Versions Compared

Old Version 7

changes.mady.by.user David William Botsch

Saved on

compared with

New Version Current

changes.mady.by.user David William Botsch

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
minLevel1
outlinetrue

General Overview of OpenAFS

...

Your token has a limited lifetime, which is 8 hours at CNF. To check your
token's expiration date, do the following:

 Windows

         Click the lock icon in your system tray. Select the "Tokens" tab
        if it is not already selected. If there is no lock icon in your
        system tray, from the Start Menu, choose All Programs, OpenAFS, then
        Authentication.

Do not use the Kerberos for Windows application to obtain new tokens. Use the AFS client (lock icon).

 Linux

         From the "Applications" menu on CNF SunRays, choose "afstokens". Your tokens are
        displayed in the box labeled "My AFS Tokens".

Use the AFS "Authentication" application to obtain new AFS tokens or view your current tokens. Check your system tray for two lock icons, possibly with a red 'x' over them.  

Of the potentially two lock icons, the correct one for AFS authentencation is the one that says "AFS Client" when you mouse over the icon. The other one will mention AFS and its version number and is not the correct one – this will start the related and separate Keberos for Windows application if you click it.

If you don't see the correct lock icon in your system tray, you can start the AFS Authentication application from the Windows start menu ... Start - O - OpenAFS - Authentication .

In the AFS Authentication application window, to obtain new tokens, click "Obtain new tokens"... your username will be formatted as one of two ways depending on if you have a Cornell NetID or Cornell GuestID:

both are case sensitive... the part after the '@' symbol must be all caps. While your netid or guestid itself must be lowercase.

 Linux

Look for the Key icon at the top right of your screen and mouse over the icon. A popup will tell you when your credentials will expire (if renewable the credentials will be renewed). You can also right click on the key icon and choose "List Tickets"... look for the tickets labeled "afs/cnf.cornell.edu@CNF.CORNELL.EDU" . If the key icon has a yellow exclamation or a red x, then you should manually obtain new credentials. Simply left click on the key icon – you will be prompted for your password.

        Or from the commandline, type "tokens" to see your tokens.

To obtain new tokens, either use the GUI application (key icon) mentioned above or from the commandline type in kinit <username> followed by entering your password followed by typing in: aklog. See below for proper formatting of your username.

Newer versions of the gui krb5-auth-dialog application (the key icon mentioned above) have the ability to obtain and renew AFS tokens – you can install and configure this application on your local Linux system.

Macintosh

The buildbuilt-in System Preferences panel for managing AFS tokens does not work properly in the CNF environment. Do not use it.

We suggest using the GUI AFSLog application . This application will first open the Kerberos Ticket Viewer. After logging into Kerberos, exit the Kerberos Ticket Viewer. In approximately 5 seconds, the AFSLog application will either bounce for your attention or pop up a new window. The new window will show you your AFS tokens.

Alternatively, you may use the commandline. Open a terminalEither use the AFSTokens gui application or the commandline.On the commandline, type in kinit <username> followed by aklog .See below for proper formatting of your username. The "tokens" command will list your AFS tokens.

...

If using a Cornell GuestID (gid-xxxx), your username must be formatted as:
        guestid@GUEST.CORNELLguestid@CORNELL.EDU (@GUEST.CORNELL@CORNELL.EDU must be all caps).

 Access Control Lists

...

        *base permissions apply to directories (not files)
        *new sub-directories inherit from parent directory permissions
        *files have no individual protection. They inherit the protection from
        the directory they sit in.

Wiki MarkupACLs are composed of pairs \ [ protection group or user, access rights \ ]. For
example, grp_users (the group of all users) might have read permissions on a
particular directory.

 Access Rights

 There are seven access rights. Four deal with directories:
        
        *a (administer) : right to administer of the ACLs of this directory
        *l (lookup) : right to list the content of the directory
        *d (delete) : right to delete files or sub-directories
        *i (insert) : right to create new files or directories

...

        pts membership

 Linux

         From the AFSTokens application (under the Applications menu), click
        "PTS (Group Mgmt)". To view groups of which you are a member, click
        the "Group Membership" button. To work with groups that you own, click
        the "Groups I Own" button. Groups you own will be named either:
        netid@cit.cornell.edu:groupname or guestid@guest.cornell.edu:groupname

 From a terminal (XTerm from the Applications - CNF Applications menu on CNF Thin, or simply a terminal on your own Linux box), type in (all lower case):

   pts membership netid@cit.cornell.edu
or for a GuestID:
   pts membership gid-guestid@cornell.edu

Substituting your netid or guestid for "netid" and "gid-guestid" above        When adding a new group, the part of the groupname before the colon is
        automatically filled in.

 Working with Directory ACLs

...

         Right click on a folder in AFS. Choose AFS, and then choose Access
        Control Lists. You may edit ACLs on folders for which you have "all"
        (rlidwka) permissions (for example, those in your AFS home directory)

 Linux

         From the Applications menu, choose "afs acl mgr". Click the "Open"
        button, and browse to the directory for which you want to view/edit
        AFS ACLs. The application defaults to your home directory... afs-land
        can be found under "Filesystem" in the leftmost pane. After selecting
        a directory in AFS, click "OK".

        If you prefer to use the         Use the linux commandline...

        From a terminal, use fs la directory and fs sa directory acl. For
        example:

No Format

        $ fs la /afs/cnf.cornell.edu
        Access list for /afs/cnf.cornell.edu is
        Normal rights:
          cnfhosts rl
          grp_all rl
          grp_it rlidwka
          system:administrators rlidwka
          system:anyuser rl

        If I was in the system:administrators group, I could change the ACLs
        on /afs/cnf.cornell.edu to, for example, give system:anyuser write
        access:

No Format

         $ fs sa /afs/cnf.cornell.edu system:anyuser write

...