellServDB</B>
files.
<P><DT><B>public
</B><DD>A directory accessible to anyone who can access your filespace, because
its ACL grants the <B>l</B> (<B>lookup</B>) and <B>r</B>
(<B>read</B>) permissions to the <B>system:anyuser</B>
group. It is useful if you want to enable your users to make selected
information available to everyone, but do not want to grant foreign users
access to the contents of the <B>usr</B> directory which houses user home
directories ( and is also at this level). It is conventional to create
a subdirectory for each of your cell's users.
<P><DT><B>service
</B><DD>This directory contains files and subdirectories that help cells
coordinate resource sharing. For a list of the proposed standard files
and subdirectories to create, call or write to AFS Product Support.
<P>As an example, files that other cells expect to find in this
directory's <B>etc</B> subdirectory can include the following:
<UL>
<P><LI><B>CellServDB.export</B>, a list of database server machines
for many cells
<P><LI><B>CellServDB.local</B>, a list of the cell's own database
server machines
<P><LI><B>passwd</B>, a copy of the local password file
(<B>/etc/passwd</B> or equivalent) kept on the local disk of the
cell's client machines
<P><LI><B>group</B>, a copy of the local groups file (<B>/etc/group</B>
or equivalent) kept on the local disk of the cell's client machines
</UL>
<P><DT><B><VAR>sys_type</VAR>
</B><DD>A separate directory for storing the server and client binaries for each
system type you use in the cell. Configuration is simplest if you use
the system type names assigned in the AFS distribution, particularly if you
wish to use the <B>@sys</B> variable in pathnames (see <A HREF="#HDRWQ56">Using the @sys Variable in Pathnames</A>). The <I>IBM AFS Release Notes</I> lists the
conventional name for each supported system type.
<P>Within each such directory, create directories named <B>bin</B>,
<B>etc</B>, <B>usr</B>, and so on, to store the programs normally kept
in the <B>/bin</B>, <B>/etc</B> and <B>/usr</B> directories on a
local disk. Then create symbolic links from the local directories on
client machines into AFS; see <A HREF="#HDRWQ55">Configuring the Local Disk</A>. Even if you do not choose to use symbolic links in
this way, it can be convenient to have central copies of system binaries in
AFS. If binaries are accidentally removed from a machine, you can
recopy them onto the local disk from AFS rather than having to recover them
from tape
<P><DT><B>usr
</B><DD>This directory contains home directories for your local users. As
discussed in the previous entry for the <B>public</B> directory, it is
often practical to protect this directory so that only locally authenticated
users can access it. This keeps the contents of your user's home
directories as secure as possible.
<P>If your cell is quite large, directory lookup can be slowed if you put all
home directories in a single <B>usr</B> directory. For suggestions
on distributing user home directories among multiple grouping directories, see
<A HREF="#HDRWQ59">Grouping Home Directories</A>.
<P><DT><B>wsadmin
</B><DD>This directory contains prototype, configuration and library files for use
with the <B>package</B> program. See <A HREF="auagd016.htm#HDRWQ419">Configuring Client Machines with the package Program</A>.
</DL>
<A NAME="IDX5691"></A>
<A NAME="IDX5692"></A>
<A NAME="IDX5693"></A>
<A NAME="IDX5694"></A>
<HR><H2><A NAME="HDRWQ44" HREF="auagd002.htm#ToC_54">Creating Volumes to Simplify Administration</A></H2>
<P>This section discusses how to create volumes in ways that
make administering your system easier.
<P>At the top levels of your file tree (at least through the third level),
each directory generally corresponds to a separate volume. Some cells
also configure the subdirectories of some third level directories as separate
volumes. Common examples are the
<B>/afs/</B><VAR>cellname</VAR><B>/common</B> and
<B>/afs/</B><VAR>cellname</VAR><B>/usr</B> directories.
<P>You do not have to create a separate volume for every directory level in a
tree, but the advantage is that each volume tends to be smaller and easier to
move for load balancing. The overhead for a mount point is no greater
than for a standard directory, nor does the volume structure itself require
much disk space. Most cells find that below the fourth level in the
tree, using a separate volume for each directory is no longer
efficient. For instance, while each user's home directory (at the
fourth level in the tree) corresponds to a separate volume, all of the
subdirectories in the home directory normally reside in the same
volume.
<P>Keep in mind that only one volume can be mounted at a given directory
location in the tree. In contrast, a volume can be mounted at several
locations, though this is not recommended because it distorts the hierarchical
nature of the file tree, potentially causing confusion.
<A NAME="IDX5695"></A>
<A NAME="IDX5696"></A>
<A NAME="IDX5697"></A>
<A NAME="IDX5698"></A>
<A NAME="IDX5699"></A>
<P><H3><A NAME="Header_55" HREF="auagd002.htm#ToC_55">Assigning Volume Names</A></H3>
<P>You can name your volumes anything you choose, subject to a few
restrictions:
<UL>
<P><LI>Read/write volume names can be up to 22 characters in length. The
maximum length for volume names is 31 characters, and there must be room to
add the <B>.readonly</B> extension on read-only volumes.
<P><LI>Do not add the <B>.readonly</B> and <B>.backup</B>
extensions to volume names yourself, even if they are appropriate. The
Volume Server adds them automatically as it creates a read-only or backup
version of a volume.
<P><LI>There must be volumes named <B>root.afs</B> and
<B>root.cell</B>, mounted respectively at the top (<B>/afs</B>)
level in the filespace and just below that level, at the cell's name (for
example, at <B>/afs/abc.com</B> in the ABC Corporation
cell).
<P>Deviating from these names only creates confusion and extra work.
Changing the name of the <B>root.afs</B> volume, for instance,
means that you must use the <B>-rootvol</B> argument to the
<B>afsd</B> program on every client machine, to name the alternate
volume.
<P>Similarly, changing the <B>root.cell</B> volume name prevents
users in foreign cells from accessing your filespace, if the mount point for
your cell in their filespace refers to the conventional
<B>root.cell</B> name. Of course, this is one way to make
your cell invisible to other cells.
</UL>
<P>It is best to assign volume names that indicate the type of data they
contain, and to use similar names for volumes with similar contents. It
is also helpful if the volume name is similar to (or at least has elements in
common with) the name of the directory at which it is mounted.
Understanding the pattern then enables you accurately to guess what a volume
contains and where it is mounted.
<P>Many cells find that the most effective volume naming scheme puts a common
prefix on the names of all related volumes. <A HREF="#TBLVOL-PREFIX">Table 1</A> describes the recommended prefixing scheme.
<BR>
<P><B><A NAME="TBLVOL-PREFIX" HREF="auagd004.htm#FT_TBLVOL-PREFIX">Table 1. Suggested volume prefixes</A></B><BR>
<TABLE WIDTH="100%" BORDER>
<TR>
<TH ALIGN="LEFT" VALIGN="BOTTOM" WIDTH="14%"><B>Prefix</B>
</TH><TH ALIGN="LEFT" VALIGN="BOTTOM" WIDTH="28%"><B>Contents</B>
</TH><TH ALIGN="LEFT" VALIGN="BOTTOM" WIDTH="22%"><B>Example Name</B>
</TH><TH ALIGN="LEFT" VALIGN="BOTTOM" WIDTH="36%"><B>Example Mount Point</B>
</TH></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="14%"><B>common.</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="28%">popular programs and files
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="22%"><B>common.etc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="36%"><B>/afs/</B><VAR>cellname</VAR><B>/common/etc</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="14%"><B>src.</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="28%">source code
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="22%"><B>src.afs</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="36%"><B>/afs/</B><VAR>cellname</VAR><B>/src/afs</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="14%"><B>proj.</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="28%">project data
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="22%"><B>proj.portafs</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="36%"><B>/afs/</B><VAR>cellname</VAR><B>/proj/portafs</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="14%"><B>test.</B><TT></TT>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="28%">testing or other temporary data
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="22%"><B>test.smith</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="36%"><B>/afs/</B><VAR>cellname</VAR><B>/usr/smith/test</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="14%"><B>user.</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="28%">user home directory data
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="22%"><B>user.terry</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="36%"><B>/afs/</B><VAR>cellname</VAR><B>/usr/terry</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="14%"><VAR>sys_type</VAR><B>.</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="28%">programs compiled for an operating system type
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="22%"><B>rs_aix42.bin</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="36%"><B>/afs/</B><VAR>cellname</VAR><B>/rs_aix42/bin</B>
</TD></TR></TABLE>
<P><A HREF="#TBLPREFIX-EXAMPLE">Table 2</A> is a more specific example for a cell's
<B>rs_aix42</B> system volumes and directories:
<BR>
<P><B><A NAME="TBLPREFIX-EXAMPLE" HREF="auagd004.htm#FT_TBLPREFIX-EXAMPLE">Table 2. Example volume-prefixing scheme</A></B><BR>
<TABLE WIDTH="100%" BORDER>
<TR>
<TH ALIGN="LEFT" VALIGN="BOTTOM" WIDTH="35%"><B><B>Example Name</B></B>
</TH><TH ALIGN="LEFT" VALIGN="BOTTOM" WIDTH="65%"><B><B>Example Mount Point</B></B>
</TH></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="35%"><B>rs_aix42.bin</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="65%"><B>/afs/</B><VAR>cellname</VAR><B>/rs_aix42/bin</B><B>/afs/<B>cell</B>/rs_aix42/bin</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="35%"><B>rs_aix42.etc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="65%"><B>/afs/</B><VAR>cellname</VAR><B>/rs_aix42/etc</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="35%"><B>rs_aix42.usr</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="65%"><B>/afs/</B><VAR>cellname</VAR><B>/rs_aix42/usr</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="35%"><B>rs_aix42.usr.afsws</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="65%"><B>/afs/</B><VAR>cellname</VAR><B>/rs_aix42/usr/afsws</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="35%"><B>rs_aix42.usr.lib</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="65%"><B>/afs/</B><VAR>cellname</VAR><B>/rs_aix42/usr/lib</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="35%"><B>rs_aix42.usr.bin</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="65%"><B>/afs/</B><VAR>cellname</VAR><B>/rs_aix42/usr/bin</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="35%"><B>rs_aix42.usr.etc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="65%"><B>/afs/</B><VAR>cellname</VAR><B>/rs_aix42/usr/etc</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="35%"><B>rs_aix42.usr.inc</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="65%"><B>/afs/</B><VAR>cellname</VAR><B>/rs_aix42/usr/inc</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="35%"><B>rs_aix42.usr.man</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="65%"><B>/afs/</B><VAR>cellname</VAR><B>/rs_aix42/usr/man</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="35%"><B>rs_aix42.usr.sys</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="65%"><B>/afs/</B><VAR>cellname</VAR><B>/rs_aix42/usr/sys</B>
</TD></TR><TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="35%"><B>rs_aix42.usr.local</B>
</TD><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="65%"><B>/afs/</B><VAR>cellname</VAR><B>/rs_aix42/usr/local</B>
</TD></TR></TABLE>
<P>There are several advantages to this scheme:
<UL>
<P><LI>The volume name is similar to the mount point name in the
filespace. In all of the entries in <A HREF="#TBLPREFIX-EXAMPLE">Table 2</A>, for example, the only difference between the
volume and mount point name is that the former uses periods as separators and
the latter uses slashes. Another advantage is that the volume name
indicates the contents, or at least suggests the directory on which to issue
the <B>ls</B> command to learn the contents.
<P><LI>It makes it easy to manipulate groups of related volumes at one
time. In particular, the <B>vos backupsys</B> command's
<B>-prefix</B> argument enables you to create a backup version of every
volume whose name starts with the same string of characters. Making a
backup version of each volume is one of the first steps in backing up a volume
with the AFS Backup System, and doing it for many volumes with one command
saves you a good deal of typing. For instructions for creating backup
volumes, see <A HREF="auagd010.htm#HDRWQ201">Creating Backup Volumes</A>, For information on the AFS Backup System, see <A HREF="auagd011.htm#HDRWQ248">Configuring the AFS Backup System</A> and <A HREF="auagd012.htm#HDRWQ283">Backing Up and Restoring AFS Data</A>.
<P><LI>It makes it easy to group related volumes together on a partition.
Grouping related volumes together has several advantages of its own, discussed
in <A HREF="#HDRWQ49">Grouping Related Volumes on a Partition</A>.
</UL>
<A NAME="IDX5700"></A>
<A NAME="IDX5701"></A>
<P><H3><A NAME="HDRWQ49" HREF="auagd002.htm#ToC_56">Grouping Related Volumes on a Partition</A></H3>
<P>If your cell is large enough to make it practical, consider
grouping related volumes together on a partition. In general, you need
at least three file server machines for volume grouping to be
effective. Grouping has several advantages, which are most obvious when
the file server machine becomes inaccessible:
<UL>
<P><LI>If you keep a hardcopy record of the volumes on a partition, you know
which volumes are unavailable. You can keep such a record without
grouping related volumes, but a list composed of unrelated volumes is much
harder to maintain. Note that the record must be on paper, because the
outage can prevent you from accessing an online copy or from issuing the
<B>vos listvol</B> command, which gives you the same information.
<P><LI>The effect of an outage is more localized. For example, if all of
the binaries for a given system type are on one partition, then only users of
that system type are affected. If a partition houses binary volumes
from several system types, then an outage can affect more people, particularly
if the binaries that remain available are interdependent with those that are
not available.
</UL>
<P>The advantages of grouping related volumes on a partition do not
necessarily extend to the grouping of all related volumes on one file server
machine. For instance, it is probably unwise in a cell with two file
server machines to put all system volumes on one machine and all user volumes
on the other. An outage of either machine probably affects
everyone.
<P>Admittedly, the need to move volumes for load balancing purposes can limit
the practicality of grouping related volumes. You need to weigh the
complementary advantages case by case.
<A NAME="IDX5702"></A>
<A NAME="IDX5703"></A>
<A NAME="IDX5704"></A>
<A NAME="IDX5705"></A>
<P><H3><A NAME="HDRWQ50" HREF="auagd002.htm#ToC_57">When to Replicate Volumes</A></H3>
<P>As discussed in <A HREF="auagd006.htm#HDRWQ15">Replication</A>, replication refers to making a copy, or
clone, of a read/write source volume and then placing the copy on one or more
additional file server machines. Replicating a volume can increase the
availability of the contents. If one file server machine housing the
volume becomes inaccessible, users can still access the copy of the volume
stored on a different machine. No one machine is likely to become
overburdened with requests for a popular file, either, because the file is
available from several machines.
<P>However, replication is not appropriate for all cells. If a cell
does not have much disk space, replication can be unduly expensive, because
each clone not on the same partition as the read/write source takes up as much
disk space as its source volume did at the time the clone was made.
Also, if you have only one file server machine, replication uses up disk space
without increasing availability.
<P>Replication is also not appropriate for volumes that change
frequently. You must issue the <B>vos release</B> command every
time you need to update a read-only volume to reflect changes in its
read/write source.
<P>For both of these reasons, replication is appropriate only for popular
volumes whose contents do not change very often, such as system binaries and
other volumes mounted at the upper levels of your filespace. User
volumes usually exist only in a read/write version since they change so
often.
<P>If you are replicating any volumes, you must replicate the
<B>root.afs</B> and <B>root.cell</B> volumes, preferably
at two or three sites each (even if your cell only has two or three file
server machines). The Cache Manager needs to pass through the
directories corresponding to the <B>root.afs</B> and
<B>root.cell</B> volumes as it interprets any pathname. The
unavailability of these volumes makes all other volumes unavailable too, even
if the file server machines storing the other volumes are still
functioning.
<P>Another reason to replicate the <B>root.afs</B> volume is that
it can lessen the load on the File Server machine. The Cache Manager
has a bias to access a read-only version of the <B>root.afs</B>
volume if it is replicate, which puts the Cache Manager onto the
<I>read-only path</I> through the AFS filespace. While on the
read-only path, the Cache Manager attempts to access a read-only copy of
replicated volumes. The File Server needs to track only one callback
per Cache Manager for all of the data in a read-only volume, rather than the
one callback per file it must track for read/write volumes. Fewer
callbacks translate into a smaller load on the File Server.
<P>If the <B>root.afs</B> volume is not replicated, the Cache
Manager follows a read/write path through the filespace, accessing the
read/write version of each volume. The File Server distributes and
tracks a separate callback for each file in a read/write volume, imposing a
greater load on it.
<P>For more on read/write and read-only paths, see <A HREF="auagd010.htm#HDRWQ209">The Rules of Mount Point Traversal</A>.
<P>It also makes sense to replicate system binary volumes in many cases, as
well as the volume corresponding to the
<B>/afs/</B><VAR>cellname</VAR><B>/usr</B> directory and the volumes
corresponding to the <B>/afs/</B><VAR>cellname</VAR><B>/common</B>
directory and its subdirectories.
<P>It is a good idea to place a replica on the same partition as the
read/write source. In this case, the read-only volume is a clone (like
a backup volume): it is a copy of the source volume's <VAR>vnode
index</VAR>, rather than a full copy of the volume contents. Only if the
read/write volume moves to another partition or changes substantially does the
read-only volume consume significant disk space. Read-only volumes kept
on other partitions always consume the full amount of disk space that the
read/write source consumed when the read-only volume was created.
<P><H3><A NAME="Header_58" HREF="auagd002.htm#ToC_58">The Default Quota and ACL on a New Volume</A></H3>
<P>Every AFS volume has associated with it a quota that limits the amount
of disk space the volume is allowed to use. To set and change quota,
use the commands described in <A HREF="auagd010.htm#HDRWQ234">Setting and Displaying Volume Quota and Current Size</A>.
<P>By default, every new volume is assigned a space quota of 5000 KB blocks
unless you include the <B>-maxquota</B> argument to the <B>vos
create</B> command. Also by default, the ACL on the root directory of
every new volume grants all permissions to the members of the
<B>system:administrators</B> group. To learn how to change
these values when creating an account with individual commands, see <A HREF="auagd018.htm#HDRWQ503">To create one user account with individual commands</A>. When using <B>uss</B> commands to create
accounts, you can specify alternate ACL and quota values in the template
file's <B>V</B> instruction; see <A HREF="auagd017.htm#HDRWQ473">Creating a Volume with the V Instruction</A>.
<A NAME="IDX5706"></A>
<A NAME="IDX5707"></A>
<A NAME="IDX5708"></A>
<A NAME="IDX5709"></A>
<A NAME="IDX5710"></A>
<HR><H2><A NAME="HDRWQ51" HREF="auagd002.htm#ToC_59">Configuring Server Machines</A></H2>
<P>This section discusses some issues to consider when
configuring server machines, which store AFS data, transfer it to client
machines on request, and house the AFS administrative databases. To
learn about client machines, see <A HREF="#HDRWQ54">Configuring Client Machines</A>.
<P>If your cell has more than one AFS server machine, you can configure them
to perform specialized functions. A machine can assume one or more of
the roles described in the following list. For more details, see <A HREF="auagd008.htm#HDRWQ90">The Four Roles for File Server Machines</A>.
<UL>
<P><LI>A <I>simple file server machine</I> runs only the processes that store
and deliver AFS files to client machines. You can run as many simple
file server machines as you need to satisfy your cell's performance and
disk space requirements.
<P><LI>A <I>database server machine</I> runs the four database server
processes that maintain AFS's replicated administrative databases:
the Authentication, Backup, Protection, and Volume Location (VL) Server
processes.
<P><LI>A <I>binary distribution machine</I> distributes the AFS server
binaries for its system type to all other server machines of that system
type.
<P><LI>The single <I>system control machine</I> distributes common server
configuration files to all other server machines in the cell, in a cell that
runs the United States edition of AFS (cells that use the international
edition of AFS must not use the system control machine for this
purpose). The machine conventionally also serves as the time
synchronization source for the cell, adjusting its clock according to a time
source outside the cell.
</UL>
<P>The <I>IBM AFS Quick Beginnings</I> explains how to configure your
cell's first file server machine to assume all four roles. The
<I>IBM AFS Quick Beginnings</I> chapter on installing additional server
machines also explains how to configure them to perform one or more
roles.
<A NAME="IDX5711"></A>
<A NAME="IDX5712"></A>
<A NAME="IDX5713"></A>
<A NAME="IDX5714"></A>
<P><H3><A NAME="HDRWQ52" HREF="auagd002.htm#ToC_60">Replicating the AFS Administrative Databases</A></H3>
<P>The AFS administrative databases are housed on database
server machines and store information that is crucial for correct cell
functioning. Both server processes and Cache Managers access the
information frequently:
<UL>
<P><LI>Every time a Cache Manager fetches a file from a directory that it has not
previously accessed, it must look up the file's location in the Volume
Location Database (VLDB).
<P><LI>Every time a user obtains an AFS token from the Authentication Server, the
server looks up the user's password in the Authentication
Database.
<P><LI>The first time that a user accesses a volume housed on a specific file
server machine, the File Server contacts the Protection Server for a list of
the user's group memberships as recorded in the Protection
Database.
<P><LI>Every time you back up a volume using the AFS Backup System, the Backup
Server creates records for it in the Backup Database.
</UL>
<P>Maintaining your cell is simplest if the first machine has the lowest IP
address of any machine you plan to use as a database server machine. If
you later decide to use a machine with a lower IP address as a database server
machine, you must update the <B>CellServDB</B> file on all clients before
introducing the new machine.
<P>If your cell has more than one server machine, it is best to run more than
one as a database server machine (but more than three are rarely
necessary). Replicating the administrative databases in this way yields
the same benefits as replicating volumes: increased availability and
reliability. If one database server machine or process stops
functioning, the information in the database is still available from
others. The load of requests for database information is spread across
multiple machines, preventing any one from becoming overloaded.
<P>Unlike replicated volumes, however, replicated databases do change
frequently. Consistent system performance demands that all copies of
the database always be identical, so it is not acceptable to record changes in
only some of them. To synchronize the copies of a database, the
database server processes use AFS's distributed database technology,
Ubik. See <A HREF="auagd008.htm#HDRWQ102">Replicating the AFS Administrative Databases</A>.
<P>If your cell has only one file server machine, it must also serve as a
database server machine. If you cell has two file server machines, it
is not always advantageous to run both as database server machines. If
a server, process, or network failure interrupts communications between the
database server processes on the two machines, it can become impossible to
update the information in the database because neither of them can alone elect
itself as the synchronization site.
<A NAME="IDX5715"></A>
<A NAME="IDX5716"></A>
<P><H3><A NAME="HDRWQ53" HREF="auagd002.htm#ToC_61">AFS Files on the Local Disk</A></H3>
<P>It is generally simplest to store the binaries for all AFS
server processes in the <B>/usr/afs/bin</B> directory on every file server
machine, even if some processes do not actively run on the machine.
This makes it easier to reconfigure a machine to fill a new role.
<P>For security reasons, the <B>/usr/afs</B> directory on a file server
machine and all of its subdirectories and files must be owned by the local
superuser <B>root</B> and have only the first <B>w</B>
(<B>write</B>) mode bit turned on. Some files even have only the
first <B>r</B> (<B>read</B>) mode bit turned on (for example, the
<B>/usr/afs/etc/KeyFile</B> file, which lists the AFS server encryption
keys). Each time the BOS Server starts, it checks that the mode bits on
certain files and directories match the expected values. For a list,
see the <I>IBM AFS Quick Beginnings</I> section about protecting sensitive
AFS directories, or the discussion of the output from the <B>bos
status</B> command in <A HREF="auagd009.htm#HDRWQ159">To display the status of server processes and their BosConfig entries</A>.
<P>For a description of the contents of all AFS directories on a file server
machine's local disk, see <A HREF="auagd008.htm#HDRWQ80">Administering Server Machines</A>.
<P><H3><A NAME="Header_62" HREF="auagd002.htm#ToC_62">Configuring Partitions to Store AFS Data</A></H3>
<P>The partitions that house AFS volumes on a file server machine must be
mounted at directories named
<P><B>/vicep<VAR>index</VAR></B>
<P>where <VAR>index</VAR> is one or two lowercase letters. By convention,
the first AFS partition created is mounted at the <B>/vicepa</B>
directory, the second at the <B>/vicepb</B> directory, and so on through
the <B>/vicepz</B> directory. The names then continue with
<B>/vicepaa</B> through <B>/vicepaz</B>, <B>/vicepba</B> through
<B>/vicepbz</B>, and so on, up to the maximum supported number of server
partitions, which is specified in the <I>IBM AFS Release Notes</I>.
<P>Each <B>/vicep</B><VAR>x</VAR> directory must correspond to an entire
partition or logical volume, and must be a subdirectory of the root directory
( / ). It is not acceptable to configure part of (for example) the
<B>/usr</B> partition as an AFS server partition and mount it on a
directory called <B>/usr/vicepa</B>.
<P>Also, do not store non-AFS files on AFS server partitions. The File
Server and Volume Server expect to have available all of the space on the
partition. Sharing space also creates competition between AFS and the
local UNIX file system for access to the partition, particularly if the UNIX
files are frequently used.
<A NAME="IDX5717"></A>
<A NAME="IDX5718"></A>
<A NAME="IDX5719"></A>
<A NAME="IDX5720"></A>
<A NAME="IDX5721"></A>
<P><H3><A NAME="Header_63" HREF="auagd002.htm#ToC_63">Monitoring, Rebooting and Automatic Process Restarts</A></H3>
<P>AFS provides several tools for monitoring the File Server, including
the <B>scout</B> and <B>afsmonitor</B> programs. You can
configure them to alert you when certain threshold values are exceeded, for
example when a server partition is more than 95% full. See <A HREF="auagd013.htm#HDRWQ323">Monitoring and Auditing AFS Performance</A>.
<P>Rebooting a file server machine requires shutting down the AFS processes
and so inevitably causes a service outage. Reboot file server machines
as infrequently as possible. For instructions, see <A HREF="auagd008.htm#HDRWQ139">Rebooting a Server Machine</A>.
<P>By default, the BOS Server on each file server machine stops and
immediately restarts all AFS server processes on the machine (including
itself) once a week, at 4:00 a.m. on Sunday. This
reduces the potential for the core leaks that can develop as any process runs
for an extended time.
<P>The BOS Server also checks each morning at 5:00 a.m.
for any newly installed binary files in the <B>/usr/afs/bin</B>
directory. It compares the timestamp on each binary file to the time at
which the corresponding process last restarted. If the timestamp on the
binary is later, the BOS Server restarts the corresponding process to start
using it.
<P>The default times are in the early morning hours when the outage that
results from restarting a process is likely to disturb the fewest number of
people. You can display the restart times for each machine with the
<B>bos getrestart</B> command, and set them with the <B>bos
setrestart</B> command. The latter command enables you to disable
automatic restarts entirely, by setting the time to <B>never</B>.
See <A HREF="auagd009.htm#HDRWQ171">Setting the BOS Server's Restart Times</A>.
<A NAME="IDX5722"></A>
<A NAME="IDX5723"></A>
<HR><H2><A NAME="HDRWQ54" HREF="auagd002.htm#ToC_64">Configuring Client Machines</A></H2>
<P>This section summarizes issues to consider as you install and
configure client machines in your cell.
<A NAME="IDX5724"></A>
<A NAME="IDX5725"></A>
<A NAME="IDX5726"></A>
<P><H3><A NAME="HDRWQ55" HREF="auagd002.htm#ToC_65">Configuring the Local Disk</A></H3>
<P>You can often free up significant amounts of local disk space
on AFS client machines by storing standard UNIX files in AFS and creating
symbolic links to them from the local disk. The <B>@sys</B>
pathname variable can be useful in links to system-specific files; see <A HREF="#HDRWQ56">Using the @sys Variable in Pathnames</A>.
<P>There are two types of files that must actually reside on the local
disk: boot sequence files needed before the <B>afsd</B> program is
invoked, and files that can be helpful during file server machine
outages.
<P>During a reboot, AFS is inaccessible until the <B>afsd</B> program
executes and initializes the Cache Manager. (In the conventional
configuration, the AFS initialization file is included in the machine's
initialization sequence and invokes the <B>afsd</B> program.) Files
needed during reboot prior to that point must reside on the local disk.
They include the following, but this list is not necessarily
exhaustive.
<UL>
<P><LI>Standard UNIX utilities including the following or their
equivalents:
<UL>
<P><LI>Machine initialization files (stored in the <B>/etc</B> or
<B>/sbin</B> directory on many system types)
<P><LI>The <B>fstab</B> file
<P><LI>The <B>mount</B> command binary
<P><LI>The <B>umount</B> command binary
</UL>
<P><LI>All subdirectories and files in the <B>/usr/vice</B> directory,
including the following:
<UL>
<P><LI>The <B>/usr/vice/cache</B> directory
<P><LI>The <B>/usr/vice/etc/afsd</B> command binary
<P><LI>The <B>/usr/vice/etc/cacheinfo</B> file
<P><LI>The <B>/usr/vice/etc/CellServDB</B> file
<P><LI>The <B>/usr/vice/etc/ThisCell</B> file
</UL>
<P>For more information on these files, see <A HREF="auagd015.htm#HDRWQ391">Configuration and Cache-Related Files on the Local Disk</A>.
</UL>
<P>The other type of files and programs to retain on the local disk are those
you need when diagnosing and fixing problems caused by a file server outage,
because the outage can make inaccessible the copies stored in AFS.
Examples include the binaries for a text editor (such as <B>ed</B> or
<B>vi</B>) and for the <B>fs</B> and <B>bos</B> commands.
Store copies of AFS command binaries in the <B>/usr/vice/etc</B> directory
as well as including them in the <B>/usr/afsws</B> directory, which is
normally a link into AFS. Then place the <B>/usr/afsws</B>
directory before the <B>/usr/vice/etc</B> directory in users'
<TT>PATH</TT> environment variable definition. When AFS is
functioning normally, users access the copy in the <B>/usr/afsws</B>
directory, which is more likely to be current than a local copy.
<P>You can automate the configuration of client machine local disks by using
the <B>package</B> program, which updates the contents of the local disk
to match a configuration file. See <A HREF="auagd016.htm#HDRWQ419">Configuring Client Machines with the package Program</A>.
<A NAME="IDX5727"></A>
<P><H3><A NAME="Header_66" HREF="auagd002.htm#ToC_66">Enabling Access to Foreign Cells</A></H3>
<P>As detailed in <A HREF="#HDRWQ39">Making Other Cells Visible in Your Cell</A>, you enable the Cache Manager to access a cell's
AFS filespace by storing a list of the cell's database server machines in
the local <B>/usr/vice/etc/CellServDB</B> file. The Cache Manager
reads the list into kernel memory at reboot for faster retrieval. You
can change the list in kernel memory between reboots by using the <B>fs
newcell</B> command. It is often practical to store a central version
of the <B>CellServDB</B> file in AFS and use the <B>package</B>
program periodically to update each client's version with the source
copy. See <A HREF="auagd015.htm#HDRWQ406">Maintaining Knowledge of Database Server Machines</A>.
<P>Because each client machine maintains its own copy of the
<B>CellServDB</B> file, you can in theory enable access to different
foreign cells on different client machines. This is not usually
practical, however, especially if users do not always work on the same
machine.
<A NAME="IDX5728"></A>
<A NAME="IDX5729"></A>
<A NAME="IDX5730"></A>
<P><H3><A NAME="HDRWQ56" HREF="auagd002.htm#ToC_67">Using the @sys Variable in Pathnames</A></H3>
<P>When creating symbolic links into AFS on the local disk, it
is often practical to use the <VAR>@sys</VAR> variable in pathnames. The
Cache Manager automatically substitutes the local machine's AFS system
name (CPU/operating system type) for the <VAR>@sys</VAR> variable. This
means you can place the same links on machines of various system types and
still have each machine access the binaries for its system type. For
example, the Cache Manager on a machine running AIX 4.2 converts
<B>/afs/abc.com/@sys</B> to
<B>/afs/abc.com/rs_aix42</B>, whereas a machine running Solaris 7
converts it to <B>/afs/abc.com/sun4x_57</B>.
<P>If you want to use the <VAR>@sys</VAR> variable, it is simplest to use the
conventional AFS system type names as specified in the <I>IBM AFS Release
Notes</I>. The Cache Manager records the local machine's system
type name in kernel memory during initialization. If you do not use the
conventional names, you must use the <B>fs sysname</B> command to change
the value in kernel memory from its default just after Cache Manager
initialization, on every client machine of the relevant system type.
The <B>fs sysname</B> command also displays the current value; see <A HREF="auagd015.htm#HDRWQ417">Displaying and Setting the System Type Name</A>.
<P>In pathnames in the AFS filespace itself, use the <VAR>@sys</VAR> variable
carefully and sparingly, because it can lead to unexpected results. It
is generally best to restrict its use to only one level in the
filespace. The third level is a common choice, because that is where
many cells store the binaries for different machine types.
<P>Multiple instances of the <VAR>@sys</VAR> variable in a pathname are
especially dangerous to people who must explicitly change directories (with
the <B>cd</B> command, for example) into directories that store binaries
for system types other than the machine on which they are working, such as
administrators or developers who maintain those directories. After
changing directories, it is recommended that such people verify they are in
the desired directory.
<P><H3><A NAME="Header_68" HREF="auagd002.htm#ToC_68">Setting Server Preferences</A></H3>
<P>The Cache Manager stores a table of preferences for file server
machines in kernel memory. A preference rank pairs a file server
machine interface's IP address with an integer in the range from 1 to
65,534. When it needs to access a file, the Cache Manager compares the
ranks for the interfaces of all machines that house the file, and first
attempts to access the file via the interface with the best rank. As it
initializes, the Cache Manager sets default ranks that bias it to access files
via interfaces that are close to it in terms of network topology. You
can adjust the preference ranks to improve performance if you wish.
<P>The Cache Manager also uses similar preferences for Volume Location (VL)
Server machines. Use the <B>fs getserverprefs</B> command to
display preference ranks and the <B>fs setserverprefs</B> command to set
them. See <A HREF="auagd015.htm#HDRWQ414">Maintaining Server Preference Ranks</A>.
<A NAME="IDX5731"></A>
<HR><H2><A NAME="HDRWQ57" HREF="auagd002.htm#ToC_69">Configuring AFS User Accounts</A></H2>
<P>This section discusses some of the issues to consider when
configuring AFS user accounts. Because AFS is separate from the UNIX
file system, a user's AFS account is separate from her UNIX
account.
<P>The preferred method for creating a user account is with the <B>uss</B>
suite of commands. With a single command, you can create all the
components of one or many accounts, after you have prepared a template file
that guides the account creation. See <A HREF="auagd017.htm#HDRWQ449">Creating and Deleting User Accounts with the uss Command Suite</A>.
<P>Alternatively, you can issue the individual commands that create each
component of an account. For instructions, along with instructions for
removing user accounts and changing user passwords, user volume quotas and
usernames, see <A HREF="auagd018.htm#HDRWQ491">Administering User Accounts</A>.
<P>When users leave your system, it is often good policy to remove their
accounts. Instructions appear in <A HREF="auagd017.htm#HDRWQ486">Deleting Individual Accounts with the uss delete Command</A> and <A HREF="auagd018.htm#HDRWQ524">Removing a User Account</A>.
<P>An AFS user account consists of the following components, which are
described in greater detail in <A HREF="auagd018.htm#HDRWQ494">The Components of an AFS User Account</A>.
<UL>
<P><LI>A Protection Database entry
<P><LI>An Authentication Database entry
<P><LI>A volume
<P><LI>A home directory at which the volume is mounted
<P><LI>Ownership of the home directory and full permissions on its ACL
<P><LI>An entry in the local password file (<B>/etc/passwd</B> or equivalent)
of each machine the user needs to log into
<P><LI>Optionally, standard files and subdirectories that make the account more
useful
</UL>
<P>By creating some components but not others, you can create accounts at
different levels of functionality, using either <B>uss</B> commands as
described in <A HREF="auagd017.htm#HDRWQ449">Creating and Deleting User Accounts with the uss Command Suite</A> or individual commands as described in <A HREF="auagd018.htm#HDRWQ491">Administering User Accounts</A>. The levels of functionality include
the following
<UL>
<P><LI>An <I>authentication-only account</I> enables the user to obtain AFS
tokens and so to access protected AFS data and to issue privileged
commands. It consists only of entries in the Authentication and
Protection Database. This type of account is suitable for
administrative accounts and for users from foreign cells who need to access
protected data. Local users generally also need a volume and home
directory.
<P><LI>A <I>basic user account</I> includes a volume for the user, in
addition to Authentication and Protection Database entries. The volume
is mounted in the AFS filespace as the user's home directory, and
provides a repository for the user's personal files.
<P><LI>A <I>full account</I> adds configuration files for basic functions
such as logging in, printing, and mail delivery to a basic account, making it
more convenient and useful. For a discussion of some useful types of
configuration files, see <A HREF="#HDRWQ60">Creating Standard Files in New AFS Accounts</A>.
</UL>
<P>If your users have UNIX user accounts that predate the introduction of AFS
in the cell, you possibly want to convert them into AFS accounts. There
are three main issues to consider:
<UL>
<P><LI>Making UNIX and AFS UIDs match
<P><LI>Setting the password field in the local password file appropriately
<P><LI>Moving files from the UNIX file system into AFS
</UL>
<P>For further discussion, see <A HREF="auagd017.htm#HDRWQ459">Converting Existing UNIX Accounts with uss</A> or <A HREF="auagd018.htm#HDRWQ498">Converting Existing UNIX Accounts</A>.
<A NAME="IDX5732"></A>
<A NAME="IDX5733"></A>
<A NAME="IDX5734"></A>
<A NAME="IDX5735"></A>
<A NAME="IDX5736"></A>
<P><H3><A NAME="HDRWQ58" HREF="auagd002.htm#ToC_70">Choosing Usernames and Naming Other Account Components</A></H3>
<P>This section suggests schemes for choosing usernames, AFS
UIDs, user volume names and mount point names, and also outlines some
restrictions on your choices.
<P><B>Usernames</B>
<P>AFS imposes very few restrictions on the form of usernames. It is
best to keep usernames short, both because many utilities and applications can
handle usernames of no more than eight characters and because by convention
many components of and AFS account incorporate the name. These include
the entries in the Protection and Authentication Databases, the volume, and
the mount point. Depending on your electronic mail delivery system, the
username can become part of the user's mailing address. The
username is also the string that the user types when logging in to a client
machine.
<P>Some common choices for usernames are last names, first names, initials, or
a combination, with numbers sometimes added. It is also best to avoid
using the following characters, many of which have special meanings to the
command shell.
<UL>
<P><LI>The comma ( <B>,</B> )
<P><LI>The colon ( <B>:</B> ), because AFS reserves it as a field
separator in protection group names; see <A HREF="#HDRWQ62">The Two Types of User-Defined Groups</A>
<P><LI>The semicolon ( <B>;</B> )
<P><LI>The "at-sign" ( <B>@</B> ); this character is reserved for
Internet mailing addresses
<P><LI>Spaces
<P><LI>The newline character
<P><LI>The period ( <B>.</B> ); it is conventional to use this
character only in the special username that an administrator adopts while
performing privileged tasks, such as <B>pat.admin</B>
</UL>
<P><B>AFS UIDs and UNIX UIDs</B>
<P>AFS associates a unique identification number, the <I>AFS UID</I>, with
every username, recording the mapping in the user's Protection Database
entry. The AFS UID functions within AFS much as the UNIX UID does in
the local file system: the AFS server processes and the Cache Manager
use it internally to identify a user, rather than the username.
<P>Every AFS user also must have a UNIX UID recorded in the local password
file (<B>/etc/passwd</B> or equivalent) of each client machine they log
onto. Both administration and a user's AFS access are simplest if
the AFS UID and UNIX UID match. One important consequence of matching
UIDs is that the owner reported by the <B>ls -l</B> command matches the
AFS username.
<P>It is usually best to allow the Protection Server to allocate the AFS UID
as it creates the Protection Database entry. However, both the <B>pts
createuser</B> command and the <B>uss</B> commands that create user
accounts enable you to assign AFS UIDs explicitly. This is appropriate
in two cases:
<UL>
<P><LI>You wish to group together the AFS UIDs of related users
<P><LI>You are converting an existing UNIX account into an AFS account and want
to make the AFS UID match the existing UNIX UID
</UL>
<P>After the Protection Server initializes for the first time on a cell's
first file server machine, it starts assigning AFS UIDs at a default
value. To change the default before creating any user accounts, or at
any time, use the <B>pts setmax</B> command to reset the <TT>max user
id</TT> counter. To display the counter, use the <B>pts
listmax</B> command. See <A HREF="auagd019.htm#HDRWQ560">Displaying and Setting the AFS UID and GID Counters</A>.
<P>AFS reserves one AFS UID, 32766, for the user <B>anonymous</B>.
The AFS server processes assign this identity and AFS UID to any user who does
not possess a token for the local cell. Do not assign this AFS UID to
any other user or hardcode its current value into any programs or a
file's owner field, because it is subject to change in future
releases.
<A NAME="IDX5737"></A>
<A NAME="IDX5738"></A>
<P><B>User Volume Names</B>
<P>Like any volume name, a user volume's base (read/write) name cannot
exceed 22 characters in length or include the <B>.readonly</B> or
<B>.backup</B> extension. See <A HREF="#HDRWQ44">Creating Volumes to Simplify Administration</A>. By convention, user volume names have the format
<B>user.</B><VAR>username</VAR>. Using the
<B>user.</B> prefix not only makes it easy to identify the
volume's contents, but also to create a backup version of all user
volumes by issuing a single <B>vos backupsys</B> command.
<A NAME="IDX5739"></A>
<A NAME="IDX5740"></A>
<P><B>Mount Point Names</B>
<P>By convention, the mount point for a user's volume is named after the
username. Many cells follow the convention of mounting user volumes in
the <B>/afs/</B><VAR>cellname</VAR><B>/usr</B> directory, as discussed
in <A HREF="#HDRWQ43">The Third Level</A>. Very large cells sometimes find that mounting all
user volumes in the same directory slows directory lookup, however; for
suggested alternatives, see the following section.
<A NAME="IDX5741"></A>
<A NAME="IDX5742"></A>
<P><H3><A NAME="HDRWQ59" HREF="auagd002.htm#ToC_71">Grouping Home Directories</A></H3>
<P>Mounting user volumes in the
<B>/afs/</B><VAR>cellname</VAR><B>/usr</B> directory is an
AFS-appropriate variation on the standard UNIX practice of putting user home
directories under the <B>/usr</B> subdirectory. However, cells with
more than a few hundred users sometimes find that mounting all user volumes in
a single directory results in slow directory lookup. The solution is to
distribute user volume mount points into several directories; there are a
number of alternative methods to accomplish this.
<UL>
<P><LI>Distribute user home directories into multiple directories that reflect
organizational divisions, such as academic or corporate departments.
For example, a company can create group directories called
<B>usr/marketing</B>, <B>usr/research</B>,
<B>usr/finance</B>. A good feature of this scheme is that knowing a
user's department is enough to find the user's home
directory. Also, it makes it easy to set the ACL to limit access to
members of the department only. A potential drawback arises if
departments are of sufficiently unequal size that users in large departments
experience slower lookup than users in small departments. This scheme
is also not appropriate in cells where users frequently change between
divisions.
<P><LI>Distribute home directories into alphabetic subdirectories of the
<B>usr</B> directory (the <B>usr/a</B> subdirectory, the
<B>usr/b</B> subdirectory, and so on), based on the first letter of the
username. If the cell is very large, create subdirectories under each
letter that correspond to the second letter in the user name. This
scheme has the same advantages and disadvantages of a department-based
scheme. Anyone who knows the user's username can find the
user's home directory, but users with names that begin with popular
letters sometimes experience slower lookup.
<P><LI>Distribute home directories randomly but evenly into more than one
grouping directory. One cell that uses this scheme has over twenty such
directories called the <B>usr1</B> directory, the <B>usr2</B>
directory, and so on. This scheme is especially appropriate in cells
where the other two schemes do not seem feasible. It eliminates the
potential problem of differences in lookup speed, because all directories are
about the same size. Its disadvantage is that there is no way to guess
which directory a given user's volume is mounted in, but a solution is to
create a symbolic link in the regular <B>usr</B> directory that references
the actual mount point. For example, if user <B>smith</B>'s
volume is mounted at the <B>/afs/bigcell.com/usr17/smith</B>
directory, then the <B>/afs/bigcell.com/usr/smith</B> directory is
a symbolic link to the <B>../usr17/smith</B>
directory. This way, if someone does not know which directory the user
<B>smith</B> is in, he or she can access it through the link called
<B>usr/smith</B>; people who do know the appropriate directory save
lookup time by specifying it.
</UL>
<P>For instructions on how to implement the various schemes when using the
<B>uss</B> program to create user accounts, see <A HREF="auagd017.htm#HDRWQ472">Evenly Distributing User Home Directories with the G Instruction</A> and <A HREF="auagd017.htm#HDRWQ473">Creating a Volume with the V Instruction</A>.
<P><H3><A NAME="Header_72" HREF="auagd002.htm#ToC_72">Making a Backup Version of User Volumes Available</A></H3>
<P>Mounting the backup version of a user's volume is a simple way to
enable users themselves to restore data they have accidentally removed or
deleted. It is conventional to mount the backup version at a
subdirectory of the user's home directory (called perhaps the
<B>OldFiles</B> subdirectory), but other schemes are possible. Once
per day you create a new backup version to capture the changes made that day,
overwriting the previous day's backup version with the new one.
Users can always retrieve the previous day's copy of a file without your
assistance, freeing you to deal with more pressing tasks.
<P>Users sometimes want to delete the mount point to their backup volume,
because they erroneously believe that the backup volume's contents count
against their quota. Remind them that the backup volume is separate, so
the only space it uses in the user volume is the amount needed for the mount
point.
<P>For further discussion of backup volumes, see <A HREF="#HDRWQ77">Backing Up AFS Data</A> and <A HREF="auagd010.htm#HDRWQ201">Creating Backup Volumes</A>.
<A NAME="IDX5743"></A>
<A NAME="IDX5744"></A>
<A NAME="IDX5745"></A>
<P><H3><A NAME="HDRWQ60" HREF="auagd002.htm#ToC_73">Creating Standard Files in New AFS Accounts</A></H3>
<P>From your experience as a UNIX administrator, you are
probably familiar with the use of login and shell initialization files (such
as the <B>.login</B> and <B>.cshrc</B> files) to make an
account easier to use.
<P>It is often practical to add some AFS-specific directories to the
definition of the user's <TT>PATH</TT> environment variable, including
the following:
<UL>
<P><LI>The path to a <B>bin</B> subdirectory in the user's home
directory for binaries the user has created (that is,
<B>/afs/<VAR>cellname</VAR><B>/usr/</B>
<VAR>username</VAR><B>/bin</B>)</B>
<P><LI>The <B>/usr/afsws/bin</B> path, which conventionally includes programs
like <B>fs</B>, <B>klog</B>, <B>kpasswd</B>, <B>pts</B>,
<B>tokens</B>, and <B>unlog</B>
<P><LI>The <B>/usr/afsws/etc</B> path, if the user is an administrator;
it usually houses the AFS command suites that require privilege (the
<B>backup</B>, <B>butc</B>, <B>kas</B>, <B>uss</B>,
<B>vos</B> commands), the <B>package</B> program, and others
</UL>
<P>If you are not using an AFS-modified login utility, it can be helpful to
users to invoke the <B>klog</B> command in their <B>.login</B>
file so that they obtain AFS tokens as part of logging in. In the
following example command sequence, the first line echoes the string
<TT>klog</TT> to the standard output stream, so that the user understands
the purpose of the <TT>Password:</TT> prompt that appears when the
second line is executed. The <B>-setpag</B> flag associates the new
tokens with a process authentication group (PAG), which is discussed further
in <A HREF="#HDRWQ64">Identifying AFS Tokens by PAG</A>.
<PRE>   echo -n "klog "
   klog -setpag
</PRE>
<P>The following sequence of commands has a similar effect, except that the
<B>pagsh</B> command forks a new shell with which the PAG and tokens are
associated.
<PRE>   pagsh
   echo -n "klog "
   klog
</PRE>
<P>If you use an AFS-modified login utility, this sequence is not necessary,
because such utilities both log a user in locally and obtain AFS
tokens.
<A NAME="IDX5746"></A>
<A NAME="IDX5747"></A>
<A NAME="IDX5748"></A>
<A NAME="IDX5749"></A>
<HR><H2><A NAME="HDRWQ61" HREF="auagd002.htm#ToC_74">Using AFS Protection Groups</A></H2>
<P>AFS enables users to define their own <I>groups</I> of
other users or machines. The groups are placed on ACLs to grant the
same permissions to many users without listing each user individually.
For group creation instructions, see <A HREF="auagd019.htm#HDRWQ531">Administering the Protection Database</A>.
<P>Groups have AFS ID numbers, just as users do, but an AFS group ID (GID) is
a negative integer whereas a user's AFS UID is a positive integer.
By default, the Protection Server allocates a new group's AFS GID
automatically, but members of the <B>system:administrators</B> group
can assign a GID when issuing the <B>pts creategroup</B> command.
Before explicitly assigning a GID, it is best to verify that it is not already
in use.
<P>A group cannot belong to another group, but it can own another group or
even itself as long as it (the owning group) has at least one member.
The current owner of a group can transfer ownership of the group to another
user or group, even without the new owner's permission. At that
point the former owner loses administrative control over the group.
<P>By default, each user can create 20 groups. A system administrator
can increase or decrease this group creation quota with the <B>pts
setfields</B> command.
<P>Each Protection Database entry (group or user) is protected by a set of
five <I>privacy flags</I>which limit who can administer the entry and what
they can do. The default privacy flags are fairly restrictive,
especially for user entries. See <A HREF="auagd019.htm#HDRWQ559">Setting the Privacy Flags on Database Entries</A>.
<A NAME="IDX5750"></A>
<A NAME="IDX5751"></A>
<A NAME="IDX5752"></A>
<A NAME="IDX5753"></A>
<P><H3><A NAME="Header_75" HREF="auagd002.htm#ToC_75">The Three System Groups</A></H3>
<P>As the Protection Server initializes for the first time on a
cell's first database server machine, it automatically creates three
group entries: the <B>system:anyuser</B>,
<B>system:authuser</B>, and <B>system:administrators</B>
groups. 
<A NAME="IDX5754"></A>
<P>The first two system groups are unlike any other groups in the Protection
Database in that they do not have a stable membership:
<UL>
<P><LI>The <B>system:anyuser</B> group includes everyone who can access
a cell's AFS filespace: users who have tokens for the local cell,
users who have logged in on a local AFS client machine but not obtained tokens
(such as the local superuser <B>root</B>), and users who have connected to
a local machine from outside the cell. Placing the
<B>system:anyuser</B> group on an ACL grants access to the widest
possible range of users. It is the only way to extend access to users
from foreign AFS cells that do not have local accounts.
<P><LI>The <B>system:authuser</B> group includes everyone who has a
valid token obtained from the cell's AFS authentication service.
</UL>
<P>Because the groups do not have a stable membership, the <B>pts
membership</B> command produces no output for them. Similarly, they
do not appear in the list of groups to which a user belongs.
<P>The <B>system:administrators</B> group does have a stable
membership, consisting of the cell's privileged administrators.
Members of this group can issue any <B>pts</B> command, and are the only
ones who can issue several other restricted commands (such as the
<B>chown</B> command on AFS files). By default, they also
implicitly have the <B>a</B> (<B>administer</B>) and <B>l</B>
(<B>lookup</B>) permissions on every ACL in the filespace. For
information about changing this default, see <A HREF="auagd021.htm#HDRWQ586">Administering the system:administrators Group</A>.
<P>For a discussion of how to use system groups effectively on ACLs, see <A HREF="auagd020.htm#HDRWQ571">Using Groups on ACLs</A>.
<P><H3><A NAME="HDRWQ62" HREF="auagd002.htm#ToC_76">The Two Types of User-Defined Groups</A></H3>
<P>All users can create <I>regular</I> groups. A
regular group name has two fields separated by a colon, the first of which
must indicate the group's ownership. The Protection Server refuses
to create or change the name of a group if the result does not accurately
indicate the ownership.
<P>Members of the <B>system:administrators</B> group can create
<I>prefix-less</I> groups whose names do not have the first field that
indicates ownership. For suggestions on using the two types of groups
effectively, see <A HREF="auagd019.htm#HDRWQ545">Using Groups Effectively</A>.
<A NAME="IDX5755"></A>
<A NAME="IDX5756"></A>
<HR><H2><A NAME="HDRWQ63" HREF="auagd002.htm#ToC_77">Login and Authentication in AFS</A></H2>
<P>As explained in <A HREF="#HDRWQ31">Differences in Authentication</A>, AFS authentication is separate from UNIX
authentication because the two file systems are separate. The
separation has two practical implications:
<UL>
<P><LI>To access AFS files, users must both log into the local file system and
authenticate with the AFS authentication service. (Logging into the
local file system is necessary because the only way to access the AFS
filespace is through a Cache Manager, which resides in the local
machine's kernel.)
<P><LI>Passwords are stored in two separate places: in the Authentication
Database for AFS and in the each machine's local password file (the
<B>/etc/passwd</B> file or equivalent) for the local file system.
</UL>
<P>When a user successfully authenticates, the AFS authentication service
passes a <I>token</I> to the user's Cache Manager. The token
is a small collection of data that certifies that the user has correctly
provided the password associated with a particular AFS identity. The
Cache Manager presents the token to AFS server processes along with service
requests, as proof that the user is genuine. To learn about the mutual
authentication procedure they use to establish identity, see <A HREF="#HDRWQ75">A More Detailed Look at Mutual Authentication</A>.
<P>The Cache Manager stores tokens in the user's credential structure in
kernel memory. To distinguish one user's credential structure from
another's, the Cache Manager identifies each one either by the
user's UNIX UID or by a <I>process authentication group</I>
(<I>PAG</I>), which is an identification number guaranteed to be unique in
the cell. For further discussion, see <A HREF="#HDRWQ64">Identifying AFS Tokens by PAG</A>.
<A NAME="IDX5757"></A>
<P>A user can have only one token per cell in each separately identified
credential structure. To obtain a second token for the same cell, the
user must either log into a different machine or obtain another credential
structure with a different identifier than any existing credential structure,
which is most easily accomplished by issuing the <B>pagsh</B> command (see
<A HREF="#HDRWQ64">Identifying AFS Tokens by PAG</A>). In a single credential structure, a user can have
one token for each of many cells at the same time. As this implies,
authentication status on one machine or PAG is independent of authentication
status on another machine or PAG, which can be very useful to a user or system
administrator.
<P>The AFS distribution includes library files that enable each system
type's login utility to authenticate users with AFS and log them into the
local file system in one step. If you do not configure an AFS-modified
login utility on a client machine, its users must issue the <B>klog</B>
command to authenticate with AFS after logging in. 
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">The AFS-modified libraries do not necessarily support all features available
in an operating system's proprietary login utility. In some cases,
it is not possible to support a utility at all. For more information
about the supported utilities in each AFS version, see the <I>IBM AFS
Release Notes</I>.
</TD></TR></TABLE>
<A NAME="IDX5758"></A>
<A NAME="IDX5759"></A>
<A NAME="IDX5760"></A>
<A NAME="IDX5761"></A>
<A NAME="IDX5762"></A>
<A NAME="IDX5763"></A>
<A NAME="IDX5764"></A>
<P><H3><A NAME="HDRWQ64" HREF="auagd002.htm#ToC_78">Identifying AFS Tokens by PAG</A></H3>
<P>As noted, the Cache Manager identifies user credential
structures either by UNIX UID or by PAG. Using a PAG is preferable
because it guaranteed to be unique: the Cache Manager allocates it based
on a counter that increments with each use. In contrast, multiple users
on a machine can share or assume the same UNIX UID, which creates potential
security problems. The following are two common such situations:
<UL>
<P><LI>The local superuser <B>root</B> can always assume any other
user's UNIX UID simply by issuing the <B>su</B> command, without
providing the user's password. If the credential structure is
associated with the user's UNIX UID, then assuming the UID means
inheriting the AFS tokens.
<P><LI>Two users working on different NFS client machines can have the same UNIX
UID in their respective local file systems. If they both access the
same NFS/AFS Translator machine, and the Cache Manager there identifies them
by their UNIX UID, they become indistinguishable. To eliminate this
problem, the Cache Manager on a translator machine automatically generates a
PAG for each user and uses it, rather than the UNIX UID, to tell users
apart.
</UL>
<P>Yet another advantage of PAGs over UIDs is that processes spawned by the
user inherit the PAG and so share the token; thus they gain access to AFS
as the authenticated user. In many environments, for example, printer
and other daemons run under identities (such as the local superuser
<B>root</B>) that the AFS server processes recognize only as the
<B>anonymous</B> user. Unless PAGs are used, such daemons cannot
access files for which the <B>system:anyuser</B> group does not have
the necessary ACL permissions.
<P>Once a user has a PAG, any new tokens the user obtains are associated with
the PAG. The PAG expires two hours after any associated tokens expire
or are discarded. If the user issues the <B>klog</B> command before
the PAG expires, the new token is associated with the existing PAG (the PAG is
said to be <I>recycled</I> in this case).
<P>AFS-modified login utilities automatically generate a PAG, as described in
the following section. If you use a standard login utility, your users
must issue the <B>pagsh</B> command before the <B>klog</B> command, or
include the latter command's <B>-setpag</B> flag. For
instructions, see <A HREF="#HDRWQ69">Using Two-Step Login and Authentication</A>.
<P>Users can also use either command at any time to create a new PAG.
The difference between the two commands is that the <B>klog</B> command
replaces the PAG associated with the current command shell and tokens.
The <B>pagsh</B> command initializes a new command shell before creating a
new PAG. If the user already had a PAG, any running processes or jobs
continue to use the tokens associated with the old PAG whereas any new jobs or
processes use the new PAG and its associated tokens. When you exit the
new shell (by pressing &lt;<B>Ctrl-d</B>>, for example), you return to the
original PAG and shell. By default, the <B>pagsh</B> command
initializes a Bourne shell, but you can include the <B>-c</B> argument to
initialize a C shell (the <B>/bin/csh</B> program on many system types) or
Korn shell (the <B>/bin/ksh</B> program) instead.
<A NAME="IDX5765"></A>
<P><H3><A NAME="HDRWQ65" HREF="auagd002.htm#ToC_79">Using an AFS-modified login Utility</A></H3>
<P>As previously mentioned, an AFS-modified login utility
simultaneously obtains an AFS token and logs the user into the local file
system. This section outlines the login and authentication process and
its interaction with the value in the password field of the local password
file.
<P>An AFS-modified login utility performs a sequence of steps similar to the
following; details can vary for different operating systems:
<OL TYPE=1>
<P><LI>It checks the user's entry in the local password file (the
<B>/etc/passwd</B> file or equivalent).
<P><LI>If no entry exists, or if an asterisk ( <TT>*</TT> ) appears in the
entry's password field, the login attempt fails. If the entry
exists, the attempt proceeds to the next step.
<P><LI><A NAME="LIWQ66"></A>The utility obtains a PAG.
<P><LI><A NAME="LIWQ67"></A>The utility converts the password provided by the user into an
encryption key and encrypts a packet of data with the key. It sends the
packet to the AFS authentication service (the AFS Authentication Server in the
conventional configuration).
<P><LI>The authentication service decrypts the packet and, depending on the
success of the decryption, judges the password to be correct or
incorrect. (For more details, see <A HREF="#HDRWQ75">A More Detailed Look at Mutual Authentication</A>.)
<UL>
<P><LI>If the authentication service judges the password incorrect, the user does
not receive an AFS token. The PAG is retained, ready to be associated
with any tokens obtained later. The attempt proceeds to Step <A HREF="#LIWQ68">6</A>.
<P><LI>If the authentication service judges the password correct, it issues a
token to the user as proof of AFS authentication. The login utility
logs the user into the local UNIX file system. Some login utilities
echo the following banner to the screen to alert the user to authentication
with AFS. Step <A HREF="#LIWQ68">6</A> is skipped. 
<PRE>   AFS(R) <VAR>version</VAR> Login 
</PRE>
</UL>
<P><LI><A NAME="LIWQ68"></A>If no AFS token was granted in Step <A HREF="#LIWQ67">4</A>, the login utility attempts to log the user into the local
file system, by comparing the password provided to the local password
file. 
<UL>
<P><LI>If the password is incorrect or any value other than an encrypted
13-character string appears in the password field, the login attempt
fails.
<P><LI>If the password is correct, the user is logged into the local file system
only.
</UL>
</OL>
<A NAME="IDX5766"></A>
<A NAME="IDX5767"></A>
<A NAME="IDX5768"></A>
<P>As indicated, when you use an AFS-modified login utility, the password
field in the local password file is no longer the primary gate for access to
your system. If the user provides the correct AFS password, then the
program never consults the local password file. However, you can still
use the password field to control access, in the following way:
<UL>
<P><LI>To prevent both local login and AFS authentication, place an asterisk (
<B>*</B> ) in the field. This is useful mainly in emergencies, when
you want to prevent a certain user from logging into the machine.
<P><LI>To prevent login to the local file system if the user does not provide the
correct AFS password, place a character string of any length other than the
standard thirteen characters in the field. This is appropriate if you
want to permit only people with local AFS accounts to login on your
machines. A single <B>X</B> or other character is the most easily
recognizable way to do this.
<P><LI>To enable a user to log into the local file system even after providing an
incorrect AFS password, record a standard UNIX encrypted password in the field
by issuing the standard UNIX password-setting command (<B>passwd</B> or
equivalent).
</UL>
<P>Systems that use a Pluggable Authentication Module (PAM) for login and AFS
authentication do not necessarily consult the local password file at all, in
which case they do not use the password field to control authentication and
login attempts. Instead, instructions in the PAM configuration file (on
many system types, <B>/etc/pam.conf</B>) fill the same
function. See the instructions in the <I>IBM AFS Quick
Beginnings</I> for installing AFS-modified login utilities.
<A NAME="IDX5769"></A>
<P><H3><A NAME="HDRWQ69" HREF="auagd002.htm#ToC_80">Using Two-Step Login and Authentication</A></H3>
<P>In cells that do not use an AFS-modified login utility, users
must issue separate commands to login and authenticate, as detailed in the
<I>IBM AFS User Guide</I>:
<OL TYPE=1>
<P><LI>They use the standard <B>login</B> program to login to the local file
system, providing the password listed in the local password file (the
<B>/etc/passwd</B> file or equivalent).
<P><LI>They must issue the <B>klog</B> command to authenticate with the AFS
authentication service, including its <B>-setpag</B> flag to associate the
new tokens with a process authentication group (PAG).
</OL>
<P>As mentioned in <A HREF="#HDRWQ60">Creating Standard Files in New AFS Accounts</A>, you can invoke the <B>klog -setpag</B> command in a
user's <B>.login</B> file (or equivalent) so that the user
does not have to remember to issue the command after logging in. The
user still must type a password twice, once at the prompt generated by the
login utility and once at the <B>klog</B> command's prompt.
This implies that the two passwords can differ, but it is less confusing if
they do not.
<P>Another effect of not using an AFS-modified login utility is that the AFS
servers recognize the standard <B>login</B> program as the
<B>anonymous</B> user. If the <B>login</B> program needs to
access any AFS files (such as the <B>.login</B> file in a
user's home directory), then the ACL that protects the file must include
an entry granting the <B>l</B> (<B>lookup</B>) and <B>r</B>
(<B>read</B>) permissions to the <B>system:anyuser</B>
group.
<P>When you do not use an AFS-modified login utility, an actual (scrambled)
password must appear in the local password file for each user. Use the
<B>/bin/passwd</B> file to insert or change these passwords. It is
simpler if the password in the local password file matches the AFS password,
but it is not required.
<A NAME="IDX5770"></A>
<A NAME="IDX5771"></A>
<A NAME="IDX5772"></A>
<A NAME="IDX5773"></A>
<A NAME="IDX5774"></A>
<A NAME="IDX5775"></A>
<A NAME="IDX5776"></A>
<A NAME="IDX5777"></A>
<A NAME="IDX5778"></A>
<A NAME="IDX5779"></A>
<A NAME="IDX5780"></A>
<A NAME="IDX5781"></A>
<A NAME="IDX5782"></A>
<A NAME="IDX5783"></A>
<P><H3><A NAME="Header_81" HREF="auagd002.htm#ToC_81">Obtaining, Displaying, and Discarding Tokens</A></H3>
<P>Once logged in, a user can obtain a token at any time with the
<B>klog</B> command. If a valid token already exists, the new one
overwrites it. If a PAG already exists, the new token is associated
with it.
<P>By default, the <B>klog</B> command authenticates the issuer using the
identity currently logged in to the local file system. To authenticate
as a different identity, use the <B>-principal</B> argument. To
obtain a token for a foreign cell, use the <B>-cell</B> argument (it can
be combined with the <B>-principal</B> argument). See the <I>IBM
AFS User Guide</I> and the entry for the <B>klog</B> command in the
<I>IBM AFS Administration Reference</I>.
<P>To discard either all tokens or the token for a particular cell, issue the
<B>unlog</B> command. The command affects only the tokens
associated with the current command shell. See the <I>IBM AFS User
Guide</I>and the entry for the <B>unlog</B> command in the <I>IBM AFS
Administration Reference</I>.
<P>To display the tokens associated with the current command shell, issue the
<B>tokens</B> command. The following examples illustrate its output
in various situations.
<P>If the issuer is not authenticated in any cell:
<PRE>   % <B>tokens</B>
   Tokens held by the Cache Manager:
          --End of list--
</PRE>
<P>The following shows the output for a user with AFS UID 1000 in the ABC
Corporation cell:
<PRE>   % <B>tokens</B>
   Tokens held by the Cache Manager: 
   
   User's (AFS ID 1000) tokens for afs@abc.com  [Expires Jun  2 10:00]
       --End of list--
</PRE>
<P>The following shows the output for a user who is authenticated in ABC
Corporation cell, the State University cell and the DEF Company cell.
The user has different AFS UIDs in the three cells. Tokens for the last
cell are expired:
<PRE>   % <B>tokens</B>
   Tokens held by the Cache Manager:
    
   User's (AFS ID 1000) tokens for afs@abc.com  [Expires Jun  2 10:00]
   User's (AFS ID 4286) tokens for afs@stateu.edu  [Expires Jun  3 1:34]
   User's (AFS ID 22) tokens for afs@def.com  [>>Expired&lt;&lt;]
       --End of list--
</PRE>
<P>The Kerberos version of the <B>tokens</B> command (the
<B>tokens.krb</B> command), also reports information on the
ticket-granting ticket, including the ticket's owner, the ticket-granting
service, and the expiration date, as in the following example. Also see
<A HREF="#HDRWQ70">Support for Kerberos Authentication</A>.
<PRE>   % <B>tokens.krb</B>
   Tokens held by the Cache Manager:
   User's (AFS ID 1000) tokens for afs@abc.com [Expires Jun  2 10:00]
   User smith's tokens for krbtgt.ABC.COM@abc.com [Expires Jun  2 10:00]
     --End of list--
</PRE>
<P><H3><A NAME="Header_82" HREF="auagd002.htm#ToC_82">Setting Default Token Lifetimes for Users</A></H3>
<A NAME="IDX5784"></A>
<P>The maximum lifetime of a user token is the smallest of the <I>ticket
lifetimes</I> recorded in the following three Authentication Database
entries. The <B>kas examine</B> command reports the lifetime as
<TT>Max ticket lifetime</TT>. Administrators who have the
<TT>ADMIN</TT> flag on their Authentication Database entry can use the
<B>-lifetime</B> argument to the <B>kas setfields</B> command to set
an entry's ticket lifetime.
<UL>
<P><LI>The <B>afs</B> entry, which corresponds to the AFS server
processes. The default is 100 hours.
<P><LI>The <B>krbtgt</B>.<VAR>cellname</VAR> entry, which corresponds to
the ticket-granting ticket used internally in generating the token. The
default is 720 hours (30 days).
<P><LI>The entry for the user of the AFS-modified login utility or issuer of the
<B>klog</B> command. The default is 25 hours for user entries
created using the AFS 3.1 or later version of the Authentication
Server, and 100 hours for user entries created using the AFS 3.0
version of the Authentication Server. A user can use the <B>kas
examine</B> command to display his or her own Authentication Database
entry.
</UL>
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">An AFS-modified login utility always grants a token with a lifetime
calculated from the previously described three values. When issuing the
<B>klog</B> command, a user can request a lifetime shorter than the
default by using the <B>-lifetime</B> argument. For further
information, see the <I>IBM AFS User Guide</I> and the <B>klog</B>
reference page in the <I>IBM AFS Administration Reference</I>.
</TD></TR></TABLE>
<P><H3><A NAME="Header_83" HREF="auagd002.htm#ToC_83">Changing Passwords</A></H3>
<A NAME="IDX5785"></A>
<A NAME="IDX5786"></A>
<A NAME="IDX5787"></A>
<A NAME="IDX5788"></A>
<A NAME="IDX5789"></A>
<P>Regular AFS users can change their own passwords by using either the
<B>kpasswd</B> or <B>kas setpassword</B> command. The commands
prompt for the current password and then twice for the new password, to screen
out typing errors.
<P>Administrators who have the <TT>ADMIN</TT> flag on their Authentication
Database entries can change any user's password, either by using the
<B>kpasswd</B> command (which requires knowing the current password) or
the <B>kas setpassword</B> command.
<P>If your cell does not use an AFS-modified login utility, remember also to
change the local password, using the operating system's password-changing
command. For more instructions on changing passwords, see <A HREF="auagd018.htm#HDRWQ516">Changing AFS Passwords</A>.
<P><H3><A NAME="Header_84" HREF="auagd002.htm#ToC_84">Imposing Restrictions on Passwords and Authentication Attempts</A></H3>
<P>You can help to make your cell more secure by imposing restrictions on
user passwords and authentication attempts. To impose the restrictions
as you create an account, use the <B>A</B> instruction in the
<B>uss</B> template file as described in <A HREF="auagd017.htm#HDRWQ478">Increasing Account Security with the A Instruction</A>. To set or change the values on an existing
account, use the <B>kas setfields</B> command as described in <A HREF="auagd018.htm#HDRWQ515">Improving Password and Authentication Security</A>.
<A NAME="IDX5790"></A>
<A NAME="IDX5791"></A>
<A NAME="IDX5792"></A>
<A NAME="IDX5793"></A>
<A NAME="IDX5794"></A>
<A NAME="IDX5795"></A>
<P>By default, AFS passwords never expire. Limiting password lifetime
can help improve security by decreasing the time the password is subject to
cracking attempts. You can choose an lifetime from 1 to 254 days after
the password was last changed. It automatically applies to each new
password as it is set. When the user changes passwords, you can also
insist that the new password is not similar to any of the 20 passwords
previously used.
<A NAME="IDX5796"></A>
<A NAME="IDX5797"></A>
<A NAME="IDX5798"></A>
<A NAME="IDX5799"></A>
<P>Unscrupulous users can try to gain access to your AFS cell by guessing an
authorized user's password. To protect against this type of
attack, you can limit the number of times that a user can consecutively fail
to provide the correct password. When the limit is exceeded, the
authentication service refuses further authentication attempts for a specified
period of time (the <I>lockout time</I>). To reenable
authentication attempts before the lockout time expires, an administrator must
issue the <B>kas unlock</B> command.
<A NAME="IDX5800"></A>
<A NAME="IDX5801"></A>
<A NAME="IDX5802"></A>
<A NAME="IDX5803"></A>
<A NAME="IDX5804"></A>
<A NAME="IDX5805"></A>
<P>In addition to settings on user's authentication accounts, you can
improve security by automatically checking the quality of new user
passwords. The <B>kpasswd</B> and <B>kas setpassword</B>
commands pass the proposed password to a program or script called
<B>kpwvalid</B>, if it exists. The <B>kpwvalid</B> performs
quality checks and returns a code to indicate whether the password is
acceptable. You can create your own program or modified the sample
program included in the AFS distribution. See the <B>kpwvalid</B>
reference page in the <I>IBM AFS Administration Reference</I>.
<P>There are several types of quality checks that can improve password
quality.
<UL>
<P><LI>The password is a minimum length
<P><LI>The password is not a word
<P><LI>The password contains both numbers and letters
</UL>
<P><H3><A NAME="HDRWQ70" HREF="auagd002.htm#ToC_85">Support for Kerberos Authentication</A></H3>
<A NAME="IDX5806"></A>
<A NAME="IDX5807"></A>
<A NAME="IDX5808"></A>
<A NAME="IDX5809"></A>
<A NAME="IDX5810"></A>
<A NAME="IDX5811"></A>
<A NAME="IDX5812"></A>
<P>If your site is using standard Kerberos authentication rather than the AFS
Authentication Server, use the modified versions of the <B>klog</B>,
<B>pagsh</B>, and <B>tokens</B> commands that support Kerberos
authentication. The binaries for the modified version of these commands
have the same name as the standard binaries with the addition of a
<B>.krb</B> extension.
<P>Use either the Kerberos version or the standard command throughout the
cell; do not mix the two versions. AFS Product Support can provide
instructions on installing the Kerberos version of these four commands.
For information on the differences between the two versions of these commands,
see the <I>IBM AFS Administration Reference</I>.
<HR><H2><A NAME="HDRWQ71" HREF="auagd002.htm#ToC_86">Security and Authorization in AFS</A></H2>
<P>AFS incorporates several features to ensure that only
authorized users gain access to data. This section summarizes the most
important of them and suggests methods for improving security in your
cell.
<P><H3><A NAME="HDRWQ72" HREF="auagd002.htm#ToC_87">Some Important Security Features</A></H3>
<A NAME="IDX5813"></A>
<A NAME="IDX5814"></A>
<P><B>ACLs on Directories</B>
<P>Files in AFS are protected by the access control list (ACL) associated with
their parent directory. The ACL defines which users or groups can
access the data in the directory, and in what way. See <A HREF="auagd020.htm#HDRWQ562">Managing Access Control Lists</A>.
<P><B>Mutual Authentication Between Client and Server</B>
<P>When an AFS client and server process communicate, each requires the other
to prove its identity during mutual authentication, which involves the
exchange of encrypted information that only valid parties can decrypt and
respond to. For a detailed description of the mutual authentication
process, see <A HREF="#HDRWQ75">A More Detailed Look at Mutual Authentication</A>.
<P>AFS server processes mutually authenticate both with one another and with
processes that represent human users. After mutual authentication is
complete, the server and client have established an authenticated connection,
across which they can communicate repeatedly without having to authenticate
again until the connection expires or one of the parties closes it.
Authenticated connections have varying lifetimes.
<P><B>Tokens</B>
<P>In order to access AFS files, users must prove their identities to the AFS
authentication service by providing the correct AFS password. If the
password is correct, the authentication service sends the user a
<I>token</I> as evidence of authenticated status. See <A HREF="#HDRWQ63">Login and Authentication in AFS</A>.
<P>Servers assign the user identity <B>anonymous</B> to users and
processes that do not have a valid token. The <B>anonymous</B>
identity has only the access granted to the <B>system:anyuser</B>
group on ACLs.
<P><B>Authorization Checking</B>
<P>Mutual authentication establishes that two parties communicating with one
another are actually who they claim to be. For many functions, AFS
server processes also check that the client whose identity they have verified
is also authorized to make the request. Different requests require
different kinds of privilege. See <A HREF="#HDRWQ73">Three Types of Privilege</A>.
<P><B>Encrypted Network Communications</B>
<A NAME="IDX5815"></A>
<A NAME="IDX5816"></A>
<A NAME="IDX5817"></A>
<P>The AFS server processes encrypt particularly sensitive information before
sending it back to clients. Even if an unauthorized party is able to
eavesdrop on an authenticated connection, they cannot decipher encrypted data
without the proper key.
<P>The following AFS commands encrypt data because they involve server
encryption keys and passwords: 
<UL>
<P><LI>The <B>bos addkey</B> command, which adds a server encryption key to
the <B>/usr/afs/etc/KeyFile</B> file
<P><LI>The <B>bos listkeys</B> command, which lists the server encryption
keys from the <B>/usr/afs/etc/KeyFile</B> file
<P><LI>The <B>kpasswd</B> command, which changes a password in the
Authentication Database
<P><LI>Most commands in the <B>kas</B> command suite
</UL>
<P>In addition, the United States edition of the Update Server encrypts
sensitive information (such as the contents of <B>KeyFile</B>) when
distributing it. Other commands in the <B>bos</B> suite and the
commands in the <B>fs</B>, <B>pts</B> and <B>vos</B> suites do not
encrypt data before transmitting it.
<P><H3><A NAME="HDRWQ73" HREF="auagd002.htm#ToC_88">Three Types of Privilege</A></H3>
<P>AFS uses three separate types of privilege for the reasons
discussed in <A HREF="auagd021.htm#HDRWQ585">The Reason for Separate Privileges</A>.
<UL>
<P><LI>Membership in the <B>system:administrators</B> group.
Members are entitled to issue any <B>pts</B> command and those
<B>fs</B> commands that set volume quota. By default, they also
implicitly have the <B>a</B> (<B>administer</B>) and <B>l</B>
(<B>lookup</B>) permissions on every ACL in the file tree even if the ACL
does not include an entry for them.
<P><LI>The <TT>ADMIN</TT> flag on the Authentication Database entry. An
administrator with this flag can issue any <B>kas</B> command.
<P><LI>Inclusion in the <B>/usr/afs/etc/UserList</B> file. An
administrator whose username appears in this file can issue any
<B>bos</B>, <B>vos</B>, or <B>backup</B> command (although some
<B>backup</B> commands require additional privilege as described in <A HREF="auagd011.htm#HDRWQ260">Granting Administrative Privilege to Backup Operators</A>).
</UL>
<P><H3><A NAME="Header_89" HREF="auagd002.htm#ToC_89">Authorization Checking versus Authentication</A></H3>
<P>AFS distinguishes between authentication and authorization
checking. <I>Authentication</I> refers to the process of proving
identity. <I>Authorization checking</I> refers to the process of
verifying that an authenticated identity is allowed to perform a certain
action.
<P>AFS implements authentication at the level of connections. Each time
two parties establish a new connection, they mutually authenticate. In
general, each issue of an AFS command establishes a new connection between AFS
server process and client.
<P>AFS implements authorization checking at the level of server
machines. If authorization checking is enabled on a server machine,
then all of the server processes running on it provide services only to
authorized users. If authorization checking is disabled on a server
machine, then all of the server processes perform any action for
anyone. Obviously, disabling authorization checking is an extreme
security exposure. For more information, see <A HREF="auagd008.htm#HDRWQ123">Managing Authentication and Authorization Requirements</A>.
<P><H3><A NAME="HDRWQ74" HREF="auagd002.htm#ToC_90">Improving Security in Your Cell</A></H3>
<A NAME="IDX5818"></A>
<P>You can improve the level of security in your cell by configuring user
accounts, server machines, and system administrator accounts in the indicated
way.
<P><B>User Accounts</B>
<UL>
<P><LI>Use an AFS-modified login utility, or include the <B>-setpag</B> flag
to the <B>klog</B> command, to associate the credential structure that
houses tokens with a PAG rather than a UNIX UID. This prevents users
from inheriting someone else's tokens by assuming their UNIX
identity. For further discussion, see <A HREF="#HDRWQ64">Identifying AFS Tokens by PAG</A>.
<P><LI>Encourage users to issue the <B>unlog</B> command to destroy their
tokens before logging out. This forestalls attempts to access tokens
left behind kernel memory. Consider including the <B>unlog</B>
command in every user's <B>.logout</B> file or
equivalent.
</UL>
<P><B>Server Machines</B>
<UL>
<P><LI>Disable authorization checking only in emergencies or for very brief
periods of time. It is best to work at the console of the affected
machine during this time, to prevent anyone else from accessing the machine
through the keyboard.
<P><LI>Change the AFS server encryption key on a frequent and regular
schedule. Make it difficult to guess (a long string including
nonalphabetic characters, for instance). Unlike user passwords, the
password from which the AFS key is derived can be longer than eight
characters, because it is never used during login. The <B>kas
setpassword</B> command accepts a password hundreds of characters
long. For instructions, see <A HREF="auagd014.htm#HDRWQ355">Managing Server Encryption Keys</A>.
<P><LI>As much as possible, limit the number of people who can login at a server
machine's console or remotely. Imposing this limit is an extra
security precaution rather than a necessity. The machine cannot serve
as an AFS client in this case.
<P><LI>Particularly limit access to the local superuser <B>root</B> account
on a server machine. The local superuser <B>root</B> has free
access to important administrative subdirectories of the <B>/usr/afs</B>
directory, as described in <A HREF="#HDRWQ53">AFS Files on the Local Disk</A>.
<A NAME="IDX5819"></A>
<P><LI>As in any computing environment, server machines must be located in a
secured area. Any other security measures are effectively worthless if
unauthorized people can access the computer hardware.
</UL>
<P><B>System Administrators</B>
<UL>
<P><LI>Limit the number of system administrators in your cell. Limit the
use of system administrator accounts on publicly accessible
workstations. Such machines are not secure, so unscrupulous users can
install programs that try to steal tokens or passwords. If
administrators must use publicly accessible workstations at times, they must
issue the <B>unlog</B> command before leaving the machine.
<P><LI>Create an administrative account for each administrator separate from the
personal account, and assign AFS privileges only to the administrative
account. The administrators must authenticate to the administrative
accounts to perform duties that require privilege, which provides a useful
audit trail as well.
<P><LI>Administrators must not leave a machine unattended while they have valid
tokens. Issue the <B>unlog</B> command before leaving.
<P><LI>Use the <B>-lifetime</B> argument to the <B>kas setfields</B>
command to set the token lifetime for administrative accounts to a fairly
short amount of time. The default lifetime for AFS tokens is 25 hours,
but 30 or 60 minutes is possibly a more reasonable lifetime for administrative
tokens. The tokens for administrators who initiate AFS Backup System
operations must last somewhat longer, because it can take several hours to
complete some dump operations, depending on the speed of the tape device and
the network connecting it to the file server machines that house the volumes
is it accessing.
<P><LI>Limit administrators' use of the <B>telnet</B> program. It
sends unencrypted passwords across the network. Similarly, limit use of
other remote programs such as <B>rsh</B> and <B>rcp</B>, which send
unencrypted tokens across the network.
</UL>
<A NAME="IDX5820"></A>
<A NAME="IDX5821"></A>
<A NAME="IDX5822"></A>
<A NAME="IDX5823"></A>
<P><H3><A NAME="HDRWQ75" HREF="auagd002.htm#ToC_91">A More Detailed Look at Mutual Authentication</A></H3>
<P>As in any file system, security is a prime concern in
AFS. A file system that makes file sharing easy is not useful if it
makes file sharing mandatory, so AFS incorporates several features that
prevent unauthorized users from accessing data. Security in a networked
environment is difficult because almost all procedures require transmission of
information across wires that almost anyone can tap into. Also, many
machines on networks are powerful enough that unscrupulous users can monitor
transactions or even intercept transmissions and fake the identity of one of
the participants.
<P>The most effective precaution against eavesdropping and information theft
or fakery is for servers and clients to accept the claimed identity of the
other party only with sufficient proof. In other words, the nature of
the network forces all parties on the network to assume that the other party
in a transaction is not genuine until proven so. <I>Mutual
authentication</I> is the means through which parties prove their
genuineness.
<P>Because the measures needed to prevent fakery must be quite sophisticated,
the implementation of mutual authentication procedures is complex. The
underlying concept is simple, however: parties prove their identities by
demonstrating knowledge of a <I>shared secret</I>. A shared secret
is a piece of information known only to the parties who are mutually
authenticating (they can sometimes learn it in the first place from a trusted
third party or some other source). The party who originates the
transaction presents the shared secret and refuses to accept the other party
as valid until it shows that it knows the secret too.
<P>The most common form of shared secret in AFS transactions is the
<I>encryption key</I>, also referred to simply as a <I>key</I>.
The two parties use their shared key to encrypt the packets of information
they send and to decrypt the ones they receive. Encryption using keys
actually serves two related purposes. First, it protects messages as
they cross the network, preventing anyone who does not know the key from
eavesdropping. Second, ability to encrypt and decrypt messages
successfully indicates that the parties are using the key (it is their shared
secret). If they are using different keys, messages remain scrambled
and unintelligible after decryption.
<P>The following sections describe AFS's mutual authentication procedures
in more detail. Feel free to skip these sections if you are not
interested in the mutual authentication process.
<P><H4><A NAME="Header_92">Simple Mutual Authentication</A></H4>
<P>Simple mutual authentication involves only one encryption key and two
parties, generally a client and server. The client contacts the server
by sending a <I>challenge</I> message encrypted with a key known only to
the two of them. The server decrypts the message using its key, which
is the same as the client's if they really do share the same
secret. The server responds to the challenge and uses its key to
encrypt its response. The client uses its key to decrypt the
server's response, and if it is correct, then the client can be sure that
the server is genuine: only someone who knows the same key as the client
can decrypt the challenge and answer it correctly. On its side, the
server concludes that the client is genuine because the challenge message made
sense when the server decrypted it.
<P>AFS uses simple mutual authentication to verify user identities during the
first part of the login procedure. In that case, the key is based on
the user's password.
<P><H4><A NAME="HDRWQ76">Complex Mutual Authentication</A></H4>
<P>Complex mutual authentication involves three encryption keys
and three parties. All secure AFS transactions (except the first part
of the login process) employ complex mutual authentication.
<A NAME="IDX5824"></A>
<A NAME="IDX5825"></A>
<A NAME="IDX5826"></A>
<P>When a client wishes to communicate with a server, it first contacts a
third party called a <I>ticket-granter</I>. The ticket-granter and
the client mutually authenticate using the simple procedure. When they
finish, the ticket-granter gives the client a <I>server ticket</I> (or
simply <I>ticket</I>) as proof that it (the ticket-granter) has
preverified the identity of the client. The ticket-granter encrypts the
ticket with the first of the three keys, called the <I>server encryption
key</I> because it is known only to the ticket-granter and the server the
client wants to contact. The client does not know this key.
<P>The ticket-granter sends several other pieces of information along with the
ticket. They enable the client to use the ticket effectively despite
being unable to decrypt the ticket itself. Along with the ticket, the
items constitute a <I>token</I>:
<UL>
<A NAME="IDX5827"></A>
<P><LI>A <I>session key</I>, which is the second encryption key involved in
mutual authentication. The ticket-granter invents the session key at
random as the shared secret between client and server. For reasons
explained further below, the ticket-granter also puts a copy of the session
key inside the ticket. The client and server use the session key to
encrypt messages they send to one another during their transactions.
The ticket-granter invents a different session key for each connection between
a client and a server (there can be several transactions during a single
connection).
<P><LI>The name of the server for which the ticket is valid (and so which server
encryption key encrypts the ticket itself).
<P><LI>A ticket lifetime indicator. The default lifetime of AFS server
tickets is 100 hours. If the client wants to contact the server again
after the ticket expires, it must contact the ticket-granter to get a new
ticket.
</UL>
<P>The ticket-granter seals the entire token with the third key involved in
complex mutual authentication--the key known only to it (the
ticket-granter) and the client. In some cases, this third key is
derived from the password of the human user whom the client represents.
<P>Now that the client has a valid server ticket, it is ready to contact the
server. It sends the server two things:
<UL>
<P><LI>The server ticket. This is encrypted with the server encryption
key.
<P><LI>Its request message, encrypted with the session key. Encrypting the
message protects it as it crosses the network, since only the server/client
pair for whom the ticket-granter invented the session key know it.
</UL>
<P>At this point, the server does not know the session key, because the
ticket-granter just created it. However, the ticket-granter put a copy
of the session key inside the ticket. The server uses the server
encryption key to decrypts the ticket and learns the session key. It
then uses the session key to decrypt the client's request message.
It generates a response and sends it to the client. It encrypts the
response with the session key to protect it as it crosses the network.
<P>This step is the heart of mutual authentication between client and server,
because it proves to both parties that they know the same secret:
<UL>
<P><LI>The server concludes that the client is authorized to make a request
because the request message makes sense when the server decrypts it using the
session key. If the client uses a different session key than the one
the server finds inside the ticket, then the request message remains
unintelligible even after decryption. The two copies of the session key
(the one inside the ticket and the one the client used) can only be the same
if they both came from the ticket-granter. The client cannot fake
knowledge of the session key because it cannot look inside the ticket, sealed
as it is with the server encryption key known only to the server and the
ticket-granter. The server trusts the ticket-granter to give tokens
only to clients with whom it (the ticket-granter) has authenticated, so the
server decides the client is legitimate.
<P>(Note that there is no direct communication between the ticket-granter and
the server, even though their relationship is central to ticket-based mutual
authentication. They interact only indirectly, via the client's
possession of a ticket sealed with their shared secret.)
<P><LI>The client concludes that the server is genuine and trusts the response it
gets back from the server, because the response makes sense after the client
decrypts it using the session key. This indicates that the server
encrypted the response with the same session key as the client knows.
The only way for the server to learn that matching session key is to decrypt
the ticket first. The server can only decrypt the ticket because it
shares the secret of the server encryption key with the ticket-granter.
The client trusts the ticket-granter to give out tickets only for legitimate
servers, so the client accepts a server that can decrypt the ticket as
genuine, and accepts its response.
</UL>
<HR><H2><A NAME="HDRWQ77" HREF="auagd002.htm#ToC_94">Backing Up AFS Data</A></H2>
<P>AFS provides two related facilities that help the
administrator back up AFS data: backup volumes and the AFS Backup
System.
<P><H3><A NAME="Header_95" HREF="auagd002.htm#ToC_95">Backup Volumes</A></H3>
<P>The first facility is the backup volume, which you create by cloning a
read/write volume. The backup volume is read-only and so preserves the
state of the read/write volume at the time the clone is made.
<P>Backup volumes can ease administration if you mount them in the file system
and make their contents available to users. For example, it often makes
sense to mount the backup version of each user volume as a subdirectory of the
user's home directory. A conventional name for this mount point is
<B>OldFiles</B>. Create a new version of the backup volume (that
is, reclone the read/write) once a day to capture any changes that were made
since the previous backup. If a user accidentally removes or changes
data, the user can restore it from the backup volume, rather than having to
ask you to restore it.
<P>The <I>IBM AFS User Guide</I> does not mention backup volumes, so
regular users do not know about them if you decide not to use them.
This implies that if you <B>do</B> make backup versions of user volumes,
you need to tell your users about how the backup works and where you have
mounted it.
<P>Users are often concerned that the data in a backup volume counts against
their volume quota and some of them even want to remove the
<B>OldFiles</B> mount point. It does not, because the backup volume
is a separate volume. The only amount of space it uses in the
user's volume is the amount needed for the mount point, which is about
the same as the amount needed for a standard directory element.
<P>Backup volumes are discussed in detail in <A HREF="auagd010.htm#HDRWQ201">Creating Backup Volumes</A>.
<P><H3><A NAME="Header_96" HREF="auagd002.htm#ToC_96">The AFS Backup System</A></H3>
<P>Backup volumes can reduce restoration requests, but they reside on disk
and so do not protect data from loss due to hardware failure. Like any
file system, AFS is vulnerable to this sort of data loss.
<P>To protect your cell's users from permanent loss of data, you are
strongly urged to back up your file system to tape on a regular and frequent
schedule. The AFS Backup System is available to ease the administration
and performance of backups. For detailed information about the AFS
Backup System, see <A HREF="auagd011.htm#HDRWQ248">Configuring the AFS Backup System</A> and <A HREF="auagd012.htm#HDRWQ283">Backing Up and Restoring AFS Data</A>.
<A NAME="IDX5828"></A>
<A NAME="IDX5829"></A>
<A NAME="IDX5830"></A>
<A NAME="IDX5831"></A>
<A NAME="IDX5832"></A>
<A NAME="IDX5833"></A>
<A NAME="IDX5834"></A>
<A NAME="IDX5835"></A>
<A NAME="IDX5836"></A>
<A NAME="IDX5837"></A>
<A NAME="IDX5838"></A>
<A NAME="IDX5839"></A>
<HR><H2><A NAME="HDRWQ78" HREF="auagd002.htm#ToC_97">Using UNIX Remote Services in the AFS Environment</A></H2>
<P>The AFS distribution includes modified versions of several
standard UNIX commands, daemons and programs that provide remote services,
including the following:
<UL>
<P><LI>The <B>ftpd</B> program
<P><LI>The <B>inetd</B> daemon
<P><LI>The <B>rcp</B> program
<P><LI>The <B>rlogind</B> daemon
<P><LI>The <B>rsh</B> command
</UL>
<P>These modifications enable the commands to handle AFS authentication
information (tokens). This enables issuers to be recognized on the
remote machine as an authenticated AFS user.
<P>Replacing the standard versions of these programs in your file tree with
the AFS-modified versions is optional. It is likely that AFS's
transparent access reduces the need for some of the programs anyway,
especially those involved in transferring files from machine to machine, like
the <B>ftpd</B> and <B>rcp</B> programs.
<P>If you decide to use the AFS versions of these commands, be aware that
several of them are interdependent. For example, the passing of AFS
authentication information works correctly with the <B>rcp</B> command
only if you are using the AFS version of both the <B>rcp</B> and
<B>inetd</B> commands.
<P>The conventional installation location for the modified remote commands are
the <B>/usr/afsws/bin</B> and <B>/usr/afsws/etc</B>
directories. To learn more about commands' functionality, see
their reference pages in the <I>IBM AFS Administration
Reference</I>.
<HR><H2><A NAME="HDRWQ79" HREF="auagd002.htm#ToC_98">Accessing AFS through NFS</A></H2>
<P>Users of NFS client machines can access the AFS filespace by
mounting the <B>/afs</B> directory of an AFS client machine that is
running the <I>NFS/AFS Translator</I>. This is a particular
advantage in cells already running NFS who want to access AFS using client
machines for which AFS is not available. See <A HREF="auagd022.htm#HDRWQ595">Appendix A,  Managing the NFS/AFS Translator</A>.
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auagd002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auagd006.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Top_Of_Page"><IMG SRC="../top.gif" BORDER="0" ALT="[Top of Topic]"></A> <A HREF="auagd008.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auagd026.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P> 
<!-- Begin Footer Records  ========================================== -->
<P><HR><B> 
<br>&#169; <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A>  All Rights Reserved 
</B> 
<!-- End Footer Records  ============================================ -->
<A NAME="Bot_Of_Page"></A>
</BODY></HTML>