AFS at Glasgow

Directory Layout

The local AFS cell (phas.gla.ac.uk, mounted as /afs/phas.gla.ac.uk) contains the following directories:

Refer to the section on back-ups for a list of those directories which are backed-up, and details of the retention schedule.

Cron jobs

Normal cron jobs cannot write to the AFS file system, and will only be able to read publicly-accessible files. You can create a cron job with full access to AFS using the kcrontab command.

External Kerberos Access (Linux / Mac OS X)

You can configure Kerberos on a Linux or Mac OS X machine to enable passwordless log-in to remote machines once a Kerberos ticket has been created. To do this, open /etc/krb5.conf (/Library/Preferences/edu.mit.Kerberos under OS X) in a text editor, and add the following to the realms section:

PHAS.GLA.AC.UK = {
  default_domain = phas.gla.ac.uk
  kdc = kdc2.phas.gla.ac.uk:88
  kdc = kdc1.phas.gla.ac.uk:88
  admin_server = kdc1.phas.gla.ac.uk
 }

In the same file, add the following to the libdefaults section:

Then add/edit to the libdefaults section:

allow_weak_crypto = true
default_realm = PHAS.GLA.AC.UK
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 25h
renew_lifetime = 672h
forwardable = true
proxiable = true

To use Kerberos with SSH, open /etc/ssh/ssh_config (/etc/ssh_config on OS X) and check the following values are set:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes

You will need administrative rights to make any changes to these files.

To use a Kerberos ticket to log-in to ppelx:

$ kinit <USERNAME>@PHAS.GLA.AC.UK
$ ssh <USERNAME>@ppelx.physics.gla.ac.uk

External AFS Access (Linux / Mac OS X)

Access to the phas.gla.ac.uk AFS cell from a non-PPE machine requires that you first configure Kerberos as described above, then install the appropriate OpenAFS client.

After installing OpenAFS, open /etc/krb5.conf (/Library/Preferences/edu.mit.Kerberos under OS X) in a text editor, and add the following to the domain_realm section:

 .phas.gla.ac.uk = PHAS.GLA.AC.UK
 .physics.gla.ac.uk = PHAS.GLA.AC.UK
 .ppe.gla.ac.uk = PHAS.GLA.AC.UK

You will then need to edit your CellServDB file, which can usually be found in either /usr/vice/etc/CellServDB or /etc/openafs/CellServDB (/var/db/openafs/etc/CellServDB under OS X), adding the following lines:

>phas.gla.ac.uk         #Univeristy of Glasgow Physics And Astronomy
194.36.1.27                     #afsdb3.phas.gla.ac.uk
194.36.1.19                     #afsdb1.phas.gla.ac.uk
194.36.1.33                     #afsdb2.phas.gla.ac.uk

Finally, edit the ThisCell file which can be found in the same directory, replacing its contents with:

phas.gla.ac.uk

Restart the OpenAFS client either by restarting the service, or by rebooting the machine.

To create a Kerberos ticket and obtain an AFS token, use commands similar to the following:

$ kinit <USERNAME>@PHAS.GLA.AC.UK
$ aklog

Hints, Tips and Issues

Common AFS commands

AFS ACLs (Protecting Data)

AFS file systems use directory based ACLs to determine the access permissions for a given file. The following is taken from the afs documentation (http://docs.openafs.org/AdminGuide/ch15s02.html):

• The permissions on a directory's ACL apply to all of the files in the directory. When you move a file to a different directory, you effectively change the access permissions that apply to it to those on its new directory's ACL. Changing a directory's ACL changes the protection on all the files in it.
• When you create a subdirectory, its initial ACL is created as a copy of its parent directory's ACL. You can then change the subdirectory's ACL independently. However, the parent directory's ACL continues to control access to the subdirectory in the following way: the parent directory's ACL must grant the l (lookup) permission to a user (or a group the user belongs to) in order for the user to access the subdirectory at all.

By default the following directories are created in a user's afs home area:

• private - access only for the user and the system administrator, this is also the default for any new directories.
• public - public (world wide) access for anyone.
• public_html - public (world wide) access for anyone, user web pages belong here.
• public_ppe - readable to the ppe group only.

To see the acl list on a directory use the command fs listacl dir .

To allow a user or group user read access to a directory dir :

fs setacl dir user read

To give write permissions:

fs setacl dir user write

And to remove all permissions for a user or group:

fs setacl dir user none

System administrator access is required to all directories to allow backups to be taken.

There is a limit of around 20 entries that can be added to an acl list. The exact number depends on the size (in characters) of each acl entry. To get around this user created groups can be used and then the group can be added to the acl list. The cern web page http://information-technology.web.cern.ch/services/fe/afs/howto/work-afs-groups has instructions on how to create groups and add people to them.

Recursive setting of ACLs

A helper script to recursively set an ACL is available on all the scientific linux desktop machines. Usage is similar to the standard fs setacl command:

fs-recursive-setacl dir user acl

Accessing the CERN afs cell (/afs/cern.ch)

Getting a kerberos ticket for another kerberos realm using kinit will overwrite the existing kerberos tickets file destroying any local Glasgow ticket. To get around this tickets for different kerberos realms have to be written to different files. A couple of helper scripts have been written to made this straight forward: kinit-cern, klist-cern, kdestroy-cern, ssh-cern, kinit-fnal, klist-fnal, kdestroy-fnal, ssh-fnal.

They are used in the same way as the standard kinit, klist and kdestroy. For example:

$ kinit-cern <lxplus user name>@CERN.CH

and after doing the kinit:

$ ssh-cern <lxplus user name>@lxplus.cern.ch

rsyncing files to afs

rsync will copy files to an afs file system in the same way as any other file system. However if directories in the source file system have the stick bit set rsync will complain that it 'failed to set permissions'. A directory with the sticky bit set will have a 's' in the permissions bit field eg:

drwxrwsr-x  4 ppemgr ppemgr   45 Jan 14  2009 sl44

These errors can be safely ignored but they may obscure other errors when rsyncing. To remove stick bits before rsyncing use chmod:

chmod a-s _dir_

replacing _dir_ as required. To recursively remove sticky bits use the -R option.

Automatic Token Renewal

To automatically renew an AFS token for up to 30 days after logging in requires either a small addition the shell login script for ssh logins or for desktop logins a small script to be auto run. Each login change is independent of the others and all can be safely used at the same time.

ssh login

For bash shell users add the following to the top of .bash_profile:

if [ -e /bin/ps ] && [ -e /bin/grep ]
then
    kproc=`/bin/ps x -u ${USER} | /bin/grep krenew | /bin/grep ${KRB5CCNAME}`
    if [ "${kproc}" == "" ] && [ -e /usr/bin/krenew ]
    then
        /usr/bin/krenew -K 60 -t -k ${KRB5CCNAME} &
    fi
fi

For csh/tcsh users the untested equivalent is to add the following to the top of .cshrc or .tcshrc:

if ( -e /bin/ps && -e /bin/grep ) then
    setenv kproc `/bin/ps x -u ${USER} | /bin/grep krenew | /bin/grep ${KRB5CCNAME}`
    if ( "${kproc}" == "" && -e /usr/bin/krenew ) then
        /usr/bin/krenew -K 60 -t -k ${KRB5CCNAME} &
    endif
endif