Frequently Asked Questions about AFS @ PSI
1. General Questions
1.1. How can I store binaries for different platforms into AFS?
There is a special mechanism built into AFS. If the string @sys appears in a file name to be used in AFS, it is automatically replaced with the system name of the machine on which the file name is being expanded. The system name is defined in the AFS client and is usually composed of the system architecture and the operating system (or distribution).
For example, on a system with Scientific Linux 4 and Intel's 32-bit architecture, @sys has the legal value i386_sl4. On a system with an Alpha CPU running Tru64 version 5.1, @sys has the value
Thus the directory name $HOME/.@sys corresponds to different directories on different platforms.
To use the @sys mechanism for the $HOME/bin directory, do the following:
$ cd ~
$ ln -s .@sys/bin bin
$ mkdir -p .i386_linuxsl4/bin
$ mkdir -p .sun4x_56/bin
$ mkdir -p .alpha_dux51/bin
If several platforms share the same binaries, libraries or other files, just create a symbolic link instead of a directory.
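The layout above, including the symbolic link for platforms that share binaries, as a shell sketch added here (not part of the original FAQ or PSI's tooling). The function names, the ALIAS=TARGET argument syntax and the sed-based stand-in for the AFS client's @sys substitution are assumptions of this example.

```shell
#!/bin/sh
# Added example: per-platform bin layout built around the @sys path component.
# Function names and the ALIAS=TARGET syntax are assumptions of this sketch.

# setup_sys_bin BASE SPEC...
#   SPEC is NAME (gets its own directory) or ALIAS=TARGET (shares TARGET's files).
setup_sys_bin() {
    base=$1; shift
    # Never replace an existing real bin directory with a symlink.
    if [ -e "$base/bin" ] && [ ! -L "$base/bin" ]; then
        echo "setup_sys_bin: $base/bin exists and is not a symlink" >&2
        return 1
    fi
    ln -sfn '.@sys/bin' "$base/bin" || return 1
    for spec in "$@"; do
        case $spec in
            *=*) # platform shares binaries: symbolic link instead of a directory
                 name=${spec%%=*}; target=${spec#*=}
                 ln -sfn ".$target" "$base/.$name" || return 1 ;;
            *)   mkdir -p "$base/.$spec/bin" || return 1 ;;
        esac
    done
}

# resolve_bin BASE SYSNAME
#   Prints the physical directory BASE/bin leads to for a client whose system
#   name is SYSNAME. Outside AFS nothing expands @sys, so the substitution the
#   AFS client performs is simulated here with sed.
resolve_bin() {
    link=$(readlink "$1/bin") || return 1
    expanded=$(printf '%s\n' "$link" | sed "s/@sys/$2/g")
    (cd "$1/$expanded" 2>/dev/null && pwd -P) || {
        echo "resolve_bin: no directory for system name $2" >&2
        return 1
    }
}
```

On a real AFS client, `fs sysname` reports the system name that the client substitutes for @sys.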
1.2. How can I start long-running jobs on AFS?
k5run -b CMD ARGS...
CMD is the program you want to start and ARGS... are the arguments you want to pass to this program.
- You must specify the option -b if you want to log out from the system while the job is still running.
- Jobs may run up to 7 days if the Unified Logon is used and up to 30 days if the AFS login is used.
- If you get the error "renew: error renewing credentials: KDC can't fulfill requested option", you must run klog first to get a fresh token. This may happen even if you have just logged in to the system.
1.3. I need an AFS-token with a lifetime longer than 10h. What should I do?
If you need Kerberos5-tickets/AFS-tokens with a lifetime longer than 10h, the recommended solution is to run
(krenew -t -K 10 &)
1.4. Can I use AFS to store the output of CRON jobs?
Currently this is not supported at PSI, due to technical problems and security issues. Without a valid AFS token, no process can write to AFS. CRON has no token and therefore no permission to write, and you cannot pass your token to CRON.
2. SSH and AFS
2.1. Can I use public-key authentication for a user account with its home directory on AFS?
No! Why not? The problem is that you need read access to the file $HOME/.ssh/authorized_keys while logging in. Before you can read the file, you must obtain an AFS token. But there is no way to give you an AFS token at this point. Thus you cannot read the file and the authentication will fail.
With older OpenSSH versions there is a workaround for this problem, but the workaround does not work with newer OpenSSH versions. For this reason it is not described here.
2.2. Are there alternatives to public-key authentication?
Yes, but not yet and probably not for all systems! In the future, Kerberos5 authentication via GSSAPI will be available.