4th Ed. test Cpu/auth server setup


The cpu/auth server is the first machine that should be installed when setting up a Plan 9 network. A good overview of the process is available from the Bell Labs Plan 9 Wiki page "configuring a standalone CPU server". Before upgrading our existing 3rd Ed. network to the 4th Ed. we set up a test auth/cpu server. What follows are the notes from that process.

During the diskprep stage of the install we add an nvram partition. To do this, use "p" to print the partition table. We are interested in the default fs partition, which we are going to decrease in size to make room for the nvram partition. For us the fs partition starts at 20482 and ends at 16826619. To change the partitions, enter commands like:

	d fs
	a fs 20382 16826618
	a nvram 16826618 16826619
	w
	q

After doing the install, the next thing to do is add the account of the cpu owner. Information on adding users can be found in the configuration page.

Log in as "glenda" and turn off permission checking on the kfs file system:

	disk/kfscmd allow

Add a line like

	10002:bootes:bootes

to /adm/users, run kfscmd user to read the user database back into kfs, and then run

	disk/kfscmd 'create /usr/bootes bootes bootes 775 d'
	disk/kfscmd 'create /mail/box/bootes bootes upas 775 d'
	disk/kfscmd 'create /mail/box/bootes/mbox bootes upas 622 al'

to set up bootes's home directory and mail box.

Turn filesystem checking back on and halt the filesystem:

	disk/kfscmd halt

Now reboot the machine using ctrl-alt-del and log in as bootes (note that the window system will not start at this point). Next run

	/sys/lib/newuser
to set up a profile and start the window system.

Build and install an auth server kernel. We made modifications to the pcauth file to support more hardware. We also added the etherga620.c driver to support the acenic cards.

	disk/kfscmd allow
	cd /sys/src/9/pc
	mk 'CONF=pcauth' 9pcauth
	9fat:
	cp 9pcauth /n/9fat/9pcauth
	disk/kfscmd disallow
	disk/kfscmd sync

Modify /n/9fat/plan9.ini to use the new kernel.

Invalidate the nvram using:

	echo somegarbagehere > /dev/sd00/nvram

The next step is to set up networking by editing /rc/bin/cpurc and /lib/ndb/local as described in the Getting Started with Plan 9 paper.

It is important to add an authdom line to /lib/ndb/local to make 4th Ed. authentication work. Note that we had to have a class B section in both ndb files since we have class B addresses.

The next step is to make a number of changes to /rc/bin/cpurc as outlined in the Getting Started with Plan 9 paper, including enabling dhcp and tftp for the booting of diskless clients. Our cpurc includes sections from termrc in order to run rio on the auth server.

Generate ssh keys.

Set up /lib/ndb/auth so that the cpu owner user is allowed to become any user:

	hostid=bootes
	uid=!sys uid=!adm uid=*
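
The entry above lets bootes speak for every user except sys and adm. The following Python model is an added example, not part of the original notes or Plan 9's own code; parse_ndb, speaks_for, audit and the comparison rule are illustrative names, and the matching semantics are an assumption stated in the comments.

```python
# Added example: a Python model of the speaks-for check for /lib/ndb/auth.
# Assumed semantics: a host id always speaks for itself; uid=!name denies
# name even when uid=* is present; uid=* or uid=name allows; otherwise deny.

def parse_ndb(text):
    """Split ndb text into entries; indented lines continue the entry above."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        if not line.strip():
            continue
        pairs = [tuple(tok.split("=", 1)) for tok in line.split() if "=" in tok]
        if line[0] in " \t" and entries:
            entries[-1].extend(pairs)
        else:
            entries.append(pairs)
    return entries

def speaks_for(entries, hostid, user):
    """Return True if hostid may act as user under the assumed semantics."""
    if hostid == user:
        return True
    for entry in entries:
        if ("hostid", hostid) not in entry:
            continue
        uids = [val for attr, val in entry if attr == "uid"]
        if "!" + user in uids:               # explicit exclusion wins
            return False
        return "*" in uids or user in uids
    return False                             # no entry for this host id

# The entry from these notes, plus a constructed variant without exclusions.
NOTES_RULE = "hostid=bootes\n\tuid=!sys uid=!adm uid=*\n"
LOOSE_RULE = "hostid=bootes\n\tuid=*\n"      # constructed for comparison

def audit(text, hostid, users):
    entries = parse_ndb(text)
    return {u: speaks_for(entries, hostid, u) for u in users}

if __name__ == "__main__":
    users = ["glenda", "sys", "adm", "bootes"]   # sample user names
    print("notes rule:", audit(NOTES_RULE, "bootes", users))
    print("loose rule:", audit(LOOSE_RULE, "bootes", users))
```

Dropping the two negated uid values, as in the constructed variant, would let the cpu owner act as sys and adm as well.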

Set up custom authentication services for the cpu/auth server:

	disk/kfscmd allow
	cp /rc/bin/service.auth/authsrv.il566 /rc/bin/service.auth/il566
	cp /rc/bin/service.auth/authsrv.tcp567 /rc/bin/service.auth/tcp567
	mv /rc/bin/service/il566 /rc/bin/service/_il566
	mv /rc/bin/service/tcp567 /rc/bin/service/_tcp567
	echo '#!/bin/cpu -R' > /rc/bin/service/il17010
	echo '#!/bin/cpu -R' > /rc/bin/service/tcp17010
	chgrp sys /rc/bin/service/*17010
	chgrp -u sys /rc/bin/service/*17010
	chmod +x /rc/bin/service/*17010
	disk/kfscmd disallow
	disk/kfscmd sync

Connect the Gigabit ethernet fibres and reboot the machine. After the reboot it will ask for the passwd of the cpu owner user (bootes), secstore key, authentication id (bootes) and an authentication domain (acl.lanl.gov). Make sure the authentication id matches the authdom in /lib/ndb/local.

Now add some user accounts using auth/changeuser, in particular an account for bootes:

	auth/enable bootes
	auth/changeuser bootes

At this point you should be able to connect to the cpu/auth server using a 4th Ed. terminal.

Last Modified: May 27 2002
dpx@acl.lanl.gov