AFS is a distributed filesystem product, pioneered at Carnegie Mellon University. It offers a client-server architecture for file sharing, providing location independence, scalability and transparent migration capabilities for data.
An AFS system is composed of
one or more groups called cells. The AFS cell used at MIT is athena.mit.edu.
Each AFS cell uses a common server for authenticating users. At MIT, the
Kerberos system is used to authenticate users accessing the system. This
is the same authentication system used with Eudora and SAP. The MIT web site
resides on the AFS file system.
OpenAFS is a software utility that lets computers on various platforms access files on an AFS system. Windows clients running OpenAFS along with Kerberos can access files on an AFS file system in the same way they would access files on a Windows file server, including the ability to map drive letters within Windows to a folder on an AFS system.
From the Leash32 menu, select "Action" and then "Get Ticket(s)/Token(s)".
Next you will be prompted for your
Kerberos name and password. For security reasons, you will not see your
password displayed as "*" characters. This is to prevent anyone from possibly
guessing your password based on the number of characters. Entering the
"@ATHENA.MIT.EDU" after your user name is optional. After you have entered
your username and password, click "OK" or hit the "Enter" key to continue.
After you have obtained Kerberos tickets/tokens you will see your username listed in the Kerberos window along with a "+" sign to the left of your name. Clicking the "+" sign will display all the tickets and tokens you currently have. You should have three items listed: Kerberos four tickets, Kerberos five tickets, and AFS tokens. Green tickets are active, red tickets are expired, and gray tickets mean a service is unavailable.
Once you have obtained your tickets you can close the Kerberos program. You can always view your Kerberos tickets by opening the Kerberos program. You can "get", "renew" and "destroy" tickets as often as you need to. The default lifetime for tickets is 8 hours. Tickets are destroyed any time you log off or shut down your computer.
MIT’s Eudora program also uses Kerberos. When you are prompted for your username and password within Eudora, the program is using the Kerberos program to obtain tickets. Because of this, logging into Eudora in effect also logs you into the AFS file system.
2. Using the AFS Client
Once you have AFS tokens you can access AFS folders in the same way you would any other drive that appears under the "My Computer" icon in Windows. The AFS client works by mapping a drive letter (A: through Z:) to a folder on the AFS system. EHS has leased disk space in a locker called "ehslan". The full path to the ehslan locker on the AFS system is /afs/athena/dept/ehslan. The ehslan locker is divided into group and user folders. The standard drive mappings for computers in EHS are listed below:
Windows Drive Letter | AFS Folder | Description |
G: | /afs/athena/dept/ehslan/user/<kerberos-name> | User’s personal folder |
H: | /afs/athena/dept/ehslan/group/rpp | RPP Group Folder |
I: | /afs/athena/dept/ehslan/group/ihp | IHP Group Folder |
J: | /afs/athena/dept/ehslan/group/bsp | BSP Group Folder |
K: | /afs/athena/dept/ehslan/group/ehs-ms | EHS-MS Group Folder |
L: | /afs/athena/dept/ehslan/group/emp | EMP Group Folder |
M: | /afs/athena/dept/ehslan/group/ehs | Shared folder for EHS |
R: | /afs/athena/dept/ehslan/group/rsk | RSK Group Folder |
S: | /afs/athena/dept/ehslan/group/safety | Safety Group Folder |
T: | /afs/athena/dept/ehslan/group/epo | EPO "Shared Documents" |
U: | /afs/athena/dept/ehslan/group | All group folders |
V: | /afs/athena/dept/ehslan/user | All user folders |
You can change the AFS drives which
are listed within "My Computer" by opening the AFS Client utility, located
in the bottom left corner of your desktop next to the clock.
To add or remove drive letters, select the "Drive Letters" tab in the AFS Client utility. The "Drive Letters" window shows the AFS drive mappings which are currently configured on your computer. To make a drive letter available, simply check the box next to the drive letter. To make the drive letter unavailable, and not listed within "My Computer", simply uncheck the box. The drive mapping configuration is stored in the c:\winnt\afsdsbmt.ini file or c:\windows\afsdsbmt.ini, depending on whether you are running Windows NT, 2000, or XP.
Troubleshooting OpenAFS
Unlike Eudora, OpenAFS is not fully integrated with MIT’s Kerberos program. When Eudora requires Kerberos tickets, it brings up a Kerberos login window which is linked to the Kerberos program. The OpenAFS client is not linked in this manner. As part of the WinAthena project, MIT is working on a version of OpenAFS which is fully integrated with the MIT Kerberos client. Because the current client is not integrated in this way, there are some key points to understand when trying to determine why OpenAFS may not be functioning properly.
As with all network applications, OpenAFS will only work with an active network connection. The OpenAFS service attempts to start when your system boots, and needs a network connection to start. If you do not have a network connection when you initially boot your computer, you will have to manually start the OpenAFS client once a network connection has been established. Laptop users may find that if their computer is configured for DHCP, they may have to disable and enable their network connection to get a valid network address for their current location, especially when moving between work and home networks.
To start the AFS service, click the AFS Client icon in the lower right hand corner of your screen. In the AFS Client Wizard, click "Next" to start the AFS service.
If the AFS token icon is gray, then
you do not currently have AFS tokens.
Kerberos can only obtain AFS tokens
when the AFS client is running. When the AFS client service is stopped,
the AFS feature of Kerberos is disabled. Even when the AFS service
is restarted, the AFS function within Kerberos will sometimes remain disabled.
To get AFS tokens, it must be enabled manually. From the "options" menu within
Kerberos, choose "AFS Properties".
Within AFS Properties change "AFS Disabled"
to "AFS Enabled" and click "OK".
After you log in to Kerberos, you
should verify that you have Kerberos tickets and AFS tokens.
Once AFS is enabled, you will need
to destroy your Kerberos tickets and obtain new tickets.
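A scripted version of the checks in this troubleshooting section, added here as an example and not part of the original guide. The service name TransarcAFSDaemon, the tokens.exe command and its output format are assumptions about the OpenAFS for Windows install, and the sample output is constructed.

```powershell
# Added example, not part of the original guide. Assumed names are marked.
$Cell        = 'athena.mit.edu'     # cell named in this guide
$ServiceName = 'TransarcAFSDaemon'  # assumption: OpenAFS client service name

function Get-AfsTokenState {
    # Classify `tokens` output for one cell: 'active', 'expired' or 'none'.
    param([string[]]$TokensOutput, [string]$Cell)
    $pattern = 'tokens for afs@' + [regex]::Escape($Cell) + '\s'
    $line = $TokensOutput | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { return 'none' }
    if ($line -match '>>\s*Expired\s*<<') { return 'expired' }
    return 'active'
}

function Get-AfsNextStep {
    # Map the observed state to the corresponding step in this guide.
    param([bool]$HasNetwork, [string]$ServiceStatus, [string]$TokenState)
    if (-not $HasNetwork)             { return 'No network address: fix the connection, then start the AFS client.' }
    if ($ServiceStatus -ne 'Running') { return 'AFS service not running: start it from the AFS Client icon.' }
    switch ($TokenState) {
        'active'  { return 'AFS token is active.' }
        'expired' { return 'AFS token expired: renew or get new tickets.' }
        default   { return 'No AFS token: set "AFS Enabled" in AFS Properties, destroy tickets, get new ones.' }
    }
}

# Constructed sample of `tokens` output (assumed format), to exercise the parser offline.
$sample = @(
    'Tokens held by the Cache Manager:',
    "User's (AFS ID 1234) tokens for afs@athena.mit.edu [>> Expired <<]",
    '   --End of list--'
)
"Sample classifies as: $(Get-AfsTokenState -TokensOutput $sample -Cell $Cell)"

# Live check, only where the OpenAFS command-line tools are installed.
if (Get-Command tokens.exe -ErrorAction SilentlyContinue) {
    $net = [bool](Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $tok = Get-AfsTokenState -TokensOutput (& tokens.exe 2>&1 | Out-String -Stream) -Cell $Cell
    Get-AfsNextStep -HasNetwork $net -ServiceStatus "$($svc.Status)" -TokenState $tok
}
```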