AFS Home Directory Access

Last Reviewed 2021-06-28

 

This document provides information about AFS home directory access on Linux. AFS does not use Unix/Linux user IDs, since any Linux machine can give a user a particular user ID. Instead, AFS provides its own user IDs, which are managed at the AFS cell level. To get an AFS ID that identifies you to an AFS cell, you must have an account on that AFS cell and log in to it. The Computer Science AFS cell name is cs.unc.edu.

 

Tokens

 

AFS authentication is based on Kerberos, a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. When you log on successfully to an AFS cell, your local machine’s AFS cache manager will hold a “token” for you. Once you have an AFS token, you can access AFS directories that have their permissions set to allow your AFS User ID access. Tokens contain a time stamp and are valid for a pre-set amount of time. You can use the AFS command "aklog" to extend the life of a token or to get a new token if your original token expires.

 

You can run the command "tokens" to see if you have a valid token. If you do not have a token, the response will be this:

 

Tokens held by the Cache Manager:

--End of list--

 

Your AFS space may also look like this without a valid token:

 

#ls -lha

?????????? ? ? ? ? ? myscript.sh
?????????? ? ? ? ? ? access.log
?????????? ? ? ? ? ? addressbook.txt

 

Obtaining a token

 

You get a token by either: 1) logging in with a password, OR 2) running the commands "kinit && aklog". Once you have a valid token, the command "tokens" should return output showing your AFS ID and the expiration of the token:

 

Tokens held by the Cache Manager:

User's (AFS ID 3903) tokens for afs@cs.unc.edu [Expires Mar 29 09:03]

 

This output says that the cache manager holds for you a token for the cell cs.unc.edu as AFS ID 3903. You may hold additional tokens for different cells, but you may not have more than one token for a particular cell. Tokens are specific to a machine, so authenticating on one machine does not give you a token for another workstation.

 

Tokens expire after some period of time and need to be renewed.  The default lifetime at UNC Computer Science is one week.  Also, tokens do not automatically go away when you log out, so that when you run programs overnight the background programs can use the tokens to access files. You can remove a token by using the "unlog" command.

 

Note about SSH public key authentication and AFS

 

If you use key authentication to access your system, you will land without any tokens. This means you will not have access to your AFS space until you run the "kinit" and "aklog" commands.
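
The check described under "Tokens" and the recovery described for SSH key logins can be combined in one script. This is an added example, not part of the original page: the function names has_token and ensure_token and the CELL variable are hypothetical, and the sample line in the comment is the one shown above.

```shell
#!/bin/sh
# Added example (not from the original page): detect a missing AFS token
# and obtain one with the commands the page names (kinit, aklog, tokens).
# Assumption: CELL defaults to the cell name given on this page.
CELL="${CELL:-cs.unc.edu}"

# has_token CELL
# Reads `tokens` output on stdin. Succeeds only if a line shows an
# unexpired token for exactly afs@CELL, for example:
#   User's (AFS ID 3903) tokens for afs@cs.unc.edu [Expires Mar 29 09:03]
has_token() {
    cell=$1
    while IFS= read -r line; do
        case $line in
            # "afs@" before and " [Expires " after pin the whole cell name,
            # so a token held for a different cell never satisfies the check.
            *"for afs@$cell [Expires "*) return 0 ;;
        esac
    done
    return 1
}

# ensure_token
# Tokens are per machine, so this must run on the host where AFS access
# is needed. If no token is held, kinit prompts for the password and
# aklog turns the resulting Kerberos ticket into an AFS token.
ensure_token() {
    if tokens | has_token "$CELL"; then
        return 0
    fi
    echo "No AFS token for $CELL on $(hostname); running kinit && aklog" >&2
    # Re-check afterwards so the caller learns whether a token now exists.
    kinit && aklog && tokens | has_token "$CELL"
}
```

Call ensure_token after an SSH key login, or at the start of a long-running job, before the first access to files in AFS.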
