AFS (Andrew File System)

The AFS (Andrew File System) Service provides networked file storage for CERN users, in particular home directories, work spaces and project spaces.

The AFS Service is based on OpenAFS, an open-source distributed filesystem which provides a client-server architecture for location-independent, scalable, and secure file sharing.

AFS User Short Guide

1. Access rights and access groups for files and directories: “fs listacl”, “fs setacl”
Access rights in the AFS system:

– r    read,        allows the named user to read the file content
– l    lookup,      allows the user to list the files and directories
– i    insert,      allows the user to add new files and directories
– d    delete,      allows the user to remove files
– w    write,       allows the user to change the file content
– k    lock,        allows the user to use full-file advisory locks
– a    administer,  allows the user to change the ACL of a directory

The following three access groups are most commonly used:

system:anyuser           any AFS-users
system:authuser          any users of this organization
system:administrators    system administrators of this organization

All information on access rights and access groups for files and directories is stored in special AFS tables called ACLs (Access Control Lists), where the access rights to files and directories are defined. To see the contents of these tables, i.e. to get information on the state of access to a file or directory, use the command:

fs listacl <file_name> or <dir_name>

The command “fs setacl” allows you to change access rights and groups.

Mnemonic designations of access rights:
all      r + w + k + l + i + d + a
none     remove entry from Access Control List
read     r + l
write    r + w + k + l + i + d

Example 1: Assign read access to user vmi on the ~/work directory:
lxpub05: ~> fs listacl ~/work

Normal rights:
system:administrators rlidwka
system:anyuser l
grom rlidwka

lxpub05: ~> fs sa work/ vmi read

lxpub05: ~> fs la work/

Access list for work/ is
Normal rights:
system:administrators rlidwka
system:anyuser l
grom rlidwka
vmi rl

Example 2: Assign “read” access to user “vmi” on all subdirectories of the ~/work directory using the command “find”:

lxpub05: ~> cd ~/work

lxpub05: ~> find . -type d -print -exec fs setacl {} vmi read \;
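
After a recursive grant like the one in Example 2, it is worth reviewing the resulting ACLs. The following is an added example, not part of the original guide: a shell function that reads “fs listacl” output and reports entries that are broader than intended. The owner argument, the three policy rules, the reason labels and the ./work/public directory in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): screen `fs listacl` output
# for entries that grant more than intended. Policy below is an assumption.

# audit_acl OWNER: reads listacl output on stdin, prints one finding per line
# as "<directory> <principal> <rights> <reason>".
audit_acl() {
    awk -v owner="$1" '
    /^Access list for / {            # start of a new directory block
        dir = $0
        sub(/^Access list for /, "", dir)
        sub(/ is$/, "", dir)
        section = ""
        next
    }
    /^Normal rights:/   { section = "normal";   next }
    /^Negative rights:/ { section = "negative"; next }
    section == "normal" && NF == 2 {
        who = $1; rights = $2
        if (who == "system:anyuser" && rights != "l")
            print dir, who, rights, "anyuser-beyond-lookup"
        else if (who == "system:authuser" && rights ~ /[idwa]/)
            print dir, who, rights, "authuser-can-modify"
        else if (who !~ /^system:/ && who != owner && rights ~ /a/)
            print dir, who, rights, "non-owner-administer"
    }'
}

# Constructed sample: what a recursive listing of ~/work could look like.
sample_listacl() {
    cat <<'EOF'
Access list for ./work is
Normal rights:
  system:administrators rlidwka
  system:anyuser l
  grom rlidwka
  vmi rl
Access list for ./work/public is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  system:authuser rlidwk
  grom rlidwka
  vmi rlidwka
EOF
}

# Real use: find . -type d -exec fs listacl {} \; | audit_acl grom
sample_listacl | audit_acl grom
```

Entries under “Negative rights:” are skipped, since they remove access rather than grant it.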

2. Users can change their AFS password with the command: kpasswd

When changing your AFS password, do not forget to make this change for the PBS system with the command “pbspwstore”.

3. Quota

Your home directory has a quota, that is, a limit on the maximum amount of information it can hold. The quota can be viewed with the command:

fs lq

Quota on scratch directories can be viewed by the command:

quota username

4. Recover lost files

It is also useful to know that the directories

/afs/jinr.ru/ubackup/user_initial_name/user_name

hold the contents of the home directory of each JINR AFS user as of 1 am of the current day. Thus, during the day users have the opportunity to restore their own erroneously deleted or overwritten files.

5. Authorization of access to AFS files and directories.

The user is authenticated in an AFS cell: jinr.ru, cern.ch, desy.de, etc.

On successful authentication, the user receives an AFS token, a temporary identification of the AFS identifier:

lxpub05: ~> tokens
Tokens held by the Cache Manager:

User's (AFS ID 8024) tokens for afs@jinr.ru [Expires May 16 15:14]

--End of list--

If, on logging in to the farm, the user receives the message:

“/usr/bin/xauth: timeout in locking authority file ~/.Xauthority, ~/.bash_profile: Permission denied”

then, to access AFS files, execute the following commands:

kinit, aklog, and then klist to check the result

lxpub05: ~> kinit

Password for grom@JINR.RU:

lxpub05: ~> aklog

lxpub05: ~> klist