AFS file system service at the SDCC
The SDCC provides AFS (Andrew File System) service for RHIC and US Atlas users. The service provides worldwide access to files, allowing users to share information more easily. The rhic.bnl.gov AFS cell holds information for RHIC users and the usatlas.bnl.gov AFS cell holds information for US Atlas users. On SDCC systems, the cells are visible at /afs/rhic.bnl.gov and /afs/usatlas.bnl.gov in the local file system name space. Althought both cells are visible on all SDCC systems, the RHIC and LSST systems are clients of the rhic.bnl.gov AFS cell and the US Atlas systems are clients of the usatlas.bnl.gov AFS cell. Access to the cells from other systems requires the installation of AFS client software on the system and possibly, a configuration of the local AFS cell (if the system already is an AFS client for a foreign cell). If the system is configured to use a local AFS cell, you will need to contact the local AFS adminstrator to add access to the desired cell (rhic.bnl.gov, usatlas.bnl.gov, or both).
One unique characteristic of the rhic.bnl.gov and usatlas.bnl.gov cells is that the cells are based on Kerberos 5 instead of the AFS standard Kerberos 4 (kaserver). With the exception of password changing, UNIX AFS clients are not affected by this difference. On the other hand, Windows AFS clients will most likely need to install the latest OpenAFS Windows client software and may also need to install the latest Kerberos for Windows software.
For the rhic.bnl.gov cell, all RHIC experiments have an assigned area within the cell (/afs/rhic.bnl.gov/star, /afs/rhic.bnl.gov/phenix, /afs/rhic.bnl.gov/brahms, /afs/rhic.bnl.gov/phobos, and /afs/rhic.bnl.gov/gc). Access to world readable files in AFS requires no special action, but write access or read access to protected AFS areas requires an AFS account and an AFS token.
Getting an AFS account
All users with interactive accounts at the SDCC have an account in AFS. For RHIC/LSST users, the account will be in the rhic.bnl.gov cell. For US Atlas users, the account will be in the usatlas.bnl.gov cell. The account name is the same as your UNIX account name. If, for some reason, you do not have an AFS account, submit a problem report using the "User Accounts" problem type. Remember to include your UNIX account name and the AFS cell name.
How to get an AFS token
The AFS cells hosted at BNL, rhic.bnl.gov and usatlas.bnl.gov, are Kerberos 5 based AFS cells. As a result, these two cells do not support the legacy Kerberos 4 base native AFS klog command for acquiring AFS tokens.
Obtaining a token with the native AFS klog.krb5 command
The native Kerberos 5 based AFS method for obtaining an AFS token is to use the
klog.krb5 AFS command. On Linux systems at the SDCC, the
klog.krb5 command is
/usr/bin/klog.krb5. This command is typically provided by the openafs-krb5 RPM for RPM based Linux systems. When you run the
klog.krb5 command, you will be prompted for your password; at the prompt enter your Kerberos 5 password. On RHIC/Astro/EIC/Daya Bay/LBNE systems, the default AFS cell is rhic.bnl.gov, which in turn utilizes the RHIC.BNL.GOV Kerberos realm for authentication. On US Atlas systems, the default AFS cell is usatlas.bnl.gov, which in turn utilizes the USATLAS.BNL.GOV Kerberos realm for authentication. By default, running
klog.krb5 will result in the acquisition of an AFS token for the default cell.
klog.krb5 to obtain tokens for other cells by providing a cell name:
klog.krb5 -cell <cell name>.
Note that the klog.krb5 command uses the Kerberos 5 configuration file (typically /etc/krb5.conf) to find hostname(s) of the Kerberos authentication servers for the requested realm.
For further information on
klog.krb5, refer to the man page.
Obtaining a token with Kerberos 5/AFS aklog
An alternative to using the native AFS
klog.krb5 command is using the Kerberos 5
kinit command to obtain a Kerberos 5 TGT and then use the native AFS
aklog command to obtain an AFS token with the TGT. If you already have a Kerberos 5 TGT, then you can simply run
/usr/bin/aklog) to obtain an AFS token. If you do not have a Kerberos 5 TGT, you will first need to obtain a Kerberos 5 TGT using
kinit, then run
Obtaining a token from outside of BNL
For Linux/UNIX systems that are outside of BNL that have been configured as AFS clients, the either the AFS native klog.krb5 or the Kerberos 5 kinit/AFS aklog commands can be used to obtain an AFS token. In both cases, the system must be configured to know about the RHIC.BNL.GOV and/or the USATLAS.BNL.GOV Kerberos realms.