By Chris Lepore

AFS file system service at the SDCC

The SDCC provides AFS (Andrew File System) service for RHIC and US Atlas users. The service provides worldwide access to files, allowing users to share information more easily. The AFS cell holds information for RHIC users and the AFS cell holds information for US Atlas users. On SDCC systems, the cells are visible at /afs/ and /afs/ in the local file system name space. Although both cells are visible on all SDCC systems, the RHIC and LSST systems are clients of the AFS cell and the US Atlas systems are clients of the AFS cell. Access to the cells from other systems requires the installation of AFS client software on the system and, possibly, a configuration of the local AFS cell (if the system already is an AFS client for a foreign cell). If the system is configured to use a local AFS cell, you will need to contact the local AFS administrator to add access to the desired cell (, or both).

One unique characteristic of the and cells is that the cells are based on Kerberos 5 instead of the AFS standard Kerberos 4 (kaserver). With the exception of password changing, UNIX AFS clients are not affected by this difference. On the other hand, Windows AFS clients will most likely need to install the latest OpenAFS Windows client software and may also need to install the latest Kerberos for Windows software.

For the cell, all RHIC experiments have an assigned area within the cell (/afs/, /afs/, /afs/, /afs/, and /afs/). Access to world readable files in AFS requires no special action, but write access or read access to protected AFS areas requires an AFS account and an AFS token.

Getting an AFS account

All users with interactive accounts at the SDCC have an account in AFS. For RHIC/LSST users, the account will be in the cell. For US Atlas users, the account will be in the cell. The account name is the same as your UNIX account name. If, for some reason, you do not have an AFS account, submit a problem report using the "User Accounts" problem type. Remember to include your UNIX account name and the AFS cell name.

How to get an AFS token

The AFS cells hosted at BNL, and, are Kerberos 5 based AFS cells. As a result, these two cells do not support the legacy Kerberos 4 based native AFS klog command for acquiring AFS tokens.

Note: Loading your SSH public key into the SDCC LDAP server will only allow you to log in to the SDCC gateway machines. You will no longer automatically get your Kerberos and AFS tokens. It is recommended that you run the kinit program on the gateway machine as kinit -5 -4 -l 7d (the third argument is a lower-case L) to obtain your Kerberos and AFS tokens. You can then proceed to log in to an internal machine at the facility. An alternative would be to copy your public key to the authorized_keys file in the .ssh directory in your NFS home directory in the facility. Adding your public key to the file will allow you to log in to the internal machines, but you will not have your Kerberos or AFS credentials.

Obtaining a token with the native AFS klog.krb5 command

The native Kerberos 5 based AFS method for obtaining an AFS token is to use the klog.krb5 AFS command. On Linux systems at the SDCC, the klog.krb5 command is /usr/bin/klog.krb5. This command is typically provided by the openafs-krb5 RPM for RPM based Linux systems. When you run the klog.krb5 command, you will be prompted for your password; at the prompt enter your Kerberos 5 password. On RHIC/Astro/EIC/Daya Bay/LBNE systems, the default AFS cell is, which in turn utilizes the RHIC.BNL.GOV Kerberos realm for authentication. On US Atlas systems, the default AFS cell is, which in turn utilizes the USATLAS.BNL.GOV Kerberos realm for authentication. By default, running klog.krb5 will result in the acquisition of an AFS token for the default cell. Use klog.krb5 to obtain tokens for other cells by providing a cell name: klog.krb5 -cell <cell name>.

Note that the klog.krb5 command uses the Kerberos 5 configuration file (typically /etc/krb5.conf) to find the hostname(s) of the Kerberos authentication servers for the requested realm.

For further information on klog.krb5, refer to the man page.

Obtaining a token with Kerberos 5/AFS aklog

An alternative to using the native AFS klog.krb5 command is to use the Kerberos 5 kinit command to obtain a Kerberos 5 TGT and then use the native AFS aklog command to obtain an AFS token with the TGT. If you already have a Kerberos 5 TGT, then you can simply run aklog (/usr/bin/aklog) to obtain an AFS token. If you do not have a Kerberos 5 TGT, you will first need to obtain a Kerberos 5 TGT using kinit, then run aklog.

Obtaining a token from outside of BNL

For Linux/UNIX systems outside of BNL that have been configured as AFS clients, either the AFS native klog.krb5 or the Kerberos 5 kinit/AFS aklog commands can be used to obtain an AFS token. In both cases, the system must be configured to know about the RHIC.BNL.GOV and/or the USATLAS.BNL.GOV Kerberos realms.
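
The realm configuration requirement and the kinit/aklog route described above, as an added example that is not part of the original page or SDCC's own tooling: realm_has_kdc checks that a Kerberos 5 configuration file lists a KDC for a realm, and afs_login obtains a TGT if needed and then an AFS token. The function names, the caller-supplied cell name and the kdc*.example.org hosts in the sample file are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not SDCC tooling. KDC host names below are constructed.

# realm_has_kdc FILE REALM
# Succeeds when the [realms] section of FILE defines REALM with a kdc entry.
# Realms located only through DNS SRV records are not covered by this check.
realm_has_kdc() {
    awk -v realm="$2" '
        /^[ \t]*[#;]/ { next }   # skip comment lines
        /^[ \t]*\[/   { in_realms = ($0 ~ /^[ \t]*\[realms\]/); cur = ""; next }
        in_realms && /=[ \t]*[{]/ { cur = $1; sub(/=.*/, "", cur); next }
        in_realms && /^[ \t]*[}]/ { cur = ""; next }
        in_realms && cur == realm && /^[ \t]*kdc[ \t]*=/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# afs_login CELL [PRINCIPAL]
# The kinit/aklog route: reuse a valid TGT or ask for one, then get a token
# for CELL and list the tokens held. CELL is supplied by the caller.
afs_login() {
    klist -s || kinit ${2:+"$2"} || return 1
    aklog -c "$1" || return 1
    tokens
}

# Constructed krb5.conf fragment: one realm with a KDC, one without.
write_sample() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = RHIC.BNL.GOV
[realms]
    RHIC.BNL.GOV = {
        kdc = kdc1.example.org
    }
    USATLAS.BNL.GOV = {
        # kdc = kdc2.example.org
    }
EOF
}

sample=$(mktemp)
write_sample "$sample"
for r in RHIC.BNL.GOV USATLAS.BNL.GOV; do
    if realm_has_kdc "$sample" "$r"; then echo "$r: kdc listed"
    else echo "$r: no kdc in $sample"; fi
done
rm -f "$sample"
```

On a real client, point realm_has_kdc at /etc/krb5.conf before calling afs_login; a missing realm entry there is the usual reason klog.krb5 or kinit cannot find the authentication servers.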