AFS Authentication and Users


Authentication in AFS is done via the Kerberos network security system. Once a user is validated to Kerberos via an AFS password, a "ticket" or "token" is given to that user, which will permit the user to access all services specified by the ACL (Access Control List) for that user in any given AFS directory.

If a user gets a Permission Denied message when trying to access some file, it could be because that user's token has expired. To re-authenticate to Kerberos without logging out use the command:

kinit && aklog


  • There are several built-in AFS users, including system:anyuser and system:authuser.
  • system:authuser -- any one who is logged in to an AFS cell (e.g., and has a token for that cell.
  • system:anyuser -- any one who is logged in to an AFS cell, regardless of whether this user has a token or not.
  • system:administrators -- staff who administer the AFS system.
  • A user has all four AFS permissions (lida) in the login directory, and always has the administer (a) right on that directory, and on any directory owned by that user -- this right cannot be removed by the user.
Last Updated: June 29, 2017