Quick reference guide Scientific Linux for DESY


12. The AFS file system and Kerberos

The AFS file system comes with extended access control at the directory level. See fs to list and set ACLs. UNIX group and other permission modes (see chmod) are not respected!

Some AFS features can be used as an authenticated user only. Such a user has a valid AFS token, which can be derived from a valid Kerberos ticket. Most authentication methods are configured to generate both an AFS token and a Kerberos ticket, while for AFS alone only the token is required. Tokens and tickets have a default lifetime of 25 h.

Kerberos comes in several implementations with similar functionality and mostly identical commands. On Linux systems the Heimdal and MIT implementations are widely used. Both versions can be installed in parallel. Below both the MIT and the Heimdal versions of commands are documented, if they differ.

acrontab [-elr] NZ
Execute a cronjob with a valid Kerberos ticket and AFS token. To use this facility for the first time, contact your sysadmin. Edit (-e), list (-l), or remove (-r) acrontab files. For the Hamburg site please see k5crontab. The format of an acrontab line is
  minute     hour       day        month      weekday   host  command
  (0-59, *)  (0-23, *)  (1-31, *)  (1-12, *)  (0-6, *)
aklog
Obtain tokens for authentication to AFS. Only required after the MIT kinit or if an AFS token was destroyed.
arcx recover [-h] [-n] [-d|-v] [YYYYMMDD] volume NZ
arcx recover [-h] [-n] [-d|-v] [YYYYMMDD] [volume] file  
Recover a whole AFS volume or a single file from the backup with backup date YYYYMMDD. Implemented for TSM backup (Zeuthen) only. The option -h gives more help; -n does not actually recover but shows what would be done. -d and -v increase the verbosity.
fs subcommand [arguments]
Suite of commands to list, set and delete AFS ACLs.
  fs help [subcommand]                 get help [on subcommand]
  fs listacl [dir_or_file]             list ACLs
  fs setacl dir ACL[s]                 set ACL[s] for dir
  fs setacl -dir dir[s] -acl ACL[s]    set ACL[s] for dir[s]
  fs copyacl source_dir dest_dir[s]    copy ACL from source_dir to dest_dir[s]

where each ACL consists of a user or protection group name followed by a space and letters representing access control rights as follows:
  r  read     l  lookup   i  insert   a  administer
  w  write    k  lock     d  delete

The shorthand forms write (rlidwk), read (rl), all (rlidwka) and none (remove entry) can be used to describe access rights.
The suite can also be used to obtain other file server information.
  fs listquota [dir_or_file]           list file quota for the AFS volume
  fs whereis file                      list the file server housing file
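As an added example (not part of the DESY guide), a small Python audit script that parses the output of fs listacl, expands the shorthand rights named above into the rlidwka letters, and flags broad groups such as system:anyuser that hold insert, delete, write, lock or administer rights on a directory; the sample listing, path and user names are constructed.

```python
"""Audit AFS directory ACLs as printed by `fs listacl`.

Constructed sample output and a hypothetical audit helper; not DESY's tooling.
"""

# Rights letters in the order the fs reference lists them, plus shorthand names.
RIGHTS = "rlidwka"
SHORTHAND = {"read": "rl", "write": "rlidwk", "all": "rlidwka", "none": ""}
# Rights that let a principal change a directory; risky for broad groups.
MODIFY = set("idwka")

def expand(rights: str) -> str:
    """Return rights in canonical rlidwka order, expanding shorthand names."""
    letters = SHORTHAND.get(rights, rights)
    if not set(letters) <= set(RIGHTS):
        raise ValueError(f"unknown AFS right in {rights!r}")
    return "".join(c for c in RIGHTS if c in letters)

def parse_listacl(text: str) -> dict:
    """Parse `fs listacl` output into {"normal": {...}, "negative": {...}}."""
    acl = {"normal": {}, "negative": {}}
    section = None
    for line in text.splitlines():
        if line.startswith("Normal rights:"):
            section = "normal"
        elif line.startswith("Negative rights:"):
            section = "negative"
        elif section and line.strip():
            name, rights = line.split()
            acl[section][name] = expand(rights)
    return acl

def risky_entries(acl: dict) -> list:
    """Broad groups holding modify rights (i, d, w, k or a) in the normal list."""
    broad = ("system:anyuser", "system:authuser")
    return [n for n in broad if MODIFY & set(acl["normal"].get(n, ""))]

# Constructed sample output; path and names are placeholders, not real DESY data.
SAMPLE = """Access list for /afs/example.org/user/j/jdoe/public is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwk
  jdoe rlidwka
Negative rights:
  badguy rl
"""

if __name__ == "__main__":
    for name in risky_entries(parse_listacl(SAMPLE)):
        print(f"WARNING: {name} may modify this directory")
```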
k5crontab [-el] NH
Execute a cronjob with a valid Kerberos ticket and AFS token. Edit (-e) or list (-l) k5crontab files. A sample k5crontab entry is displayed with -l. For the Zeuthen site please see acrontab.  
kdestroy [cell_name]
Destroy the Kerberos tickets. Heimdal: also destroy AFS tokens.  
kinit [-l time] [-R] [principal]
Acquire a new Kerberos5 ticket. Destroys all previously existing tokens and tickets. A ticket with a lifetime of time can be issued and an existing ticket can be renewed (-R). Tickets for other realms can be issued if a principal of the form username@OTHER.REALM is given. The Heimdal version of the command also creates an AFS token. For MIT versions see aklog.  
klist [options]
List Kerberos credentials. MIT: Is silent if -s is given and tests if a valid ticket granting ticket (TGT) exists. Heimdal: Test (-t) if a valid ticket granting ticket (TGT) exists and be quiet, be verbose (-v) or display AFS tokens (-T).  
k5log [-c afs_cell] [principal]
Obtain a new AFS token. Should only be used to obtain additional tokens in other AFS cells, using a principal username and a cell other.cell. Many services require a Kerberos5 ticket; for those kinit is required. The old command klog may still work and tries to use Kerberos 4 authentication as well.
lsmount [-hqt] [-p] volname or path NZ
Display the mount point(s) for a given volume name or path. With -p the argument is interpreted as a path, even if a volume of the same name exists. Can display the whole mount tree (-t) containing volname or path, together with quota and usage numbers (-q). Show a short help using -h.
pts subcommand [arguments]
Suite of commands to list, create, modify and delete AFS (protection) groups.
For a list of subcommands use pts help, for help on specific subcommands pts help [subcommand] can be typed.
tklife NZ
Warn the user if tokens or tickets expire within an hour or are already expired.
tokens
Display AFS tokens and their lifetime. See also klist.
unlog [-c cell_name]
Destroy the AFS tokens.  
