Introduction to the AFS


In the beginning the acronym AFS meant Andrew File System. But now that is history, and AFS is just another file system.

AFS was originally developed at Carnegie Mellon University. It is a network file system that is being used at DESY in the context of the Workgroup Server concept. Machines supporting AFS are called AFS clients. This concept is especially suited to solve the problem of multiple home directories: Users who have admission to more than one computer tend to have multiple home directories, one on each machine they log on to. Under AFS, users always access the same home directory, no matter what AFS client they log on to.

The AFS file system is a treelike system like the usual Unix file system. Unlike normal Unix file systems, file names are not bound to a specific computer, but unique worldwide within AFS file systems. They start with the string /afs and they contain the name of the AFS cell (the cell name for DESY is An AFS cell is the administrative domain (e.g. DESY) and consists of a set of servers and clients. An example of a file name at DESY could be /afs/

The AFS comprises:

  • the file servers for AFS home directories and application programs. The executables are maintained by the Application Software Group (ASG) of DESY/IT. They may be executed without a token only from within the DESY AFS cell. F
  • scalability: Read-only data, i.e. application programs, can easily be replicated over several servers to distribute the load and guarantee service even if one server crashes.
  • a local AFS cache on each participating host, providing a local copy of the files currently in use on this host
  • various other services, e.g. a Kerberos authentication server for better securit.

From the users' point of view, an AFS system is identical on all participating hosts. The local cache exists for performance reasons only and is completely transparent to the users. They will see the same home directory on all AFS clients.

File backup services are provided automatically on a regular basis for all user home directories. The tool for this is the TSM (formerADSM). As it reads the files with system administrator rights, only such files are backed up which are readable for the system administrator. Therefore access lists (ACLs, see below) should not exclude the system administrator.

Besides the AFS home directory, users will also find a normal Unix file system e.g. a /tmp directory, depending on the host.

Access Control under AFS

Although AFS looks much the same as a normal Unix file system, there are some points of interest for users switching from a normal Unix file system to AFS:

  • Access Rights

    One major difference are the access rights. Access rights in AFS are controlled by Access Control Lists (ACLs) on a directory basis. Although Unix file access rights are still visible, they will be ignored by AFS. Solely the Unix user flags have an effect, but function differently than under a Unix file system. Thus, be careful! Some more details follow below, under Access Control Lists.

  • Authentication, Token

    To use AFS services, a user has to be authenticated. This is usually done at login by giving the password associated with the username. The user then gets a token that permits access to the user's files and has a limited lifetime of usually 25 hours. Tokens are given per cell and per user.

    A token can be refreshed, or rather a new token can be obtained, with the command klog. At logout, the token is destroyed. At the next login, a fresh token will automatically be generated.

    When a batch job is submitted in a session it receives a copy of the session's token. This copy has the same remaining lifetime as the original token. It survives if the session is terminated.

Login Process

On most Unix machines at DESY, the login procedure will first try to authenticate the user for AFS. Only if this fails, the machine will continue with a non-AFS login, the type of which depends on the setup of the machine: DCE (Distributed Computing Environment), NIS (Network Information System), or local. The warning message generated in this event can be ignored by non-AFS users.

The AFS password does not have to be set with a separate command. The passwd command was modified to set it correctly. Nevertheless you should take care to use the correct password program: /usr/sue/bin/passwd . One can easily end up with another password program after changes in the PATH, a common error. Check for the right program with which passwd .Using the bash shell -though it seems to be the correct path- you should enter the whole path.

DESY Default Access Rights

  • l (lookup)
  • for system:anyuser and desy-hosts
  • rlidwka (administer)
  • for the user and system:administrators

Some Special Directories and Files

Each newly made home directory comes with a few subdirectories:

  • One with the name of the group, e.g. h1, zeus, etc. This has read access (rl attributes) for the group and no access for anyone else (except for system:administrators, of course).
  • Three with names private, Mail, and mail. These have no access for any users (again: except for system:administrators). Mail and mail are equivalent. Some message systems use Mail, others use mail.
  • One with the name public, which has read access for all users, that is for the group system:anyuser, as well as system:administrators.
  • One with the name .OldFiles, into which the old state of the home directory is retained each night, as fast short-term backup.
    Please note that this backup directory does not use any of the user's quota.
    How does .OldFiles work? Each night it receives links, one link to each file of the user. When the user deletes a file, the link from .OldFiles still exists, and the file disappears from the user's directory (and from his quota) but not from the disk. When a file is changed, a new one is made for the user, which he then sees in his directory (and in his quota), but .OldFiles retains its link to the old one.

Each user can change all his ACLs, and he can create his personal ACLs as he likes.

There are some files that need special consideration regarding who should be allowed access to them:

.netrc This file, if existent, will contain passwords and should consequently not permit read access to everyone. Therefore it should be located in the top level of the home directory, which should not allow read access to everyone.
.rhosts und andere "Punkt-Files" Such files contain information for tailoring individual ways of working with computers and should consequently not permit write access to everyone. Therefore they too should be located in the top level of the home directory.
.forward This file is looked for in the top level of the home directory, which should be closed to the public. On the other hand the mailer must be able to read it without privileges. The solution is to have a link in the root of the directory pointing to the true .forward file in the directory public, which should, "nomen est omen", be open to everyone, see below.
At DESY, the command mailfwd will handle all this correctly. Therefore the usage of this command is stronglyrecommended.

Backup of the AFS Files

Each night the state of the home directory of each AFS user is retained in a special directory named .OldFiles Here is the place to look for copies of files lost during the day.

In addition the TSM creates incremental backups, i.e. backups of modified files. For this purpose the system administrator needs to be able to read the files. This must be kept in mind when using ACLs to reduce access.

AFS Command Reference


Following is a short reference to the same AFS commands. Text in angled brackets indicates information the user must supply. Do not type the < > symbols. Text in square brackets indicates optional information to be supplied by the user. Therefore: do not type the [ ] symbols either. Sometimes this optional information may be a list. That is indicated by a + adjacent to > or ].

  • Basic Commands

    Changing the password on centrally supported systems at DESY, AFS or non-AFS
    passwd sets the password - The right password program is /usr/sue/bin/passwd
    Obtaining, Discarding, and Checking Tokens

    checks the tokens of the user and their lifetime. Once a token's lifetime has expired, access to AFS will not be possible any more, e.g. saving of the files being worked on will be impossible.

    A new token is received at every login to AFS or with the command klog.

    klog Obtain a new token. This may be useful when starting a lengthy session or if the existing token is about to expire.

    destroys a token

    Usage: unlog <cell name>

    Listing Volume Quota

    fs listquota

    kurz: fs lq

    shows all information about the user's "disk quota".

    An AFS user gets 20 Mbytes disk storage by default. The user's Unix disk space administrator has the right to grant more disk storage if needed "Computer Group Administrators" shows a list of DESY group administrators.

    fs quota

    kurz: fs q

    lists the percentage of the used disk quota
    Listing File Server Information
    fs whereis

    Ort lists a file system's location

    Anwendung: fs whereis [-path <Verzeichnis/Pfad>+] [-help ]

    fs checkservers checks the local cell's servers.
    fs flush

    As a possible reaction to a cache corruption, this command prompts the client to renew a file in its cache.

    Usage: fs flush [-path <dir/file path>+] [-help ]

    fs flushvolume

    kurz: fs flushv

    In case an application does not run properly, this command will prompt the server to renew all the files in the cache of the application.

    Usage: fs flushvolume [`which <Application>`]

  • Access Control Lists

    As mentioned above, Unix file permissions are treated differently under AFS: User bits (rwx) are still used. They apply not only to the user, but to everyone who has access to the file according to the ACLs. Strictly speaking: Access to the file is possible if no ACL is inhibiting this and if the user bits are set. The world and group bits are ignored by AFS. World and group access is controlled by ACLs:

    Access control under AFS is done via Access Control Lists (ACLs) on a directory basis. All files in a directory have the same access restrictions, and users have to group their files according to the preferred access restrictions.

    When you set the ACLs for a directory only this directory is concerned, not its existing subdirectories. When on the other hand a new subdirectory is created it will inherit the ACL attributes of its mother directory.
    When all subdirectories are to be fitted out recursively with the ACL attributes of the mother directory then the powerful Unix command find may be employed. This could issue the command fs setacl -dir ... for all found subdirectories. fs setacl will be explained below, for find see man find.
    Alternatively fs copyacl -fromdir <source> -todir <target1><target2> (explanation see below) can be used, though not recursively.

    ACLs are set via ACL entries consisting of a user or group name and the access control rights, separated by a space, e.g. testuser rlidw .

    Groups with specific access rights may be defined by the user (up to 20 groups). Group names are of the form owner:name. Some predefined groups exist at DESY, they are all owned by the group usg.
    Examples: usg:h1, usg:zeus and many more.

    Other important predefined groups are:

    system:anyuser all AFS users worldwide
    system:authuser all authorized users (users having an AFS token) in the AFS cell, not necessarily logged in from DESY
    desy-hosts all users logged in with IP addresses of DESY Hamburg or DESY Zeuthen, not necessarily authorized

    Possible acces rights are:

    l lookup list the files in a directory
    r read read a file
    i insert create new files or directories
    w write write to a file
    d delete files or subdirectories
    k lock Files
    a administer change ACLs

    Shorthands exist:

    all all of the rights above
    none none of the rights above
    read rl -rights
    write everything except a
  • ACL Commands

    Using Access Lists to Protect Files and Directories

    fs listacl

    kurz: fs la

    lists the ACL of a specific directory. If no directory is specified the working directory will be listed.

    Usage: fs listacl [<directory>]

    fs setacl

    kurz: fs sa

    sets the ACL of a specific directory

    Usage: fs setacl -dir <directory> -acl <access list entries>

    Example: fs setacl -dir private -acl system:anyuser none No access rights to directory 'private' for members of system:anyuser

    fs copyacl

    kurz: fs ca

    copies an access control list

    Usage: fs copyacl -fromdir <source directory>
    -todir <destination directory>+ [-clear ] [-id ] [-if ] [-help ]

    Manipulating Protection Groups

    pts creategroup

    kurz: pts cg

    creates a user-owned access group (one of 20 possible ones). Users can insert other users' IDs or machine names into their access groups. Later, they can assign these groups access rights to specific directories.

    Usage: pts creategroup -name <group name>

    Example: pts creategroup -name testuser:friends

    The user with ID 'testuser' creates a group 'friends' which is then owned by her.

    pts adduser

    adds a user to a group

    Usage: pts adduser -user <userid> -group <group name>

    Example: pts adduser -user heino -group testuser:friends

    The user 'testuser' adds the user 'heino' to her group 'friends'.

    pts removeuser

    removes a user from a group.

    Usage: pts removeuser -user <userid> -group <group name>

    Example: pts removeuser -user heino -group testuser:friends

    The user 'testuser' removes the user 'heino' from her group 'friends'.

    pts rename

    nicht kürzer:

    pts chname

    renames a user or a group.

    Usage: pts rename -oldname <old name> -newname <new name> [-cell <cell name>]
    [-noauth ] [-test ] [-force ] [-help ]

    Example: pts rename -oldname testuser:friends -newname testuser:foes

    The user 'testuser' renames her group 'friends' into 'foes'.

    pts delete

    deletes a user-owned access group

    Usage: pts delete -nameorid <group name or id>

    Example: pts delete -nameorid testuser:foes

    The user 'testuser' deletes her group 'foes'. .

    Listing Information About Protection Groups
    pts listowned

    lists the groups owned by a particular user. This command is subject to certain restrictions.

    Usage: pts listowned -nameorid <userid>

    pts membership

    kurz: pts member
    oder: pts m
    oder: pts groups

    lists the members of a particular group or the groups a user belongs to. This command is subject to certain restrictions. d

    Usage: pts membership <group name> oderpts membership <userid>

    pts examine

    kurz: pts check

    examines a user group or a user. This command is subject to certain restrictions. A

    Usage: pts examine -nameorid <Userid or group name or id>+ [-cell <cell name>] [-noauth ] [-test ] [-force ] [-help ]

    At any time, help about the commands may be obtained by typing one of

    • fs help
    • fs help <keyword>
    • fs apropos <keyword>
    • pts help
    • pts help <keyword>
    • pts apropos <keyword>

    Man kann jederzeit durch eines der folgenden Kommandos Hilfe zu den ACL-Kommandos erhalten:

    • fs help
    • fs help <Schlüsselwort>
    • fs apropos <Schlüsselwort>
    • pts help
    • pts help <Schlüsselwort>
    • pts apropos <Schlüsselwort>

Access to AFS from Microsoft Windows


If you install the AFS-Client via Netinstall (Start -> NetinstallPrograms -> Netinstall -> Installer -> Folder Communication) or via download,  you can add a network drive (or more) in your Windows Explorer which then will show an AFS path.  You will be able to change and move directories and files under Microsoft Windows independently of the platform.

Caution: You are in need of a token. You will get it automatically, if you use the same password under Unix and Microsoft Windows. If for reasons of security you have choosen different ones, your login possibly is followed by the message: 'Integrated login failed'. In this case you get a token by clicking the padlock symbol in the taskbar and choosing 'obtain new token'.

If you are local administrator in this case you should configure the client: On the register card 'Advanced' please disable the first button 'Start the AFS Client...'. Then (next boot) at the end of the login process a window will pop up (you can't forget to do it) and you can follow the steps to get a token. You can get rid of the warning 'Integrated login failed' by clicking 'Configure AFS Client -> Advanced -> Logon -> Fail Logins Silently' and here choosing 'yes'.

Further Information



Obtaining, Discarding, and Checking Tokens of centrally supported systems at DESY


sets the password - The right password program is /usr/sue/bin/passwd