PNCE User Intro to AFS

PNCE User Documentation

Introduction to AFS

The PNCE-Unix environment uses the Andrew File System (AFS) for home and group storage. AFS differs from standard Unix file systems (UFS) in a number of ways, most significantly in how files are protected. AFS makes little use of the standard Unix permission bits; most access is controlled by access control lists (ACLs). ACLs apply at the directory level and, unlike UFS permissions, allow access to be tailored to individual users and user-defined groups. The standard homespace and groupspace directory structures are set up with ACLs designed to allow a reasonable degree of security and flexibility. We advise that you do not change them unless you know what you are doing. If you are concerned about the security of certain files, please feel free to contact PCS to have them audit the ACLs. For more information about AFS access control lists.

The PNCE-Unix system also uses Kerberos for authentication, which provides additional security over standard Unix authentication procedures. Unlike standard Unix authentication schemes, Kerberos is based on the user obtaining tokens from trusted security servers. These tokens are valid for only about a day, and you need them to prove your authorization to access files. Generally, tokens are obtained and destroyed automatically for you when you log on to and off of the system. However, if you stay logged in too long, your tokens may expire and need to be renewed. This can be a problem for long-running batch jobs; currently we recommend that long-running jobs use the scratch disk for all input and output, as that is an NFS filesystem (and so uses standard Unix security, not Kerberos). Similar problems may occur if you log out after starting a background process that requires authentication, because your tokens are destroyed when you log out. Unless the background job started a new process authentication group (PAG), which is not the default behavior, logging out also destroys the tokens of your batch job. This can also be avoided by using non-AFS space (e.g. /scratch), or by using the pagsh command.
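
One way to apply the advice above before launching a long-running job, as an added example that is not part of the PNCE documentation. It assumes OpenAFS-style `tokens` output; the function names, the sample output and the token-obtaining command passed to `run_in_new_pag` are assumptions.

```shell
#!/bin/sh
# Added example, not part of the PNCE documentation.
# Assumption: `tokens` prints OpenAFS-style lines such as
#   User's (AFS ID 1000) tokens for afs@example.org [Expires May 22 11:52]
# and marks a stale token with the word "Expired".

# Constructed sample of `tokens` output (AFS ID, cell and date are made up).
sample_tokens_output() {
    cat <<'EOF'
Tokens held by the Cache Manager:

User's (AFS ID 1000) tokens for afs@example.org [Expires May 22 11:52]
   --End of list--
EOF
}

# Classify `tokens` output read on stdin: prints valid, expired or none.
afs_token_state() {
    awk '
        /tokens for afs@/ { if ($0 ~ /Expired/) expired = 1; else valid = 1 }
        END { print (valid ? "valid" : (expired ? "expired" : "none")) }'
}

# Succeed only if this session holds an unexpired AFS token, so a job
# script can refuse to start rather than fail on its first AFS write.
afs_preflight() {
    state=$(tokens 2>/dev/null | afs_token_state)
    [ "$state" = valid ] && return 0
    echo "AFS token state: $state; renew tokens before using AFS" >&2
    return 1
}

# Run a job in its own PAG so that logging out of this session does not
# destroy the job's tokens. A new PAG starts with no tokens, so the
# site's token-obtaining command ($1, an assumption) runs inside it first.
run_in_new_pag() {
    pagsh -c "$1 && $2"
}
```

A new PAG protects the job from the logout that destroys your session's tokens, not from expiry: tokens obtained inside it are still valid for only about a day.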

Some useful commands

The following commands may prove useful to you:

Commands relating to authentication and tokens

Commands relating to disk quotas

Commands relating to access control lists

For more information on AFS access control lists

For more information

Users who wish to learn more about AFS are referred to the following web sites:
