In short an AFS file system allows you to access your files from anywhere in the world in a secure manner.

“AFS is a distributed filesystem product, pioneered at Carnegie Mellon University and supported and developed as a product by Transarc Corporation (now IBM Pittsburgh Labs). It offers a client-server architecture for file sharing, providing location independence, scalability, security, and transparent migration capabilities for data. IBM branched the source of the AFS product, and made a copy of the source available for community development and maintenance. They called the release OpenAFS.”

At PSI the Andrew File System (AFS), can be accessed by each AIT-supported operating system. Central AFS file servers provide storage for the users home directories and project directories. The AFS cell at PSI can be securely accessed world wide, using the corresponding client software.

If you do not have a standard PSI System you will need to install an AFS client for yourself. Since this is a task which depends strongly on the operating system you are referred to the installation instruction on the openafs webpage We advise that you always install the latest client version on your computer.

For the Authentication setting see KerberosAuthenticationEN

The users private data is stored on dedicated home directory servers, which are based on the AFS file-system. As a user you will hardly notice any difference compared to a normal local unix file-system. The normal unix commands for listing directories, creating, moving and deleting files will work in the usual way. But there are some additional features, which you will like to get acquainted with sooner or later. The AFS installation at PSI provides you with the following features and benefits:

  • Each user has a unique homedirectory with an initial total file size quota of 500 MB.
  • This directory is globally accessible. On all machines with an installed AFS client the home directory is /afs/ where U is the first character of USERNAME.
  • Centralized daily backup of data to tape is provided. In addition you can always access the state of the home-directory from the previous day, which exists as a snapshot in the directory Backup in your home-directory. Thus you can easily recover accidentally modified or deleted files from the state of the previous day without operator intervention by just copying the file back with the normal cp command. Note that this Backup directory is occupying essentially no disk-space and is not counted against your quota. Therefore don't try to delete it.
  • Near local harddisk performance for reading: data is locally cached in a dedicated cache file on your desktop computer. Therefore after the initial access all subsequent access to the same file will be very fast.
  • Fine grained access control to the data. AFS gives you much more control of who can access your data in which way compared to the normal unix user/group/world access control. In particular you can define which user or group has read/write/lookup/modify etc access rights by creating so called access control lists ACL. Each user can even create his own group definitions. This is especially useful for group-work, e.g. in connection with the web pages of a project. For some examples see below.
  • Better security since access control is based on a kerberos server with strong authentication. The default access rights to your directory is:
    only you and the AFS administrator has full access to the data. All other users have only lookup rights, i.e. they can see filenames, but not the contents of the files.
  • There are two predefined directories named public and private. All files in the public folder are visible and readable from any user, but can not be modified. All files in the private folder are completely invisible to the other users, i.e. even no lookup rights exist.

The following table summarizes the directory structure of a users home-directory:





$USER rlidwka
system:administrators rlidwka

The user $USER and the system admin has all permissions, any other user has no access to the contents.


$USER rlidwka
system:administrators rlidwka
system:anyuser rl

Any user can see and read the files in this directory.


$USER rlidwka

Nobody except the user can see and change files.


$USER rlidwka
system:administrators rlidwka
system:anyuser l

Backup of previous day.

On request a project can be created. The project name can be chosen by the project leader. The project leader requests an initial quota for the project disk-space. This project will be made available in /afs/$PROJECT/. The project leader determines the users, which should become a member of this project. A corresponding project-group will be created. All members of the project group will by default get read/write/modify rights in this directory. This can later be changed by the project leader. The following table summarizes the directory structure and AFS permissions of a new-style project directory.





$PROJECT rlidwka
$PROJECT:users rlidwk

All project administrators must be member of the group $PROJECT, this group has all permissions. Normal users must be member of the group $PROJECT:users, they have all but administrative permissions.