
Configuring your PC

How to configure a machine to use the RZG-infrastructure (afs, ntp and kerberos) efficiently.

General remarks

 

This document describes some configurations you should use on a PC that is installed within the IPP.

Do not use the NTP configuration given here if you have a laptop. NTP only works within IPP.

In order to keep the configuration of a client as stable as possible, we have introduced a couple of DNS aliases which point to the actual servers. It is good practice to use those aliases in your configuration, so that they don't have to be changed when some services are migrated.

Some services are also offered via DNS directly (SRV records). At the moment these are only useful for people working at Garching.

Note for Windows users :

These configurations are only for stand-alone Windows PCs. Do not use them if your PC is a member of one of the Active Directories (ipp.mpg.de or ipp-hgw.mpg.de).

Note for non-IPP users :

If you are not within IPP but want to use the AFS cell "ipp-garching.mpg.de", you should use the Kerberos and AFS client configuration for the location closest to you. If you are in doubt, use the location Garching.

NTP (Network Time Protocol) :

Do not use this NTP configuration if you have a laptop and also use it in external networks. This NTP configuration only works within IPP. Use the configuration recommended by your OS vendor if you want to use it outside IPP.

DNS-entries :

Garching :

Alias : time1.rzg.mpg.de, time2.rzg.mpg.de, time3.rzg.mpg.de

Round-Robin : time.rzg.mpg.de

Greifswald :

Alias : time1.ipp-hgw.mpg.de, time2.ipp-hgw.mpg.de, time3.ipp-hgw.mpg.de

Round-Robin : time.ipp-hgw.mpg.de

File Location on your PC:

  • UNIX: /etc/ntp.conf
  • Windows: click on the clock in the lower right corner and choose internet time server (Internetzeit)

Download :

Different distributions require different configurations for some aspects (e.g. driftfile). Therefore we do not supply a standard configuration. Please use the snippets below to modify your preinstalled /etc/ntp.conf file.

Snippets :

If you want to configure your client differently, only the snippets below are relevant to you :

Garching, UNIX:

restrict default ignore
restrict 127.127.1.0 mask 255.255.255.255
server 127.127.1.0            # local clock (LCL)
fudge 127.127.1.0  stratum 10 # LCL is unsynchronized
restrict 127.0.0.1 mask 255.255.255.255

# NTP-Servers at Garching
restrict time1.rzg.mpg.de mask 255.255.255.255
restrict time2.rzg.mpg.de mask 255.255.255.255
restrict time3.rzg.mpg.de mask 255.255.255.255
server time1.rzg.mpg.de
server time2.rzg.mpg.de
server time3.rzg.mpg.de

Greifswald, UNIX :

restrict default ignore
restrict 127.127.1.0 mask 255.255.255.255
server 127.127.1.0              # local clock (LCL)
fudge  127.127.1.0 stratum 10   # LCL is unsynchronized
restrict 127.0.0.1 mask 255.255.255.255

# NTP-Servers at Greifswald
restrict time1.ipp-hgw.mpg.de mask 255.255.255.255
restrict time2.ipp-hgw.mpg.de mask 255.255.255.255
restrict time3.ipp-hgw.mpg.de mask 255.255.255.255
server time1.ipp-hgw.mpg.de
server time2.ipp-hgw.mpg.de
server time3.ipp-hgw.mpg.de

To activate these changes, restart your ntp-client (typically with /etc/init.d/ntp restart).
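Because the snippets above open with "restrict default ignore", a server line added later without its own restrict line is silently dropped by ntpd and the client never synchronises to it. The following check is an added example, not part of the original page; it runs over a constructed copy of the Garching snippet in which time3 is listed as a server but has no restrict line:

```python
# Constructed input: the Garching snippet from this page, with the server
# time3 kept but its restrict line removed (a common slip when editing a
# file that starts with "restrict default ignore").
NTP_CONF = """\
restrict default ignore
restrict 127.127.1.0 mask 255.255.255.255
server 127.127.1.0            # local clock (LCL)
fudge 127.127.1.0  stratum 10 # LCL is unsynchronized
restrict 127.0.0.1 mask 255.255.255.255

# NTP-Servers at Garching
restrict time1.rzg.mpg.de mask 255.255.255.255
restrict time2.rzg.mpg.de mask 255.255.255.255
server time1.rzg.mpg.de
server time2.rzg.mpg.de
server time3.rzg.mpg.de
"""

def parse_ntp_conf(text):
    """Return (servers, restricted hosts, default-ignore flag) from ntp.conf text."""
    servers, restricted, default_ignore = [], set(), False
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()     # drop comments and blank lines
        if not words:
            continue
        if words[0] == "server" and len(words) > 1:
            servers.append(words[1])
        elif words[0] == "restrict" and len(words) > 1:
            if words[1] == "default":
                default_ignore = "ignore" in words[2:]
            else:
                restricted.add(words[1])
    return servers, restricted, default_ignore

def check_ntp_conf(text):
    """List deviations from the page's pattern: the default-ignore line itself,
    and every configured server that has no restrict line of its own (under
    "restrict default ignore" ntpd discards that server's replies)."""
    servers, restricted, default_ignore = parse_ntp_conf(text)
    problems = []
    if not default_ignore:
        problems.append("missing 'restrict default ignore'")
    problems += [f"server {h} has no restrict line" for h in servers
                 if h not in restricted]
    return problems

if __name__ == "__main__":
    for problem in check_ntp_conf(NTP_CONF):
        print("WARNING:", problem)
```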

Garching, Windows :

enter time.rzg.mpg.de for the internet-timeserver (Internetzeit)

Greifswald, Windows :

enter time.ipp-hgw.mpg.de for the internet-timeserver (Internetzeit)

Kerberos :

DNS-entries :

Garching :

Alias : kerberos1.rzg.mpg.de, kerberos2.rzg.mpg.de, kerberos3.rzg.mpg.de

Round-Robin: kerberos.rzg.mpg.de

Greifswald :

Alias : kerberos1.ipp-hgw.mpg.de, kerberos2.ipp-hgw.mpg.de

Round-Robin : kerberos.ipp-hgw.mpg.de

SRV records available: you can also configure your client to get this information from DNS, but then you will get the servers located in Garching, which is not what you want when you are sitting in Greifswald.

File location on your PC:

  • UNIX: /etc/krb5.conf or /etc/krb5/krb5.conf
  • Windows:
    • MIT KfW: C:\WINDOWS\krb5.ini
    • Heimdal (recommended): C:\ProgramData\Kerberos

Download :

Download standard configuration for your client :

OS \ Location        Garching    Greifswald
Linux                krb5.conf   krb5.conf
Solaris              krb5.conf   krb5.conf
Windows/KfW (MIT)    krb5.ini    krb5.ini
Windows/Heimdal      krb5.conf   krb5.conf

Snippets :

If you want to configure your client differently, the snippets might help you :

Garching :

Clients in Garching should use the following realm definition:

[realms]
IPP-GARCHING.MPG.DE = {
        kdc = kerberos.rzg.mpg.de
        kdc = kerberos1.rzg.mpg.de
        kdc = kerberos2.rzg.mpg.de
        kdc = kerberos3.rzg.mpg.de
        admin_server = kerberos1.rzg.mpg.de
        default_domain = rzg.mpg.de       
}       
[domain_realm]
        rzg.mpg.de = IPP-GARCHING.MPG.DE
        .rzg.mpg.de = IPP-GARCHING.MPG.DE
        ipp.mpg.de = IPP-GARCHING.MPG.DE
        .ipp.mpg.de = IPP-GARCHING.MPG.DE
        ipp-hgw.mpg.de = IPP-GARCHING.MPG.DE
        .ipp-hgw.mpg.de = IPP-GARCHING.MPG.DE
        ipp-garching.mpg.de = IPP-GARCHING.MPG.DE
        .ipp-garching.mpg.de = IPP-GARCHING.MPG.DE

Greifswald :

Clients in Greifswald should use :

[realms]
IPP-GARCHING.MPG.DE = {
        kdc = kerberos.ipp-hgw.mpg.de
        kdc = kerberos1.ipp-hgw.mpg.de
        kdc = kerberos2.ipp-hgw.mpg.de
        kdc = kerberos1.rzg.mpg.de
        admin_server = kerberos1.rzg.mpg.de
        default_domain = rzg.mpg.de
}
[domain_realm]
        rzg.mpg.de = IPP-GARCHING.MPG.DE
        .rzg.mpg.de = IPP-GARCHING.MPG.DE
        ipp.mpg.de = IPP-GARCHING.MPG.DE
        .ipp.mpg.de = IPP-GARCHING.MPG.DE
        ipp-hgw.mpg.de = IPP-GARCHING.MPG.DE
        .ipp-hgw.mpg.de = IPP-GARCHING.MPG.DE
        ipp-garching.mpg.de = IPP-GARCHING.MPG.DE
        .ipp-garching.mpg.de = IPP-GARCHING.MPG.DE

 
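As an added example (not from the original page), the following parses the Greifswald snippet above and maps hostnames to a realm the way MIT Kerberos walks [domain_realm]: the exact hostname is tried first, then each parent domain with a leading dot. This is why every domain is listed twice, once bare and once with the dot. The input is a constructed, shortened copy of the snippet:

```python
# Constructed input: the Greifswald krb5.conf snippet from this page, shortened.
KRB5_CONF = """\
[realms]
IPP-GARCHING.MPG.DE = {
        kdc = kerberos.ipp-hgw.mpg.de
        kdc = kerberos1.ipp-hgw.mpg.de
        kdc = kerberos2.ipp-hgw.mpg.de
        kdc = kerberos1.rzg.mpg.de
        admin_server = kerberos1.rzg.mpg.de
}
[domain_realm]
        rzg.mpg.de = IPP-GARCHING.MPG.DE
        .rzg.mpg.de = IPP-GARCHING.MPG.DE
        .ipp-hgw.mpg.de = IPP-GARCHING.MPG.DE
"""

def parse_krb5_conf(text):
    """Return {"realms": {REALM: {key: [values]}}, "domain_realm": {domain: REALM}}."""
    conf = {"realms": {}, "domain_realm": {}}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # comments and blanks fall through
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif line == "}":
            realm = None                             # end of a REALM = { ... } block
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if section == "realms" and val == "{":
                realm = key
                conf["realms"].setdefault(realm, {})
            elif section == "realms" and realm:
                conf["realms"][realm].setdefault(key, []).append(val)
            elif section == "domain_realm":
                conf["domain_realm"][key.lower()] = val
    return conf

def realm_for_host(conf, host):
    """Exact hostname first, then ".parent.domain" for each parent, as MIT does."""
    host = host.lower().rstrip(".")
    mapping = conf["domain_realm"]
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None            # no static mapping; MIT would fall back to DNS or heuristics
```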

AFS-Client:

The OpenAFS client requires mainly two configurations: the cell it belongs to (ThisCell) and where to find the AFS database servers.

The configuration of the cache is complex and should only be touched by experienced users.

Please consult the documentation of your distribution on how to install your client. The packages themselves you may find in your distribution or at www.openafs.org. Unix users should use version 1.4.x, Windows users the latest version from www.openafs.org. A short installation guide for Windows is given here.

If you change any of the parameters described below, do not forget to restart the AFS client.

More information about AFS at IPP is given here.

AFS-ThisCell

File-location on your PC :

Unix: /usr/vice/etc/ThisCell or /etc/openafs/ThisCell

Windows : C:\Programme\OpenAFS\Client\ThisCell

This file should contain only "ipp-garching.mpg.de" without a newline character.

Download ThisCell.

AFS-Database-servers:

DNS-entries:

SRV records. Clients using the DNS servers in Greifswald will be directed to AFS database servers in Greifswald; those using the DNS servers in Garching will be directed to servers located in Garching.

File-location on your PC :

Unix: /usr/vice/etc/CellServDB or /etc/openafs/CellServDB

Windows : C:\Programme\OpenAFS\Client\CellServDB 

Download :

Download standard configuration for your client :

OS \ Location   Garching     Greifswald
all             CellServDB   CellServDB

Snippets :

Here is the snippet relevant for the AFS cell "ipp-garching.mpg.de". Other cells can be taken from other sources.

Garching : 

>ipp-garching.mpg.de    #Institut fuer Plasmaphysik
130.183.9.5                     #afs-db1.rzg.mpg.de
130.183.100.10                  #afs-db2.aug.ipp-garching.mpg.de
130.183.14.14                   #afs-db3.bc.rzg.mpg.de

Greifswald :

>ipp-garching.mpg.de    #Institut fuer Plasmaphysik
194.94.214.4                    #greif-01.ipp-hgw.mpg.de
194.94.214.140                  #afs-db-hgw.ipp-hgw.mpg.de
130.183.9.5                     #afs-db1.rzg.mpg.de
130.183.14.14                   #afs-db3.bc.rzg.mpg.de
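Added example, not part of the original page: a parser for the CellServDB format used in the Garching and Greifswald snippets above (a ">cell #comment" line followed by one "IP #hostname" line per database server). It runs over a constructed input containing the Greifswald entry plus a hypothetical second cell with a malformed address line, so a typo is flagged before the client reads the file:

```python
import ipaddress

# Constructed input: the Greifswald CellServDB snippet from this page, plus a
# hypothetical second cell (example.cell.invalid) with one malformed address line.
CELLSERVDB = """\
>ipp-garching.mpg.de    #Institut fuer Plasmaphysik
194.94.214.4                    #greif-01.ipp-hgw.mpg.de
194.94.214.140                  #afs-db-hgw.ipp-hgw.mpg.de
130.183.9.5                     #afs-db1.rzg.mpg.de
130.183.14.14                   #afs-db3.bc.rzg.mpg.de
>example.cell.invalid   #hypothetical second cell
192.0.2.10                      #db1.example.cell.invalid
not-an-ip                       #typo that would confuse the client
"""

def parse_cellservdb(text):
    """Return ({cell: [(ip, hostname), ...]}, [error strings]).

    A line starting with '>' opens a cell (name, then a '#' comment); each
    following line names one database server: its IP, then '#' and hostname.
    """
    cells, errors, cell = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):
            cell = line[1:].split("#", 1)[0].strip()
            cells[cell] = []
            continue
        if cell is None:
            errors.append(f"line {lineno}: server line before any '>cell' line")
            continue
        addr, _, comment = line.partition("#")
        try:
            ip = str(ipaddress.ip_address(addr.strip()))   # rejects typos, hostnames
        except ValueError:
            errors.append(f"line {lineno}: invalid address {addr.strip()!r}")
            continue
        cells[cell].append((ip, comment.strip()))
    return cells, errors

if __name__ == "__main__":
    cells, errors = parse_cellservdb(CELLSERVDB)
    for name, servers in cells.items():
        print(name, "->", [ip for ip, _ in servers])
    for err in errors:
        print("ERROR:", err)
```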

CellAlias

A cell alias is a shortcut in the /afs directory. The (here) most well-known one is /afs/ipp for /afs/ipp-garching.mpg.de.

File-location on your PC :

Unix: /usr/vice/etc/CellAlias or /etc/openafs/CellAlias

Windows : Registry-Key [HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks] (details)

Download :

Download standard configuration for your client :

OS \ Location   IPP
Unix            CellAlias
Windows         see snippets below

Snippets :

Here is the snippet relevant for the AFS cell "ipp-garching.mpg.de". Other cells can be taken from other sources.

Unix :

ipp-garching.mpg.de ipp
ipp-garching.mpg.de rzg.mpg.de
ipp-garching.mpg.de rzg
ipp-garching.mpg.de @cell
mpa-garching.mpg.de mpa
mpe.mpg.de mpe

Windows :

Warning! Only do this when you know what you are doing!

You need to add the following entries of type "REG_SZ" (Zeichenfolge) to the registry key [HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks] :

(Do not forget the trailing dots "." !)

ipp:ipp-garching.mpg.de.
.ipp:.ipp-garching.mpg.de.

Firewall

AFS is a distributed filesystem. For performance reasons, files are cached locally on the client. Therefore a fileserver needs to be able to inform your client that a file it has cached has been changed by another client and the local copy must be discarded. For this to work, the fileservers need to be able to talk to the client on port UDP/7001. Please make sure that your personal firewall allows incoming packets on this port.

 

Login using PAM (UNIX only, newer MacOS is UNIX)

This section is about getting the credentials (Kerberos ticket, AFS token) directly at login by means of PAM (Pluggable Authentication Mechanism).

! If you install this, you need to use your userid and password from RZG to log in to your PC/laptop.

We recommend the use of pam-krb5 and pam-afs-session from Russ Allbery at Stanford.

You can get those at :

http://www.eyrie.org/~eagle/software/pam-afs-session/

http://www.eyrie.org/~eagle/software/pam-krb5/

 

Notes:

Some Linux distributions already ship packaged versions of those. Unfortunately, there also exists another pam_krb5 package which is not written by Russ Allbery and is not compatible with this way of doing things. Using rpm, you can check this with rpm -qi pam_krb5.

For compiling you might need to install the krb5-devel or equivalent package.

You need to install pam_afs_session.so and pam_krb5.so in the same directory as the other PAM libraries, e.g. pam_unix2.so.

After compiling, you need to activate them in /etc/pam.d/login (for text login), /etc/pam.d/[egk]dm (for graphical login) or /etc/pam.d/sshd (for sshd); the exact mechanism depends on your UNIX flavour.

ATTENTION: pam-afs-session needs the binary "aklog" to work. This should be included with your openafs-client installation.

As an example, /etc/pam.d/login could look like this, but do not just copy this over your existing pam file! The important lines are marked with # XXX.

For further documentation, read the respective README.html on the web pages given above.

#%PAM-1.0
auth     required       pam_env.so
auth     sufficient     pam_krb5.so  minimum_uid=500    # XXX
auth     required       pam_unix2.so    # set_secrpc
auth     required       pam_nologin.so
account  required       pam_unix2.so
account  required       pam_nologin.so
account  required       pam_access.so
password required       pam_pwcheck.so
password required       pam_unix2.so    use_first_pass use_authtok
session  required       pam_unix2.so    none # trace or debug
session  optional	pam_krb5.so      # XXX
session  optional       pam_afs_session.so ignore_root program=/usr/bin/aklog   # XXX
session  required       pam_limits.so
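An added check, not from the original page, that parses a pam.d file and verifies the three # XXX lines are wired as in the example above: pam_krb5 present in the auth group, and pam_krb5 listed before pam_afs_session in the session group, since aklog needs the ticket cache that pam_krb5's session phase sets up. The input is a constructed copy of the example reduced to its auth and session groups:

```python
# Constructed input: the /etc/pam.d/login example from this page, trimmed to
# the auth and session groups that contain the three "# XXX" lines.
PAM_LOGIN = """\
#%PAM-1.0
auth     required       pam_env.so
auth     sufficient     pam_krb5.so  minimum_uid=500    # XXX
auth     required       pam_unix2.so    # set_secrpc
auth     required       pam_nologin.so
session  required       pam_unix2.so    none # trace or debug
session  optional       pam_krb5.so      # XXX
session  optional       pam_afs_session.so ignore_root program=/usr/bin/aklog   # XXX
session  required       pam_limits.so
"""

def parse_pam(text):
    """Return [(type, control, module, [options])] for each rule line."""
    rules = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()     # "#%PAM-1.0" and "# XXX" drop out
        if len(words) >= 3:
            rules.append((words[0], words[1], words[2], words[3:]))
    return rules

def check_pam_stack(text):
    """Report what is missing or misordered relative to the page's example."""
    rules = parse_pam(text)
    auth = [r[2] for r in rules if r[0] == "auth"]
    session = [r[2] for r in rules if r[0] == "session"]
    problems = []
    if "pam_krb5.so" not in auth:
        problems.append("auth: pam_krb5.so missing, no Kerberos ticket at login")
    if "pam_krb5.so" not in session:
        problems.append("session: pam_krb5.so missing, ticket cache not set up")
    if "pam_afs_session.so" not in session:
        problems.append("session: pam_afs_session.so missing, no AFS token")
    elif ("pam_krb5.so" in session and
          session.index("pam_afs_session.so") < session.index("pam_krb5.so")):
        problems.append("session: pam_afs_session.so listed before pam_krb5.so, "
                        "aklog would run before the ticket cache exists")
    return problems

if __name__ == "__main__":
    print(check_pam_stack(PAM_LOGIN) or "pam stack matches the example")
```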

 
