Skip to main content

Common Questions about AFS

To increase security and reduce risk, Stanford is sunsetting its WebAFS service that is used to upload and download files to AFS.

To optimize AFS and make sure it is serving its intended functions, UIT has also taken these actions:

  • UIT no longer automatically provisions new faculty and staff members with AFS user volumes. New faculty or staff who need a personal user volume must submit a Help request.
    • This change does not impact existing AFS directories or the process for adding permissions for new individuals to those existing directories. Your existing space and everything in it remains intact.
    • This change does not impact the auto-provisioning of new AFS user volumes for students and postdocs.

​Class volumes do not expire and are kept indefinitely. This is an official academic policy, and any change to this policy must be considered by the Faculty Senate.

Intermediate

  1. What is AFS?
  2. What is Kerberos?
  3. Why doesn't my .forward file work?
  4. How do I find out my disk quota?
  5. I added my friends to the ACL of my directory. Why can't they access that directory?
  6. How do I add a user at another school to my ACL?
  7. How do I add more than 20 entries to an ACL?
  8. I've been logged on for two days. Why can't I read my files anymore?
  9. My question isn't listed here. To whom do I ask my question?

Advanced

  1. Why can't I run fs? Why can't I get the man page for fs or pts?
  2. Why doesn't my plan show up when other people finger me?
  3. Do the UNIX file permissions mean anything anymore?
  4. What is the .backup directory?
  5. How do I undelete files?
  6. I need to run a very long process. How do keep it authenticated?
  7. Why doesn't rsh/rlogin/.rhosts work anymore?
  8. Why doesn't MacX work?
  9. Why doesn't autologout accept my password anymore?
  10. Why do I get the error "Cross-device link" when creating links?
  11. My question isn't listed here. To whom do I ask my question?

1. What is AFS?

AFS is a file-sharing system comparable to NFS, Apple File Protocol, NetBIOS, or Netware Core Protocol. It allows "client" work stations to access files from a remote file "server." AFS is under active development. From the standpoint of someone familiar with standard UNIX file systems or NFS, the main differences are the new file permissions and authentication system.

AFS provides several advantages over other file-sharing protocols that make it ideal for computing at Stanford:

  • AFS provides better network performance. Other protocols tend to be impractical for serving large numbers of workstations.
  • The AFS server authenticates users, not machines. This allows people with a Stanford account to access their files from any machine on campus that mounts AFS, including any Unix machine running AFS client software and Mac's and Windows machines outfitted with Stanford OpenAFS.
  • AFS allows greater control over access to one's files. Individuals can selectively grant file access privileges to individuals or user-created groups. This is ideal for group projects.
  • AFS has limited provisions for users to recover their own files.

Some of the major goals of the system are minimizing the burdens of system administration and providing a common basic level of service to all UNIX users at Stanford.

2. What is Kerberos?

For a longer but simpler explanation of Kerberos, take a look at our main Kerberos page.

Basically, Kerberos is an authentication service between machines on an open network. AFS is one of many services at Stanford that uses Kerberos for its authentication system. Kerberos provides user authentication for certain restricted services, such as afs, restricted web pages, and remote login access. It also provides for encrypted connections, so information being sent can't be seen by some third party who is eavesdropping on your session.

 

For more general information see the Kerberos User Guide..

3. Why doesn't my .forward file work?

FarmShare (Stanford's shared computing environment)  no longer uses .forward files. Run lelandforward to set up forwarding.

4. How do I find out my disk quota?

You can use any one of these commands:

fs listquota
fs lq
check-stanford-afs-quota

5. I added my friends to the ACL of my directory. Why can't they access that directory?

There are several possibilities. A user needs "list" permission on all the ancestors to a directory to access a directory. For example:

You wish to give a friend access to directory ~/private/project. Using the fs listacl command (or "fs la" for short), you find the following:

cardinal:> fs la ~ 

Access list for  /afs/ir/users/m/y/myself is

Normal rights:

   system:administrators rlidwka

   system:anyuser l

   myself rlidwka
cardinal:> fs la ~/private/

Access list for  /afs/ir/users/m/y/myself/private is

Normal rights:

   system:administrators rlidwka

   myself rlidwka
cardinal:> fs la ~/private/project/

Access list for  /afs/ir/users/m/y/myself/private/project is

Normal rights:

   system:administrators rlidwka

   myself rlidwka

   myfriend rlidwk

Your friend does not have access to the directory ~/private, so the permissions on ~/private/project are not accessible.

You can use the fs setacl (or "fs sa" for short) command to remedy this:

cardinal:> fs sa ~/private/ myfriend l

This gives myfriend "list" access to ~/private: the names of files and directories there will be visible to your friend, but not their contents (except in this case for project/, which you already gave myfriend "write" access to).

Another possibility is that the person has permission to get to the directory, but the change has not been updated on the local machine. AFS clients cache permissions locally and update them every two hours. If the friend runs klog, the recent change to the ACL will be reflected.

6. How do I add a user at another school to my ACL?

You can't name him or her explicitly. Your best bet is to put the files that your friend needs access into a publicly available directory.

7. How do I add more than 20 entries to an ACL?

An ACL can only hold 20 entries. Those entries, however, may be groups. You can, for instance, create a group with 30 members. By adding that group to an ACL, you can thus add 30 users with only one entry in the ACL for a given directory. Read the section on groups in the Advanced Section for an explanation of groups and the pts command.

8. I've been logged on for two days. Why can't I read my files anymore?

When you log in, you receive a "token", or authentication to your files. To determine if you have a token, type "tokens" at the system prompt. You will see the token, if any, that you have and when it expires. Tokens have a 25 hour lifetime on our system. To obtain a new token, run the program klog or kinit -t. It will prompt you for a password and grant you a new token.

9. My question isn't listed here. To whom do I ask my question?

Try posting your question to su.computers.afs or submit a HelpSU ticket.

10. Why can't I run fs? Why can't I get the man page for fs or pts?

You should update your UNIX session configuration files. The command

/usr/pubsw/bin/updaterc

will allow you to do this quickly. (You only need to run it once).

11. Why doesn't my plan show up when other people finger me?

You need to make sure the directory that your .plan and .project files are in is world-readable. One method to do this is to create a world-readable subdirectory to contain them. Type the following commands at the UNIX system prompt:

cd
mkdir public<
(This directory may already exist)  
fs setacl ~ system:anyuser l
fs setacl public system:anyuser read
mv .plan .project public/ 
ln -s public/.plan 
ln -s public/.project

The cd command makes you go to your root directory. The mkdir creates a public subdirectory. The first fs command gives the world list access to your home directory (so anyone can see the names of files and directories in your home, but not their contents). The second fs command gives the world read permission to the subdirectory public/. The mv command moves your .plan and .project files to the now world-readable subdirectory. The ln command creates a symbolic link from your .plan and .project files in public/ to your home directory, which is where the standard UNIX finger daemon expects them to be.

This solution will also work for the .klogin and .rhosts files.

12. Do the UNIX file permissions mean anything anymore?

The files contained within your afs home directory use both AFS and UNIX file permissions. The only UNIX (chmod) permissions which are still applicable under AFS, however, are the permissions for the owner. UNIX permissions on directories are not used.

Your temporary files (those found in /tmp and /usr/tmp) are in local UNIX file space. Only the UNIX file privileges apply here. That is why the umask variable in your .cshrc is still important. The default .cshrc file has umask set to 077, which gives no file permissions to other users.

For more info on UNIX permissions and AFS, read the Advanced AFS Page.

13. What is the .backup directory?

Each night between midnight and 3 AM, a backup image of your account is made. If you delete a file under the standard UNIX file system or in NFS, it is gone. If you delete or modify a file in an AFS volume, you may be able to retrieve the file *if* it existed when the backup image was made.

Newer accounts are created with their backup volume mounted as the directory named ".backup". If you do not have this mounted, it is easy to do. Running

fs mkmount ~/.backup user.$USER.backup

will mount your backup volume in the directory named .backup in your home directory. (Note, you can use a name other than "backup".)

To unmount the volume type

fs rmmount ~/.backup

You don't need to unmount it: files in .backup do not count against your disk quota usage.

The backup volume (user.$USER.backup) is a read-only copy of your account. It takes up minimal space and does not count against your quota. You cannot remove or alter files in the backup volume, and file changes made after the last backup but before the next backup are not available.

14. How do I undelete files?

Unlike the local UNIX file system and NFS, AFS has a limited mechanism to undelete files. To restore a file for UNIX users, you must copy the file from the "backup volume" to your account.

Be aware that the file you are recovering needs to be at least a day old (i.e., existed before the last backup was made), and you must take steps to recover it on the same day that you deleted it (i.e., before the next backup image is made).

If you do not have a .backup directory, mount it:

fs mkmount ~/.backup user.$USER.backup

Suppose you delete the file ~/Mail/incoming. The following commands may recover it (assuming you have sufficient quota):

cd 
cp .backup/Mail/incoming ~/Mail/incoming.bak 

Your recovered file would be located in your Mail subdirectory and named incoming.bak

NOTE: if you are trying to recover files from an AFS directory other than your home directory, you will need to mount a different volume. To find a directory's volume name, type

cd directory  (e.g., cd /afs/ir/data/mydata) 
fs examine 
Volume status for vid = 667788959 named data.mydata

A command to mount this particular backup volume is

fs mkmount OldData data.mydata.backup

You can then copy what files you need. The unmount command is

fs rmmount OldData

15. I need to run a very long process. How do keep it authenticated?

Before logging out of the FarmShare host you are using, run the command

keeptoken NumberOfHours

Where NumberOfHOurs is an integer indicating the number of hours you expect your program to run. You can guess generously if you aren't sure.

16. Why doesn't rsh/rlogin/.rhosts work anymore?

If you are trying to use rlogin to connect to a FarmShare host, you will need to have a .klogin file set up in your FarmShare account.

Assuming you have setup your public directory (see question 4), the following will allow you to use klogin and the other Kerberos programs:

 cd 
echo "$USER@IR.STANFORD.EDU" >! public/.klogin 
ln -s public/.klogin

You can then run "klogin hostname" to rlogin to another host. "ktelnet hostname" will give you the kerberized equivalent of telnet. In neither case will you need to provide your password to connect to the new machine.

The .klogin file makes the .rhosts file unnecessary. If you need to use rlogin for machines which do not run the kerberized rlogin daemon, you need to run klog after you rlogin. A convenient way to do this is to add the following to your interactive portion of your .cshrc file:
(tokens | egrep Expires >! /dev/null) || klog && rehash

For this to work, your .cshrc and .rhosts files need to be world-readable.

17. Why doesn't MacX work?

MacX utilizes remote commands, so it shares problems similar to that of a .rhosts file. It is still possible to use MacX with Kerberos, though, as follows:

  1. Determine your IP address from your MacTCP control panel.
  2. Launch MacX. Enable Access Control (in the Remote menu).
  3. Use MacSamson to log into the machine you will run X client software. Let's call this machine elaineN.
  4. On the elaine, set your DISPLAY variable:
    setenv DISPLAY 36.A.0.B:0.0 (for black and white macs)
    setenv DISPLAY 36.A.0.B:0.2 (for color macs)
    where 36.A.0.B is your IP address.
  5. On elaineN, run the X client. For example, run xclock and the xclock window will then appear on your macintosh. When you log out of the elaine, your remote clients do not quit. You need to kill the processes from a terminal or quit them from MacX.

18. Why doesn't autologout accept my password anymore?

tcsh6.05 has AFS support to enable this feature. It also supports the tcsh variable "afsuser" if your local username is different than your afs username.

19. Why do I get the error "Cross-device link" when creating links?

Use symbolic links (i.e., "ln -s"), not hard links. AFS currently only has ACLs for directories, so it would be ambiguous to allow hard links to files in different directories.

20. My question isn't listed here. To whom do I ask my question?

Try posting your question to su.computers.afs or submit a HelpSU ticket.

Last modified