1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
10 TITLE="AFS User Guide"
11 HREF="book1.html"><LINK
13 TITLE="An Introduction to AFS"
14 HREF="c113.html"><LINK
16 TITLE="Displaying Information about AFS"
17 HREF="c1095.html"></HEAD
28 SUMMARY="Header navigation table"
37 >AFS User Guide: Version 3.6</TH
74 >Chapter 2. Using AFS</H1
76 >This chapter explains how to perform four basic AFS tasks: logging in and authenticating with AFS, ending an AFS session,
77 accessing the AFS filespace, and changing your password.</P
84 >Logging in and Authenticating with AFS</A
87 >To access the AFS filespace as an authenticated user, you must both log into an AFS client machine's local (UNIX) file
88 system and authenticate with AFS. When you log in, you establish your local system identity. When you authenticate, you prove
89 your identity to AFS and obtain a token, which your Cache Manager uses to prove your authenticated status to the AFS server
90 processes it contacts on your behalf. Users who are not authenticated (who do not have a token) have limited access to AFS
91 directories and files.</P
101 >On machines that use an AFS-modified login utility, you log in and authenticate in one step. On machines that do not use
102 an AFS-modified login utility, you log in and authenticate in separate steps. To determine which type of login utility your
103 machine uses, you can check for AFS tokens after logging in, or ask your system administrator, who can also tell you about any
104 differences between your login procedure and the two methods described here.</P
112 >To Log In Using an AFS-modified Login Utility</A
115 >Provide your username at the <SAMP
116 CLASS="computeroutput"
118 > prompt that appears when you establish a new
119 connection to a machine. Then provide your password at the <SAMP
120 CLASS="computeroutput"
122 > prompt as shown in the
123 following example. (Your password does not echo visibly on the screen.)</P
125 CLASS="programlisting"
136 >If you are not sure which type of login utility is running on your machine, it is best to issue the <SPAN
142 > command to check if you are authenticated; for instructions, see <A
143 HREF="c569.html#HDRWQ30"
145 Display Your Tokens</A
146 >. If you do not have tokens, issue the <SPAN
152 > command as described in
154 HREF="c569.html#HDRWQ29"
155 >To Authenticate with AFS</A
164 >To Log In Using a Two-Step Login Procedure</A
167 >If your machine does not use an AFS-modified login utility, you must perform a two-step procedure:
173 >Log in to your client machine's local file system by providing a user name and password at the <SPAN
179 > program's prompts.</P
189 > command to authenticate with AFS. Include the command's <SPAN
195 > argument to associate your token with a special identification number called a
206 >process authentication group</I
208 >). For a description of PAGs, see <A
209 HREF="c569.html#HDRWQ25"
210 >Protecting Your Tokens with a PAG</A
212 CLASS="programlisting"
223 >your_AFS_password</VAR
238 >If your machine uses a two-step login procedure, you can choose to use different passwords for logging in and
239 authenticating. It is simplest to use the same one for both, though. Talk with your system administrator.</P
249 >Authenticating with AFS</A
252 >To work most effectively in the AFS filespace, you must authenticate with AFS. When you do, your Cache Manager is given
253 a token as proof of your authenticated status. It uses your token when requesting services from AFS servers, which accept the
254 token as proof of your authenticated status. If you do not have a token, AFS servers consider you to be the <SPAN
260 > user and your access to AFS filespace is limited: you have only the ACL permissions granted
269 >You can obtain new tokens (reauthenticate) at any time, even after using an AFS-modified login utility, which logs you
270 in and authenticates you in one step. Issue the <SPAN
276 > command as described in <A
277 HREF="c569.html#HDRWQ29"
278 >To Authenticate with AFS</A
286 >Protecting Your Tokens with a PAG</A
289 >To make your access to AFS as secure as possible, it is best to associate your tokens with a unique identification
290 number called a <SPAN
300 >process authentication group</I
303 AFS-modified login utilities automatically create a PAG and associate the new
304 token with it. To create a PAG when you use the two-step login procedure, include the <SPAN
317 > flag. If you do not use this flag, your tokens are associated with your
318 UNIX UID number instead. This type of association has two potential drawbacks:
323 >Anyone who can assume your local UNIX identity can use your tokens. The local superuser <SPAN
329 > can always use the UNIX <SPAN
335 > command to assume your UNIX UID,
336 even without knowing your password.</P
340 >In some environments, certain programs cannot use your tokens even when it is appropriate for them to do so. For
341 example, printing commands such as <SPAN
354 cannot access the files you want to print, because they cannot use your tokens.</P
366 >Obtaining Tokens For Foreign Cells</A
369 >A token is valid only in one cell (the cell whose AFS authentication service issued it). The AFS server processes in
370 any other cell consider you to be the <SPAN
376 > user unless you have an account in the cell
377 and authenticate with its AFS authentication service.</P
379 >To obtain tokens in a foreign cell, use the <SPAN
385 > argument to the <SPAN
391 > command. You can have tokens for your home cell and one or more foreign cells at the same
400 >The One-Token-Per-Cell Rule</A
403 >You can have only one token per cell for each PAG you have obtained on a client machine. If you already have a token
404 for a particular cell and issue the <SPAN
410 > command, the new token overwrites the existing
411 one. Getting a new token is useful if your current token is almost expired but you want to continue accessing AFS files. For
412 a discussion of token expiration, see <A
413 HREF="c569.html#HDRWQ28"
417 >To obtain a second token for the same cell, you must either login on a different machine or establish another separate
418 connection to the machine where you already have a token (by using the <SPAN
425 example). You get a new PAG for each separate machine or connection, and can use the associated tokens only while working on
426 that machine or connection.</P
434 >Obtaining Tokens as Another User</A
437 >You can authenticate as another username if you know the associated password. (It is, of course, unethical to use
438 someone else's tokens without permission.) If you use the <SPAN
444 > command to authenticate as
445 another AFS username, you retain your own local (UNIX) identity, but the AFS server processes recognize you as the other
446 user. The new token replaces any token you already have for the relevant cell (for the reason described in <A
447 HREF="c569.html#HDRWQ27"
448 >The One-Token-Per-Cell Rule</A
460 >Tokens have a limited lifetime. To determine when your tokens expire, issue the <SPAN
466 > command as described in <A
467 HREF="c569.html#HDRWQ30"
468 >To Display Your Tokens</A
470 unable to access AFS in a way that you normally can, issuing the <SPAN
477 whether an expired token is a possible reason.</P
479 >Your cell's administrators set the default lifetime of your token. The AFS authentication service never grants a token
480 lifetime longer than the default, but you can request a token with a shorter lifetime. See the <SPAN
486 > reference page in the <SPAN
490 >IBM AFS Administration Reference</I
492 > to learn how to use
499 > argument for this purpose.</P
507 >Authenticating for DFS Access</A
510 >If your machine is configured to access a DCE cell's DFS filespace by means of the AFS/DFS Migration Toolkit, you can
517 > command to authenticate with DCE. The <SPAN
524 command has no effect on your ability to access AFS filespace.</P
526 >If your system administrator has converted your AFS account to a DCE account and you are not sure of your DCE
527 password, use the <SPAN
533 > command to display it. You must be authenticated as the AFS user
534 whose AFS account was converted to a DCE account, and be able to provide the correct AFS password. Like the <SPAN
546 > command has no functionality with respect to
549 >For more information on using the <SPAN
562 commands, see your system administrator.</P
571 >To Authenticate with AFS</A
574 >If your machine is not using an AFS-modified login utility, you must authenticate after login by issuing the <SPAN
580 > command. You can also issue this command at any time to obtain a token with a later expiration
581 date than your current token.</P
583 CLASS="programlisting"
608 >your_AFS_password</VAR
627 >Associates the resulting tokens with a PAG (see <A
628 HREF="c569.html#HDRWQ25"
629 >Protecting Your Tokens with a PAG</A
631 Include this flag the first time you obtain a token for a particular cell during a login session or connection. Do not
632 include it when refreshing the token for a cell during the same session.</P
644 >Names the cell for which to obtain the token. You must have an account in the cell.</P
651 >Your password does not echo visibly on the screen. When the command shell prompt returns, you are an
652 authenticated AFS user. You can use the <SPAN
658 > command to verify that you are authenticated,
659 as described in the following section.</P
667 >To Display Your Tokens</A
676 > command to display your tokens.</P
678 CLASS="programlisting"
688 >The following output indicates that you have no tokens:</P
690 CLASS="programlisting"
691 > Tokens held by the Cache Manager:
695 >If you have one or more tokens, the output looks something like the following example, in which the tokens for AFS UID
702 > cell expire on August 3 at 2:35 p.m. The tokens for AFS UID 9554 in the
709 > cell expire on August 4 at 1:02 a.m.</P
711 CLASS="programlisting"
712 > Tokens held by the Cache Manager:
713 User's (AFS ID 1022) tokens for afs@abc.com [Expires Aug 3 14:35]
714 User's (AFS ID 9554) tokens for afs@stateu.edu [Expires Aug 4 1:02]
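<P>The following shell script is an added example; it is not part of the AFS User Guide or of the AFS software. It reads <SAMP CLASS="computeroutput">tokens</SAMP> output in the format shown above (a constructed sample, not a real capture; real output may carry additional lines, and only lines of the shape shown are used) and chooses the <SPAN CLASS="bold">klog</SPAN> invocation that To Authenticate with AFS calls for: <SPAN CLASS="bold">-setpag</SPAN> when no tokens are held yet, a plain refresh otherwise. Treating "no tokens held at all" as the test for a first authentication is this script's assumption, consistent with the foreign-cell example later in this chapter, where the second klog omits the flag and both tokens remain.</P>

```shell
#!/bin/sh
# Added example for the AFS User Guide; not part of the guide or of AFS.
# Parses `tokens` output and picks the right klog invocation.
# Assumed output format (as shown in the guide):
#   User's (AFS ID 1022) tokens for afs@abc.com [Expires Aug 3 14:35]
# Real output may carry extra lines; only lines of that shape are used.

# Constructed sample `tokens` output, not a real capture.
SAMPLE_TOKENS="Tokens held by the Cache Manager:

User's (AFS ID 1022) tokens for afs@abc.com [Expires Aug 3 14:35]
User's (AFS ID 9554) tokens for afs@stateu.edu [Expires Aug 4 1:02]"

SAMPLE_NO_TOKENS="Tokens held by the Cache Manager:"

# Read `tokens` output on stdin; print the cell name of each token held.
afs_token_cells() {
    sed -n 's/.* tokens for afs@\([^ ]*\) \[Expires.*/\1/p'
}

# Read `tokens` output on stdin; print the expiry text of the token for
# cell $1, or nothing when no token for that cell is held.  Dots in the
# cell name are escaped so abc.com cannot match abcXcom.
afs_token_expiry() {
    cell_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/.* tokens for afs@$cell_re \[Expires \(.*\)]/\1/p"
}

# Read `tokens` output on stdin; print the klog command to run for cell $1.
# No tokens held at all: first authentication of this session, so create a
# PAG with -setpag.  Tokens already held: the session already has its PAG,
# so refresh or add a cell without -setpag.  A second -setpag would start a
# fresh PAG instead of reusing the existing one, which is why the guide
# says not to repeat the flag when refreshing.
afs_klog_command() {
    if [ -n "$(afs_token_cells)" ]; then
        printf 'klog -cell %s\n' "$1"
    else
        printf 'klog -setpag -cell %s\n' "$1"
    fi
}

# Real usage on an AFS client: ask the Cache Manager what is held, run the
# chosen klog (it prompts for the AFS password), then show the result.
afs_ensure_token() {
    cmd=$(tokens | afs_klog_command "$1")
    echo "running: $cmd" >&2
    $cmd && tokens
}

# Demonstration on the constructed samples (no AFS needed).
printf '%s\n' "$SAMPLE_TOKENS"    | afs_klog_command abc.com        # klog -cell abc.com
printf '%s\n' "$SAMPLE_NO_TOKENS" | afs_klog_command abc.com        # klog -setpag -cell abc.com
printf '%s\n' "$SAMPLE_TOKENS"    | afs_token_expiry stateu.edu     # Aug 4 1:02
```

<P>On a client with AFS installed, <SAMP CLASS="computeroutput">afs_ensure_token abc.com</SAMP> does the whole job; the parsing functions also work on saved output, which is convenient when checking a batch account from a job script.</P>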
724 >Example: Authenticating in the Local Cell</A
727 >Suppose that user <SPAN
733 > cannot save a file. He uses the <SPAN
739 > command and finds that his tokens have expired. He reauthenticates in his local cell under his
740 current identity by issuing the following command:</P
742 CLASS="programlisting"
752 >terry's_password</VAR
756 >Then he issues the <SPAN
762 > command to make sure he is authenticated.</P
764 CLASS="programlisting"
772 Tokens held by the Cache Manager:
773 User's (AFS ID 4562) tokens for afs@abc.com [Expires Jun 22 14:35]
783 >Example: Authenticating as Another User</A
792 > authenticates in his local cell as another user, <SPAN
798 >. The new token replaces <SPAN
804 >'s existing token, because the Cache
805 Manager can store only one token per cell per login session on a machine.</P
807 CLASS="programlisting"
826 Tokens held by the Cache Manager:
827 User's (AFS ID 4278) tokens for afs@abc.com [Expires Jun 23 9:46]
837 >Example: Authenticating in a Foreign Cell</A
846 > authenticates in the <SPAN
853 his account is called <SPAN
861 CLASS="programlisting"
866 >klog ts09 -cell stateu.edu</B
871 >ts09's_password</VAR
880 Tokens held by the Cache Manager:
881 User's (AFS ID 4562) tokens for afs@abc.com [Expires Jun 22 14:35]
882 User's (AFS ID 8346) tokens for afs@stateu.edu [Expires Jun 23 1:02]
892 >Limits on Failed Authentication Attempts</A
895 >Your system administrator can choose to limit the number of times that you fail to provide the correct password when
896 authenticating with AFS (using either an AFS-modified login utility or the <SPAN
903 you exceed the limit, the AFS authentication service refuses further authentication attempts for a period of time set by your
904 system administrator. The purpose of this limit is to prevent unauthorized users from breaking into your account by trying a
905 series of passwords.</P
907 >To determine if your user account is subject to this limit, ask your system administrator or issue the <SPAN
913 > command as described in <A
914 HREF="c569.html#HDRWQ32"
915 >To Display Your Failed Authentication Limit
919 >The following message indicates that you have exceeded the limit on failed authentication attempts.</P
921 CLASS="programlisting"
922 > Unable to authenticate to AFS because ID is locked - see your system admin
931 >To Display Your Failed Authentication Limit and Lockout Time</A
940 > command to determine if there is a limit on the number of
941 unsuccessful authentication attempts for your user account and any associated lockout time. You can examine only your own
942 account. The fourth line of the output reports the maximum number of times you can provide an incorrect password before being
943 locked out of your account. The <SAMP
944 CLASS="computeroutput"
946 > field on the next line reports how long the AFS
947 authentication service refuses authentication attempts after the limit is exceeded.</P
949 CLASS="programlisting"
965 >your_AFS_password</VAR
969 >The following example displays the output for the user <SPAN
975 >, who is allowed nine failed
976 authentication attempts. The lockout time is 25.5 minutes.</P
978 CLASS="programlisting"
979 > User data for pat
980 key (15) cksum is 3414844392, last cpw: Thu Oct 21 16:05:44 1999
981 password will expire: Fri Nov 26 20:44:36 1999
982 9 consecutive unsuccessful authentications are permitted.
983 The lock time for this user is 25.5 minutes.
985 entry never expires. Max ticket lifetime 100.00 hours.
986 last mod on Wed Aug 18 08:22:29 1999 by admin
987 permit password reuse
997 >Exiting an AFS Session</A
1000 >Because logging in and authenticating with AFS are distinct operations, you must both logout and unauthenticate (issue the
1007 > command to discard your tokens) when exiting an AFS session. Simply logging out does not
1008 necessarily destroy your tokens.</P
1010 >You can use the <SPAN
1016 > command any time you want to unauthenticate, not just when logging
1017 out. For instance, it is a good practice to unauthenticate before leaving your machine unattended, to prevent other users from
1018 using your tokens during your absence. When you return to your machine, issue the <SPAN
1025 to reauthenticate, as described in <A
1026 HREF="c569.html#HDRWQ29"
1027 >To Authenticate with AFS</A
1030 >Do not issue the <SPAN
1036 > command when you are running jobs that take a long time to
1037 complete, even if you are logging out. Such processes must have a token during the entire time they need authenticated access to
1040 >If you have tokens from multiple cells and want to discard only some of them, include the <SPAN
1059 >To Discard Tokens</A
1068 > command to discard your tokens:</P
1070 CLASS="programlisting"
1091 > argument to discard all of your tokens, or use it to name each cell for
1092 which to discard tokens. It is best to provide the full name of each cell (such as <SPAN
1107 >You can issue the <SPAN
1113 > command to verify that your tokens were destroyed, as in the
1114 following example.</P
1116 CLASS="programlisting"
1124 Tokens held by the Cache Manager:
1134 >Example: Unauthenticating from a Specific Cell</A
1137 >In the following example, a user has tokens in both the <SPAN
1149 > cells at her company. She discards the token for the <SPAN
1155 > cell but keeps the token for the <SPAN
1164 CLASS="programlisting"
1172 Tokens held by the Cache Manager:
1173 User's (AFS ID 35) tokens for afs@acctg.abc.com [Expires Nov 10 22:30]
1174 User's (AFS ID 674) tokens for afs@mktg.abc.com [Expires Nov 10 18:44]
1180 >unlog -cell acctg.abc.com</B
1190 Tokens held by the Cache Manager:
1191 User's (AFS ID 674) tokens for afs@mktg.abc.com [Expires Nov 10 18:44]
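<P>The following shell script is an added example; it is not part of the AFS User Guide or of the AFS software. It combines the two points made above: discard tokens before leaving the machine, but do not discard the token a long-running job still needs. Given <SAMP CLASS="computeroutput">tokens</SAMP> output (a constructed sample, not a real capture) and the cells to keep, it builds the <SPAN CLASS="bold">unlog -cell</SPAN> command for every other cell, or a bare <SPAN CLASS="bold">unlog</SPAN> when nothing is to be kept.</P>

```shell
#!/bin/sh
# Added example for the AFS User Guide; not part of the guide or of AFS.
# Discard every token except the ones a still-running job needs.

# Constructed `tokens` output, not a real capture.
SAMPLE_TOKENS="Tokens held by the Cache Manager:

User's (AFS ID 35) tokens for afs@acctg.abc.com [Expires Nov 10 22:30]
User's (AFS ID 674) tokens for afs@mktg.abc.com [Expires Nov 10 18:44]
User's (AFS ID 4562) tokens for afs@abc.com [Expires Nov 10 14:35]"

# Read `tokens` output on stdin; print the cells whose tokens should be
# discarded, i.e. every held cell that is not named in the arguments.
afs_cells_to_unlog() {
    sed -n 's/.* tokens for afs@\([^ ]*\) \[Expires.*/\1/p' |
    while IFS= read -r cell; do
        keep=0
        for k in "$@"; do
            [ "$cell" = "$k" ] && keep=1
        done
        if [ "$keep" -eq 0 ]; then printf '%s\n' "$cell"; fi
    done
}

# Read `tokens` output on stdin; print the unlog command that discards the
# tokens not kept.  unlog with no -cell drops every token; with -cell it
# drops only the named cells.  Prints nothing when there is nothing to drop.
afs_unlog_command() {
    cells=$(afs_cells_to_unlog "$@" | tr '\n' ' ')
    cells=${cells% }
    [ -n "$cells" ] || return 0
    if [ $# -eq 0 ]; then
        echo "unlog"
    else
        echo "unlog -cell $cells"
    fi
}

# Real usage on an AFS client: keep the token for each cell named, discard
# the rest, then show what remains.  Run before stepping away while a job
# that needs abc.com keeps working:   afs_unlog_except abc.com
afs_unlog_except() {
    cmd=$(tokens | afs_unlog_command "$@")
    [ -n "$cmd" ] || { echo "nothing to discard" >&2; return 0; }
    echo "running: $cmd" >&2
    $cmd && tokens
}

# Demonstration on the constructed sample (no AFS needed).
printf '%s\n' "$SAMPLE_TOKENS" | afs_unlog_command abc.com   # unlog -cell acctg.abc.com mktg.abc.com
```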
1204 >After you have unauthenticated, log out by issuing the command appropriate for your machine type, which is possibly one
1205 of the following.</P
1207 CLASS="programlisting"
1219 CLASS="programlisting"
1231 CLASS="programlisting"
1248 >Accessing the AFS Filespace</A
1251 >While you are logged in and authenticated, you can access files in AFS just as you do in the UNIX file system. The only
1252 difference is that you can access potentially many more files. Just as in the UNIX file system, you can only access those files
1253 for which you have permission. AFS uses access control lists (ACLs) to control access, as described in <A
1255 >Protecting Your Directories and Files</A
1266 >AFS pathnames look very similar to UNIX file system names. The main difference is that every AFS pathname begins with
1267 the AFS root directory, which is called <SPAN
1273 > by convention. Having <SPAN
1279 > at the top of every AFS cell's filespace links together their filespaces into a global filespace.
1286 >Note for Windows users:</B
1288 > Windows uses a backslash (<SPAN
1294 >) rather than a forward slash (<SPAN
1300 >) to separate the
1301 elements in a pathname. Otherwise, your access to AFS filespace is much the same as for users working on UNIX machines.</P
1303 >The second element in AFS pathnames is generally a cell's name. For example, the ABC Corporation cell is called
1310 > and the pathname of every file in its filespace begins with the string <SPAN
1316 >. Some cells also create a directory at the second level with a shortened name (such as
1342 >), to reduce the amount of typing necessary. Your system administrator can tell
1343 you if your cell's filespace includes shortened names like this. The rest of the pathname depends on how the cell's
1344 administrators organized its filespace.</P
1346 >To access directories and files in AFS you must both specify the correct pathname and have the required permissions on
1347 the ACL that protects the directory and the files in it.</P
1355 >Example: Displaying the Contents of Another User's Directory</A
1364 > wants to look for a file belonging to another user, <SPAN
1370 >. He issues the <SPAN
1376 > command on the appropriate pathname.</P
1378 CLASS="programlisting"
1383 >ls /afs/abc.com/usr/pat/public</B
1397 >Accessing Foreign Cells</A
1400 >You can access files not only in your own cell, but in any AFS cell that you can reach via the network, regardless of
1401 geographical location. There are two additional requirements:
1406 >Your Cache Manager's list of foreign cells must include the cell you want to access. Only the local superuser
1413 > can edit the list of cells, but anyone can display it. See <A
1414 HREF="c1095.html#HDRWQ42"
1415 >Determining Access to Foreign Cells</A
1420 >The ACL on the directory that houses the file, and on every parent directory in the pathname, must grant you the
1421 necessary permissions. The simplest way for the directory's owner to extend permission to foreign users is to put an entry
1428 > group on the ACL.</P
1430 >The alternative is for the foreign cell's administrator to create an account for you, essentially making you a local
1431 user in the cell. The directory's owner creates an ACL entry for you as for any other local user. To authenticate in the
1432 foreign cell, issue the <SPAN
1438 > command with the <SPAN
1451 >For further discussion of directory and file protection, see <A
1453 >Protecting Your Directories and
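<P>The following shell functions are an added example; they are not part of the AFS User Guide or of the AFS software. They apply the pathname rules above: every AFS path starts at <SPAN CLASS="bold">/afs</SPAN>, the second element is normally the cell name, Windows users write the same path with backslashes, and access to a file requires the right ACL permissions on its directory and on every parent directory. The last function lists exactly those directories so each ACL can be inspected in turn; the sample paths are constructed for illustration.</P>

```shell
#!/bin/sh
# Added example for the AFS User Guide; not part of the guide or of AFS.
# Small parsers for AFS pathnames as described in this chapter.

# Turn a Windows-style AFS path into the UNIX form: backslashes become
# slashes, repeated slashes collapse, a trailing slash is dropped.
afs_normalize_path() {
    printf '%s\n' "$1" | sed -e 's#\\#/#g' -e 's#//*#/#g' -e 's#/$##'
}

# Print the cell name (second path element) of an AFS path, or fail if the
# path does not begin with /afs/.  Cells with shortened second-level names
# come out as the shortened name; this script does not expand them.
afs_path_cell() {
    p=$(afs_normalize_path "$1")
    case $p in
        /afs/*) ;;
        *) echo "not an AFS path: $1" >&2; return 1 ;;
    esac
    cell=${p#/afs/}
    cell=${cell%%/*}
    [ -n "$cell" ] || return 1
    printf '%s\n' "$cell"
}

# Print every directory whose ACL must grant permission for access to the
# given path: /afs, then each parent, then the path itself.
afs_acl_check_dirs() {
    p=$(afs_normalize_path "$1")
    case $p in
        /afs/*) ;;
        *) echo "not an AFS path: $1" >&2; return 1 ;;
    esac
    acc=
    rest=${p#/}
    while [ -n "$rest" ]; do
        head=${rest%%/*}
        acc="$acc/$head"
        printf '%s\n' "$acc"
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
    done
}

# Demonstration on constructed paths.
afs_path_cell '/afs/abc.com/usr/pat/public'         # abc.com
afs_path_cell '\afs\abc.com\usr\pat\public'         # abc.com
afs_acl_check_dirs '/afs/abc.com/usr/pat/public'
```

<P>On an AFS client, <SAMP CLASS="computeroutput">afs_acl_check_dirs /afs/abc.com/usr/pat/public | xargs -n1 fs listacl</SAMP> prints the ACL of each directory on the way down, which is the quickest way to find which one is refusing access. The cell named by <SAMP CLASS="computeroutput">afs_path_cell</SAMP> must also appear in the Cache Manager's cell list for a foreign cell to be reachable at all.</P>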
1464 >Changing Your Password</A
1467 >In cells that use an AFS-modified login utility, the password is the same for both logging in and authenticating with AFS.
1468 In this case, you use a single command, <SPAN
1474 >, to change the password.</P
1476 >If your machine does not use an AFS-modified login utility, there are separate passwords for logging into the local file
1477 system and authenticating with AFS. (The two passwords can be the same or different, at your discretion.) In this case, use the
1484 > command to change your AFS password and the UNIX <SPAN
1490 > command to change your UNIX password.</P
1492 >Your system administrator can improve cell security by configuring several features that guide your choice of password.
1493 Keep them in mind when you issue the <SPAN
1504 >Limiting the amount of time your password is valid. This improves your cell's security by limiting the amount of time
1505 an unauthorized user has to try to guess your password. Your system administrator needs to tell you when your password is
1506 due to expire so that you can change it in time. The administrator can configure the AFS-modified login utility to report
1507 this information automatically each time you log in. You can also use the <SPAN
1514 command to display the password expiration date, as instructed in <A
1515 HREF="c569.html#HDRWQ37"
1516 >To Display Password Expiration
1517 Date and Reuse Policy</A
1520 >You can change your password prior to the expiration date, but your system administrator can choose to set a minimum
1521 time between password changes. The following message indicates that the minimum time has not yet passed.</P
1523 CLASS="programlisting"
1524 > kpasswd: password was not changed because you changed it too
1525 recently; see your system administrator
1530 >Enforcing password quality standards, such as a minimum length or inclusion of nonalphabetic characters. The
1531 administrator needs to tell you about such requirements so that you do not waste time picking unacceptable passwords.</P
1535 >Rejecting a password that is too similar to the last 20 passwords you used. You can use the <SPAN
1542 > command to check whether this policy applies to you, as instructed in <A
1543 HREF="c569.html#HDRWQ37"
1545 Password Expiration Date and Reuse Policy</A
1546 >. The following message indicates that the password you have chosen is too
1547 similar to a previous password. <PRE
1548 CLASS="programlisting"
1549 > kpasswd: Password was not changed because it seems like a reused password
1562 >To Display Password Expiration Date and Reuse Policy</A
1571 > command to display your password expiration date and reuse
1572 policy. You can examine only your own account. The third line of the output reports your password's expiration date. The last
1573 line reports the password reuse policy that applies to you.</P
1575 CLASS="programlisting"
1591 >your_AFS_password</VAR
1595 >The following example displays the output for the user <SPAN
1603 CLASS="programlisting"
1604 > User data for pat
1605 key (15) cksum is 3414844392, last cpw: Thu Oct 21 16:05:44 1999
1606 password will expire: Fri Nov 26 20:44:36 1999
1607 9 consecutive unsuccessful authentications are permitted.
1608 The lock time for this user is 25.5 minutes.
1610 entry never expires. Max ticket lifetime 100.00 hours.
1611 last mod on Wed Aug 18 08:22:29 1999 by admin
1612 don't permit password reuse
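<P>The following shell script is an added example; it is not part of the AFS User Guide or of the AFS software. It serves both To Display Your Failed Authentication Limit and Lockout Time and To Display Password Expiration Date and Reuse Policy: instead of counting on "the fourth line" or "the last line", it picks each field out of the account listing by its label, which still works if the real output carries lines the guide's excerpt omits. The sample output is constructed from the lines shown above, and the thresholds used for the warnings are this script's own assumptions, not AFS defaults.</P>

```shell
#!/bin/sh
# Added example for the AFS User Guide; not part of the guide or of AFS.
# Extract lockout and password-policy fields from the account listing by
# label rather than by line position.

# Constructed output in the format the guide shows, not a real capture.
SAMPLE_KAS="User data for pat
  key (15) cksum is 3414844392, last cpw: Thu Oct 21 16:05:44 1999
  password will expire: Fri Nov 26 20:44:36 1999
  9 consecutive unsuccessful authentications are permitted.
  The lock time for this user is 25.5 minutes.
  entry never expires. Max ticket lifetime 100.00 hours.
  last mod on Wed Aug 18 08:22:29 1999 by admin
  don't permit password reuse"

# Each function reads the listing on stdin and prints the field, or
# nothing when the matching line is absent.

# Number of consecutive failed authentications permitted.
kas_failed_limit() {
    sed -n 's/^ *\([0-9][0-9]*\) consecutive unsuccessful authentications are permitted\..*/\1/p'
}

# Lockout duration in minutes once the limit is exceeded.
kas_lock_minutes() {
    sed -n 's/^ *The lock time for this user is \([0-9.][0-9.]*\) minutes\..*/\1/p'
}

# Password expiration date text.
kas_password_expiry() {
    sed -n 's/^ *password will expire: *//p'
}

# Reuse policy: "permit" or "don't permit".
kas_reuse_policy() {
    sed -n 's/^ *\(.*\) password reuse *$/\1/p'
}

# Report policy gaps worth raising with the cell administrator.  The
# 15-minute lockout floor is an illustrative assumption.
kas_policy_warnings() {
    out=$(cat)
    limit=$(printf '%s\n' "$out" | kas_failed_limit)
    lock=$(printf '%s\n' "$out" | kas_lock_minutes)
    reuse=$(printf '%s\n' "$out" | kas_reuse_policy)
    if [ -z "$limit" ]; then
        echo "no limit on consecutive failed authentications is shown"
    elif [ -n "$lock" ] && awk -v m="$lock" 'BEGIN { exit !(m < 15) }'; then
        echo "lockout of $lock minutes is shorter than the 15 assumed here"
    fi
    if [ "$reuse" != "don't permit" ]; then
        echo "password reuse is permitted"
    fi
}

# Demonstration on the constructed sample (no AFS needed).
printf '%s\n' "$SAMPLE_KAS" | kas_failed_limit      # 9
printf '%s\n' "$SAMPLE_KAS" | kas_lock_minutes      # 25.5
printf '%s\n' "$SAMPLE_KAS" | kas_password_expiry   # Fri Nov 26 20:44:36 1999
printf '%s\n' "$SAMPLE_KAS" | kas_reuse_policy      # don't permit
printf '%s\n' "$SAMPLE_KAS" | kas_policy_warnings   # prints nothing: policy is acceptable
```

<P>Because the real command prompts for your AFS password, save its output to a file once and run the functions over the file rather than re-entering the password for each field.</P>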
1621 >To Change Your AFS Password</A
1630 > command, which prompts you to provide your old and new passwords and
1631 to confirm the new password. The passwords do not echo visibly on the screen.</P
1633 CLASS="programlisting"
1643 >current_password</VAR
1645 New password (RETURN to abort): <VAR
1649 Retype new password: <VAR
1661 >To Change Your UNIX Password</A
1664 > Issue the UNIX <SPAN
1670 > command, which prompts you to provide your old and new passwords and to confirm the new
1671 password. The passwords do not echo visibly on the screen. On many machines, the <SPAN
1678 resides in the <SPAN
1684 > directory, and you possibly need to type the complete pathname.</P
1686 CLASS="programlisting"
1694 Changing password for <VAR
1700 >current_password</VAR
1706 Retype new passwd: <VAR
1719 SUMMARY="Footer navigation table"
1758 >An Introduction to AFS</TD
1768 >Displaying Information about AFS</TD