How to use AFS (Andrew File System)

If you have your home directory in AFS, or in some other way work with directories in AFS, you should know what is described here about AFS.

To find out whether a certain directory is in AFS, issue the command "df directory". If it is an AFS file system, AFS is written in the column to the far left. If you want to know if your home directory is in AFS, you can type "df ~".

D.1 Differences compared to UFS (Unix File System)

The following are the most important differences between AFS and normal UNIX file systems:

D.1.1 File access works differently

The access rights are governed at the directory level by access control lists, one for each directory. An access list indicates who can do what with all the files in the directory. Access control lists are described in section D.2.

D.1.2 Output from the command ls does not show file protection

For each file, only the first three file protection codes shown by the command ls are used. In AFS these codes show whether or not the file is protected for all who have the corresponding rights through the access control list for the directory.

D.1.3 A home directory problem with file protection

The system with file protection at the directory level causes a problem in directories which need to include both private and public files. This is primarily a problem pertaining to the top level of a user's home directory. How to solve this problem is described in section D.3.

D.1.4 A Kerberos ticket is required

The use of AFS files requires that you have authenticated yourself with the security system Kerberos: You need a valid Kerberos ticket for AFS. You get one automatically when you log on, but sometimes you need to get one manually. One such case is when you log on to another computer using SSH or telnet. Often, the tickets are not forwarded to the other computer, so you need to get a new one. Another case is when the ticket ceases to be valid, normally after 10 hours. You use the command kauth to identify yourself to Kerberos and get an AFS ticket. The command klist is used to show what Kerberos ticket you have.

D.1.5 Quota is used

Each AFS volume has a limit for the disk space it is allowed to use. This is called quota. Quota can be used in ordinary UNIX file systems, but so far this has not been used at KTH. KTH ITA handles changes to the quota for a volume. The command

fs listquota folder_name

shows the quota for the volume (storage unit) where the directory is and shows how much of the quota is being used at the moment. (listquota can be abbreviated lq.)

D.1.6 The last backup is available on line for about 24 hours

Every night your files are backed up to tape. At the same time, a snapshot of every volume is created, and this "frozen" volume is available during the next day. In your home directory, the backup is available under the directory OldFiles. If you make an error - remove a file, change a file's contents by mistake - and discover this the same day, you can get yesterday's version from the directory OldFiles.

In other directories you can use the fs exa command to find out which volume the directory is stored on. Then you issue the command

fs mkm directory volumename.backup

to access the backup volume. After you copy the files, you use

fs rmm directory

to unmount the backup volume.

D.2 Access control lists

Each directory in AFS is associated with an access control list, ACL, that defines who is allowed to do what with the files in that directory. There are seven different actions for a directory and the files within, for which AFS governs the rights.

Letter  Meaning     Effect
r       read        Read the files in the directory
l       list        List the files in the directory
i       insert      Create new files in the directory
d       delete      Delete files from the directory
w       write       Modify the files in the directory
k       lock        Lock the files in the directory
a       administer  Change the ACL of the directory

An example of an ACL:

ran rlidwka
system:administrators rlidwka
system:anyuser l
bg rlidwk
ran:friends rl

The line "ran rlidwka" indicates that the owner (the user "ran" in this example) has full access rights. "system:administrators rlidwka" shows that the special group system:administrators has the same rights (the members of this group can always get whatever rights they want, so it is meaningless to remove them). "system:anyuser l" tells us that the group system:anyuser, which includes all users, only has the right to list the files in the directory. In the fourth line the user bg gets all rights, except the right to change the ACL. "ran:friends rl" (or "ran:friends read") in the last line gives the members of the user owned group ran:friends the right to list and read the files in the directory. (See section D.4. about groups of your own.)

D.2.1 Commands for dealing with access control lists

fs listacl directory

Shows the ACL for the given directory (listacl can be abbreviated la)

fs setacl directory user/group rights

Gives the specified rights on the indicated directory to the given user or group. (setacl can be abbreviated sa)

fs setacl directory user/group none

Revokes all rights for the user/group.

fs help

List all fs commands

D.3 How to work around the problem that you cannot have different file protection for different files in the same directory

Since the protection of files in AFS is done on the directory level, you cannot have different file protection for different files in the same directory. For example, you cannot have a file that only you can read in a directory that is readable to any user. Usually this does not matter; you just put the files in different directories. In some cases, however, you have a problem. Some initialization files (e.g. .bashrc, .tcshrc) in your home directory need to be publicly readable. If these files are not public, remote (or even local) login will not function normally.

At the same time you need secret files. The solution is to give list access to system:anyuser and then create a public subdirectory where you put non-secret files. For each file that needs to be publicly readable from the protected home directory, you then create symbolic links to the public subdirectory. In this way, programs access the non-secret files through the links in the read-protected directory.

An example of commands used:

Go to the home directory:

cd

Create a sub directory:

mkdir Public

Make the subdirectory publicly readable:

fs setacl Public system:anyuser read

Move the files that should be publicly readable to that directory:

mv .bash_profile .bashrc .modules Public

Create links:

ln -s Public/.bash_profile; ln -s Public/.bashrc; [etc.]
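
The check below is an added example, not part of the original page: it audits the output of fs listacl against the ACL format of section D.2 and the home/Public layout of section D.3. The function name audit_acl, its role names, the sample path and the handling of "Normal rights:" and "Negative rights:" headers are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit ACL text as printed by "fs listacl" against the D.3 layout.
# Usage: fs listacl DIR | audit_acl ROLE OWNER
#   ROLE home   -> system:anyuser may hold at most "l"
#   ROLE public -> system:anyuser may hold at most "rl"
# Prints one finding per line; returns 0 when clean, 1 when there are findings.
audit_acl() {
    case $1 in
        home)   allowed=l ;;
        public) allowed=rl ;;
        *) echo "usage: audit_acl home|public owner" >&2; return 2 ;;
    esac
    awk -v role="$1" -v owner="$2" -v allowed="$allowed" '
        BEGIN { bad = 0; negative = 0 }
        # Assumption: listacl may print section headers; entries listed under
        # "Negative rights:" are denials, so they are not grants to audit.
        /^Normal rights:/   { negative = 0; next }
        /^Negative rights:/ { negative = 1; next }
        # An entry is "principal rights", rights drawn from the letters rlidwka.
        !negative && NF == 2 && $2 ~ /^[rlidwka]+$/ {
            if ($1 == "system:anyuser") {
                extra = $2
                gsub("[" allowed "]", "", extra)   # strip what the role permits
                if (extra != "") {
                    printf "%s: system:anyuser has extra rights: %s\n", role, extra
                    bad = 1
                }
            } else if ($1 != owner && $1 != "system:administrators" && index($2, "a")) {
                printf "%s: %s can change the ACL\n", role, $1
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample: the ACL from section D.2, but with system:anyuser widened
# to "rl" and bg given "a", applied to a home directory (path is made up).
audit_acl home ran <<'EOF' || :
Access list for /afs/example/home/ran is
Normal rights:
  ran rlidwka
  system:administrators rlidwka
  system:anyuser rl
  bg rlidwka
  ran:friends rl
EOF
```

On a real system the input would come from "fs listacl ~" for the home role and "fs listacl ~/Public" for the public role.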

D.4 Personal access groups

In AFS, each user has the possibility to create personal groups of users in order to create ACLs in a convenient way. By adding a certain group to an ACL, all members in that group are given the same access rights at the same time. In the ACL above ran:friends is an example of a personal group. The name of personal groups always starts with the name of the owner followed by a colon.

D.4.1 Commands for dealing with groups in the AFS system

pts creategroup owner:group

Creates a group. The owner should be your username (creategroup can be abbreviated cg)

pts adduser user owner:group

Adds the user to the group (adduser can be abbreviated ad)

pts delete owner:group

Delete the group (delete can be abbreviated del)

pts removeuser user owner:group

Remove the user from the group (removeuser can be abbreviated rem)

pts membership owner:group

Show the members of the group (membership can be abbreviated m)

pts help

Show all pts commands

Page responsible: it-support@kth.se
Belongs to: KTH Intranet
Last changed: Jan 10, 2018