University Computing Systems
AFS -- Authentication and Users
Authentication
Authentication in AFS is done via the Kerberos network security system. Once
a user has validated him/herself to Kerberos with his/her AFS password,
Kerberos issues a "ticket" or "token" to that user; the token lets the user
perform, in any given AFS directory, exactly the operations that the ACL
(access control list) of that directory grants to that user.
A user's token normally expires 25 hours after it is granted, at which
point the user has only those AFS permissions granted to system:anyuser
(see below); however, a user's token expiration time can be extended to
500 hours, if needed.
If a user gets a Permission Denied message when trying to access some
file, it could be because that user's token has expired. To re-authenticate
to Kerberos without logging out:
klog
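The following is an added example, not part of the original NJIT page: a small shell helper that tells a token problem apart from a genuine ACL denial by reading the output of the OpenAFS tokens command, and that runs klog only when no usable token is held. It assumes the OpenAFS tokens and klog commands are installed and that tokens prints its usual "tokens for CELL [Expires ...]" line (older releases print the cell as afs@CELL, and a lapsed token is shown as "[>> Expired <<]"); the cell name cad.njit.edu and all sample outputs are constructed for this example.

```shell
# Added example, not from the original page: is a "Permission denied" likely a
# token problem? Inspect the OpenAFS "tokens" output and re-authenticate with
# klog only when no valid token for the cell exists.
# Assumptions: OpenAFS "tokens" and "klog" are installed; the cell name
# cad.njit.edu and every sample output below are constructed for this example.

# afs_token_present CELL
# Reads "tokens" output on stdin. Exit 0 when it lists an unexpired token for
# CELL. tokens prints one line per cell of the (assumed) form
#   User's (AFS ID 1234) tokens for CELL [Expires Apr  9 10:00]
# (older releases: "tokens for afs@CELL"), and shows "[>> Expired <<]" instead
# of the expiry once the token has lapsed, so an expired token fails this
# check just like a missing one.
afs_token_present() {
    out=$(cat)
    printf '%s\n' "$out" | grep -qF "tokens for $1 [Expires" ||
        printf '%s\n' "$out" | grep -qF "tokens for afs@$1 [Expires"
}

# afs_ensure_token CELL
# For interactive use: re-authenticate (without logging out) only if the Cache
# Manager holds no usable token for CELL.
afs_ensure_token() {
    if tokens | afs_token_present "$1"; then
        echo "valid AFS token for $1 found"
    else
        echo "no valid AFS token for $1; running klog" >&2
        klog -cell "$1"
    fi
}

# Constructed sample outputs covering the three states a user can be in.
TOKENS_VALID="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for cad.njit.edu [Expires Apr  9 10:00]
   --End of list--"

TOKENS_EXPIRED="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for cad.njit.edu [>> Expired <<]
   --End of list--"

TOKENS_NONE="Tokens held by the Cache Manager:

   --End of list--"

# Demonstration against the samples (no AFS installation needed).
for state in VALID EXPIRED NONE; do
    eval "sample=\$TOKENS_$state"
    if printf '%s\n' "$sample" | afs_token_present cad.njit.edu; then
        echo "$state: token present, access uses the user's own ACL rights"
    else
        echo "$state: no usable token, access runs as system:anyuser; klog needed"
    fi
done
```

In practice, call afs_ensure_token cad.njit.edu from a shell before starting long-running work; the function leaves an existing valid token alone, which matters because klog replaces the current token and resets its lifetime.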
Users
- There are several "built-in" AFS users, including system:anyuser and system:authuser
- system:authuser -- anyone who is logged in to an AFS cell (cad at NJIT) and has a token for that cell
- system:anyuser -- anyone who is logged in to an AFS cell, regardless of whether this user has a token or not
- system:administrators -- staff who administer the AFS system
- A user has all four AFS permissions (lida) in his/her login
directory, and always has the administer (a) right on that directory,
and on any directory owned by that user -- this right cannot be removed by
the user.
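The following is an added example, not part of the original NJIT page: a shell audit that reads the output of the OpenAFS fs listacl command and reports what the built-in group system:anyuser can do in a directory. Since system:anyuser matches everyone who can reach the cell, with or without a token, any right it holds beyond l (list) is effectively granted to the whole network, and it is also exactly the access a user is left with once the token expires. It assumes the OpenAFS fs command and its "Normal rights:" / "Negative rights:" listing format; the paths, the user name jdoe and the ACL listings are constructed for this example.

```shell
# Added example, not from the original page: audit the rights that
# system:anyuser holds in a directory, based on OpenAFS "fs listacl" output.
# Assumptions: OpenAFS "fs" is installed and prints "Normal rights:" and
# "Negative rights:" sections; paths, the user jdoe and the listings below are
# constructed for this example.

# afs_rights_for ENTRY
# Reads "fs listacl" output on stdin and prints ENTRY's rights from the
# "Normal rights:" section (prints nothing if ENTRY is absent). Entries under
# "Negative rights:" deny access and are deliberately not reported here.
afs_rights_for() {
    awk -v who="$1" '
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && $1 == who { print $2; exit }
    '
}

# afs_anyuser_exposed
# Exit 0 when system:anyuser holds anything beyond list (l) in the ACL read
# from stdin, i.e. when token-less clients can do more than see file names.
afs_anyuser_exposed() {
    rights=$(afs_rights_for system:anyuser)
    case "$rights" in
        "" | l) return 1 ;;   # absent or list-only: the usual setting
        *)      return 0 ;;   # r, i, d, w, k or a handed to unauthenticated users
    esac
}

# afs_audit_dir DIR: run the check against a live directory.
afs_audit_dir() {
    if fs listacl "$1" | afs_anyuser_exposed; then
        echo "WARNING: $1 grants system:anyuser more than list rights" >&2
        return 1
    fi
    echo "$1: system:anyuser limited to list or nothing"
}

# Constructed listings: a login directory with its default ACL, and a
# subdirectory that has been opened to readers without a token.
ACL_HOME="Access list for /afs/cad.njit.edu/u/j/jdoe is
Normal rights:
  system:administrators rlidwka
  jdoe rlidwka
  system:anyuser l"

ACL_PUBLIC="Access list for /afs/cad.njit.edu/u/j/jdoe/public_html is
Normal rights:
  jdoe rlidwka
  system:authuser rl
  system:anyuser rl"

# Demonstration against the samples (no AFS installation needed).
for name in HOME PUBLIC; do
    eval "acl=\$ACL_$name"
    rights=$(printf '%s\n' "$acl" | afs_rights_for system:anyuser)
    if printf '%s\n' "$acl" | afs_anyuser_exposed; then
        echo "$name: system:anyuser has '$rights'; readable without a token"
    else
        echo "$name: system:anyuser has '${rights:-nothing}'; ok"
    fi
done
```

Run afs_audit_dir over each directory of interest (for example every entry of find ~ -type d) to list where unauthenticated access goes beyond listing names; a directory that legitimately needs to be world-readable, such as a web directory, is simply confirmed rather than changed.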