Documentation about the ncm-afsclt component

Prevent authconfig from trying to launch in X11 mode

[Parameters]

authconfig = '/usr/bin/authconfig'
iptables = '/etc/sysconfig/iptables'
sysconfig_afs = '/etc/sysconfig/afs'
afs_cacheinfo = '/usr/vice/etc/cacheinfo'
localcelldb = '/usr/vice/etc/CellServDB'
afsmount = 'afs'
cachemount = '/usr/vice/cache'
cachesize = 512000
cellservdb = 'http://cern.ch/afs/CellServDB'
debug = false
enabled = yes
libpam_options_auth = 'try_first_pass minimum_uid=100'
settime = true
thiscell = 'cern.ch'
verbose = 0

Configure State

There are a few things we must configure:

  1. Configure PAM
  2. Configure Cell
  3. Configure Cache
  4. Configure Firewall
  5. Configure CellServDB
  6. Configure some extra things (e.g. Options, nosetime, etc.)

We no longer need to declare the path "lib{64}/security/ ..." because pam_krb5{afs}.so is now standard on the system.

The pam_krb5{afs} modules are the same now.

1) Configure PAM

We add 3 specific lines to "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth". The lines configure the auth, password and session stacks. This configuration is for Kerberos, not AFS explicitly; in the future it may move to the Kerberos module.

Example:

# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
# next line added by NCM-afsclt
auth sufficient /lib/security/$ISA/pam_krb5afs.so try_first_pass minimum_uid=100
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
# next line added by NCM-afsclt
password sufficient /lib/security/$ISA/pam_krb5afs.so try_first_pass minimum_uid=100
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
# next line added by NCM-afsclt
session required /lib/security/$ISA/pam_krb5afs.so try_first_pass minimum_uid=100
session optional pam_krb5.so

As said above, we no longer need to declare the path of the library, as it is standard.
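As an added example (not part of the component or this page), the following Python checker parses a pam.d file into its four-column rules and verifies that the auth, password and session stacks each carry the pam_krb5afs.so rule with the libpam_options_auth value from the parameters above. The embedded SAMPLE is the password-auth listing shown above, shortened to the relevant rules; the function and constant names are the example's own.

```python
"""Validate the NCM-afsclt PAM rules in a pam.d file (added example, not
component code).  Parses the pam.d format and confirms that the auth,
password and session stacks each have a pam_krb5afs.so rule carrying the
configured libpam_options_auth options."""
import re
from typing import Dict, List, NamedTuple, Optional


class PamRule(NamedTuple):
    mgmt: str        # auth / account / password / session
    control: str     # required, sufficient, ... or a [bracketed] control
    module: str      # module as written (basename or full path)
    args: List[str]  # module arguments


_BRACKET = re.compile(r"^\[[^\]]*\]")


def parse_pam(text: str) -> List[PamRule]:
    """Parse pam.d lines; comments, blank and malformed lines are skipped."""
    rules: List[PamRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue                       # no control field
        mgmt, rest = fields
        m = _BRACKET.match(rest)
        if m:                              # e.g. [default=bad success=ok ...]
            control, rest = m.group(0), rest[m.end():]
        else:
            fields = rest.split(None, 1)
            if len(fields) != 2:
                continue                   # no module field
            control, rest = fields
        parts = rest.split()
        if not parts:
            continue
        rules.append(PamRule(mgmt, control, parts[0], parts[1:]))
    return rules


# libpam_options_auth from the component parameters
AFSCLT_OPTIONS = "try_first_pass minimum_uid=100"


def check_afsclt_rules(text: str, options: str = AFSCLT_OPTIONS) -> Dict[str, Optional[str]]:
    """Map each stack to None when its pam_krb5afs.so rule is correct, else to a problem."""
    wanted = options.split()
    rules = parse_pam(text)
    report: Dict[str, Optional[str]] = {}
    for stack in ("auth", "password", "session"):
        hits = [r for r in rules
                if r.mgmt == stack and r.module.rsplit("/", 1)[-1] == "pam_krb5afs.so"]
        if not hits:
            report[stack] = "missing pam_krb5afs.so rule"
        elif hits[0].args != wanted:
            report[stack] = "options %r, expected %r" % (" ".join(hits[0].args), options)
        else:
            report[stack] = None
    return report


def stacks_with_explicit_path(text: str) -> List[str]:
    """Stacks whose pam_krb5afs.so rule still uses the old /lib/security/$ISA/ path form."""
    return [r.mgmt for r in parse_pam(text)
            if r.module.endswith("pam_krb5afs.so") and "/" in r.module]


# Sample input: the password-auth listing from this page, shortened to the relevant rules.
SAMPLE = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
# next line added by NCM-afsclt
auth sufficient /lib/security/$ISA/pam_krb5afs.so try_first_pass minimum_uid=100
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
# next line added by NCM-afsclt
password sufficient /lib/security/$ISA/pam_krb5afs.so try_first_pass minimum_uid=100
session required pam_unix.so
# next line added by NCM-afsclt
session required /lib/security/$ISA/pam_krb5afs.so try_first_pass minimum_uid=100
session optional pam_krb5.so
"""

if __name__ == "__main__":
    print(check_afsclt_rules(SAMPLE))
    print(stacks_with_explicit_path(SAMPLE))
```

On a real host, read "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" and pass their contents in place of SAMPLE; a stack reported as missing means the module line was removed (for instance by a later authconfig run, which regenerates these files).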


2) Configure Cell

pathcell = "/usr/vice/etc/ThisCell"

We write the line "cern.ch" (the thiscell parameter) to that file.


3) Configure Cache

  • write the line "/afs:/usr/vice/cache:512000" to "/usr/vice/etc/cacheinfo"
  • add the following lines to "/etc/sysconfig/afs" (the file mode must be 00755):

# OpenAFS Client Configuration
AFSD_ARGS="-daemons 3 -dcache 8000 -files 10000 -stat 10000 -volumes 196"

# OpenAFS Server Configuration
BOSSERVER_ARGS=
# changed by NCM-afsclt-options
OPTIONS="-daemons 3 -dcache 8000 -files 10000 -stat 10000 -volumes 196"
VERBOSE=
AFS_CLIENT=on
CACHESIZE=512000

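As an added example (not component code), here is a Python cross-check of the two cache files written in this step. It parses the "mount:cachedir:size" line of cacheinfo (the size field is in 1K blocks) and the KEY=VALUE lines of /etc/sysconfig/afs, then reports where they disagree with each other or with the afsmount, cachemount and cachesize parameters. The sample texts are the values shown on this page; function names are the example's own.

```python
"""Cross-check the OpenAFS client cache configuration (added example, not
component code): cacheinfo and /etc/sysconfig/afs must describe the same
cache, and AFS_CLIENT must be switched on."""
from typing import Dict, List, NamedTuple


class CacheInfo(NamedTuple):
    mountpoint: str
    cachedir: str
    size_kb: int   # third cacheinfo field, in 1K blocks


def parse_cacheinfo(text: str) -> CacheInfo:
    """Parse the single 'mount:cachedir:size' line of /usr/vice/etc/cacheinfo."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) != 1:
        raise ValueError("cacheinfo must contain exactly one line")
    fields = lines[0].split(":")
    if len(fields) != 3:
        raise ValueError("cacheinfo line must have three colon-separated fields")
    mount, cachedir, size = fields
    if not size.isdigit():
        raise ValueError("cache size must be an integer number of 1K blocks")
    return CacheInfo(mount, cachedir, int(size))


def parse_sysconfig(text: str) -> Dict[str, str]:
    """Parse shell-style KEY=VALUE lines; comments dropped, one layer of quotes stripped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        conf[key.strip()] = value
    return conf


def check_cache_config(cacheinfo_text: str, sysconfig_text: str,
                       afsmount: str = "/afs", cachemount: str = "/usr/vice/cache",
                       cachesize: int = 512000) -> List[str]:
    """Return the list of discrepancies; empty when everything agrees."""
    problems: List[str] = []
    ci = parse_cacheinfo(cacheinfo_text)
    sc = parse_sysconfig(sysconfig_text)
    if ci.mountpoint != afsmount:
        problems.append("cacheinfo mount point %r, expected %r" % (ci.mountpoint, afsmount))
    if ci.cachedir != cachemount:
        problems.append("cacheinfo cache dir %r, expected %r" % (ci.cachedir, cachemount))
    if ci.size_kb != cachesize:
        problems.append("cacheinfo size %d, expected %d" % (ci.size_kb, cachesize))
    if sc.get("CACHESIZE") != str(ci.size_kb):
        problems.append("CACHESIZE %r does not match cacheinfo size %d" % (sc.get("CACHESIZE"), ci.size_kb))
    if sc.get("AFS_CLIENT") != "on":
        problems.append("AFS_CLIENT is not 'on'")
    if sc.get("OPTIONS") != sc.get("AFSD_ARGS"):
        problems.append("OPTIONS and AFSD_ARGS differ")
    return problems


# Sample inputs: the file contents shown on this page.
CACHEINFO = "/afs:/usr/vice/cache:512000\n"
SYSCONFIG = """\
# OpenAFS Client Configuration
AFSD_ARGS="-daemons 3 -dcache 8000 -files 10000 -stat 10000 -volumes 196"

# OpenAFS Server Configuration
BOSSERVER_ARGS=
# changed by NCM-afsclt-options
OPTIONS="-daemons 3 -dcache 8000 -files 10000 -stat 10000 -volumes 196"
VERBOSE=
AFS_CLIENT=on
CACHESIZE=512000
"""

if __name__ == "__main__":
    print(check_cache_config(CACHEINFO, SYSCONFIG))
```

The size comparison matters because afsd sizes its cache from cacheinfo while the init script reads CACHESIZE; if the two drift apart after a manual edit, the client may start with a cache that does not fit the partition under /usr/vice/cache.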


4) Configure CellServDB

The contents of the CellServDB are from the link: http://cern.ch/afs/CellServDB

The file /usr/vice/CellServDB should have attributes like:

- owner => root
- group => root
- mode => 0444

We will ship two more files in the afs module:

1) CellServDB.dist (owner => root, group => root, mode => 0644), which serves as an archive copy.

2) CellServDB.local (owner => root, group => root, mode => 0644), the local database for the user; empty by default.

(With the yum-autoupdate tool we can update the CellServDB whenever an entry is changed, deleted or added, so we do not need to check whether the cells are appropriate: we push the changes every time something changes.)
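As an added example (not component code), the following Python parses a CellServDB in its standard layout (a ">cellname  #description" header followed by one "ip-address  #hostname" line per database server), checks that the local cell is listed and every cell has at least one server, and checks the owner/group/mode attributes required above. The server addresses in the embedded sample are constructed placeholders from the documentation address ranges, not CERN's servers; function names are the example's own.

```python
"""Parse and sanity-check a CellServDB and its file attributes (added
example, not component code)."""
import ipaddress
import os
import stat
from typing import Dict, List, NamedTuple, Tuple


class Cell(NamedTuple):
    name: str
    description: str
    servers: List[Tuple[str, str]]   # (ip address, server hostname)


def parse_cellservdb(text: str) -> Dict[str, Cell]:
    """Cell headers start with '>'; every other non-empty line is a server address."""
    cells: Dict[str, Cell] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        body, comment = body.strip(), comment.strip()
        if not body:
            continue                        # blank or comment-only line
        if body.startswith(">"):
            name = body[1:].strip()
            if not name:
                raise ValueError("line %d: empty cell name" % lineno)
            current = Cell(name, comment, [])
            cells[name] = current
        else:
            if current is None:
                raise ValueError("line %d: server line before any cell header" % lineno)
            ipaddress.ip_address(body)      # raises ValueError on a malformed address
            current.servers.append((body, comment))
    return cells


def check_cellservdb(text: str, thiscell: str) -> List[str]:
    """Return problems found; empty when the database is usable for thiscell."""
    try:
        cells = parse_cellservdb(text)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    if thiscell not in cells:
        problems.append("local cell %r is not listed" % thiscell)
    for cell in cells.values():
        if not cell.servers:
            problems.append("cell %r has no database servers" % cell.name)
    return problems


def attrs_ok(st_mode: int, st_uid: int, st_gid: int, want_mode: int = 0o444) -> bool:
    """True when owner and group are root and the permission bits equal want_mode."""
    return st_uid == 0 and st_gid == 0 and stat.S_IMODE(st_mode) == want_mode


def file_attrs_ok(path: str, want_mode: int = 0o444) -> bool:
    """Apply attrs_ok to a file on disk (0444 for CellServDB, 0644 for .dist/.local)."""
    st = os.stat(path)
    return attrs_ok(st.st_mode, st.st_uid, st.st_gid, want_mode)


# Constructed sample: placeholder addresses, not real AFS database servers.
SAMPLE = """\
>cern.ch          #CERN (addresses below are constructed placeholders)
192.0.2.10        #afsdb1.example.invalid
192.0.2.11        #afsdb2.example.invalid
>other.example    #a second, constructed cell
198.51.100.5      #db.other.example
"""

if __name__ == "__main__":
    print(check_cellservdb(SAMPLE, "cern.ch"))
    for cell in parse_cellservdb(SAMPLE).values():
        print(cell.name, cell.servers)
```

Because the file is fetched from a URL and then trusted by every client, a parse failure or an unlisted local cell is worth failing the component run on, rather than leaving a half-written database in /usr/vice/etc.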


5) Extra Configuration

We modify the file "/etc/sysconfig/afs":

# OpenAFS Client Configuration
AFSD_ARGS="-daemons 3 -dcache 8000 -files 10000 -stat 10000 -volumes 196"

# OpenAFS Server Configuration
BOSSERVER_ARGS=
# changed by NCM-afsclt-options
OPTIONS="-daemons 3 -dcache 8000 -files 10000 -stat 10000 -volumes 196"
VERBOSE=
AFS_CLIENT=on
CACHESIZE=512000

(Check that the mount point is "/afs".)


6) Firewall

We need to allow the server callbacks on the client machine; the rules are:

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 7001 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7002 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 7003 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 7004 -j ACCEPT

Of course iptables must be enabled on the machine (the file /etc/sysconfig/iptables must exist).
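As an added example (not component code), this Python checker parses the "-A ... -j ACCEPT" lines of an iptables-save style file and reports which of the four callback rules above are missing; it also treats a missing /etc/sysconfig/iptables as a failure, as the note above requires. The embedded SAMPLE is a constructed file in the RH-Firewall-1-INPUT layout; function names are the example's own.

```python
"""Verify the AFS callback rules in /etc/sysconfig/iptables (added example,
not component code).  Only '-A <chain> ... -p <proto> --dport <n> -j ACCEPT'
rules are considered; everything else in the file is ignored."""
import os
import shlex
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, int]   # (chain, protocol, destination port)

# The four rules from this page, as (chain, proto, dport).
AFS_CALLBACK_RULES: Set[Rule] = {
    ("RH-Firewall-1-INPUT", "udp", 7001),
    ("RH-Firewall-1-INPUT", "tcp", 7002),
    ("RH-Firewall-1-INPUT", "udp", 7003),
    ("RH-Firewall-1-INPUT", "udp", 7004),
}


def _options(tokens: List[str]) -> Dict[str, str]:
    """Map each '-x'/'--xx' option to its first value; repeated options keep the first."""
    opts: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        if tokens[i].startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts.setdefault(tokens[i], tokens[i + 1])
            i += 2
        else:
            i += 1
    return opts


def parse_accept_rules(text: str) -> Set[Rule]:
    """Collect (chain, proto, dport) for every ACCEPT rule that names a destination port."""
    rules: Set[Rule] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("-A"):
            continue
        opts = _options(shlex.split(line))
        if opts.get("-j") != "ACCEPT" or "-p" not in opts or "--dport" not in opts:
            continue
        try:
            port = int(opts["--dport"])
        except ValueError:
            continue                       # port ranges / service names not handled here
        rules.add((opts["-A"], opts["-p"], port))
    return rules


def missing_callback_rules(text: str, required: Set[Rule] = AFS_CALLBACK_RULES) -> List[Rule]:
    """Required rules that the file does not contain, sorted for stable output."""
    return sorted(required - parse_accept_rules(text))


def check_iptables_file(path: str) -> List[str]:
    """Human-readable problems for the file at path, including its absence."""
    if not os.path.exists(path):
        return ["%s does not exist: iptables is not enabled on this machine" % path]
    with open(path) as fh:
        text = fh.read()
    return ["missing: -A %s -p %s --dport %d -j ACCEPT" % r for r in missing_callback_rules(text)]


# Constructed sample in the RH-Firewall-1-INPUT layout (not a real host's rules).
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 7001 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7002 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 7003 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 7004 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

if __name__ == "__main__":
    print(missing_callback_rules(SAMPLE))
    print(check_iptables_file("/etc/sysconfig/iptables"))
```

The checker deliberately matches only on chain, protocol and port, so a rule that has been moved after the final REJECT would still count as present; verifying order is a separate check if the firewall file is managed by more than one component.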


Topic revision: r7 - 2015-11-03 - AristeidisBoutselis