TU Berlin

FAQ AFS

Frequently asked questions about AFS

General: Security

AFS protects privacy by granting data access only to those who are authorised. For this purpose a procedure called Kerberos is employed. Kerberos ensures that only the registered user can access the data which is relevant to him.

Three parties are involved in Kerberos: the client, the server (which the client wants to use) and the Kerberos server. The Kerberos service authenticates the server to the client as well as the client to the server. The Kerberos server also authenticates itself to the client and the server while verifying their identities.

Kerberos employs so-called tickets (= tokens) for the authentication process. A token is the access authorisation for an AFS cell; it is granted for approx. 10 hours after login.

In order to receive a valid token, the user has to enter his tubIT credentials. If the authentication is successful, the user receives a ticket which is valid for a limited time period and grants access to the AFS file server. After that time period it is necessary to obtain a new token, meaning that the user credentials have to be entered again.

The entire communication between AFS client, AFS server and Kerberos is encrypted at all times and therefore provides high security. You can find further information about Kerberos here.

General: AFS Technology

What is AFS exactly?

A service that allows you to save data to a storage medium (hard disk drive, CD-ROM or flash drive) and organise it in a hierarchical, tree-like structure built from main directories and subdirectories.

AFS is a worldwide file tree formed by the individual trees of universities, companies and other institutions. The personal data of all tubIT users is also found there as a subdirectory.

These user files are not located on a local hard drive but on an AFS fileserver. This grants access to the personal data from any computer which has been "prepared".

The data access is a transparent process for every user meaning that you will not notice the network activity. All operations are executed in the same way as for files which are stored on the local hard drive.

Further information can be found here.

General: AFS functionality

AFS is based on the client-server model. All files are hosted on one or more fileservers.

In order to access this data an AFS client is required. It enables the client computer to obtain the information and data available.

A group of servers which form a single file system is called an AFS cell. The AFS cell of TU Berlin is called "TU-BERLIN.DE".

This AFS cell is maintained by the AFS administrators. They assign rights to the users who are allowed to access areas of the fileserver.

The main directory of the AFS tree is called "afs". We mounted the subtree TU-BERLIN.DE there, so that the directory "afs/TU-BERLIN.DE" came into existence.

If a computer has access to the main directory "afs/TU-BERLIN.DE" after the installation of an AFS client, it can also access the subdirectories.

The home directories of the tubIT users are subdirectories of this tree.

The file path is structured in the following way:

\afs\tu-berlin.de\home\"1st letter of the username"\"username"

General: Kerberos technology

Three parties are involved in Kerberos: the client, the server (which the client wants to use) and the Kerberos server. The Kerberos service authenticates the server to the client as well as the client to the server. The Kerberos server also authenticates itself to the client and the server while verifying their identities.

Kerberos employs so-called tickets (= tokens) for the authentication process. A token is the access authorisation for an AFS cell; it is granted for approx. 10 hours after login.

In order to receive a valid token, the user has to enter his tubIT credentials. If the authentication is successful, the user receives a ticket which is valid for a limited time period and grants access to the AFS file server. After that time period it is necessary to obtain a new token, meaning that the user credentials have to be entered again.

The entire communication between AFS client, AFS server and Kerberos is encrypted at all times and therefore provides high security. You can find further information about Kerberos here.

OpenAFS: Forwarding Firewall/Ports

The following ports have to be forwarded:

  • Kerberos:
    • Port 88 tcp/udp outgoing
    • Port 4444 tcp/udp outgoing
  • AFS:
    • Ports 7000-7009 tcp/udp incoming and outgoing
   

OpenAFS: Correct system time

Kerberos will only work properly if the system time of your computer is correct within a tolerance of 5 minutes. To ensure this, you should synchronise your computer automatically with a time server (such as times.tubit.tu-berlin.de).
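The tolerance check described above, as an added example that is not part of the original FAQ: it parses a time server's SNTP reply, computes the offset of the local clock and compares it with the 5-minute limit. All function names are hypothetical, the sample reply is constructed, and the packet layout is the standard 48-byte SNTP format.

```python
import socket
import struct
import time

NTP_UNIX_DELTA = 2_208_988_800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
KERBEROS_TOLERANCE_S = 5 * 60   # tolerance stated in this FAQ


def parse_sntp_reply(packet):
    """Return the server's (receive, transmit) timestamps as Unix seconds."""
    if len(packet) < 48:
        raise ValueError("SNTP reply shorter than 48 bytes")
    leap, mode, stratum = packet[0] >> 6, packet[0] & 0x07, packet[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if leap == 3 or stratum == 0:
        raise ValueError("server clock is not synchronised")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!IIII", packet[32:48])
    return (rx_s - NTP_UNIX_DELTA + rx_f / 2**32,
            tx_s - NTP_UNIX_DELTA + tx_f / 2**32)


def clock_offset(packet, t_sent, t_received):
    """NTP offset ((T2-T1)+(T3-T4))/2; positive means the local clock is behind."""
    t2, t3 = parse_sntp_reply(packet)
    return ((t2 - t_sent) + (t3 - t_received)) / 2


def kerberos_clock_ok(offset_s):
    """True if the local clock is within the Kerberos tolerance."""
    return abs(offset_s) <= KERBEROS_TOLERANCE_S


def query_offset(host, timeout=3.0):
    """Ask a time server once over UDP port 123 and return the local clock offset."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t_sent = time.time()
        sock.sendto(b"\x23" + bytes(47), (host, 123))  # LI=0, VN=4, mode=3 (client)
        packet, _ = sock.recvfrom(512)
        return clock_offset(packet, t_sent, time.time())


def build_reply(server_unix, first_byte=0x24, stratum=2):
    """Constructed sample reply (default: LI=0, VN=4, mode=4) for offline use."""
    secs = int(server_unix) + NTP_UNIX_DELTA
    return bytes([first_byte, stratum]) + bytes(30) + struct.pack("!IIII", secs, 0, secs, 0)


if __name__ == "__main__":
    reply = build_reply(1_700_000_000)  # constructed: local clock is about 400 s behind
    offset = clock_offset(reply, 1_699_999_600.0, 1_699_999_600.2)
    print(f"offset {offset:+.1f} s, within tolerance: {kerberos_clock_ok(offset)}")
```

SNTP replies are unauthenticated, so the result is a diagnostic for ticket failures caused by clock drift, not a trusted time source.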

OpenAFS: Linux & ReiserFS

OpenAFS for Linux employs a cache manager which cannot handle ReiserFS partitions. If you only have a ReiserFS partition, you are required to create a new ext3 partition. Create the folders afs and afscache on that partition and change the file path in the cache-info file located in /etc/openafs/.

OpenAFS: Vista & Windows domain

Problems occur with Microsoft Vista (32- and 64-bit) if the computer is part of a Windows domain and the profile or application data are obtained via AFS. A solution is being developed.

OpenAFS: Vista 64-Bit system

Please install the x64 versions of Kerberos and AFS from the corresponding websites.

OpenAFS: VPN connections

A VPN connection to tubIT is not necessary and therefore not recommended.

OpenAFS: Status of the OpenAFS service

You can check whether your AFS ticket request has been accepted by looking for a lock icon in your system tray (bottom right corner).

tubIT - Hotline

Tel. 314 - 28 000
Mon-Fri, 8 a.m. to 6 p.m.