
Local Authentication and Local Home Directories

Currently, users of Research Cluster computers have a home directory for each computer they have access to, as well as a username and password. When a user connects or logs on to a computer, they will have access to the files and directories in the home directory, as well as files and directories that they have permission to access elsewhere on the system. The process of connecting to a computer, entering a user name and password, and gaining permission to access the computer is generally referred to as "authenticating" or "user authentication."

The block diagram (Figure 1, Local Home Directory) illustrates the process of connecting to a computer, Belknap, and shows the local home directory for the user.

In the situation in Figure 1, a user connects to Belknap from a desktop computer (PC, Macintosh, or UNIX workstation) and authenticates locally, and as a result of successful authentication, has the permissions required to access their home directory.

All the information for connecting to a particular computer is local to the computer, as is the user's home directory. If a user wishes to access another computer in the Research Cluster, they would repeat the login process for each computer, and in each case, they would have a separate home directory.

AFS Authentication

The main difference between an AFS user and a local user is that the AFS user is not tied or attached to a particular computer, but instead has a global identity that allows the user to authenticate to multiple computers.

The AFS connection and authentication process is illustrated in Figure 2. In step 1, the user connects to whichever computer they want to use, and the process of connecting is handled in the same way as in the past. What is different is that the user's full identity (name and password) is stored remotely in AFS, and the user authenticates against AFS (step 2).

An important component of the authentication process is the granting of a token that is associated with the user's current process. Tokens can be thought of as temporary identity cards that assure that a user's process does indeed have the correct permissions to access particular files. Tokens time out after a set period of time, and it is the side effects of token time-out that sometimes cause confusion.

Once the user has been identified by the AFS system, they are allowed to use the computer and access the files in their home directory. In some special cases, it is possible for a user to authenticate, but not be allowed to access the files in their home directory. This can happen if an AFS server is off-line or if authentication happens locally and not via AFS. A more common occurrence is that a previously authenticated user will lose permission to access their files because their token times out.
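The cases described above (no AFS token after a local login, a token that has timed out, or a valid token with an unreachable server) can be told apart from a script. The following is an added example, not part of the original page: it reads the output of the OpenAFS tokens command and classifies each token. The sample output, cell names, AFS ID, and the 30-minute warning window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `tokens` output; the AFS ID and cell names are made up.
SAMPLE = """\
Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@example.edu [Expires May  9 17:30]
User's (AFS ID 1234) tokens for afs@old.example.edu [>> Expired <<]
   --End of list--
"""

TOKEN_LINE = re.compile(
    r"tokens for (\S+) \[(?:Expires (\w{3}\s+\d+\s+\d+:\d+)|>> Expired <<)\]")

def token_status(output, now, warn=timedelta(minutes=30)):
    """Map each cell in `tokens` output to 'ok', 'expiring' or 'expired'."""
    status = {}
    for cell, stamp in TOKEN_LINE.findall(output):
        if not stamp:                      # the "[>> Expired <<]" form
            status[cell] = "expired"
            continue
        stamp = " ".join(stamp.split())    # "May  9 17:30" -> "May 9 17:30"
        expires = datetime.strptime(f"{now.year} {stamp}", "%Y %b %d %H:%M")
        # The output carries no year: a date far in the past really belongs
        # to next year (a token seen on Dec 31 that expires on Jan 1).
        if expires < now - timedelta(days=180):
            expires = datetime.strptime(f"{now.year + 1} {stamp}", "%Y %b %d %H:%M")
        if expires <= now:
            status[cell] = "expired"
        elif expires - now <= warn:
            status[cell] = "expiring"
        else:
            status[cell] = "ok"
    return status

def diagnose(output, now):
    """One-line explanation for a user who cannot reach their AFS files."""
    status = token_status(output, now)
    if not status:
        return "no token held: login was authenticated locally, not via AFS"
    stale = sorted(c for c, s in status.items() if s != "ok")
    if stale:
        return "token timed out or about to: " + ", ".join(stale)
    return "tokens valid: if files are unreachable, suspect an off-line AFS server"

if __name__ == "__main__":
    print(diagnose(SAMPLE, datetime(2008, 5, 9, 17, 10)))
```

On a real system, pass the captured output of the tokens command and datetime.now() instead of the sample.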

AFS Home Directories

The contents of AFS home directories are essentially the same as the contents of local home directories on an individual's computer. Like a local home directory, an AFS home directory contains configuration files (.cshrc, .login, etc.) and most of the files a user owns.

The major difference between an AFS home directory and a local home directory is that an AFS home directory can be accessed from multiple computers, which eliminates the need for home directories on each computer. With home directories no longer attached to a particular computer, users can more quickly and easily use applications on other computers in the Research Cluster, and when computers are added or retired, there is no need to move a user's account.

The other significant difference between local files and AFS files, including AFS home directories, is the way in which permissions are handled. Users who share files with others or need access to shared files should contact research.computing with any questions. For all other users, the important thing to note is that in your AFS home directory there will be two sub-directories, private and public.

As the names suggest, private is where a user should do all work that they want to keep other users from seeing in any way, and public is a directory where other AFS users can read and access files. Users should note that AFS file permissions are more complicated than standard UNIX file permissions. All users who wish to share files are advised to consult with a member of the Research Computing staff.

05/08/08

Last Updated: 5/9/08