Frequently Asked Questions about AFS @ PSI


1.1. How can I store binaries for different platforms into AFS?

There is a special mechanism built into AFS. If the string @sys appears in a file name used in AFS, it is automatically replaced with the system name of the machine on which the file name is being expanded. The system name is defined in the AFS client and is usually composed of the system architecture and the operating system (or distribution).

For example, on a system with Scientific Linux 4 and Intel's 32-bit architecture, @sys has the legal value i386_sl4. On a system with an Alpha CPU running Tru64 version 5.1, @sys has the value alpha_dux51.

Thus the directory name $HOME/.@sys corresponds to different directories on different platforms.

To use the @sys mechanism for the directory $HOME/bin, run:

$ cd ~
$ ln -s .@sys/bin bin
$ mkdir -p .i386_linuxsl4/bin
$ mkdir -p .sun4x_56/bin
$ mkdir -p .alpha_dux51/bin

 


If several platforms share the same binaries, libraries, or other files, just create a symbolic link instead of a directory.
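The layout above can be checked without an AFS client. The following script is an added example, not part of the original FAQ: it builds the layout in a scratch directory and emulates the @sys substitution with sed to show which directory $HOME/bin reaches for each system name. The link from .i386_sl4 to .i386_linuxsl4 is an assumption made only to illustrate the shared-binaries case, and unprovisioned_sys is a constructed name for a platform that has no directory.

```shell
#!/bin/sh
# Added example: emulates the AFS client's @sys substitution on a scratch
# directory, so the per-platform layout can be verified offline.

# setup_layout HOME_DIR: create the layout described in this FAQ entry.
setup_layout() {
    home=$1
    ln -s '.@sys/bin' "$home/bin"
    mkdir -p "$home/.i386_linuxsl4/bin" "$home/.sun4x_56/bin" "$home/.alpha_dux51/bin"
    # Assumption for illustration: i386_sl4 shares its binaries with
    # i386_linuxsl4, so it gets a symbolic link instead of a directory.
    ln -s .i386_linuxsl4 "$home/.i386_sl4"
}

# resolve_bin HOME_DIR SYSNAME: print the physical directory that
# HOME_DIR/bin reaches on a client whose system name is SYSNAME.
# Returns non-zero when that platform has no directory (dangling link).
resolve_bin() {
    home=$1 sysname=$2
    target=$(readlink "$home/bin") || return 1
    # Emulate the AFS client: replace @sys with the system name.
    expanded=$(printf '%s\n' "$target" | sed "s/@sys/$sysname/g")
    (unset CDPATH; cd "$home" && cd "$expanded" 2>/dev/null && pwd -P)
}

# Demo on a scratch directory (constructed input, removed afterwards).
demo_home=$(cd "$(mktemp -d)" && pwd -P)
setup_layout "$demo_home"
for s in i386_linuxsl4 i386_sl4 sun4x_56 alpha_dux51 unprovisioned_sys; do
    if dir=$(resolve_bin "$demo_home" "$s"); then
        echo "$s -> $dir"
    else
        echo "$s -> no directory for this platform"
    fi
done
rm -rf "$demo_home"
```

On an AFS client, `fs sysname` prints the value that the client actually substitutes for @sys.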

 

1.2. How can I start long-running jobs on AFS?

k5run -b CMD ARGS...

 


where CMD is the program you want to start and ARGS... are the arguments you want to pass to this program.

Remarks:

 

  • You must specify the option -b if you want to log out from the system while the job is still running.
  • Jobs may run up to 7 days if the Unified Logon is used and up to 30 days if the AFS login is used.
  • If you get the error "renew: error renewing credentials: KDC can't fulfill requested option", you must run klog first to get a fresh token. This may happen even if you have just logged in to the system.
Note: The utility k5run is the only supported way to start long-running jobs with AFS access.
It obsoletes aexec and rexec! These programs are no longer supported. They will not be available on SL5 and may be removed from SL3 and SL4 some day.

1.3. I need an AFS-token with a lifetime longer than 10h. What should I do?

If you need Kerberos5-tickets/AFS-tokens with a lifetime longer than 10h, the recommended solution is to run

(krenew -t -K 10 &)

after logging in.

1.4. Can I use AFS to store the output of CRON jobs?

Currently this is not supported at PSI, due to technical problems and security issues. Without a valid AFS token, no process can write to AFS. CRON has no token and thus has no permission to write, and you cannot pass your token to CRON.

2.1. Can I use public-key authentication for a user account with a home directory on AFS?

No! Why not? The problem is that sshd needs read access to the file $HOME/.ssh/authorized_keys while you are logging in. Before the file can be read, an AFS token must be obtained. But there is no way to give you an AFS token at this point. Thus the file cannot be read and the authentication will fail.

With older OpenSSH versions there is a workaround for this problem. But the workaround will not work with newer OpenSSH versions. For this reason it is not described here.

2.2. Are there alternatives to public-key authentication?

Yes, but not yet, and probably not on all systems! In the future, Kerberos5 authentication via GSSAPI will be available.