AFS servers are quite important to us because they hold most of our important data. The largest logical unit of AFS is the cell, which represents a site installation. The cell "lives" in /afs/cellname, so ours is in /afs/ugcs.caltech.edu. For convenience, /afs/ugcs and /afs/.ugcs are symlinks to /afs/ugcs.caltech.edu.
AFS has several different types of servers. They are generically split into database servers and file servers; a given machine can be a database server, a file server, or both. For UGCS, apollo, athena, and hermes are our AFS database servers. They are also our three AFS file servers. Although we may add AFS file servers in the future, we won't need more database servers.
Database servers run three databases (each as its own bos process):
- volume location database (vldb, vlserver) - maps each volume to the file server(s) holding it
- protection database (pts, ptserver) - user and group information
- backup database (budb, buserver) - maintains backup information
File servers run the file server process itself (fileserver, along with its companion volserver).
Servers are configured by files in /etc/openafs/server. They have their own CellServDB that just lists the database servers for this cell. The other key piece is the KeyFile, which holds the cell's AFS service key (the same key as the cell's afs Kerberos principal) that the servers use to authenticate to each other; every server has the same one. Thus if one server is rooted, the attacker has the cell key and can forge AFS tokens for any user, which means full read and write access to everything in the cell. A root compromise of any one AFS server therefore has to be treated as a compromise of the whole cell: the key must be changed on every server, not just the one that was rooted. The KeyFile should be readable by root only.
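Two checks that follow from the above, as an added example (not UGCS's own tooling): parse a server-side CellServDB and confirm it lists exactly the database servers we expect, and confirm a KeyFile is not readable by anyone but its owner. The CellServDB format is the real one (a ">cell #comment" header, then one "address #hostname" line per database server); the addresses, the expected host set, and the temporary stand-in KeyFiles are constructed for the example.

```python
"""Sanity checks for an OpenAFS server's /etc/openafs/server directory.

Added example for this page, not UGCS's own scripts.  The CellServDB
syntax is real; the addresses and the placeholder KeyFiles are made up.
"""
import os
import stat
import tempfile

# Constructed sample of a server-side CellServDB for this cell.
# The 10.0.0.x addresses are placeholders, not UGCS's real ones.
SAMPLE_CELLSERVDB = """\
>ugcs.caltech.edu       #Caltech UGCS
10.0.0.1                #apollo.ugcs.caltech.edu
10.0.0.2                #athena.ugcs.caltech.edu
10.0.0.3                #hermes.ugcs.caltech.edu
"""

# The database servers this page says the cell has (assumed FQDNs).
EXPECTED_DBSERVERS = {"apollo.ugcs.caltech.edu",
                      "athena.ugcs.caltech.edu",
                      "hermes.ugcs.caltech.edu"}


def parse_cellservdb(text):
    """Return {cell: [(address, hostname), ...]} from CellServDB text."""
    cells = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):
            # Cell header: ">cellname   #optional comment"
            current = line[1:].split("#", 1)[0].strip()
            cells[current] = []
            continue
        if current is None:
            raise ValueError("server line before any cell header: %r" % raw)
        # Server line: "address   #hostname"
        addr, _, comment = line.partition("#")
        cells[current].append((addr.strip(), comment.strip()))
    return cells


def check_dbservers(text, cell, expected):
    """Compare the db servers listed for `cell` with the expected set.
    Returns (missing, unexpected) hostname sets; both empty means OK."""
    listed = {host for _, host in parse_cellservdb(text).get(cell, [])}
    return expected - listed, listed - expected


def keyfile_mode_ok(path):
    """The KeyFile is the cell-wide secret, so it must be a regular file
    readable and writable by its owner only (mode 0600).  It must also be
    owned by root; that is not checked here so the example runs unprivileged."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600


def keyfile_demo():
    """Create two placeholder KeyFiles (not real keys) with different modes
    and report which one passes the permission check."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("KeyFile", 0o600), ("KeyFile.bad", 0o644)):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"\x00" * 8)  # placeholder bytes, not a real key
            os.chmod(p, mode)
            results[name] = keyfile_mode_ok(p)
    return results


if __name__ == "__main__":
    missing, extra = check_dbservers(SAMPLE_CELLSERVDB, "ugcs.caltech.edu",
                                     EXPECTED_DBSERVERS)
    print("missing db servers:", sorted(missing) or "none")
    print("unexpected db servers:", sorted(extra) or "none")
    for name, ok in keyfile_demo().items():
        print("%s mode ok: %s" % (name, ok))
```

Run on a real server by reading /etc/openafs/server/CellServDB into check_dbservers and pointing keyfile_mode_ok at /etc/openafs/server/KeyFile; a non-empty "unexpected" set means a stale or rogue database server entry, which is exactly the kind of drift worth alerting on.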
We now monitor several key AFS services with Nagios. Among them are: