[openafs-wiki.git] / AFSLore / GeneralFAQ.mdwn

## <a name="1  General"></a> 1 General

The General Section of the [[AFSFrequentlyAskedQuestions]].

- [[PreambleFAQ]]

<div>
  <ul>
    <li><a href="#1  General"> 1 General</a><ul>
        <li><a href="#1.01  What is AFS?"> 1.01 What is AFS?</a></li>
        <li><a href="#1.02  Who supplies AFS?"> 1.02 Who supplies AFS?</a></li>
        <li><a href="#1.03  What is /afs?"> 1.03 What is /afs?</a></li>
        <li><a href="#1.04  What is an AFS cell?"> 1.04 What is an AFS cell?</a></li>
        <li><a href="#1.05  What are the benefits of u"> 1.05 What are the benefits of using AFS?</a><ul>
            <li><a href="#1.05.a  Cache Manager"> 1.05.a Cache Manager</a></li>
            <li><a href="#1.05.b  Location independence"> 1.05.b Location independence</a></li>
            <li><a href="#1.05.c  Scalability"> 1.05.c Scalability</a></li>
            <li><a href="#1.05.d  Improved security"> 1.05.d Improved security</a></li>
            <li><a href="#1.05.e  Single systems image (SS"> 1.05.e Single systems image (SSI)</a></li>
            <li><a href="#1.05.f  Replicated AFS volumes"> 1.05.f Replicated AFS volumes</a></li>
            <li><a href="#1.05.g  Improved robustness to s"> 1.05.g Improved robustness to server crash</a></li>
            <li><a href="#1.05.h  "Easy to use" networking"> 1.05.h "Easy to use" networking</a></li>
            <li><a href="#1.05.i  Communications protocol"> 1.05.i Communications protocol</a></li>
            <li><a href="#1.05.j  Improved system manageme"> 1.05.j Improved system management capability</a></li>
          </ul>
        </li>
        <li><a href="#1.06  Which systems is AFS avail"> 1.06 Which systems is AFS available for?</a></li>
        <li><a href="#1.07  What does "ls /afs" displa"> 1.07 What does "ls /afs" display in the Internet AFS filetree?</a></li>
        <li><a href="#1.08  Why does AFS use Kerberos"> 1.08 Why does AFS use Kerberos authentication?</a></li>
        <li><a href="#1.09  Does AFS work over protoco"> 1.09 Does AFS work over protocols other than TCP/IP?</a></li>
        <li><a href="#1.10  How can I access AFS from"> 1.10 How can I access AFS from my PC?</a></li>
        <li><a href="#1.11  How does AFS compare with"> 1.11 How does AFS compare with NFS?</a></li>
      </ul>
    </li>
  </ul>
</div>

- [[UsageFAQ]]
- [[AdminFAQ]]
- [[ResourcesFAQ]]
- [[AboutTheFAQ]]
- [[FurtherReading]]

### <a name="1.01  What is AFS?"></a> 1.01 What is AFS?

AFS is a distributed filesystem that enables co-operating hosts (clients and servers) to efficiently share filesystem resources across both local area and wide area networks.

The commercial version of AFS is marketed, maintained, and extended by Transarc Corporation.

AFS is based on a distributed file system originally developed at the Information Technology Center at Carnegie-Mellon University that was called the "Andrew File System".

"Andrew" was the name of the research project at CMU - honouring th founders of the University. Once Transarc was formed and AFS became a product, the "Andrew" was dropped to indicate that AFS had gone beyond the Andrew research project and had become a supported, product quality filesystem. However, there were a number of existing cells that rooted their filesystem as /afs. At the time, changing the root of the filesystem was a non-trivial undertaking. So, to save the early AFS sites from having to rename their filesystem, AFS remained as the name and filesystem root.

### <a name="1.02  Who supplies AFS?"></a> 1.02 Who supplies AFS?

There are currently three sources for AFS: Commercial Transarc (now part of IBM), the open sourced version of former Transarc AFS called [[OpenAFS]] and the independent open source project [[Arla]].

<table border="1" cellpadding="0" cellspacing="0">
  <tr>
    <td> 1. </td>
    <td> IBM Pittsburgh Lab </td>
    <td> phone: +1 (412) 667-4400 </td>
  </tr>
  <tr>
    <td>   </td>
    <td> 11 Stanwix Street </td>
    <td> fax: +1 (412) 667-6977 </td>
  </tr>
  <tr>
    <td>   </td>
    <td> Pittsburgh </td>
    <td> email: <a href="mailto:information@transarc.com">information@transarc.com</a></td>
  </tr>
  <tr>
    <td>   </td>
    <td> PA 15222 </td>
    <td><a href="mailto:afs-sales@transarc.com">afs-sales@transarc.com</a></td>
  </tr>
  <tr>
    <td>   </td>
    <td> United States of America </td>
    <td> WWW: <a href="http://www.transarc.com" target="_top">http://www.transarc.com</a></td>
  </tr>
  <tr>
    <td> 2. </td>
    <td>[[Main/OpenAFS]]</td>
    <td> WWW: <a href="http://www.openafs.org/" target="_top">http://www.openafs.org/</a></td>
  </tr>
  <tr>
    <td> 3. </td>
    <td>[[Main/Arla]]</td>
    <td> WWW: <a href="http://www.stacken.kth.se/projekt/arla/" target="_top">http://www.stacken.kth.se/projekt/arla/</a></td>
  </tr>
</table>

### <a name="1.03  What is /afs?"></a> 1.03 What is /afs?

The root of the AFS filetree is /afs. If you execute "ls /afs" you will see directories that correspond to AFS cells (see below). These cells may be local (on same LAN) or remote (eg halfway around the world).

With AFS you can access all the filesystem space under /afs with commands you already use (eg: cd, cp, rm, and so on) provided you have been granted permission (see AFS ACL below).

### <a name="1.04  What is an AFS cell?"></a> 1.04 What is an AFS cell?

An AFS cell is a collection of servers grouped together administratively and presenting a single, cohesive filesystem. Typically, an AFS cell is a set of hosts that use the same Internet domain name.

Normally, a variation of the domain name is used as the AFS cell name.

Users log into AFS client workstations which request information and files from the cell's servers on behalf of the users.

### <a name="1.05  What are the benefits of u"></a> 1.05 What are the benefits of using AFS?

The main strengths of AFS are its:

- caching facility
- security features
- simplicity of addressing
- scalability
- communications protocol

Here are some of the advantages of using AFS in more detail:

#### <a name="1.05.a  Cache Manager"></a> 1.05.a Cache Manager

AFS client machines run a Cache Manager process. The Cache Manager maintains information about the identities of the users logged into the machine, finds and requests data on their behalf, and keeps chunks of retrieved files on local disk.

The effect of this is that as soon as a remote file is accessed a chunk of that file gets copied to local disk and so subsequent accesses (warm reads) are almost as fast as to local disk and considerably faster than a cold read (across the network).

Local caching also significantly reduces the amount of network traffic, improving performance when a cold read is necessary.

#### <a name="1.05.b  Location independence"></a> 1.05.b Location independence

Unlike NFS, which makes use of /etc/filesystems (on a client) to map (mount) between a local directory name and a remote filesystem, AFS does its mapping (filename to location) at the server. This has the tremendous advantage of making the served filespace location independent.

Location independence means that a user does not need to know which fileserver holds the file, the user only needs to know the pathname of a file. Of course, the user does need to know the name of the AFS cell to which the file belongs. Use of the AFS cellname as the second part of the pathname (eg: /afs/$AFSCELL/somefile) is helpful to distinguish between file namespaces of the local and non-local AFS cells.

To understand why such location independence is useful, consider having 20 clients and two servers. Let's say you had to move a filesystem "/home" from server a to server b.

Using NFS, you would have to change the /etc/filesystems file on 20 clients and take "/home" off-line while you moved it between servers.

With AFS, you simply move the AFS volume(s) which constitute "/home" between the servers. You do this "on-line" while users are actively using files in "/home" with no disruption to their work.

(Actually, the AFS equivalent of "/home" would be /afs/$AFSCELL/home where $AFSCELL is the AFS cellname.)

#### <a name="1.05.c  Scalability"></a> 1.05.c Scalability

With location independence comes scalability. An architectural goal of the AFS designers was client/server ratios of 200:1 which has been successfully exceeded at some sites. Transarc do not recommend customers use the 200:1 ratio. A more cautious value of 50:1 is expected to be practical in most cases. It is certainly possible to work with a ratio somewhere between these two values. Exactly what value depends on many factors including: number of AFS files, size of AFS files, rate at which changes are made, rate at which file are being accessed, speed of servers processor, I/O rates, and network bandwidth.

AFS cells can range from the small (1 server/client) to the massive (with tens of servers and thousands of clients). Cells can be dynamic: it is simple to add new fileservers or clients and grow the computing resources to meet new user requirements.

#### <a name="1.05.d  Improved security"></a> 1.05.d Improved security

Firstly, AFS makes use of Kerberos to authenticate users. This improves security for several reasons:

- passwords do not pass across the network in plaintext

- encrypted passwords no longer need to be visible
  - You don't have to use NIS, aka yellow pages, to distribute /etc/passwd - thus "ypcat passwd" can be eliminated.
  - If you do choose to use NIS, you can replace the password field with "X" so the encrypted password is not visible. (These issues are discussed in detail in [25]).

- AFS uses mutual authentication - both the service provider and service requester prove their identities

Secondly, AFS uses access control lists (ACLs) to enable users to restrict access to their own directories.

#### <a name="1.05.e  Single systems image (SS"></a> 1.05.e Single systems image (SSI)

Establishing the same view of filestore from each client and server in a network of systems (that comprise an AFS cell) is an order of magnitude simpler with AFS than it is with, say, NFS.

This is useful to do because it enables users to move from workstation to workstation and still have the same view of filestore. It also simplifies part of the systems management workload.

In addition, because AFS works well over wide area networks the SSI is also accessible remotely.

As an example, consider a company with two widespread divisions (and two AFS cells): ny.acme.com and sf.acme.com. Mr Fudd, based in the New York office, is visiting the San Francisco office.

Mr. Fudd can then use any AFS client workstation in the San Francisco office that he can log into (a unprivileged guest account would suffice). He could authenticate himself to the ny.acme.com cell and securely access his New York filespace.

For example:

The following shows a guest in the sf.acme.com AFS cell:

1. add AFS executables directory to PATH
2. obtaining a PAG with pagsh command (see 2.06)
3. use the klog command to authenticate into the ny.acme.com AFS cell
4. making a HOME away from home
5. invoking a homely .profile

           guest@toontown.sf.acme.com $ PATH=/usr/afsws/bin:$PATH       # {1}
           guest@toontown.sf.acme.com $ pagsh                           # {2}
           $ klog -cell ny.acme.com -principal elmer                    # {3}
           Password:
           $ HOME=/afs/ny.acme.com/user/elmer; export HOME              # {4}
           $ cd
           $ .  .profile                                                # {5}
           you have new mail
           guest@toontown $

It is not necessary for the San Francisco sys admin to give Mr. Fudd an AFS account in the sf.acme.com cell. Mr. Fudd only needs to be able to log into an AFS client that is:

1. on the same network as his cell and
2. his ny.acme.com cell is mounted in the sf.acme.com cell (as would certainly be the case in a company with two cells).

#### <a name="1.05.f  Replicated AFS volumes"></a> 1.05.f Replicated AFS volumes

AFS files are stored in structures called Volumes. These volumes reside on the disks of the AFS file server machines. Volumes containing frequently accessed data can be read-only replicated on several servers.

Cache managers (on users client workstations) will make use of replicate volumes to load balance. If accessing data from one replicate copy, and that copy becomes unavailable due to server or network problems, AFS will automatically start accessing the same data from a different replicate copy.

An AFS client workstation will access the closest volume copy. By placing replicate volumes on servers closer to clients (eg on same physical LAN) access to those resources is improved and network traffic reduced.

#### <a name="1.05.g  Improved robustness to s"></a> 1.05.g Improved robustness to server crash

The Cache Manager maintains local copies of remotely accessed files. This is accomplished in the cache by breaking files into chunks of up to 64k (default chunk size). So, for a large file, there may be several chunks in the cache but a small file will occupy a single chunk (which will be only as big as is needed).

A "working set" of files that have been accessed on the client is established locally in the client's cache (copied from fileserver(s)).

If a fileserver crashes, the client's locally cached file copies remain readable but updates to cached files fail while the server is down.

Also, if the AFS configuration has included replicated read-only volumes then alternate fileservers can satisfy requests for files from those volumes.

#### <a name="1.05.h  &quot;Easy to use&quot; networking"></a> 1.05.h "Easy to use" networking

Accessing remote file resources via the network becomes much simpler when using AFS. Users have much less to worry about: want to move a file from a remote site? Just copy it to a different part of /afs.

Once you have wide-area AFS in place, you don't have to keep local copies of files. Let AFS fetch and cache those files when you need them.

#### <a name="1.05.i  Communications protocol"></a> 1.05.i Communications protocol

AFS communications protocol is optimized for Wide Area Networks. Retransmitting only the single bad packet in a batch of packets and allowing the number of unacknowledged packets to be higher (than in other protocols, see [4]).

#### <a name="1.05.j  Improved system manageme"></a> 1.05.j Improved system management capability

Systems administrators are able to make configuration changes from any client in the AFS cell (it is not necessary to login to a fileserver).

With AFS it is simple to effect changes without having to take systems off-line.

Example:

A department (with its own AFS cell) was relocated to another office. The cell had several fileservers and many clients. How could they move their systems without causing disruption?

First, the network infrastructure was established to the new location. The AFS volumes on one fileserver were migrated to the other fileservers. The "freed up" fileserver was moved to the new office and connected to the network.

A second fileserver was "freed up" by moving its AFS volumes across the network to the first fileserver at the new office. The second fileserver was then moved.

This process was repeated until all the fileservers were moved.

All this happened with users on client workstations continuing to use the cell's filespace. Unless a user saw a fileserver being physically moved (s)he would have no way to tell the change had taken place.

Finally, the AFS clients were moved - this was noticed!

### <a name="1.06  Which systems is AFS avail"></a> 1.06 Which systems is AFS available for?

AFS runs on systems from: HP, Compaq, IBM, SUN, SGI, Apple ([[MacOSX]]) and PCs with flavours of Unix.

AFS has been available for Next and DEC (Ultrix).

Transarc customers have done ports to Crays, and the 3090, but all are based on some flavour of unix. Some customers have done work to make AFS data available to PCs and Macs, although they are using something similar to the AFS/NFS translator (a system that enables "NFS only" clients to NFS mount the AFS filetree /afs).

There is a client only implementation "AFS Client for Windows/NT".

A page describing the current systems for which AFS is supported may be found at:

- <http://www.transarc.com/Support/afs/relversions/platforms.html>

There are also ports of AFS done by customers available from Transarc on an "as is" unsupported basis.

More information on this can be found at:

- <file:///afs/transarc.com/public/afs-contrib/bin/README>
- <ftp://ftp.transarc.com/pub/afs-contrib/bin/README>

These ports of AFS client code include:

- HP (Apollo) Domain OS - by Jim Rees at the University of Michigan.
- sun386i - by Derek Atkins and Chris Provenzano at MIT.
- Linux - by Derek Atkins, mailing list: &lt;linux-afs-request@mit.edu&gt; <http://www.mit.edu:8008/menelaus/linux-afs/>
- [[NetBSD]] - by John Kohl, mailing list: &lt;netbsd-afs@mit.edu&gt;

There is some information about AFS on OS/2 at:

- <http://www.club.cc.cmu.edu/~jgrande/afsos2.html>

The AFS on Linux FAQ may be found at:

- <http://www.umlug.umd.edu/linuxafs/>

Check out the [[OpenAFS]] and [[Arla]] pages for port avilablity.

### <a name="1.07  What does &quot;ls /afs&quot; displa"></a> 1.07 What does "ls /afs" display in the Internet AFS filetree?

Essentially this displays the AFS cells that co-operate in the Internet AFS filetree.

Note that the output of this will depend on the cell you do it from; a given cell may not have all the publicly advertised cells available, and it may have some cells that aren't advertised outside of the given site.

The definitive source for this information is:

- <file:///afs/transarc.com/service/etc/CellServDB.export>

I've included the list of cell names included in it below:

       asu.edu                 #ASU
       uni-freiburg.de         #Albert-Ludwigs-Universitat Freiburg
       anl.gov                 #Argonne National Laboratory
       fl.mcs.anl.gov          # Argonne National Laboratory MCS Division FL
       dapnia.saclay.cea.fr    #Axlan-CEA
       bcc.ac.uk               #Bloomsbury Computing Consortium
       bu.edu                  #Boston University
       cs.brown.edu            #Brown University Department of Computer Science
       caspur.it               #CASPUR Inter-University Computing Consortium,Rome
       ciesin.org              #CIESIN
       mathematik-cip.uni-stuttgart.de #CIP-Pool of Math. Dept, Univ. Stuttgart
       gg.caltech.edu          #Caltech Computer Graphics Group
       cards.com               #Cards - Electronic Warfare Associates
       cheme.cmu.edu           #Carnegie Mellon Univ. Chemical Engineering Dept.
       cmu.edu                 #Carnegie Mellon University
       andrew.cmu.edu          #Carnegie Mellon University - Campus
       ce.cmu.edu              #Carnegie Mellon University - Civil Eng. Dept.
       ece.cmu.edu             #Carnegie Mellon University - Elec. Comp. Eng. Dept.
       me.cmu.edu              #Carnegie Mellon University - Mechanical Engineering
       cs.cmu.edu              #Carnegie Mellon University - School of Comp. Sci.
       club.cc.cmu.edu         #Carnegie Mellon University Computer Club
       cert.org                #CERT/Coordination Center
       others.chalmers.se      #Chalmers University of Technology - General users
       cipool.uni-stuttgart.de #CIP Pool, Rechenzentrum University of Stuttgart
       clarkson.edu            #Clarkson University, Potsdam, USA
       msc.cornell.edu         #Cornell University Materials Science Center
       graphics.cornell.edu    #Cornell University Program of Computer Graphics
       theory.cornell.edu      #Cornell University Theory Center
       ifh.de                  #DESY-IfH Zeuthen
       northstar.dartmouth.edu #Dartmouth College, Project Northstar
       desy.de                 #Deutsches Elektronen-Synchrotron
       dkrz.de                 #Deutsches Klimarechenzentrum Hamburg
       dis.uniroma1.it         #DIS, Univ. "La Sapienza", Rome, area Buonarotti
       msrc.pnl.gov            #EMSL's AFS Cell
       zdvpool.uni-tuebingen.de#Eberhard-Karls-Universitaet Tuebingen, WS-Pools
       enea.it                 #enea.it
       es.net                  #Energy Sciences Net
       research.ec.org         #Esprit Research Network of Excellence
       dce.emsl.pnl.gov        #EMSL's DCE Cell
       cern.ch                 #European Laboratory for Particle Physics, Geneva
       fnal.gov                #Fermi National Acclerator Laboratory
       fh-heilbronn.de         #Fachhochschule Heilbronn
       hephy.at                #hephy-vienna
       sleeper.nsa.hp.com      #HP Cupertino
       palo_alto.hpl.hp.com    #HP Palo Alto
       afs.hursley.ibm.com     #IBM Hursley Laboratories (UK), external cell
       ibm.uk                  #IBM UK, AIX Systems Support Centre
       zurich.ibm.ch           #IBM Zurich Internet Cell
       ctp.se.ibm.com          #IBM/4C, Chalmers, Sweden
       ipp-hgw.mpg.de          #IPP site at Greifswald
       in2p3.fr                #IN2P3 production cell
       lngs.infn.it            #INFN Laboratori Nazionali di Gran Sasso, Italia
       le.infn.it              #INFN Sezione di Lecce, Italia
       pi.infn.it              #INFN Sezione di Pisa
       ike.uni-stuttgart.de    #Institut fuer Kernenergetik, Universitaet Stuttgart
       ipp-garching.mpg.de     #Institut fuer Plasmaphysik
       csv.ica.uni-stuttgart.de #Institut fuer Computeranwendungen, Uni. Stuttgart
       iastate.edu             #Iowa State University
       infn.it                 #Istituto Nazionale di Fisica Nucleare, Italia
       jpl.nasa.gov            #Jet Propulsion Laboratory
       zdv.uni-mainz.de        #Johannes-Gutenberg-Universitaet Mainz
       isk.kth.se              #KTH College of Engineering
       cc.keio.ac.jp           #Keio University, Fac. of Sci. & Tech. Computing Ctr
       sfc.keio.ac.jp          #Keio University, Japan
       afs-math.zib-berlin.de  #Konrad-Zuse-Zentrum fuer Informationstechnik Berlin
       thermo-a.mw.tu-muenchen.de #Lehrstuhl A fuer Thermodynamik,TUM
       lrz-muenchen.de         #Leibniz-Rechenzentrum Muenchen Germany
       athena.mit.edu          #MIT/Athena cell
       net.mit.edu             #MIT/Network Group cell
       sipb.mit.edu            #MIT/SIPB cell
       msu.edu                 #Michigan State University home cell
       mpa-garching.mpg.de     #Max-Planck-Institut fuer Astrophysik
       federation.atd.net      #Multi Resident AFS at Naval Research Lab - CCS
       isl.ntt.jp              #NTT Information and Communication
       nersc.gov               #National Energy Research Supercomputer Center
       alw.nih.gov             #National Institutes of Health
       nrel.gov                #National Renewable Energy Laboratory
       cmf.nrl.navy.mil        #Naval Research Lab
       lcp.nrl.navy.mil        #Naval Research Lab - Lab for Computational Physics
       nrlfs1.nrl.navy.mil     #Naval Research Laboratory
       eos.ncsu.edu            #NCSU - College of Engineering
       unity.ncsu.edu          #NCSU Campus
       ncat.edu                #North Carolina Agricultural and Technical State U.
       bp.ncsu.edu             #North Carolina State University - Backbone Prototype
       ri.osf.org              #OSF Research Institute
       gr.osf.org              #OSF Research Institute, Grenoble
       urz.uni-magdeburg.de    #Otto-von-Guericke-Universitaet, Magdeburg
    N  ovpit.indiana.edu       #OVPIT at Indiana University
       psc.edu                 #PSC (Pittsburgh Supercomputing Center)
       psu.edu                 #Penn State
       phy.bnl.gov             #Physics Deptpartment, Brookhaven National Lab
       postech.ac.kr           #Pohang University of Science
       pppl.gov                #Princeton Plasma Physics Laboratory
       rwcp.or.jp              #Real World Computer Partnership(rwcp)
       rz.uni-jena.de          #Rechenzentrum University of Jena, Germany
       rhrk.uni-kl.de          #Rechenzentrum University of Kaiserslautern
       rus.uni-stuttgart.de    #Rechenzentrum University of Stuttgart
       rhic                    #Relativistic Heavy Ion Collider
       rpi.edu                 #Rensselaer Polytechnic Institute
       uni-bonn.de             #Rheinische Friedrich Wilhelm Univesitaet Bonn
       rose-hulman.edu         #Rose-Hulman Institute of Technology
       cs.rose-hulman.edu      # Rose-Hulman Inst. of Tech., CS Department
       nada.kth.se             #Royal Institute of Technology, NADA
       rl.ac.uk                #Rutherford Appleton Lab, England
       slac.stanford.edu       #Stanford Linear Accelerator Center
       dsg.stanford.edu        #Stanford Univ. - Comp. Sci. - Distributed Systems
       ir.stanford.edu         #Stanford University
       afs1.scri.fsu.edu       #Supercomputer Computations Research Instit
       ethz.ch                 #Swiss Federal Inst. of Tech. - Zurich, Switzerland
       hrzone.th-darmstadt.de  #TH-Darmstadt
       tu-bs.de                #Technical University of Braunschweig, Germany
       tu-chemnitz.de          #Technische Universitaet Chemnitz-Zwickau, Germany
       telos.com               #Telos Systems Group - Chantilly, Va.
       transarc.com            #Transarc Corporation
       cats.ucsc.edu           #UC Santa Cruz, Comp and Tech Services, California
       umr.edu                 #UMR - Missouri's Technological University
       hep.net                 #US High Energy Physics Information cell
       uni-mannheim.de         #Uni Mannheim (Rechenzentrum)
       ece.ucdavis.edu         #Univ California - Davis campus
       geo.uni-koeln.de        #Univ. of Cologne Inst. for Geophysics & Meteorology
       meteo.uni-koeln.de      #Univ. of Cologne Inst. for Geophysics & Meteorology
    N  dsi.uniroma1.it         #Univ. Rome-1, Dept. of Computer Science
    U  spv.uniroma1.it         #Univ. Rome-1, Area San Pietro in Vincoli
    N  vn.uniroma3.it          #Univ. Rome-3, Area Vasca Navale
       urz.uni-heidelberg.de   #Universitaet Heidelberg
       spc.uchicago.edu        #University of Chicago - Social Sciences
       rrz.uni-koeln.de        #University of Cologne -  Reg Comp Center
       wu-wien.ac.at           #University of Economics, Vienna, Austria
       uni-hohenheim.de        #University of Hohenheim
       ncsa.uiuc.edu           #University of Illinois
       wam.umd.edu             #University of Maryland Network WAM Project
       glue.umd.edu            #University of Maryland - Project Glue
       engin.umich.edu         #University of Michigan - CAEN
       umich.edu               #University of Michigan - Campus
       dmsv.med.umich.edu      #University of Michigan - DMSV
       citi.umich.edu          #University of Michigan - IFS Development
       lsa.umich.edu           #University of Michigan - LSA College
       math.lsa.umich.edu      #University of Michigan - Math Cell
       sph.umich.edu           #University of Michigan -- School of Public
       cs.unc.edu              #University of North Carolina at Chapel Hill
       nd.edu                  #University of Notre Dame
       pitt.edu                #University of Pittsburgh
       vn.uniroma3.it          #University of Rome 3, Area Vasca Navale, Italy
       isi.edu                 #University of Southern California/ISI
       dce.uni-stuttgart.de    #University of Stuttgart - DCE/DFS Cell
       ihf.uni-stuttgart.de    #University of Stuttgart, Ins. fuer Hochfrequenz-Tec
       mathematik.uni-stuttgart.de #University of Stuttgart, Math Dept.
       cs.utah.edu             #University of Utah Computer Science Dept
       utah.edu                #University of Utah Information Tech. Service
       cs.washington.edu       #University of Washington Comp Sci Department
       wisc.edu                #University of Wisconsin-Madison, Campus
       cs.wisc.edu             #University of Wisconsin-Madison, Comp Sci Dept
       belwue.uni-tuebingen.de #ZDV Universitaet Tuebingen

This shows different and widespread organizations making use of the Internet AFS filetree.

Note that it is also possible to use AFS "behind the firewall" within the confines of your organization's network - you don't have to participate in the Internet AFS filetree.

Indeed, there are lots of benefits of using AFS on a local area network without using the WAN capabilities.

### <a name="1.08  Why does AFS use Kerberos"></a><a name="1.08  Why does AFS use Kerberos "></a> 1.08 Why does AFS use Kerberos authentication?

It improves security.

Kerberos uses the idea of a trusted third party to prove identification. This is a bit like using a letter of introduction or quoting a referee who will vouch for you.

When a user authenticates using the klog command (s)he is prompted for a password. If the password is accepted the Kerberos Authentication Server (KAS) provides the user with an encrypted token (containing a "ticket granting ticket").

From that point on, it is the encrypted token that is used to prove the user's identity. These tokens have a limited lifetime (typically a day) and are useless when expired.

In AFS, it is possible to authenticate into multiple AFS cells. A summary of the current set of tokens held can be displayed by using the "tokens" command.

For example:

       elmer@toontown $ tokens

       Tokens held by the Cache Manager:

       User's (AFS ID 9997) tokens for afs@ny.acme.com [Expires Sep 15 06:50]
       User's (AFS ID 5391) tokens for afs@sf.acme.com [Expires Sep 15 06:48]
          --End of list--

Kerberos improves security because a users's password need only be entered once (at klog time).

AFS uses Kerberos to do complex mutual authentication which means that both the service requester and the service provider have to prove their identities before a service is granted.

Transarc's implementation of Kerberos is slightly different from MIT Kerberos V4 but AFS can work with either version. Joe Jackson wrote about this in: <http://www.cs.cmu.edu/afs/andrew.cmu.edu/usr/shadow/www/afs/afs-with-kerberos.html>

For more detail on this and other Kerberos issues see the faq for Kerberos (posted to news.answers and comp.protocols.kerberos) [28]. (Also, see [15], [16], [26], [27])

### <a name="1.09  Does AFS work over protoco"></a> 1.09 Does AFS work over protocols other than TCP/IP?

No. AFS was designed to work over TCP/IP.

### <a name="1.10  How can I access AFS from"></a><a name="1.10  How can I access AFS from "></a> 1.10 How can I access AFS from my PC?

You can use PC-Interface which is available from Transarc and Locus Computing Corporations.

For more information on PC-Interface see the PC-Interface Frequently Asked Questions file in:

- <file:///afs/transarc.com/public/afs-contrib/doc/faq/pci.faq>
- <ftp://ftp.transarc.com/pub/afs-contrib/doc/faq/pci.faq>

There is also SAMBA (an SMB/netbios server for UNIX). The current version will authenticate the connecting process with AFS as well.

- <http://samba.anu.edu.au/samba/>

The SAMBA FAQ is in:

- <http://samba.anu.edu.au/samba/docs/faq/sambafaq-1.html#ss1.1>

The SAMBA mailing list can be joined via: <samba-request@anu.edu.au>

### <a name="1.11  How does AFS compare with"></a><a name="1.11  How does AFS compare with "></a> 1.11 How does AFS compare with NFS?

<table border="1" cellpadding="0" cellspacing="0">
  <tr>
    <td>   </td>
    <th align="center" bgcolor="#99CCCC"><strong> AFS </strong></th>
    <th align="center" bgcolor="#99CCCC"><strong> NFS </strong></th>
  </tr>
  <tr>
    <th bgcolor="#99CCCC"><strong> File Access </strong></th>
    <td> Common name space from all workstations </td>
    <td> Different file names from different workstations </td>
  </tr>
  <tr>
    <th bgcolor="#99CCCC"><strong> File Location Tracking </strong></th>
    <td> Automatic tracking by file system processes and databases </td>
    <td> Mountpoints to files set by administrators and users </td>
  </tr>
  <tr>
    <th bgcolor="#99CCCC"><strong> Performance </strong></th>
    <td> Client caching to reduce network load; callbacks to maintain cache consistency </td>
    <td> No local disk caching; limited cache consistency </td>
  </tr>
  <tr>
    <th bgcolor="#99CCCC"><strong> Andrew Benchmark (5 phases, 8 clients) </strong></th>
    <td> Average time of 210 seconds/client </td>
    <td> Average time of 280 seconds/client </td>
  </tr>
  <tr>
    <th bgcolor="#99CCCC"><strong> Scaling capabilities </strong></th>
    <td> Maintains performance in small and very large installations </td>
    <td> Best in small to mid-size installations </td>
  </tr>
  <tr>
    <td>   </td>
    <td> Excellent performance on wide-area configuration </td>
    <td> Best in local-area configurations </td>
  </tr>
  <tr>
    <th bgcolor="#99CCCC"><strong> Security </strong></th>
    <td> Kerberos mutual authentication </td>
    <td> Security based on unencrypted user ID's </td>
  </tr>
  <tr>
    <td>   </td>
    <td> Access control lists on directories for user and group access </td>
    <td> No access control lists </td>
  </tr>
  <tr>
    <th bgcolor="#99CCCC"><strong> Availability </strong></th>
    <td> Replicates read-mostly data and AFS system information </td>
    <td> No replication </td>
  </tr>
  <tr>
    <th bgcolor="#99CCCC"><strong> Backup Operation </strong></th>
    <td> No system downtime with specially developed AFS Backup System </td>
    <td> Standard UNIX backup system </td>
  </tr>
  <tr>
    <th bgcolor="#99CCCC"><strong> Reconfiguration </strong></th>
    <td> By volumes (groups of files) </td>
    <td> Per-file movement </td>
  </tr>
  <tr>
    <td>   </td>
    <td> No user impact; files remain accessible during moves, and file names do not change </td>
    <td> Users lose access to files and filenames change (mountpoints need to be reset) </td>
  </tr>
  <tr>
    <th bgcolor="#99CCCC"><strong> System Management </strong></th>
    <td> Most tasks performed from any workstation </td>
    <td> Frequently involves telnet to other workstations </td>
  </tr>
  <tr>
    <th bgcolor="#99CCCC"><strong> Autonomous Architecture </strong></th>
    <td> Autonomous administrative units called cells, in addition to file servers and clients </td>
    <td> File servers and clients </td>
  </tr>
  <tr>
    <td>   </td>
    <td> No trust required between cells </td>
    <td> No security distinctions between sites </td>
  </tr>
  <tr>
    <td>
    </td>
    <td colspan="2"> [ source: <a href="ftp://ftp.transarc.com/pub/afsps/doc/afs-nfs.comparison" target="_top">ftp://ftp.transarc.com/pub/afsps/doc/afs-nfs.comparison</a> ] </td>
  </tr>
</table>

Other points:

- Some vendors offer more secure versions of NFS but implementations vary. Many NFS ports have no extra security features (such as Kerberos).

- The AFS Cache Manager can be configured to work with a RAM (memory) based cache. This offers signifigant performance benefits over a disk based cache. NFS has no such feature. Imagine how much faster it is to access files cached into RAM!

- The Andrew benchmark demonstrates that AFS has better performance than NFS as the number of clients increases. A graph of this (taken from Andrew benchmark report) is available in:
  - ![andrew1.jpg](http://www.angelfire.com/hi/plutonic/images/andrew1.jpg)