Information Services and Technology

AFS Authentication and Users

Authentication

Authentication in AFS is done via the Kerberos network security system. Once a user is validated to Kerberos with an AFS password, a "ticket" or "token" is issued to that user, which permits access to every service the ACL (Access Control List) of any given AFS directory grants to that user.

A user's token normally expires 25 hours after it is granted, at which point the user has only those AFS permissions granted to system:anyuser (see the Users section below). However, a user's token expiration time can be extended to 500 hours if needed.

If a user gets a Permission Denied message when trying to access some file, it could be because that user's token has expired. To re-authenticate to Kerberos without logging out, use the command:

klog

Users
  • There are several "built-in" AFS users, including system:anyuser and system:authuser.
  • system:authuser -- anyone who is logged in to an AFS cell (cad at NJIT) and has a token for that cell.
  • system:anyuser -- anyone who is logged in to an AFS cell, regardless of whether this user has a token or not.
  • system:administrators -- staff who administer the AFS system.
  • A user has all four AFS permissions (lida) in the login directory, and always has the administer (a) right on that directory, and on any directory owned by that user -- this right cannot be removed by the user.

To run applications for longer than 25 hours:

  • Upon login to an AFS machine, a user is automatically granted a "token" by the Kerberos authentication system. This token allows the user access to directories in AFS where that user is explicitly allowed access, such as the user's login directory tree. Without a token, a user is in the category "system:anyuser" (anonymous), and has access only to those directories where system:anyuser is explicitly given access rights.
  • Tokens are on a per-machine basis: i.e., a user's tokens on machine-A and machine-B are not related.
  • To check token status, run:

    /usr/afsws/bin/tokens

  • Tokens man page: man tokens (/usr/afsws/man/man1/tokens.1 on afs1.njit.edu - afs36.njit.edu, except afs35, which is currently reserved for instructors).
  • The default token lifetime is 25 hours; to request a longer token lifetime, up to 500 hours, send mail to ucssys@njit.edu.

  • If your program reads or writes files, you will need to make sure that your Kerberos token does not expire before your job ends. The best way to do this is to log in to the machine on which your job runs (which grants a fresh token there) often enough that the expiration time of your token is always later than the expected finish time of your job.
  • Your processes on a given machine will inherit whatever the current expiration time of your token is. Upon logout, your processes will retain your token expiration time as of immediately before logout.
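As an added example (not part of the NJIT page), a small POSIX shell script that applies the checks above before launching a long job: it reads the output of tokens for the cad cell, works out how much lifetime is left, and tells the user to run klog if the job would outlive the token. The exact tokens output format, the cell name and the use of GNU date -d for the live check are assumptions.

```shell
#!/bin/sh
# Added example, not from the NJIT page: decide whether the AFS token on this
# machine will outlive a job expected to run for a given number of hours.
# Assumes `tokens` prints the format in SAMPLE_TOKENS (constructed) and that
# GNU `date -d` is available for the live check in check_job.
CELL=cad.njit.edu

# Constructed sample of `tokens` output (not captured from a real machine).
SAMPLE_TOKENS="Tokens held by the Cache Manager:

User's (AFS ID 12345) tokens for afs@${CELL} [Expires Nov  8 15:22]
   --End of list--"

# Print the expiry text ("Nov  8 15:22") of the token for cell $1, reading
# `tokens` output on stdin. Prints nothing when no token is held, which
# means the user currently counts only as system:anyuser.
token_expiry() {
    sed -n "s/.*tokens for afs@$1 \[Expires \([^]]*\)].*/\1/p"
}

# Seconds of lifetime left at epoch time $2 for a token expiring at epoch $1;
# an already-expired token reports 0, never a negative number.
seconds_left() {
    left=$(( $1 - $2 ))
    if [ "$left" -gt 0 ]; then echo "$left"; else echo 0; fi
}

# True (exit 0) if a token expiring at epoch $1 still covers a job of
# $3 hours that starts at epoch $2.
token_covers_job() {
    [ "$(seconds_left "$1" "$2")" -ge $(( $3 * 3600 )) ]
}

# Live check to run on the machine where the job will start.
check_job() {    # $1 = expected job length in hours
    exp=$(tokens | token_expiry "$CELL")
    if [ -z "$exp" ]; then
        echo "no token for $CELL (you are system:anyuser); run klog" >&2
        return 1
    fi
    # GNU date fills in the current year for a month/day/time string.
    if token_covers_job "$(date -d "$exp" +%s)" "$(date +%s)" "$1"; then
        echo "token expires $exp, which covers a $1-hour job"
    else
        echo "token expires $exp, before a $1-hour job ends; run klog" >&2
        return 1
    fi
}

if [ -n "${JOB_HOURS:-}" ]; then check_job "$JOB_HOURS"; fi
```

Run it as `JOB_HOURS=30 sh check_token.sh` on the machine where the job will run; a non-zero exit means you should klog (or ask for a longer token lifetime) before starting.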