[188] in Info-AFS_Redistribution
miscellaneous questions about AFS
daemon@ATHENA.MIT.EDU (Steven McElwee)
Wed Jul 3 12:42:02 1991
Date: Wed, 3 Jul 91 11:45:21 -0400
From: steven@mozart.ac.duke.edu (Steven McElwee)
To: Info-Afs@transarc.com
Hello!

We are thinking about incorporating AFS into an existing system of
Ultrix/RISC machines which currently consists of the following:

1. 4 DS/5000 servers (each with 64 MB RAM, 4 GB of hard disk)
2. 55 DS21/3100 workstation clients (each with 16 MB of RAM,
   104 MB internal hard drive).
3. About 1500 user accounts (most of which are active)
4. Uses Hesiod/Bind to distribute the password database
   (hence, the magic "local" password files are-
   /etc/passwd and /var/dss/namedb/src/passwd)
5. Is running Ultrix 4.2
6. Each workstation has a 20 MB partition on the internal drive
   which is currently unused and is anticipated to be the
   afs client caching area.

We have spent the past week in reading the AFS documentation and
in setting up a "test" cell involving a DS3100 as the database server
machine, system control machine, and binary distribution machine
and one DS2100 as an AFS client within the same cell. In the course of
this experimentation, a variety of questions have come up regarding the
implementation of AFS into the bigger DEC system described above. We are
hoping to take advantage of more experienced AFS folks like yourselves to
help us out with these questions which are:

1. While it is apparent that vfsck is necessary for all afs file partitions,
what about the cache directory for the AFS client? It is apparent to us
that one does not necessarily have to allocate an entire partition to
the cache. Instead one can use any directory in a ufs partition for cache.
In the case where a ufs file system is both a local ufs file system to the
machine and also "keeper" of the caching directory, can regular "fsck"
screw up the caching directory when this file system is fscked?

2. Another major issue we are facing involves the conversion of existing
unix accounts to AFS/Kerberos Authenticated accounts. From reading the
documentation, it is quite clear that the encrypted password string in the
"local password file" (in our case, "local password file" refers to
/etc/passwd and /var/dss/namedb/src/passwd) is incompatible with the
encrypted password string that is stored in the Authentication Database.
The difference between the two encryption methods appears to be that
AFS/kerberos combines the Cell Name with the user's password and then uses
DES Encryption to encrypt the resulting string with DES Encryption routines.
This encryption string is then stored in the Authentication Database. On the
other hand, Ultrix 4.2 uses the standard unix (CRC) routines to encrypt the
password. As I see it, the bottom line is that these two encryption methods,
quite understandably, are incompatible with one another. Does this mean
that we will have to reissue passwords to 1500 users or simply not convert
these users over to AFS?

3. If we elect to use "klog", what exactly happens if a user is not
authenticated and then is logged into the unix machine? Will this login
process use HESIOD/BIND to log in the user or is it hard-coded that only
"/etc/passwd" is checked?

4. If there is no relatively simple way of converting the existing unix
accounts into AFS accounts that avoids reissuing 1500 passwords to users,
what sort of problems would there be with not converting the existing
unix accounts and creating AFS accounts for all future accounts that are
created?

If some of these questions are repeats of prior questions,
please forgive us- we just got added to this distribution list about a
week ago. Thanks for all help in advance.
Steven McElwee
steven@mozart.ac.duke.edu