Dieser Inhalt ist nur in englischer Sprache verfügbar
Frequently Asked Questions about AFS @ PSI
1. General Questions
1.1. How can I store binaries for different platforms into AFS?There is a special mechanism build into AFS. If the string
@sysappears in a file name to be used in AFS, it is automatically replaced with the system name of the machine that the file name is being expanded on. The system name is defined in the AFS client and usually composed of the system architecture and the operating system (or distribution).
For example, on a system with ScientificLinux 4 and Intel's 32bit architecture
@syshas the legal value
i386_sl4. On a system with an Alpha-CPU running Tru64 version 5.1,
@syshas the value
Thus the directory name
$HOME/.@syscorresponds to different directories on different platforms.
To use the
@sysmechanism within the directory
$HOME/bindirectory you should do:
$ cd ~ $ ln -s .@sys/bin bin $ mkdir -p .i386_linuxsl4/bin $ mkdir -p .sun4x_56/bin $ mkdir -p .alpha_dux51/bin
If there are platform with the same binaries/libraries/whatsoever, just create a symbolic link instead of a directory.
1.2. How can I start long-running jobs on AFS?
k5run -b CMD ARGS...
CMDis the program you want to start and
ARGS...are arguments you want to pass to this program.
- You must specify the option
-b, if you want to log-out from the system while the job is still running.
- Jobs may run up to 7 days if the Unified Logon is used and up to 30 days if the AFS login is used.
- If you get the error
renew: error renewing credentials: KDC can't fulfill requested optionyou must run
klogfirst to get a fresh token. This may happen even if you just have logged-in to the system.
| The utility
1.3. I need an AFS-token with a lifetime longer than 10h. What should I do?If you need Kerberos5-tickets/AFS-tokens with a lifetime longer than 10h, the recommended solution is to run
(krenew -t -K 10 &)after logging-in.
1.4. Can I use AFS to store the output of CRON jobs?Currently this is not supported at PSI, due to technical problems and security issues. Without a valid AFS token, no process can write to AFS. CRON has no token, thus has no permissions to write and you cannot pass your token to CRON.
2. SSH and AFS
2.1. Can I use public-key authentication to an user account with home-directory on AFS?No! Why not? The problem is, that you need read-access to the file
$HOME/.ssh/authorized_keyswhile logging in. Before you can read the file, you must obtain an AFS-token. But there is no way to give you an AFS-token at this time. Thus you can not read the file and the authentication will fail.
With older OpenSSH versions there is a work-around for this problem. But the work-around will not work with newer OpenSSH version. For this reason it's not described here.